Skip to content

Commit c9dab33

Browse files
authored
ci: migrate to using secret instead of configmap (ietf-tools#7685)
1 parent 475cf2f commit c9dab33

9 files changed

Lines changed: 140 additions & 124 deletions

File tree

k8s/README.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
# Kustomize deployment
2+
3+
## Run locally
4+
5+
The `secrets.yaml` file is provided as a reference only and must be referenced manually in the `kustomization.yaml` file.

k8s/auth.yaml

Lines changed: 29 additions & 29 deletions
Original file line numberDiff line numberDiff line change
@@ -19,34 +19,9 @@ spec:
1919
runAsNonRoot: true
2020
containers:
2121
# -----------------------------------------------------
22-
# ScoutAPM Container
23-
# -----------------------------------------------------
24-
- name: scoutapm
25-
image: "scoutapp/scoutapm:version-1.4.0"
26-
imagePullPolicy: IfNotPresent
27-
# Replace command with one that will shut down on a TERM signal
28-
# The ./core-agent start command line is from the scoutapm docker image
29-
command:
30-
- "sh"
31-
- "-c"
32-
- >-
33-
trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
34-
./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
35-
wait $!
36-
livenessProbe:
37-
exec:
38-
command:
39-
- "sh"
40-
- "-c"
41-
- "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
42-
securityContext:
43-
readOnlyRootFilesystem: true
44-
runAsUser: 65534 # "nobody" user by default
45-
runAsGroup: 65534 # "nogroup" group by default
46-
# -----------------------------------------------------
47-
# Datatracker Container
22+
# Auth Container
4823
# -----------------------------------------------------
49-
- name: datatracker
24+
- name: auth
5025
image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG"
5126
imagePullPolicy: Always
5227
ports:
@@ -72,8 +47,8 @@ spec:
7247
- name: "DEPLOY_UID"
7348
value: "$DEPLOY_UID"
7449
envFrom:
75-
- configMapRef:
76-
name: django-config
50+
- secretRef:
51+
name: dt-secrets-env
7752
securityContext:
7853
allowPrivilegeEscalation: false
7954
capabilities:
@@ -82,6 +57,31 @@ spec:
8257
readOnlyRootFilesystem: true
8358
runAsUser: 1000
8459
runAsGroup: 1000
60+
# -----------------------------------------------------
61+
# ScoutAPM Container
62+
# -----------------------------------------------------
63+
- name: scoutapm
64+
image: "scoutapp/scoutapm:version-1.4.0"
65+
imagePullPolicy: IfNotPresent
66+
# Replace command with one that will shut down on a TERM signal
67+
# The ./core-agent start command line is from the scoutapm docker image
68+
command:
69+
- "sh"
70+
- "-c"
71+
- >-
72+
trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
73+
./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
74+
wait $!
75+
livenessProbe:
76+
exec:
77+
command:
78+
- "sh"
79+
- "-c"
80+
- "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
81+
securityContext:
82+
readOnlyRootFilesystem: true
83+
runAsUser: 65534 # "nobody" user by default
84+
runAsGroup: 65534 # "nogroup" group by default
8585
volumes:
8686
# To be overriden with the actual shared volume
8787
- name: dt-vol

k8s/beat.yaml

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -20,6 +20,9 @@ spec:
2020
securityContext:
2121
runAsNonRoot: true
2222
containers:
23+
# -----------------------------------------------------
24+
# Beat Container
25+
# -----------------------------------------------------
2326
- name: beat
2427
image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG"
2528
imagePullPolicy: Always
@@ -39,8 +42,8 @@ spec:
3942
- name: "CONTAINER_ROLE"
4043
value: "beat"
4144
envFrom:
42-
- configMapRef:
43-
name: django-config
45+
- secretRef:
46+
name: dt-secrets-env
4447
securityContext:
4548
allowPrivilegeEscalation: false
4649
capabilities:

