feat: Deploy cert-manager and istio (#18)

* feat: Deploy cert-manager and istio * style: Rename some components * feat: Add letsencrypt staging issuer * feat: Add pvc for postgres dev env * refactor: Move config file * feat: Create secret * refactor: Create helm template * feat: Add deployment and service * clean: Remove postgres helm * feat: Create the certificates for new domains Co-authored-by: rgaiffe <[email protected]> Co-authored-by: 42Atomys <[email protected]>
42atomys · Apr 22, 2022 · fcdfe5b · fcdfe5b
1 parent 5b366eb
commit fcdfe5b
Show file tree

Hide file tree

Showing 26 changed files with 603 additions and 9 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,68 @@
+# See https://help.github.com/articles/ignoring-files/ for more about ignoring files.
+
+# =================================================
+# Globals 🤖
+# =================================================
+# local env files
+.env*
+
+# Configuration Files
+config/*
+web/ui/stud42.config.yaml
+
+# =================================================
+# Backend ignores 💻
+# =================================================
+
+# Certs
+certs/
+
+# Generated code
+internal/api/generated/*
+internal/models/generated/*
+internal/models/structs_generated.go
+internal/**/*.pb.go
+
+# =================================================
+# Frontned ignores 🕹
+# =================================================
+
+# Generated code
+web/ui/src/graphql/schema.json
+web/ui/src/graphql/generated.ts
+web/ui/src/grpc/jwtks/jwtks.ts
+
+# dependencies
+web/ui/node_modules
+web/ui/*.pnp
+web/ui/*.pnp.js
+
+# testing
+web/ui/coverage
+
+# next.js
+web/ui/.next/
+web/ui/out/
+
+# production
+web/ui/build
+
+# misc
+deploy/
+docs/
+config/*
+tools/
+.github
+.DS_Store
+*.pem
+
+# debug
+web/ui/*npm-debug.log*
+web/ui/*yarn-debug.log*
+web/ui/*yarn-error.log*
+
+# vercel
+web/ui/*.vercel
+
+# typescript
+web/ui/**.tsbuildinfo
diff --git a/.github/workflows/backend-tests.yaml b/.github/workflows/backend-tests.yaml
@@ -5,13 +5,15 @@ on:
     - '.github/**'
     - 'web/ui/**'
     - 'docs/**'
+    - 'deploy/**'
   push:
     branches:
       - main
     paths-ignore:
     - '.github/**'
     - 'web/ui/**'
     - 'docs/**'
+    - 'deploy/**'
 
 jobs:
   linters:

