pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #977 from dod-ccpo/k8s-reconfig

Browse Source 
K8s reconfig
This commit is contained in:
dandds
2019-08-01 13:55:32 -04:00
committed by GitHub
parent 0493078b33 f3e032fc03
commit df7dbbb603
17 changed files with 432 additions and 440 deletions
Download Patch File Download Diff File Expand all files Collapse all files

133
.circleci/config.yml
View File

@@ -2,7 +2,10 @@ version: 2.1
orbs: orbs:
aws-ecr: circleci/aws-ecr@4.0.1 aws-ecr: circleci/aws-ecr@4.0.1
aws-eks: circleci/aws-eks@0.1.0
azure-acr: circleci/azure-acr@0.1.1 azure-acr: circleci/azure-acr@0.1.1
azure-aks: circleci/azure-aks@0.2.0
kubernetes: circleci/kubernetes@0.3.0
defaults: defaults:
appEnvironment: &appEnvironment appEnvironment: &appEnvironment
@@ -14,6 +17,27 @@ defaults:
PIP_VERSION: 18.* PIP_VERSION: 18.*
CRL_STORAGE_PROVIDER: CLOUDFILES CRL_STORAGE_PROVIDER: CLOUDFILES
commands:
migration_setup:
parameters:
container_image:
type: string
steps:
- attach_workspace:
at: .
- run:
name: Setup Environment Variables
command: |
echo 'export CONTAINER_IMAGE="<< parameters.container_image >>"' >> $BASH_ENV
- run: sudo apt-get update
- run: sudo apt-get install gettext
- kubernetes/install
migration_apply:
steps:
- run:
command: ./script/cluster_migration
name: Apply Migrations and Seed Roles
jobs: jobs:
app_setup: app_setup:
docker: docker:
@@ -74,6 +98,27 @@ jobs:
name: "Run Tests" name: "Run Tests"
command: ./script/cibuild command: ./script/cibuild
aws-migration:
executor: aws-eks/python3
steps:
- migration_setup:
container_image: "$AWS_ECR_ACCOUNT_URL/atat:$CIRCLE_SHA1"
- aws-eks/update-kubeconfig-with-authenticator:
cluster-name: atat
aws-region: "${AWS_REGION}"
- migration_apply
azure-migration:
executor: azure-aks/default
steps:
- migration_setup:
container_image: "$AZURE_SERVER_NAME/atat:$CIRCLE_SHA1"
- azure-aks/update-kubeconfig-with-credentials:
cluster-name: atat-cluster
install-kubectl: true
perform-login: true
resource-group: atat
- migration_apply
workflows: workflows:
version: 2 version: 2
@@ -83,15 +128,6 @@ workflows:
- test: - test:
requires: requires:
- app_setup - app_setup
- aws-ecr/build_and_push_image:
repo: atat
tag: "${CIRCLE_SHA1}"
requires:
- test
filters:
branches:
only:
- master
- azure-acr/build_and_push_image: - azure-acr/build_and_push_image:
login-server-name: "${AZURE_SERVER_NAME}" login-server-name: "${AZURE_SERVER_NAME}"
registry-name: pwatat registry-name: pwatat
@@ -103,3 +139,82 @@ workflows:
branches: branches:
only: only:
- master - master
- azure-migration:
requires:
- azure-acr/build_and_push_image
filters:
branches:
only:
- master
- azure-aks/update-container-image:
cluster-name: atat-cluster
container-image-updates: "atst=${AZURE_SERVER_NAME}/atat:${CIRCLE_SHA1}"
namespace: atat
resource-name: deployment.apps/atst
resource-group: atat
# uncomment below for debugging
# show-kubectl-command: true
requires:
- azure-migration
filters:
branches:
only:
- master
- azure-aks/update-container-image:
cluster-name: atat-cluster
container-image-updates: "atst-worker=${AZURE_SERVER_NAME}/atat:${CIRCLE_SHA1}"
namespace: atat
resource-name: deployment.apps/atst-worker
resource-group: atat
# uncomment below for debugging
# show-kubectl-command: true
requires:
- azure-migration
filters:
branches:
only:
- master
- aws-ecr/build_and_push_image:
repo: atat
tag: "${CIRCLE_SHA1}"
requires:
- test
filters:
branches:
only:
- master
- aws-migration:
requires:
- aws-ecr/build_and_push_image
filters:
branches:
only:
- master
- aws-eks/update-container-image:
cluster-name: atat
container-image-updates: "atst=${AWS_ECR_ACCOUNT_URL}/atat:${CIRCLE_SHA1}"
namespace: atat
resource-name: deployment.apps/atst
aws-region: "${AWS_REGION}"
# uncomment below for debugging
# show-kubectl-command: true
requires:
- aws-migration
filters:
branches:
only:
- master
- aws-eks/update-container-image:
cluster-name: atat
container-image-updates: "atst-worker=${AWS_ECR_ACCOUNT_URL}/atat:${CIRCLE_SHA1}"
namespace: atat
resource-name: deployment.apps/atst-worker
aws-region: "${AWS_REGION}"
# uncomment below for debugging
# show-kubectl-command: true
requires:
- aws-migration
filters:
branches:
only:
- master

