- Don't write a CRL to the cache if the response code is above 399. (We
were getting HTML files as CRLs, d'oh).
- Fix a kwarg in the CRL logger (extras -> extra).
- Set Kubernetes clusters to log output as JSON.
Chose Elastic File Storage over EBS (Elastic Block Storage) because the
latter can only be mounted into a single node.
This adds the RBAC config and deployment for managing EFS mounts within
the cluster. Largely depends on this efs-provisioner config:
https://github.com/kubernetes-incubator/external-storage/tree/master/aws/efs
The config has been hard-copied into the repo and updated for future
reference. Note that the config requires an environment variable
substitution and cannot be applied directly to the cluster.
- Fix some Python formatting and import issues
- Fix Dockerfile to include sync-crls script
- Adjust sync-crls script to use paths and CLI tools available in the
Docker container
This adds a previous version of the CRL sync functionality back to the
repo, with some small adjustments. We now grab the CRLs directly from
their DISA URLs.
The CRL sync is handled by a Kubernetes cronjob that syncs the files to a
persistent volume that is mounted into each Flask app container.
There may be a cleaner way to configure this with Kubernetes. For now,
we expose port 80 on the load balancers and let NGINX redirect that
traffic to the HTTPS version of the site.
This presumes the existence of TLS Kubernetes secrets available in both
clusters. It adds NGINX config for SSL termination and the necessary k8s
config to write the certificate and private key to the NGINX container.
Add CircleCI config for both CSPs to:
- build the Docker image and push it to the registry
- run a short-lived k8s job to apply migrations and seed data
- update the images for the Flask pods and rq worker pods