diff --git a/.github/workflows/cluster-initial-install.yaml b/.github/workflows/cluster-initial-install.yaml
@@ -0,0 +1,96 @@
+name: 'K8S Cluster - Install 🤖'
+on: 
+  workflow_dispatch:
+    inputs:
+      install_istio:
+        type: boolean
+        required: true
+        description: (Re)Install Istio ?
+      install_cert_manager:
+        type: boolean
+        required: true
+        description: (Re)Install Cert Manager ?
+
+jobs:
+  core_install:
+    runs-on: ubuntu-latest
+    name: Install the core of the cluster
+    steps:
+    - uses: azure/[email protected]
+    - uses: azure/setup-helm@v1
+    - uses: azure/k8s-set-context@v2
+      with:
+        method: kubeconfig
+        kubeconfig: ${{ secrets.KUBECONFIG_ADMIN }}
+        cluster-type: generic
+    - uses: Azure/[email protected]
+      name: Create namespaces
+      with:
+        action: deploy
+        manifests: |
+          deploy/cluster/namespaces/
+        token: ${{ github.token }}
+    - uses: Azure/[email protected]
+      name: Create deployer service accounts
+      with:
+        action: deploy
+        manifests: |
+          deploy/cluster/rbac/deployer*.yaml
+        token: ${{ github.token }}
+    - name: Install istio
+      if: ${{ github.event.inputs.install_istio == 'true' }} 
+      run: |
+        curl -L https://istio.io/downloadIstio | sh -
+        istioctl install -y 
+    - name: Install cert-manager
+      if: ${{ github.event.inputs.install_cert_manager == 'true' }} 
+      run: |
+        kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml
+        git clone https://github.com/baarde/cert-manager-webhook-ovh.git
+        cd cert-manager-webhook-ovh
+        helm install cert-manager-webhook-ovh ./deploy/cert-manager-webhook-ovh --set groupName='acme.s42.app'
+    - name: Create ovh-credentials secrets for cert-manager
+      uses: azure/k8s-create-secret@v2
+      if: ${{ github.event.inputs.install_cert_manager == 'true' }} 
+      with:
+        namespace: cert-manager
+        secret-type: Opaque
+        secret-name: ovh-credentials
+        string-data: ${{ secrets.SECRET__OVH_CREDENTIALS_SECRET_KEY }}
+    - uses: Azure/[email protected]
+      name: Install issuers & certificates
+      with:
+        action: deploy
+        manifests: |
+          deploy/cluster/cert-manager/issuers
+          deploy/cluster/cert-manager/certificates
+        token: ${{ github.token }}
+    - uses: Azure/[email protected]
+      name: Install gateways
+      with:
+        action: deploy
+        manifests: |
+          deploy/cluster/istio/gateways
+        token: ${{ github.token }}
+  update_secrets:
+    name: Install cross cluster secrets
+    runs-on: ubuntu-latest
+    needs: core_install
+    strategy:
+      fail-fast: true
+      matrix:
+        namespace: [ review-apps, staging, sandbox, production ]
+    steps:
+    - uses: azure/[email protected]
+    - uses: azure/k8s-set-context@v2
+      with:
+        method: kubeconfig
+        kubeconfig: ${{ secrets.KUBECONFIG_ADMIN }}
+        cluster-type: generic
+    - name: Create docker-registry secret for GitHub Packages on ${{ matrix.namespace }}
+      run: |
+        kubectl create secret docker-registry ghcr-creds \
+          --namespace=${{ matrix.namespace }} \
+          --docker-username=${{ github.repository_owner }} \
+          --docker-password=${{ secrets.SECRET__GHCR_TOKEN }} \
+          --docker-server=ghcr.io
diff --git a/.github/workflows/k8s-manifests-lints.yaml b/.github/workflows/k8s-manifests-lints.yaml
@@ -0,0 +1,39 @@
+# name: 'Tests - K8S Manifests 🤖'
+# on:
+#   pull_request:
+#     paths:
+#     - deploy/**.yaml
+#   push:
+#     branches:
+#     - main
+#     paths:
+#     - deploy/**.yaml
+# jobs:
+#   manifests_linter:
+#     name: 'K8S Manifests Linters 🤖'
+#     runs-on: ubuntu-latest
+#     permissions:
+#       contents: read
+#     steps:
+#     - uses: azure/[email protected]
+#     - uses: azure/k8s-set-context@v2
+#       with:
+#         cluster-type: generic
+#         method: service-account
+#         k8s-url: ${{ secrets._K8S_CLUSTER_ENDPOINT }}
+#         k8s-secret: ${{ secrets.SECRET_REVIEW_APPS_DEPLOYER_TOKEN }}
+#       id: setcontext
+#     - uses: actions/checkout@v3
+#     - id: files-raw
+#       uses: jitterbit/get-changed-files@v1
+#       with:
+#         format: 'space-delimited'
+#         token: ${{ github.token }}
+#     - run: |
+#         result=$(echo ${{ steps.files-raw.outputs.all }} | tr ' ' '\n' | grep 'deploy/' | egrep -i '.(yml|yaml)$')
+#         echo "::set-output name=FILES::$result"
+#       id: files
+#     - uses: azure/k8s-lint@v2
+#       with:
+#         lintType: dryrun
+#         manifests: ${{ steps.files.outputs.FILES }}
diff --git a/.github/workflows/review-apps.yaml b/.github/workflows/review-apps.yaml
@@ -0,0 +1,48 @@
+name: 'Review App - Build 🔧'
+on:
+  pull_request: 
+    branches:
+    - main
+  push:
+    branches:
+    - main
+  release:
+    types:
+    - prereleased
+    - published
+jobs:
+  build_and_push:
+    name: 'Build & push to ghcr.io 🔧'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME: ${{ github.repository }}
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    - name: Log in to the Container registry
+      uses: docker/login-action@v1
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@v3
+      with:
+        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+        github-token: ${{ github.token }}
+
+    - name: Build and push Docker image
+      uses: docker/build-push-action@v2
+      with:
+        context: .
+        push: true
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
+        file: build/Dockerfile
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -1,14 +1,17 @@
-FROM golang:1.17-alpine AS build
+FROM golang:1.18 AS build
 
