kamikazechaser/cic-internal-integration
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

try and launch some k8s

Browse Source
This commit is contained in:
Blair Vanderlugt
2021-08-23 13:46:17 -07:00
parent 70ce759564
commit ea6ce88dab
48 changed files with 3802 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
kubernetes/cic-auth-proxy/cic-auth-creds-configmap.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: cic-auth-proxy-credentials-configmap
namespace: grassroots
data:
credentials.yaml: |
level: 9
items:
user: 1

10
kubernetes/cic-auth-proxy/cic-auth-proxy-acl-configMap.yaml Normal file
View File

@@ -0,0 +1,10 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: cic-auth-proxy-acl-configmap
namespace: grassroots
data:
F3FAF668E82EF5124D5187BAEF26F4682343F692: |
- "^/user(/.*)?$":
read:
- user

114
kubernetes/cic-auth-proxy/cic-auth-proxy-meta-deployment.yaml Normal file
View File

@@ -0,0 +1,114 @@
# https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
apiVersion: apps/v1
kind: Deployment
metadata:
name: cic-auth-proxy-meta
namespace: grassroots
labels:
app: cic-auth-proxy-meta
group: cic
annotations:
keel.sh/policy: "glob:master-*"
keel.sh/trigger: poll
keel.sh/pollSchedule: "@every 5m"
spec:
selector:
matchLabels:
app: cic-auth-proxy-meta
replicas: 1
template:
metadata:
labels:
app: cic-auth-proxy-meta
group: cic
spec:
containers:
- name: cic-auth-proxy-meta
#image: registry.gitlab.com/grassrootseconomics/cic-auth-proxy:master-c05fafbf-1627493790 # {"$imagepolicy": "flux-system:cic-auth-proxy"}
image: registry.gitlab.com/grassrootseconomics/cic-auth-proxy:latest
imagePullPolicy: Always
resources:
requests:
cpu: 50m
memory: 100Mi
limits:
cpu: 100m
memory: 200Mi
env:
- name: PROXY_HOST
value: cic-meta-server
- name: PROXY_PORT
value: "80"
- name: PROXY_PATH_PREFIX
value: "/"
- name: HTTP_AUTH_ORIGIN
value: https://meta-auth.dev.grassrootseconomics.net:443
- name: HTTP_AUTH_REALM
value: GE
- name: ACL_CREDENTIALS_ENDPOINT
value: http://key-server:8081/
- name: ACL_PATH
value: /data/acls/F3FAF668E82EF5124D5187BAEF26F4682343F692
- name: GPG_PUBLICKEYS_ENDPOINT
value: http://key-server:8080/.well-known/publickeys/
- name: GPG_SIGNATURE_ENDPOINT
value: http://key-server:8080/.well-known/signature/
- name: GPG_TRUSTED_PUBLICKEY_FINGERPRINT # fingerprint of trusted key
value: CCE2E1D2D0E36ADE0405E2D0995BB21816313BD5
- name: GPG_HOMEDIR
value: /usr/local/etc/cic-auth-proxy/.gnupg/
- name: GPG_IMPORT_DIR
value: /usr/local/etc/cic-auth-proxy/import/
- name: GPG_PUBLICKEY_FILENAME
value: publickeys.asc
- name: GPG_SIGNATURE_FILENAME
value: signature.asc
- name: GPG_TRUSTED_PUBLICKEY_MATERIAL
value: /usr/local/etc/cic-auth-proxy/trusted/trustedpublickey.asc
ports:
- containerPort: 8080
name: http
volumeMounts:
- name: acl-config
mountPath: /data/acls/
readOnly: true
- name: credentials-config
mountPath: /data/noop/
readOnly: true
- name: trusted-publickey
mountPath: /usr/local/etc/cic-auth-proxy/trusted/
- name: gpg-homedir
mountPath: /usr/local/etc/cic-auth-proxy/.gnupg
- name: pgp-meta-test
mountPath: /usr/local/etc/cic-auth-proxy/import
volumes:
- name: pgp-meta-test
configMap:
name: pgp-meta-test
- name: acl-config
configMap:
name: cic-auth-proxy-acl-configmap
- name: credentials-config
configMap:
name: cic-auth-proxy-credentials-configmap
- name: trusted-publickey
configMap:
name: pgp-trusted-publickey
- name: gpg-homedir
emptyDir: {}
---
# https://kubernetes.io/docs/concepts/services-networking/service/
apiVersion: v1
kind: Service
metadata:
name: cic-auth-proxy-meta
namespace: grassroots
spec:
selector:
app: cic-auth-proxy-meta
type: ClusterIP
ports:
- name: http
protocol: TCP
port: 80
targetPort: 8080

114
kubernetes/cic-auth-proxy/cic-auth-proxy-user-deployment.yaml Normal file
View File

