158 lines
6.1 KiB
Bash
Executable File
158 lines
6.1 KiB
Bash
Executable File
#!/bin/bash
|
|
|
|
source ./setup_env.sh
|
|
|
|
snap install kubectl --classic
|
|
snap install vault --classic
|
|
|
|
kubectl create secret docker-registry registry-secret \
|
|
--docker-server=rg.fr-par.scw.cloud \
|
|
--docker-username=asr-projects \
|
|
--docker-password=$SCW_SECRET_KEY
|
|
|
|
kubectl get secret registry-secret --output=yaml
|
|
|
|
# Install traefik
|
|
helm repo add traefik https://traefik.github.io/charts
|
|
helm repo update
|
|
kubectl create ns traefik
|
|
helm --kubeconfig ./kubeconfig-k8s-projects.yaml install -n traefik traefik traefik/traefik
|
|
|
|
# Install cert-manager
|
|
helm repo add jetstack https://charts.jetstack.io
|
|
helm repo update
|
|
helm --kubeconfig ./kubeconfig-k8s-projects.yaml install cert-manager jetstack/cert-manager \
|
|
--namespace cert-manager \
|
|
--create-namespace \
|
|
--version v1.12\
|
|
--set installCRDs=true
|
|
|
|
# Install vault
|
|
helm repo add hashicorp https://helm.releases.hashicorp.com
|
|
helm repo update
|
|
helm install vault hashicorp/vault
|
|
vault secrets enable database
|
|
|
|
# Install traefik
|
|
helm repo add traefik https://traefik.github.io/charts
|
|
helm repo update
|
|
helm install traefik traefik/traefik
|
|
|
|
# Install prometheus
|
|
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
|
|
helm repo update
|
|
kubectl create ns monitoring
|
|
helm --kubeconfig ./kubeconfig-k8s-projects.yaml \
|
|
-n monitoring install kube-prometheus-stack prometheus-community/kube-prometheus-stack
|
|
|
|
kubectl port-forward vault-0 8200:8200 &
|
|
export VAULT_ADDR='http://127.0.0.1:8200'
|
|
|
|
# Enable db passwords management by Vault
|
|
# Cf. https://www.hashicorp.com/blog/dynamic-database-credentials-with-vault-and-kubernetes
|
|
vault auth enable kubernetes
|
|
vault write auth/kubernetes/config \
|
|
kubernetes_host=https://5c3a37c1-03b3-4a9d-b36f-45566ece9847.api.k8s.fr-par.scw.cloud:6443 \
|
|
disable_local_ca_jwt=true
|
|
|
|
vault secrets enable database
|
|
vault write database/config/carrramba_encore_rate \
|
|
plugin_name=postgresql-database-plugin \
|
|
verify_connection=false \
|
|
allowed_roles="*" \
|
|
connection_url="postgresql://{{username}}:{{password}}@postgres:5432/carrramba_encore_rate?sslmode=disable" \
|
|
username="postgres" \
|
|
password="password"
|
|
|
|
vault policy write carrramba-encore-rate-api vault-carrramba-encore-rate-api-policy.hcl