 WORKDIR /build
 COPY . /build
-RUN CGO_ENABLED=0 GOARCH=amd64 GOOS=linux go build -o stud42
+
+RUN apt-get update && \
+    apt-get install -y unzip && \
+    make -f build/Makefile deps generate build
 
 FROM alpine
 
 LABEL maintener "42Atomys <[email protected]>"
 LABEL repository "https://github.com/42Atomys/stud42"
 
-COPY --from=build /build/stud42 /stud42
+COPY --from=build /build/stud42cli /stud42cli
 
-CMD ["/stud42"]
+CMD ["/stud42cli"]
diff --git a/build/Makefile b/build/Makefile
@@ -4,7 +4,7 @@ generate:
 	go generate cmd/jwtks.go
 
 build:
-	go build -o stud42cli
+	CGO_ENABLED=0 GOARCH=amd64 GOOS=linux go build -o stud42cli
 
 clean:
 	rm -rf internal/api/generated 
@@ -18,12 +18,12 @@ certs:
 	openssl rsa -in certs/private.key -out certs/public.pem -pubout -outform PEM
 
 deps:
-	wget -O /tmp/protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v3.20.0/protoc-3.20.0-linux-x86_64.zip
-	unzip -ud /tmp/protoc /tmp/protoc.zip
-	mv /tmp/protoc/bin/protoc /usr/local/bin/protoc
+	wget -O /tmp/protoc.zip https://github.com/protocolbuffers/protobuf/releases/download/v3.20.1/protoc-3.20.1-linux-x86_64.zip
+	unzip -uo /tmp/protoc -d /usr/local bin/protoc
 
 all:
+	deps
 	generate
 	build
 
-.PHONY: generate build all
+.PHONY: clean deps generate build all
diff --git a/deploy/.keep b/deploy/.keep
diff --git a/deploy/cluster/cert-manager/certificates/app.s42.yaml b/deploy/cluster/cert-manager/certificates/app.s42.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: s42-app
+  namespace: istio-system
+spec:
+  dnsNames:
+    - s42.app
+    - '*.s42.app'
+  issuerRef:
+    kind: ClusterIssuer
+    name: ovh-issuer
+  secretName: s42-app-tls
diff --git a/deploy/cluster/cert-manager/certificates/dev.s42.yaml b/deploy/cluster/cert-manager/certificates/dev.s42.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: s42-dev
+  namespace: istio-system
+spec:
+  dnsNames:
+    - s42.dev
+    - '*.s42.dev'
+  issuerRef:
+    kind: ClusterIssuer
+    name: ovh-issuer
+  secretName: s42-dev-tls
diff --git a/deploy/cluster/cert-manager/issuers/ovh-letsencrypt-staging.yaml b/deploy/cluster/cert-manager/issuers/ovh-letsencrypt-staging.yaml
@@ -0,0 +1,22 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: ovh-staging-issuer
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: '[email protected]'
+    privateKeySecretRef:
+      name: letsencrypt-account-key
+    solvers:
+    - dns01:
+        webhook:
+          groupName: 'acme.stud42.atomys.app'
+          solverName: ovh
+          config:
+            endpoint: ovh-eu
+            applicationKey: 'OVH_APPLICATION_KEY'
+            applicationSecretRef:
+              key: applicationSecret
+              name: ovh-credentials
+            consumerKey: 'OVH_CONSUMER_KEY'