Add kubernetes deployment specs

Dockerfile

@@ -0,0 +1,17 @@
+FROM node:14
+
+RUN mkdir /app
+
+COPY package.json /app
+COPY yarn.lock /app
+
+RUN cd /app && yarn install
+
+COPY . /app
+
+RUN rm -rf /app/.env
+RUN touch /app/.env
+
+WORKDIR /app
+
+CMD ["node", "index.js"]

deploy/0-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: noded

deploy/1-deployment.yaml

@@ -0,0 +1,94 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: noded-backend
+  namespace: noded
+spec:
+  selector:
+    matchLabels:
+      app: noded-backend
+  template:
+    metadata:
+      name: noded-backend
+      labels:
+        app: noded-backend
+    spec:
+      volumes:
+        - name: noded-secrets-vol
+          secret:
+            secretName: noded-secrets
+            optional: false
+      containers:
+        - name: noded-web
+          image: ${DOCKER_REGISTRY}/noded/backend
+          imagePullPolicy: Always
+          volumeMounts:
+            - mountPath: /secrets
+              readOnly: true
+              name: noded-secrets-vol
+          env:
+            - name: APP_URL
+              value: "https://${NODED_DOMAIN}/"
+            - name: DATABASE_HOST
+              value: '${NODED_DATABASE_HOST}'
+            - name: DATABASE_NAME
+              value: '${NODED_DATABASE_NAME}'
+            - name: SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: SECRET
+                  name: noded-secrets
+                  optional: false
+            - name: AUTH_COREID_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  key: AUTH_COREID_CLIENT_ID
+                  name: noded-secrets
+                  optional: false
+            - name: AUTH_COREID_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  key: AUTH_COREID_CLIENT_SECRET
+                  name: noded-secrets
+                  optional: false
+            - name: APP_NAME
+              value: "Noded"
+            - name: SERVER_PORT
+              value: '8000'
+            - name: DATABASE_PORT
+              value: '27017'
+            - name: DATABASE_AUTH
+              value: 'false'
+            - name: ENVIRONMENT
+              value: production
+            - name: SSL_ENABLE
+              value: 'false'
+            - name: AUTH_FLITTER_ENABLE
+              value: 'true'
+            - name: AUTH_COREID_ENABLE
+              value: 'true'
+            - name: SESSION_MAX_AGE
+              value: '2678400000'
+            - name: NODE_TLS_REJECT_UNAUTHORIZED
+              value: '0'
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: noded-frontend
+  namespace: noded
+spec:
+  selector:
+    matchLabels:
+      app: noded-frontend
+  template:
+    metadata:
+      name: noded-frontend
+      labels:
+        app: noded-frontend
+    spec:
+      containers:
+        - name: noded-web
+          image: ${DOCKER_REGISTRY}/noded/frontend
+          imagePullPolicy: Always

deploy/2-service.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: noded-backend
+  namespace: noded
+spec:
+  selector:
+    app: noded-backend
+  ports:
+    - port: 80
+      targetPort: 8000
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: noded-frontend
+  namespace: noded
+spec:
+  selector:
+    app: noded-frontend
+  ports:
+    - port: 80
+      targetPort: 80

deploy/3-certificate.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: noded-tls
+  namespace: noded
+spec:
+  secretName: noded-tls-secret
+  dnsNames:
+    - ${NODED_DOMAIN}
+  issuerRef:
+    name: letsencrypt-ca
+    kind: ClusterIssuer

deploy/4-ingress.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: noded-ingress
+  namespace: noded
+  annotations:
+    nginx.ingress.kubernetes.io/ssl-redirect: 'false'
+spec:
+  tls:
+    - hosts:
+        - ${NODED_DOMAIN}
+      secretName: noded-tls-secret
+  ingressClassName: nginx
+  rules:
+    - host: ${NODED_DOMAIN}
+      http:
+        paths:
+          - pathType: Prefix
+            path: '/i/'
+            backend:
+              service:
+                name: noded-frontend
+                port:
+                  number: 80
+          - pathType: Prefix
+            path: '/'
+            backend:
+              service:
+                name: noded-backend
+                port:
+                  number: 80

deploy/README.md

@@ -0,0 +1,27 @@
+This deployment is parameterized for use with `envsubst(1)`.
+
+Before proceeding, you should also build and push the image from `noded/frontend.git`.
+
+You will need to set up the secret values and environment variables (see below).
+
+```shell
+bash -c 'for f in *.yaml; do envsubst < $f | kubectl apply -f -; done'
+```
+
+## Supported environment variables
+
+Set these environment variables in your shell before running the above command to apply the Kubernetes spec.
+
+- `NODED_DOMAIN` - domain name where CoreID is accessed (e.g. `coreid.mydomain.com`)
+- `DOCKER_REGISTRY` - host of the docker registry to pull the image from (e.g. `registry.mydomain.com`)
+  - this is the same registry that is used by `yarn docker:build` and `yarn docker:push`
+- `NODED_DATABASE_HOST` - MongoDB host (e.g. `mongo.mylan.net`)
+- `NODED_DATABASE_NAME` - MongoDB database name to use (e.g. `coreid_p1`)
+
+## Secret values
+
+The spec expects there to be a `coreid-secrets` secret in the `starship` namespace with the following values:
+
+- `SECRET` - hash seed used by CoreID (e.g. `df8db5a2-429b-4597-a013-18efee2465e0`)
+- `AUTH_COREID_CLIENT_ID` - Starship CoreID OAuth2 client ID
+- `AUTH_COREID_CLIENT_SECRET` - Starship CoreID OAuth2 client secret

package.json

@@ -7,6 +7,10 @@
     "type": "git",
     "url": "https://git.garrettmills.dev/flitter/flitter"
   },
+  "scripts": {
+    "docker:build": "docker build -t ${DOCKER_REGISTRY}/noded/backend .",
+    "docker:push": "docker push ${DOCKER_REGISTRY}/noded/backend"
+  },
   "keywords": [
     "flitter",
     "glmdev",