Merge pull request #255 from JensDll/staging

github-actions: merge staging into main

.gitignore

@@ -453,6 +453,45 @@ $RECYCLE.BIN/
 !.vscode/launch.json
 !.vscode/extensions.json
 
+##
+## Terraform
+##
+
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version
+# control as they are data points which are potentially sensitive and subject
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+*tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
 ##
 ## Others
 ##

deploy/kube/infrastructure/cert_manager/values.yaml

@@ -0,0 +1 @@
+installCRDs: true

deploy/infrastructure/traefik/values.yaml → deploy/kube/infrastructure/traefik/values.yaml

@@ -1,3 +1,4 @@
+installCRDs: true
 metrics:
   prometheus: null
 globalArguments: ""

deploy/services/web/certfificate.yaml → deploy/kube/services/app/certificate.yaml

@@ -1,10 +1,10 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: web-cert
+  name: app-cert
   namespace: services
 spec:
-  secretName: web-cert
+  secretName: app-cert
   dnsNames:
     - steganography.app
     - www.steganography.app

deploy/kube/services/app/config.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: app-config
+data:
+  appsettings.json: |
+    {
+      "Kestrel": {
+        "Endpoints": {
+          "Https": {
+            "Url": "https://0.0.0.0:8443",
+            "Path": "/usr/local/certs/tls.crt",
+            "KeyPath": "/usr/local/certs/tls.key"
+          }
+        },
+        "Limits": {
+          "MaxRequestBodySize": 31457280
+        }
+      },
+      "HttpHeaders": {
+        "ContentSecurityPolicy": "default-src 'self';upgrade-insecure-requests;script-src 'self' 'sha256-8atrH6Pge+As3TgWrRwcD2pUDCYuTIBfIIqQGFDl3eA=';form-action 'none';img-src 'self' data: blob:; connect-src 'self' sentry.io;report-uri https://o4504621394165760.ingest.sentry.io/api/4504621566001152/security/?sentry_key=ab4ccfc57221482aafb411c6b9b4744a"
+      }
+    }

deploy/services/api/deployment.yaml → deploy/kube/services/app/deployment.yaml

@@ -1,26 +1,42 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: api-deployment
+  name: app-deployment
 spec:
   replicas: 2
   selector:
     matchLabels:
-      app: api
+      app: app
   revisionHistoryLimit: 4
   strategy:
     type: Recreate
   template:
     metadata:
       labels:
-        app: api
+        app: app
     spec:
       automountServiceAccountToken: false
       imagePullSecrets:
         - name: docker-pull
+      volumes:
+        - name: appsettings
+          configMap:
+            name: app-config
+            items:
+              - key: appsettings.json
+                path: appsettings.json
+        - name: cert
+          secret:
+            secretName: app-cert
+            items:
+              - key: tls.crt
+                path: tls.crt
+              - key: tls.key
+                path: tls.key
+                mode: 0004
       containers:
-        - name: api
-          image: jensdll/steganography:api.latest
+        - name: app
+          image: jensdll/steganography:app.latest
           imagePullPolicy: Always
           securityContext:
             capabilities:
@@ -33,34 +49,18 @@ spec:
             allowPrivilegeEscalation: false
           volumeMounts:
             - name: appsettings
-              mountPath: /app/Properties/
+              mountPath: /app/properties/
               readOnly: true
             - name: cert
               mountPath: /usr/local/certs/
               readOnly: true
           resources:
             requests:
-              cpu: '450m'
-              memory: '768Mi'
+              cpu: "256m"
+              memory: "768Mi"
             limits:
-              cpu: '700m'
-              memory: '1024Mi'
+              cpu: "512m"
+              memory: "1024Mi"
           ports:
             - containerPort: 8433
               protocol: TCP
-      volumes:
-        - name: appsettings
-          configMap:
-            name: api-config
-            items:
-              - key: appsettings.json
-                path: appsettings.json
-        - name: cert
-          secret:
-            secretName: api-cert
-            items:
-              - key: tls.crt
-                path: tls.crt
-              - key: tls.key
-                path: tls.key
-                mode: 0004

deploy/services/web/route.yaml → deploy/kube/services/app/route.yaml

@@ -1,14 +1,14 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRouteTCP
 metadata:
-  name: web-route-tcp
+  name: app-route-tcp
 spec:
   entryPoints:
     - websecure
   routes:
     - match: HostSNI(`steganography.app`) || HostSNI(`www.steganography.app`)
       services:
-        - name: web-service
+        - name: app-service
           port: websecure
   tls:
     passthrough: true

deploy/services/web/service.yaml → deploy/kube/services/app/service.yaml

@@ -1,11 +1,11 @@
 apiVersion: v1
 kind: Service
 metadata:
-  name: web-service
+  name: app-service
 spec:
   type: ClusterIP
   selector:
-    app: web
+    app: app
   ports:
     - name: websecure
       port: 8443

deploy/kube/services/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: services
+
+resources:
+  - app/config.yaml
+  - app/deployment.yaml
+  - app/service.yaml
+  - app/route.yaml