diff --git a/charts/CHANGELOG b/charts/CHANGELOG new file mode 100644 index 00000000..4714a3d1 --- /dev/null +++ b/charts/CHANGELOG @@ -0,0 +1,188 @@ +0.8.18 +Fix ingress configuration snippet so that it is not bound by allow_django_admin + +0.8.17 +Feature to add NewRelic HTTP header and client-max-body-size to ingress + +0.8.16 +Updated the User ID use in k8s-cli-utils. It was updated in this PR (https://github.com/edx/k8s-cli-utils/pull/14) + +0.8.15 +Switch k8s-cli-utils image from dockerhub to ECR + +0.8.14 +Feature to allow configurable resource limits for CronJobs + +0.8.13 +Add feature to allow custom migration commands + +0.8.12 +Fix feature to allow worker resource limits to be configurable + +0.8.11 +Properly quote and escape shell script interpolations for deployments and cron jobs as well. + +0.8.10 +Add feature to allow worker resource limits to be configurable + +0.8.9 +Fix app deployment issue by adding the missing mounted volumes section when migrations are disabled + +0.8.8 +Proceed with running Django migrations only when it is enabled + +0.8.7 +Added additionalLabels env, owner and team for kubecost aggregations using range + +0.8.6 +Increase memory limit for celery workers to fix discovery celery workers from crashing due to resource limits being exceeded + +0.8.5 +Fix YAML injection prevention; `quote` output's escaping is only compatible with YAML, not Bash strings + +0.8.4 +Prevented YAML injection in worker command + +0.8.3 +Updated the Cron job template to support schedules that need to be quoted. + +0.8.2 +Updated the Cron job Api version to batch/v1. Previous api version was deprecated in k8s 1.21 and removed in 1.25. + +0.8.1 +Add option to configure the name of python (e.g. python, python3, python3.9) used to run command in migration init +container. Defaults to python3. + +0.8.0 +Removed ingress class variable in favor of new className variable. The class variable is used to set the old annotation +kubernetes.io/ingress.class which has been replaced by ingressClassName in the spec of the v1 of the ingress api + +0.7.2 +Add extra_tls_hosts variable to allow adding extra hostnames to TLS certs +Make ingress and tls secret names stable on ingresses using the new className variable to prevent shuffling. + +0.7.1 +Add new ingress class variable to fix issue with 0.7.0 that causes new ingresses to not be created, because kubernetes +doesn't allow you to set the new className variable on the spec and the old annotation at the same time. + +0.7.0 +Add ingressClassName to ingress spec for compatibility with networking.k8s.io/v1 Ingress and Kubernetes 1.22 + +0.6.2 +Add custom annotation to ingress object for external dns cloudflare + +0.6.1 +Adding option to specify command for collectstatic job + +0.6.0 +Changed imagePullPolicy to Always for app containers to fix issue with images not updating after rebuild. Currently +image tags are not immutable, so we need to always check the Docker image repository for updates images. + +0.5.8 +Add custom annotation for external dns + +0.5.7 +Add health_check.host_header to customize livenessProbe HTTP Host header + +0.5.6 +Add support for DB_MIGRATION_PASS with Bash special characters + +0.5.5 +Only create app HPA resource if app is enabled + +0.5.4 +Add option to toggle off app deployment (default set to True) + +0.5.3 +Upgrade ingress apiVersion from extensions/v1beta1 to networking.k8s.io/v1 + +0.5.2 +Adding option to specify resources for POD. + +0.5.1 +Adding option to specify initialDelaySeconds for readiness and liveness probes. + +0.5.0 +Removeing migrations from cronjobs and workers since this makes the db state harder to reason about. +Migrations will only be run when the application image is deployed. Remove migration secrets from cronjobs and workers since they +are no longer needed. + +0.4.1 +Removing mysql and elasticsearch subcharts + +0.4.0 +Removing support for development_mysql and development_elasticsearch + +0.3.8 +Default vault url updated to https://vault.prod.edx.org + +0.3.7 +Enabled tls by default for django-ida helm chart +added flag vault.use_tls to disable this behaviour. + +0.3.6 +New version of k8s-cli-util +Move from the older stable url to the newer one for the dev mysql deployment + +0.3.5 +New version of k8s-cli-util + +0.3.4 +Moved autoscaler api endpoints to use apps/v1 instead of apps/v1beta1, requires K8s > 1.10, but should +otherwise be reverse compatible. + +0.3.3 +Ingresses now have a generated number after them to prevent names colliding + +0.3.2 +Added parameter to allow the customization of the healthcheck endpoint with +/health as the default value. +health_check.endpoint: "/health" + +Added a liveness check that is different from the readiness check. + +0.3.1 +Added ability to override the app.port, default is backwards compatible + app.port: 18170 + +0.3.0 +Change defaults for the following variables as it was discovered +that the apps are mostly consistent, it is vault that is inconsistent. + app.migrations.migrate_db_user_env_name: DB_MIGRATION_USER + app.migrations.migrate_db_pass_env_name: DB_MIGRATION_PASS + +0.2.2 +Fix secret render indentation to fit configmap + +0.2.1 +Render config as Yaml instead of as a serialized map + +v0.2.0 +Added the following values to allow user to overwrite migration env names, +since they differ between applications. The following defaults were assigned: + + app.migrations.migrate_db_user_env_name: DATABASE_MIGRATE_USER + app.migrations.migrate_db_pass_env_name: DATABASE_MIGRATE_PASSWORD + +This is a breaking change since the default migrate_db_pass_env_name was +previously: DB_MIGRATION_PASS + +v0.1.1 +Fixed bug where image:tag pairings were not valid + +v0.1.0 +Added overridable issuer for ingresses for the cert issuer. +You will need to add an 'issuer' to each ingress using this version. + +v0.0.4 +Fix bug that resulted in an impossible autoscaling configuration min > max + +v0.0.3 +Allow applications to not specify a role_arn. Removed fake role ARN from service accounts by default. + +v0.0.2 +Added support for arbitrary application environment variables that get passed into all containers running the application image +to support applications that have non standard ENV setups. + +v0.0.1 +Initial commit diff --git a/charts/Chart.lock b/charts/Chart.lock new file mode 100644 index 00000000..b009d458 --- /dev/null +++ b/charts/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: django-ida + repository: https://25c38c15078aaa07ab0119be78db03b720b5e014@raw.githubusercontent.com/edx/helm-repo/master/ + version: 0.8.16 +digest: sha256:0e92ca10d7d40f4c92e8515b0db1c0ba1c6bcc2a43a5863bcbbf7ff75cab9679 +generated: "2023-10-30T14:08:00.791802-04:00" diff --git a/charts/Chart.yaml b/charts/Chart.yaml new file mode 100644 index 00000000..099604e8 --- /dev/null +++ b/charts/Chart.yaml @@ -0,0 +1,3 @@ +name: registrar +version: 0.0.1 +apiVersion: v2 diff --git a/charts/charts/django-ida-0.8.16.tgz b/charts/charts/django-ida-0.8.16.tgz new file mode 100644 index 00000000..c36d0b04 Binary files /dev/null and b/charts/charts/django-ida-0.8.16.tgz differ diff --git a/charts/development-config.yaml b/charts/development-config.yaml new file mode 100644 index 00000000..04409ca1 --- /dev/null +++ b/charts/development-config.yaml @@ -0,0 +1,130 @@ +django-ida: + app: + name: registrar + role_arn: arn:aws:iam::708756755355:role/development-edx-registrar + command: 'gunicorn --workers=2 --name registrar -c /edx/app/registrar/registrar/docker_gunicorn_configuration.py --log-file - --max-requests=1000 registrar.wsgi:application' + + port: 18734 + + secret_file_env_name: REGISTRAR_CFG + secret_file_name: registrar.yml + service_account_name: registrar + migrations: + name: registrar-migrations + enabled: true + database_migrate_user: db-user + + autoscaling: + enabled: false + minReplicas: 3 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + + health_check: + liveness_probe_initial_delay_seconds: 