Add kubernetes deployment specs

2022-06-25 20:55:06 -05:00 · 2022-06-25 20:55:06 -05:00 · 562ada3af5
commit 562ada3af5
parent 04ea16743d
10 changed files with 339 additions and 3 deletions
--- a/16
+++ b/16
@ -0,0 +1,16 @@
 FROM node:14
 RUN mkdir /app
 COPY package.json /app
 COPY yarn.lock /app
 RUN cd /app && yarn install
 COPY . /app
 RUN rm -rf /app/.env
 RUN touch /app/.env
 WORKDIR /app
 CMD ["node", "index.js"]
--- a/config/redis.config.js
+++ b/config/redis.config.js
@ -10,6 +10,7 @@ const redis_config = {
    //  https://github.com/luin/ioredis#connect-to-redis
    server: {
        host: env('REDIS_HOST', 'localhost'),
        password: env('REDIS_PASS'),
        port: env('REDIS_PORT', 6379),
    },
 }
--- a/deploy/0-namespace.yaml
+++ b/deploy/0-namespace.yaml
@ -0,0 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: starship
--- a/deploy/1-deployment.yaml
+++ b/deploy/1-deployment.yaml
@ -0,0 +1,217 @@
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: coreid-www
  namespace: starship
 spec:
  selector:
    matchLabels:
      app: coreid
  template:
    metadata:
      name: coreid
      labels:
        app: coreid
    spec:
      volumes:
        - name: coreid-secrets-vol
          secret:
            secretName: coreid-secrets
            optional: false
      containers:
        - name: coreid-web
          image: ${DOCKER_REGISTRY}/starship/coreid
          imagePullPolicy: Always
          volumeMounts:
            - mountPath: /secrets
              readOnly: true
              name: coreid-secrets-vol
          env:
            - name: APP_URL
              value: "https://${COREID_DOMAIN}/"
            - name: DATABASE_HOST
              value: '${COREID_DATABASE_HOST}'
            - name: DATABASE_NAME
              value: '${COREID_DATABASE_NAME}'
            - name: LDAP_BASE_DC
              value: '${COREID_LDAP_BASE_DC}'
            - name: REDIS_HOST
              value: '${COREID_REDIS_HOST}'
            - name: SMTP_HOST
              value: '${COREID_SMTP_HOST}'
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  key: SECRET
                  name: coreid-secrets
                  optional: false
            - name: SMTP_USER
              valueFrom:
                secretKeyRef:
                  key: SMTP_USER
                  name: coreid-secrets
                  optional: false
            - name: SMTP_DEFAULT_SENDER
              valueFrom:
                secretKeyRef:
                  key: SMTP_DEFAULT_SENDER
                  name: coreid-secrets
                  optional: false
            - name: SMTP_PASS
              valueFrom:
                secretKeyRef:
                  key: SMTP_PASS
                  name: coreid-secrets
                  optional: false
            - name: REDIS_PASS
              valueFrom:
                secretKeyRef:
                  key: REDIS_PASS
                  name: coreid-secrets
                  optional: false
            - name: APP_NAME
              value: "Starship CoreID"
            - name: SERVER_PORT
              value: '8000'
            - name: DATABASE_PORT
              value: '27017'
            - name: DATABASE_AUTH
              value: 'false'
            - name: ENVIRONMENT
              value: production
            - name: SSL_ENABLE
              value: 'false'
            - name: LDAP_SERVER_PORT
              value: '636'
            - name: LDAP_SSL_ENABLE
              value: 'true'
            - name: LDAP_CERT_PATH
              value: '/secrets/X509_CERT'
            - name: LDAP_CERT_KEY_PATH
              value: '/secrets/X509_KEY'
            - name: SAML_CERT_FILE
              value: '/secrets/X509_CERT'
            - name: SAML_KEY_FILE
              value: '/secrets/X509_KEY'
            - name: RADIUS_CERT_FILE
              value: '/secrets/X509_CERT'
            - name: RADIUS_KEY_FILE
              value: '/secrets/X509_KEY'
            - name: REDIS_PORT
              value: '6379'
            - name: SMTP_PORT
              value: '587'
            - name: OPENID_CONNECT_PROXY
              value: 'true'
            - name: SESSION_MAX_AGE
              value: '1209600000'
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: coreid-jobs
  namespace: starship
 spec:
  selector:
    matchLabels:
      app: coreid-jobs
  template:
    metadata:
      name: coreid
      labels:
        app: coreid-jobs
    spec:
      volumes:
        - name: coreid-secrets-vol
          secret:
