From a9c272cc881633774492c51d3273d8440cba4266 Mon Sep 17 00:00:00 2001 From: Irving Popovetsky Date: Sun, 23 Feb 2020 16:36:52 -0800 Subject: [PATCH 1/8] v1 rework kube configs to use EKS+fargate for everything 
Signed-off-by: Irving Popovetsky --- SETUP.md | 285 +----------------- .../aws-alb-ingress-controller/README.txt | 4 + .../external-dns.yaml | 64 ++++ kubernetes/create_operationcode.sh | 55 ---- .../default-http-backend/deployment.yaml | 37 --- kubernetes/default-http-backend/service.yaml | 13 - kubernetes/external-dns/external-dns.yaml | 72 +++++ kubernetes/kube-lego/base/configmap.yaml | 10 - kubernetes/kube-lego/base/deployment.yaml | 42 --- kubernetes/kube-lego/base/kustomization.yaml | 7 - kubernetes/kube-lego/base/rbac.yaml | 40 --- .../overlays/prod/kustomization.yaml | 7 - .../base/configmap.yaml | 13 - .../base/deployment.yaml | 57 ---- .../base/kustomization.yaml | 11 - .../nginx-ingress-controller/base/rbac.yaml | 130 -------- .../base/service.yaml | 19 -- .../base/serviceAccount.yaml | 4 - .../base/tcp-services-configmap.yaml | 4 - .../base/udp-services-configmap.yaml | 4 - .../overlays/prod/deployment.yaml | 6 - .../overlays/prod/kustomization.yaml | 10 - kubernetes/operationcode-namespace.yml | 14 - .../base/deployment.yaml | 17 +- .../overlays/prod/ingress.yaml | 17 +- .../overlays/staging/ingress.yaml | 17 +- kubernetes/vertical-pod-autoscaler/README.md | 3 + 27 files changed, 182 insertions(+), 780 deletions(-) create mode 100644 kubernetes/aws-alb-ingress-controller/README.txt create mode 100644 kubernetes/aws-alb-ingress-controller/external-dns.yaml delete mode 100755 kubernetes/create_operationcode.sh delete mode 100644 kubernetes/default-http-backend/deployment.yaml delete mode 100644 kubernetes/default-http-backend/service.yaml create mode 100644 kubernetes/external-dns/external-dns.yaml delete mode 100644 kubernetes/kube-lego/base/configmap.yaml delete mode 100644 kubernetes/kube-lego/base/deployment.yaml delete mode 100644 kubernetes/kube-lego/base/kustomization.yaml delete mode 100644 kubernetes/kube-lego/base/rbac.yaml delete mode 100644 kubernetes/kube-lego/overlays/prod/kustomization.yaml delete mode 100644 
kubernetes/nginx-ingress-controller/base/configmap.yaml
delete mode 100644 kubernetes/nginx-ingress-controller/base/deployment.yaml
delete mode 100644 kubernetes/nginx-ingress-controller/base/kustomization.yaml
delete mode 100644 kubernetes/nginx-ingress-controller/base/rbac.yaml
delete mode 100644 kubernetes/nginx-ingress-controller/base/service.yaml
delete mode 100644 kubernetes/nginx-ingress-controller/base/serviceAccount.yaml
delete mode 100644 kubernetes/nginx-ingress-controller/base/tcp-services-configmap.yaml
delete mode 100644 kubernetes/nginx-ingress-controller/base/udp-services-configmap.yaml
delete mode 100644 kubernetes/nginx-ingress-controller/overlays/prod/deployment.yaml
delete mode 100644 kubernetes/nginx-ingress-controller/overlays/prod/kustomization.yaml
create mode 100644 kubernetes/vertical-pod-autoscaler/README.md
diff --git a/SETUP.md b/SETUP.md
index a647f14..505fc28 100644
--- a/SETUP.md
+++ b/SETUP.md
@@ -2,284 +2,9 @@ Greetings! Much of Operation Code's web site runs in a [Kubernetes](https://kubernetes.io/) cluster. These instructions will guide you through setting up access to our cluster so you can run rails console, tail logs, and more! -## What you need -* An Operation Code Google account in the form of walt@operationcode.org -* Access to 1Password to get the Google Application Client Secret and the Kubernetes cluster Certificate Authority data - -# From OS X - -## Installing the Kubernetes Command Line - -This is what you will use to interact with our Kubernetes cluster - where both the front end and back end of the site runs. If you have not already, install the [Homebrew Package Manager](https://brew.sh/), and run the following: - -```bash -brew install kubernetes-cli -``` - -## Authenticating to the Operation Code Kubernetes Cluster - -You will use your email@operationcode.org gmail account to authenticate to our cluster. We use a helper to do this - the k8s-oidc-helper. This helper is written in go - and to use it, we'll need to install the go language and create some configuration. - -### Installing Go - -First, install the go language onto your workstation: - -```bash -$ brew install golang -``` - -Now, let's add in some configuration for go. Open up your profile file (this is bash_profile if you are using bash as your shell) - -```bash -$ vim ~/.bash_profile -``` - -At the end of the file, add this line: - -```bash -export GOPATH=$HOME/gocode -export PATH=$PATH:$GOPATH/bin -``` - -Now save and close the file, the source it - -```bash -$ source ~/.bash_profile -``` - -Now, check that you can run go commands with this command, you should see it output your version of go - -```bash -$ go version -``` - -## Installing the helper - -Alright, now we're ready to install the k8s-oidc-helper. Run this command: - -```bash -$ go get github.com/micahhausler/k8s-oidc-helper -``` - -(Don't fret if you do not see any output, this is normal). 
- -Once it finishes running, check that the helper was installed correctly with: - -```bash -$ k8s-oidc-helper --version -``` - -And it should display the version of the helper. - -## Configuring the helper - -Now, you'll need to download something from 1Password. If you do not have access to the Operation Code 1Password, reach out to the Project lead, seargent, or any of the maintainers for information. Once you are in 1Password look for a credential called "oauth-oc". - -That credential contains a file called client_secret_(...)apps.googleusercontent.com.json. Download this file to your local workstation. I like to save it as "client_secret.json". Now run the helper, passing it this config file. - -```bash -$ k8s-oidc-helper -c path/to/client_secret.json -``` - -If it works correctly, it will tell you to open a url in your browser. Open that url - log in to or select your operation.org account if necessary - and copy the code that is displayed, then paste it next to the prompt "Enter the code Google gave you:" - -Copy the output that starts with "#Add the following to your ~/.kube/config". - -## Configuring Kubernetes - -Now we'll use this to configure access to Operation Code's Kubernetes cluster. - -Create a ~/.kube directory - -```bash -$ mkdir ~/.kube -``` - -Now create a file at ~/.kube/config - -```bash -$ vim ~/.kube/config -``` - -And paste in the content you just copied when you ran the k8s-oidc-helper. - -Save and close the file. - -Alright - we're almost there! First, run a couple of commands to further configure Kubernetes: - -```bash -$ kubectl config set-context op-code-prod --cluster k8s.operationcode.org --user nell@operationcode.org -$ kubectl config use-context op-code-prod -``` - -Now, head back to 1Password and look for a note called "Kubernetes Cluster CA". Copy the content of that note and open your kube config file. 
- -```bash -$ vim ~/.kube/config -``` - -And replace this line: - -```bash -clusters: [] -``` - -With this line: - -```bash -clusters: -``` - -Then, directly after that line, paste the contents of the note you just copied from 1Password. - -Save and close the file, then run this command: - -```bash -$ kubectl get pods -n operationcode -``` - -After a few seconds, you should see a list of running Kubernetes pods including operationcode-backend, operationcode-frontend, and more! - -# From Linux (Ubuntu) - -## Installing the Kubernetes Command Line - -This is what you will use to interact with our Kubernetes cluster - where both the front end and back end of the site runs. - -* Install the Kubernetes command line -```bash -$ sudo snap install kubectl --classic -``` - -## Authenticating to the Operation Code Kubernetes Cluster - -You will use your email@operationcode.org gmail account to authenticate to our cluster. We use a helper to do this - the k8s-oidc-helper. This helper is written in go - and to use it, we'll need to install the go language and create some configuration. - -### Installing Go - -First, install the go language on your workstation with these commands (you will want to do it this way, as the one in the ubuntu package manager is quite out of date) - -```bash -$ sudo curl -O https://storage.googleapis.com/golang/go1.9.3.linux-amd64.tar.gz -$ sudo tar -xvf go1.9.3.linux-amd64.tar.gz -$ sudo mv go /usr/local -``` - -Now, let's add in some configuration for go. 
Open up your profile file - -```bash -$ vim ~/.profile -``` - -At the end of the file, add this line: - -```bash -export PATH=$PATH:/usr/local/go/bin -``` - -Now save and close the file, the source it - -```bash -$ source ~/.profile -``` - -Now, check that you can run go commands with this command, you should see it output your version of go - -```bash -$ go version -``` - -Next, we need to se the $GOPATH environmental variable - I'm going to set mine to /usr/local, but you can set it wherever you would like your go packages to be installed. - -```bash -export GOPATH=/usr/local -``` - -## Installing the helper - -Alright, now we're ready to install the k8s-oidc-helper. Run this command: - -```bash -$ go get github.com/micahhausler/k8s-oidc-helper -``` - -(Don't fret if you do not see any output, this is normal). - -Once it finishes running, check that the helper was installed correctly with: - -```bash -$ k8s-oidc-helper --version -``` - -And it should display the version of the helper. - -## Configuring the helper - -Now, you'll need to download something from 1Password. If you do not have access to the Operation Code 1Password, reach out to the Project lead, seargent, or any of the maintainers for information. Once you are in 1Password look for a credential called "oauth-oc". - -That credential contains a file called client_secret_(...)apps.googleusercontent.com.json. Download this file to your local workstation. I like to save it as "client_secret.json". Now run the helper, passing it this config file. - -```bash -$ k8s-oidc-helper -c path/to/client_secret.json -``` - -If it works correctly, it will tell you to open a url in your browser. Open that url - log in to or select your operation.org account if necessary - and copy the code that is displayed, then paste it next to the prompt "Enter the code Google gave you:" - -Copy the output that starts with "#Add the following to your ~/.kube/config". 
- -## Configuring Kubernetes - -Now we'll use this to configure access to Operation Code's Kubernetes cluster. - -Create a ~/.kube directory - -```bash -$ mkdir ~/.kube -``` - -Now create a file at ~/.kube/config - -```bash -$ vim ~/.kube/config -``` - -And paste in the content you just copied when you ran the k8s-oidc-helper. - -Save and close the file. - -Alright - we're almost there! First, run a couple of commands to further configure Kubernetes: - -```bash -$ kubectl config set-context op-code-prod --cluster k8s.operationcode.org --user nell@operationcode.org -$ kubectl config use-context op-code-prod -``` - -Now, head back to 1Password and look for a note called "Kubernetes Cluster CA". Copy the content of that note and open your kube config file. - -```bash -$ vim ~/.kube/config -``` - -And replace this line: - -```bash -clusters: [] -``` - -With this line: - -```bash -clusters: -``` - -Then, directly after that line, paste the contents of the note you just copied from 1Password. - -Save and close the file, then run this command: - -```bash -$ kubectl get pods -n operationcode -``` - -After a few seconds, you should see a list of running Kubernetes pods including operationcode-backend, operationcode-frontend, and more! - +# Getting access to the cluster +1. Ensure you have AWS access, and the aws CLI is operating correctly +2. Install eksctl: https://eksctl.io/introduction/installation/ +3. Run: `eksctl utils write-kubeconfig --region us-east-2 --cluster operationcode-backend` +4. Verify everything works: `kubectl get namespaces` diff --git a/kubernetes/aws-alb-ingress-controller/README.txt b/kubernetes/aws-alb-ingress-controller/README.txt new file mode 100644 index 0000000..caabad5 --- /dev/null +++ b/kubernetes/aws-alb-ingress-controller/README.txt 
@@ -0,0 +1,4 @@
+
+# Recreating the ALB ingress controller
+1. Follow these instructions: https://docs.aws.amazon.com/eks/latest/userguide/alb-ingress.html
+2. Create the external DNS controller from this folder
diff --git a/kubernetes/aws-alb-ingress-controller/external-dns.yaml b/kubernetes/aws-alb-ingress-controller/external-dns.yaml
new file mode 100644
index 0000000..7ee2e68
--- /dev/null
+++ b/kubernetes/aws-alb-ingress-controller/external-dns.yaml
@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: external-dns
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: external-dns
+rules:
+- apiGroups: [""]
+ resources: ["services"]
+ verbs: ["get","watch","list"]
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get","watch","list"]
+- apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["get","watch","list"]
+- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: external-dns-viewer
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: external-dns
+subjects:
+- kind: ServiceAccount
+ name: external-dns
+ namespace: default
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: external-dns
+spec:
+ selector:
+ matchLabels:
+ app: external-dns
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: external-dns
+ spec:
+ serviceAccountName: external-dns
+ containers:
+ - name: external-dns
+ image: registry.opensource.zalan.do/teapot/external-dns:v0.5.9
+ args:
+ - --source=service
+ - --source=ingress
+ - --domain-filter=k8s.operationcode.org # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
+ - --provider=aws
+ - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
+ - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
+ - --registry=txt
+ - --txt-owner-id=Z2QGEWMWUT7EEB
diff --git a/kubernetes/create_operationcode.sh b/kubernetes/create_operationcode.sh
deleted file mode 100755
index 820f04d..0000000
--- a/kubernetes/create_operationcode.sh
+++ /dev/null
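Review bot: This manifest is a second copy of the ExternalDNS controller that the same commit adds at kubernetes/external-dns/external-dns.yaml, but with an older image (v0.5.9), no namespace (so it lands in `default`), no `eks.amazonaws.com/role-arn` annotation on the ServiceAccount, and a different `--txt-owner-id` (`Z2QGEWMWUT7EEB` here, `operationcode-backend` there). As far as I can tell, two instances with different owner ids against the same hosted zone will each refuse to touch records the other registered, so which hostname ends up managed by which controller depends on apply order, and `--policy=upsert-only` means neither ever cleans up. Keep one copy: README.txt in this folder tells the reader to create the controller from here, so either point that step at the kube-system manifest or delete this file. Without the IRSA annotation this pod presumably has no AWS identity on Fargate and could not write to Route53 at all, which is another sign this copy is the stale one.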
@@ -1,55 +0,0 @@ -#!/usr/bin/env bash - -# DEPRECATED, ONLY HERE FOR HISTORICAL REFERENCE -# Ask @ohaiwalt for more info - -set -euf -o pipefail - -# This is a quick hacky script to standup operationcode.org on kubernetes -# If run by itself it will standup all apps. Alternatively you can provide -# it with one or more app names to install - -KUBECTL=$(which kubectl) -HELM=$(which helm) - -function add_k8s_resources(){ - if [[ -f "deployment.yml" ]]; then $KUBECTL create -f deployment.yml; fi - if [[ -f "service.yml" ]]; then $KUBECTL create -f service.yml; fi - if [[ -f "daemonset.yml" ]]; then $KUBECTL create -f daemonset.yml; fi -} - -# Create namespace -echo $KUBECTL create -f operationcode-namespace.yml - -if [[ $* ]]; then - apps=$* -else - apps=$(find . -type d -depth 1) -fi - -for app in $apps; do - app_name=$(basename $app) - echo "Standing up $app_name" - cd $app_name - - if [[ -d "secrets" ]]; then - create_secrets_for $app_name - fi - - add_k8s_resources - - cd .. -done - -exit 0 - -# Helm is a kubernetes package manager -# You can get a list of apps here: https://kubeapps.com/ -$HELM init - -## Backend Postgresql -$HELM install --name operationcode-psql stable/postgresql --set postgresPassword=$POSTGRES_PASSWORD - -## Backend Redis -$HELM install --name operationcode-redis stable/redis --version 0.10.2 --set usePassword=false -$HELM install --name operationcode-staging-redis --namespace operationcode-staging stable/redis --version 0.10.2 --set usePassword=false diff --git a/kubernetes/default-http-backend/deployment.yaml b/kubernetes/default-http-backend/deployment.yaml deleted file mode 100644 index ebed766..0000000 --- a/kubernetes/default-http-backend/deployment.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: default-http-backend - labels: - app: default-http-backend - namespace: ingress-nginx -spec: - replicas: 1 - template: - metadata: - labels: - app: default-http-backend - spec: - terminationGracePeriodSeconds: 60 - containers: - - name: default-http-backend - # Any image is permissable as long as: - # 1. It serves a 404 page at / - # 2. It serves 200 on a /healthz endpoint - image: gcr.io/google_containers/defaultbackend:1.4 - livenessProbe: - httpGet: - path: /healthz - port: 8080 - scheme: HTTP - initialDelaySeconds: 30 - timeoutSeconds: 5 - ports: - - containerPort: 8080 - resources: - limits: - cpu: 10m - memory: 20Mi - requests: - cpu: 10m - memory: 20Mi \ No newline at end of file diff --git a/kubernetes/default-http-backend/service.yaml b/kubernetes/default-http-backend/service.yaml deleted file mode 100644 index d4f560d..0000000 --- a/kubernetes/default-http-backend/service.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: default-http-backend - namespace: ingress-nginx - labels: - app: default-http-backend -spec: - ports: - - port: 80 - targetPort: 8080 - selector: - app: default-http-backend \ No newline at end of file diff --git a/kubernetes/external-dns/external-dns.yaml b/kubernetes/external-dns/external-dns.yaml new file mode 100644 index 0000000..a3f25ee --- /dev/null +++ b/kubernetes/external-dns/external-dns.yaml 
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: external-dns
+ namespace: kube-system
+ annotations:
+ eks.amazonaws.com/role-arn: arn:aws:iam::633607774026:role/eksctl-operationcode-backend-addon-iamservic-Role1-Z635VDQWDH8
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: external-dns
+ namespace: kube-system
+rules:
+- apiGroups: [""]
+ resources: ["services"]
+ verbs: ["get","watch","list"]
+- apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get","watch","list"]
+- apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["get","watch","list"]
+- apiGroups: [""]
+ resources: ["nodes"]
+ verbs: ["list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: external-dns-viewer
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: external-dns
+subjects:
+- kind: ServiceAccount
+ name: external-dns
+ namespace: kube-system
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: external-dns
+ namespace: kube-system
+spec:
+ selector:
+ matchLabels:
+ app: external-dns
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: external-dns
+ spec:
+ serviceAccountName: external-dns
+ containers:
+ - name: external-dns
+ image: us.gcr.io/k8s-artifacts-prod/external-dns/external-dns:v0.6.0
+ args:
+ - --source=service
+ - --source=ingress
+ - --domain-filter=k8s.operationcode.org
+ - --provider=aws
+ - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
+ - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
+ - --registry=txt
+ - --txt-owner-id=operationcode-backend
+ - --log-level=debug
+ securityContext:
+ fsGroup: 65534 # For ExternalDNS to be able to read Kubernetes and AWS token files
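Review bot: `--log-level=debug` is left on in what is otherwise the steady-state manifest, on a controller that holds Route53 write access through the IRSA role annotated on the ServiceAccount; debug output is far more verbose about the zones and records it reconciles and all of it lands in the pod logs and whatever log pipeline collects them, so drop the line or change it to `- --log-level=info` once bring-up is done. Two smaller items in the same hunk: `namespace: kube-system` under the ClusterRole's metadata has no effect because ClusterRole is cluster-scoped, and `rbac.authorization.k8s.io/v1beta1` is deprecated in favour of `rbac.authorization.k8s.io/v1`; the same applies to the copy in kubernetes/aws-alb-ingress-controller/external-dns.yaml. The image is pinned by tag only; for a cluster-scoped controller with cloud credentials, pinning by digest would make the running version verifiable.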
diff --git a/kubernetes/kube-lego/base/configmap.yaml b/kubernetes/kube-lego/base/configmap.yaml deleted file mode 100644 index 8f220f0..0000000 --- a/kubernetes/kube-lego/base/configmap.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: v1 -metadata: - name: kube-lego -data: - # modify this to specify your address - lego.email: "tech@operationcode.org" - # configure letencrypt's production api - lego.url: "https://acme-v01.api.letsencrypt.org/directory" - # lego.url: "https://acme-staging.api.letsencrypt.org/directory" -kind: ConfigMap diff --git a/kubernetes/kube-lego/base/deployment.yaml b/kubernetes/kube-lego/base/deployment.yaml deleted file mode 100644 index c4e099c..0000000 --- a/kubernetes/kube-lego/base/deployment.yaml +++ /dev/null @@ -1,42 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: kube-lego -spec: - replicas: 1 - template: - metadata: - labels: - app: kube-lego - spec: - containers: - - name: kube-lego - image: jetstack/kube-lego:0.1.5 - imagePullPolicy: Always - ports: - - containerPort: 8080 - env: - - name: LEGO_EMAIL - valueFrom: - configMapKeyRef: - name: kube-lego - key: lego.email - - name: LEGO_URL - valueFrom: - configMapKeyRef: - name: kube-lego - key: lego.url - - name: LEGO_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LEGO_POD_IP - valueFrom: - fieldRef: - fieldPath: status.podIP - readinessProbe: - httpGet: - path: /healthz - port: 8080 - initialDelaySeconds: 5 - timeoutSeconds: 1 diff --git a/kubernetes/kube-lego/base/kustomization.yaml b/kubernetes/kube-lego/base/kustomization.yaml deleted file mode 100644 index 5958ee9..0000000 --- a/kubernetes/kube-lego/base/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: -- configmap.yaml -- deployment.yaml -- rbac.yaml diff --git a/kubernetes/kube-lego/base/rbac.yaml b/kubernetes/kube-lego/base/rbac.yaml deleted file mode 100644 index 92a1aba..0000000 
--- a/kubernetes/kube-lego/base/rbac.yaml +++ /dev/null @@ -1,40 +0,0 @@ -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: ingress-secret-admin -rules: -- apiGroups: [""] - resources: ["secrets"] - verbs: - - get - - watch - - list - - create - - update - - patch -- apiGroups: [""] - resources: ["services"] - verbs: - - get - - create -- apiGroups: ["extensions"] - resources: ["ingresses"] - verbs: - - get - - watch - - list - - create - - update - - patch ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: kube-lego -roleRef: - kind: ClusterRole - name: ingress-secret-admin - apiGroup: rbac.authorization.k8s.io -subjects: -- kind: ServiceAccount - name: default diff --git a/kubernetes/kube-lego/overlays/prod/kustomization.yaml b/kubernetes/kube-lego/overlays/prod/kustomization.yaml deleted file mode 100644 index 8bae283..0000000 --- a/kubernetes/kube-lego/overlays/prod/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namespace: kube-lego - -bases: -- ../../base diff --git a/kubernetes/nginx-ingress-controller/base/configmap.yaml b/kubernetes/nginx-ingress-controller/base/configmap.yaml deleted file mode 100644 index f08639d..0000000 --- a/kubernetes/nginx-ingress-controller/base/configmap.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -data: - proxy-connect-timeout: "15" - proxy-read-timeout: "600" - proxy-send-timeout: "600" - proxy-body-size: "64m" - use-proxy-protocol: "true" - hsts-include-subdomains: "false" - server-name-hash-bucket-size: "256" - server-tokens: "false" -kind: ConfigMap -metadata: - name: nginx-configuration diff --git a/kubernetes/nginx-ingress-controller/base/deployment.yaml b/kubernetes/nginx-ingress-controller/base/deployment.yaml deleted file mode 100644 index 121885a..0000000 --- a/kubernetes/nginx-ingress-controller/base/deployment.yaml +++ /dev/null 
@@ -1,57 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - name: nginx-ingress-controller -spec: - replicas: 1 - selector: - matchLabels: - app: ingress-nginx - template: - metadata: - labels: - app: ingress-nginx - spec: - serviceAccountName: nginx-ingress-serviceaccount - containers: - - name: nginx-ingress-controller - image: gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.15 - args: - - /nginx-ingress-controller - - --default-backend-service=$(POD_NAMESPACE)/default-http-backend - - --configmap=$(POD_NAMESPACE)/nginx-configuration - - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services - - --udp-services-configmap=$(POD_NAMESPACE)/udp-services - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - ports: - - name: http - containerPort: 80 - - name: https - containerPort: 443 - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 \ No newline at end of file diff --git a/kubernetes/nginx-ingress-controller/base/kustomization.yaml b/kubernetes/nginx-ingress-controller/base/kustomization.yaml deleted file mode 100644 index f4cca2a..0000000 --- a/kubernetes/nginx-ingress-controller/base/kustomization.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -resources: -- configmap.yaml -- deployment.yaml -- rbac.yaml -- service.yaml -- serviceAccount.yaml -- tcp-services-configmap.yaml -- udp-services-configmap.yaml diff --git a/kubernetes/nginx-ingress-controller/base/rbac.yaml b/kubernetes/nginx-ingress-controller/base/rbac.yaml deleted file mode 100644 index 618f412..0000000 
--- a/kubernetes/nginx-ingress-controller/base/rbac.yaml
+++ /dev/null
@@ -1,130 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nginx-ingress-serviceaccount - ---- - -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRole -metadata: - name: nginx-ingress-clusterrole -rules: - - apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - verbs: - - list - - watch - - apiGroups: - - "" - resources: - - nodes - verbs: - - get - - apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch - - apiGroups: - - "extensions" - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - "" - resources: - - events - verbs: - - create - - patch - - apiGroups: - - "extensions" - resources: - - ingresses/status - verbs: - - update - ---- - -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: Role -metadata: - name: nginx-ingress-role -rules: - - apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - namespaces - verbs: - - get - - apiGroups: - - "" - resources: - - configmaps - resourceNames: - # Defaults to "-" - # Here: "-" - # This has to be adapted if you change either parameter - # when launching the nginx-ingress-controller. 
- - "ingress-controller-leader-nginx" - verbs: - - get - - update - - apiGroups: - - "" - resources: - - configmaps - verbs: - - create - - apiGroups: - - "" - resources: - - endpoints - verbs: - - get - ---- - -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: RoleBinding -metadata: - name: nginx-ingress-role-nisa-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: nginx-ingress-role -subjects: - - kind: ServiceAccount - name: nginx-ingress-serviceaccount - namespace: ingress-nginx - ---- - -apiVersion: rbac.authorization.k8s.io/v1beta1 -kind: ClusterRoleBinding -metadata: - name: nginx-ingress-clusterrole-nisa-binding -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: nginx-ingress-clusterrole -subjects: - - kind: ServiceAccount - name: nginx-ingress-serviceaccount - namespace: ingress-nginx \ No newline at end of file diff --git a/kubernetes/nginx-ingress-controller/base/service.yaml b/kubernetes/nginx-ingress-controller/base/service.yaml deleted file mode 100644 index c71ee81..0000000 --- a/kubernetes/nginx-ingress-controller/base/service.yaml +++ /dev/null @@ -1,19 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: nginx - labels: - app: ingress-controller - annotations: - service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*' - service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' - service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '120' -spec: - type: LoadBalancer - ports: - - port: 80 - name: http - - port: 443 - name: https - selector: - app: ingress-nginx diff --git a/kubernetes/nginx-ingress-controller/base/serviceAccount.yaml b/kubernetes/nginx-ingress-controller/base/serviceAccount.yaml deleted file mode 100644 index e15f9d8..0000000 --- a/kubernetes/nginx-ingress-controller/base/serviceAccount.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - name: nginx-ingress-controller 
diff --git a/kubernetes/nginx-ingress-controller/base/tcp-services-configmap.yaml b/kubernetes/nginx-ingress-controller/base/tcp-services-configmap.yaml
deleted file mode 100644
index 3b29a29..0000000
--- a/kubernetes/nginx-ingress-controller/base/tcp-services-configmap.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: tcp-services
\ No newline at end of file
diff --git a/kubernetes/nginx-ingress-controller/base/udp-services-configmap.yaml b/kubernetes/nginx-ingress-controller/base/udp-services-configmap.yaml
deleted file mode 100644
index df8685c..0000000
--- a/kubernetes/nginx-ingress-controller/base/udp-services-configmap.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-kind: ConfigMap
-apiVersion: v1
-metadata:
- name: udp-services
\ No newline at end of file
diff --git a/kubernetes/nginx-ingress-controller/overlays/prod/deployment.yaml b/kubernetes/nginx-ingress-controller/overlays/prod/deployment.yaml
deleted file mode 100644
index 0407495..0000000
--- a/kubernetes/nginx-ingress-controller/overlays/prod/deployment.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: extensions/v1beta1
-kind: Deployment
-metadata:
- name: nginx-ingress-controller
-spec:
- replicas: 3
\ No newline at end of file
diff --git a/kubernetes/nginx-ingress-controller/overlays/prod/kustomization.yaml b/kubernetes/nginx-ingress-controller/overlays/prod/kustomization.yaml
deleted file mode 100644
index 6ec663b..0000000
--- a/kubernetes/nginx-ingress-controller/overlays/prod/kustomization.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-
-namespace: ingress-nginx
-
-bases:
-- ../../base
-
-patchesStrategicMerge:
-- deployment.yaml
diff --git a/kubernetes/operationcode-namespace.yml b/kubernetes/operationcode-namespace.yml
index f03df31..9e9cb33 100644
--- a/kubernetes/operationcode-namespace.yml
+++ b/kubernetes/operationcode-namespace.yml
@@ -11,17 +11,3 @@ metadata: name: operationcode-staging labels: name: operationcode-staging ---- -kind: Namespace -apiVersion: v1 -metadata: - name: ingress-nginx - labels: - name: ingress-nginx ---- -kind: Namespace -apiVersion: v1 -metadata: - name: kube-lego - labels: - name: kube-lego diff --git a/kubernetes/operationcode_python_backend/base/deployment.yaml b/kubernetes/operationcode_python_backend/base/deployment.yaml index 9bfb4cd..cecf024 100644 --- a/kubernetes/operationcode_python_backend/base/deployment.yaml +++ b/kubernetes/operationcode_python_backend/base/deployment.yaml @@ -1,9 +1,20 @@ +--- +apiVersion: "autoscaling.k8s.io/v1beta2" +kind: VerticalPodAutoscaler +metadata: + name: back-end-vpa +spec: + targetRef: + apiVersion: "apps/v1" + kind: Deployment + name: back-end +--- apiVersion: extensions/v1beta1 kind: Deployment metadata: name: back-end spec: - replicas: 2 + replicas: 1 revisionHistoryLimit: 5 template: spec: @@ -13,6 +24,10 @@ spec: imagePullPolicy: Always ports: - containerPort: 8000 + resources: + requests: + memory: 200Mi + cpu: 100m env: - name: DB_HOST value: # Requires overlay diff --git a/kubernetes/operationcode_python_backend/overlays/prod/ingress.yaml b/kubernetes/operationcode_python_backend/overlays/prod/ingress.yaml index 03785ef..85a085b 100644 --- a/kubernetes/operationcode_python_backend/overlays/prod/ingress.yaml +++ b/kubernetes/operationcode_python_backend/overlays/prod/ingress.yaml 
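Review bot: The new VerticalPodAutoscaler in the first hunk of kubernetes/operationcode_python_backend/base/deployment.yaml has no `updatePolicy`, so it runs in the default `Auto` mode and evicts the pod whenever it wants to apply a new recommendation, while the same hunk lowers `replicas` from 2 to 1; every resize therefore takes the only back-end pod down until a replacement is scheduled, which is slower still on Fargate. Until there is more than one replica, add `  updatePolicy:` / `    updateMode: "Initial"` under the VPA `spec` (apply recommendations only when a pod is created) or use `"Off"` to collect recommendations without acting on them, or keep `replicas: 2`. The Deployment's container spec continues in the second hunk and beyond it.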
@@ -1,20 +1,21 @@ apiVersion: extensions/v1beta1 kind: Ingress metadata: - annotations: - kubernetes.io/ingress.class: nginx - kubernetes.io/tls-acme: "true" name: back-end + annotations: + kubernetes.io/ingress.class: alb + alb.ingress.kubernetes.io/scheme: internet-facing + alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:633607774026:certificate/d59d030e-0239-4bfa-8553-e4bafb6481b4 + alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-2017-01 + external-dns.alpha.kubernetes.io/hostname: backend.k8s.operationcode.org + labels: + app: back-end spec: rules: - - host: api.operationcode.org + - host: backend.k8s.operationcode.org http: paths: - backend: serviceName: back-end-service servicePort: 80 path: / - tls: - - hosts: - - api.operationcode.org - secretName: back-end-tls diff --git a/kubernetes/operationcode_python_backend/overlays/staging/ingress.yaml b/kubernetes/operationcode_python_backend/overlays/staging/ingress.yaml index e06515b..382cda4 100644 --- a/kubernetes/operationcode_python_backend/overlays/staging/ingress.yaml +++ b/kubernetes/operationcode_python_backend/overlays/staging/ingress.yaml @@ -1,20 +1,21 @@ apiVersion: extensions/v1beta1 kind: Ingress metadata: - annotations: - kubernetes.io/ingress.class: nginx - kubernetes.io/tls-acme: "true" name: back-end + annotations: + kubernetes.io/ingress.class: alb + alb.ingress.kubernetes.io/scheme: internet-facing + alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:633607774026:certificate/d59d030e-0239-4bfa-8553-e4bafb6481b4 + alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-2017-01 + external-dns.alpha.kubernetes.io/hostname: backend-staging.k8s.operationcode.org + labels: + app: back-end spec: rules: - - host: api.staging.operationcode.org + - host: backend-staging.k8s.operationcode.org http: paths: - backend: serviceName: back-end-service servicePort: 80 path: / - tls: - - hosts: - - api.staging.operationcode.org - secretName: back-end-tls 
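Review bot: Neither ingress in this hunk sets `alb.ingress.kubernetes.io/target-type`, so the ALB ingress controller falls back to instance mode, which routes through a NodePort on worker nodes; the operationcode and operationcode-staging namespaces are placed on Fargate by the eksctl ClusterConfig added later in this series, and as far as I can tell from the EKS docs Fargate pods are only reachable from an ALB with `alb.ingress.kubernetes.io/target-type: ip`. Using IP targets would also make the later service.yaml change in patch 3 (`type: ClusterIP` → `type: NodePort`) unnecessary, since pod IPs are registered directly and no node port has to be opened on the managed node group; the same applies to the reworked prod and staging ingress hunks in patch 4. The TLS side is reasonable, the ACM certificate and `ELBSecurityPolicy-TLS-1-2-2017-01` replace the removed kube-lego `tls` block, but the certificate ARN is now duplicated verbatim in the prod and staging overlays, so a certificate rotation must be applied in two places; a shared kustomize patch would keep them in step.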
diff --git a/kubernetes/vertical-pod-autoscaler/README.md b/kubernetes/vertical-pod-autoscaler/README.md new file mode 100644 index 0000000..37fec87 --- /dev/null +++ b/kubernetes/vertical-pod-autoscaler/README.md @@ -0,0 +1,3 @@ +# Setup + +to recreate, follow these instructions: https://docs.aws.amazon.com/eks/latest/userguide/vertical-pod-autoscaler.html From 88f46ffa71a5f086fd7c14fb49c9917189c27fae Mon Sep 17 00:00:00 2001 From: Irving Popovetsky Date: Sun, 23 Feb 2020 16:47:17 -0800 Subject: [PATCH 2/8] cleanup: remove grafana ingress bits Signed-off-by: Irving Popovetsky --- kubernetes/monitoring/base/kustomization.yaml | 2 -- .../monitoring/overlays/prod/ingress.yaml | 20 ------------------- .../overlays/prod/kustomization.yaml | 10 ---------- 3 files changed, 32 deletions(-) delete mode 100644 kubernetes/monitoring/base/kustomization.yaml delete mode 100644 kubernetes/monitoring/overlays/prod/ingress.yaml delete mode 100644 kubernetes/monitoring/overlays/prod/kustomization.yaml diff --git a/kubernetes/monitoring/base/kustomization.yaml b/kubernetes/monitoring/base/kustomization.yaml deleted file mode 100644 index 4ea1bcc..0000000 --- a/kubernetes/monitoring/base/kustomization.yaml +++ /dev/null @@ -1,2 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization diff --git a/kubernetes/monitoring/overlays/prod/ingress.yaml b/kubernetes/monitoring/overlays/prod/ingress.yaml deleted file mode 100644 index af567c4..0000000 --- a/kubernetes/monitoring/overlays/prod/ingress.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - annotations: - kubernetes.io/ingress.class: nginx - kubernetes.io/tls-acme: "true" - name: grafana -spec: - rules: - - host: dashboards.operationcode.org - http: - paths: - - backend: - serviceName: grafana - servicePort: 3000 - path: / - tls: - - hosts: - - dashboards.operationcode.org - secretName: grafana-tls 
diff --git a/kubernetes/monitoring/overlays/prod/kustomization.yaml b/kubernetes/monitoring/overlays/prod/kustomization.yaml deleted file mode 100644 index e98d0a8..0000000 --- a/kubernetes/monitoring/overlays/prod/kustomization.yaml +++ /dev/null @@ -1,10 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization - -namespace: monitoring - -bases: -- ../../base - -resources: -- ingress.yaml \ No newline at end of file From cd89c2e922e5bdef662559a3439cfc562b607c30 Mon Sep 17 00:00:00 2001 From: Irving Popovetsky Date: Sun, 23 Feb 2020 16:56:34 -0800 Subject: [PATCH 3/8] fix service type for ALB ingress controller to work right, disable external-dns debug logging Signed-off-by: Irving Popovetsky --- kubernetes/external-dns/external-dns.yaml | 2 +- kubernetes/operationcode_python_backend/base/service.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/kubernetes/external-dns/external-dns.yaml b/kubernetes/external-dns/external-dns.yaml index a3f25ee..b84b621 100644 --- a/kubernetes/external-dns/external-dns.yaml +++ b/kubernetes/external-dns/external-dns.yaml @@ -67,6 +67,6 @@ spec: - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both) - --registry=txt - --txt-owner-id=operationcode-backend - - --log-level=debug + # - --log-level=debug securityContext: fsGroup: 65534 # For ExternalDNS to be able to read Kubernetes and AWS token files diff --git a/kubernetes/operationcode_python_backend/base/service.yaml b/kubernetes/operationcode_python_backend/base/service.yaml index f026dce..15760b8 100644 --- a/kubernetes/operationcode_python_backend/base/service.yaml +++ b/kubernetes/operationcode_python_backend/base/service.yaml @@ -10,4 +10,4 @@ spec: name: http port: 80 targetPort: 8000 - type: ClusterIP + type: NodePort From 15cf4b3510b9425fa5372c4ef4709029c6b570ec Mon Sep 17 00:00:00 2001 
From: Irving Popovetsky Date: Sun, 23 Feb 2020 18:09:36 -0800 Subject: [PATCH 4/8] Cleanup ingresses so they actually allow requests, fix EXTRA_HOSTS so they recognize the new names Signed-off-by: Irving Popovetsky --- .../operationcode_python_backend/base/deployment.yaml | 4 ++-- .../overlays/prod/deployment.yaml | 4 ++-- .../overlays/prod/ingress.yaml | 8 +++++--- .../overlays/staging/deployment.yaml | 4 +++- .../overlays/staging/ingress.yaml | 7 ++++--- 5 files changed, 16 insertions(+), 11 deletions(-) diff --git a/kubernetes/operationcode_python_backend/base/deployment.yaml b/kubernetes/operationcode_python_backend/base/deployment.yaml index cecf024..a5a3424 100644 --- a/kubernetes/operationcode_python_backend/base/deployment.yaml +++ b/kubernetes/operationcode_python_backend/base/deployment.yaml @@ -9,13 +9,13 @@ spec: kind: Deployment name: back-end --- -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: back-end spec: replicas: 1 - revisionHistoryLimit: 5 + revisionHistoryLimit: 1 template: spec: containers: diff --git a/kubernetes/operationcode_python_backend/overlays/prod/deployment.yaml b/kubernetes/operationcode_python_backend/overlays/prod/deployment.yaml index 3bd0fd3..1b31d03 100644 --- a/kubernetes/operationcode_python_backend/overlays/prod/deployment.yaml +++ b/kubernetes/operationcode_python_backend/overlays/prod/deployment.yaml @@ -1,4 +1,4 @@ -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: back-end @@ -14,7 +14,7 @@ spec: - name: ENVIRONMENT value: aws_prod - name: EXTRA_HOSTS - value: api.operationcode.org + value: backend.k8s.operationcode.org - name: RELEASE value: 1.0.1 - name: SITE_ID diff --git a/kubernetes/operationcode_python_backend/overlays/prod/ingress.yaml b/kubernetes/operationcode_python_backend/overlays/prod/ingress.yaml index 85a085b..3587e92 100644 --- a/kubernetes/operationcode_python_backend/overlays/prod/ingress.yaml 
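Review bot: The switch to `apiVersion: apps/v1` in base/deployment.yaml makes `spec.selector` mandatory (the extensions/v1beta1 API defaulted it from the template labels), and the new-side lines between `spec:` and `template:` show only `replicas` and `revisionHistoryLimit`; unless a `selector:` / `  matchLabels:` block sits further down the file outside this hunk, the apply will be rejected with a missing-field error. The prod and staging overlay deployments changed in this patch are strategic-merge patches on top of the base, so fixing the base is enough for them. `revisionHistoryLimit: 1` also keeps exactly one old ReplicaSet, so `kubectl rollout undo` can step back only once; if that is a deliberate cost trade-off, a comment on that line would help the next reader.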
+++ b/kubernetes/operationcode_python_backend/overlays/prod/ingress.yaml @@ -4,8 +4,9 @@ metadata: name: back-end annotations: kubernetes.io/ingress.class: alb - alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:633607774026:certificate/d59d030e-0239-4bfa-8553-e4bafb6481b4 + alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]' + alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-2017-01 external-dns.alpha.kubernetes.io/hostname: backend.k8s.operationcode.org labels: @@ -15,7 +16,8 @@ spec: - host: backend.k8s.operationcode.org http: paths: - - backend: + - path: /* + backend: serviceName: back-end-service servicePort: 80 - path: / + diff --git a/kubernetes/operationcode_python_backend/overlays/staging/deployment.yaml b/kubernetes/operationcode_python_backend/overlays/staging/deployment.yaml index 2154713..fcc7b24 100644 --- a/kubernetes/operationcode_python_backend/overlays/staging/deployment.yaml +++ b/kubernetes/operationcode_python_backend/overlays/staging/deployment.yaml @@ -1,4 +1,4 @@ -apiVersion: extensions/v1beta1 +apiVersion: apps/v1 kind: Deployment metadata: name: back-end @@ -13,6 +13,8 @@ spec: value: python-staging.czwauqf3tjaz.us-east-2.rds.amazonaws.com - name: ENVIRONMENT value: aws_staging + - name: EXTRA_HOSTS + value: backend-staging.k8s.operationcode.org - name: RELEASE value: 1.0.1 - name: DJANGO_ENV diff --git a/kubernetes/operationcode_python_backend/overlays/staging/ingress.yaml b/kubernetes/operationcode_python_backend/overlays/staging/ingress.yaml index 382cda4..c68deb7 100644 --- a/kubernetes/operationcode_python_backend/overlays/staging/ingress.yaml +++ b/kubernetes/operationcode_python_backend/overlays/staging/ingress.yaml 
@@ -4,8 +4,9 @@ metadata: name: back-end annotations: kubernetes.io/ingress.class: alb - alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:633607774026:certificate/d59d030e-0239-4bfa-8553-e4bafb6481b4 + alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]' + alb.ingress.kubernetes.io/scheme: internet-facing alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-2017-01 external-dns.alpha.kubernetes.io/hostname: backend-staging.k8s.operationcode.org labels: @@ -15,7 +16,7 @@ spec: - host: backend-staging.k8s.operationcode.org http: paths: - - backend: + - path: /* + backend: serviceName: back-end-service servicePort: 80 - path: / From 16e56361525526e7d5c1b7cdf83cf40db9e865a6 Mon Sep 17 00:00:00 2001 From: Irving Popovetsky Date: Sun, 23 Feb 2020 18:36:38 -0800 Subject: [PATCH 5/8] Add the template for eksctl plus a simple readme Signed-off-by: Irving Popovetsky --- kubernetes/README.md | 8 +++ .../aws-alb-ingress-controller/README.txt | 0 .../external-dns.yaml | 0 .../external-dns/external-dns.yaml | 0 kubernetes/eksctl/operationcode-backend.yaml | 50 +++++++++++++++++++ .../vertical-pod-autoscaler/README.md | 0 6 files changed, 58 insertions(+) create mode 100644 kubernetes/README.md rename kubernetes/{ => eksctl}/aws-alb-ingress-controller/README.txt (100%) rename kubernetes/{ => eksctl}/aws-alb-ingress-controller/external-dns.yaml (100%) rename kubernetes/{ => eksctl}/external-dns/external-dns.yaml (100%) create mode 100644 kubernetes/eksctl/operationcode-backend.yaml rename kubernetes/{ => eksctl}/vertical-pod-autoscaler/README.md (100%) diff --git a/kubernetes/README.md b/kubernetes/README.md new file mode 100644 index 0000000..e42b22b --- /dev/null +++ b/kubernetes/README.md 
@@ -0,0 +1,8 @@ +# Setup + +To re-create a cluster, everything you need is in the eksctl/ folder. Use eksctl with the `operationcode-backend.yaml` config file to create the cluster. +Then install the controllers: +* aws-alb-ingress-controller +* external-dns +* vertical-pod-autoscaler + diff --git a/kubernetes/aws-alb-ingress-controller/README.txt b/kubernetes/eksctl/aws-alb-ingress-controller/README.txt similarity index 100% rename from kubernetes/aws-alb-ingress-controller/README.txt rename to kubernetes/eksctl/aws-alb-ingress-controller/README.txt diff --git a/kubernetes/aws-alb-ingress-controller/external-dns.yaml b/kubernetes/eksctl/aws-alb-ingress-controller/external-dns.yaml similarity index 100% rename from kubernetes/aws-alb-ingress-controller/external-dns.yaml rename to kubernetes/eksctl/aws-alb-ingress-controller/external-dns.yaml diff --git a/kubernetes/external-dns/external-dns.yaml b/kubernetes/eksctl/external-dns/external-dns.yaml similarity index 100% rename from kubernetes/external-dns/external-dns.yaml rename to kubernetes/eksctl/external-dns/external-dns.yaml diff --git a/kubernetes/eksctl/operationcode-backend.yaml b/kubernetes/eksctl/operationcode-backend.yaml new file mode 100644 index 0000000..fec026e --- /dev/null +++ b/kubernetes/eksctl/operationcode-backend.yaml 
@@ -0,0 +1,50 @@
+---
+apiVersion: eksctl.io/v1alpha5
+kind: ClusterConfig
+
+metadata:
+ name: operationcode-backend
+ region: us-east-2
+
+fargateProfiles:
+ - name: fp-default
+ selectors:
+ - namespace: default
+ - namespace: kube-system
+ - name: operationcode-backends
+ selectors:
+ - namespace: operationcode
+ - namespace: operationcode-staging
+
+nodeGroups:
+ - name: eks-infra-nodes-spot
+ minSize: 1
+ desiredCapacity: 1
+ maxSize: 2
+ # use Spot instance pricing
+ instancesDistribution:
+ instanceTypes:
+ - t3a.micro
+ - t3a.small
+ volumeSize: 10
+ volumeType: gp2
+ ssh:
+ allow: true
+ publicKeyName: oc-ops
+ labels:
+ nodegroup-type: infra
+ tags:
+ Name: eks-infra-nodes
+ iam:
+ withAddonPolicies:
+ imageBuilder: true
+ autoScaler: true
+ externalDNS: true
+ certManager: true
+ appMesh: true
+ ebs: true
+ fsx: true
+ efs: true
+ albIngress: true
+ xRay: true
+ cloudWatch: true
diff --git a/kubernetes/vertical-pod-autoscaler/README.md b/kubernetes/eksctl/vertical-pod-autoscaler/README.md similarity index 100% rename from kubernetes/vertical-pod-autoscaler/README.md rename to kubernetes/eksctl/vertical-pod-autoscaler/README.md From fadc3709e9ce0bfed729e5be3d5edc161ed2d46f Mon Sep 17 00:00:00 2001 From: Irving Popovetsky Date: Mon, 24 Feb 2020 07:32:10 -0800 Subject: [PATCH 6/8] worried spot types aren't going to work for us, rather going with 1 small managed node Signed-off-by: Irving Popovetsky --- kubernetes/eksctl/operationcode-backend.yaml | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-)
diff --git a/kubernetes/eksctl/operationcode-backend.yaml b/kubernetes/eksctl/operationcode-backend.yaml
index fec026e..7f9c21d 100644
--- a/kubernetes/eksctl/operationcode-backend.yaml
+++ b/kubernetes/eksctl/operationcode-backend.yaml
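Review bot: `ssh:` / `allow: true` with only a `publicKeyName` and no `sourceSecurityGroupIds` makes eksctl, as I recall from its docs, open port 22 on the node security group to 0.0.0.0/0, so every infra node gets an internet-reachable SSH port guarded only by the `oc-ops` key; restrict it with `sourceSecurityGroupIds`, or drop the `ssh` block and rely on SSM Session Manager, and note the same block is carried over unchanged into the `managedNodeGroups` rewrite in patch 6. The `withAddonPolicies` list also grants the node instance role imageBuilder, appMesh, fsx, efs, ebs, xRay and certManager permissions, while the README added in this patch names only the ALB ingress controller, external-dns and the VPA as installed controllers. Every pod scheduled on those nodes can use the instance role through the metadata endpoint, so enabling only the policies for controllers that actually run there, or better `iam:` / `withOIDC: true` with per-service-account roles for the two controllers, keeps the blast radius of a compromised pod small.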
@@ -16,18 +16,13 @@ fargateProfiles: - namespace: operationcode - namespace: operationcode-staging -nodeGroups: - - name: eks-infra-nodes-spot +managedNodeGroups: + - name: eks-infra-nodes minSize: 1 desiredCapacity: 1 maxSize: 2 - # use Spot instance pricing - instancesDistribution: - instanceTypes: - - t3a.micro - - t3a.small - volumeSize: 10 - volumeType: gp2 + instanceType: t3a.small + volumeSize: 20 ssh: allow: true publicKeyName: oc-ops From 120fb3c3c08e019b233914b6f7b5c91873066b0d Mon Sep 17 00:00:00 2001 From: Irving Popovetsky Date: Mon, 24 Feb 2020 12:44:19 -0800 Subject: [PATCH 7/8] Add ArgoCD install notes and modified install.yaml Signed-off-by: Irving Popovetsky --- kubernetes/argocd/README.md | 4 + kubernetes/argocd/install.yaml | 2413 ++++++++++++++++++++++++++++++++ 2 files changed, 2417 insertions(+) create mode 100644 kubernetes/argocd/README.md create mode 100644 kubernetes/argocd/install.yaml diff --git a/kubernetes/argocd/README.md b/kubernetes/argocd/README.md new file mode 100644 index 0000000..b36f1bf --- /dev/null +++ b/kubernetes/argocd/README.md @@ -0,0 +1,4 @@ +# Setup + +The install.yaml in this folder is slightly modified from the [ArgoCD setup instructions](https://argoproj.github.io/argo-cd/getting_started/), the Redis server has been configured to persist data. Please keep that in mind and don't update from the stock install.yaml file + diff --git a/kubernetes/argocd/install.yaml b/kubernetes/argocd/install.yaml new file mode 100644 index 0000000..ad8267b --- /dev/null +++ b/kubernetes/argocd/install.yaml 
@@ -0,0 +1,2413 @@ +# This is an auto-generated file. DO NOT EDIT +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/name: applications.argoproj.io + app.kubernetes.io/part-of: argocd + name: applications.argoproj.io +spec: + group: argoproj.io + names: + kind: Application + listKind: ApplicationList + plural: applications + shortNames: + - app + - apps + singular: application + scope: Namespaced + validation: + openAPIV3Schema: + description: Application is a definition of Application resource. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + operation: + description: Operation contains requested operation parameters. + properties: + sync: + description: SyncOperation contains sync operation details. + properties: + dryRun: + description: DryRun will perform a `kubectl apply --dry-run` without + actually performing the sync + type: boolean + manifests: + description: Manifests is an optional field that overrides sync + source with a local directory for development + items: + type: string + type: array + prune: + description: Prune deletes resources that are no longer tracked + in git + type: boolean + resources: + description: Resources describes which resources to sync + items: + description: SyncOperationResource contains resources to sync. 
+ properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + type: array + revision: + description: Revision is the revision in which to sync the application + to. If omitted, will use the revision specified in app spec. + type: string + source: + description: Source overrides the source definition set in the application. + This is typically set in a Rollback operation and nil during a + Sync operation + properties: + chart: + description: Chart is a Helm chart name + type: string + directory: + description: Directory holds path/directory specific options + properties: + jsonnet: + description: ApplicationSourceJsonnet holds jsonnet specific + options + properties: + extVars: + description: ExtVars is a list of Jsonnet External Variables + items: + description: JsonnetVar is a jsonnet variable + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level Arguments + items: + description: JsonnetVar is a jsonnet variable + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + description: Helm holds helm specific options + properties: + parameters: + description: Parameters are parameters to the helm template + items: + description: HelmParameter is a parameter to a helm template + properties: + forceString: + description: ForceString determines whether to tell + Helm to interpret booleans and numbers as strings + type: boolean + name: + description: Name is the name of the helm parameter + type: string + value: + description: Value is the value for the helm parameter + type: string + type: object + type: array + releaseName: + description: The Helm release name. 
If omitted it will use + the application name + type: string + valueFiles: + description: ValuesFiles is a list of Helm value files to + use when generating a template + items: + type: string + type: array + values: + description: Values is Helm values, typically defined as + a block + type: string + type: object + ksonnet: + description: Ksonnet holds ksonnet specific options + properties: + environment: + description: Environment is a ksonnet application environment + name + type: string + parameters: + description: Parameters are a list of ksonnet component + parameter override values + items: + description: KsonnetParameter is a ksonnet component parameter + properties: + component: + type: string + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + kustomize: + description: Kustomize holds kustomize specific options + properties: + commonLabels: + additionalProperties: + type: string + description: CommonLabels adds additional kustomize commonLabels + type: object + images: + description: Images are kustomize image overrides + items: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended to resources + for kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended to resources + for kustomize apps + type: string + type: object + path: + description: Path is a directory path within the Git repository + type: string + plugin: + description: ConfigManagementPlugin holds config management + plugin specific options + properties: + env: + items: + properties: + name: + description: the name, usually uppercase + type: string + value: + description: the value + type: string + required: + - name + - value + type: object + type: array + name: + type: string + type: object + repoURL: + description: RepoURL is the repository URL of the application + manifests + type: string + targetRevision: + description: TargetRevision defines the 
commit, tag, or branch + in which to sync the application to. If omitted, will sync + to HEAD + type: string + required: + - repoURL + type: object + syncStrategy: + description: SyncStrategy describes how to perform the sync + properties: + apply: + description: Apply wil perform a `kubectl apply` to perform + the sync. + properties: + force: + description: Force indicates whether or not to supply the + --force flag to `kubectl apply`. The --force flag deletes + and re-create the resource, when PATCH encounters conflict + and has retried for 5 times. + type: boolean + type: object + hook: + description: Hook will submit any referenced resources to perform + the sync. This is the default strategy + properties: + force: + description: Force indicates whether or not to supply the + --force flag to `kubectl apply`. The --force flag deletes + and re-create the resource, when PATCH encounters conflict + and has retried for 5 times. + type: boolean + type: object + type: object + type: object + type: object + spec: + description: ApplicationSpec represents desired application state. Contains + link to repository with application definition and additional parameters + link definition revision. + properties: + destination: + description: Destination overrides the kubernetes server and namespace + defined in the environment ksonnet app.yaml + properties: + namespace: + description: Namespace overrides the environment namespace value + in the ksonnet app.yaml + type: string + server: + description: Server overrides the environment server value in the + ksonnet app.yaml + type: string + type: object + ignoreDifferences: + description: IgnoreDifferences controls resources fields which should + be ignored during comparison + items: + description: ResourceIgnoreDifferences contains resource filter and + list of json paths which should be ignored during comparison with + live state. 
+ properties: + group: + type: string + jsonPointers: + items: + type: string + type: array + kind: + type: string + name: + type: string + namespace: + type: string + required: + - jsonPointers + - kind + type: object + type: array + info: + description: Infos contains a list of useful information (URLs, email + addresses, and plain text) that relates to the application + items: + properties: + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + project: + description: Project is a application project name. Empty name means + that application belongs to 'default' project. + type: string + revisionHistoryLimit: + description: This limits this number of items kept in the apps revision + history. This should only be changed in exceptional circumstances. + Setting to zero will store no history. This will reduce storage used. + Increasing will increase the space used to store the history, so we + do not recommend increasing it. Default is 10. 
+ format: int64 + type: integer + source: + description: Source is a reference to the location ksonnet application + definition + properties: + chart: + description: Chart is a Helm chart name + type: string + directory: + description: Directory holds path/directory specific options + properties: + jsonnet: + description: ApplicationSourceJsonnet holds jsonnet specific + options + properties: + extVars: + description: ExtVars is a list of Jsonnet External Variables + items: + description: JsonnetVar is a jsonnet variable + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level Arguments + items: + description: JsonnetVar is a jsonnet variable + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + description: Helm holds helm specific options + properties: + parameters: + description: Parameters are parameters to the helm template + items: + description: HelmParameter is a parameter to a helm template + properties: + forceString: + description: ForceString determines whether to tell Helm + to interpret booleans and numbers as strings + type: boolean + name: + description: Name is the name of the helm parameter + type: string + value: + description: Value is the value for the helm parameter + type: string + type: object + type: array + releaseName: + description: The Helm release name. 
If omitted it will use the + application name + type: string + valueFiles: + description: ValuesFiles is a list of Helm value files to use + when generating a template + items: + type: string + type: array + values: + description: Values is Helm values, typically defined as a block + type: string + type: object + ksonnet: + description: Ksonnet holds ksonnet specific options + properties: + environment: + description: Environment is a ksonnet application environment + name + type: string + parameters: + description: Parameters are a list of ksonnet component parameter + override values + items: + description: KsonnetParameter is a ksonnet component parameter + properties: + component: + type: string + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + kustomize: + description: Kustomize holds kustomize specific options + properties: + commonLabels: + additionalProperties: + type: string + description: CommonLabels adds additional kustomize commonLabels + type: object + images: + description: Images are kustomize image overrides + items: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended to resources for + kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended to resources for + kustomize apps + type: string + type: object + path: + description: Path is a directory path within the Git repository + type: string + plugin: + description: ConfigManagementPlugin holds config management plugin + specific options + properties: + env: + items: + properties: + name: + description: the name, usually uppercase + type: string + value: + description: the value + type: string + required: + - name + - value + type: object + type: array + name: + type: string + type: object + repoURL: + description: RepoURL is the repository URL of the application manifests + type: string + targetRevision: + description: TargetRevision defines the commit, 
tag, or branch in + which to sync the application to. If omitted, will sync to HEAD + type: string + required: + - repoURL + type: object + syncPolicy: + description: SyncPolicy controls when a sync will be performed + properties: + automated: + description: Automated will keep an application synced to the target + revision + properties: + prune: + description: 'Prune will prune resources automatically as part + of automated sync (default: false)' + type: boolean + selfHeal: + description: 'SelfHeal enables auto-syncing if (default: false)' + type: boolean + type: object + type: object + required: + - destination + - project + - source + type: object + status: + description: ApplicationStatus contains information about application sync, + health status + properties: + conditions: + items: + description: ApplicationCondition contains details about current application + condition + properties: + lastTransitionTime: + description: LastTransitionTime is the time the condition was + first observed. + format: date-time + type: string + message: + description: Message contains human-readable message indicating + details about condition + type: string + type: + description: Type is an application condition type + type: string + required: + - message + - type + type: object + type: array + health: + properties: + message: + type: string + status: + type: string + type: object + history: + description: RevisionHistories is a array of history, oldest first and + newest last + items: + description: RevisionHistory contains information relevant to an application + deployment + properties: + deployedAt: + format: date-time + type: string + id: + format: int64 + type: integer + revision: + type: string + source: + description: ApplicationSource contains information about github + repository, path within repository and target application environment. 
+ properties: + chart: + description: Chart is a Helm chart name + type: string + directory: + description: Directory holds path/directory specific options + properties: + jsonnet: + description: ApplicationSourceJsonnet holds jsonnet specific + options + properties: + extVars: + description: ExtVars is a list of Jsonnet External + Variables + items: + description: JsonnetVar is a jsonnet variable + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level Arguments + items: + description: JsonnetVar is a jsonnet variable + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + description: Helm holds helm specific options + properties: + parameters: + description: Parameters are parameters to the helm template + items: + description: HelmParameter is a parameter to a helm + template + properties: + forceString: + description: ForceString determines whether to tell + Helm to interpret booleans and numbers as strings + type: boolean + name: + description: Name is the name of the helm parameter + type: string + value: + description: Value is the value for the helm parameter + type: string + type: object + type: array + releaseName: + description: The Helm release name. 
If omitted it will + use the application name + type: string + valueFiles: + description: ValuesFiles is a list of Helm value files + to use when generating a template + items: + type: string + type: array + values: + description: Values is Helm values, typically defined + as a block + type: string + type: object + ksonnet: + description: Ksonnet holds ksonnet specific options + properties: + environment: + description: Environment is a ksonnet application environment + name + type: string + parameters: + description: Parameters are a list of ksonnet component + parameter override values + items: + description: KsonnetParameter is a ksonnet component + parameter + properties: + component: + type: string + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + kustomize: + description: Kustomize holds kustomize specific options + properties: + commonLabels: + additionalProperties: + type: string + description: CommonLabels adds additional kustomize commonLabels + type: object + images: + description: Images are kustomize image overrides + items: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended to resources + for kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended to resources + for kustomize apps + type: string + type: object + path: + description: Path is a directory path within the Git repository + type: string + plugin: + description: ConfigManagementPlugin holds config management + plugin specific options + properties: + env: + items: + properties: + name: + description: the name, usually uppercase + type: string + value: + description: the value + type: string + required: + - name + - value + type: object + type: array + name: + type: string + type: object + repoURL: + description: RepoURL is the repository URL of the application + manifests + type: string + targetRevision: + description: TargetRevision defines the 
commit, tag, or branch + in which to sync the application to. If omitted, will sync + to HEAD + type: string + required: + - repoURL + type: object + required: + - deployedAt + - id + - revision + type: object + type: array + observedAt: + description: ObservedAt indicates when the application state was updated + without querying latest git state + format: date-time + type: string + operationState: + description: OperationState contains information about state of currently + performing operation on application. + properties: + finishedAt: + description: FinishedAt contains time of operation completion + format: date-time + type: string + message: + description: Message hold any pertinent messages when attempting + to perform operation (typically errors). + type: string + operation: + description: Operation is the original requested operation + properties: + sync: + description: SyncOperation contains sync operation details. + properties: + dryRun: + description: DryRun will perform a `kubectl apply --dry-run` + without actually performing the sync + type: boolean + manifests: + description: Manifests is an optional field that overrides + sync source with a local directory for development + items: + type: string + type: array + prune: + description: Prune deletes resources that are no longer + tracked in git + type: boolean + resources: + description: Resources describes which resources to sync + items: + description: SyncOperationResource contains resources + to sync. + properties: + group: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + type: array + revision: + description: Revision is the revision in which to sync the + application to. If omitted, will use the revision specified + in app spec. + type: string + source: + description: Source overrides the source definition set + in the application. 
This is typically set in a Rollback + operation and nil during a Sync operation + properties: + chart: + description: Chart is a Helm chart name + type: string + directory: + description: Directory holds path/directory specific + options + properties: + jsonnet: + description: ApplicationSourceJsonnet holds jsonnet + specific options + properties: + extVars: + description: ExtVars is a list of Jsonnet External + Variables + items: + description: JsonnetVar is a jsonnet variable + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level + Arguments + items: + description: JsonnetVar is a jsonnet variable + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + description: Helm holds helm specific options + properties: + parameters: + description: Parameters are parameters to the helm + template + items: + description: HelmParameter is a parameter to a + helm template + properties: + forceString: + description: ForceString determines whether + to tell Helm to interpret booleans and numbers + as strings + type: boolean + name: + description: Name is the name of the helm + parameter + type: string + value: + description: Value is the value for the helm + parameter + type: string + type: object + type: array + releaseName: + description: The Helm release name. 
If omitted it + will use the application name + type: string + valueFiles: + description: ValuesFiles is a list of Helm value + files to use when generating a template + items: + type: string + type: array + values: + description: Values is Helm values, typically defined + as a block + type: string + type: object + ksonnet: + description: Ksonnet holds ksonnet specific options + properties: + environment: + description: Environment is a ksonnet application + environment name + type: string + parameters: + description: Parameters are a list of ksonnet component + parameter override values + items: + description: KsonnetParameter is a ksonnet component + parameter + properties: + component: + type: string + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + kustomize: + description: Kustomize holds kustomize specific options + properties: + commonLabels: + additionalProperties: + type: string + description: CommonLabels adds additional kustomize + commonLabels + type: object + images: + description: Images are kustomize image overrides + items: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended to + resources for kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended to + resources for kustomize apps + type: string + type: object + path: + description: Path is a directory path within the Git + repository + type: string + plugin: + description: ConfigManagementPlugin holds config management + plugin specific options + properties: + env: + items: + properties: + name: + description: the name, usually uppercase + type: string + value: + description: the value + type: string + required: + - name + - value + type: object + type: array + name: + type: string + type: object + repoURL: + description: RepoURL is the repository URL of the application + manifests + type: string + targetRevision: + description: TargetRevision defines 
the commit, tag, + or branch in which to sync the application to. If + omitted, will sync to HEAD + type: string + required: + - repoURL + type: object + syncStrategy: + description: SyncStrategy describes how to perform the sync + properties: + apply: + description: Apply wil perform a `kubectl apply` to + perform the sync. + properties: + force: + description: Force indicates whether or not to supply + the --force flag to `kubectl apply`. The --force + flag deletes and re-create the resource, when + PATCH encounters conflict and has retried for + 5 times. + type: boolean + type: object + hook: + description: Hook will submit any referenced resources + to perform the sync. This is the default strategy + properties: + force: + description: Force indicates whether or not to supply + the --force flag to `kubectl apply`. The --force + flag deletes and re-create the resource, when + PATCH encounters conflict and has retried for + 5 times. + type: boolean + type: object + type: object + type: object + type: object + phase: + description: Phase is the current phase of the operation + type: string + startedAt: + description: StartedAt contains time of operation start + format: date-time + type: string + syncResult: + description: SyncResult is the result of a Sync operation + properties: + resources: + description: Resources holds the sync result of each individual + resource + items: + description: ResourceResult holds the operation result details + of a specific resource + properties: + group: + type: string + hookPhase: + description: 'the state of any operation associated with + this resource OR hook note: can contain values for non-hook + resources' + type: string + hookType: + description: the type of the hook, empty for non-hook + resources + type: string + kind: + type: string + message: + description: message for the last sync OR operation + type: string + name: + type: string + namespace: + type: string + status: + description: the final result of the sync, this 
is be + empty if the resources is yet to be applied/pruned and + is always zero-value for hooks + type: string + syncPhase: + description: indicates the particular phase of the sync + that this is for + type: string + version: + type: string + required: + - group + - kind + - name + - namespace + - version + type: object + type: array + revision: + description: Revision holds the revision of the sync + type: string + source: + description: Source records the application source information + of the sync, used for comparing auto-sync + properties: + chart: + description: Chart is a Helm chart name + type: string + directory: + description: Directory holds path/directory specific options + properties: + jsonnet: + description: ApplicationSourceJsonnet holds jsonnet + specific options + properties: + extVars: + description: ExtVars is a list of Jsonnet External + Variables + items: + description: JsonnetVar is a jsonnet variable + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level + Arguments + items: + description: JsonnetVar is a jsonnet variable + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + description: Helm holds helm specific options + properties: + parameters: + description: Parameters are parameters to the helm template + items: + description: HelmParameter is a parameter to a helm + template + properties: + forceString: + description: ForceString determines whether to + tell Helm to interpret booleans and numbers + as strings + type: boolean + name: + description: Name is the name of the helm parameter + type: string + value: + description: Value is the value for the helm parameter + type: string + type: object + type: array + releaseName: + 
description: The Helm release name. If omitted it will + use the application name + type: string + valueFiles: + description: ValuesFiles is a list of Helm value files + to use when generating a template + items: + type: string + type: array + values: + description: Values is Helm values, typically defined + as a block + type: string + type: object + ksonnet: + description: Ksonnet holds ksonnet specific options + properties: + environment: + description: Environment is a ksonnet application environment + name + type: string + parameters: + description: Parameters are a list of ksonnet component + parameter override values + items: + description: KsonnetParameter is a ksonnet component + parameter + properties: + component: + type: string + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + kustomize: + description: Kustomize holds kustomize specific options + properties: + commonLabels: + additionalProperties: + type: string + description: CommonLabels adds additional kustomize + commonLabels + type: object + images: + description: Images are kustomize image overrides + items: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended to resources + for kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended to resources + for kustomize apps + type: string + type: object + path: + description: Path is a directory path within the Git repository + type: string + plugin: + description: ConfigManagementPlugin holds config management + plugin specific options + properties: + env: + items: + properties: + name: + description: the name, usually uppercase + type: string + value: + description: the value + type: string + required: + - name + - value + type: object + type: array + name: + type: string + type: object + repoURL: + description: RepoURL is the repository URL of the application + manifests + type: string + targetRevision: + 
description: TargetRevision defines the commit, tag, or + branch in which to sync the application to. If omitted, + will sync to HEAD + type: string + required: + - repoURL + type: object + required: + - revision + type: object + required: + - operation + - phase + - startedAt + type: object + reconciledAt: + description: ReconciledAt indicates when the application state was reconciled + using the latest git version + format: date-time + type: string + resources: + items: + description: ResourceStatus holds the current sync and health status + of a resource + properties: + group: + type: string + health: + properties: + message: + type: string + status: + type: string + type: object + hook: + type: boolean + kind: + type: string + name: + type: string + namespace: + type: string + requiresPruning: + type: boolean + status: + description: SyncStatusCode is a type which represents possible + comparison results + type: string + version: + type: string + type: object + type: array + sourceType: + type: string + summary: + properties: + externalURLs: + description: ExternalURLs holds all external URLs of application + child resources. + items: + type: string + type: array + images: + description: Images holds all images of application child resources. + items: + type: string + type: array + type: object + sync: + description: SyncStatus is a comparison result of application spec and + deployed application. 
+ properties: + comparedTo: + description: ComparedTo contains application source and target which + was used for resources comparison + properties: + destination: + description: ApplicationDestination contains deployment destination + information + properties: + namespace: + description: Namespace overrides the environment namespace + value in the ksonnet app.yaml + type: string + server: + description: Server overrides the environment server value + in the ksonnet app.yaml + type: string + type: object + source: + description: ApplicationSource contains information about github + repository, path within repository and target application + environment. + properties: + chart: + description: Chart is a Helm chart name + type: string + directory: + description: Directory holds path/directory specific options + properties: + jsonnet: + description: ApplicationSourceJsonnet holds jsonnet + specific options + properties: + extVars: + description: ExtVars is a list of Jsonnet External + Variables + items: + description: JsonnetVar is a jsonnet variable + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + tlas: + description: TLAS is a list of Jsonnet Top-level + Arguments + items: + description: JsonnetVar is a jsonnet variable + properties: + code: + type: boolean + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + recurse: + type: boolean + type: object + helm: + description: Helm holds helm specific options + properties: + parameters: + description: Parameters are parameters to the helm template + items: + description: HelmParameter is a parameter to a helm + template + properties: + forceString: + description: ForceString determines whether to + tell Helm to interpret booleans and numbers + as strings + type: boolean + name: + description: Name is the name of the helm parameter + type: string + value: + 
description: Value is the value for the helm parameter + type: string + type: object + type: array + releaseName: + description: The Helm release name. If omitted it will + use the application name + type: string + valueFiles: + description: ValuesFiles is a list of Helm value files + to use when generating a template + items: + type: string + type: array + values: + description: Values is Helm values, typically defined + as a block + type: string + type: object + ksonnet: + description: Ksonnet holds ksonnet specific options + properties: + environment: + description: Environment is a ksonnet application environment + name + type: string + parameters: + description: Parameters are a list of ksonnet component + parameter override values + items: + description: KsonnetParameter is a ksonnet component + parameter + properties: + component: + type: string + name: + type: string + value: + type: string + required: + - name + - value + type: object + type: array + type: object + kustomize: + description: Kustomize holds kustomize specific options + properties: + commonLabels: + additionalProperties: + type: string + description: CommonLabels adds additional kustomize + commonLabels + type: object + images: + description: Images are kustomize image overrides + items: + type: string + type: array + namePrefix: + description: NamePrefix is a prefix appended to resources + for kustomize apps + type: string + nameSuffix: + description: NameSuffix is a suffix appended to resources + for kustomize apps + type: string + type: object + path: + description: Path is a directory path within the Git repository + type: string + plugin: + description: ConfigManagementPlugin holds config management + plugin specific options + properties: + env: + items: + properties: + name: + description: the name, usually uppercase + type: string + value: + description: the value + type: string + required: + - name + - value + type: object + type: array + name: + type: string + type: object + 
repoURL: + description: RepoURL is the repository URL of the application + manifests + type: string + targetRevision: + description: TargetRevision defines the commit, tag, or + branch in which to sync the application to. If omitted, + will sync to HEAD + type: string + required: + - repoURL + type: object + required: + - destination + - source + type: object + revision: + type: string + status: + description: SyncStatusCode is a type which represents possible + comparison results + type: string + required: + - status + type: object + type: object + required: + - metadata + - spec + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +--- +apiVersion: apiextensions.k8s.io/v1beta1 +kind: CustomResourceDefinition +metadata: + labels: + app.kubernetes.io/name: appprojects.argoproj.io + app.kubernetes.io/part-of: argocd + name: appprojects.argoproj.io +spec: + group: argoproj.io + names: + kind: AppProject + listKind: AppProjectList + plural: appprojects + shortNames: + - appproj + - appprojs + singular: appproject + scope: Namespaced + validation: + openAPIV3Schema: + description: 'AppProject provides a logical grouping of applications, providing + controls for: * where the apps may deploy to (cluster whitelist) * what may + be deployed (repository whitelist, resource whitelist/blacklist) * who can + access these applications (roles, OIDC group claims bindings) * and what they + can do (RBAC policies) * automation access to these roles (JWT tokens)' + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. 
Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: AppProjectSpec is the specification of an AppProject + properties: + clusterResourceWhitelist: + description: ClusterResourceWhitelist contains list of whitelisted cluster + level resources + items: + description: GroupKind specifies a Group and a Kind, but does not + force a version. This is useful for identifying concepts during + lookup stages without having partially valid types + properties: + group: + type: string + kind: + type: string + required: + - group + - kind + type: object + type: array + description: + description: Description contains optional project description + type: string + destinations: + description: Destinations contains list of destinations available for + deployment + items: + description: ApplicationDestination contains deployment destination + information + properties: + namespace: + description: Namespace overrides the environment namespace value + in the ksonnet app.yaml + type: string + server: + description: Server overrides the environment server value in + the ksonnet app.yaml + type: string + type: object + type: array + namespaceResourceBlacklist: + description: NamespaceResourceBlacklist contains list of blacklisted + namespace level resources + items: + description: GroupKind specifies a Group and a Kind, but does not + force a version. 
This is useful for identifying concepts during + lookup stages without having partially valid types + properties: + group: + type: string + kind: + type: string + required: + - group + - kind + type: object + type: array + orphanedResources: + description: OrphanedResources specifies if controller should monitor + orphaned resources of apps in this project + properties: + warn: + description: Warn indicates if warning condition should be created + for apps which have orphaned resources + type: boolean + type: object + roles: + description: Roles are user defined RBAC roles associated with this + project + items: + description: ProjectRole represents a role that has access to a project + properties: + description: + description: Description is a description of the role + type: string + groups: + description: Groups are a list of OIDC group claims bound to this + role + items: + type: string + type: array + jwtTokens: + description: JWTTokens are a list of generated JWT tokens bound + to this role + items: + description: JWTToken holds the issuedAt and expiresAt values + of a token + properties: + exp: + format: int64 + type: integer + iat: + format: int64 + type: integer + required: + - iat + type: object + type: array + name: + description: Name is a name for this role + type: string + policies: + description: Policies Stores a list of casbin formated strings + that define access policies for the role in the project + items: + type: string + type: array + required: + - name + type: object + type: array + sourceRepos: + description: SourceRepos contains list of repository URLs which can + be used for deployment + items: + type: string + type: array + syncWindows: + description: SyncWindows controls when syncs can be run for apps in + this project + items: + description: SyncWindow contains the kind, time, duration and attributes + that are used to assign the syncWindows to apps + properties: + applications: + description: Applications contains a list of applications 
that + the window will apply to + items: + type: string + type: array + clusters: + description: Clusters contains a list of clusters that the window + will apply to + items: + type: string + type: array + duration: + description: Duration is the amount of time the sync window will + be open + type: string + kind: + description: Kind defines if the window allows or blocks syncs + type: string + manualSync: + description: ManualSync enables manual syncs when they would otherwise + be blocked + type: boolean + namespaces: + description: Namespaces contains a list of namespaces that the + window will apply to + items: + type: string + type: array + schedule: + description: Schedule is the time the window will begin, specified + in cron format + type: string + type: object + type: array + type: object + required: + - metadata + - spec + type: object + version: v1alpha1 + versions: + - name: v1alpha1 + served: true + storage: true +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: application-controller + app.kubernetes.io/name: argocd-application-controller + app.kubernetes.io/part-of: argocd + name: argocd-application-controller +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: dex-server + app.kubernetes.io/name: argocd-dex-server + app.kubernetes.io/part-of: argocd + name: argocd-dex-server +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: argocd-server + app.kubernetes.io/part-of: argocd + name: argocd-server +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: application-controller + app.kubernetes.io/name: argocd-application-controller + app.kubernetes.io/part-of: argocd + name: argocd-application-controller +rules: +- apiGroups: + - "" + resources: + - secrets + - configmaps + verbs: + - get + - list + - watch +- apiGroups: + - argoproj.io 
+ resources: + - applications + - appprojects + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - "" + resources: + - events + verbs: + - create + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: dex-server + app.kubernetes.io/name: argocd-dex-server + app.kubernetes.io/part-of: argocd + name: argocd-dex-server +rules: +- apiGroups: + - "" + resources: + - secrets + - configmaps + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: argocd-server + app.kubernetes.io/part-of: argocd + name: argocd-server +rules: +- apiGroups: + - "" + resources: + - secrets + - configmaps + verbs: + - create + - get + - list + - watch + - update + - patch + - delete +- apiGroups: + - argoproj.io + resources: + - applications + - appprojects + verbs: + - create + - get + - list + - watch + - update + - delete + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: application-controller + app.kubernetes.io/name: argocd-application-controller + app.kubernetes.io/part-of: argocd + name: argocd-application-controller +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' +- nonResourceURLs: + - '*' + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: argocd-server + app.kubernetes.io/part-of: argocd + name: argocd-server +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - delete + - get + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - list +- apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - get +--- +apiVersion: 
rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: application-controller + app.kubernetes.io/name: argocd-application-controller + app.kubernetes.io/part-of: argocd + name: argocd-application-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argocd-application-controller +subjects: +- kind: ServiceAccount + name: argocd-application-controller +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: dex-server + app.kubernetes.io/name: argocd-dex-server + app.kubernetes.io/part-of: argocd + name: argocd-dex-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argocd-dex-server +subjects: +- kind: ServiceAccount + name: argocd-dex-server +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: argocd-server + app.kubernetes.io/part-of: argocd + name: argocd-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argocd-server +subjects: +- kind: ServiceAccount + name: argocd-server +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: application-controller + app.kubernetes.io/name: argocd-application-controller + app.kubernetes.io/part-of: argocd + name: argocd-application-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argocd-application-controller +subjects: +- kind: ServiceAccount + name: argocd-application-controller + namespace: argocd +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: argocd-server + app.kubernetes.io/part-of: argocd + name: argocd-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: argocd-server +subjects: +- kind: 
ServiceAccount + name: argocd-server + namespace: argocd +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/name: argocd-cm + app.kubernetes.io/part-of: argocd + name: argocd-cm +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/name: argocd-rbac-cm + app.kubernetes.io/part-of: argocd + name: argocd-rbac-cm +--- +apiVersion: v1 +data: + ssh_known_hosts: | + bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== + github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= + gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf + gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 + ssh.dev.azure.com ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H + vs-ssh.visualstudio.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/name: argocd-ssh-known-hosts-cm + app.kubernetes.io/part-of: argocd + name: argocd-ssh-known-hosts-cm +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/name: argocd-tls-certs-cm + app.kubernetes.io/part-of: argocd + name: argocd-tls-certs-cm +--- +apiVersion: v1 +kind: Secret +metadata: + labels: + app.kubernetes.io/name: argocd-secret + app.kubernetes.io/part-of: argocd + name: argocd-secret +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: dex-server + app.kubernetes.io/name: argocd-dex-server + app.kubernetes.io/part-of: argocd + name: argocd-dex-server +spec: + ports: + - name: http + port: 5556 + protocol: TCP + targetPort: 5556 + - name: grpc + port: 5557 + protocol: TCP + targetPort: 5557 + selector: + app.kubernetes.io/name: argocd-dex-server +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: metrics + app.kubernetes.io/name: argocd-metrics + app.kubernetes.io/part-of: argocd + name: argocd-metrics +spec: + ports: + - name: metrics + port: 8082 + protocol: TCP + targetPort: 8082 + selector: + 
app.kubernetes.io/name: argocd-application-controller +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: redis + app.kubernetes.io/name: argocd-redis + app.kubernetes.io/part-of: argocd + name: argocd-redis +spec: + ports: + - name: tcp-redis + port: 6379 + targetPort: 6379 + selector: + app.kubernetes.io/name: argocd-redis +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: repo-server + app.kubernetes.io/name: argocd-repo-server + app.kubernetes.io/part-of: argocd + name: argocd-repo-server +spec: + ports: + - name: server + port: 8081 + protocol: TCP + targetPort: 8081 + - name: metrics + port: 8084 + protocol: TCP + targetPort: 8084 + selector: + app.kubernetes.io/name: argocd-repo-server +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: argocd-server-metrics + app.kubernetes.io/part-of: argocd + name: argocd-server-metrics +spec: + ports: + - name: metrics + port: 8083 + protocol: TCP + targetPort: 8083 + selector: + app.kubernetes.io/name: argocd-server +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: argocd-server + app.kubernetes.io/part-of: argocd + name: argocd-server +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 8080 + - name: https + port: 443 + protocol: TCP + targetPort: 8080 + selector: + app.kubernetes.io/name: argocd-server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: application-controller + app.kubernetes.io/name: argocd-application-controller + app.kubernetes.io/part-of: argocd + name: argocd-application-controller +spec: + selector: + matchLabels: + app.kubernetes.io/name: argocd-application-controller + strategy: + type: Recreate + template: + metadata: + labels: + app.kubernetes.io/name: argocd-application-controller + spec: + containers: + - command: + - 
argocd-application-controller + - --status-processors + - "20" + - --operation-processors + - "10" + image: argoproj/argocd:v1.4.2 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8082 + initialDelaySeconds: 5 + periodSeconds: 10 + name: argocd-application-controller + ports: + - containerPort: 8082 + readinessProbe: + httpGet: + path: /healthz + port: 8082 + initialDelaySeconds: 5 + periodSeconds: 10 + serviceAccountName: argocd-application-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: dex-server + app.kubernetes.io/name: argocd-dex-server + app.kubernetes.io/part-of: argocd + name: argocd-dex-server +spec: + selector: + matchLabels: + app.kubernetes.io/name: argocd-dex-server + template: + metadata: + labels: + app.kubernetes.io/name: argocd-dex-server + spec: + containers: + - command: + - /shared/argocd-util + - rundex + image: quay.io/dexidp/dex:v2.21.0 + imagePullPolicy: Always + name: dex + ports: + - containerPort: 5556 + - containerPort: 5557 + volumeMounts: + - mountPath: /shared + name: static-files + initContainers: + - command: + - cp + - /usr/local/bin/argocd-util + - /shared + image: argoproj/argocd:v1.4.2 + imagePullPolicy: Always + name: copyutil + volumeMounts: + - mountPath: /shared + name: static-files + serviceAccountName: argocd-dex-server + volumes: + - emptyDir: {} + name: static-files +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + labels: + app.kubernetes.io/component: redis + app.kubernetes.io/name: argocd-redis + app.kubernetes.io/part-of: argocd + name: argocd-redis +spec: + selector: + matchLabels: + app.kubernetes.io/name: argocd-redis + serviceName: argocd-redis + template: + metadata: + labels: + app.kubernetes.io/name: argocd-redis + spec: + terminationGracePeriodSeconds: 10 + containers: + - name: redis + resources: + requests: + memory: "100Mi" + cpu: "100m" # equivalent to 0.1 of a CPU core + args: + - --save + - "60 1000" + - 
--appendonly + - "yes" + image: redis:5 + imagePullPolicy: Always + ports: + - containerPort: 6379 + volumeMounts: + - name: redis-data + mountPath: /data + volumeClaimTemplates: + - metadata: + name: redis-data + spec: + accessModes: [ "ReadWriteOnce" ] + resources: + requests: + storage: 10Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: repo-server + app.kubernetes.io/name: argocd-repo-server + app.kubernetes.io/part-of: argocd + name: argocd-repo-server +spec: + selector: + matchLabels: + app.kubernetes.io/name: argocd-repo-server + template: + metadata: + labels: + app.kubernetes.io/name: argocd-repo-server + spec: + automountServiceAccountToken: false + containers: + - command: + - uid_entrypoint.sh + - argocd-repo-server + - --redis + - argocd-redis:6379 + image: argoproj/argocd:v1.4.2 + imagePullPolicy: Always + livenessProbe: + initialDelaySeconds: 5 + periodSeconds: 10 + tcpSocket: + port: 8081 + name: argocd-repo-server + ports: + - containerPort: 8081 + - containerPort: 8084 + readinessProbe: + initialDelaySeconds: 5 + periodSeconds: 10 + tcpSocket: + port: 8081 + volumeMounts: + - mountPath: /app/config/ssh + name: ssh-known-hosts + - mountPath: /app/config/tls + name: tls-certs + volumes: + - configMap: + name: argocd-ssh-known-hosts-cm + name: ssh-known-hosts + - configMap: + name: argocd-tls-certs-cm + name: tls-certs +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: argocd-server + app.kubernetes.io/part-of: argocd + name: argocd-server +spec: + selector: + matchLabels: + app.kubernetes.io/name: argocd-server + template: + metadata: + labels: + app.kubernetes.io/name: argocd-server + spec: + containers: + - command: + - argocd-server + - --staticassets + - /shared/app + image: argoproj/argocd:v1.4.2 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8080 + initialDelaySeconds: 3 + 
periodSeconds: 30 + name: argocd-server + ports: + - containerPort: 8080 + - containerPort: 8083 + readinessProbe: + httpGet: + path: /healthz + port: 8080 + initialDelaySeconds: 3 + periodSeconds: 30 + volumeMounts: + - mountPath: /app/config/ssh + name: ssh-known-hosts + - mountPath: /app/config/tls + name: tls-certs + serviceAccountName: argocd-server + volumes: + - emptyDir: {} + name: static-files + - configMap: + name: argocd-ssh-known-hosts-cm + name: ssh-known-hosts + - configMap: + name: argocd-tls-certs-cm + name: tls-certs From bf5917000b88452569eb22339582c81407306f4d Mon Sep 17 00:00:00 2001 From: Irving Popovetsky Date: Mon, 24 Feb 2020 14:51:30 -0800 Subject: [PATCH 8/8] Update ingresses for resources-api Signed-off-by: Irving Popovetsky --- kubernetes/resources_api/base/deployment.yaml | 11 +++++++-- .../resources_api/overlays/prod/ingress.yaml | 23 +++++++++++-------- .../overlays/staging/deployment.yaml | 2 ++ .../overlays/staging/ingress.yaml | 23 +++++++++++-------- kubernetes/town_crier/base/deployment.yaml | 2 +- 5 files changed, 38 insertions(+), 23 deletions(-) diff --git a/kubernetes/resources_api/base/deployment.yaml b/kubernetes/resources_api/base/deployment.yaml index 331abc7..417d561 100644 --- a/kubernetes/resources_api/base/deployment.yaml +++ b/kubernetes/resources_api/base/deployment.yaml @@ -3,8 +3,8 @@ kind: Deployment metadata: name: resources-api spec: - replicas: 2 - revisionHistoryLimit: 5 + replicas: 1 + revisionHistoryLimit: 1 template: spec: containers: @@ -42,6 +42,13 @@ spec: value: resources_api - name: POSTGRES_HOST value: resources-postgres + - name: HONEYCOMB_WRITEKEY + valueFrom: + secretKeyRef: + name: python-backend-secrets + key: honeycomb_writekey + - name: HONEYCOMB_DATASET + value: production-traces volumes: - name: resources-api-secrets secret: diff --git a/kubernetes/resources_api/overlays/prod/ingress.yaml b/kubernetes/resources_api/overlays/prod/ingress.yaml index de7eaee..0dc038a 100644 
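Review bot: The base manifest now pins `HONEYCOMB_DATASET` to `production-traces` in the second hunk of kubernetes/resources_api/base/deployment.yaml, so production becomes the value every overlay inherits unless it remembers to override it, as the staging overlay hunk later in this patch does with `staging-traces`. A safer layout keeps a neutral value in the base and puts the production value in the prod overlay (adding a deployment patch there if none exists), e.g. `- name: HONEYCOMB_DATASET` / `value: <set-per-overlay>` in the base and `value: production-traces` under overlays/prod; a missed override then shows up as an obviously wrong dataset name instead of quietly writing a non-production environment's traces into the production dataset. The first hunk's `revisionHistoryLimit: 1` keeps only one prior ReplicaSet, so `kubectl rollout undo` can step back a single revision, which deserves a comment such as `# one old ReplicaSet kept for rollback; raise if multi-step rollback is needed`. Both hunks sit inside the Deployment's pod template, which continues outside the hunks.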
--- a/kubernetes/resources_api/overlays/prod/ingress.yaml +++ b/kubernetes/resources_api/overlays/prod/ingress.yaml @@ -1,20 +1,23 @@ apiVersion: extensions/v1beta1 kind: Ingress metadata: - annotations: - kubernetes.io/ingress.class: nginx - kubernetes.io/tls-acme: "true" name: resources-api + annotations: + kubernetes.io/ingress.class: alb + alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:633607774026:certificate/d59d030e-0239-4bfa-8553-e4bafb6481b4 + alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]' + alb.ingress.kubernetes.io/scheme: internet-facing + alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-2017-01 + external-dns.alpha.kubernetes.io/hostname: resources.k8s.operationcode.org + labels: + app: resources-api spec: rules: - - host: resources.operationcode.org + - host: resources.k8s.operationcode.org http: paths: - - backend: + - path: /* + backend: serviceName: resources-api-service servicePort: 80 - path: / - tls: - - hosts: - - resources.operationcode.org - secretName: resources-api-tls + diff --git a/kubernetes/resources_api/overlays/staging/deployment.yaml b/kubernetes/resources_api/overlays/staging/deployment.yaml index e46c01e..644aa41 100644 --- a/kubernetes/resources_api/overlays/staging/deployment.yaml +++ b/kubernetes/resources_api/overlays/staging/deployment.yaml @@ -11,3 +11,5 @@ spec: env: - name: FLASK_ENV value: staging + - name: HONEYCOMB_DATASET + value: staging-traces diff --git a/kubernetes/resources_api/overlays/staging/ingress.yaml b/kubernetes/resources_api/overlays/staging/ingress.yaml index f15c71e..bbdb28b 100644 --- a/kubernetes/resources_api/overlays/staging/ingress.yaml +++ b/kubernetes/resources_api/overlays/staging/ingress.yaml 
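Review bot: The new ALB annotations on kubernetes/resources_api/overlays/prod/ingress.yaml (and the identical staging ingress hunk that follows) set no target type, and the ALB ingress controller defaults to instance targets, which register worker nodes through a NodePort; with this series moving every workload to Fargate there are no such nodes, so the target group would stay empty unless the controller has been started with a non-default target type. Add `alb.ingress.kubernetes.io/target-type: ip` next to the scheme annotation so the load balancer registers the pod IPs directly. On the TLS side, `ELBSecurityPolicy-TLS-1-2-2017-01` still admits RSA key-exchange suites without forward secrecy; one of the `ELBSecurityPolicy-FS-1-2-*` policies keeps the same TLS 1.2 floor but restricts the listener to ECDHE suites, so consider switching unless a client you must support lacks them. The certificate ARN, listen-ports, scheme and ssl-policy annotations are duplicated byte-for-byte between the two overlays and could live in one shared patch so the TLS policy is maintained in a single place.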
@@ -1,20 +1,23 @@ apiVersion: extensions/v1beta1 kind: Ingress metadata: - annotations: - kubernetes.io/ingress.class: nginx - kubernetes.io/tls-acme: "true" name: resources-api + annotations: + kubernetes.io/ingress.class: alb + alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-2:633607774026:certificate/d59d030e-0239-4bfa-8553-e4bafb6481b4 + alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]' + alb.ingress.kubernetes.io/scheme: internet-facing + alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-2017-01 + external-dns.alpha.kubernetes.io/hostname: resources-staging.k8s.operationcode.org + labels: + app: resources-api spec: rules: - - host: resources.staging.operationcode.org + - host: resources-staging.k8s.operationcode.org http: paths: - - backend: + - path: /* + backend: serviceName: resources-api-service servicePort: 80 - path: / - tls: - - hosts: - - resources.staging.operationcode.org - secretName: resources-api-tls + diff --git a/kubernetes/town_crier/base/deployment.yaml b/kubernetes/town_crier/base/deployment.yaml index 4d1e545..d367e5c 100644 --- a/kubernetes/town_crier/base/deployment.yaml +++ b/kubernetes/town_crier/base/deployment.yaml @@ -4,7 +4,7 @@ metadata: name: town-crier spec: replicas: 1 - revisionHistoryLimit: 5 + revisionHistoryLimit: 1 template: metadata: labels: