infra: added k8s configs

new-eden-social · Jul 15, 2018 · 7aa480b · 7aa480b
1 parent 0cf1225
commit 7aa480b
Show file tree

Hide file tree

Showing 12 changed files with 400 additions and 0 deletions.
diff --git a/infra/k8s/admin-permissions.yml b/infra/k8s/admin-permissions.yml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: evebook-cluster-admin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+subjects:
+- apiGroup: rbac.authorization.k8s.io
+  kind: User
+  name: tine.jozelj@tjo.space
diff --git a/infra/k8s/api-certificate.yml b/infra/k8s/api-certificate.yml
@@ -0,0 +1,14 @@
+---
+apiVersion: voyager.appscode.com/v1beta1
+kind: Certificate
+metadata:
+  name: api-evebook-online
+  namespace: default
+spec:
+  domains:
+  - api.evebook.online
+  acmeUserSecretName: acme-account
+  challengeProvider:
+    dns:
+      provider: gce
+      credentialSecretName: voyager-gce
diff --git a/infra/k8s/api-deployment.yaml b/infra/k8s/api-deployment.yaml
@@ -0,0 +1,168 @@
+---
+apiVersion: "v1"
+kind: "Secret"
+metadata:
+  name: "evebook-api-secrets"
+  namespace: "default"
+  labels:
+    app: "evebook-api"
+data:
+  ESI_CLIENT: "base64"
+  ESI_SECRET: "base64"
+
+---
+apiVersion: "v1"
+kind: "ConfigMap"
+metadata:
+  name: "evebook-api-config"
+  namespace: "default"
+  labels:
+    app: "evebook-api"
+data:
+  DB_HOST: "127.0.0.1"
+  DB_PORT: "5432"
+  DB_NAME: "postgres" 
+  DB_LOG: "debug"
+  DB_SYNC: "true"
+  LOG_LEVEL: "debug"
+  PORT: "8080"
+  APP_AUTHENTICATION: "http://evebook.online/authentication/callback"
+  ESI_REDIRECT: "https://api.evebook.online/authentication/sso/callback"
+  ESI_SCOPE: "publicData"
+  ESI_ENDPOINT: "https://esi.evebook.online"
+
+---
+apiVersion: "extensions/v1beta1"
+kind: "Deployment"
+metadata:
+  name: "evebook-api"
+  namespace: "default"
+  labels:
+    app: "evebook-api"
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app: "evebook-api"
+  template:
+    metadata:
+      labels:
+        app: "evebook-api"
+    spec:
+      containers:
+      - name: "api"
+        image: "evebook/api:0cf12255adcb6f26f77286cefde23666fb02f0a2"
+        env:
+        - name: "DB_USERNAME"
+          valueFrom:
+            secretKeyRef:
+              key: username
+              name: cloudsql-db-credentials
+        - name: "DB_PASSWORD"
+          valueFrom:
+            secretKeyRef:
+              key: password
+              name: cloudsql-db-credentials
+        - name: "DB_HOST"
+          valueFrom:
+            configMapKeyRef:
+              key: "DB_HOST"
+              name: "evebook-api-config"
+        - name: "DB_PORT"
+          valueFrom:
+            configMapKeyRef:
+              key: "DB_PORT"
+              name: "evebook-api-config"
+        - name: "DB_NAME"
+          valueFrom:
+            configMapKeyRef:
+              key: "DB_NAME"
+              name: "evebook-api-config"
+        - name: "DB_LOG"
+          valueFrom:
+            configMapKeyRef:
+              key: "DB_LOG"
+              name: "evebook-api-config"
+        - name: "DB_SYNC"
+          valueFrom:
+            configMapKeyRef:
+              key: "DB_SYNC"
+              name: "evebook-api-config"
+        - name: "LOG_LEVEL"
+          valueFrom:
+            configMapKeyRef:
+              key: "LOG_LEVEL"
+              name: "evebook-api-config"
+        - name: "PORT"
+          valueFrom:
