Merge branch 'feat/rm-prod' into 'master'

Feat/rm prod

See merge request devops/k8s-deployments!47

01_onsite/00_infra/dashboard/dashboard.admin-user-role.yml

@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: admin-user
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- kind: ServiceAccount
+  name: admin-user
+  namespace: kubernetes-dashboard

01_onsite/00_infra/dashboard/dashboard.admin-user.yml

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: admin-user
+  namespace: kubernetes-dashboard

01_onsite/00_infra/dashboard/dashboard.ingress.yml

@@ -0,0 +1,16 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: dashboard-ingress
+  namespace: kubernetes-dashboard
+  annotations:
+    kubernetes.io/ingress.class: "traefik"
+spec:
+  rules:
+  - host: dashboard.k3s.semapp.lan
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: kubernetes-dashboard
+          servicePort: 443

01_onsite/00_infra/dashboard/recommended.yaml

@@ -0,0 +1,303 @@
+# Copyright 2017 The Kubernetes Authors.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kubernetes-dashboard
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+  namespace: kubernetes-dashboard
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+  namespace: kubernetes-dashboard
+spec:
+  ports:
+    - port: 443
+      targetPort: 8443
+  selector:
+    k8s-app: kubernetes-dashboard
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard-certs
+  namespace: kubernetes-dashboard
+type: Opaque
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard-csrf
+  namespace: kubernetes-dashboard
+type: Opaque
+data:
+  csrf: ""
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard-key-holder
+  namespace: kubernetes-dashboard
+type: Opaque
+
+---
+
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard-settings
+  namespace: kubernetes-dashboard
+
+---
+
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+  namespace: kubernetes-dashboard
+rules:
+  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
+    verbs: ["get", "update", "delete"]
+    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
+  - apiGroups: [""]
+    resources: ["configmaps"]
+    resourceNames: ["kubernetes-dashboard-settings"]
+    verbs: ["get", "update"]
+    # Allow Dashboard to get metrics.
+  - apiGroups: [""]
+    resources: ["services"]
+    resourceNames: ["heapster", "dashboard-metrics-scraper"]
+    verbs: ["proxy"]
+  - apiGroups: [""]
+    resources: ["services/proxy"]
+    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
+    verbs: ["get"]
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+rules:
+  # Allow Metrics Scraper to get metrics from the Metrics server
+  - apiGroups: ["metrics.k8s.io"]
+    resources: ["pods", "nodes"]
+    verbs: ["get", "list", "watch"]
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+  namespace: kubernetes-dashboard
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: kubernetes-dashboard
+subjects:
+  - kind: ServiceAccount
+    name: kubernetes-dashboard
+    namespace: kubernetes-dashboard
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubernetes-dashboard
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubernetes-dashboard
+subjects:
+  - kind: ServiceAccount
+    name: kubernetes-dashboard
+    namespace: kubernetes-dashboard
+
+---
+
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  labels:
+    k8s-app: kubernetes-dashboard
+  name: kubernetes-dashboard
+  namespace: kubernetes-dashboard
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      k8s-app: kubernetes-dashboard
+  template:
+    metadata:
+      labels:
+        k8s-app: kubernetes-dashboard
+    spec:
+      containers:
+        - name: kubernetes-dashboard
+          image: kubernetesui/dashboard:v2.4.0
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8443
+              protocol: TCP
+          args:
+            - --auto-generate-certificates
+            - --namespace=kubernetes-dashboard
+            # Uncomment the following line to manually specify Kubernetes API server Host
+            # If not specified, Dashboard will attempt to auto discover the API server and connect
+            # to it. Uncomment only if the default does not work.
+            # - --apiserver-host=http://my-address:port
+          volumeMounts:
+            - name: kubernetes-dashboard-certs
+              mountPath: /certs
+              # Create on-disk volume to store exec logs
+            - mountPath: /tmp
+              name: tmp-volume
+          livenessProbe:
+            httpGet:
+              scheme: HTTPS
+              path: /
+              port: 8443
+            initialDelaySeconds: 30
+            timeoutSeconds: 30
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsUser: 1001
+            runAsGroup: 2001
+      volumes:
+        - name: kubernetes-dashboard-certs
+          secret:
+            secretName: kubernetes-dashboard-certs
+        - name: tmp-volume
+          emptyDir: {}
+      serviceAccountName: kubernetes-dashboard
+      nodeSelector:
+        "kubernetes.io/os": linux
+      # Comment the following tolerations if Dashboard must not be deployed on master
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  labels:
+    k8s-app: dashboard-metrics-scraper
+  name: dashboard-metrics-scraper
+  namespace: kubernetes-dashboard
+spec:
+  ports:
+    - port: 8000
+      targetPort: 8000
+  selector:
+    k8s-app: dashboard-metrics-scraper
+
+---
+
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  labels:
+    k8s-app: dashboard-metrics-scraper
+  name: dashboard-metrics-scraper
+  namespace: kubernetes-dashboard
+spec:
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      k8s-app: dashboard-metrics-scraper
+  template:
+    metadata:
+      labels:
+        k8s-app: dashboard-metrics-scraper
+    spec:
+      securityContext:
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: dashboard-metrics-scraper
+          image: kubernetesui/metrics-scraper:v1.0.7
+          ports:
+            - containerPort: 8000
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              scheme: HTTP
+              path: /
+              port: 8000
+            initialDelaySeconds: 30
+            timeoutSeconds: 30
+          volumeMounts:
+          - mountPath: /tmp
+            name: tmp-volume
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsUser: 1001
+            runAsGroup: 2001
+      serviceAccountName: kubernetes-dashboard
+      nodeSelector:
+        "kubernetes.io/os": linux
+      # Comment the following tolerations if Dashboard must not be deployed on master
+      tolerations:
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
+      volumes:
+        - name: tmp-volume
+          emptyDir: {}