1
Dockerfile
View File

@@ -78,6 +78,7 @@ COPY --from=builder /install/atst/ ./atst/
COPY --from=builder /install/config/ ./config/ COPY --from=builder /install/config/ ./config/
COPY --from=builder /install/templates/ ./templates/ COPY --from=builder /install/templates/ ./templates/
COPY --from=builder /install/translations.yaml . COPY --from=builder /install/translations.yaml .
COPY --from=builder /install/script/seed_roles.py ./script/seed_roles.py
COPY --from=builder /install/static/ ./static/ COPY --from=builder /install/static/ ./static/
COPY --from=builder /install/uwsgi.ini . COPY --from=builder /install/uwsgi.ini .
COPY --from=builder /usr/local/bin/uwsgi /usr/local/bin/uwsgi COPY --from=builder /usr/local/bin/uwsgi /usr/local/bin/uwsgi

26
deploy/kubernetes/test/atat-deploy-role.yml
View File

@@ -1,26 +0,0 @@
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
namespace: atat-test
name: atat-sample-update
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]
- apiGroups: [""]
resources: ["pods/exec"]
verbs: ["create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: atst-sample-role-binding
namespace: atat-test
subjects:
- kind: ServiceAccount
name: atat-deployer
namespace: atat
roleRef:
kind: Role
name: atat-sample-update
apiGroup: rbac.authorization.k8s.io

99
deploy/kubernetes/test/atst-nginx-configmap.yml
View File

@@ -1,99 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: atst-nginx
namespace: atat-test
data:
nginx-config: |-
server {
access_log /var/log/nginx/access.log json;
server_name test.atat.code.mil;
listen 8442;
listen [::]:8442 ipv6only=on;
if ($http_x_forwarded_proto != 'https') {
return 301 https://$host$request_uri;
}
location /login-redirect {
return 301 https://auth-test.atat.code.mil$request_uri;
}
location /login-dev {
try_files $uri @appbasicauth;
}
location / {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
location @appbasicauth {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
auth_basic "Developer Access";
auth_basic_user_file /etc/nginx/.htpasswd;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
}
server {
access_log /var/log/nginx/access.log json;
server_name auth-test.atat.code.mil;
listen 8443 ssl;
listen [::]:8443 ssl ipv6only=on;
# SSL server certificate and private key
ssl_certificate /etc/ssl/private/auth.atat.crt;
ssl_certificate_key /etc/ssl/private/auth.atat.key;
# Set SSL protocols, ciphers, and related options
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_dhparam /etc/ssl/dhparam.pem;
# SSL session options
ssl_session_timeout 4h;
ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions
ssl_session_tickets off;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
# Request and validate client certificate
ssl_verify_client on;
ssl_verify_depth 10;
ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
# Guard against HTTPS -> HTTP downgrade
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
location / {
return 301 https://test.atat.code.mil$request_uri;
}
location /login-redirect {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
}
nginx-json-log-config: |-
log_format json escape=json
'{'
'"timestamp":"$time_iso8601",'
'"msec":"$msec",'
'"request_id":"$request_id",'
'"remote_addr":"$remote_addr",'
'"remote_user":"$remote_user",'
'"request":"$request",'
'"status":$status,'
'"body_bytes_sent":$body_bytes_sent,'
'"referer":"$http_referer",'
'"user_agent":"$http_user_agent",'
'"http_x_forwarded_for":"$http_x_forwarded_for"'
'}';

