Adrien/projects-platform
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: Adrien:4c23ce19c3c6fcf51ce6ab6f505314111ca8739c
Branches Tags
Adrien:develop
..
compare: Adrien:develop
Branches Tags
Adrien:develop

8 Commits
4c23ce19c3 ... develop

Author SHA1 Message Date
Adrien
67011c2b98 Add tools namespace, plantuml and dicebear tools 2024-03-05 21:53:42 +01:00
Adrien
7d9909fbe9 🐛 Use a volume sub directory to store db data (PGDATA) 2024-02-14 22:37:02 +01:00
Adrien
4643d14df3 Add woodpecker CI/CD 2024-02-11 11:51:39 +01:00
Adrien
52f68f8eb7 🐛 Redirect http to https for the frontend of carrramba service 2024-01-08 22:35:31 +01:00
Adrien
f49b2f1231 🐛 Fix ingress class used by carrramba cluster issuer 2024-01-08 22:26:52 +01:00
Adrien
ebcadfcdee 👽️ Take carrramba-encore-rate reorg into account 2023-10-22 23:57:01 +02:00
Adrien
cdb10d130c ✏️ Fix init.sh file indentation 2023-09-20 22:21:08 +02:00
Adrien
d6761b5a00 👽️ Take the reorganization of the back-end components into account 2023-09-20 22:19:31 +02:00
7 changed files with 609 additions and 34 deletions
Expand all files Collapse all files

39
carrramba-encore-rate-deployment.yaml
View File

@@ -13,7 +13,7 @@ spec:
solvers:
- http01:
ingress:
class: istio
class: traefik
---
apiVersion: apps/v1
@@ -63,9 +63,11 @@ metadata:
name: carrramba-encore-rate-frontend-ingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
traefik.ingress.kubernetes.io/router.middlewares: default-websecure-redirect@kubernetescrd
spec:
rules:
- http:
- host: carrramba.adrien.run
http:
paths:
- path: /
pathType: Prefix
@@ -75,6 +77,32 @@ spec:
port:
name: web
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: carrramba-encore-rate-websecure-ingress
annotations:
cert-manager.io/cluster-issuer: letsencrypt-carrramba
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
tls:
- hosts:
- carrramba.adrien.run
secretName: tls-carrramba-encore-rate-ingress
rules:
- host: carrramba.adrien.run
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: carrramba-encore-rate-frontend
port:
name: web
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
@@ -100,7 +128,8 @@ spec:
- carrramba.adrien.run
secretName: tls-carrramba-encore-rate-ingress
rules:
- http:
- host: carrramba.adrien.run
http:
paths:
- path: /api/
pathType: Prefix
@@ -154,7 +183,7 @@ spec:
- name: carrramba-encore-rate-api
image: rg.fr-par.scw.cloud/asr-projects/carrramba-encore-rate-api:latest
command: ["/bin/bash"]
args: ["-c", "source ${BASH_ENV} ; python ./main.py "]
args: ["-c", "source ${BASH_ENV} ; python ./api_server.py "]
# args: ["-c", "while true; do echo hello; sleep 10;done"]
ports:
- name: web
@@ -219,7 +248,7 @@ spec:
- name: db-update
image: rg.fr-par.scw.cloud/asr-projects/carrramba-encore-rate-db-updater:latest
command: ["/bin/bash"]
args: ["-c", "source ${BASH_ENV} ; python -m db_updater.fill_db"]
args: ["-c", "source ${BASH_ENV} ; python ./db_updater.py"]
imagePullPolicy: IfNotPresent
env:
- name: BASH_ENV

