Merge pull request #160 from dappradar/k8s_poc

K8s poc
dappradar · Jul 4, 2023 · 23fac58 · 23fac58
2 parents bfafd0c + 48b6e36
commit 23fac58
Show file tree

Hide file tree

Showing 16 changed files with 345 additions and 5 deletions.
diff --git a/.github/workflows/build-push-image.yml b/.github/workflows/build-push-image.yml
@@ -0,0 +1,87 @@
+name: Build and push image
+
+on:
+ push:
+ branches:
+ - staging
+ - master
+ workflow_dispatch:
+
+permissions:
+ id-token: write # Required for requesting the JWT
+ contents: read # Required for actions/checkout
+ security-events: write # Required for uploading security scan results
+
+env:
+ ECR_REPOSITORY_URL_APP: "${{ secrets.IMAGE_REGISTRY_URL }}/defi-providers"
+ ECR_REPOSITORY_URL_INFRA: "${{ secrets.IMAGE_REGISTRY_URL }}/defi-providers-infra"
+ IMAGE_TAG: "${{ github.ref_name }}-${{ github.sha }}"
+ MANIFESTS_PATH: "${{ github.ref_name == 'master' && './kubernetes/production' || './kubernetes/staging' }}"
+ AWS_DEFAULT_REGION: eu-central-1
+ AWS_IAM_ROLE_GITHUB: "${{ secrets.AWS_IAM_ROLE_GITHUB }}"
+
+jobs:
+ build:
+ name: Build and push image
+ runs-on: dappradar-runner
+
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: Configure AWS credentials
+ uses: aws-actions/configure-aws-credentials@v2
+ with:
+ aws-region: ${{ env.AWS_DEFAULT_REGION }}
+ role-to-assume: ${{ env.AWS_IAM_ROLE_GITHUB }}
+
+ - name: Authenticate to Amazon ECR
+ uses: aws-actions/amazon-ecr-login@v1
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v2
+ with:
+ driver: docker
+
+ - name: Build Docker image
+ uses: docker/build-push-action@v4
+ with:
+ context: .
+ tags: "${{ env.ECR_REPOSITORY_URL_APP }}:${{ env.IMAGE_TAG }}"
+ push: false
+
+ - name: Scan image - High and Critical Severity
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: "${{ env.ECR_REPOSITORY_URL_APP }}:${{ env.IMAGE_TAG }}" 
+ format: sarif
+ output: trivy-results.sarif
+ hide-progress: false
+ exit-code: 1
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ if: always()
+ with:
+ sarif_file: trivy-results.sarif
+
+ - name: Push Docker image
+ uses: docker/build-push-action@v4
+ with:
+ context: .
+ tags: "${{ env.ECR_REPOSITORY_URL_APP }}:${{ env.IMAGE_TAG }}"
+ push: true
+
+ - name: Bake and push manifests
+ run: |
+ kubectl kustomize $MANIFESTS_PATH | \
+ envsubst '$CONTAINER_IMAGE' | \
+ flux push artifact oci://$OCI_IMAGE_URL_INFRA -f - \
+ --source="$(git config --get remote.origin.url)" \
+ --revision="$(git branch --show-current)@sha1:$(git rev-parse HEAD)" \
+ --provider=aws && \
+ flux tag artifact oci://$OCI_IMAGE_URL_INFRA \
+ --tag $GITHUB_REF_NAME \
+ --provider aws
+ env:
+ OCI_IMAGE_URL_INFRA: "${{ env.ECR_REPOSITORY_URL_INFRA }}:${{ env.IMAGE_TAG }}"
+ CONTAINER_IMAGE: "${{ env.ECR_REPOSITORY_URL_APP }}:${{ env.IMAGE_TAG }}"
diff --git a/Dockerfile b/Dockerfile
@@ -1,16 +1,24 @@
-FROM --platform=linux/amd64 node:16.10.0-alpine as builder
+FROM --platform=linux/amd64 node:18-alpine as builder
 
 RUN apk --no-cache upgrade && \
  apk --no-cache add protoc
 
 WORKDIR /usr/src/app
-COPY .git/ ./.git/
 COPY package*.json ./
-RUN npm install
+RUN npm ci
 COPY . .
 RUN npm run build
 