@@ -0,0 +1,114 @@
# https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
apiVersion: apps/v1
kind: Deployment
metadata:
name: cic-auth-proxy-user
namespace: grassroots
labels:
app: cic-auth-proxy-user
group: cic
annotations:
keel.sh/policy: "glob:master-*"
keel.sh/trigger: poll
keel.sh/pollSchedule: "@every 5m"
spec:
selector:
matchLabels:
app: cic-auth-proxy-user
replicas: 1
template:
metadata:
labels:
app: cic-auth-proxy-user
group: cic
spec:
containers:
- name: cic-auth-proxy-user
#image: registry.gitlab.com/grassrootseconomics/cic-auth-proxy:master-c05fafbf-1627493790 # {"$imagepolicy": "flux-system:cic-auth-proxy"}
image: registry.gitlab.com/grassrootseconomics/cic-auth-proxy:latest
imagePullPolicy: Always
resources:
requests:
cpu: 50m
memory: 100Mi
limits:
cpu: 100m
memory: 200Mi
env:
- name: PROXY_HOST
value: cic-user-server
- name: PROXY_PORT
value: "80"
- name: PROXY_PATH_PREFIX
value: "/"
- name: HTTP_AUTH_ORIGIN
value: https://meta-auth.dev.grassrootseconomics.net:443
- name: HTTP_AUTH_REALM
value: GE
- name: ACL_CREDENTIALS_ENDPOINT
value: http://key-server:8081/
- name: ACL_PATH
value: /data/acls/F3FAF668E82EF5124D5187BAEF26F4682343F692
- name: GPG_PUBLICKEYS_ENDPOINT
value: http://key-server:8080/.well-known/publickeys/
- name: GPG_SIGNATURE_ENDPOINT
value: http://key-server:8080/.well-known/signature/
- name: GPG_TRUSTED_PUBLICKEY_FINGERPRINT # fingerprint of trusted key
value: CCE2E1D2D0E36ADE0405E2D0995BB21816313BD5
- name: GPG_HOMEDIR
value: /usr/local/etc/cic-auth-proxy/.gnupg/
- name: GPG_IMPORT_DIR
value: /usr/local/etc/cic-auth-proxy/import/
- name: GPG_PUBLICKEY_FILENAME
value: publickeys.asc
- name: GPG_SIGNATURE_FILENAME
value: signature.asc
- name: GPG_TRUSTED_PUBLICKEY_MATERIAL
value: /usr/local/etc/cic-auth-proxy/trusted/trustedpublickey.asc
ports:
- containerPort: 8080
name: http
volumeMounts:
- name: acl-config
mountPath: /data/acls/
readOnly: true
- name: credentials-config
mountPath: /data/noop/
readOnly: true
- name: trusted-publickey
mountPath: /usr/local/etc/cic-auth-proxy/trusted/
- name: gpg-homedir
mountPath: /usr/local/etc/cic-auth-proxy/.gnupg
- name: pgp-user-test
mountPath: /usr/local/etc/cic-auth-proxy/import
volumes:
- name: pgp-meta-test
configMap:
name: pgp-meta-test
- name: acl-config
configMap:
name: cic-auth-proxy-acl-configmap
- name: credentials-config
configMap:
name: cic-auth-proxy-credentials-configmap
- name: trusted-publickey
configMap:
name: pgp-trusted-publickey
- name: gpg-homedir
emptyDir: {}
---
# https://kubernetes.io/docs/concepts/services-networking/service/
apiVersion: v1
kind: Service
metadata:
name: cic-auth-proxy-user
namespace: grassroots
spec:
selector:
app: cic-auth-proxy-user
type: ClusterIP
ports:
- name: http
protocol: TCP
port: 80
targetPort: 8080

129
kubernetes/cic-auth-proxy/cic-auth-proxy-ussd-deployment.yaml Normal file
View File

