ncirc bootstrap (ZcashFoundation#44)

BUILD

@@ -3,6 +3,8 @@ load("@io_bazel_rules_k8s//k8s:objects.bzl", "k8s_objects")
 k8s_objects(
     name = "deploy",
     objects = [
+        # TODO: add common for eg sql-proxy out of free2z
         "//k8s/free2z:deploy-all",
+        "//k8s/ncirc:deploy-all",
     ],
 )

cloudbuild.yaml

@@ -12,14 +12,48 @@ steps:
     id: decrypt
     waitFor: ["-"]
 
+  ######## incircle.live
+  - name: gcr.io/cloud-builders/npm:node-16.18.0
+    # entrypoint: npm
+    args:
+      - install
+      - --legacy-peer-deps
+      # ??
+    dir: "/workspace/ts/react/ncirc"
+    id: "ncirc-npm-install"
+    waitFor:
+      - "-"
+  - name: gcr.io/cloud-builders/npm:node-16.18.0
+    # entrypoint: npm
+    args:
+      - run
+      - build
+    dir: "ts/react/ncirc"
+    id: ncirc-npm-build
+    waitFor:
+      - ncirc-npm-install
+  - name: gcr.io/free2z/free2z
+    entrypoint: bash
+    args:
+      - "-c"
+      - |
+        export DBPASS=fake
+        export DJANGO_SETTINGS_MODULE="dj.ncirc.prod_settings"
+        python manage.py collectstatic
+    dir: "py/dj/ncirc"
+    id: ncirc-collectstatic
+    waitFor:
+      - "-"
+
+  ######## free2z
+  # docs
   - name: gcr.io/cloud-builders/npm:node-16.18.0
     args:
       - install
     dir: "/workspace/docs/about-free2z"
     id: "docs-install"
     waitFor:
       - "-"
-
   - name: gcr.io/cloud-builders/npm:node-16.18.0
     args:
       - run
@@ -28,8 +62,7 @@ steps:
     id: "docs"
     waitFor:
       - "docs-install"
-
-  # TODO? This is slowish
+  # react
   - name: gcr.io/cloud-builders/npm:node-16.18.0
     # entrypoint: npm
     args:
@@ -40,7 +73,6 @@ steps:
     id: "npm-install"
     waitFor:
       - "-"
-
   - name: gcr.io/cloud-builders/npm:node-16.18.0
     # entrypoint: npm
     args:
@@ -50,7 +82,6 @@ steps:
     id: npm-build
     waitFor:
       - npm-install
-
   - name: gcr.io/free2z/free2z
     entrypoint: bash
     args:
@@ -108,6 +139,8 @@ steps:
       - collectstatic
       - docs
       - npm-build
+      - ncirc-npm-build
+      - ncirc-collectstatic
 
 availableSecrets:
   secretManager:
@@ -119,5 +152,7 @@ availableSecrets:
 # yeah, 4 minutes versus 12 ... almost $0.10 a build though ...
 # But, yeah, I think so ...
 options:
+  # :/
   # N1_HIGHCPU_32 even
-  machineType: "N1_HIGHCPU_8"
+  # machineType: "N1_HIGHCPU_8"
+  machineType: N1_HIGHCPU_32

docs/ncirc/ARCH.md

@@ -0,0 +1,23 @@
+Things are separate on the surface, shared deep down.
+
+## Separate
+
+### Ingress
+
+```
+gcloud compute addresses create ncirc-test --global
+gcloud compute addresses create ncirc-stage --global
+gcloud compute addresses create ncirc-prod --global
+```
+
+### Deployment manifests
+
+```
+cd k8s/common/certmanager
+```
+
+```
+kubectl apply -f blank-secret.yaml -n test
+kubectl apply -f blank-secret.yaml -n stage
+kubectl apply -f blank-secret.yaml -n prod
+```

docs/ncirc/README.md

@@ -0,0 +1,3 @@
+# Inner Circles
+
+Exclusive stars.

