From 2349d7dc178dbfc2b793523c02359c734b547db9 Mon Sep 17 00:00:00 2001
From: Sangho Na
Date: Thu, 8 Aug 2024 13:04:08 +1200
Subject: [PATCH] feat: Set up kustomization (#449)
* chore: Remove existing k8s directory
* feat: Set up kustomization
* chore: Consistent indentation
* chore: Add bib.bib.svc.cluster.local to INTERNAL_HOSTNAMES to be consistent with the current production settings
* chore: Remove bib- prefix from app label
* refactor: Remove /bin/sh -c from commands as redundant
* chore: Remove duplicate bib- prefix
* chore: Add missing labels
* chore: Remove config map in favour of external secret
* chore: Add secrets.yaml (placeholders)
* chore: Remove bibxml- and bibxml-service- prefixes
* chore: Name deployment appropriately
* fix: Use correct image tag for redis container
* revert: Bring back /bin/sh -c ref: f59fc9bb435a12d5366092d14d95a3d300050aaa
* fix: Add security context to redis container
* fix: Mount /tmp volume in celery container
* chore: Specify correct var for database password
* fix: Specify uid and gid in celery worker command
* fix: Use 33 for user, group and fs group
* fix: Remove uid and gid params from celery worker command
* fix: Provide pidfile and schedule params to celery worker command
* fix: Give redis container access to dump file (/data/dump.rdb)
* fix: Use uid 999 and gid 999 in redis container
---
 k8s/bib.yaml | 120 ++++++++++++++++++++++++++++++++++++++
 k8s/kustomization.yaml | 4 ++
 k8s/secrets.yaml | 38 ++++++++++++
 k8s/ws/ws-deployment.yaml | 62 --------------------
 k8s/ws/ws-service.yaml | 15 -----
 5 files changed, 162 insertions(+), 77 deletions(-)
 create mode 100644 k8s/bib.yaml
 create mode 100644 k8s/kustomization.yaml
 create mode 100644 k8s/secrets.yaml
 delete mode 100644 k8s/ws/ws-deployment.yaml
 delete mode 100644 k8s/ws/ws-service.yaml
diff --git a/k8s/bib.yaml b/k8s/bib.yaml
new file mode 100644
index 00000000..0de84f41
--- /dev/null
+++ b/k8s/bib.yaml
@@ -0,0 +1,120 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bibxml
+ labels:
+ app: bibxml
+spec:
+ replicas: 1
+ revisionHistoryLimit: 2
+ selector:
+ matchLabels:
+ app: bibxml
+ template:
+ metadata:
+ labels:
+ app: bibxml
+ spec:
+ securityContext:
+ fsGroup: 33
+ runAsNonRoot: true
+ containers:
+ - name: app
+ image: "ghcr.io/ietf-tools/bibxml-service:$APP_IMAGE_TAG"
+ imagePullPolicy: Always
+ ports:
+ - name: http
+ containerPort: 80
+ protocol: TCP
+ volumeMounts:
+ - name: datasets
+ mountPath: /data/datasets
+ envFrom:
+ - secretRef:
+ name: bib-secrets-env
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsUser: 33
+ runAsGroup: 33
+ command:
+ - /bin/sh
+ - -c
+ - |
+ python manage.py migrate &&
+ python manage.py check --deploy &&
+ python manage.py clear_cache &&
+ hypercorn -b '0.0.0.0:8000' -w 1 bibxml.asgi:application
+ - name: celery
+ image: "ghcr.io/ietf-tools/bibxml-service:$APP_IMAGE_TAG"
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: datasets
+ mountPath: /data/datasets
+ - name: tmp
+ mountPath: /tmp
+ envFrom:
+ - secretRef:
+ name: bib-secrets-env
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsUser: 33
+ runAsGroup: 33
+ command:
+ - /bin/sh
+ - -c
+ - |
+ celery -A sources.celery:app worker -B -l info -c 1 --pidfile=/tmp/celery_pid --schedule /tmp/celery-schedule.db
+ - name: redis
+ image: "redis:5.0.4"
+ command:
+ - redis-server
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - name: redis-data
+ mountPath: /data
+ ports:
+ - name: redis
+ containerPort: 6379
+ protocol: TCP
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ runAsUser: 999
+ runAsGroup: 999
+ volumes:
+ - name: datasets
+ emptyDir:
+ sizeLimit: 5Gi
+ - name: redis-data
+ emptyDir:
+ sizeLimit: 1Gi
+ - name: tmp
+ emptyDir:
+ sizeLimit: 1Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: service
+ labels:
+ app: service
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: 8000
+ protocol: TCP
+ name: http
+ selector:
+ app: bibxml
diff --git a/k8s/kustomization.yaml b/k8s/kustomization.yaml
new file mode 100644
index 00000000..b212b8e0
--- /dev/null
+++ b/k8s/kustomization.yaml
@@ -0,0 +1,4 @@
+namespace: bib
+namePrefix: bib-
+resources:
+ - bib.yaml
diff --git a/k8s/secrets.yaml b/k8s/secrets.yaml
new file mode 100644
index 00000000..6eb9dd62
--- /dev/null
+++ b/k8s/secrets.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: secrets-env
+type: Opaque
+stringData:
+ AUTO_REINDEX_INTERVAL: "5400"
+ CELERY_BROKER_URL: "redis://localhost:6379"
+ CELERY_RESULT_BACKEND: "redis://localhost:6379"
+ CONTACT_EMAIL: "tools-help@ietf.org"
+ DATASET_TMP_ROOT: "/data/datasets"
+ DEBUG: "0"
+ INTERNAL_HOSTNAMES: "localhost,bib.bib.svc.cluster.local,127.0.0.1"
+
+ # DATATRACKER_CLIENT_ID: null
+
+ # MATOMO_SITE_ID: null
+ # MATOMO_TAG_MANAGER_CONTAINER: null
+ # MATOMO_URL: "analytics.ietf.org"
+
+ PORT: "8000"
+ PRIMARY_HOSTNAME: "bib.ietf.org"
+ PYTHONUNBUFFERED: "1"
+ REDIS_HOST: "localhost"
+ REDIS_PORT: "6379"
+ SERVER_EMAIL: "support@ietf.org"
+ SERVICE_NAME: "IETF BibXML Service"
+ SOURCE_REPO_URL: "https://github.com/ietf-tools/bibxml-service"
+
+ # Secrets from Vault:
+ # DB_HOST: ""
+ # DB_NAME: ""
+ # DB_PORT: ""
+ # DB_SECRET: ""
+ # DB_USER: ""
+ # DJANGO_SECRET: ""
+ # EXTRA_API_SECRETS: ""
+ # SENTRY_DSN: ""
diff --git a/k8s/ws/ws-deployment.yaml b/k8s/ws/ws-deployment.yaml
deleted file mode 100644
index 82149df3..00000000
--- a/k8s/ws/ws-deployment.yaml
+++ /dev/null
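Review bot: The app container declares `containerPort: 80`, but its start command binds hypercorn to `0.0.0.0:8000` and the Service's `targetPort: 8000` depends on that, so the declared port is wrong and should read `containerPort: 8000`. The Service is named `service`, which under `namePrefix: bib-` in namespace `bib` resolves as `bib-service.bib.svc.cluster.local`, whereas INTERNAL_HOSTNAMES in secrets.yaml lists `bib.bib.svc.cluster.local`; if that variable feeds Django's host validation, in-cluster requests through this Service would be rejected unless a Service named `bib` exists outside this kustomization. The removed ws Deployment set `strategy: type: Recreate`, while this one takes the RollingUpdate default even though its command runs `python manage.py migrate` on every start, so a rollout can run migrations from two pods at once; restoring `strategy: {type: Recreate}` or moving migrate to a Job would avoid that. None of the three containers sets `resources` requests or limits, and the redis sidecar runs an unconfigured `redis:5.0.4` that the other containers only reach over localhost; adding `--bind 127.0.0.1` to its command (rather than relying on protected-mode defaults), a current pinned image, and resource limits would tighten the pod without changing behaviour.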
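Review bot: secrets.yaml is not listed under `resources` in kustomization.yaml, so `namePrefix: bib-` is never applied to it and its `name: secrets-env` does not match the `bib-secrets-env` that both the app and celery containers reference via `secretRef` in bib.yaml. If the file is only a placeholder documenting which keys the externally provisioned Secret must carry, a header comment such as `# Not applied by kustomize: reference for the externally provisioned bib-secrets-env Secret` would stop someone from applying it as-is and then wondering why the pods fail to start; otherwise add it to `resources` and change the references in bib.yaml to `secrets-env` so the prefix transformer rewrites both sides consistently. Most of the populated keys (CONTACT_EMAIL, PORT, REDIS_HOST, SERVICE_NAME, SOURCE_REPO_URL) are ordinary configuration rather than secrets, so carrying them in the Secret widens what has to be handled as sensitive; only the commented Vault-sourced DB_*, DJANGO_SECRET, EXTRA_API_SECRETS and SENTRY_DSN entries actually need Secret handling.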
@@ -1,62 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: ws
- name: ws
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: ws
- strategy:
- type: Recreate
- template:
- metadata:
- labels:
- app: ws
- spec:
- containers:
- - name: ws
- image: bibxml/base
- imagePullPolicy: Never
- command: ["/bin/sh"]
- args: ["-c", "python manage.py collectstatic --noinput && python manage.py check --deploy && python manage.py runserver 0.0.0.0:8800"]
- env:
- - name: PRIMARY_HOSTNAME
- value: localhost
- - name: DEBUG
- value: "1"
- - name: DJANGO_SECRET
- valueFrom:
- secretKeyRef:
- name: django-credentials
- key: secret
- - name: DB_HOST
- value: db-service
- - name: DB_NAME
- valueFrom:
- secretKeyRef:
- name: postgres-credentials
- key: db
- - name: DB_PORT
- value: "5432"
- - name: DB_SECRET
- valueFrom:
- secretKeyRef:
- name: postgres-credentials
- key: password
- - name: DB_USER
- valueFrom:
- secretKeyRef:
- name: postgres-credentials
- key: user
- - name: REDIS_HOST
- value: redis-service
- - name: REDIS_PORT
- value: "6379"
- ports:
- - containerPort: 8800
- resources: {}
- restartPolicy: Always
-status: {}
diff --git a/k8s/ws/ws-service.yaml b/k8s/ws/ws-service.yaml
deleted file mode 100644
index 4b0494b9..00000000
--- a/k8s/ws/ws-service.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app: ws
- name: ws-service
-spec:
- ports:
- - name: "8800"
- port: 8800
- targetPort: 8800
- selector:
- app: ws
-status:
- loadBalancer: {}