|
|
|
|
vault write --force /database/rotate-root/carrramba_encore_rate
|
|
|
|
# TODO: Restore default_ttl and max_ttl once the api able to reload env variable on change.
|
|
vault write database/roles/carrramba-encore-rate-api \
|
|
db_name=carrramba_encore_rate \
|
|
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
|
|
GRANT SELECT ON ALL TABLES IN SCHEMA public TO \"{{name}}\";" \
|
|
revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
|
|
default_ttl="768h" \
|
|
max_ttl="768h"
|
|
# default_ttl="1h" \
|
|
# max_ttl="24h"
|
|
vault write auth/kubernetes/role/carrramba_encore_rate_api \
|
|
bound_service_account_names=carrramba-encore-rate-api \
|
|
bound_service_account_namespaces=default \
|
|
policies=carrramba-encore-rate-api \
|
|
ttl=1h
|
|
|
|
vault policy write carrramba-encore-rate-admin vault-carrramba-encore-rate-admin-policy.hcl
|
|
vault write database/roles/carrramba-encore-rate-admin \
|
|
db_name=carrramba_encore_rate \
|
|
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
|
|
ALTER ROLE \"{{name}}\" SUPERUSER;" \
|
|
revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
|
|
default_ttl="1h" \
|
|
max_ttl="24h"
|
|
vault write auth/kubernetes/role/carrramba-encore-rate-admin \
|
|
bound_service_account_names=carrramba-encore-rate-admin \
|
|
bound_service_account_namespaces=default \
|
|
policies=carrramba-encore-rate-admin \
|
|
ttl=1h
|
|
|
|
vault secrets enable -path="carrramba-encore-rate-api" -description="carrramba-encore-rate secrets" kv
|
|
vault kv put carrramba-encore-rate-api/idfm-api-key key=$(pass dev/idfm_prim_api_token)
|
|
|
|
# Install tracing (cf. https://www.jaegertracing.io/docs/1.49/operator/)
|
|
kubectl create namespace observability
|
|
kubectl create -f https://github.com/jaegertracing/jaeger-operator/releases/download/v1.49.0/jaeger-operator.yaml -n observability
|
|
kubectl apply -f observability.yaml -n observability
|
|
|
|
kubectl apply -f carrramba-cert.yaml
|
|
kubectl apply -f carrramba-encore-rate-deployment.yaml
|
|
|
|
# Install NFS server provisioner
|
|
helm repo add stable https://charts.helm.sh/stable
|
|
helm repo update
|
|
helm install nfs-server stable/nfs-server-provisioner --set persistence.enabled=true,persistence.storageClass=scw-bssd,persistence.size=10Gi
|
|
|
|
# Install CICD
|
|
vault write database/config/cicd_woodpecker \
|
|
plugin_name=postgresql-database-plugin \
|
|
verify_connection=false \
|
|
allowed_roles="*" \
|
|
connection_url="postgresql://{{username}}:{{password}}@postgres:5432/cicd_woodpecker?sslmode=disable" \
|
|
username="postgres" \
|
|
password="password"
|
|
|
|
vault policy write cicd-woodpecker-server vault-cicd-woodpecker-server-policy.hcl
|
|
vault policy write cicd-woodpecker-agent vault-cicd-woodpecker-agent-policy.hcl
|
|
|
|
vault write --force /database/rotate-root/cicd_woodpecker
|
|
|
|
vault write database/roles/cicd-woodpecker-server \
|
|
db_name=cicd_woodpecker \
|
|
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
|
|
ALTER ROLE \"{{name}}\" SUPERUSER;" \
|
|
revocation_statements="ALTER ROLE \"{{name}}\" NOLOGIN;"\
|
|
default_ttl="768h" \
|
|
max_ttl="768h"
|
|
# default_ttl="1h" \
|
|
# max_ttl="24h"
|
|
vault write auth/kubernetes/role/cicd-woodpecker-server \
|
|
bound_service_account_names=woodpecker-server \
|
|
bound_service_account_namespaces=cicd \
|
|
policies=cicd-woodpecker-server \
|
|
ttl=1h
|
|
|
|
vault write auth/kubernetes/role/cicd-woodpecker-agent \
|
|
bound_service_account_names=woodpecker-agent \
|
|
bound_service_account_namespaces=cicd \
|
|
policies=cicd-woodpecker-agent \
|
|
ttl=1h
|
|
|
|
vault secrets enable -path=cicd-woodpecker-server -description="CI/CD Woodpecker server secrets" kv
|
|
vault kv put cicd-woodpecker-server/oauth2-secret key=$(pass dev/git.adrien.run/woodpecker-ci-oauth2-secret)
|
|
vault kv put cicd-woodpecker-server/oauth2-id key=$(pass dev/git.adrien.run/woodpecker-ci-oauth2-id)
|
|
|
|
vault secrets enable -path=cicd-woodpecker -description="CI/CD Woodpecker server secrets" kv
|
|
vault kv put cicd-woodpecker/agent-secret key=$(pass dev/git.adrien.run/woodpecker-ci-agent-secret)
|