WP : Kubernetes manifests

Makefile

@@ -14,6 +14,9 @@ export DC_BUILD_ARGS = --pull --no-cache
 export DC_UP_ARGS = --build --force-recreate
 export DC_NETWORK_OPT = --opt com.docker.network.driver.mtu=1450
 
+# kubernetes 
+export KUBE_DIR = deployments
+
 # elasticsearch defaut configuration
 export ES_HOST = ${APP}-elasticsearch
 export ES_PORT = 9200
@@ -165,6 +168,27 @@ backend-stop:
 backend-exec:
 	$(DC) -f ${DC_FILE}.yml exec backend bash
 
+## Deploy backend
+# Create env-bakend configmap from .env-index
+deploy-k8s: deploy-k8s-traefik deploy-k8s-elasticsearch deploy-k8s-frontend deploy-k8s-backend
+
+create-namespace:
+	@echo $@
+	(cat ${KUBE_DIR}/namespace.yaml | envsubst | kubectl apply -f -) && touch $@
+
+deploy-k8s-traefik:
+	helm upgrade --install --values ${KUBE_DIR}/traefik/values.yaml traefik traefik/traefik --namespace traefik	
+
+deploy-k8s-configmap: create-namespace
+	kubectl create configmap env-${INDEX_NAME} --from-file=${ENV_FILE} --namespace ridoc -o yaml --dry-run=client | kubectl apply -f -
+
+deploy-traefik:
+	helm upgrade --install --values ${KUBE_DIR}/traefik/values.yaml traefik traefik/traefik --namespace traefik
+deploy-k8s-elasticsearch: deploy-k8s-namespace
+	@echo $@
+	@cat ${KUBE_DIR}/elasticsearch.yaml | envsubst | kubectl apply -f -
+
+
 ##############
 #Test backend#
 ##############
@@ -264,7 +288,7 @@ nginx-build: nginx-check-build
 
 
 #############
-# SWIFT 	  #
+# SWIFT     #
 #############
 chmod:
 	chmod +x swift/*.sh

deployments/backend.yaml

@@ -0,0 +1,52 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: backend
+  name: backend
+  namespace: ridoc
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: backend
+  template:
+    metadata:
+      labels:
+        app: backend
+    spec:
+      containers:
+      - args:
+        - FLASK_DEBUG=0
+        command:
+        - ./start.sh
+        envFrom:
+        - configMapRef:
+            name: env-${INDEX_NAME}
+
+        image: ghcr.io/datalab-mi/ridoc/backend:latest
+        resources:
+          requests:
+            cpu: "1"
+        imagePullPolicy: Always
+        name: backend
+        ports:
+        - containerPort: 5000
+          name: http
+      imagePullSecrets:
+      - name: ghcr-login-secret
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: backend
+  namespace: ridoc
+spec:
+  ports:
+  - name: http
+    port: 5000
+  selector:
+    app: backend

deployments/frontend.yaml

@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: frontend
+  labels:
+    app: frontend
+  namespace: pavima
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: frontend
+  template:
+    metadata:
+      labels:
+        app: frontend
+    spec:
+      containers:
+        - name: frontend
+          image: ghcr.io/pavima-journe/pavima-frontend:latest
+          imagePullPolicy: Always
+          ports:
+          - name: node
+            containerPort: 3000
+      imagePullSecrets:
+      - name: ghcr-login-secret
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: frontend
+  namespace: pavima
+spec:
+  selector:
+    app: frontend
+  ports:
+  - name: node
+    port: 3000
+    targetPort: 3000

deployments/namespace.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ridoc
+
+---
+
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: traefik
+  labels:
+    name: traefik

