-
Notifications
You must be signed in to change notification settings - Fork 23
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #160 from dappradar/k8s_poc
K8s poc
- Loading branch information
Showing
16 changed files
with
345 additions
and
5 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,87 @@ | ||
name: Build and push image | ||
|
||
on: | ||
push: | ||
branches: | ||
- staging | ||
- master | ||
workflow_dispatch: | ||
|
||
permissions: | ||
id-token: write # Required for requesting the JWT | ||
contents: read # Required for actions/checkout | ||
security-events: write # Required for uploading security scan results | ||
|
||
env: | ||
ECR_REPOSITORY_URL_APP: "${{ secrets.IMAGE_REGISTRY_URL }}/defi-providers" | ||
ECR_REPOSITORY_URL_INFRA: "${{ secrets.IMAGE_REGISTRY_URL }}/defi-providers-infra" | ||
IMAGE_TAG: "${{ github.ref_name }}-${{ github.sha }}" | ||
MANIFESTS_PATH: "${{ github.ref_name == 'master' && './kubernetes/production' || './kubernetes/staging' }}" | ||
AWS_DEFAULT_REGION: eu-central-1 | ||
AWS_IAM_ROLE_GITHUB: "${{ secrets.AWS_IAM_ROLE_GITHUB }}" | ||
|
||
jobs: | ||
build: | ||
name: Build and push image | ||
runs-on: dappradar-runner | ||
|
||
steps: | ||
- uses: actions/checkout@v3 | ||
|
||
- name: Configure AWS credentials | ||
uses: aws-actions/configure-aws-credentials@v2 | ||
with: | ||
aws-region: ${{ env.AWS_DEFAULT_REGION }} | ||
role-to-assume: ${{ env.AWS_IAM_ROLE_GITHUB }} | ||
|
||
- name: Authenticate to Amazon ECR | ||
uses: aws-actions/amazon-ecr-login@v1 | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v2 | ||
with: | ||
driver: docker | ||
|
||
- name: Build Docker image | ||
uses: docker/build-push-action@v4 | ||
with: | ||
context: . | ||
tags: "${{ env.ECR_REPOSITORY_URL_APP }}:${{ env.IMAGE_TAG }}" | ||
push: false | ||
|
||
- name: Scan image - High and Critical Severity | ||
uses: aquasecurity/trivy-action@master | ||
with: | ||
image-ref: "${{ env.ECR_REPOSITORY_URL_APP }}:${{ env.IMAGE_TAG }}" | ||
format: sarif | ||
output: trivy-results.sarif | ||
hide-progress: false | ||
exit-code: 1 | ||
|
||
- name: Upload Trivy scan results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@v2 | ||
if: always() | ||
with: | ||
sarif_file: trivy-results.sarif | ||
|
||
- name: Push Docker image | ||
uses: docker/build-push-action@v4 | ||
with: | ||
context: . | ||
tags: "${{ env.ECR_REPOSITORY_URL_APP }}:${{ env.IMAGE_TAG }}" | ||
push: true | ||
|
||
- name: Bake and push manifests | ||
run: | | ||
kubectl kustomize $MANIFESTS_PATH | \ | ||
envsubst '$CONTAINER_IMAGE' | \ | ||
flux push artifact oci://$OCI_IMAGE_URL_INFRA -f - \ | ||
--source="$(git config --get remote.origin.url)" \ | ||
--revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)" \ | ||
--provider=aws && \ | ||
flux tag artifact oci://$OCI_IMAGE_URL_INFRA \ | ||
--tag $GITHUB_REF_NAME \ | ||
--provider aws | ||
env: | ||
OCI_IMAGE_URL_INFRA: "${{ env.ECR_REPOSITORY_URL_INFRA }}:${{ env.IMAGE_TAG }}" | ||
CONTAINER_IMAGE: "${{ env.ECR_REPOSITORY_URL_APP }}:${{ env.IMAGE_TAG }}" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,16 +1,24 @@ | ||
FROM --platform=linux/amd64 node:16.10.0-alpine as builder | ||
FROM --platform=linux/amd64 node:18-alpine as builder | ||
|
||
RUN apk --no-cache upgrade && \ | ||
apk --no-cache add protoc | ||
|
||
WORKDIR /usr/src/app | ||
COPY .git/ ./.git/ | ||
COPY package*.json ./ | ||
RUN npm install | ||
RUN npm ci | ||
COPY . . | ||
RUN npm run build | ||
|
||
FROM --platform=linux/amd64 node:16.10.0-alpine | ||
FROM --platform=linux/amd64 node:18-alpine | ||
|
||
WORKDIR /usr/src/app | ||
COPY --from=builder /usr/src/app/ /usr/src/app/ | ||
|
||
# TODO: optimize this part further, as it makes image big | ||
COPY package*.json ./ | ||
RUN npm install --production | ||
|
||
COPY --from=builder /usr/src/app/dist/ dist/ | ||
|
||
EXPOSE 3002 | ||
|
||
CMD [ "node", "dist/main.js" ] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: defi-providers | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
component: defi-providers | ||
template: | ||
metadata: | ||
labels: | ||
component: defi-providers | ||
spec: | ||
containers: | ||
- name: defi-providers | ||
image: "${CONTAINER_IMAGE}" # image name:tag will be replaced during runtime | ||
envFrom: | ||
- secretRef: | ||
name: defi-providers-secrets | ||
ports: | ||
- name: app-port | ||
containerPort: 3002 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
apiVersion: networking.k8s.io/v1 | ||
kind: Ingress | ||
metadata: | ||
name: defi-providers | ||
annotations: | ||
# SSL certificate | ||
cert-manager.io/issuer: prod-issuer | ||
cert-manager.io/issuer-kind: OriginIssuer | ||
cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com | ||
spec: | ||
ingressClassName: nginx | ||
rules: | ||
- host: "" # set in overlay | ||
http: | ||
paths: | ||