30 + readiness_probe_initial_delay_seconds: 30 + + # FILL-ME-IN + config: + API_ROOT: https://api.development.edx.org/registrar + BACKEND_SERVICE_EDX_OAUTH2_KEY: '{{ .Data.data.BACKEND_SERVICE_EDX_OAUTH2_KEY }}' + BACKEND_SERVICE_EDX_OAUTH2_PROVIDER_URL: https://courses.development.edx.org/oauth2 + BACKEND_SERVICE_EDX_OAUTH2_SECRET: '{{ .Data.data.BACKEND_SERVICE_EDX_OAUTH2_SECRET}}' + CACHES: + default: + BACKEND: django.core.cache.backends.memcached.MemcachedCache + KEY_PREFIX: registrar + LOCATION: + - development-edx-registrar.6sxrym.0001.use1.cache.amazonaws.com + - development-edx-registrar.6sxrym.0002.use1.cache.amazonaws.com + CELERY_ALWAYS_EAGER: false + CELERY_BROKER_HOSTNAME: edx-development-queues.6sxrym.ng.0001.use1.cache.amazonaws.com:6379 + CELERY_BROKER_PASSWORD: '' + CELERY_BROKER_TRANSPORT: redis + CELERY_BROKER_USER: '' + CELERY_BROKER_VHOST: 0 + CELERY_DEFAULT_EXCHANGE: registrar + CELERY_DEFAULT_QUEUE: registrar.default + CELERY_DEFAULT_ROUTING_KEY: registrar + CORS_ORIGIN_WHITELIST: + - https://development-edx-registrar.edx.org + - https://registrar.development.edx.org + - https://program-console.development.edx.org + CSRF_COOKIE_SECURE: true + CSRF_TRUSTED_ORIGINS: + - .edx.org + CSRF_TRUSTED_ORIGINS_WITH_SCHEMES: + - https://*.edx.org + DATABASES: + default: + ATOMIC_REQUESTS: false + CONN_MAX_AGE: 60 + ENGINE: django.db.backends.mysql + HOST: mysql.mysql + NAME: db + OPTIONS: + connect_timeout: 10 + init_command: SET sql_mode='STRICT_TRANS_TABLES' + PASSWORD: '{{ .Data.data.DATABASE_DEFAULT_PASSWORD }}' + PORT: '3306' + USER: db-user + DISCOVERY_BASE_URL: https://discovery.development.edx.org + EDX_DRF_EXTENSIONS: + OAUTH2_USER_INFO_URL: https://courses.development.edx.org/oauth2/user_info + JWT_AUTH: + JWT_AUTH_COOKIE_HEADER_PAYLOAD: development-edx-jwt-cookie-header-payload + JWT_AUTH_COOKIE_SIGNATURE: development-edx-jwt-cookie-signature + JWT_ISSUERS: + - AUDIENCE: '{{ .Data.data.JWT_ISSUERS_0_AUDIENCE }}' + ISSUER: https://courses.development.edx.org/oauth2 + SECRET_KEY: '{{ .Data.data.JWT_ISSUERS_0_SECRET_KEY }}' + JWT_PUBLIC_SIGNING_JWK_SET: '{"keys": [{"n": "hcm7899L5XQ6AVNYwNo3Yu-rx47f0FMAN3am6WgurbDulrcCIfhyTivzpnuOY0W-2tntlR51j4hHzywSSCqdOgG1MZLfVSJwVpVUhd9ROLuIRbifXyRJ1_d7C_L3YZdyYqFY7k8W5f62UqCePxVCh-zCKtkfjCJkhRujgDw4YeL63j80We48T0LYK5ZSRBOEj2N4fjbzsi9T2d1qCBaLvXwgYzMnUTc8mch6JMP8HWsrgqV4kkPyP3il_IgRARV5BF5cdJbUg2-__5QirmLF16xl9j0vo9yLyBnqlYZXWYjFOECI7FatHLGQDT5TopXWT4YF82_aZSNuIQUoDY8hDQ", + "kty": "RSA", "e": "AQAB", "kid": "lmsdevelopment002"}]}' + LMS_BASE_URL: https://courses.development.edx.org + MEDIA_STORAGE_BACKEND: + AWS_DEFAULT_ACL: null + AWS_LOCATION: '' + AWS_QUERYSTRING_AUTH: true + AWS_QUERYSTRING_EXPIRE: 3600 + DEFAULT_FILE_STORAGE: storages.backends.s3boto3.S3Boto3Storage + REGISTRAR_BUCKET: development-edx-registrar + PROGRAM_REPORTS_BUCKET: development-edx-program-reports + REGISTRAR_SERVICE_USER: registrar_service_user + SECRET_KEY: '{{ .Data.data.SECRET_KEY }}' + SEGMENT_KEY: '{{ .Data.data.SEGMENT_KEY }}' + SESSION_COOKIE_SECURE: true + SOCIAL_AUTH_EDX_OAUTH2_ISSUER: https://courses.development.edx.org + SOCIAL_AUTH_EDX_OAUTH2_KEY: '{{ .Data.data.SOCIAL_AUTH_EDX_OAUTH2_KEY }}' + SOCIAL_AUTH_EDX_OAUTH2_LOGOUT_URL: https://courses.development.edx.org/logout + SOCIAL_AUTH_EDX_OAUTH2_SECRET: '{{ .Data.data.SOCIAL_AUTH_EDX_OAUTH2_SECRET }}' + SOCIAL_AUTH_EDX_OAUTH2_URL_ROOT: https://courses.development.edx.org + STATIC_ROOT: /tmp/static + + workers: [] + # - name: registrar-worker + # command: celery -A registrar worker --loglevel info + # minReplicas: 3 + # maxReplicas: 6 + # targetCPUUtilizationPercentage: 100 + + newrelic: + enabled: false + app_name: development-edx-registrar + log_level: info + + collectstatic: + enabled: false + + vault: + enabled: false + vault_role: registrar + vault_addr: https://vault.stage.edx.org + secret_name: kv/registrar + secret_version: 8 + + ingresses: + - host: registrar-eks.development.edx.org + class: nginx + issuer: selfsigning-issuer + + cronjobs: [] diff --git a/charts/requirements.lock b/charts/requirements.lock new file mode 100644 index 00000000..e69de29b diff --git a/charts/requirements.yaml b/charts/requirements.yaml new file mode 100644 index 00000000..e69de29b diff --git a/charts/templates/app-deployment.yaml b/charts/templates/app-deployment.yaml new file mode 100644 index 00000000..20303805 --- /dev/null +++ b/charts/templates/app-deployment.yaml @@ -0,0 +1,218 @@ +{{ if .Values.app.enabled}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: {{ .Values.app.name }} + app.kubernetes.io/name: {{ .Values.app.name }} + {{- range $key, $val := .Values.app.additionalLabels }} + {{ $key }}: {{ $val }} + {{- end}} + name: {{ .Values.app.name }} + annotations: + ignore-check.kube-linter.io/no-read-only-root-fs: "Temporarily ignore check no-read-only-root-fs until PSRE-2074 is resolved" +spec: + revisionHistoryLimit: 1 + selector: + matchLabels: + app.kubernetes.io/instance: {{ .Values.app.name }} + app.kubernetes.io/name: {{ .Values.app.name }} + template: + metadata: + labels: + app.kubernetes.io/instance: {{ .Values.app.name }} + app.kubernetes.io/name: {{ .Values.app.name }} + {{- range $key, $val := .Values.app.additionalLabels }} + {{ $key }}: {{ $val }} + {{- end}} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + spec: + containers: + - args: + - "source /vault-api-secrets/secrets/secret.env && \ + exec {{ if .Values.newrelic.enabled }}newrelic-admin run-program{{ end }} \ + {{ regexReplaceAll "^\"|\"$" (quote .Values.app.command) "" }}" + command: + - /bin/bash + - -c + - -- + env: + - name: {{ .Values.app.secret_file_env_name }} + value: /vault-api-secrets/secrets/{{ .Values.app.secret_file_name }} + - name: NEW_RELIC_APP_NAME + valueFrom: + configMapKeyRef: + key: NEW_RELIC_APP_NAME + name: app-cm + - name: NEW_RELIC_LOG_LEVEL + valueFrom: + configMapKeyRef: + key: NEW_RELIC_LOG_LEVEL + name: app-cm + - name: NEW_RELIC_LICENSE_KEY + value: Secret value filled in from secrets.env + {{- range $env := .Values.app.extraEnvs }} + - name: {{ $env.name }} + value: {{ $env.value }} + {{- end }} + image: {{ .Values.app.image.repository }}:{{ .Values.app.image.tag }} + imagePullPolicy: Always + livenessProbe: + initialDelaySeconds: {{ .Values.app.health_check.liveness_probe_initial_delay_seconds}} + exec: + command: + - ls + periodSeconds: 5 + name: {{ .Values.app.name }} + ports: + - containerPort: {{ .Values.app.port }} + name: http + protocol: TCP + readinessProbe: + initialDelaySeconds: {{ .Values.app.health_check.readiness_probe_initial_delay_seconds}} + httpGet: + httpHeaders: + - name: Host + value: {{ .Values.app.health_check.host_header }} + path: {{ .Values.app.health_check.endpoint }} + port: http + timeoutSeconds: 3 + resources: + limits: + cpu: {{ .Values.resources.limits.cpu }} + memory: {{ .Values.resources.limits.memory }} + requests: + cpu: {{ .Values.resources.requests.cpu }} + memory: {{ .Values.resources.requests.memory }} + volumeMounts: + - mountPath: /vault-api-secrets/secrets + name: vault-api-secrets + readOnly: true + initContainers: + - env: + - name: VAULT_ADDR + valueFrom: + configMapKeyRef: + key: VAULT_ADDR + name: app-cm + - name: VAULT_ROLE + valueFrom: + configMapKeyRef: + key: VAULT_ROLE + name: app-cm + - name: TOKEN_DEST_PATH + value: /vault-auth-secrets/secrets/.vault-token + - name: ACCESSOR_DEST_PATH + value: /vault-auth-secrets/secrets/.vault-accessor + image: edxops/vault-kubernetes-authenticator:3b373bc86ade783492b6619552d2b172a6e12a8b + imagePullPolicy: IfNotPresent + name: vault-authenticator + volumeMounts: + - mountPath: /vault-auth-secrets/secrets + name: vault-auth-secrets + resources: + requests: + cpu: "50m" + memory: "48Mi" + limits: + cpu: "100m" + memory: "64Mi" + securityContext: + readOnlyRootFilesystem: true + - command: + - /bin/sh + - -c + - | + set -xe + /bin/consul-template -config /app-cm/vault.hcl -template "/app-cm/{{ .Values.app.secret_file_name }}:/vault-api-secrets/secrets/{{ .Values.app.secret_file_name }}" -once + /bin/consul-template -config /app-cm/vault.hcl -template "/app-cm/secret.env:/vault-api-secrets/secrets/secret.env" -once + /bin/consul-template -config /app-cm/vault.hcl -template "/app-cm/migrate.env:/vault-migrate-secrets/secrets/migrate.env" -once + env: + - name: VAULT_ADDR + valueFrom: + configMapKeyRef: + key: VAULT_ADDR + name: app-cm + image: hashicorp/consul-template:0.20.0-light + imagePullPolicy: IfNotPresent + name: secret-render + volumeMounts: + - mountPath: /vault-auth-secrets/secrets + name: vault-auth-secrets + readOnly: true + - mountPath: /vault-api-secrets/secrets + name: vault-api-secrets + - mountPath: /vault-migrate-secrets/secrets + name: vault-migrate-secrets + - mountPath: /app-cm + name: app-cm + resources: + requests: + cpu: "50m" + memory: "48Mi" + limits: + cpu: "100m" + memory: "64Mi" + securityContext: + readOnlyRootFilesystem: true + {{ if .Values.app.migrations.enabled }} + - args: + - source /vault-migrate-secrets/secrets/migrate.env && {{ .Values.app.migrations.migration_command }} + command: + - /bin/bash + - -c + - -- + env: + - name: {{ .Values.app.secret_file_env_name }} + value: /vault-api-secrets/secrets/{{ .Values.app.secret_file_name }} + - name: DB_MIGRATION_USER + valueFrom: + configMapKeyRef: + key: {{ .Values.app.migrations.migrate_db_user_env_name }} + name: app-cm + optional: true + - name: {{ .Values.app.migrations.migrate_db_pass_env_name }} + value: Secret value filled in from migrate.env + {{- range $env := .Values.app.extraEnvs }} + - name: {{ $env.name }} + value: {{ $env.value }} + {{- end }} + image: {{ .Values.app.image.repository }}:{{ .Values.app.image.tag }} + name: {{ .Values.app.migrations.name}} + resources: + limits: + cpu: 100m + memory: 512Mi + requests: + cpu: 25m + memory: 512Mi + volumeMounts: + - mountPath: /vault-migrate-secrets/secrets + name: vault-migrate-secrets + readOnly: true + - mountPath: /vault-api-secrets/secrets + name: vault-api-secrets + readOnly: true + {{ end }} + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 1000 + serviceAccountName: {{ .Values.app.service_account_name }} + volumes: + - emptyDir: + medium: Memory + name: vault-auth-secrets + - emptyDir: + medium: Memory + name: vault-api-secrets + - emptyDir: + medium: Memory + name: vault-migrate-secrets + - configMap: + name: app-cm + name: app-cm + +{{ end }} diff --git a/charts/templates/app-hpa.yaml b/charts/templates/app-hpa.yaml new file mode 100644 index 00000000..ee4803b3 --- /dev/null +++ b/charts/templates/app-hpa.yaml @@ -0,0 +1,24 @@ + + +{{ if and .Values.app.enabled .Values.app.autoscaling.enabled}} +--- +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + labels: + app.kubernetes.io/instance: {{ .Values.app.name }} + app.kubernetes.io/name: {{ .Values.app.name }} + {{- range $key, $val := .Values.app.additionalLabels }} + {{ $key }}: {{ $val }} + {{- end}} + name: {{ .Values.app.name }} +spec: + minReplicas: {{ .Values.app.autoscaling.minReplicas }} + maxReplicas: {{ .Values.app.autoscaling.maxReplicas }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ .Values.app.name }} + targetCPUUtilizationPercentage: {{ .Values.app.autoscaling.targetCPUUtilizationPercentage }} + +{{ end }} diff --git a/charts/templates/app-ingress.yaml b/charts/templates/app-ingress.yaml new file mode 100644 index 00000000..124eb385 --- /dev/null +++ b/charts/templates/app-ingress.yaml @@ -0,0 +1,68 @@ +{{- range $index, $ingress := .Values.ingresses }} +{{- with $ }} +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + annotations: + cert-manager.io/cluster-issuer: {{ $ingress.issuer }} + kubernetes.io/tls-acme: "true" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + {{- if $ingress.external_dns }} + kubernetes.io/external-dns: "true" + {{- end }} + {{- if $ingress.external_dns_cloudflare }} + kubernetes.io/external-dns-cloudflare: "true" + {{- end }} + {{- if hasKey $ingress "client-max-body-size" }} + nginx.ingress.kubernetes.io/proxy-body-size: {{ index $ingress "client-max-body-size" }} + {{- end }} + nginx.ingress.kubernetes.io/configuration-snippet: |- + {{- if .Values.newrelic.enabled }} + proxy_set_header X-Queue-Start "t=${msec}"; + {{- end }} + {{- if $ingress.allow_django_admin }} + {{- else }} + server_tokens off; + location /admin { + deny all; + return 403; + } + {{- end }} + labels: + app.kubernetes.io/instance: {{ $.Values.app.name }} + app.kubernetes.io/name: {{ $.Values.app.name }} + {{- range $key, $val := .Values.app.additionalLabels }} + {{ $key }}: {{ $val }} + {{- end}} + {{- /* + Append truncated sha256 of hostname in case we have mutliple ingresses of the same className + */}} + name: {{ $.Values.app.name }}-{{ $ingress.className }}-{{ $ingress.host | sha256sum | trunc 5 }} +spec: + ingressClassName: {{ $ingress.className }} + rules: + - host: {{ $ingress.host }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: {{ $.Values.app.name }} + port: + name: http + tls: + - hosts: + - {{ $ingress.host }} + {{- if $ingress.extra_tls_hosts }} + {{- range $ingress.extra_tls_hosts }} + - {{ . }} + {{- end }} + {{- end }} + {{- /* + Append truncated sha256 of hostname in case we have mutliple ingresses of the same className + */}} + secretName: {{ $.Values.app.name }}-tls-{{ $ingress.className }}-{{ $ingress.host | sha256sum | trunc 5 }} +{{- end }} +{{- end }} diff --git a/charts/templates/app-sa.yaml b/charts/templates/app-sa.yaml new file mode 100644 index 00000000..9d17152d --- /dev/null +++ b/charts/templates/app-sa.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + {{- if .Values.app.role_arn }} + annotations: + eks.amazonaws.com/role-arn: {{ .Values.app.role_arn }} + {{- end }} + name: {{ .Values.app.service_account_name }} diff --git a/charts/templates/app-service.yaml b/charts/templates/app-service.yaml new file mode 100644 index 00000000..517867e6 --- /dev/null +++ b/charts/templates/app-service.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/instance: {{ .Values.app.name }} + app.kubernetes.io/name: {{ .Values.app.name }} + name: {{ .Values.app.name }} +spec: + ports: + - name: http + port: {{ .Values.app.port }} + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/instance: {{ .Values.app.name }} + app.kubernetes.io/name: {{ .Values.app.name }} + type: ClusterIP diff --git a/charts/templates/collectstatic-deployment.yaml b/charts/templates/collectstatic-deployment.yaml new file mode 100644 index 00000000..1e4aa1d8 --- /dev/null +++ b/charts/templates/collectstatic-deployment.yaml @@ -0,0 +1,194 @@ + +{{ if .Values.collectstatic.enabled }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: {{ .Values.collectstatic.job_name }} + app.kubernetes.io/name: {{ .Values.collectstatic.job_name }} + {{- range $key, $val := .Values.app.additionalLabels }} + {{ $key }}: {{ $val }} + {{- end}} + name: {{ .Values.collectstatic.job_name }} +spec: + revisionHistoryLimit: 1 + selector: + matchLabels: + app.kubernetes.io/instance: {{ .Values.collectstatic.job_name }} + app.kubernetes.io/name: {{ .Values.collectstatic.job_name }} + template: + metadata: + labels: + app.kubernetes.io/instance: {{ .Values.collectstatic.job_name }} + app.kubernetes.io/name: {{ .Values.collectstatic.job_name }} + {{- range $key, $val := .Values.app.additionalLabels }} + {{ $key }}: {{ $val }} + {{- end}} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + spec: + containers: + - args: + - echo asset upload complete;date; while true; do sleep 999999; done; + command: + - /bin/sh + - -c + - -- + image: busybox:latest + imagePullPolicy: IfNotPresent + name: print-completion-time + resources: + limits: + cpu: 5m + memory: 500Mi + requests: + cpu: 5m + memory: 100Mi + initContainers: + - env: + - name: VAULT_ADDR + valueFrom: + configMapKeyRef: + key: VAULT_ADDR + name: app-cm + - name: VAULT_ROLE + valueFrom: + configMapKeyRef: + key: VAULT_ROLE + name: app-cm + - name: TOKEN_DEST_PATH + value: /vault-auth-secrets/secrets/.vault-token + - name: ACCESSOR_DEST_PATH + value: /vault-auth-secrets/secrets/.vault-accessor + image: edxops/vault-kubernetes-authenticator:latest + imagePullPolicy: IfNotPresent + name: vault-authenticator + volumeMounts: + - mountPath: /vault-auth-secrets/secrets + name: vault-auth-secrets + - command: + - /bin/sh + - -c + - | + set -xe + /bin/consul-template -config /app-cm/vault.hcl -template "/app-cm/{{ .Values.app.secret_file_name }}:/vault-api-secrets/secrets/{{ .Values.app.secret_file_name }}" -once + /bin/consul-template -config /app-cm/vault.hcl -template "/app-cm/secret.env:/vault-api-secrets/secrets/secret.env" -once + env: + - name: VAULT_ADDR + valueFrom: + configMapKeyRef: + key: VAULT_ADDR + name: app-cm + image: hashicorp/consul-template:0.20.0-light + imagePullPolicy: IfNotPresent + name: secret-render + volumeMounts: + - mountPath: /vault-auth-secrets/secrets + name: vault-auth-secrets + readOnly: true + - mountPath: /vault-api-secrets/secrets + name: vault-api-secrets + - mountPath: /app-cm + name: app-cm + - args: + - source /vault-api-secrets/secrets/secret.env && {{ .Values.collectstatic.command }} + command: + - /bin/bash + - -c + - -- + env: + - name: {{ .Values.app.secret_file_env_name }} + value: /vault-api-secrets/secrets/{{ .Values.app.secret_file_name }} + - name: NEW_RELIC_APP_NAME + valueFrom: + configMapKeyRef: + key: NEW_RELIC_APP_NAME + name: app-cm + - name: NEW_RELIC_LOG_LEVEL + valueFrom: + configMapKeyRef: + key: NEW_RELIC_LOG_LEVEL + name: app-cm + - name: NEW_RELIC_LICENSE_KEY + value: Secret value filled in from secrets.env + {{- range $env := .Values.app.extraEnvs }} + - name: {{ $env.name }} + value: {{ $env.value }} + {{- end }} + image: {{ .Values.app.image.repository }}:{{ .Values.app.image.tag }} + imagePullPolicy: Always + name: run-collectstatic + resources: + limits: + cpu: 5m + memory: 500Mi + requests: + cpu: 5m + memory: 100Mi + volumeMounts: + - mountPath: /vault-api-secrets/secrets + name: vault-api-secrets + readOnly: true + - mountPath: /tmp/static + name: app-static + readOnly: false + - args: + - '[[ -n "${S3_ASSET_BUCKET}" ]] && aws s3 sync /tmp/static $S3_ASSET_BUCKET' + command: + - /bin/bash + - -c + - -- + env: + - name: {{ .Values.app.secret_file_env_name }} + value: /vault-api-secrets/secrets/{{ .Values.app.secret_file_name }} + - name: NEW_RELIC_APP_NAME + valueFrom: + configMapKeyRef: + key: NEW_RELIC_APP_NAME + name: app-cm + - name: NEW_RELIC_LOG_LEVEL + valueFrom: + configMapKeyRef: + key: NEW_RELIC_LOG_LEVEL + name: app-cm + - name: NEW_RELIC_LICENSE_KEY + value: Secret value filled in from secrets.env + - name: S3_ASSET_BUCKET + valueFrom: + configMapKeyRef: + key: S3_ASSET_BUCKET + name: app-cm + {{- range $env := .Values.app.extraEnvs }} + - name: {{ $env.name }} + value: {{ $env.value }} + {{- end }} + image: 257477529851.dkr.ecr.us-east-1.amazonaws.com/k8s-cli-utils:latest + imagePullPolicy: IfNotPresent + name: s3-upload + volumeMounts: + - mountPath: /vault-api-secrets/secrets + name: vault-api-secrets + readOnly: true + - mountPath: /tmp/static + name: app-static + readOnly: true + securityContext: + fsGroup: 999 + runAsGroup: 999 + runAsUser: 999 + serviceAccountName: {{ .Values.collectstatic.job_name }} + volumes: + - emptyDir: + medium: Memory + name: vault-auth-secrets + - emptyDir: + medium: Memory + name: vault-api-secrets + - configMap: + name: app-cm + name: app-cm + - emptyDir: + medium: Memory + name: app-static +{{ end }} diff --git a/charts/templates/collectstatic-sa.yaml b/charts/templates/collectstatic-sa.yaml new file mode 100644 index 00000000..e92a5e9c --- /dev/null +++ b/charts/templates/collectstatic-sa.yaml @@ -0,0 +1,9 @@ +{{ if .Values.collectstatic.enabled }} +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + annotations: + eks.amazonaws.com/role-arn: {{ .Values.collectstatic.asset_write_role }} + name: {{ .Values.collectstatic.job_name }} +{{ end }} diff --git a/charts/templates/configmap.yaml b/charts/templates/configmap.yaml new file mode 100644 index 00000000..970d1659 --- /dev/null +++ b/charts/templates/configmap.yaml @@ -0,0 +1,47 @@ +--- +kind: ConfigMap +metadata: + annotations: {} + labels: {} + name: app-cm +apiVersion: v1 +data: + {{- if .Values.app.migrations.enabled }} + {{ .Values.app.migrations.migrate_db_user_env_name }}: {{ .Values.app.migrations.database_migrate_user }} + {{- end }} + NEW_RELIC_APP_NAME: {{ .Values.newrelic.app_name }} + NEW_RELIC_LOG_LEVEL: {{ .Values.newrelic.log_level }} + S3_ASSET_BUCKET: {{ .Values.collectstatic.s3_bucket }} + VAULT_ADDR: {{ .Values.vault.vault_addr }} + VAULT_ROLE: {{ .Values.vault.vault_role }} + {{ .Values.app.secret_file_name }}: | + --- + {{"{{"}} with secret "{{ .Values.vault.secret_name }}?version={{ .Values.vault.secret_version }}" {{"}}"}} +{{ toYaml .Values.app.config | indent 4}} + {{"{{"}} end {{"}}"}} + migrate.env: |+ + #!/bin/bash + {{"{{"}} with secret "{{ .Values.vault.secret_name }}?version={{ .Values.vault.secret_version }}" {{"}}"}} + export {{ .Values.app.migrations.migrate_db_pass_env_name }}={{"$'{{"}} .Data.data.{{ .Values.app.migrations.migrate_db_pass_env_name }} | replaceAll "\\" "\\\\" | replaceAll "'" "\\'" {{"}}'"}} + {{"{{"}} end {{"}}"}} + + secret.env: | + #!/bin/bash + export NEW_RELIC_LICENSE_KEY={{"{{"}} with secret "{{ .Values.vault.secret_name }}?version={{ .Values.vault.secret_version }}" {{"}}"}}{{"{{"}} .Data.data.NEW_RELIC_LICENSE_KEY {{"}}"}}{{"{{"}} end {{"}}"}} +{{ if .Values.vault.use_tls }} + vault.hcl: | + "vault" = { + "vault_agent_token_file" = "/vault-auth-secrets/secrets/.vault-token" + ssl { + enabled = true + verify = true + ca_cert = "/etc/ssl/cert.pem" + } + } +{{ else }} + vault.hcl: | + "vault" = { + "vault_agent_token_file" = "/vault-auth-secrets/secrets/.vault-token" + } +{{ end }} + diff --git a/charts/templates/cronjobs.yaml b/charts/templates/cronjobs.yaml new file mode 100644 index 00000000..63ad0620 --- /dev/null +++ b/charts/templates/cronjobs.yaml @@ -0,0 +1,121 @@ +{{- range .Values.cronjobs }} +{{- $job := . -}} +{{- with $ }} +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: {{ $job.name }} +spec: + concurrencyPolicy: Forbid + schedule: "{{ $job.schedule }}" + jobTemplate: + spec: + template: + spec: + containers: + - args: + - "source /vault-api-secrets/secrets/secret.env && \ + exec {{ if $.Values.newrelic.enabled }}newrelic-admin run-program{{ end }} \ + {{ regexReplaceAll "^\"|\"$" (quote $job.command) "" }}" + command: + - /bin/bash + - -c + - -- + env: + - name: {{ .Values.app.secret_file_env_name }} + value: /vault-api-secrets/secrets/{{ .Values.app.secret_file_name }} + - name: NEW_RELIC_APP_NAME + valueFrom: + configMapKeyRef: + key: NEW_RELIC_APP_NAME + name: app-cm + - name: NEW_RELIC_LOG_LEVEL + valueFrom: + configMapKeyRef: + key: NEW_RELIC_LOG_LEVEL + name: app-cm + - name: NEW_RELIC_LICENSE_KEY + value: Secret value filled in from secrets.env + {{- range $env := .Values.app.extraEnvs }} + - name: {{ $env.name }} + value: {{ $env.value }} + {{- end }} + image: {{ .Values.app.image.repository }}:{{ .Values.app.image.tag }} + imagePullPolicy: Always + name: {{ $job.name }} + resources: + limits: + cpu: {{ (($job.resources).limits).cpu | default "100m" }} + memory: {{ (($job.resources).limits).memory | default "1Gi" }} + requests: + cpu: {{ (($job.resources).requests).cpu | default "25m" }} + memory: {{ (($job.resources).requests).memory | default "512Mi" }} + volumeMounts: + - mountPath: /vault-api-secrets/secrets + name: vault-api-secrets + readOnly: true + initContainers: + - env: + - name: VAULT_ADDR + valueFrom: + configMapKeyRef: + key: VAULT_ADDR + name: app-cm + - name: VAULT_ROLE + valueFrom: + configMapKeyRef: + key: VAULT_ROLE + name: app-cm + - name: TOKEN_DEST_PATH + value: /vault-auth-secrets/secrets/.vault-token + - name: ACCESSOR_DEST_PATH + value: /vault-auth-secrets/secrets/.vault-accessor + image: edxops/vault-kubernetes-authenticator:latest + imagePullPolicy: IfNotPresent + name: vault-authenticator + volumeMounts: + - mountPath: /vault-auth-secrets/secrets + name: vault-auth-secrets + - command: + - /bin/sh + - -c + - | + set -xe + /bin/consul-template -config /app-cm/vault.hcl -template "/app-cm/{{ .Values.app.secret_file_name }}:/vault-api-secrets/secrets/{{ .Values.app.secret_file_name }}" -once + /bin/consul-template -config /app-cm/vault.hcl -template "/app-cm/secret.env:/vault-api-secrets/secrets/secret.env" -once + env: + - name: VAULT_ADDR + valueFrom: + configMapKeyRef: + key: VAULT_ADDR + name: app-cm + image: hashicorp/consul-template:0.20.0-light + imagePullPolicy: IfNotPresent + name: secret-render + volumeMounts: + - mountPath: /vault-auth-secrets/secrets + name: vault-auth-secrets + readOnly: true + - mountPath: /vault-api-secrets/secrets + name: vault-api-secrets + - mountPath: /app-cm + name: app-cm + restartPolicy: Never + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 1000 + serviceAccountName: {{ .Values.app.service_account_name }} + volumes: + - emptyDir: + medium: Memory + name: vault-auth-secrets + - emptyDir: + medium: Memory + name: vault-api-secrets + - configMap: + name: app-cm + name: app-cm +{{- end }} +{{- end }} diff --git a/charts/templates/workers.yaml b/charts/templates/workers.yaml new file mode 100644 index 00000000..62c283d3 --- /dev/null +++ b/charts/templates/workers.yaml @@ -0,0 +1,158 @@ +{{- range .Values.workers }} +{{- $worker := . -}} +{{- with $ }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/instance: {{ $worker.name }} + app.kubernetes.io/name: {{ $worker.name }} + {{- range $key, $val := .Values.app.additionalLabels }} + {{ $key }}: {{ $val }} + {{- end}} + name: {{ $worker.name }} +spec: + revisionHistoryLimit: 1 + selector: + matchLabels: + app.kubernetes.io/instance: {{ $worker.name }} + app.kubernetes.io/name: {{ $worker.name }} + template: + metadata: + labels: + app.kubernetes.io/instance: {{ $worker.name }} + app.kubernetes.io/name: {{ $worker.name }} + {{- range $key, $val := .Values.app.additionalLabels }} + {{ $key }}: {{ $val }} + {{- end}} + annotations: + checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }} + spec: + containers: + - args: + - "source /vault-api-secrets/secrets/secret.env && \ + exec {{ if $.Values.newrelic.enabled }}newrelic-admin run-program{{ end }} \ + {{ regexReplaceAll "^\"|\"$" (quote $worker.command) "" }}" + command: + - /bin/bash + - -c + - -- + env: + - name: {{ .Values.app.secret_file_env_name }} + value: /vault-api-secrets/secrets/{{ .Values.app.secret_file_name }} + - name: NEW_RELIC_APP_NAME + valueFrom: + configMapKeyRef: + key: NEW_RELIC_APP_NAME + name: app-cm + - name: NEW_RELIC_LOG_LEVEL + valueFrom: + configMapKeyRef: + key: NEW_RELIC_LOG_LEVEL + name: app-cm + - name: NEW_RELIC_LICENSE_KEY + value: Secret value filled in from secrets.env + {{- range $env := .Values.app.extraEnvs }} + - name: {{ $env.name }} + value: {{ $env.value }} + {{- end }} + image: {{ .Values.app.image.repository }}:{{ .Values.app.image.tag }} + imagePullPolicy: Always + name: {{ $worker.name }} + resources: + limits: + cpu: {{ (($worker.resources).limits).cpu | default "125m" }} + memory: {{ (($worker.resources).limits).memory | default "2Gi" }} + requests: + cpu: {{ (($worker.resources).requests).cpu | default "25m" }} + memory: {{ (($worker.resources).requests).memory | default "512Mi" }} + volumeMounts: + - mountPath: /vault-api-secrets/secrets + name: vault-api-secrets + readOnly: true + initContainers: + - env: + - name: VAULT_ADDR + valueFrom: + configMapKeyRef: + key: VAULT_ADDR + name: app-cm + - name: VAULT_ROLE + valueFrom: + configMapKeyRef: + key: VAULT_ROLE + name: app-cm + - name: TOKEN_DEST_PATH + value: /vault-auth-secrets/secrets/.vault-token + - name: ACCESSOR_DEST_PATH + value: /vault-auth-secrets/secrets/.vault-accessor + image: edxops/vault-kubernetes-authenticator:latest + imagePullPolicy: IfNotPresent + name: vault-authenticator + volumeMounts: + - mountPath: /vault-auth-secrets/secrets + name: vault-auth-secrets + - command: + - /bin/sh + - -c + - | + set -xe + /bin/consul-template -config /app-cm/vault.hcl -template "/app-cm/{{ .Values.app.secret_file_name }}:/vault-api-secrets/secrets/{{ .Values.app.secret_file_name }}" -once + /bin/consul-template -config /app-cm/vault.hcl -template "/app-cm/secret.env:/vault-api-secrets/secrets/secret.env" -once + env: + - name: VAULT_ADDR + valueFrom: + configMapKeyRef: + key: VAULT_ADDR + name: app-cm + image: hashicorp/consul-template:0.20.0-light + imagePullPolicy: IfNotPresent + name: secret-render + volumeMounts: + - mountPath: /vault-auth-secrets/secrets + name: vault-auth-secrets + readOnly: true + - mountPath: /vault-api-secrets/secrets + name: vault-api-secrets + - mountPath: /app-cm + name: app-cm + securityContext: + fsGroup: 1000 + runAsGroup: 1000 + runAsUser: 1000 + serviceAccountName: {{ .Values.app.service_account_name }} + volumes: + - emptyDir: + medium: Memory + name: vault-auth-secrets + - emptyDir: + medium: Memory + name: vault-api-secrets + - configMap: + name: app-cm + name: app-cm + +{{ if .Values.app.autoscaling.enabled}} +--- +apiVersion: autoscaling/v1 +kind: HorizontalPodAutoscaler +metadata: + labels: + app.kubernetes.io/instance: {{ $worker.name }} + app.kubernetes.io/name: {{ $worker.name }} + {{- range $key, $val := .Values.app.additionalLabels }} + {{ $key }}: {{ $val }} + {{- end}} + name: {{ $worker.name }} +spec: + minReplicas: {{ $worker.minReplicas }} + maxReplicas: {{ $worker.maxReplicas }} + scaleTargetRef: + apiVersion: apps/v1 + kind: Deployment + name: {{ $worker.name }} + targetCPUUtilizationPercentage: {{ $worker.targetCPUUtilizationPercentage }} + {{ end }} + {{- end }} + {{- end }} diff --git a/charts/values.yaml b/charts/values.yaml new file mode 100644 index 00000000..35f1cec7 --- /dev/null +++ b/charts/values.yaml @@ -0,0 +1,130 @@ +registrar: + app: + name: registrar + role_arn: arn:aws:iam::708756755355:role/development-edx-registrar + command: 'gunicorn --workers=2 --name registrar -c /edx/app/registrar/registrar/docker_gunicorn_configuration.py --log-file - --max-requests=1000 registrar.wsgi:application' + + port: 18734 + + secret_file_env_name: REGISTRAR_CFG + secret_file_name: registrar.yml + service_account_name: registrar + migrations: + name: registrar-migrations + enabled: true + database_migrate_user: db-user + + autoscaling: + enabled: false + minReplicas: 3 + maxReplicas: 10 + targetCPUUtilizationPercentage: 50 + + health_check: + liveness_probe_initial_delay_seconds: 30 + readiness_probe_initial_delay_seconds: 30 + + # FILL-ME-IN + config: + API_ROOT: https://api.development.edx.org/registrar + BACKEND_SERVICE_EDX_OAUTH2_KEY: '{{ .Data.data.BACKEND_SERVICE_EDX_OAUTH2_KEY }}' + BACKEND_SERVICE_EDX_OAUTH2_PROVIDER_URL: https://courses.development.edx.org/oauth2 + BACKEND_SERVICE_EDX_OAUTH2_SECRET: '{{ .Data.data.BACKEND_SERVICE_EDX_OAUTH2_SECRET}}' + CACHES: + default: + BACKEND: django.core.cache.backends.memcached.MemcachedCache + KEY_PREFIX: registrar + LOCATION: + - development-edx-registrar.6sxrym.0001.use1.cache.amazonaws.com + - development-edx-registrar.6sxrym.0002.use1.cache.amazonaws.com + CELERY_ALWAYS_EAGER: false + CELERY_BROKER_HOSTNAME: edx-development-queues.6sxrym.ng.0001.use1.cache.amazonaws.com:6379 + CELERY_BROKER_PASSWORD: '' + CELERY_BROKER_TRANSPORT: redis + CELERY_BROKER_USER: '' + CELERY_BROKER_VHOST: 0 + CELERY_DEFAULT_EXCHANGE: registrar + CELERY_DEFAULT_QUEUE: registrar.default + CELERY_DEFAULT_ROUTING_KEY: registrar + CORS_ORIGIN_WHITELIST: + - https://development-edx-registrar.edx.org + - https://registrar.development.edx.org + - https://program-console.development.edx.org + CSRF_COOKIE_SECURE: true + CSRF_TRUSTED_ORIGINS: + - .edx.org + CSRF_TRUSTED_ORIGINS_WITH_SCHEMES: + - https://*.edx.org + DATABASES: + default: + ATOMIC_REQUESTS: false + CONN_MAX_AGE: 60 + ENGINE: django.db.backends.mysql + HOST: mysql.mysql + NAME: db + OPTIONS: + connect_timeout: 10 + init_command: SET sql_mode='STRICT_TRANS_TABLES' + PASSWORD: '{{ .Data.data.DATABASE_DEFAULT_PASSWORD }}' + PORT: '3306' + USER: db-user + DISCOVERY_BASE_URL: https://discovery.development.edx.org + EDX_DRF_EXTENSIONS: + OAUTH2_USER_INFO_URL: https://courses.development.edx.org/oauth2/user_info + JWT_AUTH: + JWT_AUTH_COOKIE_HEADER_PAYLOAD: development-edx-jwt-cookie-header-payload + JWT_AUTH_COOKIE_SIGNATURE: development-edx-jwt-cookie-signature + JWT_ISSUERS: + - AUDIENCE: '{{ .Data.data.JWT_ISSUERS_0_AUDIENCE }}' + ISSUER: https://courses.development.edx.org/oauth2 + SECRET_KEY: '{{ .Data.data.JWT_ISSUERS_0_SECRET_KEY }}' + JWT_PUBLIC_SIGNING_JWK_SET: '{"keys": [{"n": "hcm7899L5XQ6AVNYwNo3Yu-rx47f0FMAN3am6WgurbDulrcCIfhyTivzpnuOY0W-2tntlR51j4hHzywSSCqdOgG1MZLfVSJwVpVUhd9ROLuIRbifXyRJ1_d7C_L3YZdyYqFY7k8W5f62UqCePxVCh-zCKtkfjCJkhRujgDw4YeL63j80We48T0LYK5ZSRBOEj2N4fjbzsi9T2d1qCBaLvXwgYzMnUTc8mch6JMP8HWsrgqV4kkPyP3il_IgRARV5BF5cdJbUg2-__5QirmLF16xl9j0vo9yLyBnqlYZXWYjFOECI7FatHLGQDT5TopXWT4YF82_aZSNuIQUoDY8hDQ", + "kty": "RSA", "e": "AQAB", "kid": "lmsdevelopment002"}]}' + LMS_BASE_URL: https://courses.development.edx.org + MEDIA_STORAGE_BACKEND: + AWS_DEFAULT_ACL: null + AWS_LOCATION: '' + AWS_QUERYSTRING_AUTH: true + AWS_QUERYSTRING_EXPIRE: 3600 + DEFAULT_FILE_STORAGE: storages.backends.s3boto3.S3Boto3Storage + REGISTRAR_BUCKET: development-edx-registrar + PROGRAM_REPORTS_BUCKET: development-edx-program-reports + REGISTRAR_SERVICE_USER: registrar_service_user + SECRET_KEY: '{{ .Data.data.SECRET_KEY }}' + SEGMENT_KEY: '{{ .Data.data.SEGMENT_KEY }}' + SESSION_COOKIE_SECURE: true + SOCIAL_AUTH_EDX_OAUTH2_ISSUER: https://courses.development.edx.org + SOCIAL_AUTH_EDX_OAUTH2_KEY: '{{ .Data.data.SOCIAL_AUTH_EDX_OAUTH2_KEY }}' + SOCIAL_AUTH_EDX_OAUTH2_LOGOUT_URL: https://courses.development.edx.org/logout + SOCIAL_AUTH_EDX_OAUTH2_SECRET: '{{ .Data.data.SOCIAL_AUTH_EDX_OAUTH2_SECRET }}' + SOCIAL_AUTH_EDX_OAUTH2_URL_ROOT: https://courses.development.edx.org + STATIC_ROOT: /tmp/static + + workers: [] + # - name: registrar-worker + # command: celery -A registrar worker --loglevel info + # minReplicas: 3 + # maxReplicas: 6 + # targetCPUUtilizationPercentage: 100 + + newrelic: + enabled: false + app_name: development-edx-registrar + log_level: info + + collectstatic: + enabled: false + + vault: + enabled: true + vault_role: registrar + vault_addr: http://development-vault.vault:8200 + secret_name: kv/registrar + secret_version: 1 + + ingresses: + - host: registrar-eks.development.edx.org + class: nginx + issuer: selfsigning-issuer + + cronjobs: [] diff --git a/devspace.yaml b/devspace.yaml new file mode 100644 index 00000000..5d09341a --- /dev/null +++ b/devspace.yaml @@ -0,0 +1,98 @@ +version: v2beta1 +name: registrargit + +# This is a list of `pipelines` that DevSpace can execute (you can define your own) +pipelines: + # This is the pipeline for the main command: `devspace dev` (or `devspace run-pipeline dev`) + dev: + run: |- + run_dependencies --all # 1. Deploy any projects this project needs (see "dependencies") + ensure_pull_secrets --all # 2. Ensure pull secrets + create_deployments --all # 3. Deploy Helm charts and manifests specfied as "deployments" + start_dev app # 4. Start dev mode "app" (see "dev" section) + # You can run this pipeline via `devspace deploy` (or `devspace run-pipeline deploy`) + deploy: + run: |- + run_dependencies --all # 1. Deploy any projects this project needs (see "dependencies") + ensure_pull_secrets --all # 2. Ensure pull secrets + build_images --all -t $(git describe --always) # 3. Build, tag (git commit hash) and push all images (see "images") + create_deployments --all # 4. Deploy Helm charts and manifests specfied as "deployments" + +# This is a list of `images` that DevSpace can build for this project +# We recommend to skip image building during development (devspace dev) as much as possible +images: + app: + image: edxops/registrar + dockerfile: ./Dockerfile + +# This is a list of `deployments` that DevSpace can create for this project +deployments: + app: + # This deployment uses `helm` but you can also define `kubectl` deployments or kustomizations + helm: + # We are deploying this project with the Helm chart you provided + chart: + name: .devspace/chart-repo/argocd/applications/registrar + # Under `values` we can define the values for this Helm chart used during `helm install/upgrade` + # You may also use `valuesFiles` to load values from files, e.g. valuesFiles: ["values.yaml"] + valuesFiles: + - ./charts/development-config.yaml + vault: + helm: + chart: + name: .devspace/chart-repo/argocd/applications/vault + valuesFiles: + - .devspace/chart-repo/argocd/applications/vault/development.yaml + + vault-bootstrapper: + kubectl: + kustomize: true + manifests: + - ./vault-development-bootstrapper/ + +# This is a list of `dev` containers that are based on the containers created by your deployments +dev: + app: + # Search for the container that runs this image + imageSelector: edxops/registrar + # Sync files between the local filesystem and the development container + sync: + - path: ./ + uploadExcludeFile: .dockerignore + # Open a terminal and use the following command to start it + terminal: + command: ./devspace_start.sh + # Inject a lightweight SSH server into the container (so your IDE can connect to the remote dev env) + ssh: + enabled: true + # Make the following commands from my local machine available inside the dev container + proxyCommands: + - command: devspace + - command: kubectl + - command: helm + - gitCredentials: true + # Forward the following ports to be able access your application via localhost + ports: + - port: "18734" + # Open the following URLs once they return an HTTP status code other than 502 or 503 + open: + - url: http://localhost:18734 + +# Use the `commands` section to define repeatable dev workflows for this project +commands: + migrate-db: + command: |- + echo 'This is a cross-platform, shared command that can be used to codify any kind of dev task.' + echo 'Anyone using this project can invoke it via "devspace run migrate-db"' +hooks: + - events: + - before:deploy + command: if [ -d '.devspace/chart-repo/.git' ]; then cd ".devspace/chart-repo" && git pull origin master; else mkdir -p .devspace/chart-repo; git clone --single-branch --branch master git@github.com:edx/edx-internal.git .devspace/chart-repo; fi + +# Define dependencies to other projects with a devspace.yaml +# dependencies: +# api: +# git: https://... # Git-based dependencies +# tag: v1.0.0 +# ui: +# path: ./ui # Path-based dependencies (for monorepos) diff --git a/devspace_start.sh b/devspace_start.sh new file mode 100755 index 00000000..d681506b --- /dev/null +++ b/devspace_start.sh @@ -0,0 +1,36 @@ +#!/bin/bash +set +e # Continue on errors + +COLOR_BLUE="\033[0;94m" +COLOR_GREEN="\033[0;92m" +COLOR_RESET="\033[0m" + +# Print useful output for user +echo -e "${COLOR_BLUE} + %########% + %###########% ____ _____ + %#########% | _ \ ___ __ __ / ___/ ____ ____ ____ ___ + %#########% | | | | / _ \\\\\ \ / / \___ \ | _ \ / _ | / __// _ \\ + %#############% | |_| |( __/ \ V / ____) )| |_) )( (_| |( (__( __/ + %#############% |____/ \___| \_/ \____/ | __/ \__,_| \___\\\\\___| + %###############% |_| + %###########%${COLOR_RESET} + + +Welcome to your development container! + +This is how you can work with it: +- Files will be synchronized between your local machine and this container +- Some ports will be forwarded, so you can access this container via localhost +- Run \`${COLOR_GREEN}python main.py${COLOR_RESET}\` to start the application +" + +# Set terminal prompt +export PS1="\[${COLOR_BLUE}\]devspace\[${COLOR_RESET}\] ./\W \[${COLOR_BLUE}\]\\$\[${COLOR_RESET}\] " +if [ -z "$BASH" ]; then export PS1="$ "; fi + +# Include project's bin/ folder in PATH +export PATH="./bin:$PATH" + +# Open shell +bash --norc diff --git a/vault-development-bootstrapper/README b/vault-development-bootstrapper/README new file mode 100644 index 00000000..4633c87e --- /dev/null +++ b/vault-development-bootstrapper/README @@ -0,0 +1,3 @@ +This just enables the K8s auth method the same way a cluster administrator would do in a real cluster. + +Intended for use in the development stack for parity with production clusters which will have already been bootstrapped. diff --git a/vault-development-bootstrapper/install/kustomization.yaml b/vault-development-bootstrapper/install/kustomization.yaml new file mode 100644 index 00000000..4699e4a2 --- /dev/null +++ b/vault-development-bootstrapper/install/kustomization.yaml @@ -0,0 +1,3 @@ +resources: + - pipeline.yaml +namespace: argocd diff --git a/vault-development-bootstrapper/install/pipeline.yaml b/vault-development-bootstrapper/install/pipeline.yaml new file mode 100644 index 00000000..158a7751 --- /dev/null +++ b/vault-development-bootstrapper/install/pipeline.