-FROM --platform=linux/amd64 node:16.10.0-alpine
+FROM --platform=linux/amd64 node:18-alpine
+
 WORKDIR /usr/src/app
-COPY --from=builder /usr/src/app/ /usr/src/app/
+
+# TODO: optimize this part further, as it makes image big
+COPY package*.json ./
+RUN npm install --production
+
+COPY --from=builder /usr/src/app/dist/ dist/
+
+EXPOSE 3002
+
 CMD [ "node", "dist/main.js" ]
diff --git a/kubernetes/base/deployment.yml b/kubernetes/base/deployment.yml
@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: defi-providers
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ component: defi-providers
+ template:
+ metadata:
+ labels:
+ component: defi-providers
+ spec:
+ containers:
+ - name: defi-providers
+ image: "${CONTAINER_IMAGE}" # image name:tag will be replaced during runtime
+ envFrom:
+ - secretRef:
+ name: defi-providers-secrets
+ ports:
+ - name: app-port
+ containerPort: 3002
diff --git a/kubernetes/base/ingress.yml b/kubernetes/base/ingress.yml
@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: defi-providers
+ annotations:
+ # SSL certificate
+ cert-manager.io/issuer: prod-issuer
+ cert-manager.io/issuer-kind: OriginIssuer
+ cert-manager.io/issuer-group: cert-manager.k8s.cloudflare.com
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: "" # set in overlay
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: defi-providers
+ port:
+ number: 443
+
+ tls:
+ # specifying a host in the TLS section will tell cert-manager what
+ # DNS SANs should be on the created certificate.
+ - hosts:
+ - "" # set in overlay
+ # cert-manager will create this secret
+ secretName: defi-providers-tls
diff --git a/kubernetes/base/kustomization.yml b/kubernetes/base/kustomization.yml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- deployment.yml
+- service.yml
+- ingress.yml
+- secrets.yml
+- redis.yml
diff --git a/kubernetes/base/redis.yml b/kubernetes/base/redis.yml
@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: defi-providers-redis
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ component: defi-providers-redis
+ template:
+ metadata:
+ labels:
+ component: defi-providers-redis
+ spec:
+ containers:
+ - name: defi-providers-redis
+ image: redis:7
+ imagePullPolicy: Always
+ args: ["--requirepass", "$(REDIS_PASS)"]
+ resources:
+ requests:
+ cpu: 250m
+ memory: 512Mi
+ limits:
+ cpu: 1000m
+ memory: 1Gi
+ ports:
+ - name: redis-port
+ containerPort: 6379
+ env:
+ - name: MASTER
+ value: "true"
+ - name: REDIS_PASS
+ valueFrom:
+ secretKeyRef:
+ name: defi-providers-secrets
+ key: REDIS_PASS
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: defi-providers-redis
+spec:
+ ports:
+ - name: redis
+ port: 6379
+ targetPort: redis-port
+ protocol: TCP
+ selector:
+ component: defi-providers-redis
diff --git a/kubernetes/base/secrets.yml b/kubernetes/base/secrets.yml
@@ -0,0 +1,15 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: defi-providers
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: SecretStore
+ name: dappradar-defi-secret-store
+ target:
+ name: defi-providers-secrets
+ creationPolicy: Owner
+ dataFrom:
+ - extract:
+ key: "" # set in overlay
diff --git a/kubernetes/base/service.yml b/kubernetes/base/service.yml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: defi-providers
+spec:
+ selector:
+ component: defi-providers
+ ports:
+ - name: defi-providers
+ port: 443
+ targetPort: app-port
diff --git a/kubernetes/production/kustomization.yml b/kubernetes/production/kustomization.yml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../base
+patches:
+ - path: ./patch-deployment.yml
+ target:
+ kind: Deployment
+ name: defi-providers
+
+ - path: ./patch-ingress.yml
+ target:
+ kind: Ingress
+ name: defi-providers
+
+ - path: ./patch-secrets.yml
+ target:
+ kind: ExternalSecret
+ name: defi-providers
diff --git a/kubernetes/production/patch-deployment.yml b/kubernetes/production/patch-deployment.yml
@@ -0,0 +1,6 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: defi-providers
+spec:
+ replicas: 3
diff --git a/kubernetes/production/patch-ingress.yml b/kubernetes/production/patch-ingress.yml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: defi-providers
+spec:
+ rules:
+ - host: defi-providers-k8s.dappradar.com # TODO: change after testing to actual DNS entry
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: defi-providers
+ port:
+ number: 443
+
+ tls:
+ - hosts:
+ - defi-providers-k8s.dappradar.com # TODO: change after testing to actual DNS entry
+ secretName: defi-providers-tls
diff --git a/kubernetes/production/patch-secrets.yml b/kubernetes/production/patch-secrets.yml
@@ -0,0 +1,8 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: defi-providers
+spec:
+ dataFrom:
+ - extract:
+ key: "/defi-providers/prod"
diff --git a/kubernetes/staging/kustomization.yml b/kubernetes/staging/kustomization.yml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ../base
+patches:
+ - path: ./patch-deployment.yml
+ target:
+ kind: Deployment
+ name: defi-providers
+
+ - path: ./patch-ingress.yml
+ target:
+ kind: Ingress
+ name: defi-providers
+
+ - path: ./patch-secrets.yml
+ target:
+ kind: ExternalSecret
+ name: defi-providers
diff --git a/kubernetes/staging/patch-deployment.yml b/kubernetes/staging/patch-deployment.yml
@@ -0,0 +1,6 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: defi-providers
+spec:
+ replicas: 2
diff --git a/kubernetes/staging/patch-ingress.yml b/kubernetes/staging/patch-ingress.yml
@@ -0,0 +1,21 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: defi-providers
+spec:
+ rules:
+ - host: defi-providers-k8s.dappradar.dev # TODO: change after testing to actual DNS entry
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: defi-providers
+ port:
+ number: 443
+
+ tls:
+ - hosts:
+ - defi-providers-k8s.dappradar.dev # TODO: change after testing to actual DNS entry
+ secretName: defi-providers-tls
diff --git a/kubernetes/staging/patch-secrets.yml b/kubernetes/staging/patch-secrets.yml
@@ -0,0 +1,8 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: defi-providers
+spec:
+ dataFrom:
+ - extract:
+ key: "/defi-providers/qa"