02_hetzner/01_prod/rm/deployment.yaml

@@ -0,0 +1,249 @@
+# Deployment description
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: rm-deployment
+  namespace: prod-environment 
+  labels:
+    app: rm-qa
+spec:
+  strategy:
+    type: Recreate
+  replicas: 1
+  selector:
+    matchLabels:
+      app: rm-qa
+  template:
+    metadata:
+      labels:
+        app: rm-qa
+    spec:
+      # securityContext:
+      #   runAsUser: 1000
+      #   runAsGroup: 1000
+      #   fsGroup: 1000
+      containers:
+        - name: rm-backend
+          image: packages.semapp.lan:5000/rm-backend:0.0.4
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "100m"
+            limits:
+              memory: "512Mi"
+              cpu: "4"
+          ports:
+            - containerPort: 5000
+              name: rm-backend
+              protocol: TCP
+          volumeMounts:
+          - mountPath: /etc/flexrm/
+            readOnly: true
+            name: flexrm-conf
+          env:
+            - name: DJANGO_ENV
+              value: "development"
+          imagePullPolicy: Always
+        - name: rm-frontend
+          image: packages.semapp.lan:5000/rm-frontend:0.0.1
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "100m"
+            limits:
+              memory: "512Mi"
+              cpu: "4"
+          ports:
+            - containerPort: 80
+              name: rm-frontend
+              protocol: TCP
+          volumeMounts:
+          - mountPath: /etc/nginx/conf.d/
+            readOnly: true
+            name: flexrm-frontend-conf
+          imagePullPolicy: Always
+      volumes:
+      - name: flexrm-frontend-conf
+        configMap:
+          name: flexrm-frontend-conf
+      - name: flexrm-conf
+        configMap:
+          name: flexrm-conf
+
+---
+
+# Backend configuration
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: prod-environment 
+  name: flexrm-conf
+data:
+  flexrm.conf: | 
+    [general]
+    allowed_hosts = *
+    secret_key = some_very_long_and_hyper_random_secret_key
+
+    [db]
+    driver = postgresql
+    db_name = rm_prod
+    db_user = rm_prod
+    db_password = NsG}e(EgT\b+95Q'L:+{
+    db_host = psql.semprod.local
+
+    [analytics]
+    piwik_site_id = 3
+
+    [frontend]
+    frontend_url = http://rm.k8s.semprod.local/
+
+    [email]
+    host = smtp.strato.de
+    port = 587
+    username = support@semantic-applications.de
+    password = uN1zPIqN9@br
+    use_tls = True
+    auto_from = support@semantic-applications.de
+
+    [tex]
+    host = texservice.semprod.local
+    delete_after_render = False
+
+    [media-storage]
+    #
+    # the used media-storage is defined via type:
+    #
+    # media_type = django.core.files.storage.FileSystemStorage  ... the default django file storage
+    #     -> no additional settings are required
+    #
+    # media_type = minio_storage.storage.MinioMediaStorage      ... the storage used with minio
+    #     -> additional settings for minio:
