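--- a/k8s/README.md
+++ b/k8s/README.md
@@ -0,0 +1,5 @@
+# Kustomize deployment
+
+## Run locally
+
+The `secrets.yaml` file is provided as a reference only and must be referenced manually in the `kustomization.yaml` file.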
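--- a/k8s/auth.yaml
+++ b/k8s/auth.yaml
@@ -19,34 +19,9 @@ spec:
       runAsNonRoot: true
       containers:
         # -----------------------------------------------------
-        # ScoutAPM Container
-        # -----------------------------------------------------
-        - name: scoutapm
-          image: "scoutapp/scoutapm:version-1.4.0"
-          imagePullPolicy: IfNotPresent
-          # Replace command with one that will shut down on a TERM signal
-          # The ./core-agent start command line is from the scoutapm docker image
-          command:
-            - "sh"
-            - "-c"
-            - >-
-              trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
-              ./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
-              wait $!
-          livenessProbe:
-            exec:
-              command:
-                - "sh"
-                - "-c"
-                - "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
-          securityContext:
-            readOnlyRootFilesystem: true
-            runAsUser: 65534 # "nobody" user by default
-            runAsGroup: 65534 # "nogroup" group by default
-        # -----------------------------------------------------
-        # Datatracker Container
+        # Auth Container
         # -----------------------------------------------------
-        - name: datatracker
+        - name: auth
           image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG"
           imagePullPolicy: Always
           ports:
@@ -72,8 +47,8 @@ spec:
             - name: "DEPLOY_UID"
               value: "$DEPLOY_UID"
           envFrom:
-            - configMapRef:
-                name: django-config
+            - secretRef:
+                name: dt-secrets-env
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
@@ -82,6 +57,31 @@ spec:
             readOnlyRootFilesystem: true
             runAsUser: 1000
             runAsGroup: 1000
+        # -----------------------------------------------------
+        # ScoutAPM Container
+        # -----------------------------------------------------
+        - name: scoutapm
+          image: "scoutapp/scoutapm:version-1.4.0"
+          imagePullPolicy: IfNotPresent
+          # Replace command with one that will shut down on a TERM signal
+          # The ./core-agent start command line is from the scoutapm docker image
+          command:
+            - "sh"
+            - "-c"
+            - >-
+              trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
+              ./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
+              wait $!
+          livenessProbe:
+            exec:
+              command:
+                - "sh"
+                - "-c"
+                - "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsUser: 65534 # "nobody" user by default
+            runAsGroup: 65534 # "nogroup" group by default
       volumes:
         # To be overriden with the actual shared volume
         - name: dt-vol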
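Review bot: The scoutapm sidecar's securityContext, in the block re-added at the end of the containers list, is weaker than the auth container's: it sets readOnlyRootFilesystem and a non-root uid/gid but omits `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`, both of which the auth container carries a few lines above. The block is moved rather than new, but it is now the only container in this pod without those two settings, so add them under the sidecar's `securityContext:` so both containers are hardened alike. The Deployment's spec continues outside the shown hunks.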
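--- a/k8s/beat.yaml
+++ b/k8s/beat.yaml
@@ -20,6 +20,9 @@ spec:
       securityContext:
         runAsNonRoot: true
       containers:
+        # -----------------------------------------------------
+        # Beat Container
+        # -----------------------------------------------------
         - name: beat
           image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG"
           imagePullPolicy: Always
@@ -39,8 +42,8 @@ spec:
             - name: "CONTAINER_ROLE"
               value: "beat"
           envFrom:
-            - configMapRef:
-                name: django-config
+            - secretRef:
+                name: dt-secrets-env
           securityContext:
             allowPrivilegeEscalation: false
             capabilities: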
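Review bot: The new `secretRef: dt-secrets-env` has no `optional:` flag, so the beat pod will not start until that Secret exists, which is the safe default but is nowhere explained in the manifest: the Secret is deliberately not part of this kustomization (django-config.yaml is dropped from the resources and the README says secrets.yaml must be referenced manually). A one-line comment above the reference, `# created out-of-tree; see k8s/README.md`, would make that dependency visible where the error will surface. Note also that with the ConfigMap gone, presumably every Django setting and not only the sensitive ones now lives in that Secret, so anyone with get on Secrets in the namespace reads all of it; fine if intended, but worth stating.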
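--- a/k8s/celery.yaml
+++ b/k8s/celery.yaml
@@ -21,31 +21,6 @@ spec:
       runAsNonRoot: true
       containers:
         # -----------------------------------------------------
-        # ScoutAPM Container
-        # -----------------------------------------------------
-        - name: scoutapm
-          image: "scoutapp/scoutapm:version-1.4.0"
-          imagePullPolicy: IfNotPresent
-          # Replace command with one that will shut down on a TERM signal
-          # The ./core-agent start command line is from the scoutapm docker image
-          command:
-            - "sh"
-            - "-c"
-            - >-
-              trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
-              ./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
-              wait $!
-          livenessProbe:
-            exec:
-              command:
-                - "sh"
-                - "-c"
-                - "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
-          securityContext:
-            readOnlyRootFilesystem: true
-            runAsUser: 65534 # "nobody" user by default
-            runAsGroup: 65534 # "nogroup" group by default
-        # -----------------------------------------------------
         # Celery Container
         # -----------------------------------------------------
         - name: celery
@@ -71,8 +46,8 @@ spec:
             - name: "CONTAINER_ROLE"
               value: "celery"
           envFrom:
-            - configMapRef:
-                name: django-config
+            - secretRef:
+                name: dt-secrets-env
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
@@ -81,6 +56,31 @@ spec:
             readOnlyRootFilesystem: true
             runAsUser: 1000
             runAsGroup: 1000
+        # -----------------------------------------------------
+        # ScoutAPM Container
+        # -----------------------------------------------------
+        - name: scoutapm
+          image: "scoutapp/scoutapm:version-1.4.0"
+          imagePullPolicy: IfNotPresent
+          # Replace command with one that will shut down on a TERM signal
+          # The ./core-agent start command line is from the scoutapm docker image
+          command:
+            - "sh"
+            - "-c"
+            - >-
+              trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
+              ./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
+              wait $!
+          livenessProbe:
+            exec:
+              command:
+                - "sh"
+                - "-c"
+                - "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsUser: 65534 # "nobody" user by default
+            runAsGroup: 65534 # "nogroup" group by default
       volumes:
         # To be overriden with the actual shared volume
         - name: dt-vol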
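Review bot: The scoutapm sidecar re-added after the celery container binds the core agent with `--tcp 0.0.0.0:6590`, which makes port 6590 reachable on the pod IP from any peer the cluster's network policy allows, although the only consumer appears to be the celery container in the same pod. If the agent and its probe accept a loopback address, `--tcp 127.0.0.1:6590` in the start, shutdown and probe commands would keep it off the pod network; confirm against the scoutapm image before changing it. The sidecar's securityContext also omits the `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` that the celery container sets a few lines above, and `--log-level debug` is presumably more verbose than a production deployment wants.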
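--- a/k8s/datatracker.yaml
+++ b/k8s/datatracker.yaml
@@ -19,31 +19,6 @@ spec:
       runAsNonRoot: true
       containers:
         # -----------------------------------------------------
-        # ScoutAPM Container
-        # -----------------------------------------------------
-        - name: scoutapm
-          image: "scoutapp/scoutapm:version-1.4.0"
-          imagePullPolicy: IfNotPresent
-          # Replace command with one that will shut down on a TERM signal
-          # The ./core-agent start command line is from the scoutapm docker image
-          command:
-            - "sh"
-            - "-c"
-            - >-
-              trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
-              ./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
-              wait $!
-          livenessProbe:
-            exec:
-              command:
-                - "sh"
-                - "-c"
-                - "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
-          securityContext:
-            readOnlyRootFilesystem: true
-            runAsUser: 65534 # "nobody" user by default
-            runAsGroup: 65534 # "nogroup" group by default
-        # -----------------------------------------------------
         # Datatracker Container
         # -----------------------------------------------------
         - name: datatracker
@@ -72,8 +47,8 @@ spec:
             - name: "DEPLOY_UID"
               value: "$DEPLOY_UID"
           envFrom:
-            - configMapRef:
-                name: django-config
+            - secretRef:
+                name: dt-secrets-env
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
@@ -82,6 +57,31 @@ spec:
             readOnlyRootFilesystem: true
             runAsUser: 1000
             runAsGroup: 1000
+        # -----------------------------------------------------
+        # ScoutAPM Container
+        # -----------------------------------------------------
+        - name: scoutapm
+          image: "scoutapp/scoutapm:version-1.4.0"
+          imagePullPolicy: IfNotPresent
+          # Replace command with one that will shut down on a TERM signal
+          # The ./core-agent start command line is from the scoutapm docker image
+          command:
+            - "sh"
+            - "-c"
+            - >-
+              trap './core-agent shutdown --tcp 0.0.0.0:6590' TERM;
+              ./core-agent start --daemonize false --log-level debug --tcp 0.0.0.0:6590 &
+              wait $!
+          livenessProbe:
+            exec:
+              command:
+                - "sh"
+                - "-c"
+                - "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsUser: 65534 # "nobody" user by default
+            runAsGroup: 65534 # "nogroup" group by default
       initContainers:
         - name: migration
           image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG"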
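Review bot: The `envFrom` change makes the datatracker container's whole environment come from the `dt-secrets-env` Secret, and nothing in this kustomization creates it: django-config.yaml was dropped from the resources and the README says secrets.yaml is a reference only, to be wired up by hand. A missing Secret leaves the pod in CreateContainerConfigError with no hint in the manifest, so a comment above the reference would save the next operator a search: `# dt-secrets-env is not managed by this kustomization; see k8s/README.md`. The migration initContainer that follows is cut off by the hunk, so whether it needs the same reference cannot be checked here.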
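--- a/k8s/kustomization.yaml
+++ b/k8s/kustomization.yaml
@@ -9,6 +9,5 @@ resources:
   - beat.yaml
   - celery.yaml
   - datatracker.yaml
-  - django-config.yaml
   - memcached.yaml
   - rabbitmq.yaml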
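--- a/k8s/memcached.yaml
+++ b/k8s/memcached.yaml
@@ -16,38 +16,44 @@ spec:
       securityContext:
         runAsNonRoot: true
       containers:
-        - image: "quay.io/prometheus/memcached-exporter:v0.14.3"
+        # -----------------------------------------------------
+        # Memcached
+        # -----------------------------------------------------
+        - image: "memcached:1.6-alpine"
           imagePullPolicy: IfNotPresent
-          name: memcached-exporter
+          args: ["-m", "1024"]
+          name: memcached
           ports:
-            - name: metrics
-              containerPort: 9150
+            - name: memcached
+              containerPort: 11211
               protocol: TCP
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
               drop:
                 - ALL
             readOnlyRootFilesystem: true
-            runAsUser: 65534 # nobody
-            runAsGroup: 65534 # nobody
-        - image: "memcached:1.6-alpine"
+            # memcached image sets up uid/gid 11211
+            runAsUser: 11211
+            runAsGroup: 11211
+        # -----------------------------------------------------
+        # Memcached Exporter for Prometheus
+        # -----------------------------------------------------
+        - image: "quay.io/prometheus/memcached-exporter:v0.14.3"
           imagePullPolicy: IfNotPresent
-          args: ["-m", "1024"]
-          name: memcached
+          name: memcached-exporter
           ports:
-            - name: memcached
-              containerPort: 11211
+            - name: metrics
+              containerPort: 9150
               protocol: TCP
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
               drop:
                 - ALL
             readOnlyRootFilesystem: true
-            # memcached image sets up uid/gid 11211
-            runAsUser: 11211
-            runAsGroup: 11211
+            runAsUser: 65534 # nobody
+            runAsGroup: 65534 # nobody
       dnsPolicy: ClusterFirst
       restartPolicy: Always
       terminationGracePeriodSeconds: 30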
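Review bot: `args: ["-m", "1024"]` on the memcached container requests a 1024 MiB item cache, but nothing in the manifest says so and the container's memory limit is outside the hunk, so a reader cannot see whether the two agree; a cache allowed to grow past the limit ends in OOM kills rather than memcached's own evictions. A comment above the args line would pin the intent: `# -m: item cache size in MiB; keep below the container memory limit`. Separately, memcached on 11211 and the exporter on 9150 carry no authentication, so reachability presumably rests on a NetworkPolicy or Service scoping that is not part of this kustomization; if that is the assumption, it is worth a line in the file too.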
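--- a/k8s/rabbitmq.yaml
+++ b/k8s/rabbitmq.yaml
@@ -15,23 +15,6 @@ spec:
     spec:
       securityContext:
       runAsNonRoot: true
-      initContainers:
-        # -----------------------------------------------------
-        # Init RabbitMQ data
-        # -----------------------------------------------------
-        - name: init-rabbitmq
-          image: busybox:stable
-          command:
-            - "sh"
-            - "-c"
-            - "mkdir -p -m700 /mnt/rabbitmq && chown 100:101 /mnt/rabbitmq"
-          securityContext:
-            runAsNonRoot: false
-            runAsUser: 0
-            readOnlyRootFilesystem: true
-          volumeMounts:
-            - name: "rabbitmq-data"
-              mountPath: "/mnt"
       containers:
         # -----------------------------------------------------
         # RabbitMQ Container
@@ -52,8 +35,11 @@ spec:
             - name: rabbitmq-config
               mountPath: "/etc/rabbitmq"
           env:
-            - name: "CELERY_PASSWORD"
-              value: "this-is-a-secret"
+            - name: CELERY_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: dt-secrets-env
+                  key: CELERY_PASSWORD
           livenessProbe:
             exec:
               command: ["rabbitmq-diagnostics", "-q", "ping"]
@@ -76,6 +62,23 @@ spec:
             # rabbitmq image sets up uid/gid 100/101
             runAsUser: 100
             runAsGroup: 101
+      initContainers:
+        # -----------------------------------------------------
+        # Init RabbitMQ data
+        # -----------------------------------------------------
+        - name: init-rabbitmq
+          image: busybox:stable
+          command:
+            - "sh"
+            - "-c"
+            - "mkdir -p -m700 /mnt/rabbitmq && chown 100:101 /mnt/rabbitmq"
+          securityContext:
+            runAsNonRoot: false
+            runAsUser: 0
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - name: "rabbitmq-data"
+              mountPath: "/mnt"
       volumes:
         - name: rabbitmq-tmp
           emptyDir: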
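Review bot: The init-rabbitmq container re-added at the end of the spec runs as uid 0 with the full root capability set, although all it does is `mkdir` and `chown` on the data volume; giving its securityContext `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL], add: [CHOWN, DAC_OVERRIDE, FOWNER]}` keeps root for the chown and nothing else (FOWNER may turn out unnecessary, since mkdir creates the directory with the mode already applied). `busybox:stable` is a floating tag, so pin it to a fixed version or digest so the only root-running step in this pod is reproducible. Separately, the literal `this-is-a-secret` removed from CELERY_PASSWORD remains in git history; if that value was ever used in a real deployment it should be rotated, not just moved into the Secret.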