            secretName: coreid-secrets
            optional: false
      containers:
        - name: coreid-job-worker
          image: ${DOCKER_REGISTRY}/starship/coreid
          imagePullPolicy: Always
          command: ["node", "/app/flitter", "worker", "main"]
          volumeMounts:
            - mountPath: /secrets
              readOnly: true
              name: coreid-secrets-vol
          env:
            - name: APP_URL
              value: "https://${COREID_DOMAIN}/"
            - name: DATABASE_HOST
              value: '${COREID_DATABASE_HOST}'
            - name: DATABASE_NAME
              value: '${COREID_DATABASE_NAME}'
            - name: LDAP_BASE_DC
              value: '${COREID_LDAP_BASE_DC}'
            - name: REDIS_HOST
              value: '${COREID_REDIS_HOST}'
            - name: SMTP_HOST
              value: '${COREID_SMTP_HOST}'
            - name: SECRET
              valueFrom:
                secretKeyRef:
                  key: SECRET
                  name: coreid-secrets
                  optional: false
            - name: SMTP_USER
              valueFrom:
                secretKeyRef:
                  key: SMTP_USER
                  name: coreid-secrets
                  optional: false
            - name: SMTP_DEFAULT_SENDER
              valueFrom:
                secretKeyRef:
                  key: SMTP_DEFAULT_SENDER
                  name: coreid-secrets
                  optional: false
            - name: SMTP_PASS
              valueFrom:
                secretKeyRef:
                  key: SMTP_PASS
                  name: coreid-secrets
                  optional: false
            - name: REDIS_PASS
              valueFrom:
                secretKeyRef:
                  key: REDIS_PASS
                  name: coreid-secrets
                  optional: false
            - name: APP_NAME
              value: "Starship CoreID"
            - name: SERVER_PORT
              value: '8000'
            - name: DATABASE_PORT
              value: '27017'
            - name: DATABASE_AUTH
              value: 'false'
            - name: ENVIRONMENT
              value: production
            - name: SSL_ENABLE
              value: 'false'
            - name: LDAP_SERVER_PORT
              value: '636'
            - name: LDAP_SSL_ENABLE
              value: 'true'
            - name: LDAP_CERT_PATH
              value: '/secrets/X509_CERT'
            - name: LDAP_CERT_KEY_PATH
              value: '/secrets/X509_KEY'
            - name: SAML_CERT_FILE
              value: '/secrets/X509_CERT'
            - name: SAML_KEY_FILE
              value: '/secrets/X509_KEY'
            - name: RADIUS_CERT_FILE
              value: '/secrets/X509_CERT'
            - name: RADIUS_KEY_FILE
              value: '/secrets/X509_KEY'
            - name: REDIS_PORT
              value: '6379'
            - name: SMTP_PORT
              value: '587'
            - name: OPENID_CONNECT_PROXY
              value: 'true'
            - name: SESSION_MAX_AGE
              value: '1209600000'
--- a/deploy/2-service.yaml
+++ b/deploy/2-service.yaml
@ -0,0 +1,24 @@
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: coreid-web
  namespace: starship
 spec:
  selector:
    app: coreid
  ports:
    - port: 80
      targetPort: 8000
 ---
 apiVersion: v1
 kind: Service
 metadata:
  name: coreid-ldaps
  namespace: starship
 spec:
  selector:
    app: coreid
  ports:
    - port: 636
      targetPort: 636
--- a/deploy/3-certificate.yaml
+++ b/deploy/3-certificate.yaml
@ -0,0 +1,13 @@
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: coreid-tls
  namespace: starship
 spec:
  secretName: coreid-tls-secret
  dnsNames:
    - ${COREID_DOMAIN}
  issuerRef:
    name: letsencrypt-ca
    kind: ClusterIssuer
--- a/deploy/4-ingress.yaml
+++ b/deploy/4-ingress.yaml
@ -0,0 +1,25 @@
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  name: coreid-ingress
  namespace: starship
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: 'false'
 spec:
  tls:
    - hosts:
        - ${COREID_DOMAIN}
      secretName: coreid-tls-secret
  ingressClassName: nginx
  rules:
    - host: ${COREID_DOMAIN}
      http:
        paths:
          - pathType: Prefix
            path: '/'
            backend:
              service:
                name: coreid-web
                port:
                  number: 80
--- a/deploy/README.md
+++ b/deploy/README.md
@ -0,0 +1,32 @@
 This deployment is parameterized for use with `envsubst(1)`.
