ci

UKHomeOffice · Oct 1, 2019 · afd81dc · afd81dc
1 parent 68043f9
commit afd81dc
Show file tree

Hide file tree

Showing 9 changed files with 43 additions and 62 deletions.
diff --git a/.drone.yml b/.drone.yml
@@ -23,6 +23,7 @@ pipeline:
 
   rebuild_and_republish_docker_images:
     image: docker
+    group: phase1
     environment:
       - DOCKER_HOST=tcp://172.17.0.1:2375
       - DOCKER_CONFIG=/drone/src/github.com/UKHomeOffice/cto-csoc-poc/.docker
@@ -35,12 +36,14 @@ pipeline:
 
   get_kubectl_kustomize:
     image: busybox
+    group: phase1
     commands:
       - wget https://storage.googleapis.com/kubernetes-release/release/v1.16.0/bin/linux/amd64/kubectl
       - wget https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv3.2.1/kustomize_kustomize.v3.2.1_linux_amd64
       - chmod +x kustomize_* kubectl
 
   create_dummy_secrets:
+    group: phase1
     image: busybox
     commands:
       - touch huggin/huggin-secrets.env
@@ -49,6 +52,7 @@ pipeline:
 
   create_secrets:
     image: busybox
+    group: phase2
     commands:
       - echo $${HUGGIN_SECRETS_NOTPROD} | base64 -d > huggin/huggin-secrets.env
       - echo $${YETI_KEYCLOAK_SECRET_NOTPROD} | base64 -d > yeti/yeti-web/keycloak-secret.env
@@ -68,6 +72,7 @@ pipeline:
 
   configure_kubectl:
     image: busybox
+    group: phase2
     commands:
       - ./.drone-configure-kubeconfig.sh
       - ./kubectl config use-context notprod

diff --git a/.gitignore b/.gitignore
@@ -1,4 +1,3 @@
 huggin-secrets.env
-/secret-ecr.yaml
-/yeti/yeti-web/keycloak-secret.env
-/huggin/keycloak-secret.env
+secret-ecr.yaml
+keycloak-secret.env
diff --git a/README.md b/README.md
@@ -12,54 +12,4 @@ Tools included
     - yeti web service
     - mongo
     - redis
-    - various yeti workers
-
-## TODO:
-
-- [ ] determine and set meaningful memory+cpu requirements for:
-  - [ ] huggin web
-  - [ ] huggin worker
-  - [ ] huggin postgres
-  - [ ] yeti web
-  - [ ] yeti analytics
-  - [ ] yeti beat
-  - [ ] yeti exports
-  - [ ] yeti feeds
-  - [ ] yeti oneshot
-  - [ ] yeti uwsgi-http
-  - [ ] yeti uwsgi
-  - [ ] yeti mongodb
-  - [ ] yeti redis
-- [ ] get persistent volumes working for:
-  - [ ] yeti redis (?)
-  - [ ] yeti mongodb
-  - [ ] huggin postgres
-- [ ] stop huggin having to pull all its dependencies everytime it starts
-- [ ] add keycloak proxy
-  - [ ] huggin
-  - [ ] yeti  
-- [ ] configure to use keycloak provided user auth
-  - [ ] huggin
-  - [ ] yeti  
-- [ ] configure keycloak realm
-- [ ] add naxsi proxy
-  - [ ] huggin
-  - [ ] yeti  
-- [ ] network policies
-  - [ ] huggin
-  - [ ] yeti  
-- [ ] services
-  - [x] huggin-web
-  - [x] huggin-postgres
-  - [x] yeti-web
-  - [x] yeti-redis
-  - [x] yeti-mongo
-- [ ] Horizontal pod autoscaler
-  - [x] yeti-web
-  - [x] yeti-worker
-  - [ ] huggin-web
-  - [ ] huggin....
-- [x] ingress
-  - [x] yeti-web
-  - [x] huggin-web
-- [ ] add whitelist to ingress
+    - various yeti workers
diff --git a/yeti/yeti-web/deployment.yaml b/yeti/yeti-web/deployment.yaml
@@ -23,15 +23,18 @@ spec:
           volumeMounts:
             - mountPath: /var/log
               name: logs
+          ports:
+            - name: noauth
+              containerPort: 5000
           livenessProbe:
             httpGet:
-              path: /
-              port: 5000
+              path: /observable/
+              port: noauth
             initialDelaySeconds: 120
           readinessProbe:
             httpGet:
-              path: /
-              port: 5000
+              path: /observable/
+              port: noauth
         - name: keycloak-gatekeeper
           image: quay.io/keycloak/keycloak-gatekeeper
           securityContext:

diff --git a/yeti/yeti-web/ingress.yaml b/yeti/yeti-web/ingress.yaml
@@ -11,8 +11,8 @@ metadata:
     ingress.kubernetes.io/force-ssl-redirect: "true"
     kubernetes.io/tls-acme: "true"
     stable.k8s.psg.io/kcm.provider: http
-    ingress.kubernetes.io/proxy-redirect-from: http://localhost:5000/observable/
-    ingress.kubernetes.io/proxy-redirect-to: /observable/
+    ingress.kubernetes.io/proxy-redirect-from: http://localhost:5000/
+    ingress.kubernetes.io/proxy-redirect-to: /
 spec:
   rules:
     - host: yeti.csoc.cto-notprod.homeoffice.gov.uk

diff --git a/yeti/yeti-web/kustomization.yaml b/yeti/yeti-web/kustomization.yaml
@@ -6,7 +6,8 @@ resources:
   - service.yaml
   - ingress.yaml
   - hpa.yaml
-  - networkpolicy.yaml
+  - networkpolicy-ingress.yaml
+  - networkpolicy-huggin.yaml
 
 patchesStrategicMerge:
   - deployment.yaml

diff --git a/yeti/yeti-web/networkpolicy-huggin.yaml b/yeti/yeti-web/networkpolicy-huggin.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: yeti-huggin
+spec:
+  podSelector:
+    matchLabels:
+      yeti: yeti-web
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              name: huggin-worker
+        - podSelector:
+            matchLabels:
+              name: huggin-web
+      ports:
+        - protocol: TCP
+          port: noauth
diff --git a/yeti/yeti-web/networkpolicy.yaml → yeti/yeti-web/networkpolicy-ingress.yaml b/yeti/yeti-web/networkpolicy.yaml → yeti/yeti-web/networkpolicy-ingress.yaml
@@ -1,7 +1,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: yeti
+  name: yeti-ingress
 spec:
   podSelector:
     matchLabels:

diff --git a/yeti/yeti-web/service.yaml b/yeti/yeti-web/service.yaml
@@ -8,5 +8,9 @@ spec:
       port: 3000
       protocol: TCP
       targetPort: http
+    - name: noauth
+      port: 3001
+      protocol: TCP
+      targetPort: noauth
   selector:
     yeti: yeti-web