From afd81dcb705f04b3b42cfa7e8e6965ca9dc39b75 Mon Sep 17 00:00:00 2001
From: Chris Nesbitt-Smith
Date: Tue, 1 Oct 2019 15:52:11 +0100
Subject: [PATCH] ci

---
 .drone.yml | 5 ++
 .gitignore | 5 +-
 README.md | 52 +------------------
 yeti/yeti-web/deployment.yaml | 11 ++--
 yeti/yeti-web/ingress.yaml | 4 +-
 yeti/yeti-web/kustomization.yaml | 3 +-
 yeti/yeti-web/networkpolicy-huggin.yaml | 19 +++++++
 ...policy.yaml => networkpolicy-ingress.yaml} | 2 +-
 yeti/yeti-web/service.yaml | 4 ++
 9 files changed, 43 insertions(+), 62 deletions(-)
 create mode 100644 yeti/yeti-web/networkpolicy-huggin.yaml
 rename yeti/yeti-web/{networkpolicy.yaml => networkpolicy-ingress.yaml} (94%)

diff --git a/.drone.yml b/.drone.yml
index a3dcc9a..bee2c67 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -23,6 +23,7 @@ pipeline:
   rebuild_and_republish_docker_images:
     image: docker
+    group: phase1
     environment:
       - DOCKER_HOST=tcp://172.17.0.1:2375
       - DOCKER_CONFIG=/drone/src/github.com/UKHomeOffice/cto-csoc-poc/.docker
@@ -35,12 +36,14 @@ pipeline:
   get_kubectl_kustomize:
     image: busybox
+    group: phase1
     commands:
       - wget https://storage.googleapis.com/kubernetes-release/release/v1.16.0/bin/linux/amd64/kubectl
       - wget https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv3.2.1/kustomize_kustomize.v3.2.1_linux_amd64
       - chmod +x kustomize_* kubectl
   create_dummy_secrets:
+    group: phase1
     image: busybox
     commands:
       - touch huggin/huggin-secrets.env
@@ -49,6 +52,7 @@ pipeline:
   create_secrets:
     image: busybox
+    group: phase2
     commands:
       - echo $${HUGGIN_SECRETS_NOTPROD} | base64 -d > huggin/huggin-secrets.env
       - echo $${YETI_KEYCLOAK_SECRET_NOTPROD} | base64 -d > yeti/yeti-web/keycloak-secret.env
@@ -68,6 +72,7 @@ pipeline:
   configure_kubectl:
     image: busybox
+    group: phase2
     commands:
       - ./.drone-configure-kubeconfig.sh
       - ./kubectl config use-context notprod
diff --git a/.gitignore b/.gitignore
index a15a1ca..1bef6e5 100644
--- a/.gitignore
+++ b/.gitignore
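Review bot: The kubectl and kustomize binaries that `get_kubectl_kustomize` downloads are made executable and then drive the deploy with no integrity check at all, so a tampered artifact or mirror compromise flows straight into the cluster; the new `group: phase1` changes when the step runs, not that gap. Pin the expected digest of each artifact and verify before `chmod +x`, e.g. `- echo "<expected-sha256>  kubectl" | sha256sum -c` and the same for the kustomize file, so a mismatch fails the build (busybox `sha256sum` supports `-c`, no extra image needed). In Drone 0.8 a shared `group` runs steps concurrently, so a comment such as `# phase1 steps run in parallel — none may depend on another phase1 step's output` on the first grouped step would record the ordering assumption this commit introduces.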
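Review bot: `create_secrets` writes whatever `$${HUGGIN_SECRETS_NOTPROD}` and `$${YETI_KEYCLOAK_SECRET_NOTPROD}` decode to, and an unset or empty variable (a misnamed Drone secret, or a build that is not granted secrets) yields an empty secrets file silently rather than a failure, because `echo '' | base64 -d` exits 0. Guard each variable before decoding, e.g. `- test -n "$${HUGGIN_SECRETS_NOTPROD}"` (or `: "$${HUGGIN_SECRETS_NOTPROD:?not set}"`), so the deploy cannot proceed with an empty Keycloak or huggin secret. The decoded files land in the shared workspace and are readable by every later step; they are git-ignored in this commit, but a comment like `# decoded secrets are written to the workspace — keep this step late and never archive the workspace` would make that explicit. The step now shares `phase2` with `configure_kubectl`, whose visible commands do not read these files, so the parallel grouping itself looks safe.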
@@ -1,4 +1,3 @@
 huggin-secrets.env
-/secret-ecr.yaml
-/yeti/yeti-web/keycloak-secret.env
-/huggin/keycloak-secret.env
+secret-ecr.yaml
+keycloak-secret.env
\ No newline at end of file
diff --git a/README.md b/README.md
index f1e08be..d6d221d 100644
--- a/README.md
+++ b/README.md
@@ -12,54 +12,4 @@ Tools included
   - yeti web service
   - mongo
   - redis
-  - various yeti workers
-
-## TODO:
-
-- [ ] determine and set meaningful memory+cpu requirements for:
-  - [ ] huggin web
-  - [ ] huggin worker
-  - [ ] huggin postgres
-  - [ ] yeti web
-  - [ ] yeti analytics
-  - [ ] yeti beat
-  - [ ] yeti exports
-  - [ ] yeti feeds
-  - [ ] yeti oneshot
-  - [ ] yeti uwsgi-http
-  - [ ] yeti uwsgi
-  - [ ] yeti mongodb
-  - [ ] yeti redis
-- [ ] get persistent volumes working for:
-  - [ ] yeti redis (?)
-  - [ ] yeti mongodb
-  - [ ] huggin postgres
-- [ ] stop huggin having to pull all its dependencies everytime it starts
-- [ ] add keycloak proxy
-  - [ ] huggin
-  - [ ] yeti
-- [ ] configure to use keycloak provided user auth
-  - [ ] huggin
-  - [ ] yeti
-- [ ] configure keycloak realm
-- [ ] add naxsi proxy
-  - [ ] huggin
-  - [ ] yeti
-- [ ] network policies
-  - [ ] huggin
-  - [ ] yeti
-- [ ] services
-  - [x] huggin-web
-  - [x] huggin-postgres
-  - [x] yeti-web
-  - [x] yeti-redis
-  - [x] yeti-mongo
-- [ ] Horizontal pod autoscaler
-  - [x] yeti-web
-  - [x] yeti-worker
-  - [ ] huggin-web
-  - [ ] huggin....
-- [x] ingress
-  - [x] yeti-web
-  - [x] huggin-web
-- [ ] add whitelist to ingress
\ No newline at end of file
+  - various yeti workers
\ No newline at end of file
diff --git a/yeti/yeti-web/deployment.yaml b/yeti/yeti-web/deployment.yaml
index af50384..16b20ad 100644
--- a/yeti/yeti-web/deployment.yaml
+++ b/yeti/yeti-web/deployment.yaml
@@ -23,15 +23,18 @@ spec:
         volumeMounts:
           - mountPath: /var/log
             name: logs
+        ports:
+          - name: noauth
+            containerPort: 5000
         livenessProbe:
           httpGet:
-            path: /
-            port: 5000
+            path: /observable/
+            port: noauth
           initialDelaySeconds: 120
         readinessProbe:
           httpGet:
-            path: /
-            port: 5000
+            path: /observable/
+            port: noauth
       - name: keycloak-gatekeeper
         image: quay.io/keycloak/keycloak-gatekeeper
         securityContext:
diff --git a/yeti/yeti-web/ingress.yaml b/yeti/yeti-web/ingress.yaml
index e0bed81..3c4ada9 100644
--- a/yeti/yeti-web/ingress.yaml
+++ b/yeti/yeti-web/ingress.yaml
@@ -11,8 +11,8 @@ metadata:
     ingress.kubernetes.io/force-ssl-redirect: "true"
     kubernetes.io/tls-acme: "true"
     stable.k8s.psg.io/kcm.provider: http
-    ingress.kubernetes.io/proxy-redirect-from: http://localhost:5000/observable/
-    ingress.kubernetes.io/proxy-redirect-to: /observable/
+    ingress.kubernetes.io/proxy-redirect-from: http://localhost:5000/
+    ingress.kubernetes.io/proxy-redirect-to: /
 spec:
   rules:
     - host: yeti.csoc.cto-notprod.homeoffice.gov.uk
diff --git a/yeti/yeti-web/kustomization.yaml b/yeti/yeti-web/kustomization.yaml
index 571b689..dc18781 100644
--- a/yeti/yeti-web/kustomization.yaml
+++ b/yeti/yeti-web/kustomization.yaml
@@ -6,7 +6,8 @@ resources:
   - service.yaml
   - ingress.yaml
   - hpa.yaml
-  - networkpolicy.yaml
+  - networkpolicy-ingress.yaml
+  - networkpolicy-huggin.yaml
 
 patchesStrategicMerge:
   - deployment.yaml
diff --git a/yeti/yeti-web/networkpolicy-huggin.yaml b/yeti/yeti-web/networkpolicy-huggin.yaml
new file mode 100644
index 0000000..8db7fb9
--- /dev/null
+++ b/yeti/yeti-web/networkpolicy-huggin.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: yeti-huggin
+spec:
+  podSelector:
+    matchLabels:
+      yeti: yeti-web
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              name: huggin-worker
+        - podSelector:
+            matchLabels:
+              name: huggin-web
+      ports:
+        - protocol: TCP
+          port: noauth
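Review bot: Both probes now hit `/observable/` on the raw app port, which ties liveness to whatever that view needs to render (presumably the Mongo backend listed in the README), so a database outage would have kubelet restart the yeti-web pods in a loop instead of merely marking them unready; keep `/observable/` for readiness and give livenessProbe a cheap endpoint — if `/` was abandoned because it does not return 2xx–3xx, a dedicated health path is the right replacement. The new container port is the route around keycloak-gatekeeper, and nothing in this file says it must not be published through the ingress; a comment on it, `# noauth: raw yeti port bypassing keycloak-gatekeeper — reachable only by huggin pods via NetworkPolicy yeti-huggin; never route the ingress here`, would protect that intent from a later edit. The readiness probe still carries no `timeoutSeconds`/`periodSeconds`, as before. The container this `ports` entry belongs to begins outside the hunk.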
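Review bot: The annotation block still has no source-IP restriction (`ingress.kubernetes.io/whitelist-source-range`), and this same commit deletes the README TODO that recorded "add whitelist to ingress" as outstanding, so the gap loses its only written trace; either add the allow-list now or keep a marker next to `force-ssl-redirect`, e.g. `# TODO: restrict with ingress.kubernetes.io/whitelist-source-range before this leaves notprod`. The widened `proxy-redirect-from: http://localhost:5000/` → `/` rewrite is consistent with the app now answering at the root, but note that (assuming this is nginx-ingress) `proxy_redirect` only rewrites `Location` headers, not absolute `localhost:5000` URLs the backend may emit in page bodies.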
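Review bot: This policy is the only control between the gatekeeper-bypassing yeti port and the rest of the cluster, and it admits peers purely by label (`name: huggin-worker`, `name: huggin-web`), so any workload that can be scheduled in this namespace wearing that label gets unauthenticated access to yeti — a header comment should say so, e.g. `# grants huggin pods direct access to the noauth (keycloak-bypassing) port; any pod in this namespace carrying these labels gets the same access`. Without a `namespaceSelector` the `from` rules only match pods in yeti-web's own namespace, so if huggin is deployed elsewhere this policy silently admits nothing, and because NetworkPolicies are additive it only restricts the port if `networkpolicy-ingress.yaml` (not visible here beyond its rename) does not already allow it from a wider source. `port: noauth` is a named port, which is valid but not resolved by every CNI; if the cluster plugin does not honour named ports this must be `port: 5000`. Adding `policyTypes: [Ingress]` would make the intent explicit rather than inferred.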
diff --git a/yeti/yeti-web/networkpolicy.yaml b/yeti/yeti-web/networkpolicy-ingress.yaml
similarity index 94%
rename from yeti/yeti-web/networkpolicy.yaml
rename to yeti/yeti-web/networkpolicy-ingress.yaml
index 7353d47..72ad819 100644
--- a/yeti/yeti-web/networkpolicy.yaml
+++ b/yeti/yeti-web/networkpolicy-ingress.yaml
@@ -1,7 +1,7 @@
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
-  name: yeti
+  name: yeti-ingress
 spec:
   podSelector:
     matchLabels:
diff --git a/yeti/yeti-web/service.yaml b/yeti/yeti-web/service.yaml
index 7868135..398ee21 100644
--- a/yeti/yeti-web/service.yaml
+++ b/yeti/yeti-web/service.yaml
@@ -8,5 +8,9 @@ spec:
       port: 3000
       protocol: TCP
       targetPort: http
+    - name: noauth
+      port: 3001
+      protocol: TCP
+      targetPort: noauth
   selector:
     yeti: yeti-web
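Review bot: Publishing `noauth` as Service port 3001 gives the gatekeeper-bypassing yeti port a stable cluster-wide address (`yeti-web:3001`), so from here on the NetworkPolicy is the sole control on it and it becomes silently open if the CNI does not enforce policies or the huggin labels drift. Record that on the port, e.g. `# noauth: unauthenticated yeti port for huggin only — guarded solely by NetworkPolicy yeti-huggin; never reference from the ingress`, and confirm no ingress backend points at 3001. Renaming the `yeti` NetworkPolicy to `yeti-ingress` in the same commit leaves the old `yeti` object live unless the apply step prunes it, which I cannot see from here; a stale copy only re-allows what the new one allows, but it should be deleted so the cluster's policy set matches git.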