From d0c2914d9e31b5fef170dc6f627a9e6797f54d5b Mon Sep 17 00:00:00 2001 From: Bill Monkman Date: Mon, 27 Apr 2020 15:15:04 -0700 Subject: [PATCH 1/3] A bunch of small fixes to get the pipeline running --- .circleci/README.md | 6 +++++- .circleci/config.yml | 13 ++++++++----- kubernetes/base/deployment.yml | 15 ++++++++++----- kubernetes/base/service.yml | 2 +- kubernetes/overlays/production/kustomization.yml | 4 +--- kubernetes/overlays/staging/deployment.yml | 2 +- kubernetes/overlays/staging/kustomization.yml | 4 +--- kubernetes/secrets/README.md | 2 +- 8 files changed, 28 insertions(+), 20 deletions(-) diff --git a/.circleci/README.md b/.circleci/README.md index 97d4f3c..2e916b6 100644 --- a/.circleci/README.md +++ b/.circleci/README.md @@ -13,11 +13,15 @@ $ aws eks list-clusters --query "clusters" - AWS_ACCESS_KEY_ID # AWS access key for the circleci user - this should be in AWS secret manager - AWS_SECRET_ACCESS_KEY # AWS secret for the circleci user - this should be in AWS secret manager -- AWS_DEFAULT_REGION # Region of your cluster +- AWS_REGION # Region of your EKS cluster - AWS_ECR_ACCOUNT_URL # {awsAccountNum}.dkr.ecr.{region}.amazonaws.com - AWS_ECR_REPO_NAME # The ECR repository name to write images to - PRODUCTION_EKS_CLUSTER_NAME # The name of the production EKS cluster to deploy into - STAGING_EKS_CLUSTER_NAME # The name of the staging EKS cluster to deploy into +- AWS_CLUSTER_AUTH_ROLE_ARN_STAGING # The ARN of the role to assume that allows access to the EK cluster. Most likely ends with `kubernetes-admin-staging` +- AWS_CLUSTER_AUTH_ROLE_ARN_PRODUCTION # The ARN of the role to assume that allows access to the EKS cluster. Same as above but for production +- SLACK_WEBHOOK # Webhook for slack notifications. Must be specified, but doesn't need to be set to a real value +- CIRCLECI_API_KEY # Needed for the queueing orb. You can generate this in the project settings in CircleCI. It needs the `status` scope. ## Deployment Process 
diff --git a/.circleci/config.yml b/.circleci/config.yml index 69346c5..0f2658a 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -193,17 +193,20 @@ jobs: - version-tag/get - run: *install-binaries - aws-cli/install - - aws-cli/setup + - aws-cli/setup: + aws-region: AWS_REGION - aws-eks/update-kubeconfig-with-authenticator: cluster-name: << parameters.cluster-name >> cluster-authentication-role-arn: << parameters.cluster-authentication-role-arn >> aws-region: << parameters.region >> install-kubectl: true + aws-profile: assumed-role - queue/until_front_of_line: time: '30' - run: name: Deploy command: | + kubectl create namespace << parameters.namespace >> || echo "Namespace already exists" cd kubernetes/overlays/<< parameters.config-environment >> IMAGE=${AWS_ECR_ACCOUNT_URL}/<< parameters.repo >> kustomize edit set image fake-image=${IMAGE}:${VERSION_TAG} @@ -233,8 +236,8 @@ workflows: cluster-name: "${STAGING_EKS_CLUSTER_NAME}" config-environment: "staging" cluster-authentication-role-arn: "${AWS_CLUSTER_AUTH_ROLE_ARN_STAGING}" - region: "${AWS_DEFAULT_REGION}" - namespace: "${CIRCLE_BRANCH}" + region: "${AWS_REGION}" + namespace: "${AWS_ECR_REPO_NAME}" tag: "${VERSION_TAG}" requires: - build_and_push @@ -255,8 +258,8 @@ workflows: cluster-name: "${PRODUCTION_EKS_CLUSTER_NAME}" config-environment: "production" cluster-authentication-role-arn: "${AWS_CLUSTER_AUTH_ROLE_ARN_PRODUCTION}" - region: "${AWS_DEFAULT_REGION}" - namespace: "${CIRCLE_BRANCH}" + region: "${AWS_REGION}" + namespace: "${AWS_ECR_REPO_NAME}" tag: "${VERSION_TAG}" requires: - queue/block_workflow diff --git a/kubernetes/base/deployment.yml b/kubernetes/base/deployment.yml index 05d8224..462170a 100644 --- a/kubernetes/base/deployment.yml +++ b/kubernetes/base/deployment.yml 
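Review bot: The added `kubectl create namespace << parameters.namespace >> || echo "Namespace already exists"` line in the Deploy step treats every failure as "already exists", so an expired credential, a denied role assumption or an unreachable API server is logged as a benign message and the job carries on. An idempotent form that still fails on real errors is `kubectl create namespace "<< parameters.namespace >>" --dry-run=client -o yaml | kubectl apply -f -` (plain `--dry-run` on older kubectl). The parameter should be quoted because the two workflow hunks in this file now pass `${AWS_ECR_REPO_NAME}`, which the shell expands unquoted here and which may not be a valid namespace name (ECR repository names can contain `/` and `_`). Creating namespaces from the pipeline also means the role passed in `cluster-authentication-role-arn` needs cluster-scoped create rights; pre-creating the namespace would presumably let the CI role be bound to that namespace only. The job definition starts and ends outside the hunk.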
@@ -28,19 +28,24 @@ spec: periodSeconds: 5 readinessProbe: httpGet: - port: http + name: http + port: 80 path: /status/ready initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 2 + ports: + - containerPort: 80 envFrom: - configMapRef: name: <% .Name %>-config env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name + - name: SERVER_PORT + value: "80" + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name - name: DATABASE_USERNAME valueFrom: secretKeyRef: diff --git a/kubernetes/base/service.yml b/kubernetes/base/service.yml index 67742a8..8a2533f 100644 --- a/kubernetes/base/service.yml +++ b/kubernetes/base/service.yml @@ -7,6 +7,6 @@ spec: - name: http protocol: TCP port: 80 - targetPort: 80 + targetPort: http selector: app: <% .Name %> diff --git a/kubernetes/overlays/production/kustomization.yml b/kubernetes/overlays/production/kustomization.yml index 71f5f64..249d4e0 100644 --- a/kubernetes/overlays/production/kustomization.yml +++ b/kubernetes/overlays/production/kustomization.yml @@ -1,13 +1,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -bases: -- ../../base - patchesStrategicMerge: - deployment.yml resources: +- ../../base - ingress.yaml - pdb.yaml diff --git a/kubernetes/overlays/staging/deployment.yml b/kubernetes/overlays/staging/deployment.yml index 7df50fd..569c23a 100644 --- a/kubernetes/overlays/staging/deployment.yml +++ b/kubernetes/overlays/staging/deployment.yml @@ -10,7 +10,7 @@ spec: resources: requests: memory: 128Mi - cpu: 0.5 + cpu: 0.1 limits: memory: 512Mi cpu: 1.0 diff --git a/kubernetes/overlays/staging/kustomization.yml b/kubernetes/overlays/staging/kustomization.yml index bcc5ea0..613cbe0 100644 --- a/kubernetes/overlays/staging/kustomization.yml +++ b/kubernetes/overlays/staging/kustomization.yml 
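Review bot: The new `containerPort: 80` together with `SERVER_PORT` set to `"80"` makes the application bind a privileged port inside the container, which typically requires running as root or holding the `NET_BIND_SERVICE` capability. service.yml in this same patch now routes Service port 80 to the named target port `http`, so the container could listen on an unprivileged port instead, e.g. `value: "8080"` and `containerPort: 8080`, without changing what clients connect to. That would make it possible to add `securityContext: { runAsNonRoot: true, allowPrivilegeEscalation: false }` to the container. No securityContext is visible in this hunk, but the container spec begins and continues outside it, so this should be checked against the full file.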
@@ -1,13 +1,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -bases: -- ../../base - patchesStrategicMerge: - deployment.yml resources: +- ../../base - ingress.yml configMapGenerator: diff --git a/kubernetes/secrets/README.md b/kubernetes/secrets/README.md index efd8c4d..405ce62 100644 --- a/kubernetes/secrets/README.md +++ b/kubernetes/secrets/README.md @@ -17,7 +17,7 @@ Application secrets are stored in the kubernetes secrets management system, wher ## Adding a new secret to staging / production kuberenetes (Similar to the dev process) -1. Download the `secrets.env` and `settings.ini` for the correct environment from lastpass +1. Download the `secrets.env` for the correct environment from where it is stored 2. Make sure your `kubectl` context is set to the proper environment 3. Run `kubectl apply -k .` (Change the namespace if necessary using `-n `) From 388d1e554ae7f3bef30889d3708d7e06e2518e4b Mon Sep 17 00:00:00 2001 From: Bill Monkman Date: Mon, 27 Apr 2020 17:27:59 -0700 Subject: [PATCH 2/3] Oops, removed line that was added accidentally --- .circleci/config.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.circleci/config.yml b/.circleci/config.yml index 0f2658a..80f4552 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -200,7 +200,6 @@ jobs: cluster-authentication-role-arn: << parameters.cluster-authentication-role-arn >> aws-region: << parameters.region >> install-kubectl: true - aws-profile: assumed-role - queue/until_front_of_line: time: '30' - run: From 9ae688606ec31f27fac747efbbeab2ed2c9420e0 Mon Sep 17 00:00:00 2001 From: Bill Monkman Date: Tue, 28 Apr 2020 11:23:22 -0700 Subject: [PATCH 3/3] Fixed name in the wrong place --- kubernetes/base/deployment.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/base/deployment.yml b/kubernetes/base/deployment.yml index 462170a..e567226 100644 --- a/kubernetes/base/deployment.yml +++ b/kubernetes/base/deployment.yml 
@@ -28,14 +28,14 @@ spec: periodSeconds: 5 readinessProbe: httpGet: - name: http - port: 80 + port: http path: /status/ready initialDelaySeconds: 5 periodSeconds: 10 timeoutSeconds: 2 ports: - containerPort: 80 + name: http envFrom: - configMapRef: name: <% .Name %>-config