252
ci-cd.yaml Normal file
View File

@@ -0,0 +1,252 @@
apiVersion: v1
kind: Namespace
metadata:
name: cicd
labels:
name: cicd
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-woodpecker
namespace: cicd
spec:
acme:
email: me@adrien.run
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-woodpecker
solvers:
- http01:
ingress:
class: traefik
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: woodpecker-websecure-ingress
namespace: cicd
annotations:
cert-manager.io/cluster-issuer: letsencrypt-woodpecker
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
tls:
- hosts:
- woodpecker.adrien.run
secretName: tls-woodpecker-ingress
rules:
- host: woodpecker.adrien.run
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: woodpecker
port:
name: web
---
# Service account to allow pod access to Vault via K8s auth
apiVersion: v1
kind: ServiceAccount
metadata:
name: woodpecker-server
namespace: cicd
automountServiceAccountToken: true
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: woodpecker-server
namespace: cicd
labels:
app: woodpecker-server
spec:
replicas: 1
selector:
matchLabels:
app: woodpecker-server
template:
metadata:
labels:
app: woodpecker-server
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-woodpecker-server: "database/creds/cicd-woodpecker-server"
vault.hashicorp.com/agent-inject-template-woodpecker-server: |
{{ with secret "database/creds/cicd-woodpecker-server" -}}
export WOODPECKER_DATABASE_DATASOURCE=postgres://{{ .Data.username }}:{{ .Data.password }}@postgres.default:5432/cicd_woodpecker?sslmode=disable
{{- end }}
{{ with secret "cicd-woodpecker-server/oauth2-id" -}}
export WOODPECKER_GITEA_CLIENT={{ .Data.key }}
{{- end}}
{{ with secret "cicd-woodpecker-server/oauth2-secret" -}}
export WOODPECKER_GITEA_SECRET={{ .Data.key }}
{{- end}}
{{ with secret "cicd-woodpecker/agent-secret" -}}
export WOODPECKER_AGENT_SECRET={{ .Data.key }}
{{- end}}
vault.hashicorp.com/role: "cicd-woodpecker-server"
spec:
containers:
- name: woodpecker-server
image: woodpeckerci/woodpecker-server:latest-alpine
command: ["/bin/sh"]
args: ["-c", "source /vault/secrets/woodpecker-server ; /bin/woodpecker-server"]
env:
- name: WOODPECKER_DATABASE_DRIVER
value: postgres
- name: WOODPECKER_OPEN
value: "false"
- name: WOODPECKER_ADMIN
value: Adrien
- name: WOODPECKER_HOST
value: https://woodpecker.adrien.run
- name: WOODPECKER_LOG_LEVEL
value: trace
- name: WOODPECKER_GITEA
value: "true"
- name: WOODPECKER_GITEA_URL
value: https://git.adrien.run
ports:
- name: web
containerPort: 8000
- name: agents
containerPort: 9000
serviceAccountName: woodpecker-server
---
# Service account to allow pod access to Vault via K8s auth
apiVersion: v1
kind: ServiceAccount
metadata:
name: woodpecker-agent
namespace: cicd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pod-creator
namespace: cicd
rules:
- apiGroups: [""]
resources: ["pods", "pods/log"]
verbs: ["create", "get", "watch", "list", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: woodpecker-agent-pod-creator
namespace: cicd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pod-creator
subjects:
- kind: ServiceAccount
name: woodpecker-agent
namespace: cicd
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: pvc-creator
namespace: cicd
rules:
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["create", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: woodpecker-agent-pvc-creator
namespace: cicd
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: pvc-creator
subjects:
- kind: ServiceAccount
name: woodpecker-agent
namespace: cicd
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: woodpecker-agent
namespace: cicd
labels:
app: woodpecker-agent
spec:
replicas: 1
selector:
matchLabels:
app: woodpecker-agent
template:
metadata:
labels:
app: woodpecker-agent
annotations:
vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-inject-secret-woodpecker-agent: "database/creds/cicd-woodpecker-agent"
vault.hashicorp.com/agent-inject-template-woodpecker-agent: |
{{ with secret "cicd-woodpecker/agent-secret" -}}
export WOODPECKER_AGENT_SECRET={{ .Data.key }}
{{- end}}
vault.hashicorp.com/role: "cicd-woodpecker-agent"
spec:
containers:
- name: woodpecker-agent
image: woodpeckerci/woodpecker-agent:latest-alpine
command: ["/bin/sh"]
args: ["-c", "source /vault/secrets/woodpecker-agent ; /bin/woodpecker-agent"]
env:
- name: WOODPECKER_USERNAME
value: woodpecker-agent
- name: WOODPECKER_SERVER
value: woodpecker:9000
- name: WOODPECKER_BACKEND_K8S_NAMESPACE
value: cicd
- name: WOODPECKER_BACKEND_K8S_STORAGE_CLASS
value: nfs
- name: WOODPECKER_BACKEND_K8S_VOLUME_SIZE
value: 1Gi
- name: WOODPECKER_DEBUG_PRETTY
value: "true"
- name: WOODPECKER_BACKEND
value: kubernetes
- name: WOODPECKER_LOG_LEVEL
value: trace
ports:
- name: web
containerPort: 3000
serviceAccountName: woodpecker-agent
---
apiVersion: v1
kind: Service
metadata:
name: woodpecker
namespace: cicd
labels:
app: woodpecker-server
spec:
ports:
- name: web
port: 8000
targetPort: web
- name: agents
port: 9000
targetPort: agents
selector:
app: woodpecker-server