+            configMapKeyRef:
+              key: "PORT"
+              name: "evebook-api-config"
+        - name: "APP_AUTHENTICATION"
+          valueFrom:
+            configMapKeyRef:
+              key: "APP_AUTHENTICATION"
+              name: "evebook-api-config"
+        - name: "ESI_CLIENT"
+          valueFrom:
+            secretKeyRef:
+              key: "ESI_CLIENT"
+              name: "evebook-api-secrets"
+        - name: "ESI_SECRET"
+          valueFrom:
+            secretKeyRef:
+              key: "ESI_SECRET"
+              name: "evebook-api-secrets"
+        - name: "ESI_REDIRECT"
+          valueFrom:
+            configMapKeyRef:
+              key: "ESI_REDIRECT"
+              name: "evebook-api-config"
+        - name: "ESI_SCOPE"
+          valueFrom:
+            configMapKeyRef:
+              key: "ESI_SCOPE"
+              name: "evebook-api-config"
+        - name: "ESI_ENDPOINT"
+          valueFrom:
+            configMapKeyRef:
+              key: "ESI_ENDPOINT"
+              name: "evebook-api-config"
+        livenessProbe:
+          httpGet:
+            path: /status
+            port: 8080
+          initialDelaySeconds: 15
+          timeoutSeconds: 1
+
+      - name: cloudsql-proxy
+        image: gcr.io/cloudsql-docker/gce-proxy:1.11
+        command: ["/cloud_sql_proxy",
+                  "-instances=eve-book:europe-west1:eve-book-main-db=tcp:5432",
+                  "-credential_file=/secrets/cloudsql/credentials.json"]
+        volumeMounts:
+          - name: cloudsql-instance-credentials
+            mountPath: /secrets/cloudsql
+            readOnly: true
+
+      volumes:
+        - name: cloudsql-instance-credentials
+          secret:
+            secretName: cloudsql-instance-credentials
+
+---
+apiVersion: "autoscaling/v1"
+kind: "HorizontalPodAutoscaler"
+metadata:
+  name: "evebook-api-hpa"
+  namespace: "default"
+  labels:
+    app: "evebook-api"
+spec:
+  scaleTargetRef:
+    kind: "Deployment"
+    name: "evebook-api"
+    apiVersion: "apps/v1beta1"
+  minReplicas: 2
+  maxReplicas: 5
+  targetCPUUtilizationPercentage: 80
diff --git a/infra/k8s/api-ingress.yml b/infra/k8s/api-ingress.yml
@@ -0,0 +1,24 @@
+---
+apiVersion: voyager.appscode.com/v1beta1
+kind: Ingress
+metadata:
+  name: evebook-api-ingress
+  namespace: default
+  annotations:
+    ingress.appscode.com/type: LoadBalancer
+    ingress.appscode.com/limit-rpm: 420
+spec:
+  tls:
+  - hosts:
+    - api.evebook.online
+    ref:
+      kind: Secret
+      name: tls-api-evebook-online
+  rules:
+  - host: api.evebook.online
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: evebook-api
+          servicePort: 80
diff --git a/infra/k8s/api-service.yml b/infra/k8s/api-service.yml
@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: evebook-api
+  annotations:
+    ingress.appscode.com/affinity: 'cookie'
+spec:
+  ports:
+  - targetPort: 8080
+    port: 80
+    protocol: TCP
+  selector:
+    app: evebook-api
diff --git a/infra/k8s/esi-certificate.yml b/infra/k8s/esi-certificate.yml
@@ -0,0 +1,14 @@
+---
+apiVersion: voyager.appscode.com/v1beta1
+kind: Certificate
+metadata:
+  name: esi-evebook-online
+  namespace: default
+spec:
+  domains:
+  - esi.evebook.online
+  acmeUserSecretName: acme-account
+  challengeProvider:
+    dns:
+      provider: gce
+      credentialSecretName: voyager-gce