- path: / | ||
pathType: Prefix | ||
backend: | ||
service: | ||
name: defi-providers | ||
port: | ||
number: 443 | ||
|
||
tls: | ||
# specifying a host in the TLS section will tell cert-manager what | ||
# DNS SANs should be on the created certificate. | ||
- hosts: | ||
- "" # set in overlay | ||
# cert-manager will create this secret | ||
secretName: defi-providers-tls |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
resources: | ||
- deployment.yml | ||
- service.yml | ||
- ingress.yml | ||
- secrets.yml | ||
- redis.yml |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,50 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: defi-providers-redis | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
component: defi-providers-redis | ||
template: | ||
metadata: | ||
labels: | ||
component: defi-providers-redis | ||
spec: | ||
containers: | ||
- name: defi-providers-redis | ||
image: redis:7 | ||
imagePullPolicy: Always | ||
args: ["--requirepass", "$(REDIS_PASS)"] | ||
resources: | ||
requests: | ||
cpu: 250m | ||
memory: 512Mi | ||
limits: | ||
cpu: 1000m | ||
memory: 1Gi | ||
ports: | ||
- name: redis-port | ||
containerPort: 6379 | ||
env: | ||
- name: MASTER | ||
value: "true" | ||
- name: REDIS_PASS | ||
valueFrom: | ||
secretKeyRef: | ||
name: defi-providers-secrets | ||
key: REDIS_PASS | ||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: defi-providers-redis | ||
spec: | ||
ports: | ||
- name: redis | ||
port: 6379 | ||
targetPort: redis-port | ||
protocol: TCP | ||
selector: | ||
component: defi-providers-redis |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: external-secrets.io/v1beta1 | ||
kind: ExternalSecret | ||
metadata: | ||
name: defi-providers | ||
spec: | ||
refreshInterval: 1m | ||
secretStoreRef: | ||
kind: SecretStore | ||
name: dappradar-defi-secret-store | ||
target: | ||
name: defi-providers-secrets | ||
creationPolicy: Owner | ||
dataFrom: | ||
- extract: | ||
key: "" # set in overlay |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: defi-providers | ||
spec: | ||
selector: | ||
component: defi-providers | ||
ports: | ||
- name: defi-providers | ||
port: 443 | ||
targetPort: app-port |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
resources: | ||
- ../base | ||
patches: | ||
- path: ./patch-deployment.yml | ||
target: | ||
kind: Deployment | ||
name: defi-providers | ||
|
||
- path: ./patch-ingress.yml | ||
target: | ||
kind: Ingress | ||
name: defi-providers | ||
|
||
- path: ./patch-secrets.yml | ||
target: | ||
kind: ExternalSecret | ||
name: defi-providers |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: defi-providers | ||
spec: | ||
replicas: 3 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
apiVersion: networking.k8s.io/v1 | ||
kind: Ingress | ||
metadata: | ||
name: defi-providers | ||
spec: | ||
rules: | ||
- host: defi-providers-k8s.dappradar.com # TODO: change after testing to actual DNS entry | ||
http: | ||
paths: | ||
- path: / | ||
pathType: Prefix | ||
backend: | ||
service: | ||
name: defi-providers | ||
port: | ||
number: 443 | ||
|
||
tls: | ||
- hosts: | ||
- defi-providers-k8s.dappradar.com # TODO: change after testing to actual DNS entry | ||
secretName: defi-providers-tls |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
apiVersion: external-secrets.io/v1beta1 | ||
kind: ExternalSecret | ||
metadata: | ||
name: defi-providers | ||
spec: | ||
dataFrom: | ||
- extract: | ||
key: "/defi-providers/prod" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
apiVersion: kustomize.config.k8s.io/v1beta1 | ||
kind: Kustomization | ||
resources: | ||
- ../base | ||
patches: | ||
- path: ./patch-deployment.yml | ||
target: | ||
kind: Deployment | ||
name: defi-providers | ||
|
||
- path: ./patch-ingress.yml | ||
target: | ||
kind: Ingress | ||
name: defi-providers | ||
|
||
- path: ./patch-secrets.yml | ||
target: | ||
kind: ExternalSecret | ||
name: defi-providers |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: defi-providers | ||
spec: | ||
replicas: 2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
apiVersion: networking.k8s.io/v1 | ||
kind: Ingress | ||
metadata: | ||
name: defi-providers | ||
spec: | ||
rules: | ||
- host: defi-providers-k8s.dappradar.dev # TODO: change after testing to actual DNS entry | ||
http: | ||
paths: | ||
- path: / | ||
pathType: Prefix | ||
backend: | ||
service: | ||
name: defi-providers | ||
port: | ||
number: 443 | ||
|
||
tls: | ||
- hosts: | ||
- defi-providers-k8s.dappradar.dev # TODO: change after testing to actual DNS entry | ||
secretName: defi-providers-tls |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,8 @@ | ||
apiVersion: external-secrets.io/v1beta1 | ||
kind: ExternalSecret | ||
metadata: | ||
name: defi-providers | ||
spec: | ||
dataFrom: | ||
- extract: | ||
key: "/defi-providers/qa" |