103
init.sh
View File

@@ -57,12 +57,12 @@ vault write auth/kubernetes/config \
vault secrets enable database
vault write database/config/carrramba_encore_rate \
plugin_name=postgresql-database-plugin \
verify_connection=false \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres:5432/carrramba_encore_rate?sslmode=disable" \
username="postgres" \
password="password"
plugin_name=postgresql-database-plugin \
verify_connection=false \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres:5432/carrramba_encore_rate?sslmode=disable" \
username="postgres" \
password="password"
vault policy write carrramba-encore-rate-api vault-carrramba-encore-rate-api-policy.hcl
@@ -70,33 +70,33 @@ vault write --force /database/rotate-root/carrramba_encore_rate
# TODO: Restore default_ttl and max_ttl once the api able to reload env variable on change.
vault write database/roles/carrramba-encore-rate-api \
db_name=carrramba_encore_rate \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
default_ttl="768h" \
max_ttl="768h"
# default_ttl="1h" \
# max_ttl="24h"
db_name=carrramba_encore_rate \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
default_ttl="768h" \
max_ttl="768h"
# default_ttl="1h" \
# max_ttl="24h"
vault write auth/kubernetes/role/carrramba_encore_rate_api \
bound_service_account_names=carrramba-encore-rate-api \
bound_service_account_namespaces=default \
policies=carrramba-encore-rate-api \
ttl=1h
bound_service_account_names=carrramba-encore-rate-api \
bound_service_account_namespaces=default \
policies=carrramba-encore-rate-api \
ttl=1h
vault policy write carrramba-encore-rate-admin vault-carrramba-encore-rate-admin-policy.hcl
vault write database/roles/carrramba-encore-rate-admin \
db_name=carrramba_encore_rate \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
ALTER ROLE \"{{name}}\" SUPERUSER;" \
revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
default_ttl="1h" \
max_ttl="24h"
db_name=carrramba_encore_rate \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
ALTER ROLE \"{{name}}\" SUPERUSER;" \
revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
default_ttl="1h" \
max_ttl="24h"
vault write auth/kubernetes/role/carrramba-encore-rate-admin \
bound_service_account_names=carrramba-encore-rate-admin \
bound_service_account_namespaces=default \
policies=carrramba-encore-rate-admin \
ttl=1h
bound_service_account_names=carrramba-encore-rate-admin \
bound_service_account_namespaces=default \
policies=carrramba-encore-rate-admin \
ttl=1h
vault secrets enable -path="carrramba-encore-rate-api" -description="carrramba-encore-rate secrets" kv
vault kv put carrramba-encore-rate-api/idfm-api-key key=$(pass dev/idfm_prim_api_token)
@@ -108,3 +108,50 @@ kubectl apply -f observability.yaml -n observability
kubectl apply -f carrramba-cert.yaml
kubectl apply -f carrramba-encore-rate-deployment.yaml
# Install NFS server provisioner
helm repo add stable https://charts.helm.sh/stable
helm repo update
helm install nfs-server stable/nfs-server-provisioner --set persistence.enabled=true,persistence.storageClass=scw-bssd,persistence.size=10Gi
# Install CICD
vault write database/config/cicd_woodpecker \
plugin_name=postgresql-database-plugin \
verify_connection=false \
allowed_roles="*" \
connection_url="postgresql://{{username}}:{{password}}@postgres:5432/cicd_woodpecker?sslmode=disable" \
username="postgres" \
password="password"
vault policy write cicd-woodpecker-server vault-cicd-woodpecker-server-policy.hcl
vault policy write cicd-woodpecker-agent vault-cicd-woodpecker-agent-policy.hcl
vault write --force /database/rotate-root/cicd_woodpecker
vault write database/roles/cicd-woodpecker-server \
db_name=cicd_woodpecker \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
ALTER ROLE \"{{name}}\" SUPERUSER;" \
revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
default_ttl="768h" \
max_ttl="768h"
# default_ttl="1h" \
# max_ttl="24h"
vault write auth/kubernetes/role/cicd-woodpecker-server \
bound_service_account_names=woodpecker-server \
bound_service_account_namespaces=cicd \
policies=cicd-woodpecker-server \
ttl=1h
vault write auth/kubernetes/role/cicd-woodpecker-agent \
bound_service_account_names=woodpecker-agent \
bound_service_account_namespaces=cicd \
policies=cicd-woodpecker-agent \
ttl=1h
vault secrets enable -path=cicd-woodpecker-server -description="CI/CD Woodpecker server secrets" kv
vault kv put cicd-woodpecker-server/oauth2-secret key=$(pass dev/git.adrien.run/woodpecker-ci-oauth2-secret)
vault kv put cicd-woodpecker-server/oauth2-id key=$(pass dev/git.adrien.run/woodpecker-ci-oauth2-id)
vault secrets enable -path=cicd-woodpecker -description="CI/CD Woodpecker server secrets" kv
vault kv put cicd-woodpecker/agent-secret key=$(pass dev/git.adrien.run/woodpecker-ci-agent-secret)

