feat: Set up kustomization (#449)

* chore: Remove existing k8s directory * feat: Set up kustomization * chore: Consistent indentation * chore: Add bib.bib.svc.cluster.local to INTERNAL_HOSTNAMES to be consistent with the current production settings * chore: Remove bib- prefix from app label * refactor: Remove /bin/sh -c from commands as redundant * chore: Remove duplicate bib- prefix * chore: Add missing labels * chore: Remove config map in favour of external secret * chore: Add secrets.yaml (placeholders) * chore: Remove bibxml- and bibxml-service- prefixes * chore: Name deployment appropriately * fix: Use correct image tag for redis container * revert: Bring back /bin/sh -c ref: f59fc9b * fix: Add security context to redis container * fix: Mount /tmp volume in celery container * chore: Specify correct var for database password * fix: Specify uid and gid in celery worker command * fix: Use 33 for user, group and fs group * fix: Remove uid and gid params from celery worker command * fix: Provide pidfile and schedule params to celery worker command * fix: Give redis container access to dump file (/data/dump.rdb) * fix: Use uid 999 and gid 999 in redis container
ietf-tools · Aug 8, 2024 · 2349d7d · 2349d7d
1 parent cd5fbf0
commit 2349d7d
Show file tree

Hide file tree

Showing 5 changed files with 162 additions and 77 deletions.
diff --git a/k8s/bib.yaml b/k8s/bib.yaml
@@ -0,0 +1,120 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bibxml
+  labels:
+    app: bibxml
+spec:
+  replicas: 1
+  revisionHistoryLimit: 2
+  selector:
+    matchLabels:
+      app: bibxml
+  template:
+    metadata:
+      labels:
+        app: bibxml
+    spec:
+      securityContext:
+        fsGroup: 33
+        runAsNonRoot: true
+      containers:
+        - name: app
+          image: "ghcr.io/ietf-tools/bibxml-service:$APP_IMAGE_TAG"
+          imagePullPolicy: Always
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          volumeMounts:
+            - name: datasets
+              mountPath: /data/datasets
+          envFrom:
+            - secretRef:
+                name: bib-secrets-env
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+            runAsUser: 33
+            runAsGroup: 33
+          command:
+            - /bin/sh
+            - -c
+            - |
+              python manage.py migrate &&
+              python manage.py check --deploy &&
+              python manage.py clear_cache &&
+              hypercorn -b '0.0.0.0:8000' -w 1 bibxml.asgi:application
+        - name: celery
+          image: "ghcr.io/ietf-tools/bibxml-service:$APP_IMAGE_TAG"
+          imagePullPolicy: Always
+          volumeMounts:
+            - name: datasets
+              mountPath: /data/datasets
+            - name: tmp
+              mountPath: /tmp
+          envFrom:
+            - secretRef:
+                name: bib-secrets-env
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+            runAsUser: 33
+            runAsGroup: 33
+          command:
+            - /bin/sh
+            - -c
+            - |
+              celery -A sources.celery:app worker -B -l info -c 1 --pidfile=/tmp/celery_pid --schedule /tmp/celery-schedule.db
+        - name: redis
+          image: "redis:5.0.4"
+          command:
+            - redis-server
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - name: redis-data
+              mountPath: /data
+          ports:
+            - name: redis
+              containerPort: 6379
+              protocol: TCP
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+            runAsUser: 999
+            runAsGroup: 999
+      volumes:
+        - name: datasets
+          emptyDir:
+            sizeLimit: 5Gi
+        - name: redis-data
+          emptyDir:
+            sizeLimit: 1Gi
+        - name: tmp
+          emptyDir:
+            sizeLimit: 1Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: service
+  labels:
+    app: service
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 8000
+      protocol: TCP
+      name: http
+  selector:
+    app: bibxml
diff --git a/k8s/kustomization.yaml b/k8s/kustomization.yaml
@@ -0,0 +1,4 @@
+namespace: bib
+namePrefix: bib-
+resources:
+  - bib.yaml
diff --git a/k8s/secrets.yaml b/k8s/secrets.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: secrets-env
+type: Opaque
+stringData:
+  AUTO_REINDEX_INTERVAL: "5400"
+  CELERY_BROKER_URL: "redis://localhost:6379"
+  CELERY_RESULT_BACKEND: "redis://localhost:6379"
+  CONTACT_EMAIL: "[email protected]"
+  DATASET_TMP_ROOT: "/data/datasets"
+  DEBUG: "0"
+  INTERNAL_HOSTNAMES: "localhost,bib.bib.svc.cluster.local,127.0.0.1"
+
+  # DATATRACKER_CLIENT_ID: null
+
+  # MATOMO_SITE_ID: null
+  # MATOMO_TAG_MANAGER_CONTAINER: null
+  # MATOMO_URL: "analytics.ietf.org"
+
+  PORT: "8000"
+  PRIMARY_HOSTNAME: "bib.ietf.org"
+  PYTHONUNBUFFERED: "1"
+  REDIS_HOST: "localhost"
+  REDIS_PORT: "6379"
+  SERVER_EMAIL: "[email protected]"
+  SERVICE_NAME: "IETF BibXML Service"
+  SOURCE_REPO_URL: "https://github.com/ietf-tools/bibxml-service"
+
+  # Secrets from Vault:
+  # DB_HOST: ""
+  # DB_NAME: ""
+  # DB_PORT: ""
+  # DB_SECRET: ""
+  # DB_USER: ""
+  # DJANGO_SECRET: ""
+  # EXTRA_API_SECRETS: ""
+  # SENTRY_DSN: ""
diff --git a/k8s/ws/ws-deployment.yaml b/k8s/ws/ws-deployment.yaml
diff --git a/k8s/ws/ws-service.yaml b/k8s/ws/ws-service.yaml