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: vault-development-bootstrapper +spec: + destination: + namespace: vault-development-bootstrapper + server: https://kubernetes.default.svc + project: default + source: + path: argocd/applications/vault-development-bootstrapper + repoURL: git@github.com:edx/edx-internal.git + targetRevision: HEAD + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/vault-development-bootstrapper/kustomization.yaml b/vault-development-bootstrapper/kustomization.yaml new file mode 100644 index 00000000..a5c12b61 --- /dev/null +++ b/vault-development-bootstrapper/kustomization.yaml @@ -0,0 +1,3 @@ +resources: +- vault-development-bootstrapper-cm.yaml +- vault-development-bootstrapper.yaml diff --git a/vault-development-bootstrapper/vault-development-bootstrapper-cm.yaml b/vault-development-bootstrapper/vault-development-bootstrapper-cm.yaml new file mode 100644 index 00000000..b8fad48d --- /dev/null +++ b/vault-development-bootstrapper/vault-development-bootstrapper-cm.yaml @@ -0,0 +1,227 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: vault-development-bootstrapper-cm + namespace: registrar +data: + start.sh: | + #!/bin/sh + + export VAULT_ADDR=http://localhost:8200 + + # I return a 130 when vault isnt initialized + # but my output is useful for debugging + vault status + + if vault status | grep Initialized | grep false ; then + + # Now that I wont get the 130 + set -ex + + echo "Initializing vault..." + vault operator init -key-threshold=1 -key-shares=1 | tee bootstrap_secrets + export VAULT_TOKEN=$(cat bootstrap_secrets | grep 'Initial Root Token' | cut -d ' ' -f4) + export UNSEAL_KEY_1=$(cat bootstrap_secrets | grep 'Unseal Key 1' | cut -d ' ' -f4) + + # If you are doing this for real dont inline these + # but this is a development environment + vault operator unseal $UNSEAL_KEY_1 + + if ! vault auth list | grep kubernetes ; then + vault auth enable kubernetes + fi + + if ! vault auth list | grep approle ; then + vault auth enable approle + fi + + export SA_JWT_TOKEN=$(cat /run/secrets/kubernetes.io/serviceaccount/token) + export SA_CA_CRT=$(cat /run/secrets/kubernetes.io/serviceaccount/ca.crt) + export KUBERNETES_URL=https://kubernetes.default.svc + + vault write auth/kubernetes/config token_reviewer_jwt="$SA_JWT_TOKEN" kubernetes_host="$KUBERNETES_URL:443" kubernetes_ca_cert="$SA_CA_CRT" disable_iss_validation=true + vault secrets disable secret/ + + vault policy write vault-acl-job-policy /vault-development-bootstrapper-cm/vault-acl-job-policy.hcl + vault write auth/kubernetes/role/vault-acl-job bound_service_account_names=vault-acl-job bound_service_account_namespaces=vault policies=vault-acl-job-policy ttl=1h + vault policy write argocd /vault-development-bootstrapper-cm/argocd-policy.hcl + vault write auth/kubernetes/role/argocd bound_service_account_names=argocd-repo-server bound_service_account_namespaces=argocd policies=argocd ttl=1h + /vault-development-bootstrapper-cm/secrets.sh + + + set +ex + echo "\n\n\n\n\n" + echo "Unseal key is: $UNSEAL_KEY_1" + + echo "" + echo "Root token is: $VAULT_TOKEN" + echo "" + + echo "Write these down for the lifetime of this cluster, if you lose the unseal key you will need to rebootstrap" + + else + echo "Skipping initialization of vault..." + fi + + secrets.sh: | + #!/bin/sh -x + + if ! vault secrets list | grep 'kv/' | grep kv; then + vault secrets enable -path=kv kv-v2 + fi + + vault kv put kv/asg-metrics-and-alarms opsgenie_api_key=def456 + vault kv put kv/atlantis ATLANTIS_GH_TOKEN=AAAAA ATLANTIS_GH_WEBHOOK_SECRET=AAAAA TF_VAR_newrelic_edx_api_key=AAAAA TF_VAR_newrelic_mckinsey_api_key=AAAA TF_VAR_snowflake_password=AAAAA TF_VAR_opsgenie_api_key=OPSGENIEDUMMY TF_VAR_CLOUDFLARE_API_KEY=AAAAA CLOUDFLARE_ACCOUNT_ID=AAAAA + vault kv put kv/celery-monitoring opsgenie_api_key=abc123 + vault kv put kv/elb-tls-policy-management opsgenie_api_key=abc123 + vault kv put kv/commerce-coordinator BACKEND_SERVICE_EDX_OAUTH2_KEY=commerce-coordinator-backend-service-key BACKEND_SERVICE_EDX_OAUTH2_SECRET=commerce-coordinator-backend-service-secret JWT_ISSUERS_0_SECRET_KEY=aaaa JWT_ISSUERS_0_AUDIENCE=bbb SECRET_KEY=cccc DATABASE_DEFAULT_PASSWORD=db-pass DB_MIGRATION_PASS=db-pass SOCIAL_AUTH_EDX_OAUTH2_KEY=aaaaaaaaa SOCIAL_AUTH_EDX_OAUTH2_SECRET=ccccccccc NEW_RELIC_LICENSE_KEY=uuuuuuuuuuu + vault kv put kv/demographics BACKEND_SERVICE_EDX_OAUTH2_KEY=demographics-backend-service-key BACKEND_SERVICE_EDX_OAUTH2_SECRET=demographics-backend-service-secret JWT_ISSUERS_SECRET_KEY=aaaa SOCIAL_AUTH_EDX_OAUTH2_KEY=bbb SOCIAL_AUTH_EDX_OAUTH2_SECRET=cccc NEW_RELIC_LICENSE_KEY=uuuuuuuuuuu DATABASE_DEFAULT_PASSWORD=db-pass DB_MIGRATION_PASS=db-pass + vault kv put kv/edx-notes-api CLIENT_ID=aaaaaaa CLIENT_SECRET=bbbbbbb SECRET_KEY=ccccccccc NEW_RELIC_LICENSE_KEY=uuuuuuuuuuu DATABASE_DEFAULT_PASSWORD=db-pass DB_MIGRATION_PASS=db-pass + vault kv put kv/edx-platform CLIENT_ID=aaaaaaa CLIENT_SECRET=bbbbbbb SECRET_KEY=ccccccccc NEW_RELIC_LICENSE_KEY=uuuuuuuuuuu DATABASE_DEFAULT_PASSWORD=db-pass DB_MIGRATION_PASS=db-pass + vault kv put kv/argo-workflows/postgresql username=argo_workflows password=argoworkflows + # The SSH key below is the same deploy key dev ArgoCD uses to pull stuff from edx-internal, so it's safe enough to use here + vault kv put kv/gocd GOCD_USERNAME=admin GOCD_PASSWORD=admin GOCD_PRIVATE_KEY=\ + "-----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEAqztt7hpUgwH5SOC8ozrKU8yn3aslkKH6J8usICs8cE4nQm4S + 9nIr7bf27QKPvFieE/PM+VLFi1Dl6O3f4fe/zaQ4m0vF+VL4C0ZtDnwV9dUSjVU0 + oH6nNVLgC9oMwP9iq1W/I97e88RzJSoi2/Ys5i0JmyXgAm/HVA+B0jubeGe0ZfOx + zKJGzV5j4kTkcI/pC0AMPzys7gqXSLyDpk3X9yb7rmVQvPdBysPNx2cJKPUZarSn + d67jbK/jYNdmlbXs3iHpynjQuVz6JuqtA5iaT34tt0+JATZIZlST4k94Ta+uEcfF + Pt+DnKSnHoewSahpQw29THHalhYgB753LCnzqwIDAQABAoIBAFZL9EIsqO0BoKX3 + BXrqVS/Yk71m1N7Ik29c+VmZELO035peKVZlAfijX2HhiZktvDVoCKSa744f7k7v + G4chulukaRbzIEpgYzwjeTD0noivotLx3z0Ht7NrGhk/AnB+BTc+Vr94Qjruhe10 + B+99aPF0P0Qe2X/A399glVfjzJ3oKrIjw6aaML7AW+JGMCjDuhE5WoIqbTsL9fAf + s797tIWJOK5aMvgdx4esNWS55p6RmkP9gT1EayF4YctiASFRcgFgMTqtRUph+iXS + BTDlNbSS1tqykM67zDDMPAIMmiPv0nIJTsLggWFokaK0h5aXpBx3VpVpdyDY0SEl + ZhfxAgECgYEA3KHHBLlUJ9LMj/fW7VXPln0DYGsjQ8FAFSWTubgZm49YdUViCaiO + Lt7Fu9mqTZrx9Gq7pVOg04H1bFXhnbchYgVYC9+JFO8aPGUsXlZSMMcUs8lH6zHp + JbXXVC6bv0mqmuyrG71V3W49TepogpN4+05buMxSBAcanFRrfqWemQECgYEAxq5m + KElWQ63aDWAAFklDtP2etnNmtsGml2ef503wH0i0dSEaJc2h5cMr1H0luMi4/ItH + ac8f7LLDjfqpa441RnSZwsx+zh+SQJFqg4O0YBwPUuaKDNZPocA2Vq5HjzA7AGuT + eaTDSiJEMsnnbss8DNCOzjNYTForUEg+Qkd5wKsCgYAOaKJOtKvCTgn9/PmUVl5Q + PanSyixraFt/Bg03u8YwWpQ0VGuqpc9jUDkpo3VzzAKxK6dFjMicB4i3ooQxgJw1 + gpPVcqvJKjRUbWcQYiLL/LRlaWfA/Gl1hQKjBMg3HeB+baZfEWZiJ6jpRb29iVQF + VYC3+OACU1RxkTHT+4z4AQKBgQCJPjl1RMuhLru8l38X5f4uTS/QisD+J6EDX2KW + 7kCb66Y0buxYBsb6JyrkuppPHeCjGzb2gUxlPktVjTxw/qgQhkUcyhQiIK7viUPR + my4DYf633maoXXZenp8qm3L1F3T6YlVaJxV75VXE27HR1/QgSgULrW4mN/dJms3f + DO6uxwKBgAl6kssIAAE2cQ+VkyZMoeylEfkQey4g/6QFmLWskl4Sep12X/+nPN/g + YAJsovB6bQbLOhKJjzgiVDRWwWhlXfM5wGOZviPPxZYKlt4Y8A3vpPGtn9fEFs6V + YZ1D3Qcu8O0rQ19C1W+A030ITkuIXBQefgPL7AyEc8tQpFHY5M// + -----END RSA PRIVATE KEY-----" + # The SSH key below is the same deploy key dev ArgoCD uses to pull stuff from edx-internal, so it's safe enough to use here + vault kv put kv/test-gocd GOCD_USERNAME=admin GOCD_PASSWORD=admin GOCD_PRIVATE_KEY=\ + "-----BEGIN RSA PRIVATE KEY----- + MIIEowIBAAKCAQEAqztt7hpUgwH5SOC8ozrKU8yn3aslkKH6J8usICs8cE4nQm4S + 9nIr7bf27QKPvFieE/PM+VLFi1Dl6O3f4fe/zaQ4m0vF+VL4C0ZtDnwV9dUSjVU0 + oH6nNVLgC9oMwP9iq1W/I97e88RzJSoi2/Ys5i0JmyXgAm/HVA+B0jubeGe0ZfOx + zKJGzV5j4kTkcI/pC0AMPzys7gqXSLyDpk3X9yb7rmVQvPdBysPNx2cJKPUZarSn + d67jbK/jYNdmlbXs3iHpynjQuVz6JuqtA5iaT34tt0+JATZIZlST4k94Ta+uEcfF + Pt+DnKSnHoewSahpQw29THHalhYgB753LCnzqwIDAQABAoIBAFZL9EIsqO0BoKX3 + BXrqVS/Yk71m1N7Ik29c+VmZELO035peKVZlAfijX2HhiZktvDVoCKSa744f7k7v + G4chulukaRbzIEpgYzwjeTD0noivotLx3z0Ht7NrGhk/AnB+BTc+Vr94Qjruhe10 + B+99aPF0P0Qe2X/A399glVfjzJ3oKrIjw6aaML7AW+JGMCjDuhE5WoIqbTsL9fAf + s797tIWJOK5aMvgdx4esNWS55p6RmkP9gT1EayF4YctiASFRcgFgMTqtRUph+iXS + BTDlNbSS1tqykM67zDDMPAIMmiPv0nIJTsLggWFokaK0h5aXpBx3VpVpdyDY0SEl + ZhfxAgECgYEA3KHHBLlUJ9LMj/fW7VXPln0DYGsjQ8FAFSWTubgZm49YdUViCaiO + Lt7Fu9mqTZrx9Gq7pVOg04H1bFXhnbchYgVYC9+JFO8aPGUsXlZSMMcUs8lH6zHp + JbXXVC6bv0mqmuyrG71V3W49TepogpN4+05buMxSBAcanFRrfqWemQECgYEAxq5m + KElWQ63aDWAAFklDtP2etnNmtsGml2ef503wH0i0dSEaJc2h5cMr1H0luMi4/ItH + ac8f7LLDjfqpa441RnSZwsx+zh+SQJFqg4O0YBwPUuaKDNZPocA2Vq5HjzA7AGuT + eaTDSiJEMsnnbss8DNCOzjNYTForUEg+Qkd5wKsCgYAOaKJOtKvCTgn9/PmUVl5Q + PanSyixraFt/Bg03u8YwWpQ0VGuqpc9jUDkpo3VzzAKxK6dFjMicB4i3ooQxgJw1 + gpPVcqvJKjRUbWcQYiLL/LRlaWfA/Gl1hQKjBMg3HeB+baZfEWZiJ6jpRb29iVQF + VYC3+OACU1RxkTHT+4z4AQKBgQCJPjl1RMuhLru8l38X5f4uTS/QisD+J6EDX2KW + 7kCb66Y0buxYBsb6JyrkuppPHeCjGzb2gUxlPktVjTxw/qgQhkUcyhQiIK7viUPR + my4DYf633maoXXZenp8qm3L1F3T6YlVaJxV75VXE27HR1/QgSgULrW4mN/dJms3f + DO6uxwKBgAl6kssIAAE2cQ+VkyZMoeylEfkQey4g/6QFmLWskl4Sep12X/+nPN/g + YAJsovB6bQbLOhKJjzgiVDRWwWhlXfM5wGOZviPPxZYKlt4Y8A3vpPGtn9fEFs6V + YZ1D3Qcu8O0rQ19C1W+A030ITkuIXBQefgPL7AyEc8tQpFHY5M// + -----END RSA PRIVATE KEY-----" + vault kv put kv/gocd-monitor username=example_user password=example_password + vault kv put kv/gocd-pipelines-sre-managed EDGE_ASGARD_API_TOKEN=someedgetoken EDX_ASGARD_API_TOKEN=someedxtoken + vault kv put kv/license-manager CLIENT_ID=kkkkkkk CLIENT_SECRET=lllllll BACKEND_SERVICE_EDX_OAUTH2_KEY=license-manager-backend-service-key BACKEND_SERVICE_EDX_OAUTH2_SECRET=license-manager-backend-service-secret JWT_ISSUERS_SECRET_KEY=aaaa SOCIAL_AUTH_EDX_OAUTH2_KEY=bbb SOCIAL_AUTH_EDX_OAUTH2_SECRET=cccc NEW_RELIC_LICENSE_KEY=uuuuuuuuuuu DATABASE_DEFAULT_PASSWORD=db-pass DB_MIGRATION_PASS=db-pass + vault kv put kv/newrelic NRIA_LICENSE_KEY=ffffff + vault kv put kv/newrelic-minions MINION_PRIVATE_LOCATION_KEY=fake_key + vault kv put kv/newrelic-logging NEW_RELIC_LICENSE_KEY=ooooooooooooo + vault kv put kv/prefect PREFECT_CLOUD_AGENT_TOKEN=jjjjjjjjjjjjjj + vault kv put kv/registrar BACKEND_SERVICE_EDX_OAUTH2_KEY=registrar-backend-service-key BACKEND_SERVICE_EDX_OAUTH2_SECRET=registrar-backend-service-secret JWT_ISSUERS_0_SECRET_KEY=aaaa JWT_ISSUERS_0_AUDIENCE=bbb SECRET_KEY=cccc SEGMENT_KEY=uuuuuuuuuuu DATABASE_DEFAULT_PASSWORD=db-pass DB_MIGRATION_PASS=db-pass SOCIAL_AUTH_EDX_OAUTH2_KEY=aaaaaaaaa SOCIAL_AUTH_EDX_OAUTH2_SECRET=ccccccccc NEW_RELIC_LICENSE_KEY=uuuuuuuuuuu + vault kv put kv/splunk-connect splunk_hec_token=zzzzzz + vault kv put kv/taxonomy CLIENT_ID=kkkkkkk CLIENT_SECRET=lllllll BACKEND_SERVICE_EDX_OAUTH2_KEY=license-manager-backend-service-key BACKEND_SERVICE_EDX_OAUTH2_SECRET=license-manager-backend-service-secret JWT_ISSUERS_SECRET_KEY=aaaa SOCIAL_AUTH_EDX_OAUTH2_KEY=bbb SOCIAL_AUTH_EDX_OAUTH2_SECRET=cccc NEW_RELIC_LICENSE_KEY=uuuuuuuuuuu DATABASE_DEFAULT_PASSWORD=db-pass DB_MIGRATION_PASS=db-pass + vault kv put kv/video-encode-manager CLIENT_ID=aaaaaaa CLIENT_SECRET=bbbbbbb SECRET_KEY=ccccccccc NEW_RELIC_LICENSE_KEY=uuuuuuuuuuu DATABASE_DEFAULT_PASSWORD=db-pass DATABASE_MIGRATE_PASSWORD=db-pass DB_MIGRATION_PASS=db-pass + vault kv put kv/course-discovery CLIENT_ID=aaaaaaa CLIENT_SECRET=bbbbbbb SECRET_KEY=ccccccccc NEW_RELIC_LICENSE_KEY=uuuuuuuuuuu DATABASE_DEFAULT_PASSWORD=db-pass DATABASE_MIGRATE_PASSWORD=db-pass DB_MIGRATION_PASS=db-pass + vault kv put kv/noname USERNAME=aaaaaaa PASSWORD=bbbbbbb EMAIL=ccccccccc SNIFF_SOURCE_INDEX=uuuuuuuuuuu SNIFF_SOURCE_KEY=db-pass ENCODED_AUTH=1234456 + vault kv put kv/datadog eks_api_key=abc123 eks_app_key=abc123 + vault-acl-job-policy.hcl: | + # Manage auth methods broadly across Vault + path "auth/*" + { + capabilities = ["create", "read", "update", "delete", "list", "sudo"] + } + + # Create, update, and delete auth methods + path "sys/auth/*" + { + capabilities = ["create", "update", "delete", "sudo"] + } + + # List auth methods + path "sys/auth" + { + capabilities = ["read"] + } + + # List existing policies + path "sys/policies/acl" + { + capabilities = ["list"] + } + + # Create and manage ACL policies + path "sys/policies/acl/*" + { + capabilities = ["create", "read", "update", "delete", "list", "sudo"] + } + + # List, create, update, and delete key/value secrets + path "secret/*" + { + capabilities = ["create", "read", "update", "delete", "list", "sudo"] + } + + # Manage secrets engines + path "sys/mounts/*" + { + capabilities = ["create", "read", "update", "delete", "list", "sudo"] + } + + # List existing secrets engines. + path "sys/mounts" + { + capabilities = ["read"] + } + + # Read health checks + path "sys/health" + { + capabilities = ["read", "sudo"] + } + + # Read vault-acl-job secrets + path "kv/data/vault-acl" + { + capabilities = ["read", "list"] + } + path "kv/data/vault-acl/*" + { + capabilities = ["read", "list"] + } + argocd-policy.hcl: | + path "kv/data" + { + capabilities = ["read", "list"] + } + path "kv/data/*" + { + capabilities = ["read", "list"] + } diff --git a/vault-development-bootstrapper/vault-development-bootstrapper.yaml b/vault-development-bootstrapper/vault-development-bootstrapper.yaml new file mode 100644 index 00000000..b7cef826 --- /dev/null +++ b/vault-development-bootstrapper/vault-development-bootstrapper.yaml @@ -0,0 +1,57 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: vault-development-bootstrapper-job + namespace: vault + annotations: + ignore-check.kube-linter.io/latest-tag: Ignore check for k8s-cli-utils latest image + ignore-check.kube-linter.io/run-as-non-root: "we should probably not be using busybox here (TODO) but the vault container requires an ignore for the time being in either case: PSRE-2002" + ignore-check.kube-linter.io/non-existent-service-account: "Ignore check as service account is created when Vault is installed" + ignore-check.kube-linter.io/no-liveness-probe: "Dev environment that no doubtedly takes a while to spin up" +spec: + template: + spec: + initContainers: + - name: vault-wait + image: busybox:1.28 + command: ['sh', '-c', 'until nslookup development-vault; do sleep 2; done;'] + resources: + requests: + cpu: "50m" + memory: "48Mi" + limits: + cpu: "100m" + memory: "64Mi" + securityContext: + readOnlyRootFilesystem: true + containers: + - name: vault-development-bootstrapper-job + image: vault:1.13.1 + command: [ "/bin/sh", "-c", "--" ] + args: [ "cd /tmp/vault; /vault-development-bootstrapper-cm/start.sh" ] + # args: [ "while true; do echo \"ka thump\"; sleep 30; done;" ] + volumeMounts: + - name: vault-development-bootstrapper-cm + mountPath: /vault-development-bootstrapper-cm + - name: tmp-vault + mountPath: /tmp/vault + resources: + requests: + cpu: "50m" + memory: "48Mi" + limits: + cpu: "100m" + memory: "64Mi" + securityContext: + readOnlyRootFilesystem: true + volumes: + - name: vault-development-bootstrapper-cm + configMap: + name: vault-development-bootstrapper-cm + defaultMode: 0550 + - name: tmp-vault + emptyDir: {} + restartPolicy: Never + serviceAccountName: development-vault + backoffLimit: 20