99
deploy/kubernetes/uat/atst-nginx-configmap.yml
View File

@@ -1,99 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: atst-nginx
namespace: atat-uat
data:
nginx-config: |-
server {
access_log /var/log/nginx/access.log json;
server_name uat.atat.code.mil;
listen 8442;
listen [::]:8442 ipv6only=on;
if ($http_x_forwarded_proto != 'https') {
return 301 https://$host$request_uri;
}
location /login-redirect {
return 301 https://auth-uat.atat.code.mil$request_uri;
}
location /login-dev {
try_files $uri @appbasicauth;
}
location / {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
location @appbasicauth {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
auth_basic "Developer Access";
auth_basic_user_file /etc/nginx/.htpasswd;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
}
server {
access_log /var/log/nginx/access.log json;
server_name auth-uat.atat.code.mil;
listen 8443 ssl;
listen [::]:8443 ssl ipv6only=on;
# SSL server certificate and private key
ssl_certificate /etc/ssl/private/auth.atat.crt;
ssl_certificate_key /etc/ssl/private/auth.atat.key;
# Set SSL protocols, ciphers, and related options
ssl_protocols TLSv1.3 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_dhparam /etc/ssl/dhparam.pem;
# SSL session options
ssl_session_timeout 4h;
ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions
ssl_session_tickets off;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4;
# Request and validate client certificate
ssl_verify_client on;
ssl_verify_depth 10;
ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
# Guard against HTTPS -> HTTP downgrade
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
location / {
return 301 https://uat.atat.code.mil$request_uri;
}
location /login-redirect {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
}
nginx-json-log-config: |-
log_format json escape=json
'{'
'"timestamp":"$time_iso8601",'
'"msec":"$msec",'
'"request_id":"$request_id",'
'"remote_addr":"$remote_addr",'
'"remote_user":"$remote_user",'
'"request":"$request",'
'"status":$status,'
'"body_bytes_sent":$body_bytes_sent,'
'"referer":"$http_referer",'
'"user_agent":"$http_user_agent",'
'"http_x_forwarded_for":"$http_x_forwarded_for"'
'}';

2
deploy/kubernetes/uat/atst-configmap.yml → k8s/aws/atst-configmap.yml
View File

@@ -3,7 +3,7 @@ apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: atst-config name: atst-config
namespace: atat-uat namespace: atat
data: data:
uwsgi-config: |- uwsgi-config: |-
[uwsgi] [uwsgi]

6
deploy/kubernetes/uat/atst-envvars-configmap.yml → k8s/aws/atst-envvars-configmap.yml
View File

@@ -3,12 +3,10 @@ apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: atst-envvars name: atst-envvars
namespace: atat-uat namespace: atat
data: data:
TZ: UTC TZ: UTC
FLASK_ENV: dev FLASK_ENV: dev
OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini
UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi-config.ini UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi.ini
RQ_QUEUES: atat-uat
CRL_STORAGE_PROVIDER: CLOUDFILES CRL_STORAGE_PROVIDER: CLOUDFILES
LOG_JSON: "true"

84
k8s/aws/atst-nginx-configmap.yml Normal file
View File

@@ -0,0 +1,84 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: atst-nginx
namespace: atat
data:
nginx-config: |-
server {
server_name aws.atat.code.mil;
# access_log /var/log/nginx/access.log json;
listen 8442;
listen [::]:8442 ipv6only=on;
# if ($http_x_forwarded_proto != 'https') {
# return 301 https://$host$request_uri;
# }
location /login-redirect {
return 301 https://auth-aws.atat.code.mil$request_uri;
}
location /login-dev {
try_files $uri @appbasicauth;
}
location / {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
location @appbasicauth {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
auth_basic "Developer Access";
auth_basic_user_file /etc/nginx/.htpasswd;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
}
server {
# access_log /var/log/nginx/access.log json;
server_name auth-aws.atat.code.mil;
listen 8443;
listen [::]:8443 ipv6only=on;
# SSL server certificate and private key
# ssl_certificate /etc/ssl/private/auth.atat.crt;
# ssl_certificate_key /etc/ssl/private/auth.atat.key;
# Set SSL protocols, ciphers, and related options
# ssl_protocols TLSv1.3 TLSv1.2;
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# ssl_prefer_server_ciphers on;
# ssl_ecdh_curve secp384r1;
# ssl_dhparam /etc/ssl/dhparam.pem;
# SSL session options
# ssl_session_timeout 4h;
# ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions
# ssl_session_tickets off;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver 8.8.8.8 8.8.4.4;
# Request and validate client certificate
# ssl_verify_client on;
# ssl_verify_depth 10;
# ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
# Guard against HTTPS -> HTTP downgrade
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
location / {
return 301 https://aws.atat.code.mil$request_uri;
}
location /login-redirect {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
# uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
# uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
# uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
# uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
# uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
# uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
}

