feat: deploy the sandbox environment for s42 devs (#255)
**Describe the pull request**

With the new IaC, the sandbox deployment is no longer automated.

**Breaking changes ?**
no

Signed-off-by: 42Atomys <contact@atomys.fr>
42atomys authored Nov 17, 2022
1 parent a771f86 commit 4453e64
Showing 15 changed files with 2,522 additions and 16 deletions.
13 changes: 3 additions & 10 deletions .github/workflows/deploy.yaml
Expand Up @@ -44,15 +44,6 @@ jobs:
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Detect stack to deploy
id: detect_changes
uses: dorny/paths-filter@v2
with:
filters: |
pre-cluster:
- 'deploy/stacks/pre-cluster/**'
cluster:
- 'deploy/stacks/cluster/**'
- name: Expose stack to deploy
uses: actions/github-script@v6
id: detected_stack
Expand All @@ -62,7 +53,9 @@ jobs:
if (context.eventName == 'release' && context.payload.action == 'released') {
stacks = ['pre-cluster', 'cluster'];
}
stacks.push('apps');
if (context.eventName == 'push' && context.ref == 'refs/heads/main' ) {
stacks.push('sandbox');
}
console.log(`Stack to deploy: ${stacks}`);
core.setOutput('stacks', stacks);
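Review bot: The second hunk gates `stacks.push('sandbox')` on `context.eventName == 'push'` and `context.ref == 'refs/heads/main'` inside the github-script step, while the first hunk removes the `detect_changes` step (`dorny/paths-filter`) whose `id` may still be referenced by the script lines that sit between the two hunks and are not visible here; please confirm nothing still reads `steps.detect_changes.outputs`. The trigger rule deserves a comment at the step, e.g. `# sandbox is redeployed on every push to main; pre-cluster/cluster only on a published release`, since the condition is buried in JavaScript rather than in a workflow `if:`. The github-script step and the enclosing `jobs:` block both start and end outside the shown hunks.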
3 changes: 3 additions & 0 deletions .gitignore
Expand Up @@ -15,6 +15,9 @@
config/*
!config/*example.yaml

# Terraform
.terraform

# =================================================
# Backend ignores 💻
# =================================================
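Review bot: The new `# Terraform` entry ignores only the `.terraform` provider cache; Terraform state files are not covered, and the sandbox stack added in this commit (`deploy/stacks/sandbox/main.tf`) declares no `backend` block, so a local `terraform.tfstate` would be written next to it holding every value the configuration materialises in clear text — including the JWK private key that `jwtks_service.tf` reads with `file()`. Consider adding `*.tfstate` and `*.tfstate.*` under the same heading, unless state is kept by a backend configured outside this diff or those patterns already appear in a part of `.gitignore` not shown here. The file continues beyond the hunk.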
2 changes: 1 addition & 1 deletion deploy/stacks/apps/s42/routing.tf
Expand Up @@ -130,7 +130,7 @@ module "istio" {
}
}
]
},
}
]
}
}
4 changes: 2 additions & 2 deletions deploy/stacks/cluster/certificates.tf
Expand Up @@ -65,8 +65,8 @@ module "cert_manager" {
dns_names = ["next.s42.app", "*.next.s42.app"]
issuer_name = "ovh-issuer"
}
"dev-s42" = {
dns_names = ["s42.dev", "*.s42.dev", "*.sandbox.s42.dev"]
"dev-s42-sandbox" = {
dns_names = ["sandbox.s42.dev"]
issuer_name = "ovh-issuer"
}
"dev-s42-previews" = {
6 changes: 3 additions & 3 deletions deploy/stacks/cluster/istio.tf
Expand Up @@ -18,13 +18,13 @@ module "istio" {
tlsMode = "SIMPLE"
tlsCredentialName = "app-s42-next-tls"
},
"dev-s42" = {
"dev-s42-sandbox" = {
ingressSelectorName = "ingressgateway"
namespace = "sandbox"
serverHttpsRedirect = true
hosts = ["sandbox.s42.dev", "*.sandbox.s42.dev"]
hosts = ["sandbox.s42.dev"]
tlsMode = "SIMPLE"
tlsCredentialName = "dev-s42-tls"
tlsCredentialName = "dev-s42-sandbox-tls"
extraServers = [
{
port = {
41 changes: 41 additions & 0 deletions deploy/stacks/pre-cluster/operators.tf
Expand Up @@ -24,6 +24,47 @@ resource "helm_release" "gateway" {
name = "nodeSelector.nodepool"
value = "medium"
}

set {
name = "service.ports[0].name"
value = "status-port"
}

set {
name = "service.ports[0].port"
value = "15021"
}

set {
name = "service.ports[1].name"
value = "http2"
}

set {
name = "service.ports[1].port"
value = "80"
}

set {
name = "service.ports[2].name"
value = "https"
}

set {
name = "service.ports[2].port"
value = "443"
}

set {
name = "service.ports[3].name"
value = "grpc"
}

set {
name = "service.ports[3].port"
value = "51000"
}

}


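Review bot: The eight `set {}` blocks added to `helm_release.gateway` spell out four Service ports as index-addressed keys (`service.ports[0].name` … `service.ports[3].port`), which drifts easily when a port is inserted or reordered; a single list of name/port pairs fed through a `dynamic "set"` keeps each pair together and derives the indexes. The `grpc`/`51000` entry is the only non-standard-looking port and should carry a comment naming what it fronts, e.g. `# 51000/grpc: <consumer of this port>`, because that is not visible here. Note that a list supplied through `--set`-style values presumably replaces the chart's default `service.ports` list rather than extending it, so removing one of the first three entries later would drop it from the gateway Service. The `helm_release` resource starts before the hunk.
```hcl
locals {
  # Ports exposed by the gateway Service; list order defines the helm index.
  gateway_service_ports = [
    { name = "status-port", port = "15021" },
    { name = "http2",       port = "80" },
    { name = "https",       port = "443" },
    { name = "grpc",        port = "51000" }, # TODO: document which backend this fronts
  ]
}

# … unchanged: resource "helm_release" "gateway" { … nodeSelector set { } …

  dynamic "set" {
    for_each = merge([
      for i, p in local.gateway_service_ports : {
        "service.ports[${i}].name" = p.name
        "service.ports[${i}].port" = p.port
      }
    ]...)
    content {
      name  = set.key
      value = set.value
    }
  }
```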
59 changes: 59 additions & 0 deletions deploy/stacks/sandbox/.terraform.lock.hcl


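--- a/deploy/stacks/sandbox/configs.tf
+++ b/deploy/stacks/sandbox/configs.tf
@@ -0,0 +1,19 @@
+resource "kubernetes_config_map" "stud42_config" {
+metadata {
+name = "stud42-config"
+namespace = var.namespace
+labels = {
+"kubernetes.io/name" = "stud42-config"
+"app.kubernetes.io/part-of" = "stud42"
+"app.kubernetes.io/managed-by" = "terraform"
+"app.kubernetes.io/created-by" = "github-actions"
+}
+}
+
+data = {
+"stud42.yaml" = templatefile("${path.root}/../apps/configs/stud42/stud42.yaml.tftpl", {
+rootDomain = var.rootDomain
+namespace = var.namespace
+})
+}
+}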
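Review bot: The label key `"kubernetes.io/name" = "stud42-config"` uses the `kubernetes.io/` prefix, which Kubernetes reserves for core components, while the other three labels follow the recommended `app.kubernetes.io/` scheme; `"app.kubernetes.io/name" = "stud42-config"` would be consistent and stays out of the reserved namespace. If the apps stack declares the same ConfigMap with the same key, change both together so any selectors keep matching. A one-line header such as `# Renders the stud42 config template shared with the apps stack into the sandbox namespace` would tell readers why the template is taken from `../apps/configs/`.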
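--- a/deploy/stacks/sandbox/jwtks_service.tf
+++ b/deploy/stacks/sandbox/jwtks_service.tf
@@ -0,0 +1,138 @@
+
+module "jwtks_service" {
+source = "../../modules/service"
+
+name = "jwtks-service"
+appName = "jwtks-service"
+appVersion = var.appVersion
+namespace = var.namespace
+image = "ghcr.io/42atomys/stud42:${var.appVersion}"
+
+command = ["stud42cli"]
+args = ["--config", "/config/stud42.yaml", "serve", "jwtks"]
+
+nodeSelector = {
+nodepool = "small"
+}
+
+podLabels = {
+# Disable istio sidecar injection for this pod due to the fact this is a
+# job and we dont implement the /quitquitquit endpoint of envoy actually.
+"sidecar.istio.io/inject" = "false"
+}
+
+replicas = 1
+autoscaling = {
+enabled = true
+minReplicas = 1
+maxReplicas = 10
+metrics = {
+cpu = {
+targetAverageUtilization = 75
+}
+}
+}
+
+prometheus = {
+enabled = false
+}
+
+podSecurityContext = {
+fsGroup = 1001
+}
+
+containerSecurityContext = {
+runAsGroup = 1001
+runAsNonRoot = true
+runAsUser = 1001
+}
+
+resources = {
+limits = {
+memory = "60Mi"
+}
+requests = {
+cpu = "100m"
+memory = "40Mi"
+}
+}
+
+ports = {
+signing = {
+containerPort = 5000
+istioProtocol = "grpc"
+}
+
+wellknow = {
+containerPort = 5500
+istioProtocol = "http"
+}
+}
+
+env = {
+GO_ENV = var.namespace
+}
+
+envFromSecret = {
+SENTRY_DSN = {
+key = "JWTKS_SERVICE_DSN"
+name = "sentry-dsns"
+}
+S42_SERVICE_TOKEN = {
+key = "TOKEN"
+name = "s42-service-token"
+}
+}
+
+volumeMounts = [
+{
+volumeName = "configuration"
+mountPath = "/config"
+readOnly = true
+},
+{
+volumeName = "certs-grpc"
+mountPath = "/etc/certs/grpc"
+readOnly = true
+},
+{
+volumeName = "certs-jwk"
+mountPath = "/etc/certs/jwk"
+readOnly = true
+}
+]
+
+volumesFromConfig = {
+configuration = {
+configMapName = "stud42-config"
+}
+}
+
+volumesFromSecret = {
+certs-grpc = {
+secretName = "jwtks-service-grpc-internal-tls"
+}
+certs-jwk = {
+# secret defined in the secrets.tf file, not on the app module
+# TODO: move it to the app module (add sealedSecret to the app module)
+secretName = "jwtks-service-certs-jwk"
+}
+}
+
+certificates = {
+grpc-internal = {
+dnsNames = ["jwtks-service", "jwtks-service.${var.namespace}.svc.cluster.local"]
+issuerRefKind = "ClusterIssuer"
+issuerRefName = "selfsigned-issuer"
+}
+}
+
+secrets = var.hasProvidedJWTKSCertificates ? {
+certs-jwk = {
+data = {
+"private.key" = file("${path.root}/../../../certs/private.key")
+"public.pem" = file("${path.root}/../../../certs/public.pem")
+}
+}
+} : {}
+}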
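Review bot: The `secrets` argument at the end of the module call reads the JWK signing key pair from the checkout (`file("${path.root}/../../../certs/private.key")`) when `var.hasProvidedJWTKSCertificates` is set, so the private key ends up in clear text in Terraform state (and in plan output unless the module variable or the provider schema marks it sensitive); wrapping it as `"private.key" = sensitive(file("${path.root}/../../../certs/private.key"))` (available since Terraform 0.15) keeps it out of plan/apply logs, and the state backend for this stack should be one with encryption and restricted access. The `podLabels` comment says the sidecar is disabled because "this is a job", yet this block declares ports, autoscaling and a Service certificate, so the comment looks copied from a job definition and should give the actual reason — presumably that the gRPC endpoint terminates its own TLS via the `grpc-internal` certificate — or be dropped. The `certs-jwk` comment ("secret defined in the secrets.tf file, not on the app module") also contradicts the `secrets` argument below, which creates the same `certs-jwk` entry on the module; one of the two is stale. The port key `wellknow` reads like a typo for `wellknown`; rename only if nothing derives Service or route names from it.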
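--- a/deploy/stacks/sandbox/locals.tf
+++ b/deploy/stacks/sandbox/locals.tf
@@ -0,0 +1,15 @@
+locals {
+// reversedRootDomain is the root domain name, reversed, for use in the
+// reverse proxy configuration. For example, if the root domain is
+// example.tld, the reversed root domain is tld-example
+// If the root domain is pr-23.previews.example.tld, the reversed root
+// domain is tld-example-previews
+reversedRootDomain = join(
+"-",
+slice(
+reverse(split(".", var.rootDomain)),
+0,
+min(3, length(split(".", var.rootDomain)))
+)
+)
+}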
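Review bot: `split(".", var.rootDomain)` is evaluated twice inside the `reversedRootDomain` expression (once for `reverse`, once for `length`); binding it once reads better and keeps the two in step: `domainLabels = split(".", var.rootDomain)` followed by `reversedRootDomain = join("-", slice(reverse(local.domainLabels), 0, min(3, length(local.domainLabels))))`. The comment's second example (`pr-23.previews.example.tld` → `tld-example-previews`) relies on the cap of three labels without saying so; a line such as `// Only the three outermost labels are kept, so deeper subdomains collapse to the same value` makes the truncation explicit. The comments use `//` while the other new files in this stack use `#`; pick one convention for the stack.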
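--- a/deploy/stacks/sandbox/main.tf
+++ b/deploy/stacks/sandbox/main.tf
@@ -0,0 +1,32 @@
+terraform {
+required_providers {
+kubernetes = {
+source = "hashicorp/kubernetes"
+version = ">= 2.14"
+}
+helm = {
+source = "hashicorp/helm"
+version = ">= 2.7.1"
+}
+}
+}
+
+provider "kubernetes" {
+config_path = "~/.kube/config"
+
+ignore_labels = [
+"security.istio.io/tlsMode",
+"service.istio.io/canonical-name",
+"service.istio.io/canonical-revision"
+]
+
+ignore_annotations = [
+"sidecar.istio.io/status",
+]
+}
+
+provider "helm" {
+kubernetes {
+config_path = "~/.kube/config"
+}
+}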
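Review bot: The `terraform {}` block declares providers but no `backend`, so unless one is supplied from outside this diff (`-backend-config` or a partial configuration in another file of the stack), state for the sandbox lives in a local `terraform.tfstate` on whichever runner last applied it — and this stack writes a Kubernetes Secret from `file()` in `jwtks_service.tf`, so that state holds key material in clear text and is not shared between workflow runs. Adding a `backend "<same type as the other stacks>" {}` block, even as a partial configuration, would make the storage explicit. Both providers point at `~/.kube/config`; a comment such as `# kubeconfig is written by the deploy workflow before apply` would say where it is expected to come from in CI, and a `required_version` constraint would pin the Terraform CLI the new lock file was generated with.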