4
postgres.yaml
View File

@@ -72,6 +72,8 @@ spec:
value: postgres
- name: POSTGRES_PASSWORD
value: password
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
# envFrom:
# - configMapRef:
# name: postgres-config
@@ -97,6 +99,7 @@ data:
initdb.sql: |
CREATE DATABASE carrramba_encore_rate;
CREATE EXTENSION IF NOT EXISTS pg_trgm;
CREATE DATABASE cicd_woodpecker;
---
apiVersion: v1
kind: Service
@@ -111,4 +114,3 @@ spec:
targetPort: 5432
selector:
app: postgres

229
tools.yaml Normal file
View File

@@ -0,0 +1,229 @@
apiVersion: v1
kind: Namespace
metadata:
name: tools
labels:
name: tools
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
namespace: tools
name: letsencrypt-plantuml-server
spec:
acme:
email: me@adrien.run
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-plantuml-server
solvers:
- http01:
ingress:
class: traefik
---
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: tools
name: plantuml-server
labels:
app: plantuml-server
spec:
replicas: 1
selector:
matchLabels:
app: plantuml-server
template:
metadata:
labels:
app: plantuml-server
spec:
containers:
- name: plantuml-server
image: plantuml/plantuml-server:latest
ports:
- name: web
containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
namespace: tools
name: plantuml-server
labels:
app: plantuml-server
spec:
ports:
- name: web
port: 8080
targetPort: web
selector:
app: plantuml-server
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
namespace: tools
name: websecure-redirect
spec:
redirectScheme:
scheme: https
permanent: true
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: tools
name: plantuml-server-web-ingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
traefik.ingress.kubernetes.io/router.middlewares: default-websecure-redirect@kubernetescrd
spec:
rules:
- host: plantuml.tools.adrien.run
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: plantuml-server
port:
name: web
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: tools
name: plantuml-server-websecure-ingress
annotations:
cert-manager.io/cluster-issuer: letsencrypt-plantuml-server
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
tls:
- hosts:
- plantuml.tools.adrien.run
secretName: tls-plantuml-server-ingress
rules:
- host: plantuml.tools.adrien.run
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: plantuml-server
port:
name: web
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-dicebear-api-server
namespace: tools
spec:
acme:
email: me@adrien.run
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-dicebear-api-server
solvers:
- http01:
ingress:
class: traefik
---
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: tools
name: dicebear-api
labels:
app: dicebear-api
spec:
replicas: 1
selector:
matchLabels:
app: dicebear-api
template:
metadata:
labels:
app: dicebear-api
spec:
containers:
- name: dicebear-api
image: dicebear/api:latest
ports:
- name: web
containerPort: 3000
---
apiVersion: v1
kind: Service
metadata:
namespace: tools
name: dicebear-api
labels:
app: dicebear-api
spec:
ports:
- name: web
port: 3000
targetPort: web
selector:
app: dicebear-api
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: tools
name: dicebear-api-web-ingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
traefik.ingress.kubernetes.io/router.middlewares: default-websecure-redirect@kubernetescrd
spec:
rules:
- host: dicebear.tools.adrien.run
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dicebear-api
port:
name: web
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: tools
name: dicebear-api-websecure-ingress
annotations:
cert-manager.io/cluster-issuer: letsencrypt-dicebear-api-server
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
tls:
- hosts:
- dicebear.tools.adrien.run
secretName: tls-dicebear-api-server-ingress
rules:
- host: dicebear.tools.adrien.run
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dicebear-api
port:
name: web

4
vault-cicd-woodpecker-agent-policy.hcl Normal file
View File

@@ -0,0 +1,4 @@
path "cicd-woodpecker/*" {
capabilities = ["read"]
}

12
vault-cicd-woodpecker-server-policy.hcl Normal file
View File

@@ -0,0 +1,12 @@
path "database/creds/cicd-woodpecker-server" {
capabilities = ["read"]
}
path "cicd-woodpecker/*" {
capabilities = ["read"]
}
path "cicd-woodpecker-server/*" {
capabilities = ["read"]
}