k8s/celery.yaml

Lines changed: 27 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -21,31 +21,6 @@ spec:
2121
runAsNonRoot: true
2222
containers:
2323
# -----------------------------------------------------
24-
# ScoutAPM Container
25-
# -----------------------------------------------------
26-
- name: scoutapm
27-
image: "scoutapp/scoutapm:version-1.4.0"
28-
imagePullPolicy: IfNotPresent
29-
# Replace command with one that will shut down on a TERM signal
30-
# The ./core-agent start command line is from the scoutapm docker image
31-
command:
32-
- "sh"
33-
- "-c"
34-
- >-
35-
trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
36-
./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
37-
wait $!
38-
livenessProbe:
39-
exec:
40-
command:
41-
- "sh"
42-
- "-c"
43-
- "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
44-
securityContext:
45-
readOnlyRootFilesystem: true
46-
runAsUser: 65534 # "nobody" user by default
47-
runAsGroup: 65534 # "nogroup" group by default
48-
# -----------------------------------------------------
4924
# Celery Container
5025
# -----------------------------------------------------
5126
- name: celery
@@ -71,8 +46,8 @@ spec:
7146
- name: "CONTAINER_ROLE"
7247
value: "celery"
7348
envFrom:
74-
- configMapRef:
75-
name: django-config
49+
- secretRef:
50+
name: dt-secrets-env
7651
securityContext:
7752
allowPrivilegeEscalation: false
7853
capabilities:
@@ -81,6 +56,31 @@ spec:
8156
readOnlyRootFilesystem: true
8257
runAsUser: 1000
8358
runAsGroup: 1000
59+
# -----------------------------------------------------
60+
# ScoutAPM Container
61+
# -----------------------------------------------------
62+
- name: scoutapm
63+
image: "scoutapp/scoutapm:version-1.4.0"
64+
imagePullPolicy: IfNotPresent
65+
# Replace command with one that will shut down on a TERM signal
66+
# The ./core-agent start command line is from the scoutapm docker image
67+
command:
68+
- "sh"
69+
- "-c"
70+
- >-
71+
trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
72+
./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
73+
wait $!
74+
livenessProbe:
75+
exec:
76+
command:
77+
- "sh"
78+
- "-c"
79+
- "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
80+
securityContext:
81+
readOnlyRootFilesystem: true
82+
runAsUser: 65534 # "nobody" user by default
83+
runAsGroup: 65534 # "nogroup" group by default
8484
volumes:
8585
# To be overriden with the actual shared volume
8686
- name: dt-vol

k8s/datatracker.yaml

Lines changed: 27 additions & 27 deletions
Original file line numberDiff line numberDiff line change
@@ -19,31 +19,6 @@ spec:
1919
runAsNonRoot: true
2020
containers:
2121
# -----------------------------------------------------
22-
# ScoutAPM Container
23-
# -----------------------------------------------------
24-
- name: scoutapm
25-
image: "scoutapp/scoutapm:version-1.4.0"
26-
imagePullPolicy: IfNotPresent
27-
# Replace command with one that will shut down on a TERM signal
28-
# The ./core-agent start command line is from the scoutapm docker image
29-
command:
30-
- "sh"
31-
- "-c"
32-
- >-
33-
trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
34-
./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
35-
wait $!
36-
livenessProbe:
37-
exec:
38-
command:
39-
- "sh"
40-
- "-c"
41-
- "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
42-
securityContext:
43-
readOnlyRootFilesystem: true
44-
runAsUser: 65534 # "nobody" user by default
45-
runAsGroup: 65534 # "nogroup" group by default
46-
# -----------------------------------------------------
4722
# Datatracker Container
4823
# -----------------------------------------------------
4924
- name: datatracker
@@ -72,8 +47,8 @@ spec:
7247
- name: "DEPLOY_UID"
7348
value: "$DEPLOY_UID"
7449
envFrom:
75-
- configMapRef:
76-
name: django-config
50+
- secretRef:
51+
name: dt-secrets-env
7752
securityContext:
7853
allowPrivilegeEscalation: false
7954
capabilities:
@@ -82,6 +57,31 @@ spec:
8257
readOnlyRootFilesystem: true
8358
runAsUser: 1000
8459
runAsGroup: 1000
60+
# -----------------------------------------------------
61+
# ScoutAPM Container
62+
# -----------------------------------------------------
63+
- name: scoutapm
64+
image: "scoutapp/scoutapm:version-1.4.0"
65+
imagePullPolicy: IfNotPresent
66+
# Replace command with one that will shut down on a TERM signal
67+
# The ./core-agent start command line is from the scoutapm docker image
68+
command:
69+
- "sh"
70+
- "-c"
71+
- >-
72+
trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
73+
./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
74+
wait $!
75+
livenessProbe:
76+
exec:
77+
command:
78+
- "sh"
79+
- "-c"
80+
- "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
81+
securityContext:
82+
readOnlyRootFilesystem: true
83+
runAsUser: 65534 # "nobody" user by default
84+
runAsGroup: 65534 # "nogroup" group by default
8585
initContainers:
8686
- name: migration
8787
image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG"

k8s/kustomization.yaml

Lines changed: 0 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,5 @@ resources:
99
- beat.yaml
1010
- celery.yaml
1111
- datatracker.yaml
12-
- django-config.yaml
1312
- memcached.yaml
1413
- rabbitmq.yaml