 You will need to set up the secret values and environment variables (see below).
 ```shell
 bash -c 'for f in *.yaml; do envsubst < $f | kubectl apply -f -; done'
 ```
 ## Supported environment variables
 Set these environment variables in your shell before running the above command to apply the Kubernetes spec.
 - `COREID_DOMAIN` - domain name where CoreID is accessed (e.g. `coreid.mydomain.com`)
 - `DOCKER_REGISTRY` - host of the docker registry to pull the image from (e.g. `registry.mydomain.com`)
  - this is the same registry that is used by `yarn docker:build` and `yarn docker:push`
 - `COREID_DATABASE_HOST` - MongoDB host (e.g. `mongo.mylan.net`)
 - `COREID_DATABASE_NAME` - MongoDB database name to use (e.g. `coreid_p1`)
 - `COREID_LDAP_BASE_DC` - base DC to use for LDAP tree (e.g. `dc=platform,dc=local`)
 - `COREID_REDIS_HOST` - Redis host (e.g. `redis.mylan.net`)
 - `COREID_SMTP_HOST` - SMTP server host (e.g. `smtp.mymail.com`)
 ## Secret values
 The spec expects there to be a `coreid-secrets` secret in the `starship` namespace with the following values:
 - `SECRET` - hash seed used by CoreID (e.g. `df8db5a2-429b-4597-a013-18efee2465e0`)
 - `SMTP_USER` - username used to log-into SMTP server (e.g. `user@mymail.com`)
 - `SMTP_DEFAULT_SENDER` - email to use as FROM address. Usually same as `SMTP_USER` (e.g. `user@mymail.com`)
 - `SMTP_PASS` - password for `SMTP_USER`
 - `REDIS_PASS` - password for the Redis service
 - `X509_CERT` - contents of the x509 certificate to be used for SAML/LDAP/RADIUS
 - `X509_KEY` - contents of the x509 certificate key to be used for SAML/LDAP/RADIUS
--- a/package.json
+++ b/package.json
@ -13,6 +13,10 @@
    "framework",
    "express"
  ],
  "scripts": {
    "docker:build": "docker build -t ${DOCKER_REGISTRY}/starship/coreid .",
    "docker:push": "docker push ${DOCKER_REGISTRY}/starship/coreid"
  },
  "author": "Garrett Mills <garrett@glmdev.tech> (https://garrettmills.dev/)",
  "license": "MIT",
  "dependencies": {
--- a/yarn.lock
+++ b/yarn.lock
@ -2216,9 +2216,9 @@ flitter-i18n@^0.1.1:
    pluralize "^8.0.0"
 flitter-jobs@^0.4.0:
-  version "0.4.0"
+  version "0.4.3"
-  resolved "https://registry.yarnpkg.com/flitter-jobs/-/flitter-jobs-0.4.0.tgz#6871f611fddb43e8e0ecdb144743ada967aedf8a"
+  resolved "https://registry.yarnpkg.com/flitter-jobs/-/flitter-jobs-0.4.3.tgz#60f935e38710b42099fc7d2e6b71df2156881363"
-  integrity sha512-L7SPCzxR+pR9LflWOsChkalhLav7YSES79dv7N8VEFpQuhXZ01jm0MwUnKMJyS9+QOiogDzQuab7IsVdMojUFQ==
+  integrity sha512-T+qAcHOD8zRY9s55RepQ5hftzghq4isT2WuoWQBXrDpZB9xGr09yvvLwIyRhPy3zHxDUG23V6boin3HGdxwojA==
  dependencies:
    bullmq "^1.8.8"
    flitter-redis "^0.1.1"