From 11b8708bbf2a9bae806b73bcb0397cdf744660c9 Mon Sep 17 00:00:00 2001 From: Roger Dansou Date: Thu, 9 Sep 2021 12:32:05 -0400 Subject: [PATCH] fix: use shippy to get Vault secrets --- openshift/README.md | 127 ++++++++++++------------------------------- openshift/install.sh | 10 ++-- 2 files changed, 40 insertions(+), 97 deletions(-) diff --git a/openshift/README.md b/openshift/README.md index eb45ac568..06a24a05c 100644 --- a/openshift/README.md +++ b/openshift/README.md 
@@ -1,117 +1,58 @@ # OpenShift -We use OpenShift to orchestrate the deployment of our Docker containers. It uses shared swarm of "minion" hosts as generic infrastructure for our autoscaling applications. This makes it quick to deploy and scale these containers ephemerally. Every time a new application is deployed, its running as if it is an entirely new application "server", built from scratch. +*NOTE*: These manual installation instructions are not necessary if you are using Shippy to install your pipeline. -The script and configuration for the initial deployment to OpenShift is [install.sh](https://github.com/telus/telus-isomorphic-starter-kit/blob/master/openshift/install.sh). It sets up the jenkins server, templates, builds and secrets necessary for exposing our application to consumers. - -After installation, we can use our newly created Jenkins pipeline to build and deploy the docker image to staging and production environments. We can also use our templates to create ephemeral/disposable testing environments, pinned to a specific version or custom builds of a docker container. - -#### Get access - -To use OpenShift, you will need a TELUS Google account. If you have one, [edit this file](https://github.com/telus/openshift-cluster-provisioning/blob/master/dp/data.yaml#L58), add yourself to your respective outcome team, and submit a pull request (for faster results, notify us in #g-delivery on slack). - -## Quickstart - -### Dependencies - -This application requires `openshift-cli` & `vault`. Either install them with `brew` on Mac or `apt-get` on Linux. Also install [ship.py](https://github.com/telus/ship.py). - -### Login - -#### Vault - -In order to kick off the initial installation of a project, or to add or edit any application secrets, you'll need to log in with HashiCorp Vault. - -Use our [ship.py](https://github.com/telus/ship.py) utility command line tool to log into vault. 
- -It will ask for your github credentials, create an access token, and use it to authenticate you. You should now be able to read secrets: - -> `vault read --format json secret/common/starter-kit` - -#### Openshift - -For the main cluster (for production apps), log in with: - -> `oc login --server=https://api.telusdigital.openshift.com` - -For the sandbox cluster (for development apps), log in with: - -> `oc login --server=https://api.telusdigitalsandbox.openshift.com` - -Visit the URL it tells you to, copy the first `oc login` line, with the token in it, and paste it into your terminal. - -### Select project +## Configuration -If you are on the sandbox environment, you can create a new personal project space: +The OpenShift configuration is in [openshift-template.yml][openshift-template]. It has two templates: one for build, one for deployment. This file defines all of the necessary resources to support the delivery pipeline, staging and production infrastructure. -> `oc new-project my-project` +## Setup -To select an existing project (on either main or sandbox): +### Login on OpenShift and select project -> `oc project my-project` +```bash +oc login --server=https://api.telusdigital.openshift.com # MAIN +oc login --server=https://api.telusdigitalsandbox.openshift.com # SANDBOX +oc project +``` -Each outcome team also gets an `o-outcome-team` namespace. Only users who are administrators of their outcome teams can make modifications to these spaces. Otherwise, users will only get view access. +Projects, users, squads and access control is manged by [shippy][shippy]. ### Install Jenkins -First your project will need Jenkins. We can clone the [default Jenkins starter kit](https://github.com/telus/openshift-jenkins-starter-kit): - -> `git clone git@github.com:telusdigital/openshift-jenkins-starter-kit.git` - -To install Jenkins in your cluster, run - -> `openshift-jenkins-starter-kit/openshift/install.sh` +Any new project will need a Jenkins server. 
We can clone and deploy the [Jenkins starter kit][jenkins-starter-kit]: +```bash +git clone git@github.com:telus/openshift-jenkins-starter-kit.git +openshift-jenkins-starter-kit/openshift/install.sh +``` ### Install pipeline -Now you are ready to check out the project, e.g.: - -> `git clone git@github.com:telusdigital/telus-isomorphic-starter-kit.git` - -To create your Jenkins build pipeline in your project run: - -> `telus-isomorphic-starter-kit/openshift/install.sh` - -Now Jenkins will build your Docker image, and deploy it to OpenShift. When the pipeline is done, you’ll have a staging environment populated. You can visit the OpenShift console ([Sandbox](https://console.telusdigitalsandbox.openshift.com/console/), [Main](https://console.telusdigital.openshift.com/console/)), and, after clicking on your project, you should see your staging environment. Look under `Builds > Pipelines` to see the status of your pipeline. You'll notice that it is waiting at a `User Input` step, asking if you would like to deploy to production. You can find the login credentials for Jenkins by going to `Applications > Deployments > Jenkins > Environment`, and copying the password (the username is `admin`). After logging into Jenkins, click the button to proceed through to production now, and see the other container come online. - -On the sandbox server, you can also override the configured branch, if you want to test specific features or build pipeline changes in isolation. - -> `telus-isomorphic-starter-kit/openshift/install.sh my-branch` +Once your Jenkins is running, we can launch our pipeline on the project: +```bash +telus-isomorphic-starter-kit/openshift/install.sh +``` ### Setup webhook -If you create your own project from the starter kit, you can add a GitHub web hook to compile on commit. From the OpenShift pipeline view, if you click `Edit Pipeline` you should be able to copy your GitHub web hook URL. Under GitHub settings for your project you can click `Webhooks`. 
- -Add an `application/json` webhook and paste in your web hook URL e.g.: - -> `https://api.telusdigitalsandbox.openshift.com/oapi/v1/namespaces/tom-test-project/buildconfigs/telus-isomorphic-starter-kit-pipeline/webhooks/tisk/github` - -## Configuration - -* [Reference Architecture OpenShift standards](https://github.com/telus/reference-architecture/blob/master/delivery/openshift.md) -* [Reference Architecture Kubernetes standards](https://github.com/telus/reference-architecture/blob/master/delivery/kubernetes.md) - -* [OpenShift documentation](https://docs.openshift.com/container-platform/3.4/dev_guide/index.html) -* [Kubernetes documentation](https://kubernetes.io/docs/home/) - -Our [openshift-template.yml](https://github.com/telus/telus-isomorphic-starter-kit/blob/master/openshift/openshift-template.yml) sets up the jenkins server, templates, builds and secrets necessary for exposing our application to consumers. In order to run this, you must first log in to OpenShift with `oc login` and create or select an existing OpenShift project namespace with `oc project`. +The OpenShift webhook triggers the pipeline to build for each commit to GitHub. -## Local testing +To get the webhook URL: +```bash +oc describe bc telus-isomorphic-starter-kit-pipeline +``` -To test OpenShift locally, we recommend using [minishift](https://docs.openshift.org/latest/minishift/getting-started/quickstart.html). +Under GitHub settings for your repository, click `Webhooks`, and add an `application/json` webhook to `push` to the URL. 
-On Mac we can install minishift with brew: +### Cleanup -``` -$ brew update -$ brew install docker-machine-driver-xhyve -$ sudo chown root:wheel $(brew --prefix)/opt/docker-machine-driver-xhyve/bin/docker-machine-driver-xhyve -$ sudo chmod u+s $(brew --prefix)/opt/docker-machine-driver-xhyve/bin/docker-machine-driver-xhyve -$ brew cask install minishift -$ minishift config set memory 8192 -$ minishift start +If you are testing on sandbox, you may want to delete your project and all of its assets. This can be done in one command: +```bash +oc delete all -l=app=telus-isomorphic-starter-kit ``` -On other platforms: [see instructions](https://docs.openshift.org/latest/minishift/getting-started/installing.html#installing-instructions) +*NOTE*: With great power, comes great responsibility... -Once minishift is running, you can log in, create projects, and install your Jenkins and applications normally. +[openshift-template]: ./openshift-template.yml +[shippy]: https://www.npmjs.com/package/@telus/shippy-cli +[jenkins-starter-kit]: https://github.com/telus/openshift-jenkins-starter-kit \ No newline at end of file diff --git a/openshift/install.sh b/openshift/install.sh index 27c9144da..4151ad691 100755 --- a/openshift/install.sh +++ b/openshift/install.sh 
@@ -9,16 +9,18 @@ BRANCH=${1:-master} cd `dirname $0` # Github Token -vault read -field=ssh-key secret/common/github > id_rsa +shippy get secret github --common --field=ssh-key > id_rsa oc create secret generic github-secret --from-file=ssh-privatekey=id_rsa --dry-run=client -o yaml | oc apply -f - rm id_rsa # NPM Read and Publish Token -oc create secret generic npmrc-secret --from-literal=.npmrc=$(vault read -field=npmrc secret/projects/npm-libraries/npm) --dry-run=client -o yaml | oc apply -f - +shippy project npm-libraries +oc create secret generic npmrc-secret --from-literal=.npmrc=$(shippy get secret npm --field=npmrc) --dry-run=client -o yaml | oc apply -f - # AWS -oc create secret generic aws-client-secret --from-literal=aws.client=$(vault read -field=client secret/projects/o-design-outcomes/tds-s3) --dry-run=client -o yaml | oc apply -f - -oc create secret generic aws-secret-key-secret --from-literal=aws.secret=$(vault read -field=secret secret/projects/o-design-outcomes/tds-s3) --dry-run=client -o yaml | oc apply -f - +shippy project o-design-outcomes +oc create secret generic aws-client-secret --from-literal=aws.client=$(shippy get secret tds-s3 --field=client) --dry-run=client -o yaml | oc apply -f - +oc create secret generic aws-secret-key-secret --from-literal=aws.secret=$(shippy get secret tds-s3 --field=secret) --dry-run=client -o yaml | oc apply -f - # Install templates oc apply -f openshift-template.yml
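Review bot: In the README hunk, the `### Login on OpenShift and select project` block shows `oc project` with no project name, and the sentence after it has a typo ("manged"); suggest `oc project <project-name>` and "managed". The hunk also deletes the documented branch override (`install.sh my-branch`) while `install.sh` still reads `BRANCH=${1:-master}`, so the README should keep one sentence about the optional branch argument, and because the whole Vault login section is removed, the `### Install pipeline` step should state that `shippy` must be logged in first, since the rewritten script pulls every secret through it. Two minor points: the file now ends with `\ No newline at end of file`, and the cleanup command `oc delete all -l=app=telus-isomorphic-starter-kit` will not remove the secrets created by `install.sh` (`github-secret`, `npmrc-secret`, the AWS secrets), which carry no `app` label and are not covered by `all`; worth saying so next to the warning.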
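Review bot: The three `$(shippy get secret ...)` substitutions in the NPM and AWS lines of the install.sh hunk are unquoted, so a value containing whitespace or newlines (an `.npmrc` is usually several lines) is word-split and `oc create secret` receives a truncated literal or fails; quote them, e.g. `--from-literal=.npmrc="$(shippy get secret npm --field=npmrc)"`, or write each value to a temp file and use `--from-file` as the github block already does. Nothing in the hunk checks shippy's exit status: if shippy is not logged in or the lookup fails, the substitution expands to empty and `oc apply` creates an empty secret without complaint, so add `set -euo pipefail` near the top of the script (no such guard is visible) or test each value before use. `shippy project npm-libraries` and `shippy project o-design-outcomes` switch shippy's active project as a side effect and never restore it; if shippy offers a per-call project option use that, otherwise save and restore the previous project. Passing secrets through `--from-literal` on the command line also leaves them visible in process listings and shell history, which the `--from-file` pattern used for `id_rsa` avoids.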