k8s/memcached.yaml

Lines changed: 20 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -16,38 +16,44 @@ spec:
1616
securityContext:
1717
runAsNonRoot: true
1818
containers:
19-
- image: "quay.io/prometheus/memcached-exporter:v0.14.3"
19+
# -----------------------------------------------------
20+
# Memcached
21+
# -----------------------------------------------------
22+
- image: "memcached:1.6-alpine"
2023
imagePullPolicy: IfNotPresent
21-
name: memcached-exporter
24+
args: ["-m", "1024"]
25+
name: memcached
2226
ports:
23-
- name: metrics
24-
containerPort: 9150
27+
- name: memcached
28+
containerPort: 11211
2529
protocol: TCP
2630
securityContext:
2731
allowPrivilegeEscalation: false
2832
capabilities:
2933
drop:
3034
- ALL
3135
readOnlyRootFilesystem: true
32-
runAsUser: 65534 # nobody
33-
runAsGroup: 65534 # nobody
34-
- image: "memcached:1.6-alpine"
36+
# memcached image sets up uid/gid 11211
37+
runAsUser: 11211
38+
runAsGroup: 11211
39+
# -----------------------------------------------------
40+
# Memcached Exporter for Prometheus
41+
# -----------------------------------------------------
42+
- image: "quay.io/prometheus/memcached-exporter:v0.14.3"
3543
imagePullPolicy: IfNotPresent
36-
args: ["-m", "1024"]
37-
name: memcached
44+
name: memcached-exporter
3845
ports:
39-
- name: memcached
40-
containerPort: 11211
46+
- name: metrics
47+
containerPort: 9150
4148
protocol: TCP
4249
securityContext:
4350
allowPrivilegeEscalation: false
4451
capabilities:
4552
drop:
4653
- ALL
4754
readOnlyRootFilesystem: true
48-
# memcached image sets up uid/gid 11211
49-
runAsUser: 11211
50-
runAsGroup: 11211
55+
runAsUser: 65534 # nobody
56+
runAsGroup: 65534 # nobody
5157
dnsPolicy: ClusterFirst
5258
restartPolicy: Always
5359
terminationGracePeriodSeconds: 30

k8s/rabbitmq.yaml

Lines changed: 22 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -15,23 +15,6 @@ spec:
1515
spec:
1616
securityContext:
1717
runAsNonRoot: true
18-
initContainers:
19-
# -----------------------------------------------------
20-
# Init RabbitMQ data
21-
# -----------------------------------------------------
22-
- name: init-rabbitmq
23-
image: busybox:stable
24-
command:
25-
- "sh"
26-
- "-c"
27-
- "mkdir -p -m700 /mnt/rabbitmq && chown 100:101 /mnt/rabbitmq"
28-
securityContext:
29-
runAsNonRoot: false
30-
runAsUser: 0
31-
readOnlyRootFilesystem: true
32-
volumeMounts:
33-
- name: "rabbitmq-data"
34-
mountPath: "/mnt"
3518
containers:
3619
# -----------------------------------------------------
3720
# RabbitMQ Container
@@ -52,8 +35,11 @@ spec:
5235
- name: rabbitmq-config
5336
mountPath: "/etc/rabbitmq"
5437
env:
55-
- name: "CELERY_PASSWORD"
56-
value: "this-is-a-secret"
38+
- name: CELERY_PASSWORD
39+
valueFrom:
40+
secretKeyRef:
41+
name: dt-secrets-env
42+
key: CELERY_PASSWORD
5743
livenessProbe:
5844
exec:
5945
command: ["rabbitmq-diagnostics", "-q", "ping"]
@@ -76,6 +62,23 @@ spec:
7662
# rabbitmq image sets up uid/gid 100/101
7763
runAsUser: 100
7864
runAsGroup: 101
65+
initContainers:
66+
# -----------------------------------------------------
67+
# Init RabbitMQ data
68+
# -----------------------------------------------------
69+
- name: init-rabbitmq
70+
image: busybox:stable
71+
command:
72+
- "sh"
73+
- "-c"
74+
- "mkdir -p -m700 /mnt/rabbitmq && chown 100:101 /mnt/rabbitmq"
75+
securityContext:
76+
runAsNonRoot: false
77+
runAsUser: 0
78+
readOnlyRootFilesystem: true
79+
volumeMounts:
80+
- name: "rabbitmq-data"
81+
mountPath: "/mnt"
7982
volumes:
8083
- name: rabbitmq-tmp
8184
emptyDir:

0 commit comments

Comments
 (0)