2
deploy/kubernetes/uat/atst-worker-envvars-configmap.yml → k8s/aws/atst-worker-envvars-configmap.yml
View File

@@ -3,7 +3,7 @@ apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: atst-worker-envvars name: atst-worker-envvars
namespace: atat-uat namespace: atat
data: data:
TZ: UTC TZ: UTC
DISABLE_CRL_CHECK: "True" DISABLE_CRL_CHECK: "True"

127
deploy/kubernetes/test/test.yml → k8s/aws/aws.yml
View File

@@ -2,7 +2,7 @@
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: atat-test name: atat
--- ---
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Deployment kind: Deployment
@@ -10,7 +10,7 @@ metadata:
labels: labels:
app: atst app: atst
name: atst name: atst
namespace: atat-test namespace: atat
spec: spec:
selector: selector:
matchLabels: matchLabels:
@@ -28,10 +28,10 @@ spec:
fsGroup: 101 fsGroup: 101
containers: containers:
- name: atst - name: atst
image: registry.atat.code.mil:443/atst-prod:575cfce5 image: 904153757533.dkr.ecr.us-east-2.amazonaws.com/atat:884d95ada21a5097f5c07f305d8e4e24d0f2a03f
resources: resources:
requests: requests:
memory: "2500Mi" memory: "500Mi"
envFrom: envFrom:
- configMapRef: - configMapRef:
name: atst-envvars name: atst-envvars
@@ -39,40 +39,24 @@ spec:
- name: atst-config - name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini" mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini subPath: atst-overrides.ini
- name: uwsgi-config - name: nginx-client-ca-bundle
mountPath: "/opt/atat/atst/uwsgi-config.ini" mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem"
subPath: uwsgi-config.ini subPath: client-ca-bundle.pem
- name: uwsgi-socket-dir - name: uwsgi-socket-dir
mountPath: "/var/run/uwsgi" mountPath: "/var/run/uwsgi"
- name: atst-nginx - name: nginx
image: nginx:alpine image: nginx:alpine
ports: ports:
- containerPort: 8442 - containerPort: 8442
name: http name: main
- containerPort: 8443 - containerPort: 8443
name: https name: auth
volumeMounts: volumeMounts:
- name: nginx-auth-tls
mountPath: "/etc/ssl/private"
- name: nginx-client-ca-bundle
mountPath: "/etc/ssl/client-ca-bundle.pem"
subPath: client-ca-bundle.pem
- name: nginx-config - name: nginx-config
mountPath: "/etc/nginx/conf.d/atst.conf" mountPath: "/etc/nginx/conf.d/atst.conf"
subPath: atst.conf subPath: atst.conf
- name: nginx-config
mountPath: "/etc/nginx/conf.d/00json_log.conf"
subPath: 00json_log.conf
- name: nginx-dhparam
mountPath: "/etc/ssl/dhparam.pem"
subPath: dhparam.pem
- name: nginx-htpasswd
mountPath: "/etc/nginx/.htpasswd"
subPath: .htpasswd
- name: uwsgi-socket-dir - name: uwsgi-socket-dir
mountPath: "/var/run/uwsgi" mountPath: "/var/run/uwsgi"
imagePullSecrets:
- name: regcred
volumes: volumes:
- name: atst-config - name: atst-config
secret: secret:
@@ -81,16 +65,6 @@ spec:
- key: override.ini - key: override.ini
path: atst-overrides.ini path: atst-overrides.ini
mode: 0644 mode: 0644
- name: nginx-auth-tls
secret:
secretName: atst-auth-test-ingress-tls
items:
- key: tls.crt
path: auth.atat.crt
mode: 0644
- key: tls.key
path: auth.atat.key
mode: 0640
- name: nginx-client-ca-bundle - name: nginx-client-ca-bundle
secret: secret:
secretName: nginx-client-ca-bundle secretName: nginx-client-ca-bundle