docs/streaming/dyte.md

@@ -16,3 +16,13 @@ https://docs.dyte.io/react-ui-kit/quickstart
 https://docs.dyte.io/api#/operations/create_meeting
 
 https://dev.dyte.io/roles-presets?orgId=7dba0970-3d0b-45e4-97dc-17029162fcc5
+
+## Daily Driver Links
+
+https://dev.dyte.io/dashboard?orgId=7dba0970-3d0b-45e4-97dc-17029162fcc5
+
+https://docs.dyte.io/api?v=v2#/operations/GetActiveSession
+
+https://docs.dyte.io/api#/operations/get_all_participants
+
+https://docs.dyte.io/react-ui-kit

k8s/common/certmanager/blank-secret.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: Secret
 metadata:
-  name: free2z-ssl
+  name: ncirc-ssl
 type: kubernetes.io/tls
 stringData:
   tls.key: ""

k8s/free2z/BUILD.bazel

@@ -82,6 +82,12 @@ container_push(
     repository = "free2z/nginx",
 )
 
+k8s_deploy(
+    name = "issuer",
+    kind = "Issuer",
+    template = "issuer.yaml",
+)
+
 k8s_deploy(
     name = "ingress",
     kind = "Ingress",
@@ -119,6 +125,7 @@ k8s_objects(
         "//k8s/free2z/sql-proxy:deployment",
         ":config",
         ":secret",
+        ":issuer",
         ":ingress",
         ":service",
         ":deployment",

k8s/free2z/deployment.yaml

@@ -22,7 +22,6 @@ spec:
       serviceAccountName: free2z-db
       containers:
         # NGINX FRONTEND
-        # TODO: put docs and react in this container
         - name: free2z-nginx
           image: gcr.io/free2z/nginx:latest
           resources:

k8s/free2z/ingress.yaml

@@ -9,7 +9,7 @@ metadata:
     kubernetes.io/ingress.class: gce
     # This enables HTTP connections from Internet clients
     # TODO: no http?
-    kubernetes.io/ingress.allow-http: "false"
+    kubernetes.io/ingress.allow-http: "true"
     # This tells Google Cloud to associate the External Load Balancer
     # with the static IP which we created earlier
     # gcloud compute addresses create free2z-test --global

k8s/common/certmanager/lets-encrypt-production.yaml → k8s/free2z/issuer.yaml

@@ -1,6 +1,7 @@
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
+  # should be renamed "letsencrypt-free2z" but let's leave well enough
   name: letsencrypt-production
 spec:
   acme:

k8s/ncirc/BUILD.bazel

@@ -0,0 +1,96 @@
+load("@io_bazel_rules_k8s//k8s:objects.bzl", "k8s_objects")
+load("@k8s_deploy//:defaults.bzl", "k8s_deploy")
+load("@io_bazel_rules_docker//container:container.bzl", "container_image", "container_push")
+
+package(default_visibility = ["//visibility:public"])
+
+k8s_deploy(
+    name = "config",
+    kind = "ConfigMap",
+    substitutions = {
+        # same namespace test/stage/prod as free2z
+        "%{DBNAME}": "$(NAMESPACE)",
+    },
+    template = "config.yaml",
+)
+
+k8s_deploy(
+    name = "secret",
+    kind = "Secret",
+    template = ":secret.yaml",
+    # Secret Manager secrets
+    # https://console.cloud.google.com/security/secret-manager/secret/DBPASS/overview?project=free2z
+)
+
+container_image(
+    name = "nginx",
+    base = "@nginx//image",
+    cmd = [
+        "nginx",
+        "-g",
+        "daemon off",
+    ],
+    directory = "/base",
+    files = [
+        "nginx.conf",
+    ],
+    symlinks = {
+        "/etc/nginx/conf.d/default.conf": "/base/nginx.conf",
+    },
+    tars = [
+        "//py:ncirc-statictar",
+        "//ts/react/ncirc:tar",
+    ],
+)
+
+k8s_deploy(
+    name = "issuer",
+    kind = "Issuer",
+    template = "issuer.yaml",
+)
+
+k8s_deploy(
+    name = "ingress",
+    kind = "Ingress",
+    substitutions = {
+        "%{NAMESPACE}": "$(NAMESPACE)",
+        "%{PREFIX}": "$(PREFIX)",
+    },
+    template = "ingress.yaml",
+)
+
+k8s_deploy(
+    name = "service",
+    kind = "Service",
+    substitutions = {
+    },
+    template = "service.yaml",
+)
+
+k8s_deploy(
+    name = "deployment",
+    images = {
+        "gcr.io/free2z/ncirc-nginx:latest": ":nginx",
+        # TODO: could just be called "django"
+        "gcr.io/free2z/free2z:latest": "//k8s/free2z:container",
+    },
+    kind = "Deployment",
+    substitutions = {
+        "%{REPLICAS}": "3",
+    },
+    template = ":deployment.yaml",
+)
+
+k8s_objects(
+    name = "deploy-all",
+    objects = [
+        # depends on ye' ol' commonproxy. should be moved out to common
+        # "//k8s/free2z/sql-proxy:deployment",
+        ":config",
+        ":secret",
+        ":issuer",
+        ":ingress",
+        ":service",
+        ":deployment",
+    ],
+)

