From 2cc2f5c700ae5f77390af71658248aebfbccc393 Mon Sep 17 00:00:00 2001 From: Andrey Platov Date: Sat, 23 Oct 2021 02:05:45 +0200 Subject: [PATCH] k8s deployment use secret Signed-off-by: Andrey Platov --- cloud/app/index.ts | 8 +-- deploy/README.md | 49 ++++++++++++++++++- .../letsencrypt.yaml | 0 deploy/secret.yaml | 27 ++++++++++ dev/tool/run.sh | 11 +++-- pods/account/kube/deployment.yml | 5 +- server/front/kube/issuer.yml | 18 ------- server/server/kube/transactor.yml | 10 +++- server/upload/kube/deployment.yml | 20 ++++++-- 9 files changed, 113 insertions(+), 35 deletions(-) rename server/front/kube/issuer-prod.yml => deploy/letsencrypt.yaml (100%) create mode 100644 deploy/secret.yaml delete mode 100644 server/front/kube/issuer.yml diff --git a/cloud/app/index.ts b/cloud/app/index.ts index c24e0402da..4531a38340 100644 --- a/cloud/app/index.ts +++ b/cloud/app/index.ts @@ -283,7 +283,7 @@ new aws.route53.Record("frontRecord", { type: "A", ttl: 300, records: [ - "8.9.31.18" + "107.191.38.121" ] }) @@ -293,7 +293,7 @@ new aws.route53.Record("transactorRecord", { type: "A", ttl: 300, records: [ - "8.9.31.18" + "107.191.38.121" ] }) @@ -303,7 +303,7 @@ new aws.route53.Record("uploadRecord", { type: "A", ttl: 300, records: [ - "8.9.31.18" + "107.191.38.121" ] }) @@ -313,6 +313,6 @@ new aws.route53.Record("accountRecord", { type: "A", ttl: 300, records: [ - "8.9.31.18" + "107.191.38.121" ] }) diff --git a/deploy/README.md b/deploy/README.md index 38e0e8c914..d1533e14fc 100644 --- a/deploy/README.md +++ b/deploy/README.md 
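Review bot: The literal `107.191.38.121` is now written out in four separate `aws.route53.Record` definitions (frontRecord, transactorRecord, uploadRecord, accountRecord), so the next address change has to touch every one of them, and a missed record would leave one service resolving to the old host. Declaring it once, e.g. `const ingressAddress = "107.191.38.121"`, and using `records: [ingressAddress]` in each record keeps them in step. The record definitions start outside these hunks, so where the constant goes is left to the author.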
@@ -1,2 +1,49 @@ -helm upgrade dev --set master.persistence.size=10Gi,data.persistence.size=10Gi,image.repository=anticrm/elasticsearch,ingest.enabled=true,data.heapSize=8192m,master.heapSize=512m,coordinating.heapSize=512m,ingest.heapSize=512m bitnami/elasticsearch +# Deploying Platform on k8s cluster + +We need [MongoDb](https://www.mongodb.com), [Elastic Search](https://www.elastic.co), and [MinIO](https://www.min.io) servers installed on the network/cloud. +You should have credentials to access these servers to continue deployment. + +ElasticSearch should have `ingest` plugin installed. + +## Secrets + +`secret.yaml` provide exemplary configuration values to access data storage servers. Provide correct values and + +``` +kubectl apply -f secret.yaml +``` + +## Deploying Transactor service + +``` +cd server/server +kubectl apply -f kube/transactor.yml +kubectl apply -f kube/ingress.yml +``` + +## Deploying Front-end services + +``` +cd server/front +kubectl apply -f kube/front.yml +kubectl apply -f kube/ingress.yml +``` + +## Deploying Account services + +``` +cd pods/account +kubectl apply -f kube/deployment.yml +kubectl apply -f kube/service.yml +kubectl apply -f kube/ingress.yml +``` + +## Deploying Upload services + +``` +cd server/upload +kubectl apply -f kube/deployment.yml +kubectl apply -f kube/service.yml +kubectl apply -f kube/ingress.yml +``` diff --git a/server/front/kube/issuer-prod.yml b/deploy/letsencrypt.yaml similarity index 100% rename from server/front/kube/issuer-prod.yml rename to deploy/letsencrypt.yaml diff --git a/deploy/secret.yaml b/deploy/secret.yaml new file mode 100644 index 0000000000..29a6bbc040 --- /dev/null +++ b/deploy/secret.yaml 
@@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Secret +metadata: + name: mongodb +type: Opaque +data: + url: bW9uZ29kYjovLzEwLjEuOTYuNzoyNzAxNy8= +--- +apiVersion: v1 +kind: Secret +metadata: + name: elastic +type: Opaque +data: + url: aHR0cDovLzEwLjEuOTYuODo5MjAwLw== +--- +apiVersion: v1 +kind: Secret +metadata: + name: minio +type: Opaque +data: + endpoint: MTAuMS45Ni45 + accessKey: RGdkZjQ1RUdnZWdI + secretKey: Z3NkZkRnc2Rnc1NHZ3FrRlFFR2xmV2ZncmprNDNtMg== + + diff --git a/dev/tool/run.sh b/dev/tool/run.sh index 0f3cfd7afc..8eed812a64 100755 --- a/dev/tool/run.sh +++ b/dev/tool/run.sh @@ -14,13 +14,14 @@ # limitations under the License. # -export MONGODB_ROOT_PASSWORD=$(kubectl get secret --namespace default mng-mongodb -o jsonpath="{.data.mongodb-root-password}" | base64 --decode) -export MINIO_ACCESS_KEY=$(kubectl get secret --namespace default minio -o jsonpath="{.data.access-key}" | base64 --decode) -export MINIO_SECRET_KEY=$(kubectl get secret --namespace default minio -o jsonpath="{.data.secret-key}" | base64 --decode) +export MONGO_URL=$(kubectl get secret mongodb -o jsonpath="{.data.url}" | base64 --decode) +export MINIO_ENDPOINT=$(kubectl get secret minio -o jsonpath="{.data.endpoint}" | base64 --decode) +export MINIO_ACCESS_KEY=$(kubectl get secret minio -o jsonpath="{.data.accessKey}" | base64 --decode) +export MINIO_SECRET_KEY=$(kubectl get secret minio -o jsonpath="{.data.secretKey}" | base64 --decode) kubectl run anticrm-tool --rm --tty -i --restart='Never' \ - --env="MONGO_URL=mongodb://root:$MONGODB_ROOT_PASSWORD@mng-mongodb:27017/" \ + --env="MONGO_URL=$MONGO_URL" \ --env="TRANSACTOR_URL=ws://transactor/" \ - --env="MINIO_ENDPOINT=minio" \ + --env="MINIO_ENDPOINT=$MINIO_ENDPOINT" \ --env="MINIO_ACCESS_KEY=$MINIO_ACCESS_KEY" \ --env="MINIO_SECRET_KEY=$MINIO_SECRET_KEY" --image anticrm/tool --command -- bash diff --git a/pods/account/kube/deployment.yml b/pods/account/kube/deployment.yml index fc5c54b332..866aea3a0e 100644 
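Review bot: `deploy/secret.yaml` keeps its values under `data:`, which is base64 encoding rather than protection, so whatever is filled in and committed is readable by anyone who can read the repository. The README calls the values exemplary, but the file itself does not say so, and the `minio` `accessKey`/`secretKey` entries look like real keys; if they were ever live they should be rotated. Making the template unmistakable would help: use `stringData:` with obvious placeholders such as `url: mongodb://<user>:<password>@<host>:27017/`, and add a header comment like `# Template only: copy, fill in, apply; do not commit the filled-in copy`. None of the three Secrets sets a `namespace`, so they have to be applied into the same namespace as the Deployments that reference them.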
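Review bot: In `dev/tool/run.sh` the secret values are still handed to the pod as literals through `--env="MINIO_SECRET_KEY=$MINIO_SECRET_KEY"` and the other `--env` flags, so they show up in the local `kubectl` process arguments and in the stored pod spec of `anticrm-tool`, where anyone allowed to read pods can see them. Letting the pod reference the `mongodb` and `minio` Secrets itself (for example `secretKeyRef` env entries supplied through `--overrides`) would keep the values out of both places. The lookups are also unchecked: `export VAR=$(kubectl … | base64 --decode)` hides a failed lookup, so the tool would start with an empty `MONGO_URL`; a guard such as `: "${MONGO_URL:?could not read secret mongodb}"` after each export would stop there instead. Dropping `--namespace default` makes the lookups depend on the caller's current context, which deserves a line in the README. The script starts outside this hunk.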
--- a/pods/account/kube/deployment.yml +++ b/pods/account/kube/deployment.yml @@ -20,4 +20,7 @@ spec: imagePullPolicy: Always env: - name: MONGO_URL - value: mongodb://root:WZCwnHRazX@mng-mongodb:27017/ + valueFrom: + secretKeyRef: + name: mongodb + key: url diff --git a/server/front/kube/issuer.yml b/server/front/kube/issuer.yml deleted file mode 100644 index 986587df9f..0000000000 --- a/server/front/kube/issuer.yml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: letsencrypt-staging -spec: - acme: - # The ACME server URL - server: https://acme-staging-v02.api.letsencrypt.org/directory - # Email address used for ACME registration - email: andrey@hardcoreeng.com - # Name of a secret used to store the ACME account private key - privateKeySecretRef: - name: letsencrypt-staging - # Enable the HTTP-01 challenge provider - solvers: - - http01: - ingress: - class: nginx diff --git a/server/server/kube/transactor.yml b/server/server/kube/transactor.yml index 58b5fb801a..2e8608d01f 100644 --- a/server/server/kube/transactor.yml +++ b/server/server/kube/transactor.yml @@ -21,9 +21,15 @@ spec: imagePullPolicy: Always env: - name: MONGO_URL - value: mongodb://root:WZCwnHRazX@mng-mongodb:27017/ + valueFrom: + secretKeyRef: + name: mongodb + key: url - name: ELASTIC_URL - value: http://dev-elasticsearch-coordinating-only:9200/ + valueFrom: + secretKeyRef: + name: elastic + key: url --- apiVersion: v1 kind: Service diff --git a/server/upload/kube/deployment.yml b/server/upload/kube/deployment.yml index fc06218a5f..8de285fb45 100644 --- a/server/upload/kube/deployment.yml +++ b/server/upload/kube/deployment.yml 
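Review bot: Switching `MONGO_URL` to `secretKeyRef` in `pods/account/kube/deployment.yml` does not retire the root password that the removed `value:` line carried: it stays readable in the repository history, so the change only helps once that credential is rotated and the new one lives solely in the `mongodb` Secret. The same holds for the `MONGO_URL` literal removed in `server/server/kube/transactor.yml` and for the `MINIO_ACCESS_KEY`/`MINIO_SECRET_KEY` literals removed in `server/upload/kube/deployment.yml`. A short comment above the `env:` entries, e.g. `# Secrets from deploy/secret.yaml must exist in this namespace before rollout`, would also document the new ordering dependency, since the containers cannot start while a referenced Secret is missing. The Deployment spec starts outside this hunk.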
@@ -22,10 +22,22 @@ spec: - name: TRANSACTOR_URL value: ws://transactor/ - name: ELASTIC_URL - value: http://dev-elasticsearch-coordinating-only:9200/ + valueFrom: + secretKeyRef: + name: elastic + key: url - name: MINIO_ENDPOINT - value: minio + valueFrom: + secretKeyRef: + name: minio + key: endpoint - name: MINIO_ACCESS_KEY - value: 22pYVftgFj + valueFrom: + secretKeyRef: + name: minio + key: accessKey - name: MINIO_SECRET_KEY - value: l8FkhAXSbQBUpeYJ7APYOSXyWp4qEXR4Gccjb2zo + valueFrom: + secretKeyRef: + name: minio + key: secretKey