@@ -104,29 +78,6 @@ spec:
items: items:
- key: nginx-config - key: nginx-config
path: atst.conf path: atst.conf
- key: nginx-json-log-config
path: 00json_log.conf
- name: nginx-dhparam
secret:
secretName: dhparam-4096
items:
- key: dhparam.pem
path: dhparam.pem
mode: 0640
- name: nginx-htpasswd
secret:
secretName: atst-nginx-htpasswd
items:
- key: htpasswd
path: .htpasswd
mode: 0640
- name: uwsgi-config
configMap:
name: atst-config
items:
- key: uwsgi-config
path: uwsgi-config.ini
mode: 0644
- name: uwsgi-socket-dir - name: uwsgi-socket-dir
emptyDir: emptyDir:
medium: Memory medium: Memory
@@ -137,7 +88,7 @@ metadata:
labels: labels:
app: atst app: atst
name: atst-worker name: atst-worker
namespace: atat-test namespace: atat
spec: spec:
selector: selector:
matchLabels: matchLabels:
@@ -155,8 +106,13 @@ spec:
fsGroup: 101 fsGroup: 101
containers: containers:
- name: atst-worker - name: atst-worker
image: registry.atat.code.mil:443/atst-prod:575cfce5 image: 904153757533.dkr.ecr.us-east-2.amazonaws.com/atat:884d95ada21a5097f5c07f305d8e4e24d0f2a03f
args: ["/bin/bash", "-c", "/opt/atat/atst/script/rq_worker"] args: [
"/opt/atat/atst/.venv/bin/python",
"/opt/atat/atst/.venv/bin/flask",
"rq",
"worker"
]
resources: resources:
requests: requests:
memory: "500Mi" memory: "500Mi"
@@ -169,8 +125,6 @@ spec:
- name: atst-config - name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini" mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini subPath: atst-overrides.ini
imagePullSecrets:
- name: regcred
volumes: volumes:
- name: atst-config - name: atst-config
secret: secret:
@@ -185,15 +139,17 @@ kind: Service
metadata: metadata:
labels: labels:
app: atst app: atst
name: atst name: atst-main
namespace: atat-test namespace: atat
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec: spec:
ports: ports:
- name: http - port: 80
port: 80
targetPort: 8442 targetPort: 8442
selector: selector:
role: web role: web
type: LoadBalancer
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@@ -201,36 +157,13 @@ metadata:
labels: labels:
app: atst app: atst
name: atst-auth name: atst-auth
namespace: atat-test namespace: atat
annotations:
service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
spec: spec:
type: NodePort
ports: ports:
- name: https - port: 80
protocol: TCP targetPort: 8443
nodePort: 32711
port: 8443
selector: selector:
role: web role: web
--- type: LoadBalancer
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: atst
namespace: atat-test
annotations:
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/proxy-body-size: 10m
spec:
tls:
- secretName: atst-test-ingress-tls
hosts:
- test.atat.code.mil
rules:
- host: test.atat.code.mil
http:
paths:
- path: /
backend:
serviceName: atst
servicePort: 80

2
deploy/kubernetes/test/atst-configmap.yml → k8s/azure/atst-configmap.yml
View File

@@ -3,7 +3,7 @@ apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: atst-config name: atst-config
namespace: atat-test namespace: atat
data: data:
uwsgi-config: |- uwsgi-config: |-
[uwsgi] [uwsgi]

7
deploy/kubernetes/test/atst-envvars-configmap.yml → k8s/azure/atst-envvars-configmap.yml
View File

@@ -3,13 +3,10 @@ apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: atst-envvars name: atst-envvars
namespace: atat-test namespace: atat
data: data:
TZ: UTC TZ: UTC
FLASK_ENV: dev FLASK_ENV: dev
OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini
UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi-config.ini UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi.ini
RQ_QUEUES: atat-test
CRL_STORAGE_PROVIDER: CLOUDFILES CRL_STORAGE_PROVIDER: CLOUDFILES
LOG_JSON: "true"
DEBUG: "false"

84
k8s/azure/atst-nginx-configmap.yml Normal file
View File

@@ -0,0 +1,84 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: atst-nginx
namespace: atat
data:
nginx-config: |-
server {
server_name azure.atat.code.mil;
# access_log /var/log/nginx/access.log json;
listen 8442;
listen [::]:8442 ipv6only=on;
# if ($http_x_forwarded_proto != 'https') {
# return 301 https://$host$request_uri;
# }
location /login-redirect {
return 301 https://auth-azure.atat.code.mil$request_uri;
}
location /login-dev {
try_files $uri @appbasicauth;
}
location / {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
location @appbasicauth {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
auth_basic "Developer Access";
auth_basic_user_file /etc/nginx/.htpasswd;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
}
server {
# access_log /var/log/nginx/access.log json;
server_name auth-azure.atat.code.mil;
listen 8443;
listen [::]:8443 ipv6only=on;
# SSL server certificate and private key
# ssl_certificate /etc/ssl/private/auth.atat.crt;
# ssl_certificate_key /etc/ssl/private/auth.atat.key;
# Set SSL protocols, ciphers, and related options
# ssl_protocols TLSv1.3 TLSv1.2;
# ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
# ssl_prefer_server_ciphers on;
# ssl_ecdh_curve secp384r1;
# ssl_dhparam /etc/ssl/dhparam.pem;
# SSL session options
# ssl_session_timeout 4h;
# ssl_session_cache shared:SSL:10m; # 1mb = ~4000 sessions
# ssl_session_tickets off;
# OCSP Stapling
# ssl_stapling on;
# ssl_stapling_verify on;
# resolver 8.8.8.8 8.8.4.4;
# Request and validate client certificate
# ssl_verify_client on;
# ssl_verify_depth 10;
# ssl_client_certificate /etc/ssl/client-ca-bundle.pem;
# Guard against HTTPS -> HTTP downgrade
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; always";
location / {
return 301 https://azure.atat.code.mil$request_uri;
}
location /login-redirect {
try_files $uri @app;
}
location @app {
include uwsgi_params;
uwsgi_pass unix:///var/run/uwsgi/uwsgi.socket;
# uwsgi_param HTTP_X_SSL_CLIENT_VERIFY $ssl_client_verify;
# uwsgi_param HTTP_X_SSL_CLIENT_CERT $ssl_client_raw_cert;
# uwsgi_param HTTP_X_SSL_CLIENT_S_DN $ssl_client_s_dn;
# uwsgi_param HTTP_X_SSL_CLIENT_S_DN_LEGACY $ssl_client_s_dn_legacy;
# uwsgi_param HTTP_X_SSL_CLIENT_I_DN $ssl_client_i_dn;
# uwsgi_param HTTP_X_SSL_CLIENT_I_DN_LEGACY $ssl_client_i_dn_legacy;
uwsgi_param HTTP_X_REQUEST_ID $request_id;
}
}

2
deploy/kubernetes/test/atst-worker-envvars-configmap.yml → k8s/azure/atst-worker-envvars-configmap.yml
View File

@@ -3,7 +3,7 @@ apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
name: atst-worker-envvars name: atst-worker-envvars
namespace: atat-test namespace: atat
data: data:
TZ: UTC TZ: UTC
DISABLE_CRL_CHECK: "True" DISABLE_CRL_CHECK: "True"