k8s/ncirc/config.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: ncirc
+data:
+  DBHOST: sql-proxy-service
+  DBNAME: "%{DBNAME}"
+  DJANGO_SETTINGS_MODULE: "dj.ncirc.prod_settings"

k8s/ncirc/deployment.yaml

@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ncirc
+  labels:
+    app: ncirc
+spec:
+  selector:
+    matchLabels:
+      app: ncirc
+  replicas: 3
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 50%
+      maxUnavailable: 50%
+  template:
+    metadata:
+      labels:
+        app: ncirc
+    spec:
+      # uses free2z workload identity
+      serviceAccountName: free2z-db
+      containers:
+        # NGINX FRONTEND
+        - name: ncirc-nginx
+          image: gcr.io/free2z/ncirc-nginx:latest
+          resources:
+            limits:
+              memory: 50Mi
+            requests:
+              cpu: 50m
+              memory: 25Mi
+          args: ["nginx", "-g", "daemon off;"]
+          ports:
+            - containerPort: 8080
+
+        # DJANGO APP
+        - name: ncirc-dj
+          image: gcr.io/free2z/free2z:latest
+          command:
+            - "/usr/local/bin/daphne"
+            - "-p"
+            - "8000"
+            - "dj.ncirc.asgi:application"
+          resources:
+            limits:
+              cpu: 500m
+              memory: 1200Mi
+            requests:
+              cpu: 10m
+              memory: 100Mi
+          envFrom:
+            - configMapRef:
+                name: ncirc
+            - secretRef:
+                name: ncirc
+          ports:
+            - containerPort: 8000
+
+        # https://cloud.google.com/sql/docs/postgres/connect-kubernetes-engine
+        - name: cloud-sql-proxy
+          # It is recommended to use the latest version of the Cloud SQL proxy
+          # Make sure to update on a regular schedule!
+          image: gcr.io/cloudsql-docker/gce-proxy:1.28.0 # make sure the use the latest version
+          command:
+            - "/cloud_sql_proxy"
+
+            # If connecting from a VPC-native GKE cluster, you can use the
+            # following flag to have the proxy connect over private IP
+            # - "-ip_address_types=PRIVATE"
+
+            # By default, the proxy will write all logs to stderr. In some
+            # environments, anything printed to stderr is consider an error. To
+            # disable this behavior and write all logs to stdout (except errors
+            # which will still go to stderr), use:
+            - "-log_debug_stdout"
+
+            # Replace DB_PORT with the port the proxy should listen on
+            # Defaults: MySQL: 3306, Postgres: 5432, SQLServer: 1433
+            - "-instances=free2z:us-east1:free2z=tcp:5432"
+          securityContext:
+            # The default Cloud SQL proxy image runs as the
+            # "nonroot" user and group (uid: 65532) by default.
+            runAsNonRoot: true