Add kubernetes configuration for Sam.

Based on https://github.com/DataBiosphere/kernel-service-poc/tree/master/config and https://github.com/broadinstitute/firecloud-develop/blob/dev/run-context/live/configs/sam/docker-compose.yaml.ctmpl.

k8s-config/README.md

@@ -0,0 +1,4 @@
+# Overview
+Sam k8s configuration to be customized for different deployments.
+
+See https://dsp-security.broadinstitute.org/devops/framework-kernel-new-stack/terra-framework-deployment#Java-Service

k8s-config/deployment.yaml

@@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sam-deployment
+  labels:
+    version: v1
+spec:
+  replicas: 1
+  template:
+    metadata:
+      name: sam
+      labels:
+        version: v1
+    spec:
+      serviceAccountName: sam-sa
+      containers:
+        - name: sam-service
+          image: gcr.io/broad-dsp-gcr-public/sam:0.0.0
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8080
+          # TODO do we want a livenessProbe or a readinessProbe?
+          env:
+            - name: JAVA_OPTS
+              value: >-
+                server -Xms8g -Xmx8g -XX:NewSize=1g -XX:MaxNewSize=1g -XX:SurvivorRatio=8 -XX:+UseParNewGC
+                -XX:+UseConcMarkSweepGC -XX:+CMSParallelRemarkEnabled -XX:+UseCMSInitiatingOccupancyOnly
+                -XX:CMSInitiatingOccupancyFraction=60 -XX:+ScavengeBeforeFullGC -XX:+CMSScavengeBeforeRemark
+                -Xloggc:/var/log/gc/sam-gc.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=2 -XX:GCLogFileSize=100M
+                -XX:+PrintGCDateStamps -verbose:gc -XX:+PrintGCDetails -XX:+PrintClassHistogramBeforeFullGC
+                -XX:+PrintClassHistogramAfterFullGC -Dconfig.file=/etc/sam.conf
+                -Dcom.sun.jndi.ldap.connect.pool.protocol=ssl -Dcom.sun.jndi.ldap.connect.pool.maxsize=100
+                -javaagent:/etc/newrelic.jar
+          volumeMounts:
+            - name: sam-configs
+              mountPath: /etc
+              readOnly: true
+        - name: sam-sqlproxy
+          image: broadinstitute/cloudsqlproxy:1.11_20180808
+          envFrom:
+            secretRef:
+              sqlproxy-env
+          env:
+            - name: CLOUDSQL_CREDENTIAL_FILE
+              value: /etc/sa/sqlproxy-service-account.json
+          volumeMounts:
+            - name: sqlproxy-sa-creds
+              mountPath: /etc/sa
+              readOnly: true
+          securityContext:
+            runAsUser: 2  # non-root user
+            allowPrivilegeEscalation: false
+      volumes:
+        - name: sam-configs
+          secret:
+            secretName: sam-configs
+        - name: sqlproxy-env
+          secret:
+            secretName: sqlproxy-env
+        - name: sqlproxy-sa-creds
+          secret:
+            secretName: sqlproxy-sa-creds

k8s-config/istio.yaml

@@ -0,0 +1,21 @@
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: sam-vservice
+# Basic Istio virtual service to illustrate kustomize base+overlay
+# The below spec will be overwritten by the environment overlay to
+#   namespace traffic to the right environment based on a prefix.
+spec:
+  hosts:
+    - "*"
+  gateways:
+    - template-gateway.default.svc.cluster.local
+  http:
+    - match:
+        - uri:
+            prefix: /sam
+      route:
+        - destination:
+            port:
+              number: 8080
+            host: sam.default.svc.cluster.local

k8s-config/kustomization.yaml

@@ -0,0 +1,27 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+  app: sam
+resources:
+  - service-account.yaml
+  - psp.yaml
+  - role.yaml
+  - rolebinding.yaml
+  - istio-service.yaml
+  - deployment.yaml
+  - service.yaml
+secretGenerator:
+  - name: sam-configs
+    files:
+      - sam.conf
+      - newrelic.yml
+      - newrelic.jar
+      - sam-account.pem
+      - sam-account.json
+      - sam-firestore-account.json
+      - billing-account.pem
+  - name: sqlproxy-sa-creds
+    files:
+      - sqlproxy-service-account.json
+  - name: sqlproxy-env
+    env: sqlproxy.env

k8s-config/psp.yaml

@@ -0,0 +1,18 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: sam-psp
+  annotations:
+    seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+spec:
+  privileged: false
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  fsGroup:
+    rule: RunAsAny
+  volumes:
+    - '*'

k8s-config/role.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: sam-role
+rules:
+  - apiGroups: ['policy']
+    resources: ['podsecuritypolicies']
+    verbs:     ['use']
+    resourceNames:
+      - sam-psp
+  - apiGroups: ['']
+    resources: ['secrets']
+    verbs: ['get', 'create']

k8s-config/rolebinding.yaml

@@ -0,0 +1,11 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: sam-role-binding
+roleRef:
+  kind: Role
+  name: sam-role
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: sam-sa

k8s-config/service-account.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: sam-sa

k8s-config/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: sam
+spec:
+  ports:
+    - name: http
+      port: 8080
+  selector:
+    app: sam-service