122
deploy/kubernetes/uat/uat.yml → k8s/azure/azure.yml
View File

@@ -2,7 +2,7 @@
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
name: atat-uat name: atat
--- ---
apiVersion: extensions/v1beta1 apiVersion: extensions/v1beta1
kind: Deployment kind: Deployment
@@ -10,7 +10,7 @@ metadata:
labels: labels:
app: atst app: atst
name: atst name: atst
namespace: atat-uat namespace: atat
spec: spec:
selector: selector:
matchLabels: matchLabels:
@@ -28,10 +28,10 @@ spec:
fsGroup: 101 fsGroup: 101
containers: containers:
- name: atst - name: atst
image: registry.atat.code.mil:443/atst-prod:03ee3438 image: pwatat.azurecr.io/atat:884d95ada21a5097f5c07f305d8e4e24d0f2a03f
resources: resources:
requests: requests:
memory: "2500Mi" memory: "500Mi"
envFrom: envFrom:
- configMapRef: - configMapRef:
name: atst-envvars name: atst-envvars
@@ -42,40 +42,21 @@ spec:
- name: nginx-client-ca-bundle - name: nginx-client-ca-bundle
mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem" mountPath: "/opt/atat/atst/ssl/server-certs/ca-chain.pem"
subPath: client-ca-bundle.pem subPath: client-ca-bundle.pem
- name: uwsgi-config
mountPath: "/opt/atat/atst/uwsgi-config.ini"
subPath: uwsgi-config.ini
- name: uwsgi-socket-dir - name: uwsgi-socket-dir
mountPath: "/var/run/uwsgi" mountPath: "/var/run/uwsgi"
- name: atst-nginx - name: nginx
image: nginx:alpine image: nginx:alpine
ports: ports:
- containerPort: 8442 - containerPort: 8442
name: http name: main
- containerPort: 8443 - containerPort: 8443
name: https name: auth
volumeMounts: volumeMounts:
- name: nginx-auth-tls
mountPath: "/etc/ssl/private"
- name: nginx-client-ca-bundle
mountPath: "/etc/ssl/client-ca-bundle.pem"
subPath: client-ca-bundle.pem
- name: nginx-config - name: nginx-config
mountPath: "/etc/nginx/conf.d/atst.conf" mountPath: "/etc/nginx/conf.d/atst.conf"
subPath: atst.conf subPath: atst.conf
- name: nginx-config
mountPath: "/etc/nginx/conf.d/00json_log.conf"
subPath: 00json_log.conf
- name: nginx-dhparam
mountPath: "/etc/ssl/dhparam.pem"
subPath: dhparam.pem
- name: nginx-htpasswd
mountPath: "/etc/nginx/.htpasswd"
subPath: .htpasswd
- name: uwsgi-socket-dir - name: uwsgi-socket-dir
mountPath: "/var/run/uwsgi" mountPath: "/var/run/uwsgi"
imagePullSecrets:
- name: regcred
volumes: volumes:
- name: atst-config - name: atst-config
secret: secret:
@@ -84,16 +65,6 @@ spec:
- key: override.ini - key: override.ini
path: atst-overrides.ini path: atst-overrides.ini
mode: 0644 mode: 0644
- name: nginx-auth-tls
secret:
secretName: atst-auth-uat-ingress-tls
items:
- key: tls.crt
path: auth.atat.crt
mode: 0644
- key: tls.key
path: auth.atat.key
mode: 0640
- name: nginx-client-ca-bundle - name: nginx-client-ca-bundle
secret: secret:
secretName: nginx-client-ca-bundle secretName: nginx-client-ca-bundle
@@ -107,29 +78,6 @@ spec:
items: items:
- key: nginx-config - key: nginx-config
path: atst.conf path: atst.conf
- key: nginx-json-log-config
path: 00json_log.conf
- name: nginx-dhparam
secret:
secretName: dhparam-4096
items:
- key: dhparam.pem
path: dhparam.pem
mode: 0640
- name: nginx-htpasswd
secret:
secretName: atst-nginx-htpasswd
items:
- key: htpasswd
path: .htpasswd
mode: 0640
- name: uwsgi-config
configMap:
name: atst-config
items:
- key: uwsgi-config
path: uwsgi-config.ini
mode: 0644
- name: uwsgi-socket-dir - name: uwsgi-socket-dir
emptyDir: emptyDir:
medium: Memory medium: Memory
@@ -140,7 +88,7 @@ metadata:
labels: labels:
app: atst app: atst
name: atst-worker name: atst-worker
namespace: atat-uat namespace: atat
spec: spec:
selector: selector:
matchLabels: matchLabels:
@@ -158,8 +106,13 @@ spec:
fsGroup: 101 fsGroup: 101
containers: containers:
- name: atst-worker - name: atst-worker
image: registry.atat.code.mil:443/atst-prod:03ee3438 image: pwatat.azurecr.io/atat:884d95ada21a5097f5c07f305d8e4e24d0f2a03f
args: ["/bin/bash", "-c", "/opt/atat/atst/script/rq_worker"] args: [
"/opt/atat/atst/.venv/bin/python",
"/opt/atat/atst/.venv/bin/flask",
"rq",
"worker"
]
resources: resources:
requests: requests:
memory: "500Mi" memory: "500Mi"
@@ -172,8 +125,6 @@ spec:
- name: atst-config - name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini" mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini subPath: atst-overrides.ini
imagePullSecrets:
- name: regcred
volumes: volumes:
- name: atst-config - name: atst-config
secret: secret:
@@ -188,15 +139,16 @@ kind: Service
metadata: metadata:
labels: labels:
app: atst app: atst
name: atst name: atst-main
namespace: atat-uat namespace: atat
spec: spec:
loadBalancerIP: 13.92.235.6
ports: ports:
- name: http - port: 80
port: 80
targetPort: 8442 targetPort: 8442
selector: selector:
role: web role: web
type: LoadBalancer
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@@ -204,36 +156,12 @@ metadata:
labels: labels:
app: atst app: atst
name: atst-auth name: atst-auth
namespace: atat-uat namespace: atat
spec: spec:
type: NodePort loadBalancerIP: 23.100.24.41
ports: ports:
- name: https - port: 80
protocol: TCP targetPort: 8443
nodePort: 32701
port: 8443
selector: selector:
role: web role: web
--- type: LoadBalancer
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: atst
namespace: atat-uat
annotations:
kubernetes.io/tls-acme: "true"
kubernetes.io/ingress.class: "nginx"
nginx.ingress.kubernetes.io/proxy-body-size: 10m
spec:
tls:
- secretName: atst-uat-ingress-tls
hosts:
- uat.atat.code.mil
rules:
- host: uat.atat.code.mil
http:
paths:
- path: /
backend:
serviceName: atst
servicePort: 80