+    #     minio_endpoint = 127.0.0.1:9000                 ... the endpoint and port
+    #     minio_use_https = True|False                    ... use https for communication
+    #     minio_media_bucket = media-rm                   ... the media bucket name
+    #     minio_access_key = #your ACCESS_KEY             ... the access key
+    #     minio_secret_key = #your SECRET_KEY             ... the secret key
+    #     minio_auto_create_bucket = True|False           ... if True the bucket is created
+
+    #
+    # To setup minio storage as default for development just comment the file system storage line and uncomment
+    # all minio storage lines
+    #
+
+
+    # media_type = django.core.files.storage.FileSystemStorage
+
+    media_type = flexrm.kernel.minio.storage.MinIOMediaStorage
+    minio_endpoint = minio-api.semprod.local
+    minio_use_https = False
+    minio_media_bucket = rm-prod
+    minio_access_key =  rm-prod
+    minio_secret_key = "uM7(zFm3;4H9PTz!m~ww"
+    minio_auto_create_bucket = True
+---
+
+# Frontend nginx configuration
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  namespace: prod-environment
+  name: flexrm-frontend-conf
+data:
+  default.conf: | 
+    upstream backend {
+      server rm-backend-srv:5000;
+    }
+
+    server {
+    listen 80;
+
+    server_name $K8S_HOSTNAME;
+
+    #access_log /var/log/rm/access.log;
+    #error_log /var/log/rm/error.log;
+
+    charset utf-8;
+    client_max_body_size 1G;
+
+    location / {
+      root /srv/rm-web;
+
+      try_files $uri /index.html =404;
+    }
+
+    location ~ ^/(api|drf|manage) {
+      proxy_pass        http://backend;
+      proxy_redirect    off;
+
+      proxy_set_header  Host    $host;
+      proxy_set_header  X-Real-IP $remote_addr;
+      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+    }
+
+    location /storage {
+      # TODO: still needed when we use minio?
+      alias /srv/media;
+    }
+
+    location /static {
+      # TODO: still needed when we use minio?
+      alias /srv/public;
+    }
+
+    # Redirect Angular routes
+    error_page 404 =200 /index.html;
+    }
+
+---
+
+# RM backend Service
+apiVersion: v1
+kind: Service
+metadata:
+  name: rm-backend-srv
+  namespace: prod-environment
+spec:
+  selector:
+    app: rm-qa
+  ports:
+    - name: rm-backend
+      port: 5000
+      targetPort: rm-backend
+  type: NodePort
+
+---
+
+#RM frontend service
+apiVersion: v1
+kind: Service
+metadata:
+  name: rm-frontend-srv
+  namespace: prod-environment
+spec:
+  selector:
+    app: rm-qa
+  ports:
+    - name: rm-frontend
+      port: 80
+      targetPort: rm-frontend
+  type: NodePort
+
+--- 
+
+  # Ingress description
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: rm-qa-ingress
+  namespace: prod-environment 
+  annotations:
+    kubernetes.io/ingress.class: "traefik"
+spec:
+  rules:
+  - host: rm.k8s.semprod.local
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: rm-frontend-srv
+          servicePort: 80