From cd31c01464848ee4be0fc981f42b6777d467a3ca Mon Sep 17 00:00:00 2001 From: Antun Franjin Date: Tue, 7 Dec 2021 14:55:50 +0100 Subject: [PATCH 1/7] Add qa baseline deployment. Trying to make it work and react use modified env variables. --- 01_onsite/02_qa/baseline/deployment.yaml | 226 +++++++++++++++++++ 02_hetzner/00_infra/keycloak/deployment.yaml | 84 +++++++ 2 files changed, 310 insertions(+) create mode 100644 01_onsite/02_qa/baseline/deployment.yaml create mode 100644 02_hetzner/00_infra/keycloak/deployment.yaml diff --git a/01_onsite/02_qa/baseline/deployment.yaml b/01_onsite/02_qa/baseline/deployment.yaml new file mode 100644 index 0000000..b482302 --- /dev/null +++ b/01_onsite/02_qa/baseline/deployment.yaml 
@@ -0,0 +1,226 @@ +# Deployment description +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baseline-deployment + namespace: qa-environment + labels: + app: baseline-qa +spec: + strategy: + type: Recreate + replicas: 1 + selector: + matchLabels: + app: baseline-qa + template: + metadata: + labels: + app: baseline-qa + spec: + containers: + - name: baseline-frontend + image: packages.semapp.lan:5000/baseline_frontend:qa1 + workingDir: /opt/web + resources: + requests: + memory: "256Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "4" + ports: + - containerPort: 8000 + name: baseline-http + protocol: TCP + volumeMounts: + - mountPath: /etc/nginx/conf.d + readOnly: true + name: baseline-qa-frontend-conf + - mountPath: /etc/web/src/appConf.json + subPath: appConf.json + name: basiline-env-frontend + readOnly: true + imagePullPolicy: Always + + - name: baseline-backend + image: packages.semapp.lan:5000/baseline_backend:qa1 + workingDir: /opt/www + resources: + requests: + memory: "256Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "4" + ports: + - containerPort: 5000 + name: bl-bck-http + protocol: TCP + imagePullPolicy: Always + envFrom: + - configMapRef: + name: baseline-qa-backend-conf + volumes: + - name: basiline-env-frontend + configMap: + name: basiline-env-frontend + - name: baseline-qa-frontend-conf + configMap: + name: baseline-qa-frontend-conf + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: basiline-env-frontend + namespace: qa-environment + labels: + app: baseline-qa +data: + appConf.json: | + { + "REACT_APP_KEYCLOAK_REALM": "baseline_test", + "REACT_APP_KEYCLOAK_CLIENT_ID": "baseline_qa", + "REACT_APP_TOKEN_MIN_VALIDITY": "600" + } + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: qa-environment + name: baseline-qa-backend-conf + labels: + app: baseline-qa +data: + DB_CONNECTION: "pgsql" + DB_HOST: "dbpg11.semapp.lan" + DB_PORT: "5432" + DB_DATABASE: "baseline_k8s_db" + DB_USERNAME: "baseline_qa" + DB_PASSWORD: 
"baseline_qa" + + APP_NAME: "Baseline" + APP_ENV: "development" + APP_KEY: "base64:14Vg4rilGKEk34XeqNR7ffg6GhFTzA7/z5T1aqy6JHw=" + APP_DEBUG: "true" + APP_URL: "http://baseline-qa.k3s.semapp.lan/" + + LOG_CHANNEL: "stack" + BROADCAST_DRIVER: "log" + CACHE_DRIVER: "file" + QUEUE_CONNECTION: "sync" + SESSION_DRIVER: "cookie" + SESSION_LIFETIME: "120" + + + SANCTUM_STATEFUL_DOMAINS: "baseline-qa.k3s.semapp.lan" + SESSION_DOMAIN: "baseline-qa.k3s.semapp.lan" + + THROTTLE_MAX_ATTEMPTS: "80" + + KEYCLOAK_URL: "http://keycloak.semapp.lan" + KEYCLOAK_PORT: "80" + KEYCLOAK_REALM: "baseline_test" + + REDIRECT_URL: "http://baseline-qa.k3s.semapp.lan/" + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: qa-environment + name: baseline-qa-frontend-conf +data: + default.conf: | + upstream backend { + server baseline-backend-qa:5000; + } + + server { + listen 8000; + + access_log /var/log/nginx/access.log; + charset utf-8; + client_max_body_size 1G; + + location / { + root /srv/web; + add_header X-Frame-Options "SAMEORIGIN"; + index index.html index.htm; + try_files $uri $uri /index.html =404; + } + + location ~ ^/api { + proxy_pass http://backend; + proxy_redirect off; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_read_timeout 300s; + proxy_send_timeout 300s; + send_timeout 300s; + } + + error_page 404 =200 /index.html; + + add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + + expires off; + open_file_cache off; + sendfile off; + } + +--- +# EFC Service +apiVersion: v1 +kind: Service +metadata: + name: baseline-frontend-qa + namespace: qa-environment +spec: + selector: + app: baseline-qa + ports: + - name: baseline-http + port: 8000 + targetPort: baseline-http + type: NodePort + +--- +# EFC backend +apiVersion: v1 +kind: Service +metadata: + name: baseline-backend-qa + namespace: qa-environment +spec: + selector: + app: 
baseline-qa + ports: + - name: bl-bck-http + port: 5000 + targetPort: bl-bck-http + type: NodePort +--- + +# Ingress description +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: baseline-qa-ingress + namespace: qa-environment + annotations: + kubernetes.io/ingress.class: "traefik" +spec: + rules: + - host: baseline-qa.k3s.semapp.lan + http: + paths: + - path: / + backend: + serviceName: baseline-frontend-qa + servicePort: 8000 \ No newline at end of file diff --git a/02_hetzner/00_infra/keycloak/deployment.yaml b/02_hetzner/00_infra/keycloak/deployment.yaml new file mode 100644 index 0000000..0816570 --- /dev/null +++ b/02_hetzner/00_infra/keycloak/deployment.yaml 
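Review bot: The `baseline-qa-backend-conf` ConfigMap carries `DB_PASSWORD` and `APP_KEY` (which looks like the Laravel application key) as plain values, so both sit unencrypted in git and in a resource that any reader of the namespace can `get`. Move those two keys into a `Secret` referenced from the backend container's `envFrom` through `secretRef`, as sketched below, and keep the ConfigMap for the non-sensitive settings only; because the values are already in history they should be rotated, not just relocated. The same pattern recurs in the new keycloak, prod baseline and trialytix prod manifests later in this series. Separately, every Ingress in the series uses `networking.k8s.io/v1beta1`, which was removed in Kubernetes 1.22; `networking.k8s.io/v1` with `backend.service.name` and `backend.service.port.number` is the replacement.
```yaml
# … unchanged: Deployment, baseline-backend container up to envFrom …
          envFrom:
            - configMapRef:
                name: baseline-qa-backend-conf
            - secretRef:
                name: baseline-qa-backend-secret
# … unchanged: volumes, frontend nginx ConfigMap, Services, Ingress …
---
apiVersion: v1
kind: Secret
metadata:
  namespace: qa-environment
  name: baseline-qa-backend-secret
  labels:
    app: baseline-qa
type: Opaque
stringData:
  DB_PASSWORD: "<DB_PASSWORD placeholder - supplied from a secret store, not committed>"
  APP_KEY: "<APP_KEY placeholder - supplied from a secret store, not committed>"
# … unchanged: baseline-qa-backend-conf ConfigMap, with DB_PASSWORD and APP_KEY removed …
```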
@@ -0,0 +1,84 @@ +--- + apiVersion: "apps/v1" + kind: "Deployment" + metadata: + name: "keycloak" + namespace: "infra-environment" + spec: + selector: + matchLabels: + app: "keycloak" + replicas: 1 + template: + metadata: + labels: + app: "keycloak" + spec: + containers: + - name: "keycloak-prod" + image: "jboss/keycloak" + resources: + requests: + memory: "512Mi" + cpu: "100m" + limits: + memory: "1Gi" + cpu: "4" + imagePullPolicy: "Always" + env: + - name: "KEYCLOAK_USER" + value: "admin" + - name: "KEYCLOAK_PASSWORD" + value: "admin" + - name: DB_VENDOR + value: postgres + - name: DB_ADDR + value: psql.semprod.local + - name: DB_DATABASE + value: keycloak_db + - name: DB_USER + value: keycloak + - name: DB_PASSWORD + value: e7ov7xx45qr1erk9 + ports: + - name: keycloak-http + containerPort: 8080 +--- +apiVersion: v1 +kind: Service +metadata: + name: keycloak-srv + namespace: infra-environment +spec: + selector: + app: keycloak + ports: + - name: keycloak-http + port: 8080 + targetPort: keycloak-http + type: NodePort + +--- +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: keycloak-ingress + namespace: infra-environment + annotations: + kubernetes.io/ingress.class: "traefik" +spec: + rules: + - host: keycloak.k8s.semprod.local + http: + paths: + - path: / + backend: + serviceName: keycloak-srv + servicePort: 8080 + # - host: keycloak.semapp.lan + # http: + # paths: + # - path: / + # backend: + # serviceName: keycloack-srv + # servicePort: 8080 \ No newline at end of file From ec56bd3adeccbd852714d6d02e3926ab7da09462 Mon Sep 17 00:00:00 2001 
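Review bot: The keycloak Deployment bootstraps the admin account with `KEYCLOAK_USER`/`KEYCLOAK_PASSWORD` both set to `admin` and puts the database `DB_PASSWORD` inline, on a pod that the Service and Ingress below expose as a NodePort and on `keycloak.k8s.semprod.local`. Both values should come from a Secret via `valueFrom: secretKeyRef:`, the bootstrap password should be unique and changed after first login, and the inline database password needs rotating now that it is in history. `image: "jboss/keycloak"` carries no tag, so with `imagePullPolicy: "Always"` every restart pulls whatever `latest` currently is; pin it, e.g. `image: "jboss/keycloak:<pinned-version placeholder>"`. The first document also appears to be indented one level deeper than the Service and Ingress documents (`+ apiVersion: "apps/v1"` versus `+apiVersion: v1`), which is valid YAML but inconsistent — hard to be certain from the collapsed whitespace.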
From: Antun Franjin Date: Tue, 14 Dec 2021 03:52:25 +0100 Subject: [PATCH 2/7] Add qa baseline working instzance and add production deployment(not final). --- 01_onsite/01_dev/baseline/deployment.yaml | 21 +- 01_onsite/02_qa/baseline/deployment.yaml | 42 ++-- 02_hetzner/01_prod/baseline/deployment.yaml | 229 ++++++++++++++++++++ 3 files changed, 250 insertions(+), 42 deletions(-) create mode 100644 02_hetzner/01_prod/baseline/deployment.yaml diff --git a/01_onsite/01_dev/baseline/deployment.yaml b/01_onsite/01_dev/baseline/deployment.yaml index 4c0d2e0..b11e709 100644 --- a/01_onsite/01_dev/baseline/deployment.yaml +++ b/01_onsite/01_dev/baseline/deployment.yaml @@ -21,6 +21,7 @@ spec: containers: - name: baseline-frontend image: packages.semapp.lan:5000/baseline_frontend:develop + workingDir: /srv/web resources: requests: memory: "256Mi" @@ -37,23 +38,15 @@ spec: readOnly: true name: baseline-dev-frontend-conf imagePullPolicy: Always - env: - - name: PORT - value: "8000" - - name: REACT_APP_PROD_API_URL - value: "http://baseline-dev.k3s.semapp.lan/api/" - - name: REACT_APP_DEV_API_URL - value: "http://baseline-dev.k3s.semapp.lan/api/" - - name: REACT_APP_VERSION - value: "v1" - - name: REACT_APP_KEYCLOAK_URL - value: "http://keycloak.semapp.lan/auth/" - - name: REACT_APP_KEYCLOAK_REALM + env: + - name: KEYCLOAK_REALM value: "baseline" - - name: REACT_APP_KEYCLOAK_CLIENT_ID + - name: KEYCLOAK_CLIENT value: "baseline" - - name: REACT_APP_TOKEN_MIN_VALIDITY + - name: KEYCLOAK_TOKEN_VALIDITY value: "600" + - name: KEYCLOAK_URL + value: "http://keycloak.semapp.lan/auth/" - name: baseline-backend image: packages.semapp.lan:5000/baseline_backend:develop diff --git a/01_onsite/02_qa/baseline/deployment.yaml b/01_onsite/02_qa/baseline/deployment.yaml index b482302..cc57d5e 100644 --- a/01_onsite/02_qa/baseline/deployment.yaml +++ b/01_onsite/02_qa/baseline/deployment.yaml 
@@ -21,7 +21,7 @@ spec: containers: - name: baseline-frontend image: packages.semapp.lan:5000/baseline_frontend:qa1 - workingDir: /opt/web + workingDir: /srv/web resources: requests: memory: "256Mi" @@ -34,13 +34,18 @@ spec: name: baseline-http protocol: TCP volumeMounts: - - mountPath: /etc/nginx/conf.d - readOnly: true - name: baseline-qa-frontend-conf - - mountPath: /etc/web/src/appConf.json - subPath: appConf.json - name: basiline-env-frontend - readOnly: true + - mountPath: /etc/nginx/conf.d + readOnly: true + name: baseline-qa-frontend-conf + env: + - name: KEYCLOAK_REALM + value: "baseline_test" + - name: KEYCLOAK_CLIENT + value: "baseline_qa" + - name: KEYCLOAK_TOKEN_VALIDITY + value: "600" + - name: KEYCLOAK_URL + value: "http://keycloak.semapp.lan/auth/" imagePullPolicy: Always - name: baseline-backend @@ -62,29 +67,10 @@ spec: - configMapRef: name: baseline-qa-backend-conf volumes: - - name: basiline-env-frontend - configMap: - name: basiline-env-frontend - name: baseline-qa-frontend-conf configMap: name: baseline-qa-frontend-conf ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: basiline-env-frontend - namespace: qa-environment - labels: - app: baseline-qa -data: - appConf.json: | - { - "REACT_APP_KEYCLOAK_REALM": "baseline_test", - "REACT_APP_KEYCLOAK_CLIENT_ID": "baseline_qa", - "REACT_APP_TOKEN_MIN_VALIDITY": "600" - } - --- apiVersion: v1 kind: ConfigMap @@ -97,7 +83,7 @@ data: DB_CONNECTION: "pgsql" DB_HOST: "dbpg11.semapp.lan" DB_PORT: "5432" - DB_DATABASE: "baseline_k8s_db" + DB_DATABASE: "baseline_k8s_qa" DB_USERNAME: "baseline_qa" DB_PASSWORD: "baseline_qa" diff --git a/02_hetzner/01_prod/baseline/deployment.yaml b/02_hetzner/01_prod/baseline/deployment.yaml new file mode 100644 index 0000000..9ab995c --- /dev/null +++ b/02_hetzner/01_prod/baseline/deployment.yaml 
@@ -0,0 +1,229 @@ +# Deployment description +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baseline-deployment + namespace: prod-environment + labels: + app: baseline-prod +spec: + strategy: + type: Recreate + replicas: 1 + selector: + matchLabels: + app: baseline-prod + template: + metadata: + labels: + app: baseline-prod + spec: + containers: + - name: baseline-frontend + image: packages.semapp.lan:5000/baseline_frontend:qa1 + workingDir: /srv/web + resources: + requests: + memory: "256Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "4" + ports: + - containerPort: 8000 + name: baseline-http + protocol: TCP + volumeMounts: + - mountPath: /etc/nginx/conf.d + readOnly: true + name: baseline-prod-frontend-conf + + - mountPath: /srv/web/appConfiguration.json + subPath: appConfiguration.json + name: basiline-prod-env-frontend + readOnly: true + + imagePullPolicy: Always + + - name: baseline-backend + image: packages.semapp.lan:5000/baseline_backend:qa1 + workingDir: /opt/www + resources: + requests: + memory: "256Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "4" + ports: + - containerPort: 5000 + name: bl-bck-http + protocol: TCP + imagePullPolicy: Always + envFrom: + - configMapRef: + name: baseline-prod-backend-conf + volumes: + - name: basiline-prod-env-frontend + configMap: + name: basiline-env-frontend + - name: baseline-prod-frontend-conf + configMap: + name: baseline-prod-frontend-conf + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: basiline-prod-env-frontend + namespace: prod-environment + labels: + app: baseline-prod +data: + appConfiguration.json: | + { + "REACT_APP_KEYCLOAK_URL": "http://keycloak.semapp.lan/auth/", + "REACT_APP_KEYCLOAK_REALM": "baseline_prod", + "REACT_APP_KEYCLOAK_CLIENT_ID": "baseline_prod", + "REACT_APP_TOKEN_MIN_VALIDITY": "600" + } + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: prod-environment + name: baseline-prod-backend-conf + labels: + app: baseline-prod +data: + DB_CONNECTION: 
"pgsql" + DB_HOST: "psql.semprod.local" + DB_PORT: "5432" + DB_DATABASE: "baseline_prod" + DB_USERNAME: "baseline_prod" + DB_PASSWORD: "yZLi2WZ037l9Xcgg" + + APP_NAME: "Baseline" + APP_ENV: "production" + APP_KEY: "base64:14Vg4rilGKEk34XeqNR7ffg6GhFTzA7/z5T1aqy6JHw=" + APP_DEBUG: "true" + APP_URL: "http://baseline.k8s.semprod.local/" + + LOG_CHANNEL: "stack" + BROADCAST_DRIVER: "log" + CACHE_DRIVER: "file" + QUEUE_CONNECTION: "sync" + SESSION_DRIVER: "cookie" + SESSION_LIFETIME: "120" + + + SANCTUM_STATEFUL_DOMAINS: "baseline.k8s.semprod.local" + SESSION_DOMAIN: "baseline.k8s.semprod.local" + + THROTTLE_MAX_ATTEMPTS: "80" + + KEYCLOAK_URL: "http://keycloak.semapp.lan" + KEYCLOAK_PORT: "80" + KEYCLOAK_REALM: "baseline_prod" + + REDIRECT_URL: "http://baseline.k8s.semprod.local/" + +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: prod-environment + name: baseline-prod-frontend-conf +data: + default.conf: | + upstream backend { + server baseline-backend-prod:5000; + } + + server { + listen 8000; + + access_log /var/log/nginx/access.log; + charset utf-8; + client_max_body_size 1G; + + location / { + root /srv/web; + add_header X-Frame-Options "SAMEORIGIN"; + index index.html index.htm; + try_files $uri $uri /index.html =404; + } + + location ~ ^/api { + proxy_pass http://backend; + proxy_redirect off; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_read_timeout 300s; + proxy_send_timeout 300s; + send_timeout 300s; + } + + error_page 404 =200 /index.html; + + add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + + expires off; + open_file_cache off; + sendfile off; + } + +--- +# EFC Service +apiVersion: v1 +kind: Service +metadata: + name: baseline-frontend-prod + namespace: prod-environment +spec: + selector: + app: baseline-prod + ports: + - name: baseline-http + port: 8000 + targetPort: baseline-http + type: 
NodePort + +--- +# EFC backend +apiVersion: v1 +kind: Service +metadata: + name: baseline-backend-prod + namespace: prod-environment +spec: + selector: + app: baseline-prod + ports: + - name: bl-bck-http + port: 5000 + targetPort: bl-bck-http + type: NodePort +--- + +# Ingress description +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: baseline-prod-ingress + namespace: prod-environment + annotations: + kubernetes.io/ingress.class: "traefik" +spec: + rules: + - host: baseline.k8s.semprod.local + http: + paths: + - path: / + backend: + serviceName: baseline-frontend-prod + servicePort: 8000 \ No newline at end of file From e6777197be743a79e659846d7c36e2bd782a6720 Mon Sep 17 00:00:00 2001 From: Antun Franjin Date: Wed, 15 Dec 2021 00:48:22 +0100 Subject: [PATCH 3/7] Add trialytix production deployment and baseline prod deployment. For baseline just need entry domain for its infra keycloak instance to run working deployment. --- 01_onsite/01_dev/baseline/deployment.yaml | 8 +- 01_onsite/02_qa/trialytix/deployment.yaml | 4 +- 02_hetzner/01_prod/baseline/deployment.yaml | 35 +--- 02_hetzner/01_prod/trialytix/deployment.yaml | 184 +++++++++++++++++++ 4 files changed, 199 insertions(+), 32 deletions(-) create mode 100644 02_hetzner/01_prod/trialytix/deployment.yaml diff --git a/01_onsite/01_dev/baseline/deployment.yaml b/01_onsite/01_dev/baseline/deployment.yaml index b11e709..f25ee79 100644 --- a/01_onsite/01_dev/baseline/deployment.yaml +++ b/01_onsite/01_dev/baseline/deployment.yaml @@ -20,7 +20,7 @@ spec: spec: containers: - name: baseline-frontend - image: packages.semapp.lan:5000/baseline_frontend:develop + image: packages.semapp.lan:5000/baseline_frontend:qa1 workingDir: /srv/web resources: requests: @@ -40,7 +40,7 @@ spec: imagePullPolicy: Always env: - name: KEYCLOAK_REALM - value: "baseline" + value: "baseline_develop" - name: KEYCLOAK_CLIENT value: "baseline" - name: KEYCLOAK_TOKEN_VALIDITY 
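Review bot: `baseline-prod-backend-conf` sets `APP_ENV: "production"` together with `APP_DEBUG: "true"`, so an unhandled error on `baseline.k8s.semprod.local` would render a debug page that typically includes configuration values and stack traces; change it to `APP_DEBUG: "false"`. The `APP_KEY` here is byte-identical to the one in the QA ConfigMap from patch 1, so QA and production share an encryption/signing key — generate a separate key per environment and keep it, together with the inline `DB_PASSWORD`, in a Secret as noted on the QA manifest. Both containers pull `:qa1` images into the prod namespace; if that is intentional for now, a comment saying so would help, otherwise a production tag belongs here.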
@@ -49,7 +49,7 @@ spec: value: "http://keycloak.semapp.lan/auth/" - name: baseline-backend - image: packages.semapp.lan:5000/baseline_backend:develop + image: packages.semapp.lan:5000/baseline_backend:qa1 workingDir: /opt/www resources: requests: @@ -110,7 +110,7 @@ data: KEYCLOAK_URL: "http://keycloak.semapp.lan" KEYCLOAK_PORT: "80" - KEYCLOAK_REALM: "baseline" + KEYCLOAK_REALM: "baseline_develop" REDIRECT_URL: "http://baseline-dev.k3s.semapp.lan/" diff --git a/01_onsite/02_qa/trialytix/deployment.yaml b/01_onsite/02_qa/trialytix/deployment.yaml index 41c60c8..2a94884 100644 --- a/01_onsite/02_qa/trialytix/deployment.yaml +++ b/01_onsite/02_qa/trialytix/deployment.yaml @@ -18,7 +18,7 @@ spec: containers: # Backend container - name: trialytix-backend - image: packages.semapp.lan:5000/trialytix_backend:$IMAGE_TAG + image: packages.semapp.lan:5000/trialytix_backend:develop resources: requests: @@ -37,7 +37,7 @@ spec: imagePullPolicy: Always # Frontend container - name: trialytix-frontend - image: packages.semapp.lan:5000/trialytix_frontend:$IMAGE_TAG + image: packages.semapp.lan:5000/trialytix_frontend:develop resources: requests: diff --git a/02_hetzner/01_prod/baseline/deployment.yaml b/02_hetzner/01_prod/baseline/deployment.yaml index 9ab995c..5be1db7 100644 --- a/02_hetzner/01_prod/baseline/deployment.yaml +++ b/02_hetzner/01_prod/baseline/deployment.yaml @@ -37,12 +37,15 @@ spec: - mountPath: /etc/nginx/conf.d readOnly: true name: baseline-prod-frontend-conf - - - mountPath: /srv/web/appConfiguration.json - subPath: appConfiguration.json - name: basiline-prod-env-frontend - readOnly: true - + env: + - name: KEYCLOAK_REALM + value: "baseline_production" + - name: KEYCLOAK_CLIENT + value: "baseline_prod" + - name: KEYCLOAK_TOKEN_VALIDITY + value: "600" + - name: KEYCLOAK_URL + value: "http://keycloak.semapp.lan/auth/" imagePullPolicy: Always - name: baseline-backend 
@@ -64,30 +67,10 @@ spec: - configMapRef: name: baseline-prod-backend-conf volumes: - - name: basiline-prod-env-frontend - configMap: - name: basiline-env-frontend - name: baseline-prod-frontend-conf configMap: name: baseline-prod-frontend-conf ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: basiline-prod-env-frontend - namespace: prod-environment - labels: - app: baseline-prod -data: - appConfiguration.json: | - { - "REACT_APP_KEYCLOAK_URL": "http://keycloak.semapp.lan/auth/", - "REACT_APP_KEYCLOAK_REALM": "baseline_prod", - "REACT_APP_KEYCLOAK_CLIENT_ID": "baseline_prod", - "REACT_APP_TOKEN_MIN_VALIDITY": "600" - } - --- apiVersion: v1 kind: ConfigMap diff --git a/02_hetzner/01_prod/trialytix/deployment.yaml b/02_hetzner/01_prod/trialytix/deployment.yaml new file mode 100644 index 0000000..504fbdf --- /dev/null +++ b/02_hetzner/01_prod/trialytix/deployment.yaml 
@@ -0,0 +1,184 @@ +# Deployment description +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: trialytix-deployment + namespace: prod-environment +spec: + replicas: 1 + selector: + matchLabels: + app: trialytix-prod + template: + metadata: + labels: + app: trialytix-prod + spec: + containers: + # Backend container + - name: trialytix-backend + image: packages.semapp.lan:5000/trialytix_backend:develop + + resources: + requests: + memory: "256Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "4" + ports: + - containerPort: 5100 + name: trialytix-back + protocol: TCP + envFrom: + - configMapRef: + name: trialytix-config-backend-prod + imagePullPolicy: Always + # Frontend container + - name: trialytix-frontend + image: packages.semapp.lan:5000/trialytix_frontend:develop + + resources: + requests: + memory: "256Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "4" + ports: + - containerPort: 8100 + name: trialytix-front + protocol: TCP + volumeMounts: + - mountPath: /etc/nginx/conf.d + readOnly: true + name: nginx-trialytix-prod-conf + envFrom: + - configMapRef: + name: trialytix-config-backend-prod + imagePullPolicy: Always + volumes: + - name: nginx-trialytix-prod-conf + configMap: + name: nginx-trialytix-prod-conf + +# Env Configuration +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: prod-environment + name: trialytix-config-backend-prod + labels: + app: trialytix-prod +data: + DJANGO_DB_ENGINE: 'django.db.backends.postgresql' + DJANGO_DB_NAME: 'trialytix_prod' + DJANGO_DB_USER: 'trialytix_prod' + DJANGO_DB_PASSWORD: '1E45fbe8sbmPESHu' + DJANGO_DB_HOST: 'psql.semprod.local' + DJANGO_DB_PORT: '5432' + ALLOWED_HOSTS: '["*"]' + FRONTEND_URL: 'http://trialytix.k8s.semprod.local' + API_URL: 'http://trialytix.k8s.semprod.local' + FRONTEND_PORT: '8100' + BACKEND_PORT: '5100' + +# Nginx configuration +--- +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: prod-environment + name: nginx-trialytix-prod-conf +data: + default.conf: | + 
upstream backend { + server backend-trialytix-prod:5100; + } + + server { + listen 8100; + + access_log /var/log/nginx/access.log; + charset utf-8; + client_max_body_size 1G; + + location / { + root /srv/trialytix; + index index.html index.htm; + try_files $uri /index.html =404; + } + + location ~ ^/api { + proxy_pass http://backend; + proxy_redirect off; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + + proxy_read_timeout 300s; + proxy_send_timeout 300s; + send_timeout 300s; + } + + error_page 404 =200 /index.html; + + add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; + + expires off; + open_file_cache off; + sendfile off; + } + +# Trialytix service +--- +apiVersion: v1 +kind: Service +metadata: + name: backend-trialytix-prod + namespace: prod-environment +spec: + selector: + app: trialytix-prod + ports: + - name: trialytix-back + port: 5100 + targetPort: trialytix-back + type: NodePort + +--- +apiVersion: v1 +kind: Service +metadata: + name: frontend-trialytix-prod + namespace: prod-environment +spec: + selector: + app: trialytix-prod + ports: + - name: trialytix-front + port: 8100 + targetPort: trialytix-front + type: NodePort + +# Ingress description +--- +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: trialytix-prod-ingress + namespace: prod-environment + annotations: + kubernetes.io/ingress.class: "traefik" +spec: + rules: + - host: trialytix.k8s.semprod.local + http: + paths: + - path: / + backend: + serviceName: frontend-trialytix-prod + servicePort: 8100 \ No newline at end of file From c850ccd945e10a6ccd91bbd18b74b3e89d654179 Mon Sep 17 00:00:00 2001 From: Domagoj Zecevic Date: Wed, 15 Dec 2021 11:39:06 +0100 Subject: [PATCH 4/7] added keycloak.semprod.local url to ingress --- 02_hetzner/00_infra/keycloak/deployment.yaml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
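Review bot: `ALLOWED_HOSTS: '["*"]'` in `trialytix-config-backend-prod` disables Django's Host-header validation for the production deployment; restrict it to the served name, `ALLOWED_HOSTS: '["trialytix.k8s.semprod.local"]'`, adding the backend Service name only if requests reach it directly. The `trialytix-frontend` container also has `envFrom` the same backend ConfigMap, which hands `DJANGO_DB_PASSWORD` and the database host to the nginx container that, as far as this hunk shows, reads none of the database settings; drop that `envFrom` or split the map so the frontend receives only the keys it uses. The database password itself should move to a Secret as noted on the QA baseline manifest earlier in the series.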
diff --git a/02_hetzner/00_infra/keycloak/deployment.yaml b/02_hetzner/00_infra/keycloak/deployment.yaml index 0816570..bb41d03 100644 --- a/02_hetzner/00_infra/keycloak/deployment.yaml +++ b/02_hetzner/00_infra/keycloak/deployment.yaml @@ -75,10 +75,10 @@ spec: backend: serviceName: keycloak-srv servicePort: 8080 - # - host: keycloak.semapp.lan - # http: - # paths: - # - path: / - # backend: - # serviceName: keycloack-srv - # servicePort: 8080 \ No newline at end of file + - host: keycloak.semprod.local + http: + paths: + - path: / + backend: + serviceName: keycloak-srv + servicePort: 8080 \ No newline at end of file From 27068da0fdff19e026208e9d8a6b39dfbe8b7ca9 Mon Sep 17 00:00:00 2001 From: Domagoj Zecevic Date: Mon, 20 Dec 2021 15:31:52 +0100 Subject: [PATCH 5/7] added dashboard --- .../dashboard/dashboard.admin-user-role.yml | 12 + .../dashboard/dashboard.admin-user.yml | 5 + .../00_infra/dashboard/dashboard.ingress.yml | 16 + 01_onsite/00_infra/dashboard/recommended.yaml | 303 ++++++++++++++++++ 4 files changed, 336 insertions(+) create mode 100644 01_onsite/00_infra/dashboard/dashboard.admin-user-role.yml create mode 100644 01_onsite/00_infra/dashboard/dashboard.admin-user.yml create mode 100644 01_onsite/00_infra/dashboard/dashboard.ingress.yml create mode 100644 01_onsite/00_infra/dashboard/recommended.yaml diff --git a/01_onsite/00_infra/dashboard/dashboard.admin-user-role.yml b/01_onsite/00_infra/dashboard/dashboard.admin-user-role.yml new file mode 100644 index 0000000..23c1190 --- /dev/null +++ b/01_onsite/00_infra/dashboard/dashboard.admin-user-role.yml @@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: admin-user +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: +- kind: ServiceAccount + name: admin-user + namespace: kubernetes-dashboard \ No newline at end of file 
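Review bot: Neither host rule in this Ingress has a `tls:` section, so the Keycloak login form, admin console and issued tokens on the newly added `keycloak.semprod.local` travel in the clear between clients and Traefik unless TLS is terminated somewhere outside this manifest. If there is no upstream terminator, add a `tls:` block listing the host with `secretName: <keycloak-tls-secret placeholder>`; if there is one, a comment above `rules:` naming it would save the next reader the question.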
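Review bot: This ClusterRoleBinding grants the `admin-user` ServiceAccount `cluster-admin`, so the dashboard login token minted for it is an unrestricted credential for the whole cluster, and it is used through the dashboard Ingress added in the same commit. If the dashboard is meant for day-to-day inspection, bind the account to `view` (or namespaced `edit` RoleBindings) and keep a cluster-admin token out of routine use; at minimum a comment above `roleRef:` should state why full admin is required, e.g. `# cluster-admin: grants every API on every namespace; the token for this account is a cluster-wide credential`.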
diff --git a/01_onsite/00_infra/dashboard/dashboard.admin-user.yml b/01_onsite/00_infra/dashboard/dashboard.admin-user.yml new file mode 100644 index 0000000..219059b --- /dev/null +++ b/01_onsite/00_infra/dashboard/dashboard.admin-user.yml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: admin-user + namespace: kubernetes-dashboard \ No newline at end of file diff --git a/01_onsite/00_infra/dashboard/dashboard.ingress.yml b/01_onsite/00_infra/dashboard/dashboard.ingress.yml new file mode 100644 index 0000000..6c9cd37 --- /dev/null +++ b/01_onsite/00_infra/dashboard/dashboard.ingress.yml @@ -0,0 +1,16 @@ +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: dashboard-ingress + namespace: kubernetes-dashboard + annotations: + kubernetes.io/ingress.class: "traefik" +spec: + rules: + - host: dashboard.k3s.semapp.lan + http: + paths: + - path: / + backend: + serviceName: kubernetes-dashboard + servicePort: 443 \ No newline at end of file diff --git a/01_onsite/00_infra/dashboard/recommended.yaml b/01_onsite/00_infra/dashboard/recommended.yaml new file mode 100644 index 0000000..5bc4004 --- /dev/null +++ b/01_onsite/00_infra/dashboard/recommended.yaml 
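Review bot: The rule forwards to `kubernetes-dashboard:443`, which the vendored `recommended.yaml` in this commit backs with the dashboard's own HTTPS listener on 8443 (`--auto-generate-certificates`); Traefik speaks plain HTTP to backends by default, so as far as I can tell this route will not work until Traefik is told the backend is HTTPS, and it should be exercised before merge. The Ingress also carries no `tls:` block, so the bearer token pasted into the dashboard login page on `dashboard.k3s.semapp.lan` crosses the network unencrypted. Add `tls:` with the host and `secretName: <dashboard-tls-secret placeholder>`, and set Traefik's HTTPS-backend option for this route.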
@@ -0,0 +1,303 @@ +# Copyright 2017 The Kubernetes Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Namespace +metadata: + name: kubernetes-dashboard + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard + +--- + +kind: Service +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard +spec: + ports: + - port: 443 + targetPort: 8443 + selector: + k8s-app: kubernetes-dashboard + +--- + +apiVersion: v1 +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-certs + namespace: kubernetes-dashboard +type: Opaque + +--- + +apiVersion: v1 +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-csrf + namespace: kubernetes-dashboard +type: Opaque +data: + csrf: "" + +--- + +apiVersion: v1 +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-key-holder + namespace: kubernetes-dashboard +type: Opaque + +--- + +kind: ConfigMap +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-settings + namespace: kubernetes-dashboard + +--- + +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard 
+rules: + # Allow Dashboard to get, update and delete Dashboard exclusive secrets. + - apiGroups: [""] + resources: ["secrets"] + resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] + verbs: ["get", "update", "delete"] + # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["kubernetes-dashboard-settings"] + verbs: ["get", "update"] + # Allow Dashboard to get metrics. + - apiGroups: [""] + resources: ["services"] + resourceNames: ["heapster", "dashboard-metrics-scraper"] + verbs: ["proxy"] + - apiGroups: [""] + resources: ["services/proxy"] + resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] + verbs: ["get"] + +--- + +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard +rules: + # Allow Metrics Scraper to get metrics from the Metrics server + - apiGroups: ["metrics.k8s.io"] + resources: ["pods", "nodes"] + verbs: ["get", "list", "watch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-dashboard +subjects: + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kubernetes-dashboard + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-dashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubernetes-dashboard +subjects: + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kubernetes-dashboard + +--- + +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: 
kubernetes-dashboard +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: kubernetes-dashboard + template: + metadata: + labels: + k8s-app: kubernetes-dashboard + spec: + containers: + - name: kubernetes-dashboard + image: kubernetesui/dashboard:v2.4.0 + imagePullPolicy: Always + ports: + - containerPort: 8443 + protocol: TCP + args: + - --auto-generate-certificates + - --namespace=kubernetes-dashboard + # Uncomment the following line to manually specify Kubernetes API server Host + # If not specified, Dashboard will attempt to auto discover the API server and connect + # to it. Uncomment only if the default does not work. + # - --apiserver-host=http://my-address:port + volumeMounts: + - name: kubernetes-dashboard-certs + mountPath: /certs + # Create on-disk volume to store exec logs + - mountPath: /tmp + name: tmp-volume + livenessProbe: + httpGet: + scheme: HTTPS + path: / + port: 8443 + initialDelaySeconds: 30 + timeoutSeconds: 30 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 1001 + runAsGroup: 2001 + volumes: + - name: kubernetes-dashboard-certs + secret: + secretName: kubernetes-dashboard-certs + - name: tmp-volume + emptyDir: {} + serviceAccountName: kubernetes-dashboard + nodeSelector: + "kubernetes.io/os": linux + # Comment the following tolerations if Dashboard must not be deployed on master + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + +--- + +kind: Service +apiVersion: v1 +metadata: + labels: + k8s-app: dashboard-metrics-scraper + name: dashboard-metrics-scraper + namespace: kubernetes-dashboard +spec: + ports: + - port: 8000 + targetPort: 8000 + selector: + k8s-app: dashboard-metrics-scraper + +--- + +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + k8s-app: dashboard-metrics-scraper + name: dashboard-metrics-scraper + namespace: kubernetes-dashboard +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + 
k8s-app: dashboard-metrics-scraper + template: + metadata: + labels: + k8s-app: dashboard-metrics-scraper + spec: + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: dashboard-metrics-scraper + image: kubernetesui/metrics-scraper:v1.0.7 + ports: + - containerPort: 8000 + protocol: TCP + livenessProbe: + httpGet: + scheme: HTTP + path: / + port: 8000 + initialDelaySeconds: 30 + timeoutSeconds: 30 + volumeMounts: + - mountPath: /tmp + name: tmp-volume + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 1001 + runAsGroup: 2001 + serviceAccountName: kubernetes-dashboard + nodeSelector: + "kubernetes.io/os": linux + # Comment the following tolerations if Dashboard must not be deployed on master + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + volumes: + - name: tmp-volume + emptyDir: {} From 2709ce692a269721fbf09c88093456fa3c4d51a3 Mon Sep 17 00:00:00 2001 From: Domagoj Zecevic Date: Tue, 21 Dec 2021 12:06:54 +0100 Subject: [PATCH 6/7] added rm-prod deplyoment --- 01_onsite/02_qa/trialytix/deployment.yaml | 4 +- 02_hetzner/01_prod/rm/deployment.yaml | 249 ++++++++++++++++++++++ 2 files changed, 251 insertions(+), 2 deletions(-) create mode 100644 02_hetzner/01_prod/rm/deployment.yaml diff --git a/01_onsite/02_qa/trialytix/deployment.yaml b/01_onsite/02_qa/trialytix/deployment.yaml index 2a94884..b5ef798 100644 --- a/01_onsite/02_qa/trialytix/deployment.yaml +++ b/01_onsite/02_qa/trialytix/deployment.yaml @@ -18,7 +18,7 @@ spec: containers: # Backend container - name: trialytix-backend - image: packages.semapp.lan:5000/trialytix_backend:develop + image: packages.semapp.lan:5000/trialytix_backend:1.5.2-rc1 resources: requests: @@ -37,7 +37,7 @@ spec: imagePullPolicy: Always # Frontend container - name: trialytix-frontend - image: packages.semapp.lan:5000/trialytix_frontend:develop + image: packages.semapp.lan:5000/trialytix_frontend:1.5.2-rc1 resources: requests: 
diff --git a/02_hetzner/01_prod/rm/deployment.yaml b/02_hetzner/01_prod/rm/deployment.yaml new file mode 100644 index 0000000..de98a77 --- /dev/null +++ b/02_hetzner/01_prod/rm/deployment.yaml 
@@ -0,0 +1,249 @@ +# Deployment description +apiVersion: apps/v1 +kind: Deployment +metadata: + name: rm-deployment + namespace: prod-environment + labels: + app: rm-qa +spec: + strategy: + type: Recreate + replicas: 1 + selector: + matchLabels: + app: rm-qa + template: + metadata: + labels: + app: rm-qa + spec: + # securityContext: + # runAsUser: 1000 + # runAsGroup: 1000 + # fsGroup: 1000 + containers: + - name: rm-backend + image: packages.semapp.lan:5000/rm-backend:0.0.4 + resources: + requests: + memory: "256Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "4" + ports: + - containerPort: 5000 + name: rm-backend + protocol: TCP + volumeMounts: + - mountPath: /etc/flexrm/ + readOnly: true + name: flexrm-conf + env: + - name: DJANGO_ENV + value: "development" + imagePullPolicy: Always + - name: rm-frontend + image: packages.semapp.lan:5000/rm-frontend:0.0.1 + resources: + requests: + memory: "256Mi" + cpu: "100m" + limits: + memory: "512Mi" + cpu: "4" + ports: + - containerPort: 80 + name: rm-frontend + protocol: TCP + volumeMounts: + - mountPath: /etc/nginx/conf.d/ + readOnly: true + name: flexrm-frontend-conf + imagePullPolicy: Always + volumes: + - name: flexrm-frontend-conf + configMap: + name: flexrm-frontend-conf + - name: flexrm-conf + configMap: + name: flexrm-conf + +--- + +# Backend configuration +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: prod-environment + name: flexrm-conf +data: + flexrm.conf: | + [general] + allowed_hosts = * + secret_key = some_very_long_and_hyper_random_secret_key + + [db] + driver = postgresql + db_name = rm_prod + db_user = rm_prod + db_password = NsG}e(EgT\b+95Q'L:+{ + db_host = psql.semprod.local + + [analytics] + piwik_site_id = 3 + + [frontend] + frontend_url = http://rm.k8s.semprod.local/ + + [email] + host = smtp.strato.de + port = 587 + username = support@semantic-applications.de + password = uN1zPIqN9@br + use_tls = True + auto_from = support@semantic-applications.de + + [tex] + host = 
texservice.semprod.local + delete_after_render = False + + [media-storage] + # + # the used media-storage is defined via type: + # + # media_type = django.core.files.storage.FileSystemStorage ... the default django file storage + # -> no additional settings are required + # + # media_type = minio_storage.storage.MinioMediaStorage ... the storage used with minio + # -> additional settings for minio: + # minio_endpoint = 127.0.0.1:9000 ... the endpoint and port + # minio_use_https = True|False ... use https for communication + # minio_media_bucket = media-rm ... the media bucket name + # minio_access_key = #your ACCESS_KEY ... the access key + # minio_secret_key = #your SECRET_KEY ... the secret key + # minio_auto_create_bucket = True|False ... if True the bucket is created + + # + # To setup minio storage as default for development just comment the file system storage line and uncomment + # all minio storage lines + # + + + # media_type = django.core.files.storage.FileSystemStorage + + media_type = flexrm.kernel.minio.storage.MinIOMediaStorage + minio_endpoint = minio-api.semapp.lan + minio_use_https = False + minio_media_bucket = rm-qa + minio_access_key = rm-qa + minio_secret_key = "rm-qa123456!" 
+ minio_auto_create_bucket = True +--- + +# Frontend nginx configuration +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: prod-environment + name: flexrm-frontend-conf +data: + default.conf: | + upstream backend { + server rm-backend-srv:5000; + } + + server { + listen 80; + + server_name $K8S_HOSTNAME; + + #access_log /var/log/rm/access.log; + #error_log /var/log/rm/error.log; + + charset utf-8; + client_max_body_size 1G; + + location / { + root /srv/rm-web; + + try_files $uri /index.html =404; + } + + location ~ ^/(api|drf|manage) { + proxy_pass http://backend; + proxy_redirect off; + + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + } + + location /storage { + # TODO: still needed when we use minio? + alias /srv/media; + } + + location /static { + # TODO: still needed when we use minio? + alias /srv/public; + } + + # Redirect Angular routes + error_page 404 =200 /index.html; + } + +--- + +# RM backend Service +apiVersion: v1 +kind: Service +metadata: + name: rm-backend-srv + namespace: prod-environment +spec: + selector: + app: rm-qa + ports: + - name: rm-backend + port: 5000 + targetPort: rm-backend + type: NodePort + +--- + +#RM frontend service +apiVersion: v1 +kind: Service +metadata: + name: rm-frontend-srv + namespace: prod-environment +spec: + selector: + app: rm-qa + ports: + - name: rm-frontend + port: 80 + targetPort: rm-frontend + type: NodePort + +--- + + # Ingress description +apiVersion: networking.k8s.io/v1beta1 +kind: Ingress +metadata: + name: rm-qa-ingress + namespace: prod-environment + annotations: + kubernetes.io/ingress.class: "traefik" +spec: + rules: + - host: rm.k8s.semprod.local + http: + paths: + - path: / + backend: + serviceName: rm-frontend-srv + servicePort: 80 \ No newline at end of file From e70d3d41f9d2d25898c45e4558c6bfa2489b5560 Mon Sep 17 00:00:00 2001 
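Review bot: The `flexrm-conf` object in this hunk is a ConfigMap that carries the production database password (`db_password`), the SMTP `password` and the `minio_secret_key` in plain text, and it is committed to the repository, so anyone with read access to the repo or to ConfigMaps in `prod-environment` has them; these values should be treated as exposed and rotated, not just moved. The same config sets `secret_key = some_very_long_and_hyper_random_secret_key`, which reads as a placeholder rather than a generated value, and `allowed_hosts = *`, while the container env sets `DJANGO_ENV: "development"` — in a prod namespace each of these deserves a deliberate value. The minimal structural fix is to make `flexrm-conf` a `Secret` (with `stringData`) and mount it through a `secret` volume instead of `configMap`; the backend's expectation of `/etc/flexrm/flexrm.conf` is unchanged. Both Services are `type: NodePort`, which publishes the backend's port 5000 on every node outside the Traefik ingress; `ClusterIP` is sufficient since the frontend reaches it through `rm-backend-srv`. The Ingress uses `networking.k8s.io/v1beta1`, which was removed in Kubernetes 1.22, so this manifest will stop applying on newer clusters.
```yaml
# … unchanged: Deployment metadata and container specs up to the volumes list …
      volumes:
        - name: flexrm-frontend-conf
          configMap:
            name: flexrm-frontend-conf
        - name: flexrm-conf
          secret:
            secretName: flexrm-conf
---
# Backend configuration — a Secret rather than a ConfigMap, because it holds credentials
apiVersion: v1
kind: Secret
metadata:
  namespace: prod-environment
  name: flexrm-conf
type: Opaque
stringData:
  flexrm.conf: |
    # … unchanged: [general]/[db]/[analytics]/[frontend]/[email]/[tex]/[media-storage] sections,
    #   with the committed passwords replaced by rotated values …
```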
From: Domagoj Zecevic Date: Tue, 21 Dec 2021 13:04:03 +0100 Subject: [PATCH 7/7] added rm minio settings --- 02_hetzner/01_prod/rm/deployment.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/02_hetzner/01_prod/rm/deployment.yaml b/02_hetzner/01_prod/rm/deployment.yaml index de98a77..28de449 100644 --- a/02_hetzner/01_prod/rm/deployment.yaml +++ b/02_hetzner/01_prod/rm/deployment.yaml @@ -134,11 +134,11 @@ data: # media_type = django.core.files.storage.FileSystemStorage media_type = flexrm.kernel.minio.storage.MinIOMediaStorage - minio_endpoint = minio-api.semapp.lan + minio_endpoint = minio-api.semprod.local minio_use_https = False - minio_media_bucket = rm-qa - minio_access_key = rm-qa - minio_secret_key = "rm-qa123456!" + minio_media_bucket = rm-prod + minio_access_key = rm-prod + minio_secret_key = "uM7(zFm3;4H9PTz!m~ww" minio_auto_create_bucket = True ---
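Review bot: The new `minio_secret_key = "uM7(zFm3;4H9PTz!m~ww"` is a production credential written in plain text into a ConfigMap that is committed to this repository, so it is now part of the git history and should be considered exposed and rotated on the MinIO side rather than merely replaced. The hunk keeps `minio_use_https = False`, so the key is also sent in the clear to `minio-api.semprod.local` on every storage call; unless that path is entirely inside a trusted network, `minio_use_https = True` against a TLS-enabled endpoint is the expected prod setting. The `flexrm.conf` key should live in a `Secret` mounted with a `secret` volume instead of this ConfigMap; the ConfigMap definition and the volume that mounts it start outside this hunk.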