42
k8s/shared/migration.yaml Normal file
View File

@@ -0,0 +1,42 @@
apiVersion: batch/v1
kind: Job
metadata:
name: migration
namespace: atat
spec:
ttlSecondsAfterFinished: 100
backoffLimit: 2
template:
spec:
containers:
- name: migration
image: $CONTAINER_IMAGE
command: [
"/bin/sh", "-c"
]
args:
- |
/opt/atat/atst/.venv/bin/python \
/opt/atat/atst/.venv/bin/alembic \
upgrade head \
&& \
/opt/atat/atst/.venv/bin/python \
/opt/atat/atst/script/seed_roles.py
envFrom:
- configMapRef:
name: atst-envvars
- configMapRef:
name: atst-worker-envvars
volumeMounts:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
volumes:
- name: atst-config
secret:
secretName: atst-config-ini
items:
- key: override.ini
path: atst-overrides.ini
mode: 0644
restartPolicy: Never

34
script/cluster_migration Executable file
View File

@@ -0,0 +1,34 @@
#!/bin/sh
if [ -z "${K8S_CONTEXT+is_set}" ]; then
K8S_CMD="kubectl"
else
K8S_CMD="kubectl --context=$K8S_CONTEXT"
fi
if [ -z "${MIGRATION_TIMEOUT+is_set}" ]; then
MIGRATION_TIMEOUT=120s
fi
echo "Creating job..."
envsubst < k8s/shared/migration.yaml | $K8S_CMD -n atat apply -f -
echo "Wait for job to finish or timeout..."
JOB_SUCCESS=$(${K8S_CMD} -n atat wait --for=condition=complete --timeout=${MIGRATION_TIMEOUT} job/migration)
delete_job () {
echo "Deleting job..."
$K8S_CMD -n atat delete job migration
}
if echo "$JOB_SUCCESS" | grep -q "condition met"; then
echo "Job ran successfully."
delete_job
exit 0
else
POD_NAME=$(${K8S_CMD} -n atat get pods -l job-name=migration -o=jsonpath='{.items[0].metadata.name}')
echo "Job failed:"
$K8S_CMD -n atat log $POD_NAME
delete_job
exit 1
fi