diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..14c69e3
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,16 @@
+FROM node:14
+
+RUN mkdir /app
+
+COPY package.json /app
+COPY yarn.lock /app
+
+RUN cd /app && yarn install
+
+COPY . /app
+
+RUN rm -rf /app/.env
+RUN touch /app/.env
+
+WORKDIR /app
+CMD ["node", "index.js"]
diff --git a/config/redis.config.js b/config/redis.config.js
index 18f9471..1ca88f8 100644
--- a/config/redis.config.js
+++ b/config/redis.config.js
@@ -10,6 +10,7 @@ const redis_config = {
 // https://github.com/luin/ioredis#connect-to-redis
 server: {
 host: env('REDIS_HOST', 'localhost'),
+ password: env('REDIS_PASS'),
 port: env('REDIS_PORT', 6379),
 },
 }
diff --git a/deploy/0-namespace.yaml b/deploy/0-namespace.yaml
new file mode 100644
index 0000000..6fd67d0
--- /dev/null
+++ b/deploy/0-namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: starship
diff --git a/deploy/1-deployment.yaml b/deploy/1-deployment.yaml
new file mode 100644
index 0000000..01eb210
--- /dev/null
+++ b/deploy/1-deployment.yaml
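Review bot: `RUN rm -rf /app/.env` does not remove a `.env` from the image: the preceding `COPY . /app` has already committed it to its own layer, so any local secrets in that file remain retrievable from the image history. Excluding it at the source is the fix — add `.env` (and `node_modules`) to a `.dockerignore` next to this Dockerfile, after which the `rm`/`touch` pair reduces to `RUN touch /app/.env` if the app needs the file to exist. Moving `WORKDIR /app` above the install step makes the `cd /app &&` unnecessary, and since the lockfile is copied in, `yarn install --frozen-lockfile` makes the build fail instead of silently resolving different versions. The container also runs as root; the official node image ships a `node` user, so `USER node` before `CMD` is a cheap privilege drop, and `node:14` is past end of life, so pinning a supported major (ideally by digest) is worth a follow-up.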
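Review bot: `password: env('REDIS_PASS')` has no fallback, so when the variable is unset the client gets whatever `env()` returns for a missing key — presumably `undefined`, which as far as I know makes ioredis skip AUTH and connect unauthenticated without any warning. The manifests in deploy/ always supply it from the `coreid-secrets` secret with `optional: false`, so the silent path only matters for local runs, but a line making that explicit would help the next reader: `password: env('REDIS_PASS'), // unset => no AUTH is sent; required by deploy/1-deployment.yaml`. The enclosing `redis_config` object starts above the hunk.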
@@ -0,0 +1,217 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: coreid-www
+ namespace: starship
+spec:
+ selector:
+ matchLabels:
+ app: coreid
+ template:
+ metadata:
+ name: coreid
+ labels:
+ app: coreid
+ spec:
+ volumes:
+ - name: coreid-secrets-vol
+ secret:
+ secretName: coreid-secrets
+ optional: false
+ containers:
+ - name: coreid-web
+ image: ${DOCKER_REGISTRY}/starship/coreid
+ imagePullPolicy: Always
+ volumeMounts:
+ - mountPath: /secrets
+ readOnly: true
+ name: coreid-secrets-vol
+ env:
+ - name: APP_URL
+ value: "https://${COREID_DOMAIN}/"
+ - name: DATABASE_HOST
+ value: '${COREID_DATABASE_HOST}'
+ - name: DATABASE_NAME
+ value: '${COREID_DATABASE_NAME}'
+ - name: LDAP_BASE_DC
+ value: '${COREID_LDAP_BASE_DC}'
+ - name: REDIS_HOST
+ value: '${COREID_REDIS_HOST}'
+ - name: SMTP_HOST
+ value: '${COREID_SMTP_HOST}'
+ - name: SECRET
+ valueFrom:
+ secretKeyRef:
+ key: SECRET
+ name: coreid-secrets
+ optional: false
+ - name: SMTP_USER
+ valueFrom:
+ secretKeyRef:
+ key: SMTP_USER
+ name: coreid-secrets
+ optional: false
+ - name: SMTP_DEFAULT_SENDER
+ valueFrom:
+ secretKeyRef:
+ key: SMTP_DEFAULT_SENDER
+ name: coreid-secrets
+ optional: false
+ - name: SMTP_PASS
+ valueFrom:
+ secretKeyRef:
+ key: SMTP_PASS
+ name: coreid-secrets
+ optional: false
+ - name: REDIS_PASS
+ valueFrom:
+ secretKeyRef:
+ key: REDIS_PASS
+ name: coreid-secrets
+ optional: false
+ - name: APP_NAME
+ value: "Starship CoreID"
+ - name: SERVER_PORT
+ value: '8000'
+ - name: DATABASE_PORT
+ value: '27017'
+ - name: DATABASE_AUTH
+ value: 'false'
+ - name: ENVIRONMENT
+ value: production
+ - name: SSL_ENABLE
+ value: 'false'
+ - name: LDAP_SERVER_PORT
+ value: '636'
+ - name: LDAP_SSL_ENABLE
+ value: 'true'
+ - name: LDAP_CERT_PATH
+ value: '/secrets/X509_CERT'
+ - name: LDAP_CERT_KEY_PATH
+ value: '/secrets/X509_KEY'
+ - name: SAML_CERT_FILE
+ value: '/secrets/X509_CERT'
+ - name: SAML_KEY_FILE
+ value: '/secrets/X509_KEY'
+ - name: RADIUS_CERT_FILE
+ value: '/secrets/X509_CERT'
+ - name: RADIUS_KEY_FILE
+ value: '/secrets/X509_KEY'
+ - name: REDIS_PORT
+ value: '6379'
+ - name: SMTP_PORT
+ value: '587'
+ - name: OPENID_CONNECT_PROXY
+ value: 'true'
+ - name: SESSION_MAX_AGE
+ value: '1209600000'
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: coreid-jobs
+ namespace: starship
+spec:
+ selector:
+ matchLabels:
+ app: coreid-jobs
+ template:
+ metadata:
+ name: coreid
+ labels:
+ app: coreid-jobs
+ spec:
+ volumes:
+ - name: coreid-secrets-vol
+ secret:
+ secretName: coreid-secrets
+ optional: false
+ containers:
+ - name: coreid-job-worker
+ image: ${DOCKER_REGISTRY}/starship/coreid
+ imagePullPolicy: Always
+ command: ["node", "/app/flitter", "worker", "main"]
+ volumeMounts:
+ - mountPath: /secrets
+ readOnly: true
+ name: coreid-secrets-vol
+ env:
+ - name: APP_URL
+ value: "https://${COREID_DOMAIN}/"
+ - name: DATABASE_HOST
+ value: '${COREID_DATABASE_HOST}'
+ - name: DATABASE_NAME
+ value: '${COREID_DATABASE_NAME}'
+ - name: LDAP_BASE_DC
+ value: '${COREID_LDAP_BASE_DC}'
+ - name: REDIS_HOST
+ value: '${COREID_REDIS_HOST}'
+ - name: SMTP_HOST
+ value: '${COREID_SMTP_HOST}'
+ - name: SECRET
+ valueFrom:
+ secretKeyRef:
+ key: SECRET
+ name: coreid-secrets
+ optional: false
+ - name: SMTP_USER
+ valueFrom:
+ secretKeyRef:
+ key: SMTP_USER
+ name: coreid-secrets
+ optional: false
+ - name: SMTP_DEFAULT_SENDER
+ valueFrom:
+ secretKeyRef:
+ key: SMTP_DEFAULT_SENDER
+ name: coreid-secrets
+ optional: false
+ - name: SMTP_PASS
+ valueFrom:
+ secretKeyRef:
+ key: SMTP_PASS
+ name: coreid-secrets
+ optional: false
+ - name: REDIS_PASS
+ valueFrom:
+ secretKeyRef:
+ key: REDIS_PASS
+ name: coreid-secrets
+ optional: false
+ - name: APP_NAME
+ value: "Starship CoreID"
+ - name: SERVER_PORT
+ value: '8000'
+ - name: DATABASE_PORT
+ value: '27017'
+ - name: DATABASE_AUTH
+ value: 'false'
+ - name: ENVIRONMENT
+ value: production
+ - name: SSL_ENABLE
+ value: 'false'
+ - name: LDAP_SERVER_PORT
+ value: '636'
+ - name: LDAP_SSL_ENABLE
+ value: 'true'
+ - name: LDAP_CERT_PATH
+ value: '/secrets/X509_CERT'
+ - name: LDAP_CERT_KEY_PATH
+ value: '/secrets/X509_KEY'
+ - name: SAML_CERT_FILE
+ value: '/secrets/X509_CERT'
+ - name: SAML_KEY_FILE
+ value: '/secrets/X509_KEY'
+ - name: RADIUS_CERT_FILE
+ value: '/secrets/X509_CERT'
+ - name: RADIUS_KEY_FILE
+ value: '/secrets/X509_KEY'
+ - name: REDIS_PORT
+ value: '6379'
+ - name: SMTP_PORT
+ value: '587'
+ - name: OPENID_CONNECT_PROXY
+ value: 'true'
+ - name: SESSION_MAX_AGE
+ value: '1209600000'
diff --git a/deploy/2-service.yaml b/deploy/2-service.yaml
new file mode 100644
index 0000000..5a6d0eb
--- /dev/null
+++ b/deploy/2-service.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: coreid-web
+ namespace: starship
+spec:
+ selector:
+ app: coreid
+ ports:
+ - port: 80
+ targetPort: 8000
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: coreid-ldaps
+ namespace: starship
+spec:
+ selector:
+ app: coreid
+ ports:
+ - port: 636
+ targetPort: 636
diff --git a/deploy/3-certificate.yaml b/deploy/3-certificate.yaml
new file mode 100644
index 0000000..5f7ccc2
--- /dev/null
+++ b/deploy/3-certificate.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: coreid-tls
+ namespace: starship
+spec:
+ secretName: coreid-tls-secret
+ dnsNames:
+ - ${COREID_DOMAIN}
+ issuerRef:
+ name: letsencrypt-ca
+ kind: ClusterIssuer
diff --git a/deploy/4-ingress.yaml b/deploy/4-ingress.yaml
new file mode 100644
index 0000000..c0b371e
--- /dev/null
+++ b/deploy/4-ingress.yaml
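Review bot: The `coreid-secrets-vol` volume in both Deployments projects the whole `coreid-secrets` secret to `/secrets`, so `SECRET`, `SMTP_PASS` and `REDIS_PASS` end up on disk inside the container as files even though only the two certificate keys are ever read from that path (`LDAP_CERT_PATH`, `SAML_*_FILE`, `RADIUS_*_FILE`); restricting the volume with `items:` to `X509_CERT` and `X509_KEY` keeps the mount to what is actually needed. The `image: ${DOCKER_REGISTRY}/starship/coreid` reference carries no tag, so with `imagePullPolicy: Always` every pod restart pulls whatever `latest` is at that moment, and a re-applied spec that has not textually changed does not roll the pods — threading a tag or digest through envsubst (a new variable such as `${COREID_IMAGE_TAG}`) makes rollouts deterministic. The roughly 90-line env block is duplicated verbatim between `coreid-www` and `coreid-jobs`; the non-secret values belong in a ConfigMap consumed via `envFrom`, leaving only the `secretKeyRef` entries inline. Neither pod spec sets `resources` or a `securityContext` (`runAsNonRoot`, `readOnlyRootFilesystem`), and `DATABASE_AUTH: 'false'` hardcodes an unauthenticated MongoDB for a production identity provider, which is only defensible if that host is network-isolated from everything but this namespace — a comment stating that assumption, or parameterizing the value, would be appropriate.
```yaml
      volumes:
        - name: coreid-secrets-vol
          secret:
            secretName: coreid-secrets
            optional: false
            # only the certificate material is read from disk; passwords stay env-only
            items:
              - key: X509_CERT
                path: X509_CERT
              - key: X509_KEY
                path: X509_KEY
      # … unchanged: containers, volumeMounts, env …
```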
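Review bot: Neither Service sets `type`, so both default to ClusterIP and `coreid-ldaps` on 636 is reachable only from inside the cluster; nothing in this commit routes LDAPS through the Ingress (which is HTTP-only), so if the directory under `COREID_LDAP_BASE_DC` is meant to serve clients outside the cluster, this service needs `type: LoadBalancer` or an equivalent TCP exposure. If cluster-internal access is the intent, a comment on the service saying so would pre-empt the question for the next operator. Naming the ports (`name: http` / `name: ldaps`) and stating `protocol: TCP` explicitly is cheap documentation as well.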
@@ -0,0 +1,25 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: coreid-ingress
+ namespace: starship
+ annotations:
+ nginx.ingress.kubernetes.io/ssl-redirect: 'false'
+spec:
+ tls:
+ - hosts:
+ - ${COREID_DOMAIN}
+ secretName: coreid-tls-secret
+ ingressClassName: nginx
+ rules:
+ - host: ${COREID_DOMAIN}
+ http:
+ paths:
+ - pathType: Prefix
+ path: '/'
+ backend:
+ service:
+ name: coreid-web
+ port:
+ number: 80
diff --git a/deploy/README.md b/deploy/README.md
new file mode 100644
index 0000000..b13fd63
--- /dev/null
+++ b/deploy/README.md
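Review bot: `nginx.ingress.kubernetes.io/ssl-redirect: 'false'` keeps plain-HTTP access to `${COREID_DOMAIN}` open alongside the TLS listener, so an identity provider that issues SAML/OIDC sessions can be reached, and its session cookie sent in cleartext, whenever a client or link uses `http://`. The application is configured with an `https://` `APP_URL`, so nothing in this commit depends on the HTTP path; dropping the annotation (ingress-nginx redirects to HTTPS by default once a `tls` block is present) or setting it to `'true'` is the safer choice. If cleartext is required for a specific reason, that reason belongs in a comment next to the annotation so it is not removed as an oversight later.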
@@ -0,0 +1,32 @@
+This deployment is parameterized for use with `envsubst(1)`.
+
+You will need to set up the secret values and environment variables (see below).
+
+```shell
+bash -c 'for f in *.yaml; do envsubst < $f | kubectl apply -f -; done'
+```
+
+## Supported environment variables
+
+Set these environment variables in your shell before running the above command to apply the Kubernetes spec.
+
+- `COREID_DOMAIN` - domain name where CoreID is accessed (e.g. `coreid.mydomain.com`)
+- `DOCKER_REGISTRY` - host of the docker registry to pull the image from (e.g. `registry.mydomain.com`)
+ - this is the same registry that is used by `yarn docker:build` and `yarn docker:push`
+- `COREID_DATABASE_HOST` - MongoDB host (e.g. `mongo.mylan.net`)
+- `COREID_DATABASE_NAME` - MongoDB database name to use (e.g. `coreid_p1`)
+- `COREID_LDAP_BASE_DC` - base DC to use for LDAP tree (e.g. `dc=platform,dc=local`)
+- `COREID_REDIS_HOST` - Redis host (e.g. `redis.mylan.net`)
+- `COREID_SMTP_HOST` - SMTP server host (e.g. `smtp.mymail.com`)
+
+## Secret values
+
+The spec expects there to be a `coreid-secrets` secret in the `starship` namespace with the following values:
+
+- `SECRET` - hash seed used by CoreID (e.g. `df8db5a2-429b-4597-a013-18efee2465e0`)
+- `SMTP_USER` - username used to log-into SMTP server (e.g. `user@mymail.com`)
+- `SMTP_DEFAULT_SENDER` - email to use as FROM address. Usually same as `SMTP_USER` (e.g. `user@mymail.com`)
+- `SMTP_PASS` - password for `SMTP_USER`
+- `REDIS_PASS` - password for the Redis service
+- `X509_CERT` - contents of the x509 certificate to be used for SAML/LDAP/RADIUS
+- `X509_KEY` - contents of the x509 certificate key to be used for SAML/LDAP/RADIUS
diff --git a/package.json b/package.json
index 51691b7..ea4b55d 100644
--- a/package.json
+++ b/package.json
@@ -13,6 +13,10 @@
 "framework",
 "express"
 ],
+ "scripts": {
+ "docker:build": "docker build -t ${DOCKER_REGISTRY}/starship/coreid .",
+ "docker:push": "docker push ${DOCKER_REGISTRY}/starship/coreid"
+ },
 "author": "Garrett Mills (https://garrettmills.dev/)",
 "license": "MIT",
 "dependencies": {
diff --git a/yarn.lock b/yarn.lock
index c400f24..0632131 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2216,9 +2216,9 @@ flitter-i18n@^0.1.1:
 pluralize "^8.0.0"
 
 flitter-jobs@^0.4.0:
- version "0.4.0"
- resolved "https://registry.yarnpkg.com/flitter-jobs/-/flitter-jobs-0.4.0.tgz#6871f611fddb43e8e0ecdb144743ada967aedf8a"
- integrity sha512-L7SPCzxR+pR9LflWOsChkalhLav7YSES79dv7N8VEFpQuhXZ01jm0MwUnKMJyS9+QOiogDzQuab7IsVdMojUFQ==
+ version "0.4.3"
+ resolved "https://registry.yarnpkg.com/flitter-jobs/-/flitter-jobs-0.4.3.tgz#60f935e38710b42099fc7d2e6b71df2156881363"
+ integrity sha512-T+qAcHOD8zRY9s55RepQ5hftzghq4isT2WuoWQBXrDpZB9xGr09yvvLwIyRhPy3zHxDUG23V6boin3HGdxwojA==
 dependencies:
 bullmq "^1.8.8"
 flitter-redis "^0.1.1"
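Review bot: Both new scripts rely on the shell expanding `${DOCKER_REGISTRY}`, so with the variable unset the image name silently becomes `/starship/coreid` and docker fails with an unrelated-looking error; `${DOCKER_REGISTRY:?DOCKER_REGISTRY must be set}` in both scripts turns that into a clear message without adding lines. The expansion also only works under a POSIX shell, which yarn uses on Linux/macOS but not under cmd.exe on Windows — a one-line note next to the `DOCKER_REGISTRY` entry in deploy/README.md would save someone a confusing failure. The image is built and pushed untagged, i.e. as `latest`, which matches the untagged reference in deploy/1-deployment.yaml but means every push overwrites the only tag the cluster can pull, so there is no way to roll back by re-pointing the Deployment.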