This repository has been archived by the owner on May 2, 2023. It is now read-only.
Showing 21 changed files with 582 additions and 1 deletion.
@@ -0,0 +1,111 @@ | ||
# Installing Zercurity on Kubernetes | ||
|
||
## Prerequisite | ||
|
||
You will obviously need a Kubernetes cluster. No special permissions are required at present. | ||
|
||
The only real requirement is an NFS server. To share compiled and signed binaries between the backend, and the NGINX proxy for download. | ||
|
||
If your kubernetes cluster supports shared disks you can also provision a shared PVC. | ||
|
||
## Installing via Kubectl | ||
|
||
This guide is designed to get you up and running with Zercurity on Kubernetes via the provided configuration. | ||
|
||
### Creating a namespace | ||
|
||
The default namespace used in this configuration is `zercurity` this can be overridden with your own namespace using the `-n` flag within your kubectl command. All the commands shown will use this flag to specify the `namespace`. | ||
|
||
``` | ||
kubectl create ns zercurity | ||
``` | ||
|
||
### Applying ConfigMaps and Secrets | ||
|
||
There are two configuration files. The non-sensitive configuration parameters are in `cm-config.yaml`, and the secrets are stored within `sc-config.yaml`. | ||
|
||
The only three things I would change for the initial configuration are the application domain name `ZERCURITY_DOMAIN` (which can be changed at anytime). I'd also change the application secret and database password. | ||
|
||
``` | ||
kubectl apply -n zercurity -f cm-config.yaml | ||
kubectl apply -n zercurity -f sc-config.yaml | ||
``` | ||
|
||
### Applying PersistentVolumeClaims | ||
|
||
We've currently designed the deployment to work around an NFS server. The NFS server is used to store and serve the installation binaries via the NGINX pod. Which is configured to be `readOnly` and backend pods will generate and store the installer binaries to these NFS server. | ||
|
||
If your kubernetes cluster supports shared PVCs you can just use a shared PVC instead. | ||
|
||
You will need to edit the `pv-nfs.yaml` with your server information. | ||
|
||
``` | ||
kubectl apply -n zercurity -f pv-nfs.yaml | ||
kubectl -n zercurity get pv | ||
``` | ||
|
||
Once the `PersistentVolume` has been created. Make sure the status is `Bound`. We can now create our `PersistentVolumeClaims`. | ||
|
||
This command will also create the PVC for our database server too. Feel free to resize as needed. Though we'd recommend using something like [https://google.com|pgo] for database management. | ||
|
||
``` | ||
kubectl apply -n zercurity -f pvc-*.yaml | ||
kubectl -n zercurity get pvc | ||
``` | ||
|
||
### Applying the Deployments | ||
|
||
Now for the fun part. Once the volumes are showing they've been successfully `Bound`. You can now deploy Zercurity. | ||
|
||
``` | ||
kubectl apply -n zercurity -f dp-*.yaml | ||
kubectl -n zercurity get deploy | ||
kubectl -n zercurity get pods | ||
``` | ||
|
||
It will take a few minutes to download the images and start the containers. | ||
|
||
### Applying the services and load-balancer | ||
|
||
Whilst this is happening you can deploy the services and load balancers. | ||
|
||
``` | ||
kubectl apply -n zercurity -f svc-*.yaml | ||
kubectl -n zercurity get svc | ||
``` | ||
|
||
### Initialising the database and running the migration scripts | ||
|
||
When the postgres container successfully comes up. It maybe the case that other containers are in a `CrashBackOff` state. This is because database hasn't been configured. | ||
|
||
We can fix this by running this migrations job. This needs to be run post an update. | ||
|
||
``` | ||
kubectl apply -n zercurity -f job-*.yaml | ||
``` | ||
|
||
This will now initialise the database. Post the migrations job running. It maye take the jobs a few more minutes to come up. However, once they're all in the running state you'll be able to visit the app via the LoadBalancer's IP address or hostname if you've already configured your DNS. | ||
|
||
### Accessing the web application | ||
|
||
If you've left the defaults as they are. Zercurity will be bound to the following hostname `https://app.zercurity.local`. | ||
|
||
You can also check the API server is happy and healthy like so: | ||
|
||
``` | ||
curl -k -vvv https://<Load balancer IP>/v1/healthcheck | json_pp | ||
{ | ||
"status": "HEALTHY" | ||
} | ||
``` | ||
|
||
### Creating your initial user | ||
|
||
You can create your first account using the Register button from within the app. However, if you're having issues with SMTP or the mailer and want to create an account to just get going. You can exec the following to create a registration link to create an account. | ||
|
||
This link is short-lived and unique to the email address provided. | ||
|
||
``` | ||
kubectl -n zercurity exec backend-77c9cbf84d-lhg2g -- ./zercurity --register --name "Tom" --email "tom@jerry.com" | ||
https://app.zercurity.local/register/3bUJQ7z..aJLGC7W9S | ||
``` |
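Review bot: The `[https://google.com|pgo]` link in the PersistentVolumeClaims section is malformed (Markdown wants `[text](url)`) and points at google.com rather than at the pgo operator; fix both the syntax and the URL. Two accuracy points in the same section: a `PersistentVolume` is cluster-scoped, so `kubectl apply -n zercurity -f pv-nfs.yaml` ignores the namespace flag and needs cluster-level rights, which contradicts "No special permissions are required at present"; and the pod state is `CrashLoopBackOff`, not `CrashBackOff`. Minor: `curl -k` in the healthcheck skips TLS verification, which is fine for a first smoke test but should be said; the `kubectl exec backend-77c9cbf84d-lhg2g` example hard-codes a generated pod name where `kubectl -n zercurity exec deploy/backend -- ./zercurity --register ...` works for any reader; and there are typos in `maye`, `It maybe the case` and lowercase `kubernetes`.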
@@ -0,0 +1,48 @@ | ||
apiVersion: v1 | ||
kind: ConfigMap | ||
metadata: | ||
name: config | ||
namespace: zercurity | ||
data: | ||
HOSTNAME: zercurity.local | ||
PROVIDER: local | ||
# Any sensitive configuration options can be stored within the sc-config.yml configuration file. | ||
# This is an example and should be changed. | ||
# SECRET: R2u3FfUpTjf8NY6Pn5gaMbkmUBqFsZfj | ||
STAGE: prod | ||
|
||
DB_HOSTNAME: postgres | ||
DB_DATABASE: zercurity | ||
DB_USERNAME: zercurity | ||
|
||
# Any sensitive configuration options can be stored within the sc-config.yml configuration file. | ||
# This is an example and should be changed. | ||
# DB_PASSWORD: zercurity | ||
|
||
STORAGE_PATH: /tmp/zercurity | ||
|
||
# Please see example.env in the root of the project for more configuration options | ||
# cat ../example.env | ||
|
||
# ENROLL_DARWIN_DEVELOPER_KEY: | ||
# ENROLL_DARWIN_DEVELOPER_CER: | ||
# ENROLL_DARWIN_SIGNATORY_KEY: | ||
# ENROLL_DARWIN_SIGNATORY_CER: | ||
|
||
# ENROLL_LINUX_SIGNATORY_PEM: | ||
|
||
# ENROLL_WINDOWS_SIGNATORY_PEM: | ||
|
||
# STRIPE_API_KEY: | ||
# VIRUS_TOTAL_API_KEY: | ||
|
||
# LETSENCRYPT: False | ||
# LETSENCRYPT_EMAIL: admin@zercurity.com | ||
# LETSENCRYPT_METHOD: http | ||
|
||
# MAILER_HOSTNAME=mailer | ||
# MAILER_PORT=587 | ||
# MAILER_TLS=True | ||
# MAILER_USERNAME= | ||
# MAILER_PASSWORD= | ||
# MAILER_FROM= |
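Review bot: The README tells users to change `ZERCURITY_DOMAIN`, but this ConfigMap exposes the domain as `HOSTNAME: zercurity.local`; rename one of the two so the instruction matches the actual key. The comments also refer to `sc-config.yml` while the README applies `sc-config.yaml`. The commented `# SECRET: R2u3...` and `# DB_PASSWORD: zercurity` lines put example credential values into a file that is not a Secret and will be committed and copied; leave only the key names with a pointer to the Secret file. Finally, the `# MAILER_*` block uses `.env` syntax (`MAILER_HOSTNAME=mailer`) rather than YAML `MAILER_HOSTNAME: mailer`; if anyone uncomments it as written the ConfigMap will fail to parse.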
@@ -0,0 +1,46 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: backend | ||
namespace: zercurity | ||
labels: | ||
app: zercurity | ||
spec: | ||
replicas: 2 | ||
selector: | ||
matchLabels: | ||
app: backend | ||
template: | ||
metadata: | ||
name: backend | ||
labels: | ||
app: backend | ||
spec: | ||
volumes: | ||
- name: nfs | ||
persistentVolumeClaim: | ||
claimName: nfs | ||
containers: | ||
- name: backend | ||
image: ghcr.io/zercurity/backend:latest | ||
imagePullPolicy: Always | ||
env: | ||
- name: PYTHONPATH | ||
value: ".:/opt/python:/var/runtime:/var/task/run" | ||
- name: PYTHONUNBUFFERED | ||
value: "0" | ||
envFrom: | ||
- configMapRef: | ||
name: config | ||
- secretRef: | ||
name: secrets | ||
ports: | ||
- containerPort: 5000 | ||
volumeMounts: | ||
- name: nfs | ||
readOnly: true | ||
mountPath: /var/task/run/libs/resources/certs | ||
subPath: certs | ||
- name: nfs | ||
mountPath: /tmp/zercurity | ||
subPath: downloads |
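Review bot: No `readinessProbe` or `livenessProbe` is defined, although the README documents `GET /v1/healthcheck` on this service returning `{"status": "HEALTHY"}`; wiring that endpoint as a readiness probe on port 5000 keeps the Service from routing traffic to pods that are still in `CrashLoopBackOff` before the migration job has run. `PYTHONUNBUFFERED: "0"` reads as "disabled", but Python treats any non-empty value as enabling unbuffered output, so use `"1"` to say what it actually does. The `certs` mount is read-only while `downloads` is writable because the backend generates installers into it; that split deserves a comment or a line in the README. `image: ...:latest` with `imagePullPolicy: Always` means every pod restart may pull a different build, so pin a tag or digest for reproducible rollouts, and no `resources` or `securityContext` are set.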
@@ -0,0 +1,26 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: frontend | ||
namespace: zercurity | ||
labels: | ||
app: zercurity | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: frontend | ||
template: | ||
metadata: | ||
labels: | ||
app: frontend | ||
spec: | ||
containers: | ||
- name: frontend | ||
image: ghcr.io/zercurity/frontend:latest | ||
imagePullPolicy: Always | ||
envFrom: | ||
- configMapRef: | ||
name: config | ||
ports: | ||
- containerPort: 80 |
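Review bot: `envFrom: configMapRef: config` imports the whole ConfigMap, including `DB_HOSTNAME`, `DB_USERNAME` and `STORAGE_PATH`, into a pod that only serves the frontend on port 80; reference the individual keys it needs with `configMapKeyRef` so database details stay out of this container's environment. As with the other deployments, no probes, `resources` or `securityContext` are set, and the image is unpinned `:latest`.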
@@ -0,0 +1,25 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: mailer | ||
namespace: zercurity | ||
labels: | ||
app: zercurity | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: mailer | ||
template: | ||
metadata: | ||
name: mailer | ||
labels: | ||
app: mailer | ||
spec: | ||
containers: | ||
- name: mailer | ||
image: ghcr.io/zercurity/mailer:latest | ||
imagePullPolicy: Always | ||
envFrom: | ||
- configMapRef: | ||
name: config |
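Review bot: The mailer only has a `configMapRef`, yet every `MAILER_*` setting is commented out in the ConfigMap and `MAILER_PASSWORD` is a credential that belongs in the `secrets` Secret; add a `secretRef` for `secrets` here so the password can be supplied without placing it in the ConfigMap. The container declares no `containerPort` and no probes; if it is an outbound-only worker (the ConfigMap comment shows `MAILER_PORT=587` for the upstream SMTP server) a one-line comment saying so would save the next reader from looking for a missing Service.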
@@ -0,0 +1,39 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: nginx | ||
namespace: zercurity | ||
labels: | ||
app: zercurity | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: nginx | ||
template: | ||
metadata: | ||
labels: | ||
app: nginx | ||
spec: | ||
volumes: | ||
- name: nfs | ||
persistentVolumeClaim: | ||
claimName: nfs | ||
containers: | ||
- name: nginx | ||
image: ghcr.io/zercurity/nginx:latest | ||
imagePullPolicy: Always | ||
envFrom: | ||
- configMapRef: | ||
name: config | ||
ports: | ||
- containerPort: 80 | ||
- containerPort: 443 | ||
volumeMounts: | ||
- name: nfs | ||
mountPath: /etc/ssl/zercurity.local | ||
subPath: certs | ||
- name: nfs | ||
mountPath: /usr/share/nginx/html/download | ||
readOnly: true | ||
subPath: downloads |
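Review bot: The `certs` mount at `/etc/ssl/zercurity.local` is writable while `downloads` is `readOnly: true`; NGINX only needs to read certificates, and the backend hunk mounts the same `certs` subPath read-only, so add `readOnly: true` here too, otherwise anything that gains code execution in the proxy container can overwrite the certificate material shared with the backend. The mount path hard-codes `zercurity.local` even though the domain is configurable through the ConfigMap's `HOSTNAME`, so changing the domain will break the path unless the NGINX configuration derives it the same way. No probes or resource limits, and `:latest` with `imagePullPolicy: Always` as elsewhere.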
@@ -0,0 +1,48 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: postgres | ||
namespace: zercurity | ||
labels: | ||
app: zercurity | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: postgres | ||
template: | ||
metadata: | ||
labels: | ||
app: postgres | ||
spec: | ||
volumes: | ||
- name: postgres | ||
persistentVolumeClaim: | ||
claimName: postgres | ||
containers: | ||
- name: backend | ||
image: ghcr.io/zercurity/postgres:latest | ||
imagePullPolicy: Always | ||
env: | ||
- name: POSTGRES_USER | ||
valueFrom: | ||
configMapKeyRef: | ||
name: config | ||
key: DB_USERNAME | ||
- name: POSTGRES_PASSWORD | ||
valueFrom: | ||
secretKeyRef: | ||
name: secrets | ||
key: DB_PASSWORD | ||
- name: POSTGRES_DB | ||
valueFrom: | ||
configMapKeyRef: | ||
name: config | ||
key: DB_DATABASE | ||
- name: PGDATA | ||
value: /var/lib/postgresql/data/zercurity | ||
ports: | ||
- containerPort: 5432 | ||
volumeMounts: | ||
- name: postgres | ||
mountPath: /var/lib/postgresql/data |
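Review bot: The container is named `backend` inside a Deployment called `postgres` (copied from the backend manifest); rename it to `postgres` so `kubectl logs -c`, `exec -c` and monitoring labels make sense. A single-replica Deployment backed by a PVC also needs `strategy: { type: Recreate }` (or a StatefulSet): the default RollingUpdate starts the new pod before the old one stops, and with a ReadWriteOnce volume the new pod cannot mount it, so image updates will hang. Reading `POSTGRES_PASSWORD` from a `secretKeyRef` rather than importing the whole Secret is the right pattern, and setting `PGDATA` to a subdirectory of the mount avoids the `lost+found` problem on fresh volumes.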
@@ -0,0 +1,26 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: redis | ||
namespace: zercurity | ||
labels: | ||
app: zercurity | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: redis | ||
template: | ||
metadata: | ||
labels: | ||
app: redis | ||
spec: | ||
containers: | ||
- name: redis | ||
image: ghcr.io/zercurity/redis:latest | ||
imagePullPolicy: Always | ||
envFrom: | ||
- configMapRef: | ||
name: config | ||
ports: | ||
- containerPort: 6379 |
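Review bot: No `readinessProbe` on 6379 and no volume, so Redis state is lost on every pod restart; that is acceptable only if the backend uses it purely as a cache or queue, which the README does not say, so document it. `envFrom: configMapRef: config` loads the whole application ConfigMap (`DB_*`, `STORAGE_PATH`, `HOSTNAME`) into a Redis container; unless the custom `ghcr.io/zercurity/redis` image actually reads those keys, drop it or use `configMapKeyRef` for the ones it needs. Image tag `:latest` with `imagePullPolicy: Always` as in the other hunks.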