diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..87e14f1
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,17 @@
+FROM node:14
+
+RUN mkdir /app
+
+COPY package.json /app
+COPY yarn.lock /app
+
+RUN cd /app && yarn install
+
+COPY . /app
+
+RUN rm -rf /app/.env
+RUN touch /app/.env
+
+WORKDIR /app
+
+CMD ["node", "index.js"]
diff --git a/deploy/0-namespace.yaml b/deploy/0-namespace.yaml
new file mode 100644
index 0000000..e92614e
--- /dev/null
+++ b/deploy/0-namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: noded
diff --git a/deploy/1-deployment.yaml b/deploy/1-deployment.yaml
new file mode 100644
index 0000000..0f6ed11
--- /dev/null
+++ b/deploy/1-deployment.yaml
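Review bot: `RUN rm -rf /app/.env` does not remove the file from the image: `COPY . /app` two lines earlier already committed it to its own layer and a later `rm` only hides it, so any `.env` present in the build context ships in the pushed image and is recoverable from its history. Keep it out of the context instead with a `.dockerignore` listing `.env`, `node_modules` and `.git` (this commit adds none), after which the `rm`/`touch` pair is only needed if the app insists on the file existing. The image also runs as root on the floating `node:14` tag, and `RUN cd /app && yarn install` can silently rewrite the copied `yarn.lock` on drift instead of failing; the sketch below moves `WORKDIR` up, installs with `--frozen-lockfile` and switches to the `node` user the base image provides.
```dockerfile
FROM node:14
# pin to an exact tag or digest before this reaches production
WORKDIR /app
COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile
# .env is excluded via .dockerignore; configuration comes from the environment
COPY --chown=node:node . .
# keep only if the app requires the file to exist
RUN touch .env
USER node
CMD ["node", "index.js"]
```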
@@ -0,0 +1,94 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: noded-backend
+ namespace: noded
+spec:
+ selector:
+ matchLabels:
+ app: noded-backend
+ template:
+ metadata:
+ name: noded-backend
+ labels:
+ app: noded-backend
+ spec:
+ volumes:
+ - name: noded-secrets-vol
+ secret:
+ secretName: noded-secrets
+ optional: false
+ containers:
+ - name: noded-web
+ image: ${DOCKER_REGISTRY}/noded/backend
+ imagePullPolicy: Always
+ volumeMounts:
+ - mountPath: /secrets
+ readOnly: true
+ name: noded-secrets-vol
+ env:
+ - name: APP_URL
+ value: "https://${NODED_DOMAIN}/"
+ - name: DATABASE_HOST
+ value: '${NODED_DATABASE_HOST}'
+ - name: DATABASE_NAME
+ value: '${NODED_DATABASE_NAME}'
+ - name: SECRET
+ valueFrom:
+ secretKeyRef:
+ key: SECRET
+ name: noded-secrets
+ optional: false
+ - name: AUTH_COREID_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ key: AUTH_COREID_CLIENT_ID
+ name: noded-secrets
+ optional: false
+ - name: AUTH_COREID_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: AUTH_COREID_CLIENT_SECRET
+ name: noded-secrets
+ optional: false
+ - name: APP_NAME
+ value: "Noded"
+ - name: SERVER_PORT
+ value: '8000'
+ - name: DATABASE_PORT
+ value: '27017'
+ - name: DATABASE_AUTH
+ value: 'false'
+ - name: ENVIRONMENT
+ value: production
+ - name: SSL_ENABLE
+ value: 'false'
+ - name: AUTH_FLITTER_ENABLE
+ value: 'true'
+ - name: AUTH_COREID_ENABLE
+ value: 'true'
+ - name: SESSION_MAX_AGE
+ value: '2678400000'
+ - name: NODE_TLS_REJECT_UNAUTHORIZED
+ value: '0'
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: noded-frontend
+ namespace: noded
+spec:
+ selector:
+ matchLabels:
+ app: noded-frontend
+ template:
+ metadata:
+ name: noded-frontend
+ labels:
+ app: noded-frontend
+ spec:
+ containers:
+ - name: noded-web
+ image: ${DOCKER_REGISTRY}/noded/frontend
+ imagePullPolicy: Always
diff --git a/deploy/2-service.yaml b/deploy/2-service.yaml
new file mode 100644
index 0000000..074f305
--- /dev/null
+++ b/deploy/2-service.yaml
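Review bot: `NODE_TLS_REJECT_UNAUTHORIZED` set to `'0'` on the `noded-web` container turns off certificate verification for every outbound TLS connection the backend makes, so the CoreID OAuth2 exchange that carries `AUTH_COREID_CLIENT_SECRET` can be intercepted by anyone on the network path; with `ENVIRONMENT: production` this should not ship. Remove those two lines and, if the upstream services use a private CA, mount that CA and point Node at it with `- name: NODE_EXTRA_CA_CERTS` / `value: /secrets/<ca-bundle-file>` (placeholder path). `DATABASE_AUTH: 'false'` likewise connects to MongoDB without credentials, which is only defensible if the database is reachable solely from this namespace, and a comment stating that assumption would help the next operator. The same secret is both mounted read-only at `/secrets` and injected key by key as env vars, so one of the two is redundant; the file mount keeps the values out of the process environment. Note also that the README in this commit tells operators to create `coreid-secrets` in namespace `starship`, while this manifest requires `noded-secrets` in `noded` with `optional: false`, so the pod will not start if the README is followed.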
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: noded-backend
+ namespace: noded
+spec:
+ selector:
+ app: noded-backend
+ ports:
+ - port: 80
+ targetPort: 8000
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: noded-frontend
+ namespace: noded
+spec:
+ selector:
+ app: noded-frontend
+ ports:
+ - port: 80
+ targetPort: 80
diff --git a/deploy/3-certificate.yaml b/deploy/3-certificate.yaml
new file mode 100644
index 0000000..fc63fe5
--- /dev/null
+++ b/deploy/3-certificate.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: noded-tls
+ namespace: noded
+spec:
+ secretName: noded-tls-secret
+ dnsNames:
+ - ${NODED_DOMAIN}
+ issuerRef:
+ name: letsencrypt-ca
+ kind: ClusterIssuer
diff --git a/deploy/4-ingress.yaml b/deploy/4-ingress.yaml
new file mode 100644
index 0000000..a617f31
--- /dev/null
+++ b/deploy/4-ingress.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: noded-ingress
+ namespace: noded
+ annotations:
+ nginx.ingress.kubernetes.io/ssl-redirect: 'false'
+spec:
+ tls:
+ - hosts:
+ - ${NODED_DOMAIN}
+ secretName: noded-tls-secret
+ ingressClassName: nginx
+ rules:
+ - host: ${NODED_DOMAIN}
+ http:
+ paths:
+ - pathType: Prefix
+ path: '/i/'
+ backend:
+ service:
+ name: noded-frontend
+ port:
+ number: 80
+ - pathType: Prefix
+ path: '/'
+ backend:
+ service:
+ name: noded-backend
+ port:
+ number: 80
diff --git a/deploy/README.md b/deploy/README.md
new file mode 100644
index 0000000..7e9f988
--- /dev/null
+++ b/deploy/README.md
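Review bot: In the `4-ingress.yaml` hunk, `nginx.ingress.kubernetes.io/ssl-redirect: 'false'` keeps plain-HTTP access open on a host that has a `tls` block, so the session cookie and the OAuth2 callback can travel in cleartext even though cert-manager provisions a certificate for it. Unless there is a reason to serve HTTP on this host, drop the annotation (the nginx controller redirects to HTTPS by default when TLS is configured) or set it to `'true'`. The Deployment in this commit already sets `APP_URL` to `https://${NODED_DOMAIN}/`, which suggests HTTPS is the intended entry point and the redirect is safe to enforce.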
@@ -0,0 +1,27 @@
+This deployment is parameterized for use with `envsubst(1)`.
+
+Before proceeding, you should also build and push the image from `noded/frontend.git`.
+
+You will need to set up the secret values and environment variables (see below).
+
+```shell
+bash -c 'for f in *.yaml; do envsubst < $f | kubectl apply -f -; done'
+```
+
+## Supported environment variables
+
+Set these environment variables in your shell before running the above command to apply the Kubernetes spec.
+
+- `NODED_DOMAIN` - domain name where CoreID is accessed (e.g. `coreid.mydomain.com`)
+- `DOCKER_REGISTRY` - host of the docker registry to pull the image from (e.g. `registry.mydomain.com`)
+ - this is the same registry that is used by `yarn docker:build` and `yarn docker:push`
+- `NODED_DATABASE_HOST` - MongoDB host (e.g. `mongo.mylan.net`)
+- `NODED_DATABASE_NAME` - MongoDB database name to use (e.g. `coreid_p1`)
+
+## Secret values
+
+The spec expects there to be a `coreid-secrets` secret in the `starship` namespace with the following values:
+
+- `SECRET` - hash seed used by CoreID (e.g. `df8db5a2-429b-4597-a013-18efee2465e0`)
+- `AUTH_COREID_CLIENT_ID` - Starship CoreID OAuth2 client ID
+- `AUTH_COREID_CLIENT_SECRET` - Starship CoreID OAuth2 client secret
diff --git a/package.json b/package.json
index 2e443bc..2f132e7 100644
--- a/package.json
+++ b/package.json
@@ -7,6 +7,10 @@ "type": "git", "url": "https://git.garrettmills.dev/flitter/flitter" },
+ "scripts": {
+ "docker:build": "docker build -t ${DOCKER_REGISTRY}/noded/backend .",
+ "docker:push": "docker push ${DOCKER_REGISTRY}/noded/backend"
+ },
 "keywords": [ "flitter", "glmdev",
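Review bot: The new `docker:build` script tags the image without a version, so `docker:push` publishes the mutable `latest` tag that the Deployment then pulls with `imagePullPolicy: Always`; a rollout cannot be pinned to a known build or rolled back, and an unset `DOCKER_REGISTRY` silently yields the invalid name `/noded/backend`. Tag with an immutable identifier and fail fast on missing input, e.g. `"docker:build": "docker build -t ${DOCKER_REGISTRY:?DOCKER_REGISTRY not set}/noded/backend:${IMAGE_TAG:?IMAGE_TAG not set} ."` with the same tag in `docker:push` and in the manifest's `image:` field (constructed example; `IMAGE_TAG` is a name to choose). Since `docker build .` sends the whole working tree as context and this commit adds no `.dockerignore`, a local `.env` or `node_modules` will be uploaded on every build.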