From 46bb4b70e537ac726050ed6ad74cfbad99f40077 Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Tue, 20 Aug 2024 13:44:19 -0400 Subject: [PATCH 01/46] Swapping to argo application and kustomize --- .gitlab-ci.yml | 134 +++-------------------------------- dockerfiles/application.yaml | 37 ++++++++++ 2 files changed, 47 insertions(+), 124 deletions(-) create mode 100644 dockerfiles/application.yaml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index afe4b702609..72eee5e728b 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -11,6 +11,7 @@ variables: IDP_CI_SHA: 'sha256:5c4953f8efba18b7a6d6a9a961cb77ba7143059cbb2176499432b4275fbe67db' PKI_IMAGE_TAG: 'main' DASHBOARD_IMAGE_TAG: 'main' + APPLICATION_MANIFEST: dockerfiles/application.yaml default: image: '${ECR_REGISTRY}/idp/ci@${IDP_CI_SHA}' 
@@ -433,129 +434,14 @@ trigger_devops: - export SANITIZED_BRANCH_NAME=$(echo "$CI_COMMIT_REF_NAME" | tr '/' '-' | tr -c '[:alnum:]-_' '-' | sed 's/-*$//') - echo "${CI_COMMIT_REF_NAME}" - echo "${SANITIZED_BRANCH_NAME}" - - |- - export IDP_CONFIG=$(cat <- - helm upgrade --install --namespace review-apps - --debug - --set global.labels.branch="${SANITIZED_BRANCH_NAME}" - --set env="reviewapps-$CI_ENVIRONMENT_SLUG" - --set idp.image.repository="${ECR_REGISTRY}/identity-idp/review" - --set idp.image.tag="${CI_COMMIT_SHA}" - --set worker.image.repository="${ECR_REGISTRY}/identity-idp/review" - --set worker.image.tag="${CI_COMMIT_SHA}" - --set pivcac.image.repository="${ECR_REGISTRY}/identity-pivcac/review" - --set pivcac.image.tag="${PKI_IMAGE_TAG}" - --set pivcac.image.pullPolicy="Always" - --set dashboard.image.repository="${ECR_REGISTRY}/identity-dashboard/review" - --set dashboard.image.tag="${DASHBOARD_IMAGE_TAG}" - --set dashboard.image.pullPolicy="Always" - --set-json dashboard.config="$DASHBOARD_CONFIG" - --set-json dashboard.enabled=true - --set-json idp.config="$IDP_CONFIG" - --set-json worker.config="$WORKER_CONFIG" - --set-json pivcac.config="$PIVCAC_CONFIG" - --set-json idp.ingress.hosts="[{\"host\": \"$CI_ENVIRONMENT_SLUG.reviewapps.identitysandbox.gov\", \"paths\": [{\"path\": \"/\", \"pathType\": \"Prefix\"}]}]" - --set-json pivcac.ingress.hosts="[{\"host\": \"$CI_ENVIRONMENT_SLUG.pivcac.reviewapps.identitysandbox.gov\", \"paths\": [{\"path\": \"/\", \"pathType\": \"Prefix\"}]}]" - --set-json dashboard.ingress.hosts="[{\"host\": \"$CI_ENVIRONMENT_SLUG-dashboard.reviewapps.identitysandbox.gov\", \"paths\": [{\"path\": \"/\", \"pathType\": \"Prefix\"}]}]" - $CI_ENVIRONMENT_SLUG ./identity-idp-helm-chart + #TODO put in kustomize based deploy + # Dynamically populate review environment settings + - sed -i "s|{{ENVIRONMENT}}|${{ CI_ENVIRONMENT_SLUG }}|g" ${{ APPLICATION_MANIFEST }} + - sed -i "s|{{IDP_CONTAINER_TAG}}|${{ CI_COMMIT_SHA }}|g" ${{ 
APPLICATION_MANIFEST }} + - sed -i "s|{{SANITIZED_BRANCH_NAME}}|${{ SANITIZED_BRANCH_NAME }}|g" ${{ APPLICATION_MANIFEST }} + - sed -i "s|{{DASHBOARD_CONTAINER_TAG}}|${{ DASHBOARD_CONTAINER_TAG }}|g" ${{ APPLICATION_MANIFEST }} + # Apply our ArgoCD Application + - kubectl apply -f dockerfiles/application.yaml - echo "DNS may take a while to propagate, so be patient if it doesn't show up right away" - echo "To access the rails console, first run 'aws-vault exec sandbox-power -- aws eks update-kubeconfig --name reviewapp'" - echo "Then run aws-vault exec sandbox-power -- kubectl exec -it service/$CI_ENVIRONMENT_SLUG-login-chart-idp -n review-apps -- /app/bin/rails console" @@ -589,7 +475,7 @@ stop-review-app: script: - export CONTEXT=$(kubectl config get-contexts | grep reviewapp | awk '{print $1}' | head -1) - kubectl config use-context "$CONTEXT" - - helm uninstall --namespace review-apps $CI_ENVIRONMENT_SLUG + - kubectl delete application $CI_ENVIRONMENT_SLUG -n argocd stage: review image: name: dtzar/helm-kubectl:latest diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml new file mode 100644 index 00000000000..e775934b62a --- /dev/null +++ b/dockerfiles/application.yaml 
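Review bot: The trailing `echo` that tells the developer to run `kubectl exec -it service/$CI_ENVIRONMENT_SLUG-login-chart-idp` still names the Helm chart's service, but the deploy it now documents renders an Argo Application whose kustomize `namePrefix` is `{{ENVIRONMENT}}-`, so the service it points at presumably no longer exists under that name; confirm the post-prefix service name in the control repo and update the hint, e.g. `service/$CI_ENVIRONMENT_SLUG-idp`. The four `sed -i` lines also rewrite the tracked `dockerfiles/application.yaml` in the checkout rather than rendering into a copy; writing to a job-local file such as `sed ... "$APPLICATION_MANIFEST" > rendered-application.yaml` (constructed name) keeps the committed template untouched and makes the rendered artifact easy to attach to the job. The `trigger_devops` script block continues outside the hunk.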
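Review bot: `kubectl delete application $CI_ENVIRONMENT_SLUG -n argocd` fails the stop job whenever the Application was never created or was already removed, which is exactly the state a failed or half-finished deploy leaves behind; `kubectl delete application "$CI_ENVIRONMENT_SLUG" -n argocd --ignore-not-found` makes the teardown idempotent and quotes the slug. It is worth a comment on this line that the cascade to the review-apps workloads depends on the `resources-finalizer.argocd.argoproj.io` finalizer declared in `dockerfiles/application.yaml`, since without it this delete only removes the Application object.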
@@ -0,0 +1,37 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: {{ENVIRONMENT}} + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: 'git@gitlab.login.gov:lg-public/identity-eks-control.git' + targetRevision: sshelton/update-reviewapp + path: cluster-reviewapp/review-apps + kustomize: + images: + # Swap in review images + - name: identity-idp/idp + newName: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-idp/review + newTag: {{IDP_CONTAINER_TAG}} + - name: identity-dashboard/review + newName: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-dashboard/review + newTag: {{DASHBOARD_CONTAINER_TAG}} + namePrefix: "{{ENVIRONMENT}}-" + commonLabels: + env: {{ENVIRONMENT}} + branch: {{SANITIZED_BRANCH_NAME}} + variables: + - name: CI_ENVIRONMENT_SLUG + value: {{ENVIRONMENT}} + destination: + server: 'https://kubernetes.default.svc' + namespace: review-apps + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true \ No newline at end of file From 1e179e46ed43286c2168cec7398776c5d93a4b8f Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Wed, 21 Aug 2024 12:50:16 -0400 Subject: [PATCH 02/46] Initial stab at using kustomize --- .gitlab-ci.yml | 4 +- dockerfiles/application.yaml | 283 ++++++++++++++++++++++++++++++++++- 2 files changed, 278 insertions(+), 9 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 72eee5e728b..b8d3ba9cd94 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
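Review bot: `project: default` places every branch-driven review Application in Argo CD's unrestricted built-in AppProject, while `automated.prune`/`selfHeal` together with `CreateNamespace=true` let that Application create and delete whatever the source path renders, anywhere the project permits. A dedicated AppProject with `sourceRepos` limited to the control repo, `destinations` limited to `namespace: review-apps` on `https://kubernetes.default.svc`, and an empty `clusterResourceWhitelist` bounds the blast radius; `project: review-apps` (constructed name) would then replace the line above. `targetRevision: sshelton/update-reviewapp` also pins the deployed control-repo revision to a personal branch, which should become the mainline branch or a tagged revision before this merges. The unquoted `{{ENVIRONMENT}}` placeholders make the file unparseable as YAML until rendered (a bare `{{` opens a flow mapping), so quoting them as `"{{ENVIRONMENT}}"` the way `namePrefix` already does would let linters and editors validate the template.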
@@ -440,8 +440,10 @@ trigger_devops: - sed -i "s|{{IDP_CONTAINER_TAG}}|${{ CI_COMMIT_SHA }}|g" ${{ APPLICATION_MANIFEST }} - sed -i "s|{{SANITIZED_BRANCH_NAME}}|${{ SANITIZED_BRANCH_NAME }}|g" ${{ APPLICATION_MANIFEST }} - sed -i "s|{{DASHBOARD_CONTAINER_TAG}}|${{ DASHBOARD_CONTAINER_TAG }}|g" ${{ APPLICATION_MANIFEST }} + - sed -i "s|{{PKI_IMAGE_TAG}}|${{ PIVCAC_CONTAINER_TAG }}|g" ${{ APPLICATION_MANIFEST }} + - cat ${{ APPLICATION_MANIFEST }} # Apply our ArgoCD Application - - kubectl apply -f dockerfiles/application.yaml + - kubectl apply -f ${{ APPLICATION_MANIFEST }} - echo "DNS may take a while to propagate, so be patient if it doesn't show up right away" - echo "To access the rails console, first run 'aws-vault exec sandbox-power -- aws eks update-kubeconfig --name reviewapp'" - echo "Then run aws-vault exec sandbox-power -- kubectl exec -it service/$CI_ENVIRONMENT_SLUG-login-chart-idp -n review-apps -- /app/bin/rails console" diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml index e775934b62a..10fe26396ef 100644 --- a/dockerfiles/application.yaml +++ b/dockerfiles/application.yaml 
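Review bot: The added `cat` of the rendered manifest writes the whole Application to the job log on every deploy; nothing in it is secret today, but this `sed` pipeline is the natural place a credential substitution would later be added, and job logs are retained and visible to everyone with pipeline access. Gating it behind a debug variable, e.g. `- test -z "${DEBUG_MANIFEST:-}" || cat "$APPLICATION_MANIFEST"` (constructed variable name), keeps the convenience without making the log the default audit trail. The `trigger_devops` script block starts outside the hunk.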
@@ -5,12 +5,111 @@ metadata: finalizers: - resources-finalizer.argocd.argoproj.io spec: + + # Can't use configMapGenerator since ArgoCD doesn't support it yet https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/application.yaml#L107 + # Common environment variables + common_env: &common_env + - name: KUBERNETES_REVIEW_APP + value: "true" + - name: POSTGRES_SSLMODE + value: "prefer" + + # IDP specific environment variables + idp_env: &idp_env + - name: POSTGRES_NAME + value: "idp" + - name: POSTGRES_HOST + value: "{{ENVIRONMENT}}-idp-pg.review-apps" + - name: POSTGRES_WORKER_NAME + value: "idp-worker-jobs" + - name: POSTGRES_WORKER_HOST + value: "{{ENVIRONMENT}}-idp-pg.review-apps" + - name: ASSET_HOST + value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - name: DASHBOARD_URL + value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + - name: DOMAIN_NAME + value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - name: LOGIN_ENV + value: "{{ENVIRONMENT}}" + - name: LOGIN_HOST_ROLE + value: "idp" + - name: LOGIN_SKIP_REMOTE_CONFIG + value: "true" + - name: PIV_CAC_SERVICE_URL + value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + - name: PIV_CAC_VERIFY_TOKEN_URL + value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + + # Worker specific environment variables + worker_env: &worker_env + - name: POSTGRES_NAME + value: "idp" + - name: POSTGRES_HOST + value: "{{ENVIRONMENT}}-idp-pg.review-apps" + - name: POSTGRES_WORKER_NAME + value: "idp-worker-jobs" + - name: POSTGRES_WORKER_HOST + value: "{{ENVIRONMENT}}-idp-pg.review-apps" + - name: LOGIN_ENV + value: "{{ENVIRONMENT}}" + - name: LOGIN_HOST_ROLE + value: "worker" + - name: LOGIN_SKIP_REMOTE_CONFIG + value: "true" + - name: PIV_CAC_SERVICE_URL + value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + - name: PIV_CAC_VERIFY_TOKEN_URL + value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + - 
name: DOMAIN_NAME + value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + + # PIVCAC specific environment variables + pivcac_env: &pivcac_env + - name: CLIENT_CERT_S3_BUCKET + value: "login-gov-pivcac-public-cert-reviewapps.894947205914-us-west-2" + - name: POSTGRES_NAME + value: "identity_pki_production" + - name: POSTGRES_HOST + value: "{{ENVIRONMENT}}-pivcac-pg.review-apps" + - name: IDP_HOST + value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - name: DOMAIN_NAME + value: "{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov" + + # Dashboard specific environment variables + dashboard_config: &dashboard_config + - name: KUBERNETES_REVIEW_APP + value: "true" + - name: POSTGRES_NAME + value: "dashboard" + - name: POSTGRES_HOST + value: "{{ENVIRONMENT}}-dashboard-pg.review-apps" + - name: POSTGRES_SSLMODE + value: "prefer" + - name: NEW_RELIC_ENABLED + value: "false" + - name: SAML_SP_ISSUER + value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + - name: IDP_URL + value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - name: IDP_SP_URL + value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - name: POST_LOGOUT_URL + value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + - name: DOMAIN_NAME + value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + project: default source: repoURL: 'git@gitlab.login.gov:lg-public/identity-eks-control.git' targetRevision: sshelton/update-reviewapp - path: cluster-reviewapp/review-apps + path: . kustomize: + namePrefix: "{{ENVIRONMENT}}-" + commonLabels: + env: {{ENVIRONMENT}} + branch: {{SANITIZED_BRANCH_NAME}} images: # Swap in review images - name: identity-idp/idp 
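Review bot: `POSTGRES_SSLMODE` is set to `"prefer"` for the idp, worker and dashboard env blocks, which lets the client silently fall back to a cleartext connection when TLS negotiation fails; if the in-cluster `*-pg` StatefulSets serve TLS, `"require"` is the safer value, and if they do not, a comment on the line saying so would keep the next reader from assuming the link is encrypted. The dashboard block's `DOMAIN_NAME` carries a scheme (`https://{{ENVIRONMENT}}-dashboard...`) while every other `DOMAIN_NAME` is a bare host; presumably the dashboard expects that, but it reads like a copy of `POST_LOGOUT_URL`, so confirm it. `worker_env` repeats nearly all of `idp_env` verbatim, which invites drift; a comment noting which keys intentionally differ (`LOGIN_HOST_ROLE`, the missing `ASSET_HOST`/`DASHBOARD_URL`) would help. The hunk is cut before `spec.source.kustomize` ends.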
@@ -19,13 +118,181 @@ spec: - name: identity-dashboard/review newName: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-dashboard/review newTag: {{DASHBOARD_CONTAINER_TAG}} - namePrefix: "{{ENVIRONMENT}}-" - commonLabels: - env: {{ENVIRONMENT}} - branch: {{SANITIZED_BRANCH_NAME}} - variables: - - name: CI_ENVIRONMENT_SLUG - value: {{ENVIRONMENT}} + - name: identity-pki/review + newTag: {{PIVCAC_CONTAINER_TAG}} + components: + - library/idp + - library/dashboard + # Since reviewapps are dynamic in nature we have to handle kustomize patching here + patches: + # Patch for IDP StatefulSet + - target: + kind: StatefulSet + name: idp-pg + patch: | + spec: + volumeClaimTemplates: + - metadata: + name: {{ENVIRONMENT}}-idp-data + template: + spec: + containers: + - name: postgres + volumeMounts: + - name: {{ENVIRONMENT}}-idp-data + mountPath: /var/lib/postgresql/data + subPath: postgres + + # Patch for PIVCAC StatefulSet + - target: + kind: StatefulSet + name: pivcac-pg + patch: | + spec: + volumeClaimTemplates: + - metadata: + name: {{ENVIRONMENT}}-pivcac-data + template: + spec: + containers: + - name: postgres + volumeMounts: + - name: {{ENVIRONMENT}}-pivcac-data + mountPath: /var/lib/postgresql/data + subPath: postgres + + # Patch for Dashboard StatefulSet + - target: + kind: StatefulSet + name: dashboard-pg + patch: | + spec: + volumeClaimTemplates: + - metadata: + name: {{ENVIRONMENT}}-dashboard-data + template: + spec: + containers: + - name: postgres + volumeMounts: + - name: {{ENVIRONMENT}}-dashboard-data + mountPath: /var/lib/postgresql/data + subPath: postgres + + # Patch application environments + - target: + kind: Rollout + name: idp-rollout + patch: | + spec: + template: + spec: + containers: + - name: idp + env: + <<: *common_env + <<: *idp_env + volumeMounts: [] # Using environment + volumes: [] + - target: + kind: Deployment + name: worker + patch: | + spec: + template: + spec: + containers: + - name: worker + env: + <<: *common_env + <<: *worker_env + 
volumeMounts: [] # Using environment + volumes: [] + - target: + kind: Deployment + name: pivcac + patch: | + spec: + template: + spec: + containers: + - name: pivcac + env: + <<: *common_env + <<: *pivcac_env + volumeMounts: [] # Using environment + volumes: [] + - target: + kind: Deployment + name: dashboard + patch: | + spec: + template: + spec: + containers: + - name: dashboard + env: + <<: *common_env + <<: *dashboard_env + volumeMounts: [] # Using environment + volumes: [] + # Patch rollout canary metrics + - target: + kind: Rollout + name: idp-rollout + patch: |- + - op: replace + path: /spec/strategy/canary/analysis/args/0/value + value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 + - op: replace + path: /spec/strategy/canary/steps/2/analysis/args/0/value + value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 + # Patch ingress names + - patch: |- + # IDP Ingress + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: idp + labels: + app: idp + annotations: + alb.ingress.kubernetes.io/group.name: review-app + spec: + rules: + - host: {{ENVIRONMENT}}.reviewapps.identitysandbox.gov + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: idp + port: + name: use-annotation + # DASHBOARD Ingress + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: dashboard + labels: + app: dashboard + annotations: + alb.ingress.kubernetes.io/group.name: review-app-dashboard + spec: + rules: + - host: {{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: dashboard + port: + number: 3001 destination: server: 'https://kubernetes.default.svc' namespace: review-apps From 2cf5951d792330db77efe88621f6c0b27f4d7b2a Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Wed, 21 Aug 2024 13:27:08 -0400 Subject: [PATCH 03/46] Fixing var references --- .gitlab-ci.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) 
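Review bot: `volumeMounts: [] # Using environment` and `volumes: []` in the four strategic-merge patches (idp, worker, pivcac, dashboard) most likely do not clear the base's mounts: in my experience both kubectl's and kustomize's strategic merge treat an empty merge-keyed list as "nothing to merge" and leave the original elements in place, so the config-map mounts this comment says are replaced by environment variables would still be present. If the intent is removal, a JSON 6902 patch on the same target is unambiguous, e.g. `- op: remove` / `path: /spec/template/spec/containers/0/volumeMounts`, or the strategic-merge `$patch: replace` directive; confirm against `kustomize build` output. The `# Patch ingress names` entries below also lack a `target:`, so kustomize must infer it from the patch body, which contains two documents separated by `---` and will not parse as a single strategic-merge patch.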
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b8d3ba9cd94..abe3f0fbb99 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -436,14 +436,14 @@ trigger_devops: - echo "${SANITIZED_BRANCH_NAME}" #TODO put in kustomize based deploy # Dynamically populate review environment settings - - sed -i "s|{{ENVIRONMENT}}|${{ CI_ENVIRONMENT_SLUG }}|g" ${{ APPLICATION_MANIFEST }} - - sed -i "s|{{IDP_CONTAINER_TAG}}|${{ CI_COMMIT_SHA }}|g" ${{ APPLICATION_MANIFEST }} - - sed -i "s|{{SANITIZED_BRANCH_NAME}}|${{ SANITIZED_BRANCH_NAME }}|g" ${{ APPLICATION_MANIFEST }} - - sed -i "s|{{DASHBOARD_CONTAINER_TAG}}|${{ DASHBOARD_CONTAINER_TAG }}|g" ${{ APPLICATION_MANIFEST }} - - sed -i "s|{{PKI_IMAGE_TAG}}|${{ PIVCAC_CONTAINER_TAG }}|g" ${{ APPLICATION_MANIFEST }} - - cat ${{ APPLICATION_MANIFEST }} + - sed -i "s|{{ENVIRONMENT}}|${CI_ENVIRONMENT_SLUG}|g" ${APPLICATION_MANIFEST} + - sed -i "s|{{IDP_CONTAINER_TAG}}|${CI_COMMIT_SHA}|g" ${APPLICATION_MANIFEST} + - sed -i "s|{{SANITIZED_BRANCH_NAME}}|${SANITIZED_BRANCH_NAME}|g" ${APPLICATION_MANIFEST} + - sed -i "s|{{DASHBOARD_CONTAINER_TAG}}|${DASHBOARD_CONTAINER_TAG}|g" ${APPLICATION_MANIFEST} + - sed -i "s|{{PKI_IMAGE_TAG}}|${PIVCAC_CONTAINER_TAG}|g" ${APPLICATION_MANIFEST} + - cat ${APPLICATION_MANIFEST} # Apply our ArgoCD Application - - kubectl apply -f ${{ APPLICATION_MANIFEST }} + - kubectl apply -f ${APPLICATION_MANIFEST} - echo "DNS may take a while to propagate, so be patient if it doesn't show up right away" - echo "To access the rails console, first run 'aws-vault exec sandbox-power -- aws eks update-kubeconfig --name reviewapp'" - echo "Then run aws-vault exec sandbox-power -- kubectl exec -it service/$CI_ENVIRONMENT_SLUG-login-chart-idp -n review-apps -- /app/bin/rails console" From 923cad65e62cac9859ae8904fb543d6dbaf8238e Mon Sep 17 00:00:00 2001 
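Review bot: The corrected `sed` lines still substitute an empty string when a variable is unset, so a placeholder such as `{{DASHBOARD_CONTAINER_TAG}}` silently becomes `newTag:` (null) and the manifest is applied anyway; GitLab runs these scripts without `set -u`. Using the fail-on-empty expansion in each substitution, e.g. `sed -i "s|{{IDP_CONTAINER_TAG}}|${CI_COMMIT_SHA:?}|g" "${APPLICATION_MANIFEST:?}"`, turns that into a job failure with the variable name in the log. The values are also spliced into a `sed` expression unescaped, so `|`, `&` or `\` in a value would alter the expression; the CI-derived values used here cannot contain them, which is worth stating in the `# Dynamically populate` comment so nobody later substitutes a free-form variable the same way.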
From: Stephen Shelton Date: Wed, 21 Aug 2024 13:56:10 -0400 Subject: [PATCH 04/46] Changes to indentsg --- dockerfiles/application.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml index 10fe26396ef..833e104c871 100644 --- a/dockerfiles/application.yaml +++ b/dockerfiles/application.yaml @@ -241,12 +241,12 @@ spec: kind: Rollout name: idp-rollout patch: |- - - op: replace - path: /spec/strategy/canary/analysis/args/0/value - value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 - - op: replace - path: /spec/strategy/canary/steps/2/analysis/args/0/value - value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 + - op: replace + path: /spec/strategy/canary/analysis/args/0/value + value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 + - op: replace + path: /spec/strategy/canary/steps/2/analysis/args/0/value + value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 # Patch ingress names - patch: |- # IDP Ingress From 934465b90a23ce1f1780cea56aad4d52df5c5639 Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Wed, 21 Aug 2024 14:15:45 -0400 Subject: [PATCH 05/46] Adding missing targets --- dockerfiles/application.yaml | 100 +++++++++++++++++++---------------- 1 file changed, 55 insertions(+), 45 deletions(-) diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml index 833e104c871..1278990c79b 100644 --- a/dockerfiles/application.yaml +++ b/dockerfiles/application.yaml @@ -123,6 +123,9 @@ spec: components: - library/idp - library/dashboard + - cluster-reviewapp/env/idp/postgres.yml + - cluster-reviewapp/env/dashboard/postgres.yml + - cluster-reviewapp/env/dashboard/postgres.yml # Since reviewapps are dynamic in nature we have to handle kustomize patching here patches: # Patch for IDP StatefulSet 
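Review bot: `cluster-reviewapp/env/dashboard/postgres.yml` is added to `components:` twice and nothing is added for pivcac, although the patches below target a `pivcac-pg` StatefulSet; the second entry presumably should read `- cluster-reviewapp/env/pivcac/postgres.yml`, so confirm against the control repo. Separately, kustomize `components:` entries are directories holding a `kustomization.yaml` of `kind: Component`; if these `.yml` paths are plain manifests they belong under `resources:`, where kustomize would also reject the duplicate id instead of applying it twice. The hunk sits inside `spec.source.kustomize`, which starts outside it.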
@@ -248,51 +251,58 @@ spec: path: /spec/strategy/canary/steps/2/analysis/args/0/value value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 # Patch ingress names - - patch: |- - # IDP Ingress - --- - apiVersion: networking.k8s.io/v1 - kind: Ingress - metadata: - name: idp - labels: - app: idp - annotations: - alb.ingress.kubernetes.io/group.name: review-app - spec: - rules: - - host: {{ENVIRONMENT}}.reviewapps.identitysandbox.gov - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: idp - port: - name: use-annotation - # DASHBOARD Ingress - --- - apiVersion: networking.k8s.io/v1 - kind: Ingress - metadata: - name: dashboard - labels: - app: dashboard - annotations: - alb.ingress.kubernetes.io/group.name: review-app-dashboard - spec: - rules: - - host: {{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: dashboard - port: - number: 3001 + - target: + kind: Ingress + name: idp + patch: |- + # IDP Ingress + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: idp + labels: + app: idp + annotations: + alb.ingress.kubernetes.io/group.name: review-app + spec: + rules: + - host: {{ENVIRONMENT}}.reviewapps.identitysandbox.gov + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: idp + port: + name: use-annotation + - target: + kind: Ingress + name: dashboard + patch: |- + # DASHBOARD Ingress + --- + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: dashboard + labels: + app: dashboard + annotations: + alb.ingress.kubernetes.io/group.name: review-app-dashboard + spec: + rules: + - host: {{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: dashboard + port: + number: 3001 destination: server: 'https://kubernetes.default.svc' namespace: review-apps From fc6a5e40f4ac76eb604e88a0a1b7d6de91e97505 Mon Sep 17 00:00:00 2001 
From: Stephen Shelton Date: Wed, 21 Aug 2024 15:21:57 -0400 Subject: [PATCH 06/46] More testing --- dockerfiles/application.yaml | 101 +++++++++++++++++------------------ 1 file changed, 50 insertions(+), 51 deletions(-) diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml index 1278990c79b..631d1e958d1 100644 --- a/dockerfiles/application.yaml +++ b/dockerfiles/application.yaml @@ -132,7 +132,7 @@ spec: - target: kind: StatefulSet name: idp-pg - patch: | + patch: |- spec: volumeClaimTemplates: - metadata: @@ -150,7 +150,7 @@ spec: - target: kind: StatefulSet name: pivcac-pg - patch: | + patch: |- spec: volumeClaimTemplates: - metadata: @@ -168,7 +168,7 @@ spec: - target: kind: StatefulSet name: dashboard-pg - patch: | + patch: |- spec: volumeClaimTemplates: - metadata: @@ -186,7 +186,7 @@ spec: - target: kind: Rollout name: idp-rollout - patch: | + patch: |- spec: template: spec: @@ -200,7 +200,7 @@ spec: - target: kind: Deployment name: worker - patch: | + patch: |- spec: template: spec: @@ -214,7 +214,7 @@ spec: - target: kind: Deployment name: pivcac - patch: | + patch: |- spec: template: spec: @@ -228,7 +228,7 @@ spec: - target: kind: Deployment name: dashboard - patch: | + patch: |- spec: template: spec: 
@@ -255,54 +255,53 @@ spec: kind: Ingress name: idp patch: |- - # IDP Ingress - --- - apiVersion: networking.k8s.io/v1 - kind: Ingress - metadata: - name: idp - labels: - app: idp - annotations: - alb.ingress.kubernetes.io/group.name: review-app - spec: - rules: - - host: {{ENVIRONMENT}}.reviewapps.identitysandbox.gov - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: idp - port: - name: use-annotation + # IDP Ingress + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: idp + labels: + app: idp + annotations: + alb.ingress.kubernetes.io/group.name: review-app + spec: + rules: + - host: {{ENVIRONMENT}}.reviewapps.identitysandbox.gov + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: idp + port: + name: use-annotation + - target: kind: Ingress name: dashboard patch: |- - # DASHBOARD Ingress - --- - apiVersion: networking.k8s.io/v1 - kind: Ingress - metadata: - name: dashboard - labels: - app: dashboard - annotations: - alb.ingress.kubernetes.io/group.name: review-app-dashboard - spec: - rules: - - host: {{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: dashboard - port: - number: 3001 + # DASHBOARD Ingress + apiVersion: networking.k8s.io/v1 + kind: Ingress + metadata: + name: dashboard + labels: + app: dashboard + annotations: + alb.ingress.kubernetes.io/group.name: review-app-dashboard + spec: + rules: + - host: {{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: dashboard + port: + number: 3001 destination: server: 'https://kubernetes.default.svc' namespace: review-apps From 42a800cd7f7efaa33490628bb21da0c887020666 Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Wed, 21 Aug 2024 16:36:33 -0400 Subject: [PATCH 07/46] Fixing variable substitution --- .gitlab-ci.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index abe3f0fbb99..b9f804200e3 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -437,10 +437,10 @@ trigger_devops: #TODO put in kustomize based deploy # Dynamically populate review environment settings - sed -i "s|{{ENVIRONMENT}}|${CI_ENVIRONMENT_SLUG}|g" ${APPLICATION_MANIFEST} - - sed -i "s|{{IDP_CONTAINER_TAG}}|${CI_COMMIT_SHA}|g" ${APPLICATION_MANIFEST} - sed -i "s|{{SANITIZED_BRANCH_NAME}}|${SANITIZED_BRANCH_NAME}|g" ${APPLICATION_MANIFEST} - - sed -i "s|{{DASHBOARD_CONTAINER_TAG}}|${DASHBOARD_CONTAINER_TAG}|g" ${APPLICATION_MANIFEST} - - sed -i "s|{{PKI_IMAGE_TAG}}|${PIVCAC_CONTAINER_TAG}|g" ${APPLICATION_MANIFEST} + - sed -i "s|{{IDP_CONTAINER_TAG}}|${CI_COMMIT_SHA}|g" ${APPLICATION_MANIFEST} + - sed -i "s|{{DASHBOARD_CONTAINER_TAG}}|${DASHBOARD_IMAGE_TAG}|g" ${APPLICATION_MANIFEST} + - sed -i "s|{{PIVCAC_CONTAINER_TAG}}|${PKI_IMAGE_TAG}|g" ${APPLICATION_MANIFEST} - cat ${APPLICATION_MANIFEST} # Apply our ArgoCD Application - kubectl apply -f ${APPLICATION_MANIFEST} From c858146f97cbc8bbc9d34f80055ba0bdea417068 Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Wed, 21 Aug 2024 16:52:01 -0400 Subject: [PATCH 08/46] More testing --- dockerfiles/application.yaml | 200 +++++++++++++++-------------------- 1 file changed, 88 insertions(+), 112 deletions(-) diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml index 631d1e958d1..80b13a0af27 100644 --- a/dockerfiles/application.yaml +++ b/dockerfiles/application.yaml 
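Review bot: The renamed placeholders fix this instance, but nothing verifies that every `{{...}}` token was actually replaced before `kubectl apply`, which is how the `{{PKI_IMAGE_TAG}}`/`{{PIVCAC_CONTAINER_TAG}}` mismatch reached the cluster; a guard after the last `sed`, `- if grep -q '{{' "${APPLICATION_MANIFEST}"; then echo "unrendered placeholder in manifest"; exit 1; fi`, fails the job with the problem visible in the log. Note also that `${DASHBOARD_IMAGE_TAG}` and `${PKI_IMAGE_TAG}` are both `'main'` per the `variables:` block, so the dashboard and pivcac images deployed into a review app are mutable tags rather than the pinned `${CI_COMMIT_SHA}` used for idp; resolving those tags to a digest in CI before substitution would make a review environment reproducible.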
@@ -5,101 +5,6 @@ metadata: finalizers: - resources-finalizer.argocd.argoproj.io spec: - - # Can't use configMapGenerator since ArgoCD doesn't support it yet https://github.com/argoproj/argo-cd/blob/master/docs/operator-manual/application.yaml#L107 - # Common environment variables - common_env: &common_env - - name: KUBERNETES_REVIEW_APP - value: "true" - - name: POSTGRES_SSLMODE - value: "prefer" - - # IDP specific environment variables - idp_env: &idp_env - - name: POSTGRES_NAME - value: "idp" - - name: POSTGRES_HOST - value: "{{ENVIRONMENT}}-idp-pg.review-apps" - - name: POSTGRES_WORKER_NAME - value: "idp-worker-jobs" - - name: POSTGRES_WORKER_HOST - value: "{{ENVIRONMENT}}-idp-pg.review-apps" - - name: ASSET_HOST - value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - - name: DASHBOARD_URL - value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" - - name: DOMAIN_NAME - value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - - name: LOGIN_ENV - value: "{{ENVIRONMENT}}" - - name: LOGIN_HOST_ROLE - value: "idp" - - name: LOGIN_SKIP_REMOTE_CONFIG - value: "true" - - name: PIV_CAC_SERVICE_URL - value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" - - name: PIV_CAC_VERIFY_TOKEN_URL - value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" - - # Worker specific environment variables - worker_env: &worker_env - - name: POSTGRES_NAME - value: "idp" - - name: POSTGRES_HOST - value: "{{ENVIRONMENT}}-idp-pg.review-apps" - - name: POSTGRES_WORKER_NAME - value: "idp-worker-jobs" - - name: POSTGRES_WORKER_HOST - value: "{{ENVIRONMENT}}-idp-pg.review-apps" - - name: LOGIN_ENV - value: "{{ENVIRONMENT}}" - - name: LOGIN_HOST_ROLE - value: "worker" - - name: LOGIN_SKIP_REMOTE_CONFIG - value: "true" - - name: PIV_CAC_SERVICE_URL - value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" - - name: PIV_CAC_VERIFY_TOKEN_URL - value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" - - 
name: DOMAIN_NAME - value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - - # PIVCAC specific environment variables - pivcac_env: &pivcac_env - - name: CLIENT_CERT_S3_BUCKET - value: "login-gov-pivcac-public-cert-reviewapps.894947205914-us-west-2" - - name: POSTGRES_NAME - value: "identity_pki_production" - - name: POSTGRES_HOST - value: "{{ENVIRONMENT}}-pivcac-pg.review-apps" - - name: IDP_HOST - value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - - name: DOMAIN_NAME - value: "{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov" - - # Dashboard specific environment variables - dashboard_config: &dashboard_config - - name: KUBERNETES_REVIEW_APP - value: "true" - - name: POSTGRES_NAME - value: "dashboard" - - name: POSTGRES_HOST - value: "{{ENVIRONMENT}}-dashboard-pg.review-apps" - - name: POSTGRES_SSLMODE - value: "prefer" - - name: NEW_RELIC_ENABLED - value: "false" - - name: SAML_SP_ISSUER - value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" - - name: IDP_URL - value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - - name: IDP_SP_URL - value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - - name: POST_LOGOUT_URL - value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" - - name: DOMAIN_NAME - value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" - project: default source: repoURL: 'git@gitlab.login.gov:lg-public/identity-eks-control.git' @@ -111,7 +16,6 @@ spec: env: {{ENVIRONMENT}} branch: {{SANITIZED_BRANCH_NAME}} images: - # Swap in review images - name: identity-idp/idp newName: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-idp/review newTag: {{IDP_CONTAINER_TAG}} @@ -126,7 +30,6 @@ spec: - cluster-reviewapp/env/idp/postgres.yml - cluster-reviewapp/env/dashboard/postgres.yml - cluster-reviewapp/env/dashboard/postgres.yml - # Since reviewapps are dynamic in nature we have to handle kustomize patching here patches: # Patch for IDP StatefulSet - target: 
@@ -145,7 +48,6 @@ spec: - name: {{ENVIRONMENT}}-idp-data mountPath: /var/lib/postgresql/data subPath: postgres - # Patch for PIVCAC StatefulSet - target: kind: StatefulSet @@ -163,7 +65,6 @@ spec: - name: {{ENVIRONMENT}}-pivcac-data mountPath: /var/lib/postgresql/data subPath: postgres - # Patch for Dashboard StatefulSet - target: kind: StatefulSet @@ -181,8 +82,7 @@ spec: - name: {{ENVIRONMENT}}-dashboard-data mountPath: /var/lib/postgresql/data subPath: postgres - - # Patch application environments + # Patch application environments for IDP - target: kind: Rollout name: idp-rollout @@ -193,10 +93,37 @@ spec: containers: - name: idp env: - <<: *common_env - <<: *idp_env + - name: KUBERNETES_REVIEW_APP + value: "true" + - name: POSTGRES_SSLMODE + value: "prefer" + - name: POSTGRES_NAME + value: "idp" + - name: POSTGRES_HOST + value: "{{ENVIRONMENT}}-idp-pg.review-apps" + - name: POSTGRES_WORKER_NAME + value: "idp-worker-jobs" + - name: POSTGRES_WORKER_HOST + value: "{{ENVIRONMENT}}-idp-pg.review-apps" + - name: ASSET_HOST + value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - name: DASHBOARD_URL + value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + - name: DOMAIN_NAME + value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - name: LOGIN_ENV + value: "{{ENVIRONMENT}}" + - name: LOGIN_HOST_ROLE + value: "idp" + - name: LOGIN_SKIP_REMOTE_CONFIG + value: "true" + - name: PIV_CAC_SERVICE_URL + value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + - name: PIV_CAC_VERIFY_TOKEN_URL + value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" volumeMounts: [] # Using environment volumes: [] + # Patch application environments for Worker - target: kind: Deployment name: worker 
@@ -207,10 +134,33 @@ spec: containers: - name: worker env: - <<: *common_env - <<: *worker_env + - name: KUBERNETES_REVIEW_APP + value: "true" + - name: POSTGRES_SSLMODE + value: "prefer" + - name: POSTGRES_NAME + value: "idp" + - name: POSTGRES_HOST + value: "{{ENVIRONMENT}}-idp-pg.review-apps" + - name: POSTGRES_WORKER_NAME + value: "idp-worker-jobs" + - name: POSTGRES_WORKER_HOST + value: "{{ENVIRONMENT}}-idp-pg.review-apps" + - name: LOGIN_ENV + value: "{{ENVIRONMENT}}" + - name: LOGIN_HOST_ROLE + value: "worker" + - name: LOGIN_SKIP_REMOTE_CONFIG + value: "true" + - name: PIV_CAC_SERVICE_URL + value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + - name: PIV_CAC_VERIFY_TOKEN_URL + value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + - name: DOMAIN_NAME + value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" volumeMounts: [] # Using environment volumes: [] + # Patch application environments for PIVCAC - target: kind: Deployment name: pivcac @@ -221,10 +171,21 @@ spec: containers: - name: pivcac env: - <<: *common_env - <<: *pivcac_env + - name: KUBERNETES_REVIEW_APP + value: "true" + - name: CLIENT_CERT_S3_BUCKET + value: "login-gov-pivcac-public-cert-reviewapps.894947205914-us-west-2" + - name: POSTGRES_NAME + value: "identity_pki_production" + - name: POSTGRES_HOST + value: "{{ENVIRONMENT}}-pivcac-pg.review-apps" + - name: IDP_HOST + value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - name: DOMAIN_NAME + value: "{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov" volumeMounts: [] # Using environment volumes: [] + # Patch application environments for Dashboard - target: kind: Deployment name: dashboard 
@@ -235,8 +196,26 @@ spec: containers: - name: dashboard env: - <<: *common_env - <<: *dashboard_env + - name: KUBERNETES_REVIEW_APP + value: "true" + - name: POSTGRES_NAME + value: "dashboard" + - name: POSTGRES_HOST + value: "{{ENVIRONMENT}}-dashboard-pg.review-apps" + - name: POSTGRES_SSLMODE + value: "prefer" + - name: NEW_RELIC_ENABLED + value: "false" + - name: SAML_SP_ISSUER + value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + - name: IDP_URL + value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - name: IDP_SP_URL + value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - name: POST_LOGOUT_URL + value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + - name: DOMAIN_NAME + value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" volumeMounts: [] # Using environment volumes: [] # Patch rollout canary metrics @@ -255,7 +234,6 @@ spec: kind: Ingress name: idp patch: |- - # IDP Ingress apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -276,12 +254,10 @@ spec: name: idp port: name: use-annotation - - target: kind: Ingress name: dashboard patch: |- - # DASHBOARD Ingress apiVersion: networking.k8s.io/v1 kind: Ingress metadata: From 13f54cc8260f420c8cc0694adc077a11ab2d0ce7 Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Wed, 21 Aug 2024 19:46:43 -0400 Subject: [PATCH 09/46] More testing --- dockerfiles/application.yaml | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml index 80b13a0af27..d00cfd336e6 100644 --- a/dockerfiles/application.yaml +++ b/dockerfiles/application.yaml 
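Review bot: `DOMAIN_NAME` for the dashboard container is set to a full URL (`"https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov"`), whereas the idp, worker and pivcac patches set `DOMAIN_NAME` to a bare hostname; the same variable name carrying two shapes is easy to get wrong when these lists are edited side by side. If the dashboard app really expects a URL here, a comment such as `# dashboard reads DOMAIN_NAME as a URL, not a bare host` on that entry makes the difference intentional; if not, drop the scheme to match the other three.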
@@ -15,15 +15,6 @@ spec: commonLabels: env: {{ENVIRONMENT}} branch: {{SANITIZED_BRANCH_NAME}} - images: - - name: identity-idp/idp - newName: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-idp/review - newTag: {{IDP_CONTAINER_TAG}} - - name: identity-dashboard/review - newName: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-dashboard/review - newTag: {{DASHBOARD_CONTAINER_TAG}} - - name: identity-pki/review - newTag: {{PIVCAC_CONTAINER_TAG}} components: - library/idp - library/dashboard @@ -92,6 +83,7 @@ spec: spec: containers: - name: idp + image: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-idp/review:{{IDP_CONTAINER_TAG}} env: - name: KUBERNETES_REVIEW_APP value: "true" @@ -133,6 +125,7 @@ spec: spec: containers: - name: worker + image: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-idp/review:{{IDP_CONTAINER_TAG}} env: - name: KUBERNETES_REVIEW_APP value: "true" @@ -170,6 +163,7 @@ spec: spec: containers: - name: pivcac + image: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-pki/review:{{PIVCAC_CONTAINER_TAG}} env: - name: KUBERNETES_REVIEW_APP value: "true" @@ -195,6 +189,7 @@ spec: spec: containers: - name: dashboard + image: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}} env: - name: KUBERNETES_REVIEW_APP value: "true" From fb1ce036c59a9ef0919ed2250b0fb3a0bbd5da27 Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Wed, 21 Aug 2024 19:53:57 -0400 Subject: [PATCH 10/46] Adding namespace to apply command --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b9f804200e3..b3843d818f3 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
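Review bot: The `image:` lines added for pivcac and dashboard substitute `{{PIVCAC_CONTAINER_TAG}}` and `{{DASHBOARD_CONTAINER_TAG}}`, which appear to be branch-style mutable tags rather than commit SHAs, and none of the four new `image:` lines sets `imagePullPolicy`; a node that already holds that tag will keep running a stale build, which the removed `images:` block did not change either. Pinning those two by digest, or adding `imagePullPolicy: Always` next to each `image:` line, makes a fresh review app actually pick up the current build. The same hunks also hard-code the registry host `217680906704.dkr.ecr.us-west-2.amazonaws.com` four times; a later patch in this series templates it as `{{ECR_REGISTRY}}`, so this is only a reminder that the literal should not survive into the merged result.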
@@ -443,7 +443,7 @@ trigger_devops: - sed -i "s|{{PIVCAC_CONTAINER_TAG}}|${PKI_IMAGE_TAG}|g" ${APPLICATION_MANIFEST} - cat ${APPLICATION_MANIFEST} # Apply our ArgoCD Application - - kubectl apply -f ${APPLICATION_MANIFEST} + - kubectl apply -f ${APPLICATION_MANIFEST} -n argocd - echo "DNS may take a while to propagate, so be patient if it doesn't show up right away" - echo "To access the rails console, first run 'aws-vault exec sandbox-power -- aws eks update-kubeconfig --name reviewapp'" - echo "Then run aws-vault exec sandbox-power -- kubectl exec -it service/$CI_ENVIRONMENT_SLUG-login-chart-idp -n review-apps -- /app/bin/rails console" From 7d9c4b2c40f62ae1730217ecbe091177b46ee68e Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Wed, 21 Aug 2024 19:59:08 -0400 Subject: [PATCH 11/46] Not validating our application manifest --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b3843d818f3..56bc474bd43 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -443,7 +443,7 @@ trigger_devops: - sed -i "s|{{PIVCAC_CONTAINER_TAG}}|${PKI_IMAGE_TAG}|g" ${APPLICATION_MANIFEST} - cat ${APPLICATION_MANIFEST} # Apply our ArgoCD Application - - kubectl apply -f ${APPLICATION_MANIFEST} -n argocd + - kubectl apply -f ${APPLICATION_MANIFEST} -n argocd --validate=false - echo "DNS may take a while to propagate, so be patient if it doesn't show up right away" - echo "To access the rails console, first run 'aws-vault exec sandbox-power -- aws eks update-kubeconfig --name reviewapp'" - echo "Then run aws-vault exec sandbox-power -- kubectl exec -it service/$CI_ENVIRONMENT_SLUG-login-chart-idp -n review-apps -- /app/bin/rails console" From 8540a02605bd31318e12e6947cb8f1c87d589886 Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Wed, 21 Aug 2024 20:06:15 -0400 Subject: [PATCH 12/46] It was KAS all along --- .gitlab-ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
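Review bot: `kubectl apply -f ${APPLICATION_MANIFEST} -n argocd` means the review-app job's kube identity can create and update Application objects in the `argocd` namespace, and an Application is only as constrained as its AppProject — under the default project a modified manifest can point ArgoCD at any repo, path, cluster or namespace it can reach. The manifest's `project:` field is not visible in this diff, so I cannot confirm it; it should reference an AppProject that limits `sourceRepos` to the control repo and `destinations` to the `review-apps` namespace, and the CI role should be scoped to Application objects in `argocd` rather than broader write access. The `cat ${APPLICATION_MANIFEST}` line above the apply prints the rendered manifest into the job log, which is fine only as long as nothing secret is ever substituted into it.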
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 56bc474bd43..b3843d818f3 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -443,7 +443,7 @@ trigger_devops: - sed -i "s|{{PIVCAC_CONTAINER_TAG}}|${PKI_IMAGE_TAG}|g" ${APPLICATION_MANIFEST} - cat ${APPLICATION_MANIFEST} # Apply our ArgoCD Application - - kubectl apply -f ${APPLICATION_MANIFEST} -n argocd --validate=false + - kubectl apply -f ${APPLICATION_MANIFEST} -n argocd - echo "DNS may take a while to propagate, so be patient if it doesn't show up right away" - echo "To access the rails console, first run 'aws-vault exec sandbox-power -- aws eks update-kubeconfig --name reviewapp'" - echo "Then run aws-vault exec sandbox-power -- kubectl exec -it service/$CI_ENVIRONMENT_SLUG-login-chart-idp -n review-apps -- /app/bin/rails console" From e66aeafdf257f4c48a73d550a3e4fe9891893d94 Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Thu, 22 Aug 2024 09:28:38 -0400 Subject: [PATCH 13/46] Removing components key --- dockerfiles/application.yaml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml index d00cfd336e6..defbca947cc 100644 --- a/dockerfiles/application.yaml +++ b/dockerfiles/application.yaml @@ -9,18 +9,12 @@ spec: source: repoURL: 'git@gitlab.login.gov:lg-public/identity-eks-control.git' targetRevision: sshelton/update-reviewapp - path: . + path: cluster-reviewapp/envs/reviewapps kustomize: namePrefix: "{{ENVIRONMENT}}-" commonLabels: env: {{ENVIRONMENT}} branch: {{SANITIZED_BRANCH_NAME}} - components: - - library/idp - - library/dashboard - - cluster-reviewapp/env/idp/postgres.yml - - cluster-reviewapp/env/dashboard/postgres.yml - - cluster-reviewapp/env/dashboard/postgres.yml patches: # Patch for IDP StatefulSet - target: From c1c97e1140694200a543a95294fea662a2d49f5f Mon Sep 17 00:00:00 2001 
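Review bot: After the `path:` change the Application sources `cluster-reviewapp/envs/reviewapps` from `targetRevision: sshelton/update-reviewapp`, a personal branch of the control repo; ArgoCD will keep syncing whatever lands on that branch into the `review-apps` namespace, so anyone who can push to it controls every review app's manifests. Before this merges, pin `targetRevision` to a protected branch or tag (for example `targetRevision: main`), or template it the way the image tags are so the pipeline chooses it explicitly. The removed `components:` list also contained `cluster-reviewapp/env/dashboard/postgres.yml` twice, which the path-based layout presumably makes moot.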
From: Stephen Shelton Date: Thu, 22 Aug 2024 09:52:30 -0400 Subject: [PATCH 14/46] Seeing if this helps --- dockerfiles/application.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml index defbca947cc..b13a60dfa3c 100644 --- a/dockerfiles/application.yaml +++ b/dockerfiles/application.yaml @@ -23,8 +23,8 @@ spec: patch: |- spec: volumeClaimTemplates: - - metadata: - name: {{ENVIRONMENT}}-idp-data + - metadata: + name: {{ENVIRONMENT}}-idp-data template: spec: containers: From 118f9f8863a8b7852aaa3ba24110670785c3ceb8 Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Thu, 22 Aug 2024 09:59:44 -0400 Subject: [PATCH 15/46] Starting simple and adding more --- dockerfiles/application.yaml | 484 +++++++++++++++++------------------ 1 file changed, 242 insertions(+), 242 deletions(-) diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml index b13a60dfa3c..b15598bf16c 100644 --- a/dockerfiles/application.yaml +++ b/dockerfiles/application.yaml 
@@ -25,248 +25,248 @@ spec: volumeClaimTemplates: - metadata: name: {{ENVIRONMENT}}-idp-data - template: - spec: - containers: - - name: postgres - volumeMounts: - - name: {{ENVIRONMENT}}-idp-data - mountPath: /var/lib/postgresql/data - subPath: postgres - # Patch for PIVCAC StatefulSet - - target: - kind: StatefulSet - name: pivcac-pg - patch: |- - spec: - volumeClaimTemplates: - - metadata: - name: {{ENVIRONMENT}}-pivcac-data - template: - spec: - containers: - - name: postgres - volumeMounts: - - name: {{ENVIRONMENT}}-pivcac-data - mountPath: /var/lib/postgresql/data - subPath: postgres - # Patch for Dashboard StatefulSet - - target: - kind: StatefulSet - name: dashboard-pg - patch: |- - spec: - volumeClaimTemplates: - - metadata: - name: {{ENVIRONMENT}}-dashboard-data - template: - spec: - containers: - - name: postgres - volumeMounts: - - name: {{ENVIRONMENT}}-dashboard-data - mountPath: /var/lib/postgresql/data - subPath: postgres - # Patch application environments for IDP - - target: - kind: Rollout - name: idp-rollout - patch: |- - spec: - template: - spec: - containers: - - name: idp - image: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-idp/review:{{IDP_CONTAINER_TAG}} - env: - - name: KUBERNETES_REVIEW_APP - value: "true" - - name: POSTGRES_SSLMODE - value: "prefer" - - name: POSTGRES_NAME - value: "idp" - - name: POSTGRES_HOST - value: "{{ENVIRONMENT}}-idp-pg.review-apps" - - name: POSTGRES_WORKER_NAME - value: "idp-worker-jobs" - - name: POSTGRES_WORKER_HOST - value: "{{ENVIRONMENT}}-idp-pg.review-apps" - - name: ASSET_HOST - value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - - name: DASHBOARD_URL - value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" - - name: DOMAIN_NAME - value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - - name: LOGIN_ENV - value: "{{ENVIRONMENT}}" - - name: LOGIN_HOST_ROLE - value: "idp" - - name: LOGIN_SKIP_REMOTE_CONFIG - value: "true" - - name: PIV_CAC_SERVICE_URL - value: 
"https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" - - name: PIV_CAC_VERIFY_TOKEN_URL - value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" - volumeMounts: [] # Using environment - volumes: [] - # Patch application environments for Worker - - target: - kind: Deployment - name: worker - patch: |- - spec: - template: - spec: - containers: - - name: worker - image: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-idp/review:{{IDP_CONTAINER_TAG}} - env: - - name: KUBERNETES_REVIEW_APP - value: "true" - - name: POSTGRES_SSLMODE - value: "prefer" - - name: POSTGRES_NAME - value: "idp" - - name: POSTGRES_HOST - value: "{{ENVIRONMENT}}-idp-pg.review-apps" - - name: POSTGRES_WORKER_NAME - value: "idp-worker-jobs" - - name: POSTGRES_WORKER_HOST - value: "{{ENVIRONMENT}}-idp-pg.review-apps" - - name: LOGIN_ENV - value: "{{ENVIRONMENT}}" - - name: LOGIN_HOST_ROLE - value: "worker" - - name: LOGIN_SKIP_REMOTE_CONFIG - value: "true" - - name: PIV_CAC_SERVICE_URL - value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" - - name: PIV_CAC_VERIFY_TOKEN_URL - value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" - - name: DOMAIN_NAME - value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - volumeMounts: [] # Using environment - volumes: [] - # Patch application environments for PIVCAC - - target: - kind: Deployment - name: pivcac - patch: |- - spec: - template: - spec: - containers: - - name: pivcac - image: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-pki/review:{{PIVCAC_CONTAINER_TAG}} - env: - - name: KUBERNETES_REVIEW_APP - value: "true" - - name: CLIENT_CERT_S3_BUCKET - value: "login-gov-pivcac-public-cert-reviewapps.894947205914-us-west-2" - - name: POSTGRES_NAME - value: "identity_pki_production" - - name: POSTGRES_HOST - value: "{{ENVIRONMENT}}-pivcac-pg.review-apps" - - name: IDP_HOST - value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - - name: DOMAIN_NAME - value: 
"{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov" - volumeMounts: [] # Using environment - volumes: [] - # Patch application environments for Dashboard - - target: - kind: Deployment - name: dashboard - patch: |- - spec: - template: - spec: - containers: - - name: dashboard - image: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}} - env: - - name: KUBERNETES_REVIEW_APP - value: "true" - - name: POSTGRES_NAME - value: "dashboard" - - name: POSTGRES_HOST - value: "{{ENVIRONMENT}}-dashboard-pg.review-apps" - - name: POSTGRES_SSLMODE - value: "prefer" - - name: NEW_RELIC_ENABLED - value: "false" - - name: SAML_SP_ISSUER - value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" - - name: IDP_URL - value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - - name: IDP_SP_URL - value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - - name: POST_LOGOUT_URL - value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" - - name: DOMAIN_NAME - value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" - volumeMounts: [] # Using environment - volumes: [] - # Patch rollout canary metrics - - target: - kind: Rollout - name: idp-rollout - patch: |- - - op: replace - path: /spec/strategy/canary/analysis/args/0/value - value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 - - op: replace - path: /spec/strategy/canary/steps/2/analysis/args/0/value - value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 - # Patch ingress names - - target: - kind: Ingress - name: idp - patch: |- - apiVersion: networking.k8s.io/v1 - kind: Ingress - metadata: - name: idp - labels: - app: idp - annotations: - alb.ingress.kubernetes.io/group.name: review-app - spec: - rules: - - host: {{ENVIRONMENT}}.reviewapps.identitysandbox.gov - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: idp - port: - name: use-annotation - - target: - kind: Ingress - name: dashboard - patch: |- - 
apiVersion: networking.k8s.io/v1 - kind: Ingress - metadata: - name: dashboard - labels: - app: dashboard - annotations: - alb.ingress.kubernetes.io/group.name: review-app-dashboard - spec: - rules: - - host: {{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: dashboard - port: - number: 3001 + # template: + # spec: + # containers: + # - name: postgres + # volumeMounts: + # - name: {{ENVIRONMENT}}-idp-data + # mountPath: /var/lib/postgresql/data + # subPath: postgres + # # Patch for PIVCAC StatefulSet + # - target: + # kind: StatefulSet + # name: pivcac-pg + # patch: |- + # spec: + # volumeClaimTemplates: + # - metadata: + # name: {{ENVIRONMENT}}-pivcac-data + # template: + # spec: + # containers: + # - name: postgres + # volumeMounts: + # - name: {{ENVIRONMENT}}-pivcac-data + # mountPath: /var/lib/postgresql/data + # subPath: postgres + # # Patch for Dashboard StatefulSet + # - target: + # kind: StatefulSet + # name: dashboard-pg + # patch: |- + # spec: + # volumeClaimTemplates: + # - metadata: + # name: {{ENVIRONMENT}}-dashboard-data + # template: + # spec: + # containers: + # - name: postgres + # volumeMounts: + # - name: {{ENVIRONMENT}}-dashboard-data + # mountPath: /var/lib/postgresql/data + # subPath: postgres + # # Patch application environments for IDP + # - target: + # kind: Rollout + # name: idp-rollout + # patch: |- + # spec: + # template: + # spec: + # containers: + # - name: idp + # image: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-idp/review:{{IDP_CONTAINER_TAG}} + # env: + # - name: KUBERNETES_REVIEW_APP + # value: "true" + # - name: POSTGRES_SSLMODE + # value: "prefer" + # - name: POSTGRES_NAME + # value: "idp" + # - name: POSTGRES_HOST + # value: "{{ENVIRONMENT}}-idp-pg.review-apps" + # - name: POSTGRES_WORKER_NAME + # value: "idp-worker-jobs" + # - name: POSTGRES_WORKER_HOST + # value: "{{ENVIRONMENT}}-idp-pg.review-apps" + # - name: ASSET_HOST + # value: 
"https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + # - name: DASHBOARD_URL + # value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + # - name: DOMAIN_NAME + # value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + # - name: LOGIN_ENV + # value: "{{ENVIRONMENT}}" + # - name: LOGIN_HOST_ROLE + # value: "idp" + # - name: LOGIN_SKIP_REMOTE_CONFIG + # value: "true" + # - name: PIV_CAC_SERVICE_URL + # value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + # - name: PIV_CAC_VERIFY_TOKEN_URL + # value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + # volumeMounts: [] # Using environment + # volumes: [] + # # Patch application environments for Worker + # - target: + # kind: Deployment + # name: worker + # patch: |- + # spec: + # template: + # spec: + # containers: + # - name: worker + # image: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-idp/review:{{IDP_CONTAINER_TAG}} + # env: + # - name: KUBERNETES_REVIEW_APP + # value: "true" + # - name: POSTGRES_SSLMODE + # value: "prefer" + # - name: POSTGRES_NAME + # value: "idp" + # - name: POSTGRES_HOST + # value: "{{ENVIRONMENT}}-idp-pg.review-apps" + # - name: POSTGRES_WORKER_NAME + # value: "idp-worker-jobs" + # - name: POSTGRES_WORKER_HOST + # value: "{{ENVIRONMENT}}-idp-pg.review-apps" + # - name: LOGIN_ENV + # value: "{{ENVIRONMENT}}" + # - name: LOGIN_HOST_ROLE + # value: "worker" + # - name: LOGIN_SKIP_REMOTE_CONFIG + # value: "true" + # - name: PIV_CAC_SERVICE_URL + # value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + # - name: PIV_CAC_VERIFY_TOKEN_URL + # value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + # - name: DOMAIN_NAME + # value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + # volumeMounts: [] # Using environment + # volumes: [] + # # Patch application environments for PIVCAC + # - target: + # kind: Deployment + # name: pivcac + # patch: |- + # spec: + # template: + # spec: + # 
containers: + # - name: pivcac + # image: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-pki/review:{{PIVCAC_CONTAINER_TAG}} + # env: + # - name: KUBERNETES_REVIEW_APP + # value: "true" + # - name: CLIENT_CERT_S3_BUCKET + # value: "login-gov-pivcac-public-cert-reviewapps.894947205914-us-west-2" + # - name: POSTGRES_NAME + # value: "identity_pki_production" + # - name: POSTGRES_HOST + # value: "{{ENVIRONMENT}}-pivcac-pg.review-apps" + # - name: IDP_HOST + # value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + # - name: DOMAIN_NAME + # value: "{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov" + # volumeMounts: [] # Using environment + # volumes: [] + # # Patch application environments for Dashboard + # - target: + # kind: Deployment + # name: dashboard + # patch: |- + # spec: + # template: + # spec: + # containers: + # - name: dashboard + # image: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}} + # env: + # - name: KUBERNETES_REVIEW_APP + # value: "true" + # - name: POSTGRES_NAME + # value: "dashboard" + # - name: POSTGRES_HOST + # value: "{{ENVIRONMENT}}-dashboard-pg.review-apps" + # - name: POSTGRES_SSLMODE + # value: "prefer" + # - name: NEW_RELIC_ENABLED + # value: "false" + # - name: SAML_SP_ISSUER + # value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + # - name: IDP_URL + # value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + # - name: IDP_SP_URL + # value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + # - name: POST_LOGOUT_URL + # value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + # - name: DOMAIN_NAME + # value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + # volumeMounts: [] # Using environment + # volumes: [] + # # Patch rollout canary metrics + # - target: + # kind: Rollout + # name: idp-rollout + # patch: |- + # - op: replace + # path: /spec/strategy/canary/analysis/args/0/value + # value: 
{{ENVIRONMENT}}-idp_reviewapps_svc_3000 + # - op: replace + # path: /spec/strategy/canary/steps/2/analysis/args/0/value + # value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 + # # Patch ingress names + # - target: + # kind: Ingress + # name: idp + # patch: |- + # apiVersion: networking.k8s.io/v1 + # kind: Ingress + # metadata: + # name: idp + # labels: + # app: idp + # annotations: + # alb.ingress.kubernetes.io/group.name: review-app + # spec: + # rules: + # - host: {{ENVIRONMENT}}.reviewapps.identitysandbox.gov + # http: + # paths: + # - path: / + # pathType: Prefix + # backend: + # service: + # name: idp + # port: + # name: use-annotation + # - target: + # kind: Ingress + # name: dashboard + # patch: |- + # apiVersion: networking.k8s.io/v1 + # kind: Ingress + # metadata: + # name: dashboard + # labels: + # app: dashboard + # annotations: + # alb.ingress.kubernetes.io/group.name: review-app-dashboard + # spec: + # rules: + # - host: {{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov + # http: + # paths: + # - path: / + # pathType: Prefix + # backend: + # service: + # name: dashboard + # port: + # number: 3001 destination: server: 'https://kubernetes.default.svc' namespace: review-apps From 8d65c49fc4092ad1be221e9f9d54f1c6a03904a2 Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Thu, 22 Aug 2024 10:16:12 -0400 Subject: [PATCH 16/46] Updating to not use patchesStrategicMerge --- .gitlab-ci.yml | 1 + dockerfiles/application.yaml | 490 +++++++++++++++++------------------ 2 files changed, 245 insertions(+), 246 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index b3843d818f3..ec03d1fcefc 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml 
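Review bot: The only patch left active for `idp-pg` renames the volumeClaimTemplate to `{{ENVIRONMENT}}-idp-data`, but the container `volumeMounts` rename that referenced the same name is now inside the commented block, so unless the base StatefulSet's mount already uses that claim name the pod template will point at a claim that no longer exists; the pivcac and dashboard StatefulSet patches are commented out entirely and keep their original names. The roughly 240 commented-out lines now carried in `application.yaml` are dead configuration that every reader has to scroll past; git history preserves them, so deleting the block (or keeping the experiment in a separate overlay) is cleaner than shipping it in the live manifest. If keeping it is deliberate while debugging, a single line at the top such as `# TEMP: remaining patches disabled while isolating the StatefulSet claim-name issue` says so.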
@@ -441,6 +441,7 @@ trigger_devops: - sed -i "s|{{IDP_CONTAINER_TAG}}|${CI_COMMIT_SHA}|g" ${APPLICATION_MANIFEST} - sed -i "s|{{DASHBOARD_CONTAINER_TAG}}|${DASHBOARD_IMAGE_TAG}|g" ${APPLICATION_MANIFEST} - sed -i "s|{{PIVCAC_CONTAINER_TAG}}|${PKI_IMAGE_TAG}|g" ${APPLICATION_MANIFEST} + - sed -i "s|{{ECR_REGISTRY}}|${ECR_REGISTRY}|g" ${APPLICATION_MANIFEST} - cat ${APPLICATION_MANIFEST} # Apply our ArgoCD Application - kubectl apply -f ${APPLICATION_MANIFEST} -n argocd diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml index b15598bf16c..5de4d530bc4 100644 --- a/dockerfiles/application.yaml +++ b/dockerfiles/application.yaml 
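Review bot: The new `sed -i "s|{{ECR_REGISTRY}}|${ECR_REGISTRY}|g"` line, like the substitutions above it, expands an unset or empty variable to an empty string and the job carries on, producing an image reference such as `/identity-idp/review:<tag>` that only fails later inside ArgoCD where the cause is harder to see. A guard before the substitutions, e.g. `- : "${ECR_REGISTRY:?ECR_REGISTRY is not set}"` (and the same for `CI_COMMIT_SHA`), fails the job in the CI log where it is actionable. Worth a comment as well: `|` is the sed delimiter and `&` is special in the replacement, so the substituted values must contain neither — true of an ECR hostname, but not guaranteed for an arbitrary tag.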
@@ -15,258 +15,256 @@ spec: commonLabels: env: {{ENVIRONMENT}} branch: {{SANITIZED_BRANCH_NAME}} + # ArgoCD does not support patchesStrategicMerge patches: # Patch for IDP StatefulSet - target: kind: StatefulSet name: idp-pg patch: |- - spec: - volumeClaimTemplates: - - metadata: - name: {{ENVIRONMENT}}-idp-data - # template: - # spec: - # containers: - # - name: postgres - # volumeMounts: - # - name: {{ENVIRONMENT}}-idp-data - # mountPath: /var/lib/postgresql/data - # subPath: postgres - # # Patch for PIVCAC StatefulSet - # - target: - # kind: StatefulSet - # name: pivcac-pg - # patch: |- - # spec: - # volumeClaimTemplates: - # - metadata: - # name: {{ENVIRONMENT}}-pivcac-data - # template: - # spec: - # containers: - # - name: postgres - # volumeMounts: - # - name: {{ENVIRONMENT}}-pivcac-data - # mountPath: /var/lib/postgresql/data - # subPath: postgres - # # Patch for Dashboard StatefulSet - # - target: - # kind: StatefulSet - # name: dashboard-pg - # patch: |- - # spec: - # volumeClaimTemplates: - # - metadata: - # name: {{ENVIRONMENT}}-dashboard-data - # template: - # spec: - # containers: - # - name: postgres - # volumeMounts: - # - name: {{ENVIRONMENT}}-dashboard-data - # mountPath: /var/lib/postgresql/data - # subPath: postgres - # # Patch application environments for IDP - # - target: - # kind: Rollout - # name: idp-rollout - # patch: |- - # spec: - # template: - # spec: - # containers: - # - name: idp - # image: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-idp/review:{{IDP_CONTAINER_TAG}} - # env: - # - name: KUBERNETES_REVIEW_APP - # value: "true" - # - name: POSTGRES_SSLMODE - # value: "prefer" - # - name: POSTGRES_NAME - # value: "idp" - # - name: POSTGRES_HOST - # value: "{{ENVIRONMENT}}-idp-pg.review-apps" - # - name: POSTGRES_WORKER_NAME - # value: "idp-worker-jobs" - # - name: POSTGRES_WORKER_HOST - # value: "{{ENVIRONMENT}}-idp-pg.review-apps" - # - name: ASSET_HOST - # value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - # - 
name: DASHBOARD_URL - # value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" - # - name: DOMAIN_NAME - # value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - # - name: LOGIN_ENV - # value: "{{ENVIRONMENT}}" - # - name: LOGIN_HOST_ROLE - # value: "idp" - # - name: LOGIN_SKIP_REMOTE_CONFIG - # value: "true" - # - name: PIV_CAC_SERVICE_URL - # value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" - # - name: PIV_CAC_VERIFY_TOKEN_URL - # value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" - # volumeMounts: [] # Using environment - # volumes: [] - # # Patch application environments for Worker - # - target: - # kind: Deployment - # name: worker - # patch: |- - # spec: - # template: - # spec: - # containers: - # - name: worker - # image: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-idp/review:{{IDP_CONTAINER_TAG}} - # env: - # - name: KUBERNETES_REVIEW_APP - # value: "true" - # - name: POSTGRES_SSLMODE - # value: "prefer" - # - name: POSTGRES_NAME - # value: "idp" - # - name: POSTGRES_HOST - # value: "{{ENVIRONMENT}}-idp-pg.review-apps" - # - name: POSTGRES_WORKER_NAME - # value: "idp-worker-jobs" - # - name: POSTGRES_WORKER_HOST - # value: "{{ENVIRONMENT}}-idp-pg.review-apps" - # - name: LOGIN_ENV - # value: "{{ENVIRONMENT}}" - # - name: LOGIN_HOST_ROLE - # value: "worker" - # - name: LOGIN_SKIP_REMOTE_CONFIG - # value: "true" - # - name: PIV_CAC_SERVICE_URL - # value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" - # - name: PIV_CAC_VERIFY_TOKEN_URL - # value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" - # - name: DOMAIN_NAME - # value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - # volumeMounts: [] # Using environment - # volumes: [] - # # Patch application environments for PIVCAC - # - target: - # kind: Deployment - # name: pivcac - # patch: |- - # spec: - # template: - # spec: - # containers: - # - name: pivcac - # image: 
217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-pki/review:{{PIVCAC_CONTAINER_TAG}} - # env: - # - name: KUBERNETES_REVIEW_APP - # value: "true" - # - name: CLIENT_CERT_S3_BUCKET - # value: "login-gov-pivcac-public-cert-reviewapps.894947205914-us-west-2" - # - name: POSTGRES_NAME - # value: "identity_pki_production" - # - name: POSTGRES_HOST - # value: "{{ENVIRONMENT}}-pivcac-pg.review-apps" - # - name: IDP_HOST - # value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - # - name: DOMAIN_NAME - # value: "{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov" - # volumeMounts: [] # Using environment - # volumes: [] - # # Patch application environments for Dashboard - # - target: - # kind: Deployment - # name: dashboard - # patch: |- - # spec: - # template: - # spec: - # containers: - # - name: dashboard - # image: 217680906704.dkr.ecr.us-west-2.amazonaws.com/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}} - # env: - # - name: KUBERNETES_REVIEW_APP - # value: "true" - # - name: POSTGRES_NAME - # value: "dashboard" - # - name: POSTGRES_HOST - # value: "{{ENVIRONMENT}}-dashboard-pg.review-apps" - # - name: POSTGRES_SSLMODE - # value: "prefer" - # - name: NEW_RELIC_ENABLED - # value: "false" - # - name: SAML_SP_ISSUER - # value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" - # - name: IDP_URL - # value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - # - name: IDP_SP_URL - # value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" - # - name: POST_LOGOUT_URL - # value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" - # - name: DOMAIN_NAME - # value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" - # volumeMounts: [] # Using environment - # volumes: [] - # # Patch rollout canary metrics - # - target: - # kind: Rollout - # name: idp-rollout - # patch: |- - # - op: replace - # path: /spec/strategy/canary/analysis/args/0/value - # value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 - # 
- op: replace - # path: /spec/strategy/canary/steps/2/analysis/args/0/value - # value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 - # # Patch ingress names - # - target: - # kind: Ingress - # name: idp - # patch: |- - # apiVersion: networking.k8s.io/v1 - # kind: Ingress - # metadata: - # name: idp - # labels: - # app: idp - # annotations: - # alb.ingress.kubernetes.io/group.name: review-app - # spec: - # rules: - # - host: {{ENVIRONMENT}}.reviewapps.identitysandbox.gov - # http: - # paths: - # - path: / - # pathType: Prefix - # backend: - # service: - # name: idp - # port: - # name: use-annotation - # - target: - # kind: Ingress - # name: dashboard - # patch: |- - # apiVersion: networking.k8s.io/v1 - # kind: Ingress - # metadata: - # name: dashboard - # labels: - # app: dashboard - # annotations: - # alb.ingress.kubernetes.io/group.name: review-app-dashboard - # spec: - # rules: - # - host: {{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov - # http: - # paths: - # - path: / - # pathType: Prefix - # backend: - # service: - # name: dashboard - # port: - # number: 3001 + - op: replace + path: /spec/volumeClaimTemplates/0/metadata/name + value: {{ENVIRONMENT}}-idp-data + - op: replace + path: /spec/template/spec/containers/0/volumeMounts/0/name + value: {{ENVIRONMENT}}-idp-data + - op: replace + path: /spec/template/spec/containers/0/volumeMounts/0/mountPath + value: /var/lib/postgresql/data + - op: replace + path: /spec/template/spec/containers/0/volumeMounts/0/subPath + value: postgres + # Patch for PIVCAC StatefulSet + - target: + kind: StatefulSet + name: pivcac-pg + patch: |- + - op: replace + path: /spec/volumeClaimTemplates/0/metadata/name + value: {{ENVIRONMENT}}-pivcac-data + - op: replace + path: /spec/template/spec/containers/0/volumeMounts/0/name + value: {{ENVIRONMENT}}-pivcac-data + - op: replace + path: /spec/template/spec/containers/0/volumeMounts/0/mountPath + value: /var/lib/postgresql/data + - op: replace + path: 
/spec/template/spec/containers/0/volumeMounts/0/subPath + value: postgres + # Patch for Dashboard StatefulSet + - target: + kind: StatefulSet + name: dashboard-pg + patch: |- + - op: replace + path: /spec/volumeClaimTemplates/0/metadata/name + value: {{ENVIRONMENT}}-dashboard-data + - op: replace + path: /spec/template/spec/containers/0/volumeMounts/0/name + value: {{ENVIRONMENT}}-dashboard-data + - op: replace + path: /spec/template/spec/containers/0/volumeMounts/0/mountPath + value: /var/lib/postgresql/data + - op: replace + path: /spec/template/spec/containers/0/volumeMounts/0/subPath + value: postgres + # Patch application environments for IDP + - target: + kind: Rollout + name: idp-rollout + patch: |- + - op: replace + path: /spec/template/spec/containers/0/image + value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}} + - op: add + path: /spec/template/spec/containers/0/env/0 + value: {name: "KUBERNETES_REVIEW_APP", value: "true"} + - op: add + path: /spec/template/spec/containers/0/env/1 + value: {name: "POSTGRES_SSLMODE", value: "prefer"} + - op: add + path: /spec/template/spec/containers/0/env/2 + value: {name: "POSTGRES_NAME", value: "idp"} + - op: add + path: /spec/template/spec/containers/0/env/3 + value: {name: "POSTGRES_HOST", value: "{{ENVIRONMENT}}-idp-pg.review-apps"} + - op: add + path: /spec/template/spec/containers/0/env/4 + value: {name: "POSTGRES_WORKER_NAME", value: "idp-worker-jobs"} + - op: add + path: /spec/template/spec/containers/0/env/5 + value: {name: "POSTGRES_WORKER_HOST", value: "{{ENVIRONMENT}}-idp-pg.review-apps"} + - op: add + path: /spec/template/spec/containers/0/env/6 + value: {name: "ASSET_HOST", value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov"} + - op: add + path: /spec/template/spec/containers/0/env/7 + value: {name: "DASHBOARD_URL", value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov"} + - op: add + path: /spec/template/spec/containers/0/env/8 + value: {name: "DOMAIN_NAME", 
value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov"} + - op: add + path: /spec/template/spec/containers/0/env/9 + value: {name: "LOGIN_ENV", value: "{{ENVIRONMENT}}"} + - op: add + path: /spec/template/spec/containers/0/env/10 + value: {name: "LOGIN_HOST_ROLE", value: "idp"} + - op: add + path: /spec/template/spec/containers/0/env/11 + value: {name: "LOGIN_SKIP_REMOTE_CONFIG", value: "true"} + - op: add + path: /spec/template/spec/containers/0/env/12 + value: {name: "PIV_CAC_SERVICE_URL", value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/"} + - op: add + path: /spec/template/spec/containers/0/env/13 + value: {name: "PIV_CAC_VERIFY_TOKEN_URL", value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/"} + # Patch application environments for Worker + - target: + kind: Deployment + name: worker + patch: |- + - op: replace + path: /spec/template/spec/containers/0/image + value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}} + - op: add + path: /spec/template/spec/containers/0/env/0 + value: {name: "KUBERNETES_REVIEW_APP", value: "true"} + - op: add + path: /spec/template/spec/containers/0/env/1 + value: {name: "POSTGRES_SSLMODE", value: "prefer"} + - op: add + path: /spec/template/spec/containers/0/env/2 + value: {name: "POSTGRES_NAME", value: "idp"} + - op: add + path: /spec/template/spec/containers/0/env/3 + value: {name: "POSTGRES_HOST", value: "{{ENVIRONMENT}}-idp-pg.review-apps"} + - op: add + path: /spec/template/spec/containers/0/env/4 + value: {name: "POSTGRES_WORKER_NAME", value: "idp-worker-jobs"} + - op: add + path: /spec/template/spec/containers/0/env/5 + value: {name: "POSTGRES_WORKER_HOST", value: "{{ENVIRONMENT}}-idp-pg.review-apps"} + - op: add + path: /spec/template/spec/containers/0/env/6 + value: {name: "LOGIN_ENV", value: "{{ENVIRONMENT}}"} + - op: add + path: /spec/template/spec/containers/0/env/7 + value: {name: "LOGIN_HOST_ROLE", value: "worker"} + - op: add + path: 
/spec/template/spec/containers/0/env/8 + value: {name: "LOGIN_SKIP_REMOTE_CONFIG", value: "true"} + - op: add + path: /spec/template/spec/containers/0/env/9 + value: {name: "PIV_CAC_SERVICE_URL", value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/"} + - op: add + path: /spec/template/spec/containers/0/env/10 + value: {name: "PIV_CAC_VERIFY_TOKEN_URL", value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/"} + - op: add + path: /spec/template/spec/containers/0/env/11 + value: {name: "DOMAIN_NAME", value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov"} + # Patch application environments for PIVCAC + - target: + kind: Deployment + name: pivcac + patch: |- + - op: replace + path: /spec/template/spec/containers/0/image + value: {{ECR_REGISTRY}}/identity-pki/review:{{PIVCAC_CONTAINER_TAG}} + - op: add + path: /spec/template/spec/containers/0/env/0 + value: {name: "KUBERNETES_REVIEW_APP", value: "true"} + - op: add + path: /spec/template/spec/containers/0/env/1 + value: {name: "CLIENT_CERT_S3_BUCKET", value: "login-gov-pivcac-public-cert-reviewapps.894947205914-us-west-2"} + - op: add + path: /spec/template/spec/containers/0/env/2 + value: {name: "POSTGRES_NAME", value: "identity_pki_production"} + - op: add + path: /spec/template/spec/containers/0/env/3 + value: {name: "POSTGRES_HOST", value: "{{ENVIRONMENT}}-pivcac-pg.review-apps"} + - op: add + path: /spec/template/spec/containers/0/env/4 + value: {name: "IDP_HOST", value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov"} + - op: add + path: /spec/template/spec/containers/0/env/5 + value: {name: "DOMAIN_NAME", value: "{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov"} + # Patch application environments for Dashboard + - target: + kind: Deployment + name: dashboard + patch: |- + - op: replace + path: /spec/template/spec/containers/0/image + value: {{ECR_REGISTRY}}/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}} + - op: add + path: /spec/template/spec/containers/0/env/0 + 
value: {name: "KUBERNETES_REVIEW_APP", value: "true"} + - op: add + path: /spec/template/spec/containers/0/env/1 + value: {name: "POSTGRES_NAME", value: "dashboard"} + - op: add + path: /spec/template/spec/containers/0/env/2 + value: {name: "POSTGRES_HOST", value: "{{ENVIRONMENT}}-dashboard-pg.review-apps"} + - op: add + path: /spec/template/spec/containers/0/env/3 + value: {name: "POSTGRES_SSLMODE", value: "prefer"} + - op: add + path: /spec/template/spec/containers/0/env/4 + value: {name: "NEW_RELIC_ENABLED", value: "false"} + - op: add + path: /spec/template/spec/containers/0/env/5 + value: {name: "SAML_SP_ISSUER", value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov"} + - op: add + path: /spec/template/spec/containers/0/env/6 + value: {name: "IDP_URL", value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov"} + - op: add + path: /spec/template/spec/containers/0/env/7 + value: {name: "IDP_SP_URL", value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov"} + - op: add + path: /spec/template/spec/containers/0/env/8 + value: {name: "POST_LOGOUT_URL", value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov"} + - op: add + path: /spec/template/spec/containers/0/env/9 + value: {name: "DOMAIN_NAME", value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov"} + # Patch rollout canary metrics + - target: + kind: Rollout + name: idp-rollout + patch: |- + - op: replace + path: /spec/strategy/canary/analysis/args/0/value + value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 + - op: replace + path: /spec/strategy/canary/steps/2/analysis/args/0/value + value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 + # Patch ingress names + - target: + kind: Ingress + name: idp + patch: |- + - op: replace + path: /metadata/annotations/alb.ingress.kubernetes.io~1group.name + value: review-app + - op: replace + path: /spec/rules/0/host + value: {{ENVIRONMENT}}.reviewapps.identitysandbox.gov + - op: replace + path: 
/spec/rules/0/http/paths/0/backend/service/name + value: {{ENVIRONMENT}}-idp + - target: + kind: Ingress + name: dashboard + patch: |- + - op: replace + path: /metadata/annotations/alb.ingress.kubernetes.io~1group.name + value: review-app-dashboard + - op: replace + path: /spec/rules/0/host + value: {{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov + - op: replace + path: /spec/rules/0/http/paths/0/backend/service/name + value: {{ENVIRONMENT}}-dashboard + destination: server: 'https://kubernetes.default.svc' namespace: review-apps From 4c247029112a087808bee39f160a8d4686921d1a Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Thu, 22 Aug 2024 11:10:46 -0400 Subject: [PATCH 17/46] Swapping to use configmaps and pull environment from them instead --- dockerfiles/application.yaml | 392 +++++++++++++++++++++++------------ 1 file changed, 262 insertions(+), 130 deletions(-) diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml index 5de4d530bc4..ab4aac82131 100644 --- a/dockerfiles/application.yaml +++ b/dockerfiles/application.yaml 
@@ -17,6 +17,140 @@ spec: branch: {{SANITIZED_BRANCH_NAME}} # ArgoCD does not support patchesStrategicMerge patches: + # Patch ConfigMap for IDP + - target: + kind: ConfigMap + name: idp-config + patch: |- + - op: add + path: /data/ASSET_HOST + value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - op: add + path: /data/DASHBOARD_URL + value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + - op: add + path: /data/DOMAIN_NAME + value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - op: add + path: /data/KUBERNETES_REVIEW_APP + value: "true" + - op: add + path: /data/POSTGRES_HOST + value: "{{ENVIRONMENT}}-idp-pg.review-apps" + - op: add + path: /data/POSTGRES_NAME + value: "idp" + - op: add + path: /data/POSTGRES_SSLMODE + value: "prefer" + - op: add + path: /data/LOGIN_ENV + value: "{{ENVIRONMENT}}" + - op: add + path: /data/LOGIN_HOST_ROLE + value: "idp" + - op: add + path: /data/LOGIN_SKIP_REMOTE_CONFIG + value: "true" + - op: add + path: /data/PIV_CAC_SERVICE_URL + value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + - op: add + path: /data/PIV_CAC_VERIFY_TOKEN_URL + value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + # Patch ConfigMap for Worker + - target: + kind: ConfigMap + name: worker-config + patch: |- + - op: add + path: /data/KUBERNETES_REVIEW_APP + value: "true" + - op: add + path: /data/POSTGRES_SSLMODE + value: "prefer" + - op: add + path: /data/POSTGRES_NAME + value: "idp" + - op: add + path: /data/POSTGRES_HOST + value: "{{ENVIRONMENT}}-idp-pg.review-apps" + - op: add + path: /data/LOGIN_ENV + value: "{{ENVIRONMENT}}" + - op: add + path: /data/LOGIN_HOST_ROLE + value: "worker" + - op: add + path: /data/LOGIN_SKIP_REMOTE_CONFIG + value: "true" + - op: add + path: /data/PIV_CAC_SERVICE_URL + value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + - op: add + path: /data/PIV_CAC_VERIFY_TOKEN_URL + value: 
"https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + - op: add + path: /data/DOMAIN_NAME + value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + # Patch ConfigMap for PIVCAC + - target: + kind: ConfigMap + name: pivcac-config + patch: |- + - op: add + path: /data/KUBERNETES_REVIEW_APP + value: "true" + - op: add + path: /data/CLIENT_CERT_S3_BUCKET + value: "login-gov-pivcac-public-cert-reviewapps.894947205914-us-west-2" + - op: add + path: /data/POSTGRES_NAME + value: "identity_pki_production" + - op: add + path: /data/POSTGRES_HOST + value: "{{ENVIRONMENT}}-pivcac-pg.review-apps" + - op: add + path: /data/IDP_HOST + value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - op: add + path: /data/DOMAIN_NAME + value: "{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov" + # Patch ConfigMap for Dashboard + - target: + kind: ConfigMap + name: dashboard-config + patch: |- + - op: add + path: /data/KUBERNETES_REVIEW_APP + value: "true" + - op: add + path: /data/POSTGRES_NAME + value: "dashboard" + - op: add + path: /data/POSTGRES_HOST + value: "{{ENVIRONMENT}}-dashboard-pg.review-apps" + - op: add + path: /data/POSTGRES_SSLMODE + value: "prefer" + - op: add + path: /data/NEW_RELIC_ENABLED + value: "false" + - op: add + path: /data/SAML_SP_ISSUER + value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + - op: add + path: /data/IDP_URL + value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - op: add + path: /data/IDP_SP_URL + value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - op: add + path: /data/POST_LOGOUT_URL + value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + - op: add + path: /data/DOMAIN_NAME + value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" # Patch for IDP StatefulSet - target: kind: StatefulSet 
@@ -68,7 +202,118 @@ spec: - op: replace path: /spec/template/spec/containers/0/volumeMounts/0/subPath value: postgres - # Patch application environments for IDP + # Patch idp database setup jobs + - target: + kind: Job + name: create-database + patch: |- + - op: replace + path: /spec/template/spec/volumes/0/configMap/name + value: {{ENVIRONMENT}}-idp-application-yml + - op: remove + path: /spec/template/spec/containers/0/env + - op: replace + path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name + value: {{ENVIRONMENT}}-idp-config + - target: + kind: Job + name: migrate-database + patch: |- + - op: replace + path: /spec/template/spec/volumes/0/configMap/name + value: {{ENVIRONMENT}}-idp-application-yml + - op: remove + path: /spec/template/spec/containers/0/env + - op: replace + path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name + value: {{ENVIRONMENT}}-idp-config + - target: + kind: Job + name: seed-database + patch: |- + - op: replace + path: /spec/template/spec/volumes/0/configMap/name + value: {{ENVIRONMENT}}-idp-application-yml + - op: remove + path: /spec/template/spec/containers/0/env + - op: replace + path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name + value: {{ENVIRONMENT}}-idp-config + # Patch idp database setup jobs + - target: + kind: Job + name: create-database + patch: |- + - op: replace + path: /spec/template/spec/volumes/0/configMap/name + value: {{ENVIRONMENT}}-idp-application-yml + - op: remove + path: /spec/template/spec/containers/0/env + - op: replace + path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name + value: {{ENVIRONMENT}}-idp-config + - target: + kind: Job + name: migrate-database + patch: |- + - op: replace + path: /spec/template/spec/volumes/0/configMap/name + value: {{ENVIRONMENT}}-idp-application-yml + - op: remove + path: /spec/template/spec/containers/0/env + - op: replace + path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name + value: 
{{ENVIRONMENT}}-idp-config + - target: + kind: Job + name: seed-database + patch: |- + - op: replace + path: /spec/template/spec/volumes/0/configMap/name + value: {{ENVIRONMENT}}-idp-application-yml + - op: remove + path: /spec/template/spec/containers/0/env + - op: replace + path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name + value: {{ENVIRONMENT}}-idp-config + # Patch dashboard database setup jobs + - target: + kind: Job + name: create-dashboard-database + patch: |- + - op: replace + path: /spec/template/spec/volumes/0/configMap/name + value: {{ENVIRONMENT}}-dashboard-application-yml + - op: remove + path: /spec/template/spec/containers/0/env + - op: replace + path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name + value: {{ENVIRONMENT}}-dashboard-config + - target: + kind: Job + name: migrate-dashboard-database + patch: |- + - op: replace + path: /spec/template/spec/volumes/0/configMap/name + value: {{ENVIRONMENT}}-dashboard-application-yml + - op: remove + path: /spec/template/spec/containers/0/env + - op: replace + path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name + value: {{ENVIRONMENT}}-dashboard-config + - target: + kind: Job + name: seed-dashboard-database + patch: |- + - op: replace + path: /spec/template/spec/volumes/0/configMap/name + value: {{ENVIRONMENT}}-dashboard-application-yml + - op: remove + path: /spec/template/spec/containers/0/env + - op: replace + path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name + value: {{ENVIRONMENT}}-dashboard-config + # Patch IDP image and configmaps - target: kind: Rollout name: idp-rollout 
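Review bot: The three idp Job patches (create-database, migrate-database, seed-database) appear twice in this hunk under two identical `# Patch idp database setup jobs` headings, so kustomize applies each patch set a second time; the second `op: remove` of `/spec/template/spec/containers/0/env` then targets a path the first pass already deleted, which JSON Patch treats as an error rather than a no-op. Drop the duplicated block so each Job is patched once. The `op: replace` on `.../envFrom/0/configMapRef/name` likewise assumes the base Jobs already declare an envFrom entry at index 0; if they do not, the patch fails instead of adding one, and `op: add` would be the safer choice.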
@@ -76,49 +321,10 @@ spec: - op: replace path: /spec/template/spec/containers/0/image value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}} - - op: add - path: /spec/template/spec/containers/0/env/0 - value: {name: "KUBERNETES_REVIEW_APP", value: "true"} - - op: add - path: /spec/template/spec/containers/0/env/1 - value: {name: "POSTGRES_SSLMODE", value: "prefer"} - - op: add - path: /spec/template/spec/containers/0/env/2 - value: {name: "POSTGRES_NAME", value: "idp"} - - op: add - path: /spec/template/spec/containers/0/env/3 - value: {name: "POSTGRES_HOST", value: "{{ENVIRONMENT}}-idp-pg.review-apps"} - - op: add - path: /spec/template/spec/containers/0/env/4 - value: {name: "POSTGRES_WORKER_NAME", value: "idp-worker-jobs"} - - op: add - path: /spec/template/spec/containers/0/env/5 - value: {name: "POSTGRES_WORKER_HOST", value: "{{ENVIRONMENT}}-idp-pg.review-apps"} - - op: add - path: /spec/template/spec/containers/0/env/6 - value: {name: "ASSET_HOST", value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov"} - - op: add - path: /spec/template/spec/containers/0/env/7 - value: {name: "DASHBOARD_URL", value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov"} - - op: add - path: /spec/template/spec/containers/0/env/8 - value: {name: "DOMAIN_NAME", value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov"} - - op: add - path: /spec/template/spec/containers/0/env/9 - value: {name: "LOGIN_ENV", value: "{{ENVIRONMENT}}"} - - op: add - path: /spec/template/spec/containers/0/env/10 - value: {name: "LOGIN_HOST_ROLE", value: "idp"} - - op: add - path: /spec/template/spec/containers/0/env/11 - value: {name: "LOGIN_SKIP_REMOTE_CONFIG", value: "true"} - - op: add - path: /spec/template/spec/containers/0/env/12 - value: {name: "PIV_CAC_SERVICE_URL", value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/"} - - op: add - path: /spec/template/spec/containers/0/env/13 - value: {name: "PIV_CAC_VERIFY_TOKEN_URL", value: 
"https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/"} - # Patch application environments for Worker + - op: replace + path: /spec/template/spec/volumes/0/configMap/name + value: {{ENVIRONMENT}}-idp-application-yml + # Patch Worker Image and configmaps - target: kind: Deployment name: worker 
@@ -126,43 +332,10 @@ spec: - op: replace path: /spec/template/spec/containers/0/image value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}} - - op: add - path: /spec/template/spec/containers/0/env/0 - value: {name: "KUBERNETES_REVIEW_APP", value: "true"} - - op: add - path: /spec/template/spec/containers/0/env/1 - value: {name: "POSTGRES_SSLMODE", value: "prefer"} - - op: add - path: /spec/template/spec/containers/0/env/2 - value: {name: "POSTGRES_NAME", value: "idp"} - - op: add - path: /spec/template/spec/containers/0/env/3 - value: {name: "POSTGRES_HOST", value: "{{ENVIRONMENT}}-idp-pg.review-apps"} - - op: add - path: /spec/template/spec/containers/0/env/4 - value: {name: "POSTGRES_WORKER_NAME", value: "idp-worker-jobs"} - - op: add - path: /spec/template/spec/containers/0/env/5 - value: {name: "POSTGRES_WORKER_HOST", value: "{{ENVIRONMENT}}-idp-pg.review-apps"} - - op: add - path: /spec/template/spec/containers/0/env/6 - value: {name: "LOGIN_ENV", value: "{{ENVIRONMENT}}"} - - op: add - path: /spec/template/spec/containers/0/env/7 - value: {name: "LOGIN_HOST_ROLE", value: "worker"} - - op: add - path: /spec/template/spec/containers/0/env/8 - value: {name: "LOGIN_SKIP_REMOTE_CONFIG", value: "true"} - - op: add - path: /spec/template/spec/containers/0/env/9 - value: {name: "PIV_CAC_SERVICE_URL", value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/"} - - op: add - path: /spec/template/spec/containers/0/env/10 - value: {name: "PIV_CAC_VERIFY_TOKEN_URL", value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/"} - - op: add - path: /spec/template/spec/containers/0/env/11 - value: {name: "DOMAIN_NAME", value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov"} - # Patch application environments for PIVCAC + - op: replace + path: /spec/template/spec/volumes/0/configMap/name + value: {{ENVIRONMENT}}-worker-application-yml + # Patch PIVCAC Image and configmaps - target: kind: Deployment name: pivcac 
@@ -170,25 +343,10 @@ spec: - op: replace path: /spec/template/spec/containers/0/image value: {{ECR_REGISTRY}}/identity-pki/review:{{PIVCAC_CONTAINER_TAG}} - - op: add - path: /spec/template/spec/containers/0/env/0 - value: {name: "KUBERNETES_REVIEW_APP", value: "true"} - - op: add - path: /spec/template/spec/containers/0/env/1 - value: {name: "CLIENT_CERT_S3_BUCKET", value: "login-gov-pivcac-public-cert-reviewapps.894947205914-us-west-2"} - - op: add - path: /spec/template/spec/containers/0/env/2 - value: {name: "POSTGRES_NAME", value: "identity_pki_production"} - - op: add - path: /spec/template/spec/containers/0/env/3 - value: {name: "POSTGRES_HOST", value: "{{ENVIRONMENT}}-pivcac-pg.review-apps"} - - op: add - path: /spec/template/spec/containers/0/env/4 - value: {name: "IDP_HOST", value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov"} - - op: add - path: /spec/template/spec/containers/0/env/5 - value: {name: "DOMAIN_NAME", value: "{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov"} - # Patch application environments for Dashboard + - op: replace + path: /spec/template/spec/volumes/0/configMap/name + value: {{ENVIRONMENT}}-pivcac-application-yml + # Patch Dashboard Image configmaps - target: kind: Deployment name: dashboard 
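Review bot: The pivcac patch pins `{{ECR_REGISTRY}}/identity-pki/review:{{PIVCAC_CONTAINER_TAG}}` but sets no imagePullPolicy; if PIVCAC_CONTAINER_TAG resolves to a moving tag such as a branch name rather than a commit SHA, a node that already holds that tag cached keeps running the stale image after a rebuild. The same applies to the dashboard hunk that follows with DASHBOARD_CONTAINER_TAG. Either substitute an immutable SHA or digest for these tags, or add `- op: add` / `path: /spec/template/spec/containers/0/imagePullPolicy` / `value: Always` next to the image replace (use `replace` if the base Deployment already sets the field).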
@@ -196,36 +354,10 @@ spec: - op: replace path: /spec/template/spec/containers/0/image value: {{ECR_REGISTRY}}/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}} - - op: add - path: /spec/template/spec/containers/0/env/0 - value: {name: "KUBERNETES_REVIEW_APP", value: "true"} - - op: add - path: /spec/template/spec/containers/0/env/1 - value: {name: "POSTGRES_NAME", value: "dashboard"} - - op: add - path: /spec/template/spec/containers/0/env/2 - value: {name: "POSTGRES_HOST", value: "{{ENVIRONMENT}}-dashboard-pg.review-apps"} - - op: add - path: /spec/template/spec/containers/0/env/3 - value: {name: "POSTGRES_SSLMODE", value: "prefer"} - - op: add - path: /spec/template/spec/containers/0/env/4 - value: {name: "NEW_RELIC_ENABLED", value: "false"} - - op: add - path: /spec/template/spec/containers/0/env/5 - value: {name: "SAML_SP_ISSUER", value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov"} - - op: add - path: /spec/template/spec/containers/0/env/6 - value: {name: "IDP_URL", value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov"} - - op: add - path: /spec/template/spec/containers/0/env/7 - value: {name: "IDP_SP_URL", value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov"} - - op: add - path: /spec/template/spec/containers/0/env/8 - value: {name: "POST_LOGOUT_URL", value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov"} - - op: add - path: /spec/template/spec/containers/0/env/9 - value: {name: "DOMAIN_NAME", value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov"} + - op: replace + path: /spec/template/spec/volumes/0/configMap/name + value: {{ENVIRONMENT}}-dashboard-application-yml + # Patch rollout canary metrics - target: kind: Rollout From 10314eed56c146b6976597d5353d31f17fa36581 Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Thu, 22 Aug 2024 13:58:29 -0400 Subject: [PATCH 18/46] More testing --- dockerfiles/application.yaml | 18 ------------------ 1 file changed, 18 deletions(-) 
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml index ab4aac82131..93af36d511e 100644 --- a/dockerfiles/application.yaml +++ b/dockerfiles/application.yaml @@ -210,8 +210,6 @@ spec: - op: replace path: /spec/template/spec/volumes/0/configMap/name value: {{ENVIRONMENT}}-idp-application-yml - - op: remove - path: /spec/template/spec/containers/0/env - op: replace path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name value: {{ENVIRONMENT}}-idp-config @@ -222,8 +220,6 @@ spec: - op: replace path: /spec/template/spec/volumes/0/configMap/name value: {{ENVIRONMENT}}-idp-application-yml - - op: remove - path: /spec/template/spec/containers/0/env - op: replace path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name value: {{ENVIRONMENT}}-idp-config @@ -234,8 +230,6 @@ spec: - op: replace path: /spec/template/spec/volumes/0/configMap/name value: {{ENVIRONMENT}}-idp-application-yml - - op: remove - path: /spec/template/spec/containers/0/env - op: replace path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name value: {{ENVIRONMENT}}-idp-config @@ -247,8 +241,6 @@ spec: - op: replace path: /spec/template/spec/volumes/0/configMap/name value: {{ENVIRONMENT}}-idp-application-yml - - op: remove - path: /spec/template/spec/containers/0/env - op: replace path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name value: {{ENVIRONMENT}}-idp-config @@ -259,8 +251,6 @@ spec: - op: replace path: /spec/template/spec/volumes/0/configMap/name value: {{ENVIRONMENT}}-idp-application-yml - - op: remove - path: /spec/template/spec/containers/0/env - op: replace path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name value: {{ENVIRONMENT}}-idp-config 
@@ -271,8 +261,6 @@ spec: - op: replace path: /spec/template/spec/volumes/0/configMap/name value: {{ENVIRONMENT}}-idp-application-yml - - op: remove - path: /spec/template/spec/containers/0/env - op: replace path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name value: {{ENVIRONMENT}}-idp-config @@ -284,8 +272,6 @@ spec: - op: replace path: /spec/template/spec/volumes/0/configMap/name value: {{ENVIRONMENT}}-dashboard-application-yml - - op: remove - path: /spec/template/spec/containers/0/env - op: replace path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name value: {{ENVIRONMENT}}-dashboard-config @@ -296,8 +282,6 @@ spec: - op: replace path: /spec/template/spec/volumes/0/configMap/name value: {{ENVIRONMENT}}-dashboard-application-yml - - op: remove - path: /spec/template/spec/containers/0/env - op: replace path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name value: {{ENVIRONMENT}}-dashboard-config @@ -308,8 +292,6 @@ spec: - op: replace path: /spec/template/spec/volumes/0/configMap/name value: {{ENVIRONMENT}}-dashboard-application-yml - - op: remove - path: /spec/template/spec/containers/0/env - op: replace path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name value: {{ENVIRONMENT}}-dashboard-config From e8f4c2005ba1e06fac522894b89c4fa9837bc6df Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Fri, 23 Aug 2024 09:49:09 -0400 Subject: [PATCH 19/46] Swapping out container images in jobs as well, also removing duplicate database overrides --- dockerfiles/application.yaml | 47 +++++++++++++----------------------- 1 file changed, 17 insertions(+), 30 deletions(-) diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml index 93af36d511e..7ad644e485f 100644 --- a/dockerfiles/application.yaml +++ b/dockerfiles/application.yaml 
@@ -208,36 +208,8 @@ spec: name: create-database patch: |- - op: replace - path: /spec/template/spec/volumes/0/configMap/name - value: {{ENVIRONMENT}}-idp-application-yml - - op: replace - path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name - value: {{ENVIRONMENT}}-idp-config - - target: - kind: Job - name: migrate-database - patch: |- - - op: replace - path: /spec/template/spec/volumes/0/configMap/name - value: {{ENVIRONMENT}}-idp-application-yml - - op: replace - path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name - value: {{ENVIRONMENT}}-idp-config - - target: - kind: Job - name: seed-database - patch: |- - - op: replace - path: /spec/template/spec/volumes/0/configMap/name - value: {{ENVIRONMENT}}-idp-application-yml - - op: replace - path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name - value: {{ENVIRONMENT}}-idp-config - # Patch idp database setup jobs - - target: - kind: Job - name: create-database - patch: |- + path: /spec/template/spec/containers/0/image + value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}} - op: replace path: /spec/template/spec/volumes/0/configMap/name value: {{ENVIRONMENT}}-idp-application-yml @@ -248,6 +220,9 @@ spec: kind: Job name: migrate-database patch: |- + - op: replace + path: /spec/template/spec/containers/0/image + value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}} - op: replace path: /spec/template/spec/volumes/0/configMap/name value: {{ENVIRONMENT}}-idp-application-yml @@ -258,6 +233,9 @@ spec: kind: Job name: seed-database patch: |- + - op: replace + path: /spec/template/spec/containers/0/image + value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}} - op: replace path: /spec/template/spec/volumes/0/configMap/name value: {{ENVIRONMENT}}-idp-application-yml 
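Review bot: Patching `/spec/template/spec/containers/0/image` on a Job only works on first creation: `spec.template` of a Job is immutable once it exists, so on the next push to the same branch, when `{{IDP_CONTAINER_TAG}}` changes, the API server rejects the update and the Argo sync fails on the create-database, migrate-database and seed-database resources (and on the three dashboard Jobs in the following hunks). Unless these Jobs are already declared as Argo sync hooks or carry the `argocd.argoproj.io/sync-options: Replace=true` annotation, that has to be added so the Job is recreated rather than updated. Removing the duplicated idp Job block here is correct and resolves the double-apply problem from the earlier commit.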
@@ -269,6 +247,9 @@ spec: kind: Job name: create-dashboard-database patch: |- + - op: replace + path: /spec/template/spec/containers/0/image + value: {{ECR_REGISTRY}}/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}} - op: replace path: /spec/template/spec/volumes/0/configMap/name value: {{ENVIRONMENT}}-dashboard-application-yml @@ -279,6 +260,9 @@ spec: kind: Job name: migrate-dashboard-database patch: |- + - op: replace + path: /spec/template/spec/containers/0/image + value: {{ECR_REGISTRY}}/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}} - op: replace path: /spec/template/spec/volumes/0/configMap/name value: {{ENVIRONMENT}}-dashboard-application-yml @@ -289,6 +273,9 @@ spec: kind: Job name: seed-dashboard-database patch: |- + - op: replace + path: /spec/template/spec/containers/0/image + value: {{ECR_REGISTRY}}/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}} - op: replace path: /spec/template/spec/volumes/0/configMap/name value: {{ENVIRONMENT}}-dashboard-application-yml From c1a9a0092f03d77f1913c8e62f9e5c10a51ec5c5 Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Wed, 11 Sep 2024 11:53:25 -0400 Subject: [PATCH 20/46] Updating application.yaml --- dockerfiles/application.yaml | 23 ++++++++++------------- 1 file changed, 10 insertions(+), 13 deletions(-) diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml index 7ad644e485f..10f7ee24bfb 100644 --- a/dockerfiles/application.yaml +++ b/dockerfiles/application.yaml @@ -282,7 +282,7 @@ spec: - op: replace path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name value: {{ENVIRONMENT}}-dashboard-config - # Patch IDP image and configmaps + # Patch IDP image and configmaps and canary metrics - target: kind: Rollout name: idp-rollout 
@@ -293,6 +293,12 @@ spec: - op: replace path: /spec/template/spec/volumes/0/configMap/name value: {{ENVIRONMENT}}-idp-application-yml + - op: replace + path: /spec/strategy/canary/analysis/args/0/value + value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 + - op: replace + path: /spec/strategy/canary/steps/2/analysis/args/0/value + value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 # Patch Worker Image and configmaps - target: kind: Deployment @@ -323,21 +329,12 @@ spec: - op: replace path: /spec/template/spec/containers/0/image value: {{ECR_REGISTRY}}/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}} + - op: replace + path: /spec/template/spec/initContainers/0/image + value: {{ECR_REGISTRY}}/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}} - op: replace path: /spec/template/spec/volumes/0/configMap/name value: {{ENVIRONMENT}}-dashboard-application-yml - - # Patch rollout canary metrics - - target: - kind: Rollout - name: idp-rollout - patch: |- - - op: replace - path: /spec/strategy/canary/analysis/args/0/value - value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 - - op: replace - path: /spec/strategy/canary/steps/2/analysis/args/0/value - value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000 # Patch ingress names - target: kind: Ingress From a138fd827a647787fd1ae9f946baf4f9f32ad519 Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Thu, 12 Sep 2024 10:57:12 -0400 Subject: [PATCH 21/46] Adding in missing service_providers.yml --- dockerfiles/application.yaml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml index 10f7ee24bfb..5782ebdbd28 100644 --- a/dockerfiles/application.yaml +++ b/dockerfiles/application.yaml 
@@ -151,6 +151,27 @@ spec:
 - op: add
 path: /data/DOMAIN_NAME
 value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov"
+ # Patch ConfigMap for Dashboard service_providers.yml
+ - target:
+ kind: ConfigMap
+ name: service-providers-yml
+ patch: |-
+ - op: replace
+ path: /data/service_providers.yml
+ value: |
+ production:
+ 'urn:gov:gsa:openidconnect.profiles:sp:sso:gsa:dashboard':
+ friendly_name: 'Dashboard'
+ agency: 'GSA'
+ agency_id: 2
+ logo: '18f.svg'
+ certs:
+ - 'identity_dashboard_cert'
+ return_to_sp_url: 'https://dashboard.{{ENVIRONMENT}}.identitysandbox.gov/'
+ redirect_uris:
+ - 'https://dashboard.{{ENVIRONMENT}}.identitysandbox.gov/auth/logindotgov/callback'
+ - 'https://dashboard.{{ENVIRONMENT}}.identitysandbox.gov'
+ push_notification_url: 'https://dashboard.{{ENVIRONMENT}}.identitysandbox.gov/api/security_events'
 # Patch for IDP StatefulSet
 - target:
 kind: StatefulSet
From ec0419264e00c77eb8ab730e7a2df0cb7e60303f Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Thu, 12 Sep 2024 12:04:47 -0400
Subject: [PATCH 22/46] Adding missing DASHBOARD_URL
---
 dockerfiles/application.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index 5782ebdbd28..d8ff43a3511 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -63,6 +63,9 @@ spec:
 kind: ConfigMap
 name: worker-config
 patch: |-
+ - op: add
+ path: /data/DASHBOARD_URL
+ value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov"
 - op: add
 path: /data/KUBERNETES_REVIEW_APP
 value: "true"
From 43577c55230ff2599b2c054e236d500305c53a0d Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Mon, 16 Sep 2024 12:26:24 -0400
Subject: [PATCH 23/46] Add in override for idp initContainer
---
 dockerfiles/application.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index d8ff43a3511..c10778b5d76 100644
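Review bot: The dashboard SP's `redirect_uris`, `return_to_sp_url` and `push_notification_url` added in this hunk use the host pattern `dashboard.{{ENVIRONMENT}}.identitysandbox.gov`, while the dashboard's own `DOMAIN_NAME` in the context lines just above (and the dashboard Ingress host patched elsewhere in this file) uses `{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov`. OIDC redirect URIs are matched exactly against the registered list, so unless the callback really is served on the first host, the dashboard's sign-in will be rejected at the redirect_uri check. If the reviewapps host is the right one, the callback entry should read `- 'https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov/auth/logindotgov/callback'` and the other two URLs should follow the same pattern. Keeping the list to the exact callback path, rather than also registering the bare origin, would also narrow what the IdP will redirect to.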
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -314,6 +314,9 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}}
+ - op: replace
+ path: /spec/template/spec/initContainers/0/image
+ value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}}
 - op: replace
 path: /spec/template/spec/volumes/0/configMap/name
 value: {{ENVIRONMENT}}-idp-application-yml
From a9190bf046956fce45867861b816552e3bf89f24 Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Mon, 16 Sep 2024 13:26:32 -0400
Subject: [PATCH 24/46] Adding in missing environment vars for readonly filesystem
---
 dockerfiles/application.yaml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index c10778b5d76..b65c1f51d93 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -58,6 +58,18 @@ spec:
 - op: add
 path: /data/PIV_CAC_VERIFY_TOKEN_URL
 value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/"
+ - op: add
+ path: /data/NEW_RELIC_LOG
+ value: "stdout"
+ - op: add
+ path: /data/PIDFILE
+ value: "/dev/null"
+ - op: add
+ path: /data/ENABLE_BOOTSNAP
+ value: "false"
+ - op: add
+ path: /data/BOOTSNAP_READONLY
+ value: "true"
 # Patch ConfigMap for Worker
 - target:
 kind: ConfigMap
@@ -314,9 +326,6 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}}
- - op: replace
- path: /spec/template/spec/initContainers/0/image
- value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}}
 - op: replace
 path: /spec/template/spec/volumes/0/configMap/name
 value: {{ENVIRONMENT}}-idp-application-yml
From 1dd42475d03f5ba28eb32260fc5f07811df7849c Mon Sep 17 00:00:00 2001
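Review bot: The second hunk of PATCH 24 (`@@ -314,9 +326,6 @@`) silently reverts the idp initContainers image override that PATCH 23 introduced one commit earlier, but the subject line only mentions read-only-filesystem variables, so the revert is easy to miss in history. If the override was wrong (the idp Rollout may have no initContainers, which would make the JSON patch fail), that reason belongs in the commit message or in a comment at the removal site. Separately, the new `ENABLE_BOOTSNAP: "false"` and `BOOTSNAP_READONLY: "true"` pair reads as contradictory; a one-line comment such as `# bootsnap disabled; READONLY kept so a future enable does not write to the image layer` would spare the next reader the question.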
From: Stephen Shelton
Date: Mon, 16 Sep 2024 13:46:50 -0400
Subject: [PATCH 25/46] Lowering min/max replicas in HPA
---
 dockerfiles/application.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index b65c1f51d93..814377842c8 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -371,6 +371,17 @@ spec:
 - op: replace
 path: /spec/template/spec/volumes/0/configMap/name
 value: {{ENVIRONMENT}}-dashboard-application-yml
+ # Patch in lower pod number in IDP HPA
+ - target:
+ kind: HorizontalPodAutoscaler
+ name: idp
+ patch: |-
+ - op: replace
+ path: /spec/minReplicas
+ value: 1
+ - op: replace
+ path: /spec/maxReplicas
+ value: 2
 # Patch ingress names
 - target:
 kind: Ingress
From b5059795734b87f68597bfa526980a553a60505c Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Mon, 16 Sep 2024 14:35:52 -0400
Subject: [PATCH 26/46] Adding in missing redis urls
---
 dockerfiles/application.yaml | 9 +++++++++
 dockerfiles/idp_review_app.Dockerfile | 1 +
 2 files changed, 10 insertions(+)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index 814377842c8..924cda1dd43 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -70,6 +70,15 @@ spec:
 - op: add
 path: /data/BOOTSNAP_READONLY
 value: "true"
+ - op: add
+ path: /data/REDIS_URL
+ value: "redis://{{ENVIRONMENT}}-redis.review-apps:6379"
+ - op: add
+ path: /data/REDIS_THROTTLE_URL
+ value: "redis://{{ENVIRONMENT}}-redis.review-apps:6379/1"
+ - op: add
+ path: /data/REDIS_IRS_ATTEMPTS_API_URL
+ value: "redis://{{ENVIRONMENT}}-redis.review-apps:6379/2"
 # Patch ConfigMap for Worker
 - target:
 kind: ConfigMap
diff --git a/dockerfiles/idp_review_app.Dockerfile b/dockerfiles/idp_review_app.Dockerfile
index ba8b4cbbb3c..7c8947dc82d 100644
--- a/dockerfiles/idp_review_app.Dockerfile
+++ b/dockerfiles/idp_review_app.Dockerfile
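Review bot: The three Redis URLs added in the `@@ -70,6 +70,15 @@` hunk use the plain `redis://` scheme with no credentials, so the session, throttle and IRS-attempts stores are reached unauthenticated and unencrypted from every pod in the namespace. For an ephemeral review namespace that may be an accepted trade-off, but nothing in the file records the decision; a comment such as `# review-app Redis is unauthenticated and plaintext; do not reuse for non-review envs` at the first URL, or switching to `rediss://` plus an auth token if the review Redis supports them, would make it explicit. The same three URLs are repeated verbatim for idp-config-dbsetup in the `@@ -79,6 +79,67 @@` hunk of PATCH 43, so the note applies there too.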
@@ -22,6 +22,7 @@ ENV POSTGRES_WORKER_NAME idp-worker-jobs
 ENV POSTGRES_WORKER_HOST postgres-worker
 ENV POSTGRES_WORKER_USERNAME postgres
 ENV POSTGRES_WORKER_PASSWORD postgres
+ENV REDIS_IRS_ATTEMPTS_API_URL redis://redis:6379/2
 ENV REDIS_THROTTLE_URL redis://redis:6379/1
 ENV REDIS_URL redis://redis:6379
 ENV ASSET_HOST http://localhost:3000
From 268c44ad06673f331614052ac46a3482bbcdeb79 Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Tue, 17 Sep 2024 11:40:09 -0400
Subject: [PATCH 27/46] Starting to cleanup some of the overrides
---
 dockerfiles/application.yaml | 84 ++++++++++++++----------------------
 1 file changed, 33 insertions(+), 51 deletions(-)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index 924cda1dd43..158946b2e78 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
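Review bot: The new `ENV REDIS_IRS_ATTEMPTS_API_URL redis://redis:6379/2` uses the legacy whitespace form of `ENV`; the `key=value` form is the one current Dockerfile documentation recommends and it allows several variables per instruction, e.g. `ENV REDIS_IRS_ATTEMPTS_API_URL=redis://redis:6379/2`. The surrounding lines use the same legacy form, so this is a consistency choice rather than a defect. Unrelated to the added line but visible in the context, `ENV POSTGRES_WORKER_PASSWORD postgres` bakes a database credential into the image layer; if this Dockerfile is only ever built for review apps that is presumably deliberate, but a comment stating so would stop it being copied into a production Dockerfile.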
@@ -196,57 +196,39 @@ spec:
 - 'https://dashboard.{{ENVIRONMENT}}.identitysandbox.gov/auth/logindotgov/callback'
 - 'https://dashboard.{{ENVIRONMENT}}.identitysandbox.gov'
 push_notification_url: 'https://dashboard.{{ENVIRONMENT}}.identitysandbox.gov/api/security_events'
- # Patch for IDP StatefulSet
- - target:
- kind: StatefulSet
- name: idp-pg
- patch: |-
- - op: replace
- path: /spec/volumeClaimTemplates/0/metadata/name
- value: {{ENVIRONMENT}}-idp-data
- - op: replace
- path: /spec/template/spec/containers/0/volumeMounts/0/name
- value: {{ENVIRONMENT}}-idp-data
- - op: replace
- path: /spec/template/spec/containers/0/volumeMounts/0/mountPath
- value: /var/lib/postgresql/data
- - op: replace
- path: /spec/template/spec/containers/0/volumeMounts/0/subPath
- value: postgres
- # Patch for PIVCAC StatefulSet
- - target:
- kind: StatefulSet
- name: pivcac-pg
- patch: |-
- - op: replace
- path: /spec/volumeClaimTemplates/0/metadata/name
- value: {{ENVIRONMENT}}-pivcac-data
- - op: replace
- path: /spec/template/spec/containers/0/volumeMounts/0/name
- value: {{ENVIRONMENT}}-pivcac-data
- - op: replace
- path: /spec/template/spec/containers/0/volumeMounts/0/mountPath
- value: /var/lib/postgresql/data
- - op: replace
- path: /spec/template/spec/containers/0/volumeMounts/0/subPath
- value: postgres
- # Patch for Dashboard StatefulSet
- - target:
- kind: StatefulSet
- name: dashboard-pg
- patch: |-
- - op: replace
- path: /spec/volumeClaimTemplates/0/metadata/name
- value: {{ENVIRONMENT}}-dashboard-data
- - op: replace
- path: /spec/template/spec/containers/0/volumeMounts/0/name
- value: {{ENVIRONMENT}}-dashboard-data
- - op: replace
- path: /spec/template/spec/containers/0/volumeMounts/0/mountPath
- value: /var/lib/postgresql/data
- - op: replace
- path: /spec/template/spec/containers/0/volumeMounts/0/subPath
- value: postgres
+ # # Patch for IDP StatefulSet
+ # - target:
+ # kind: StatefulSet
+ # name: idp-pg
+ # patch: |-
+ # - op: replace
+ # path: 
/spec/volumeClaimTemplates/0/metadata/name
+ # value: {{ENVIRONMENT}}-idp-data
+ # - op: replace
+ # path: /spec/template/spec/containers/0/volumeMounts/0/name
+ # value: {{ENVIRONMENT}}-idp-data
+ # # Patch for PIVCAC StatefulSet
+ # - target:
+ # kind: StatefulSet
+ # name: pivcac-pg
+ # patch: |-
+ # - op: replace
+ # path: /spec/volumeClaimTemplates/0/metadata/name
+ # value: {{ENVIRONMENT}}-pivcac-data
+ # - op: replace
+ # path: /spec/template/spec/containers/0/volumeMounts/0/name
+ # value: {{ENVIRONMENT}}-pivcac-data
+ # # Patch for Dashboard StatefulSet
+ # - target:
+ # kind: StatefulSet
+ # name: dashboard-pg
+ # patch: |-
+ # - op: replace
+ # path: /spec/volumeClaimTemplates/0/metadata/name
+ # value: {{ENVIRONMENT}}-dashboard-data
+ # - op: replace
+ # path: /spec/template/spec/containers/0/volumeMounts/0/name
+ # value: {{ENVIRONMENT}}-dashboard-data
 # Patch idp database setup jobs
 - target:
 kind: Job
From 57e528405090a92a57cf33577388c465d6be13b0 Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Tue, 17 Sep 2024 12:24:32 -0400
Subject: [PATCH 28/46] Testing out more nameReference transformers
---
 dockerfiles/application.yaml | 101 ++---------------------------------
 1 file changed, 4 insertions(+), 97 deletions(-)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index 158946b2e78..c7f6017de73 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -196,39 +196,6 @@ spec:
 - 'https://dashboard.{{ENVIRONMENT}}.identitysandbox.gov/auth/logindotgov/callback'
 - 'https://dashboard.{{ENVIRONMENT}}.identitysandbox.gov'
 push_notification_url: 'https://dashboard.{{ENVIRONMENT}}.identitysandbox.gov/api/security_events'
- # # Patch for IDP StatefulSet
- # - target:
- # kind: StatefulSet
- # name: idp-pg
- # patch: |-
- # - op: replace
- # path: /spec/volumeClaimTemplates/0/metadata/name
- # value: {{ENVIRONMENT}}-idp-data
- # - op: replace
- # path: /spec/template/spec/containers/0/volumeMounts/0/name
- # value: {{ENVIRONMENT}}-idp-data
- # # Patch for PIVCAC StatefulSet
- # - target:
- # kind: StatefulSet
- # name: pivcac-pg
- # patch: |-
- # - op: replace
- # path: /spec/volumeClaimTemplates/0/metadata/name
- # value: {{ENVIRONMENT}}-pivcac-data
- # - op: replace
- # path: /spec/template/spec/containers/0/volumeMounts/0/name
- # value: {{ENVIRONMENT}}-pivcac-data
- # # Patch for Dashboard StatefulSet
- # - target:
- # kind: StatefulSet
- # name: dashboard-pg
- # patch: |-
- # - op: replace
- # path: /spec/volumeClaimTemplates/0/metadata/name
- # value: {{ENVIRONMENT}}-dashboard-data
- # - op: replace
- # path: /spec/template/spec/containers/0/volumeMounts/0/name
- # value: {{ENVIRONMENT}}-dashboard-data
 # Patch idp database setup jobs
 - target:
 kind: Job
@@ -237,12 +204,6 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}}
- - op: replace
- path: /spec/template/spec/volumes/0/configMap/name
- value: {{ENVIRONMENT}}-idp-application-yml
- - op: replace
- path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name
- value: {{ENVIRONMENT}}-idp-config
 - target:
 kind: Job
 name: migrate-database
@@ -250,12 +211,6 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}}
- - op: replace
- path: /spec/template/spec/volumes/0/configMap/name
- value: {{ENVIRONMENT}}-idp-application-yml
- - op: replace
- path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name
- value: {{ENVIRONMENT}}-idp-config
 - target:
 kind: Job
 name: seed-database
@@ -263,12 +218,6 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}}
- - op: replace
- path: /spec/template/spec/volumes/0/configMap/name
- value: {{ENVIRONMENT}}-idp-application-yml
- - op: replace
- path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name
- value: {{ENVIRONMENT}}-idp-config
 # Patch dashboard database setup jobs
 - target:
 kind: Job
@@ -277,12 +226,6 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}}
- - op: replace
- path: /spec/template/spec/volumes/0/configMap/name
- value: {{ENVIRONMENT}}-dashboard-application-yml
- - op: replace
- path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name
- value: {{ENVIRONMENT}}-dashboard-config
 - target:
 kind: Job
 name: migrate-dashboard-database
@@ -290,12 +233,6 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}}
- - op: replace
- path: /spec/template/spec/volumes/0/configMap/name
- value: {{ENVIRONMENT}}-dashboard-application-yml
- - op: replace
- path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name
- value: {{ENVIRONMENT}}-dashboard-config
 - target:
 kind: Job
 name: seed-dashboard-database
@@ -303,13 +240,7 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}}
- - op: replace
- path: /spec/template/spec/volumes/0/configMap/name
- value: {{ENVIRONMENT}}-dashboard-application-yml
- - op: replace
- path: /spec/template/spec/containers/0/envFrom/0/configMapRef/name
- value: {{ENVIRONMENT}}-dashboard-config
- # Patch IDP image and configmaps and canary metrics
+ # Patch IDP image
 - target:
 kind: Rollout
 name: idp-rollout
@@ -317,16 +248,7 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}}
- - op: replace
- path: /spec/template/spec/volumes/0/configMap/name
- value: {{ENVIRONMENT}}-idp-application-yml
- - op: replace
- path: /spec/strategy/canary/analysis/args/0/value
- value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000
- - op: replace
- path: /spec/strategy/canary/steps/2/analysis/args/0/value
- value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000
- # Patch Worker Image and configmaps
+ # Patch Worker Image
 - target:
 kind: Deployment
 name: worker
@@ -334,10 +256,7 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}}
- - op: replace
- path: /spec/template/spec/volumes/0/configMap/name
- value: {{ENVIRONMENT}}-worker-application-yml
- # Patch PIVCAC Image and configmaps
+ # Patch PIVCAC Image
 - target:
 kind: Deployment
 name: pivcac
@@ -345,10 +264,7 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-pki/review:{{PIVCAC_CONTAINER_TAG}}
- - op: replace
- path: /spec/template/spec/volumes/0/configMap/name
- value: {{ENVIRONMENT}}-pivcac-application-yml
- # Patch Dashboard Image configmaps
+ # Patch Dashboard Image
 - target:
 kind: Deployment
 name: dashboard
@@ -359,9 +275,6 @@ spec:
 - op: replace
 path: /spec/template/spec/initContainers/0/image
 value: {{ECR_REGISTRY}}/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}}
- - op: replace
- path: /spec/template/spec/volumes/0/configMap/name
- value: {{ENVIRONMENT}}-dashboard-application-yml
 # Patch in lower pod number in IDP HPA
 - target:
 kind: HorizontalPodAutoscaler
@@ -384,9 +297,6 @@ spec:
 - op: replace
 path: /spec/rules/0/host
 value: {{ENVIRONMENT}}.reviewapps.identitysandbox.gov
- - op: replace
- path: /spec/rules/0/http/paths/0/backend/service/name
- value: {{ENVIRONMENT}}-idp
 - target:
 kind: Ingress
 name: dashboard
@@ -397,9 +307,6 @@ spec:
 - op: replace
 path: /spec/rules/0/host
 value: {{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov
- - op: replace
- path: /spec/rules/0/http/paths/0/backend/service/name
- value: {{ENVIRONMENT}}-dashboard
 destination:
 server: 'https://kubernetes.default.svc'
From 2561bbf2e149ff8107d4c32bbd2886240e2013aa Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Tue, 17 Sep 2024 14:56:50 -0400
Subject: [PATCH 29/46] Adding in canary for idp override
---
 dockerfiles/application.yaml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index c7f6017de73..2a583e13331 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -248,6 +248,12 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}}
+ - op: replace
+ path: /spec/strategy/canary/analysis/args/0/value
+ value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000
+ - op: replace
+ path: /spec/strategy/canary/steps/2/analysis/args/0/value
+ value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000
 # Patch Worker Image
 - target:
 kind: Deployment
From e1fb1b1aa8d0343290f6edb91700fa3f272cb25d Mon Sep 17 00:00:00 2001
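Review bot: Dropping the `/spec/rules/0/http/paths/0/backend/service/name` overrides on the idp and dashboard Ingresses (hunks `@@ -384,9 +297,6 @@` and `@@ -397,9 +307,6 @@`) makes the Ingress backends depend on kustomize's nameReference transformer rewriting Service names, and that configuration is not part of this patch. If the base's nameReference list does not cover `Ingress` `spec/rules/*/http/paths/*/backend/service/name`, the Ingress will keep pointing at the un-prefixed Service while the Services themselves are renamed, and the review host will stop routing. The subject says this is being tested; a comment at the Ingress patches naming the transformer that now owns the backend rename (or a pointer to where it is configured) would make the dependency explicit and let a reviewer check it. The `@@ -397,9 +307,6 @@` hunk appears to be missing one trailing context line in this rendering, so its end is only inferred.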
From: Stephen Shelton
Date: Fri, 20 Sep 2024 14:10:52 -0400
Subject: [PATCH 30/46] Adding in pivcac ingress
---
 dockerfiles/application.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index 2a583e13331..1a673c1e899 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -313,6 +313,13 @@ spec:
 - op: replace
 path: /spec/rules/0/host
 value: {{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov
+ - target:
+ kind: Ingress
+ name: pivcac
+ patch: |-
+ - op: replace
+ path: /spec/rules/0/host
+ value: {{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov
 destination:
 server: 'https://kubernetes.default.svc'
From c210883089ac3180058e541031fe82464e724827 Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Fri, 20 Sep 2024 14:53:29 -0400
Subject: [PATCH 31/46] Adding more image overrides
---
 dockerfiles/application.yaml | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index 1a673c1e899..3bd22b95215 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -240,6 +240,28 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}}
+ # Patch pivcac database jobs/update crl CronJob
+ - target:
+ kind: Job
+ name: create-pivcac-database
+ patch: |-
+ - op: replace
+ path: /spec/template/spec/containers/0/image
+ value: {{ECR_REGISTRY}}/identity-pivcac/review:{{DASHBOARD_CONTAINER_TAG}}
+ - target:
+ kind: Job
+ name: migrate-pivcac-database
+ patch: |-
+ - op: replace
+ path: /spec/template/spec/containers/0/image
+ value: {{ECR_REGISTRY}}/identity-pivcac/review:{{DASHBOARD_CONTAINER_TAG}}
+ - target:
+ kind: CronJob
+ name: update-pivcac-crls
+ patch: |-
+ - op: replace
+ path: /spec/jobTemplate/spec/template/spec/containers/0/image
+ value: {{ECR_REGISTRY}}/identity-pki/review:{{PIVCAC_CONTAINER_TAG}}
 # Patch IDP image
 - target:
 kind: Rollout
From 6f7ccd1b0ec9fcc772d19b91c844138179bc942f Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Tue, 24 Sep 2024 13:52:53 -0400
Subject: [PATCH 32/46] Adding missing environment var
---
 dockerfiles/application.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index 3bd22b95215..28469524984 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -131,6 +131,9 @@ spec:
 - op: add
 path: /data/POSTGRES_NAME
 value: "identity_pki_production"
+ - op: add
+ path: /data/POSTGRES_SSLMODE
+ value: "prefer"
 - op: add
 path: /data/POSTGRES_HOST
 value: "{{ENVIRONMENT}}-pivcac-pg.review-apps"
From 01a45b220322978351fd30c16970f6fc51afdb82 Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Tue, 24 Sep 2024 15:19:27 -0400
Subject: [PATCH 33/46] More overrides
---
 dockerfiles/application.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index 28469524984..c53b51a9c79 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
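Review bot: `POSTGRES_SSLMODE: "prefer"` added in the `@@ -131,6 +131,9 @@` hunk lets libpq fall back silently to a plaintext connection whenever the server does not offer TLS, so it documents an intent to encrypt without guaranteeing it; `require`, or `verify-full` with a CA bundle, fails closed instead. If the in-cluster review Postgres is known to serve plaintext only and that is accepted for review apps, the value should say so, e.g. `# prefer: review-app Postgres may not serve TLS; non-review envs must use verify-full`. The same value is added for idp-config-dbsetup in the `@@ -79,6 +79,67 @@` hunk of PATCH 43, where the same comment applies.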
@@ -295,6 +295,9 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-pki/review:{{PIVCAC_CONTAINER_TAG}}
+ - op: replace
+ path: /spec/template/spec/containers/1/image
+ value: {{ECR_REGISTRY}}/identity-pivcac/nginx:{{PIVCAC_CONTAINER_TAG}}
 # Patch Dashboard Image
 - target:
 kind: Deployment
From b3d3f8df1956b35c486cbb3f4dcbba687183f283 Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Tue, 24 Sep 2024 18:21:52 -0400
Subject: [PATCH 34/46] Updating reviewapp image for pivcac
---
 dockerfiles/application.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index c53b51a9c79..c25432dc8e3 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -294,7 +294,7 @@ spec:
 patch: |-
 - op: replace
 path: /spec/template/spec/containers/0/image
- value: {{ECR_REGISTRY}}/identity-pki/review:{{PIVCAC_CONTAINER_TAG}}
+ value: {{ECR_REGISTRY}}/identity-pivcac/review:{{PIVCAC_CONTAINER_TAG}}
 - op: replace
 path: /spec/template/spec/containers/1/image
 value: {{ECR_REGISTRY}}/identity-pivcac/nginx:{{PIVCAC_CONTAINER_TAG}}
From 4beaf57c3e297da6f297515d5a308204765bfd04 Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Tue, 24 Sep 2024 18:23:30 -0400
Subject: [PATCH 35/46] Fix more pivcac references
---
 dockerfiles/application.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index c25432dc8e3..e751bcc321d 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -250,21 +250,21 @@ spec:
 patch: |-
 - op: replace
 path: /spec/template/spec/containers/0/image
- value: {{ECR_REGISTRY}}/identity-pivcac/review:{{DASHBOARD_CONTAINER_TAG}}
+ value: {{ECR_REGISTRY}}/identity-pivcac/review:{{PIVCAC_CONTAINER_TAG}}
 - target:
 kind: Job
 name: migrate-pivcac-database
 patch: |-
 - op: replace
 path: /spec/template/spec/containers/0/image
- value: {{ECR_REGISTRY}}/identity-pivcac/review:{{DASHBOARD_CONTAINER_TAG}}
+ value: {{ECR_REGISTRY}}/identity-pivcac/review:{{PIVCAC_CONTAINER_TAG}}
 - target:
 kind: CronJob
 name: update-pivcac-crls
 patch: |-
 - op: replace
 path: /spec/jobTemplate/spec/template/spec/containers/0/image
- value: {{ECR_REGISTRY}}/identity-pki/review:{{PIVCAC_CONTAINER_TAG}}
+ value: {{ECR_REGISTRY}}/identity-pivcac/review:{{PIVCAC_CONTAINER_TAG}}
 # Patch IDP image
 - target:
 kind: Rollout
From f614e9b1d679203765c24c71482612d80d3becec Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Wed, 25 Sep 2024 11:46:09 -0400
Subject: [PATCH 36/46] Swapping from review to pivcac
---
 dockerfiles/application.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index e751bcc321d..c325bd645b9 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -250,21 +250,21 @@ spec:
 patch: |-
 - op: replace
 path: /spec/template/spec/containers/0/image
- value: {{ECR_REGISTRY}}/identity-pivcac/review:{{PIVCAC_CONTAINER_TAG}}
+ value: {{ECR_REGISTRY}}/identity-pivcac/pivcac:{{PIVCAC_CONTAINER_TAG}}
 - target:
 kind: Job
 name: migrate-pivcac-database
 patch: |-
 - op: replace
 path: /spec/template/spec/containers/0/image
- value: {{ECR_REGISTRY}}/identity-pivcac/review:{{PIVCAC_CONTAINER_TAG}}
+ value: {{ECR_REGISTRY}}/identity-pivcac/pivcac:{{PIVCAC_CONTAINER_TAG}}
 - target:
 kind: CronJob
 name: update-pivcac-crls
 patch: |-
 - op: replace
 path: /spec/jobTemplate/spec/template/spec/containers/0/image
- value: {{ECR_REGISTRY}}/identity-pivcac/review:{{PIVCAC_CONTAINER_TAG}}
+ value: {{ECR_REGISTRY}}/identity-pivcac/pivcac:{{PIVCAC_CONTAINER_TAG}}
 # Patch IDP image
 - target:
 kind: Rollout
@@ -294,7 +294,7 @@ spec:
 patch: |-
 - op: replace
 path: /spec/template/spec/containers/0/image
- value: {{ECR_REGISTRY}}/identity-pivcac/review:{{PIVCAC_CONTAINER_TAG}}
+ value: {{ECR_REGISTRY}}/identity-pivcac/pivcac:{{PIVCAC_CONTAINER_TAG}}
 - op: replace
 path: /spec/template/spec/containers/1/image
 value: {{ECR_REGISTRY}}/identity-pivcac/nginx:{{PIVCAC_CONTAINER_TAG}}
From 1f8edf64bdbd171e77418aaa6d14fcecb46af33f Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Wed, 25 Sep 2024 13:01:51 -0400
Subject: [PATCH 37/46] Seeing if this helps out
---
 dockerfiles/application.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index c325bd645b9..93aef211a2f 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -137,6 +137,9 @@ spec:
 - op: add
 path: /data/POSTGRES_HOST
 value: "{{ENVIRONMENT}}-pivcac-pg.review-apps"
+ - op: add
+ path: /data/PIDFILE
+ value: "/dev/null"
 - op: add
 path: /data/IDP_HOST
 value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov"
From 5f657eb649bb98e1ba62f36e7914cd009d6e5e02 Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Fri, 4 Oct 2024 12:20:51 -0400
Subject: [PATCH 38/46] Removing canary
---
 dockerfiles/application.yaml | 6 ------
 1 file changed, 6 deletions(-)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index 93aef211a2f..8318c47821f 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -276,12 +276,6 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}}
- - op: replace
- path: /spec/strategy/canary/analysis/args/0/value
- value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000
- - op: replace
- path: /spec/strategy/canary/steps/2/analysis/args/0/value
- value: {{ENVIRONMENT}}-idp_reviewapps_svc_3000
 # Patch Worker Image
 - target:
 kind: Deployment
From 74a533373a656ce59c1e00c577753f7088f5a7f5 Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Fri, 4 Oct 2024 13:14:04 -0400
Subject: [PATCH 39/46] Adding in pull policy overrides
---
 dockerfiles/application.yaml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index 8318c47821f..124e14f0915 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -276,6 +276,9 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}}
+ - op: replace
+ path: /spec/template/spec/containers/0/imagePullPolicy
+ value: Always
 # Patch Worker Image
 - target:
 kind: Deployment
@@ -284,6 +287,9 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}}
+ - op: replace
+ path: /spec/template/spec/containers/0/imagePullPolicy
+ value: Always
 # Patch PIVCAC Image
 - target:
 kind: Deployment
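Review bot: `imagePullPolicy: Always` added for the idp Rollout and worker Deployment in the two PATCH 39 hunks on this line (and in every later hunk of PATCH 39 and 40) keeps a mutable tag fresh, but it does not pin what actually runs: if the pivcac and dashboard tags substituted into this file are branch names rather than immutable SHAs, two pods of the same review app can pull different images across a restart, and a review cannot be reproduced later. If reproducibility or provenance matters for these environments, substituting a digest (`image@sha256:<digest placeholder>`) instead of a tag is the robust fix; otherwise a one-line comment at the first override, `# Always: non-idp tags are mutable branch tags, so cached layers would go stale`, records why the policy is there. The `Always` value itself is a plain scalar, which is fine for this enum; nothing here needs quoting.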
@@ -295,6 +301,12 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/1/image
 value: {{ECR_REGISTRY}}/identity-pivcac/nginx:{{PIVCAC_CONTAINER_TAG}}
+ - op: replace
+ path: /spec/template/spec/containers/0/imagePullPolicy
+ value: Always
+ - op: replace
+ path: /spec/template/spec/containers/1/imagePullPolicy
+ value: Always
 # Patch Dashboard Image
 - target:
 kind: Deployment
@@ -306,6 +318,12 @@ spec:
 - op: replace
 path: /spec/template/spec/initContainers/0/image
 value: {{ECR_REGISTRY}}/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}}
+ - op: replace
+ path: /spec/template/spec/containers/0/imagePullPolicy
+ value: Always
+ - op: replace
+ path: /spec/template/spec/initContainers/0/imagePullPolicy
+ value: Always
 # Patch in lower pod number in IDP HPA
 - target:
 kind: HorizontalPodAutoscaler
From e65224a9a9efdaa214f37fe48e2ff3e250264c85 Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Fri, 4 Oct 2024 13:28:52 -0400
Subject: [PATCH 40/46] Adding in more missing imagepullpolicies
---
 dockerfiles/application.yaml | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index 124e14f0915..41ce8123f64 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -210,6 +210,9 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}}
+ - op: replace
+ path: /spec/template/spec/containers/0/imagePullPolicy
+ value: Always
 - target:
 kind: Job
 name: migrate-database
@@ -217,6 +220,9 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}}
+ - op: replace
+ path: /spec/template/spec/containers/0/imagePullPolicy
+ value: Always
 - target:
 kind: Job
 name: seed-database
@@ -224,6 +230,9 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-idp/review:{{IDP_CONTAINER_TAG}}
+ - op: replace
+ path: /spec/template/spec/containers/0/imagePullPolicy
+ value: Always
 # Patch dashboard database setup jobs
 - target:
 kind: Job
@@ -232,6 +241,9 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}}
+ - op: replace
+ path: /spec/template/spec/containers/0/imagePullPolicy
+ value: Always
 - target:
 kind: Job
 name: migrate-dashboard-database
@@ -239,6 +251,9 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}}
+ - op: replace
+ path: /spec/template/spec/containers/0/imagePullPolicy
+ value: Always
 - target:
 kind: Job
 name: seed-dashboard-database
@@ -246,6 +261,9 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-dashboard/review:{{DASHBOARD_CONTAINER_TAG}}
+ - op: replace
+ path: /spec/template/spec/containers/0/imagePullPolicy
+ value: Always
 # Patch pivcac database jobs/update crl CronJob
 - target:
 kind: Job
@@ -254,6 +272,9 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-pivcac/pivcac:{{PIVCAC_CONTAINER_TAG}}
+ - op: replace
+ path: /spec/template/spec/containers/0/imagePullPolicy
+ value: Always
 - target:
 kind: Job
 name: migrate-pivcac-database
@@ -261,6 +282,9 @@ spec:
 - op: replace
 path: /spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-pivcac/pivcac:{{PIVCAC_CONTAINER_TAG}}
+ - op: replace
+ path: /spec/template/spec/containers/0/imagePullPolicy
+ value: Always
 - target:
 kind: CronJob
 name: update-pivcac-crls
@@ -268,6 +292,9 @@ spec:
 - op: replace
 path: /spec/jobTemplate/spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-pivcac/pivcac:{{PIVCAC_CONTAINER_TAG}}
+ - op: replace
+ path: /spec/template/spec/containers/0/imagePullPolicy
+ value: Always
 # Patch IDP image
 - target:
 kind: Rollout
From 26843f50805e070b2fd8d7564facfed22eb468ac Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Fri, 4 Oct 2024 13:42:06 -0400
Subject: [PATCH 41/46] Fixing CronJob imagepullpolicy reference
---
 dockerfiles/application.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index 41ce8123f64..ecb02aeb6f2 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -293,7 +293,7 @@ spec:
 path: /spec/jobTemplate/spec/template/spec/containers/0/image
 value: {{ECR_REGISTRY}}/identity-pivcac/pivcac:{{PIVCAC_CONTAINER_TAG}}
 - op: replace
- path: /spec/template/spec/containers/0/imagePullPolicy
+ path: /spec/jobTemplate/spec/template/spec/containers/0/imagePullPolicy
 value: Always
 # Patch IDP image
 - target:
From c49f479104e8a7c27c87d41072e7df5cd807d09e Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Mon, 7 Oct 2024 10:33:59 -0400
Subject: [PATCH 42/46] Making sure rollouts is playing nice
---
 .gitlab-ci.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index ec03d1fcefc..b72fd47a395 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -449,6 +449,7 @@ trigger_devops:
 - echo "To access the rails console, first run 'aws-vault exec sandbox-power -- aws eks update-kubeconfig --name reviewapp'"
 - echo "Then run aws-vault exec sandbox-power -- kubectl exec -it service/$CI_ENVIRONMENT_SLUG-login-chart-idp -n review-apps -- /app/bin/rails console"
 - echo "Address of IDP review app:"
+ - echo "Testing"
 - echo https://$CI_ENVIRONMENT_SLUG.reviewapps.identitysandbox.gov
 - echo "Address of PIVCAC review app:"
 - echo https://$CI_ENVIRONMENT_SLUG.pivcac.reviewapps.identitysandbox.gov
From ee3c2896388293494a287067c480d530601f957a Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Mon, 7 Oct 2024 13:06:52 -0400
Subject: [PATCH 43/46] Testing out some things
---
 .gitlab-ci.yml | 1 -
 dockerfiles/application.yaml | 160 +++++++++++++++++++++++++++++++++++
 2 files changed, 160 insertions(+), 1 deletion(-)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index b72fd47a395..ec03d1fcefc 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -449,7 +449,6 @@ trigger_devops:
 - echo "To access the rails console, first run 'aws-vault exec sandbox-power -- aws eks update-kubeconfig --name reviewapp'"
 - echo "Then run aws-vault exec sandbox-power -- kubectl exec -it service/$CI_ENVIRONMENT_SLUG-login-chart-idp -n review-apps -- /app/bin/rails console"
 - echo "Address of IDP review app:"
- - echo "Testing"
 - echo https://$CI_ENVIRONMENT_SLUG.reviewapps.identitysandbox.gov
 - echo "Address of PIVCAC review app:"
 - echo https://$CI_ENVIRONMENT_SLUG.pivcac.reviewapps.identitysandbox.gov
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index ecb02aeb6f2..e76ee318253 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -79,6 +79,67 @@ spec: - op: add path: /data/REDIS_IRS_ATTEMPTS_API_URL value: "redis://{{ENVIRONMENT}}-redis.review-apps:6379/2" + - target: + kind: ConfigMap + name: idp-config-dbsetup + patch: |- + - op: add + path: /data/ASSET_HOST + value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - op: add + path: /data/DASHBOARD_URL + value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + - op: add + path: /data/DOMAIN_NAME + value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - op: add + path: /data/KUBERNETES_REVIEW_APP + value: "true" + - op: add + path: /data/POSTGRES_HOST + value: "{{ENVIRONMENT}}-idp-pg.review-apps" + - op: add + path: /data/POSTGRES_NAME + value: "idp" + - op: add + path: /data/POSTGRES_SSLMODE + value: "prefer" + - op: add + path: /data/LOGIN_ENV + value: "{{ENVIRONMENT}}" + - op: add + path: /data/LOGIN_HOST_ROLE + value: "idp" + - op: add + path: /data/LOGIN_SKIP_REMOTE_CONFIG + value: "true" + - op: add + path: /data/PIV_CAC_SERVICE_URL + value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + - op: add + path: /data/PIV_CAC_VERIFY_TOKEN_URL + value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + - op: add + path: /data/NEW_RELIC_LOG + value: "stdout" + - op: add + path: /data/PIDFILE + value: "/dev/null" + - op: add + path: /data/ENABLE_BOOTSNAP + value: "false" + - op: add + path: /data/BOOTSNAP_READONLY + value: "true" + - op: add + path: /data/REDIS_URL + value: "redis://{{ENVIRONMENT}}-redis.review-apps:6379" + - op: add + path: /data/REDIS_THROTTLE_URL + value: "redis://{{ENVIRONMENT}}-redis.review-apps:6379/1" + - op: add + path: /data/REDIS_IRS_ATTEMPTS_API_URL + value: "redis://{{ENVIRONMENT}}-redis.review-apps:6379/2" # Patch ConfigMap for Worker - target: kind: ConfigMap 
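Review bot: `POSTGRES_SSLMODE` is set to `"prefer"` in the new `idp-config-dbsetup` patch, and likewise in the `worker-config-dbsetup`, `pivcac-config-dbsetup` and `dashboard-config-dbsetup` hunks that follow; `prefer` silently falls back to a cleartext connection when TLS negotiation fails, so the db-setup jobs would run unencrypted with no signal. If the review-app Postgres services support TLS, `value: "require"` (or `verify-full` with a CA) pins the expectation; if they do not, a comment saying so is worth adding. Separately, the new block repeats nearly every `op: add` entry of the `idp-config` patch directly above it, so the two will drift; consider generating the `-dbsetup` variants from the same source or moving the shared entries into the base ConfigMap. The enclosing `patches:` list starts outside the hunk.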
@@ -117,6 +178,43 @@ spec: - op: add path: /data/DOMAIN_NAME value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - target: + kind: ConfigMap + name: worker-config-dbsetup + patch: |- + - op: add + path: /data/DASHBOARD_URL + value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + - op: add + path: /data/KUBERNETES_REVIEW_APP + value: "true" + - op: add + path: /data/POSTGRES_SSLMODE + value: "prefer" + - op: add + path: /data/POSTGRES_NAME + value: "idp" + - op: add + path: /data/POSTGRES_HOST + value: "{{ENVIRONMENT}}-idp-pg.review-apps" + - op: add + path: /data/LOGIN_ENV + value: "{{ENVIRONMENT}}" + - op: add + path: /data/LOGIN_HOST_ROLE + value: "worker" + - op: add + path: /data/LOGIN_SKIP_REMOTE_CONFIG + value: "true" + - op: add + path: /data/PIV_CAC_SERVICE_URL + value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + - op: add + path: /data/PIV_CAC_VERIFY_TOKEN_URL + value: "https://{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov/" + - op: add + path: /data/DOMAIN_NAME + value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" # Patch ConfigMap for PIVCAC - target: kind: ConfigMap 
@@ -146,6 +244,34 @@ spec: - op: add path: /data/DOMAIN_NAME value: "{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov" + - target: + kind: ConfigMap + name: pivcac-config-dbsetup + patch: |- + - op: add + path: /data/KUBERNETES_REVIEW_APP + value: "true" + - op: add + path: /data/CLIENT_CERT_S3_BUCKET + value: "login-gov-pivcac-public-cert-reviewapps.894947205914-us-west-2" + - op: add + path: /data/POSTGRES_NAME + value: "identity_pki_production" + - op: add + path: /data/POSTGRES_SSLMODE + value: "prefer" + - op: add + path: /data/POSTGRES_HOST + value: "{{ENVIRONMENT}}-pivcac-pg.review-apps" + - op: add + path: /data/PIDFILE + value: "/dev/null" + - op: add + path: /data/IDP_HOST + value: "{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - op: add + path: /data/DOMAIN_NAME + value: "{{ENVIRONMENT}}.pivcac.reviewapps.identitysandbox.gov" # Patch ConfigMap for Dashboard - target: kind: ConfigMap 
@@ -181,6 +307,40 @@ spec: - op: add path: /data/DOMAIN_NAME value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + - target: + kind: ConfigMap + name: dashboard-config-dbsetup + patch: |- + - op: add + path: /data/KUBERNETES_REVIEW_APP + value: "true" + - op: add + path: /data/POSTGRES_NAME + value: "dashboard" + - op: add + path: /data/POSTGRES_HOST + value: "{{ENVIRONMENT}}-dashboard-pg.review-apps" + - op: add + path: /data/POSTGRES_SSLMODE + value: "prefer" + - op: add + path: /data/NEW_RELIC_ENABLED + value: "false" + - op: add + path: /data/SAML_SP_ISSUER + value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + - op: add + path: /data/IDP_URL + value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - op: add + path: /data/IDP_SP_URL + value: "https://{{ENVIRONMENT}}.reviewapps.identitysandbox.gov" + - op: add + path: /data/POST_LOGOUT_URL + value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" + - op: add + path: /data/DOMAIN_NAME + value: "https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov" # Patch ConfigMap for Dashboard service_providers.yml - target: kind: ConfigMap From 4c7b4600d54e054cab1fcccc75d65302530ad574 Mon Sep 17 00:00:00 2001 From: Stephen Shelton Date: Mon, 7 Oct 2024 13:50:12 -0400 Subject: [PATCH 44/46] Seeing if this fixes the routing issue --- dockerfiles/application.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml index e76ee318253..3e4002c71c6 100644 --- a/dockerfiles/application.yaml +++ b/dockerfiles/application.yaml @@ -533,6 +533,9 @@ spec: - op: replace path: /spec/rules/0/host value: {{ENVIRONMENT}}.reviewapps.identitysandbox.gov + - op: replace + path: /spec/rules/0/http/paths/0/backend/service/port/name + value: https - target: kind: Ingress name: dashboard From a8352ad2db43983fba7e52d950efc3bab306bd0d Mon Sep 17 00:00:00 2001 
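Review bot: In the new `dashboard-config-dbsetup` patch, `/data/DOMAIN_NAME` is set to `"https://{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov"`, scheme included, while the idp, worker and pivcac `-dbsetup` patches set `DOMAIN_NAME` to a bare hostname. The existing `dashboard-config` entry in the context line above has the same form, so this may be what the dashboard expects, but if it parses `DOMAIN_NAME` as a hostname the value is wrong; confirm against the dashboard's config loader and, if a bare host is intended, use `value: "{{ENVIRONMENT}}-dashboard.reviewapps.identitysandbox.gov"`. The enclosing `patches:` list starts outside the hunk.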
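Review bot: The added `replace` on `/spec/rules/0/http/paths/0/backend/service/port/name` only succeeds if the base Ingress already selects its backend by port name; if it uses `port.number`, the `replace` fails at render time, and switching to `add` would not help because `ServiceBackendPort` allows only one of `name` or `number`, so the `number` would also have to be removed in the same patch. Since the commit title describes this as a trial, the rendered Ingress for a review environment should be checked for a backend of exactly `port: {name: https}` and a Service port that is actually named `https`. The enclosing `patches:` list starts outside the hunk.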
From: Stephen Shelton
Date: Wed, 9 Oct 2024 12:20:30 -0400
Subject: [PATCH 45/46] Swapping to main now that the other is landed
---
 dockerfiles/application.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dockerfiles/application.yaml b/dockerfiles/application.yaml
index 3e4002c71c6..96599270750 100644
--- a/dockerfiles/application.yaml
+++ b/dockerfiles/application.yaml
@@ -8,7 +8,7 @@ spec:
 project: default
 source:
 repoURL: 'git@gitlab.login.gov:lg-public/identity-eks-control.git'
- targetRevision: sshelton/update-reviewapp
+ targetRevision: main
 path: cluster-reviewapp/envs/reviewapps
 kustomize:
 namePrefix: "{{ENVIRONMENT}}-"
From 01d89591409d2f6fbeec171087a276c4b85b8291 Mon Sep 17 00:00:00 2001
From: Stephen Shelton
Date: Wed, 9 Oct 2024 16:28:21 -0400
Subject: [PATCH 46/46] Adding echo statement to help find the application deployment in argo
---
 .gitlab-ci.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index ec03d1fcefc..f2b7e8d2af3 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -445,6 +445,7 @@ trigger_devops:
 - cat ${APPLICATION_MANIFEST}
 # Apply our ArgoCD Application
 - kubectl apply -f ${APPLICATION_MANIFEST} -n argocd
+ - echo "View your applications deployment progress at https://argocd.reviewapp.identitysandbox.gov/applications/argocd/${CI_ENVIRONMENT_SLUG}?view=tree&resource="
 - echo "DNS may take a while to propagate, so be patient if it doesn't show up right away"
 - echo "To access the rails console, first run 'aws-vault exec sandbox-power -- aws eks update-kubeconfig --name reviewapp'"
 - echo "Then run aws-vault exec sandbox-power -- kubectl exec -it service/$CI_ENVIRONMENT_SLUG-login-chart-idp -n review-apps -- /app/bin/rails console"
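Review bot: The added echo points at `argocd.reviewapp.identitysandbox.gov` (singular `reviewapp`) while every application host printed by this job is under `reviewapps.identitysandbox.gov`; the EKS cluster name on the later line is also singular, so this may be correct, but if it is a typo the printed link is dead and is worth confirming once. The URL also ends in an empty `&resource=` parameter that can be dropped: `- echo "View your application's deployment progress at https://argocd.reviewapp.identitysandbox.gov/applications/argocd/${CI_ENVIRONMENT_SLUG}?view=tree"`. The enclosing `trigger_devops` script continues outside the hunk.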