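#!/usr/bin/env bash
#
# One-shot bootstrap of the k8s-projects cluster: CLI tools, the registry
# pull secret, Traefik, cert-manager, Vault (plus its database / Kubernetes
# auth configuration for the carrramba-encore-rate app and the Woodpecker
# CI/CD), kube-prometheus-stack, Jaeger, the NFS provisioner and the
# application deployment.
#
# Required environment (expected from ./setup_env.sh):
#   SCW_SECRET_KEY               registry password for rg.fr-par.scw.cloud
# Optional environment:
#   POSTGRES_BOOTSTRAP_PASSWORD  initial password of the postgres superuser
#                                handed to Vault; Vault rotates it right
#                                away (database/rotate-root) so the value
#                                is only valid until that call succeeds.
#
# The script is NOT idempotent: `vault secrets enable`, `vault auth enable`
# and `helm install` fail when the target already exists.  Run it once on a
# fresh cluster, or comment out the sections already applied.
set -euo pipefail

# shellcheck source=setup_env.sh
source ./setup_env.sh

readonly kubeconfig=./kubeconfig-k8s-projects.yaml
readonly vault_addr='http://127.0.0.1:8200'
# API server reachable from the Vault pod, used by the Kubernetes auth method.
readonly k8s_api_host='https://5c3a37c1-03b3-4a9d-b36f-45566ece9847.api.k8s.fr-par.scw.cloud:6443'
readonly postgres_bootstrap_password=${POSTGRES_BOOTSTRAP_PASSWORD:-password}

pf_pid=

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Create a namespace if it does not exist yet (kubectl create ns is not
# idempotent and would abort the script under set -e on a second run).
# Arguments: $1 - namespace name
#######################################
ensure_namespace() {
  kubectl create namespace "$1" --dry-run=client -o yaml | kubectl apply -f -
}

install_cli_tools() {
  snap install kubectl --classic
  snap install vault --classic
}

#######################################
# Image pull secret for the private Scaleway registry.
# Globals: SCW_SECRET_KEY (read)
#######################################
create_registry_secret() {
  : "${SCW_SECRET_KEY:?SCW_SECRET_KEY must be set (see setup_env.sh)}"
  # NOTE: the password is still visible on the command line of this kubectl
  # process (ps, shell history if pasted); keep set -x off around this call.
  kubectl create secret docker-registry registry-secret \
    --docker-server=rg.fr-par.scw.cloud \
    --docker-username=asr-projects \
    --docker-password="${SCW_SECRET_KEY}"
  # Show only name/type/age: `-o yaml` would print the (base64) credentials
  # into the terminal and any log capturing this run.
  kubectl get secret registry-secret
}

install_traefik() {
  helm repo add traefik https://traefik.github.io/charts
  helm repo update
  ensure_namespace traefik
  helm --kubeconfig "${kubeconfig}" install -n traefik traefik traefik/traefik
}

install_cert_manager() {
  helm repo add jetstack https://charts.jetstack.io
  helm repo update
  helm --kubeconfig "${kubeconfig}" install cert-manager jetstack/cert-manager \
    --namespace cert-manager \
    --create-namespace \
    --version v1.12 \
    --set installCRDs=true
}

# NOTE(review): unlike the other charts this install uses the default
# kubeconfig/context rather than "${kubeconfig}"; confirm both point at the
# same cluster before relying on it.
install_vault() {
  helm repo add hashicorp https://helm.releases.hashicorp.com
  helm repo update
  helm install vault hashicorp/vault
}

install_prometheus() {
  helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
  helm repo update
  ensure_namespace monitoring
  helm --kubeconfig "${kubeconfig}" \
    -n monitoring install kube-prometheus-stack prometheus-community/kube-prometheus-stack
}

#######################################
# Poll `vault status` until the local port-forward answers.
# Exit code 0 means unsealed, 2 means reachable but sealed (this script does
# not init/unseal, so that is fatal), anything else means not reachable yet.
# Globals: VAULT_ADDR (read)
#######################################
wait_for_vault() {
  local attempt rc
  for (( attempt = 0; attempt < 30; attempt++ )); do
    rc=0
    vault status >/dev/null 2>&1 || rc=$?
    if (( rc == 0 )); then
      return 0
    fi
    (( rc == 2 )) && die "vault at ${VAULT_ADDR} is sealed; unseal it, then rerun the configuration steps"
    sleep 2
  done
  die "vault at ${VAULT_ADDR} did not become reachable"
}

#######################################
# Background port-forward to vault-0 for the rest of the script; the
# original script left it running after exit, here it is killed on EXIT.
# Globals: pf_pid (written), VAULT_ADDR (exported)
#######################################
start_vault_port_forward() {
  # Wait for the pod to exist and run; the Ready condition is deliberately
  # not used because a sealed Vault may report not-ready — TODO confirm
  # against the chart's readiness probe.
  kubectl wait --for=jsonpath='{.status.phase}'=Running pod/vault-0 --timeout=180s
  kubectl port-forward vault-0 8200:8200 &
  pf_pid=$!
  trap 'kill "${pf_pid}" 2>/dev/null || true' EXIT
  export VAULT_ADDR="${vault_addr}"
  wait_for_vault
}

#######################################
# Enable db password management by Vault.
# Cf. https://www.hashicorp.com/blog/dynamic-database-credentials-with-vault-and-kubernetes
#######################################
configure_vault_kubernetes_auth() {
  vault auth enable kubernetes
  vault write auth/kubernetes/config \
    kubernetes_host="${k8s_api_host}" \
    disable_local_ca_jwt=true
  vault secrets enable database
}

#######################################
# Register a postgres database with Vault's database secrets engine.
# Arguments: $1 - database name (also the config name)
# Globals:   postgres_bootstrap_password (read)
# The bootstrap password is fed on stdin (`password=-`) rather than argv so
# it does not show up in process listings.
#######################################
configure_postgres_database() {
  local db=$1
  # verify_connection=false and sslmode=disable are kept from the original
  # setup: Vault never checks the credentials at write time and the postgres
  # link is unencrypted in-cluster — both are risks worth revisiting.
  printf '%s' "${postgres_bootstrap_password}" | vault write "database/config/${db}" \
    plugin_name=postgresql-database-plugin \
    verify_connection=false \
    allowed_roles="*" \
    connection_url="postgresql://{{username}}:{{password}}@postgres:5432/${db}?sslmode=disable" \
    username="postgres" \
    password=-
}

#######################################
# Bind a Kubernetes service account to a Vault policy.
# Arguments: $1 - Vault role name
#            $2 - bound service account name
#            $3 - bound service account namespace
#            $4 - Vault policy name
#######################################
bind_kubernetes_role() {
  vault write "auth/kubernetes/role/$1" \
    bound_service_account_names="$2" \
    bound_service_account_namespaces="$3" \
    policies="$4" \
    ttl=1h
}

configure_carrramba_vault() {
  configure_postgres_database carrramba_encore_rate
  vault policy write carrramba-encore-rate-api vault-carrramba-encore-rate-api-policy.hcl
  # From here on only Vault knows the postgres superuser password.
  vault write --force /database/rotate-root/carrramba_encore_rate

  # TODO: Restore default_ttl and max_ttl once the api able to reload env variable on change.
  vault write database/roles/carrramba-encore-rate-api \
    db_name=carrramba_encore_rate \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
      GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
    revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;" \
    default_ttl="768h" \
    max_ttl="768h"
    # default_ttl="1h" \
    # max_ttl="24h"
  bind_kubernetes_role carrramba_encore_rate_api carrramba-encore-rate-api default carrramba-encore-rate-api

  vault policy write carrramba-encore-rate-admin vault-carrramba-encore-rate-admin-policy.hcl
  vault write database/roles/carrramba-encore-rate-admin \
    db_name=carrramba_encore_rate \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
      ALTER ROLE \"{{name}}\" SUPERUSER;" \
    revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;" \
    default_ttl="1h" \
    max_ttl="24h"
  bind_kubernetes_role carrramba-encore-rate-admin carrramba-encore-rate-admin default carrramba-encore-rate-admin

  vault secrets enable -path="carrramba-encore-rate-api" -description="carrramba-encore-rate secrets" kv
  # `key=-` reads the value from stdin, keeping the token off argv.
  pass dev/idfm_prim_api_token | vault kv put carrramba-encore-rate-api/idfm-api-key key=-
}

# Install tracing (cf. https://www.jaegertracing.io/docs/1.49/operator/)
install_tracing() {
  ensure_namespace observability
  kubectl create -f https://github.com/jaegertracing/jaeger-operator/releases/download/v1.49.0/jaeger-operator.yaml -n observability
  kubectl apply -f observability.yaml -n observability
}

deploy_carrramba() {
  kubectl apply -f carrramba-cert.yaml
  kubectl apply -f carrramba-encore-rate-deployment.yaml
}

# NOTE: charts.helm.sh/stable is an archived repository; the chart receives
# no updates.
install_nfs_provisioner() {
  helm repo add stable https://charts.helm.sh/stable
  helm repo update
  helm install nfs-server stable/nfs-server-provisioner \
    --set persistence.enabled=true,persistence.storageClass=scw-bssd,persistence.size=10Gi
}

configure_cicd_vault() {
  configure_postgres_database cicd_woodpecker
  vault policy write cicd-woodpecker-server vault-cicd-woodpecker-server-policy.hcl
  vault policy write cicd-woodpecker-agent vault-cicd-woodpecker-agent-policy.hcl
  vault write --force /database/rotate-root/cicd_woodpecker

  vault write database/roles/cicd-woodpecker-server \
    db_name=cicd_woodpecker \
    creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
      ALTER ROLE \"{{name}}\" SUPERUSER;" \
    revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;" \
    default_ttl="768h" \
    max_ttl="768h"
    # default_ttl="1h" \
    # max_ttl="24h"
  bind_kubernetes_role cicd-woodpecker-server woodpecker-server cicd cicd-woodpecker-server
  bind_kubernetes_role cicd-woodpecker-agent woodpecker-agent cicd cicd-woodpecker-agent

  vault secrets enable -path=cicd-woodpecker-server -description="CI/CD Woodpecker server secrets" kv
  pass dev/git.adrien.run/woodpecker-ci-oauth2-secret | vault kv put cicd-woodpecker-server/oauth2-secret key=-
  pass dev/git.adrien.run/woodpecker-ci-oauth2-id | vault kv put cicd-woodpecker-server/oauth2-id key=-

  vault secrets enable -path=cicd-woodpecker -description="CI/CD Woodpecker server secrets" kv
  pass dev/git.adrien.run/woodpecker-ci-agent-secret | vault kv put cicd-woodpecker/agent-secret key=-
}

main() {
  install_cli_tools
  create_registry_secret
  install_traefik
  install_cert_manager
  install_vault
  install_prometheus
  start_vault_port_forward
  configure_vault_kubernetes_auth
  configure_carrramba_vault
  install_tracing
  deploy_carrramba
  install_nfs_provisioner
  configure_cicd_vault
}

main "$@"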