diff --git a/infra/k8s/esi-deployment.yaml b/infra/k8s/esi-deployment.yaml
@@ -0,0 +1,65 @@
+---
+apiVersion: "extensions/v1beta1"
+kind: "Deployment"
+metadata:
+  name: "evebook-esi-cache"
+  namespace: "default"
+  labels:
+    app: "evebook-esi-cache"
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: "evebook-esi-cache"
+  template:
+    metadata:
+      labels:
+        app: "evebook-esi-cache"
+    spec:
+      containers:
+      - name: "esi-varnish"
+        image: "million12/varnish"
+        env:
+        - name: "VCL_CONFIG"
+          value: "/varnish-esi.vcl"
+        volumeMounts:
+          - name: esi-varnish-configuration
+            mountPath: /varnish-esi.vcl
+            subPath: varnish-esi.vcl
+            readOnly: true
+
+      - name: "esi-nginx"
+        image: "nginx:alpine"
+        ports:
+          - containerPort: 8080
+        volumeMounts:
+          - name: esi-nginx-configuration
+            mountPath: /etc/nginx/nginx.conf
+            subPath: nginx.conf
+            readOnly: true
+
+      volumes:
+        - name: esi-varnish-configuration
+          secret:
+            secretName: esi-varnish-configuration
+
+        - name: esi-nginx-configuration
+          secret:
+            secretName: esi-nginx-configuration
+
+---
+apiVersion: "autoscaling/v1"
+kind: "HorizontalPodAutoscaler"
+metadata:
+  name: "evebook-esi-cache-hpa"
+  namespace: "default"
+  labels:
+    app: "evebook-esi-cache"
+spec:
+  scaleTargetRef:
+    kind: "Deployment"
+    name: "evebook-esi-cache"
+    apiVersion: "apps/v1beta1"
+  minReplicas: 2
+  maxReplicas: 5
+  targetCPUUtilizationPercentage: 80
diff --git a/infra/k8s/esi-ingress.yml b/infra/k8s/esi-ingress.yml
@@ -0,0 +1,25 @@
+---
+apiVersion: voyager.appscode.com/v1beta1
+kind: Ingress
+metadata:
+  name: evebook-esi-cache-ingress
+  namespace: default
+  annotations:
+    ingress.appscode.com/type: LoadBalancer
+    ingress.appscode.com/limit-rpm: 420
+spec:
+  tls:
+  - hosts:
+    - esi.evebook.online
+    ref:
+      kind: Secret
+      name: tls-esi-evebook-online
+
+  rules:
+  - host: esi.evebook.online
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: evebook-esi-cache
+          servicePort: 80
diff --git a/infra/k8s/esi-service.yml b/infra/k8s/esi-service.yml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: evebook-esi-cache
+spec:
+  ports:
+  - targetPort: 80
+    port: 80
+    protocol: TCP
+  selector:
+    app: evebook-esi-cache
diff --git a/infra/k8s/steps.sh b/infra/k8s/steps.sh
@@ -0,0 +1,18 @@
+# Database credentials
+kubectl create secret generic cloudsql-instance-credentials --from-file=credentials.json=/path/to/credentials.json
+kubectl create secret generic cloudsql-db-credentials --from-literal=username=proxyuser --from-literal=password=banana-apple-pie
+
+
+
+# Settup Voyager
+curl -fsSL https://raw.githubusercontent.com/appscode/voyager/7.4.0/hack/deploy/voyager.sh \
+    | bash -s -- --provider=gke --enable-analytics=false
+
+## Voyager letsencrypt
+kubectl create secret generic voyager-gce --namespace default --from-literal=GCE_PROJECT=eve-book --from-file=GOOGLE_SERVICE_ACCOUNT_JSON_KEY=/path/to/credentials.json
+kubectl create secret generic acme-account --from-literal=ACME_EMAIL=tine.jozelj@tjo.space
+
+
+# Create api-secrets
+echo -n 'clientid/clientsecret' | base64
+# and store them to api-deployment.yaml