deployments/traefik/README.md

@@ -0,0 +1,75 @@
+
+# Reverse proxy traefik for test
+[base tuto](https://doc.traefik.io/traefik/user-guides/crd-acme/)
+
+LoadBalancer services turned to ClusterIp to begin small
+
+## Install custom ressources for traefik v2
+```bash
+# Install Traefik Resource Definitions:
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
+
+# Install RBAC for Traefik:
+kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
+```
+## Deploy traefik stuffs
+
+```bash
+kubectl apply -f .
+```
+
+Forward traefik dashboard service
+```bash
+ kubectl port-forward service/traefik-dashboard-service 8080:8080
+ ```
+
+ Forward traefik service
+ ```bash
+  kubectl port-forward service/traefik 8000:80
+  ```
+
+:tada:  [test](http://localhost:8000) frontend !
+
+## Add client certificate to paranoid mode !
+
+Reproduce [base tuto](https://www.nerdieworks.nl/posts/client-certificate-authentication-with-traefik/)
+
+## Links
+
+Twincity [old backend](https://github.com/twin-city/infra/blob/main/traefik/03-deployment.yaml)
+
+# Alternative installation with Helm 
+
+```bash
+helm upgrade --install --values deployments/traefik/values.yaml traefik traefik/traefik --namespace traefik
+```
+
+Plus besoin de gérer les certificats https car on utilise ceux du neud kube.
+
+--- 
+Suivre la grotte du barbu pour générer une application dns ovh [tuto](https://www.grottedubarbu.fr/traefik-dns-challenge-ovh/)
+
+```
+domain = 
+curl -XPOST -H "X-Ovh-Application: 10b1283c6eda6eb9" -H "Content-type: application/json" \
+https://eu.api.ovh.com/1.0/auth/credential  -d '{
+    "accessRules": [
+        {
+            "method": "POST",
+            "path": "/domain/zone/pavima.ovh/record"
+        },
+        {
+            "method": "POST",
+            "path": "/domain/zone/pavima.ovh/refresh"
+        },
+        {
+            "method": "DELETE",
+            "path": "/domain/zone/pavima.ovh/record/*"
+        }
+    ]
+}'
+```
+```bash
+helm install traefik traefik/traefik
+helm install -f values.yaml traefik traefik/traefik
+```

deployments/traefik/ingress.yml

@@ -0,0 +1,62 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: http-redirect-ingressroute
+spec:
+  entryPoints:
+  - websecure
+  routes:
+    - match: Host(`kubernetes.ridoc.ovh`)
+      kind: Rule
+      services:
+        - name: frontend
+          port: node
+          namespace: ridoc
+    - match: Host(`kubernetes.ridoc.ovh`) && PathPrefix(`/api`)
+      kind: Rule
+      services:
+        - name: backend
+          port: http
+          namespace: ridoc
+      middlewares:
+      - name: stripprefix
+
+    - match: Host(`kubernetes.ridoc.ovh`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
+      kind: Rule
+      services:
+      - name: api@internal
+        kind: TraefikService
+
+    - match: Host(`kubernetes.ridoc.ovh`) && PathPrefix(`/kibana`)
+      kind: Rule
+      services:
+        - name: kibana
+          namespace: ridoc
+          port: http
+      middlewares:
+      - name: stripprefix
+      - name: kibana
+
+  tls: # Not merged with static configuration
+    certResolver: letsencrypt # You can add this later
+    options:
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: stripprefix
+spec:
+  stripPrefix:
+    prefixes:
+      - /backend
+      - /kibana
+    forceSlash: false
+
+
+apiVersion: traefik.containo.us/v1alpha1
+  kind: Middleware
+  metadata:
+    name: kibana-dashboard-auth
+  spec:
+    basicAuth:
+      secret: traefik-dashboard-auth-secret

deployments/traefik/values.yaml

@@ -0,0 +1,71 @@
+certResolvers:
+  le:
+    email: [email protected]
+    httpChallenge:
+      entryPoint: "web"
+    storage: /data/acme.json
+    #caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+persistence:
+  enabled: true
+  name: traefik-internal
+  accessMode: ReadWriteOnce
+  size: 1Gi
+  path: /data
+
+
+service:
+  enabled: false
+
+providers:
+  kubernetesIngress:
+    ingressClass: traefik-internal
+    publishedService:
+      enabled: true
+
+ingressClass:
+  enabled: true
+  isDefaultClass: true
+
+ports:
+  web:
+    redirectTo: websecure
+    hostPort: 80 
+  websecure:
+    tls:
+      certResolver: le
+    hostPort: 443
+
+deployment:
+  # Can be either Deployment or DaemonSet
+  kind: DaemonSet
+  initContainers:
+    - name: volume-permissions
+      image: busybox:latest
+      securityContext:
+        runAsNonRoot: false
+        runAsGroup: 0
+        runAsUser: 0
+      command: ["sh", "-c", "sleep 30 ;chown -R 65532:65532 /data; chmod -Rv 600 /data/*"]
+      volumeMounts:
+      - mountPath: /data
+        name: traefik-internal
+
+
+updateStrategy:
+  type: RollingUpdate
+  rollingUpdate:
+    maxUnavailable: 1
+    maxSurge: 0
+
+logs:
+  general:
+    # Alternative logging levels are DEBUG, PANIC, FATAL, ERROR, WARN, and INFO.
+    level: INFO
+  access:
+    # To enable access logs
+    enabled: true
+    ## By default, logs are written using the Common Log Format (CLF) on stdout.
+    ## To write logs in JSON, use json in the format option.
+    ## If the given format is unsupported, the default (CLF) is used instead.
+    # format: json
+    filePath: "/tmp/logs/access.log"