13 Commits

Author SHA1 Message Date
dandds
88171aaee7 Supply named default queue for Celery.
Supplying this will prevent queue clashes between various ATAT sites
sharing the same Redis instance.

Note that the Celery documentation is currently wrong about the name for
configuring this:

https://docs.celeryproject.org/en/latest/userguide/configuration.html#std:setting-task_default_queue

It specifies `CELERY_TASK_DEFAULT_QUEUE`, but
`CELERY_DEFAULT_QUEUE` is the value that Celery currently looks for.
This appears to be fixed in on an upcoming release:

https://github.com/celery/celery/issues/5575

This is worth keeping an eye on, since the configuration key could
change in the future.
2019-11-14 15:48:14 -05:00
dandds
79eb691907 Configure K8s deployment for easy LetsEncrypt verification.
This is not the certificate setup we will use in production. I'd like to
merge this configuration as a reference point because this is the
easiest way to handle manual LetsEncrypt verification within the
cluster.

This allows NGINX to serve static files over HTTP from the
".well-known/acme-challenge" directory, which is necessary for certbot
validation of domain ownership.
2019-11-14 09:51:35 -05:00
dandds
fd57036f74 Keep client CAs as a K8s ConfigMap.
The CAs used to verify clients are not secrets and can be committed to
the repository as K8s ConfigMaps. This updates the config to include
them.
2019-11-08 14:28:45 -05:00
dandds
630469744a Use kustomize and envsubst to generalize k8s config.
Adds a [kustomize](https://github.com/kubernetes-sigs/kustomize) overlay
for a new staging environment. Additionally, adds environment variables
in the place of certain pieces of information that need to be templated.

The K8s README ("deploy/README.md") has been updated to reflect the new
method for applying config.

This commit also removes the configuration for the AWS cluster and
references to AWS in the README.
2019-11-08 14:28:45 -05:00
dandds
efcb9681d3 Make Postgres SSL connection configurable.
This will allow us to force SSL connections to the database in
production by setting two values:

- PGSSLMODE should be set to "verify-full". This forces the client to
  verify the server against a known CA: https://www.postgresql.org/docs/10/libpq-ssl.html
- PGSSLROOTCERT should be set to the path of the public cert for the
  relevant CA.

When the database connection is made, these values are passed to the
adapter. For local development, PGSSLMODE is set to "prefer" and
PGSSLROOTCERT is left unset.

Kubernetes config has been added to maintain the root CAs for both Azure
and AWS as k8s ConfigMap objects. These are mounted into the containers
and referenced by PGSSLROOTCERT in the container environment.
2019-10-17 16:05:19 -04:00
dandds
fc637e933d Specify Flask SERVER_NAME value for Celery worker.
The Celery worker cannot render URLs for the app without having a
SERVER_NAME value set. AT-AT's ability to send notifications when an
environment is ready is broken as a result.

This commit sets a null default value for SERVER_NAME in the default
config file. A setting must exist in the INI file in order to be
over-written by an environment variable, which is why we declare it as
null here. There is an additional kwarg, "allow_no_value", that must be
passed to ConfigParser to allow null values.

This also applies the correct domains as SERVER_NAME environment
variables in the Kubernetes ConfigMaps for the AWS and Azure Celery
workers.
2019-10-16 11:57:18 -04:00
dandds
bbd0ffe1a9 Kubernetes configuration to allow Azure Monitor to collect logs.
With this additional ClusterRole and ClusterRoleBinding, Azure Monitor
will receive the aggregate logs from our application containers.
2019-10-11 11:24:53 -04:00
dandds
67ff70201e Add beat worker to the deployment.
We will run a separate pod for the beat worker. There should only ever
be a single beat worker (to avoid redundant work) so the number of
replicas needs to be managed independently.

This adds both the Kubernetes config for the new pod and additional
CircleCI config to swap a new image into the pod during CD.
2019-09-18 16:34:56 -04:00
dandds
ace222fe95 Push multiple Docker tags for image in CD.
This will allow Kubernetes resources that only pull images occasionally
(i.e., k8s jobs) to point to a static tag name, "latest", that is updated
regularly. It also means we can refer to that image in the k8s config
tracked in the repo, instead of out-of-date images.
2019-09-11 15:37:09 -04:00
dandds
e809f06c32 Make log-level INFO for Celery workers in kubernetes cluster.
This is useful for testing and development purposes. Otherwise there's
not much log output.
2019-08-29 14:18:06 -04:00
dandds
d7478e322a Use Celery instead of RQ.
Celery provides a more robust set of queueing options for both tasks and
worker processes. Updates include:
- infrastructure necessary to run Celery, including celery entrypoint
- backgrounded functions are now imported directly from atst.jobs
- update tests as-needed
- update kubernetes worker pod command
2019-08-29 09:33:47 -04:00
dandds
485f578c78 Apply config changes for CSP file uploads.
This applies configuration changes for the Flask app and adds changes to
the Dockerfile so that the build can make a CSP-specific JS bundle. It
adds `write_dotenv` script that creates the appropriate `.env` file for
the `parcel` bundler depending on how the `CSP` environment variable is
set.

- Configure K8s environment variables for Flask CSP usage
- Supply default CSP config setting to Flask app
- Declare the CSP arg in the Dockerfile
- Supply extra Docker build args to CD
- Fix top-level reference to boto3 in file_upload module
- Add back missing sample NGINX config for docker-compose build
2019-08-09 08:05:20 -04:00
dandds
c100cc8d1f Move k8s config dir to deploy dir 2019-08-08 08:30:14 -04:00