@@ -0,0 +1,129 @@
# https://kubernetes.io/docs/concepts/workloads/controllers/deployment/
apiVersion: apps/v1
kind: Deployment
metadata:
name: cic-auth-proxy-ussd
namespace: grassroots
labels:
app: cic-auth-proxy-ussd
group: cic
annotations:
keel.sh/policy: "glob:master-*"
keel.sh/trigger: poll
keel.sh/pollSchedule: "@every 5m"
spec:
selector:
matchLabels:
app: cic-auth-proxy-ussd
replicas: 1
template:
metadata:
labels:
app: cic-auth-proxy-ussd
group: cic
spec:
containers:
- name: cic-auth-proxy-ussd
#image: registry.gitlab.com/grassrootseconomics/cic-auth-proxy:master-c05fafbf-1627493790 # {"$imagepolicy": "flux-system:cic-auth-proxy"}
image: registry.gitlab.com/grassrootseconomics/cic-auth-proxy:latest
imagePullPolicy: Always
command: ["uwsgi", "--wsgi-file", "meta/scripts/proxy-ussd.py", "--http",
":8080"]
resources:
requests:
cpu: 50m
memory: 100Mi
limits:
cpu: 100m
memory: 200Mi
env:
- name: PROXY_HOST
value: cic-user-ussd-server
- name: PROXY_PORT
value: "80"
- name: PROXY_PATH_PREFIX
value: "/"
- name: HTTP_AUTH_ORIGIN
value: https://ussd-auth.dev.grassrootseconomics.net:443
- name: HTTP_AUTH_REALM
value: GE
- name: ACL_CREDENTIALS_ENDPOINT
value: http://key-server:8081/
- name: ACL_PATH
value: /data/acls/F3FAF668E82EF5124D5187BAEF26F4682343F692
- name: ACL_QUERYSTRING_USERNAME
valueFrom:
secretKeyRef:
name: cic-ussd-querystring-creds
key: username
- name: ACL_QUERYSTRING_PASSWORD
valueFrom:
secretKeyRef:
name: cic-ussd-querystring-creds
key: password
- name: ACL_WHITELIST
value: "37.188.113.15, 164.177.157.18, 5.79.0.242, 164.177.141.82, 164.177.141.83"
- name: GPG_PUBLICKEYS_ENDPOINT
value: http://key-server:8080/.well-known/publickeys/
- name: GPG_SIGNATURE_ENDPOINT
value: http://key-server:8080/.well-known/signature/
- name: GPG_TRUSTED_PUBLICKEY_FINGERPRINT # fingerprint of trusted key
value: CCE2E1D2D0E36ADE0405E2D0995BB21816313BD5
- name: GPG_HOMEDIR
value: /usr/local/etc/cic-auth-proxy/.gnupg/
- name: GPG_IMPORT_DIR
value: /usr/local/etc/cic-auth-proxy/import/
- name: GPG_PUBLICKEY_FILENAME
value: publickeys.asc
- name: GPG_SIGNATURE_FILENAME
value: signature.asc
- name: GPG_TRUSTED_PUBLICKEY_MATERIAL
value: /usr/local/etc/cic-auth-proxy/trusted/trustedpublickey.asc
ports:
- containerPort: 8080
name: http
volumeMounts:
- name: acl-config
mountPath: /data/acls/
readOnly: true
- name: credentials-config
mountPath: /data/noop/
readOnly: true
- name: trusted-publickey
mountPath: /usr/local/etc/cic-auth-proxy/trusted/
- name: gpg-homedir
mountPath: /usr/local/etc/cic-auth-proxy/.gnupg
- name: pgp-meta-test
mountPath: /usr/local/etc/cic-auth-proxy/import
volumes:
- name: pgp-meta-test
configMap:
name: pgp-meta-test
- name: acl-config
configMap:
name: cic-auth-proxy-acl-configmap
- name: credentials-config
configMap:
name: cic-auth-proxy-credentials-configmap
- name: trusted-publickey
configMap:
name: pgp-trusted-publickey
- name: gpg-homedir
emptyDir: {}
---
# https://kubernetes.io/docs/concepts/services-networking/service/
apiVersion: v1
kind: Service
metadata:
name: cic-auth-proxy-ussd
namespace: grassroots
spec:
selector:
app: cic-auth-proxy-ussd
type: ClusterIP
ports:
- name: http
protocol: TCP
port: 80
targetPort: 8080

16
kubernetes/cic-auth-proxy/cic-ussd-querystring-creds.yaml Normal file
View File

@@ -0,0 +1,16 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: cic-ussd-querystring-creds
namespace: grassroots
spec:
encryptedData:
password: AgAO18hv8gZZRoySuTqNOg06imdnfES7io54TEGO501cq8usRcj9Bu3us+7V8zD20DQTZ7xCGCV2eyZ1kMsnFNFUBPMG0raAtwe4dAskYeQxKp0VyE1y+d9TbecvlqRXmAD3lF1exMSS3PD68VZcrDpenXE7Ag74uEJM7YmAKnUXIzBhxZlG7bIwLrRuNiTye83e/jijaPD3+66NrExBM2H//b8u1l8QVNd13XwgAWkJEW9QNMP1b2ir9VWKE4P8Da22SQRIed/Nhyc+aR3izqEpCbeRYmQqlo9r66oXK4Yr5v0IkI38gBGORrPv1OZK01plvGgMoxTe3pSiW5cyMtCXx6GgyIFKII1yYvtlI86Sf4J3DRU6kC3NSvF+2B99yFrbUPyoAGQFd6oSWAQLBI2kYqf6NXuaT3kxBNroAICMlAYygPKG0t6jEzTWk+E5l4F/PHWFD5DM+diHRqQAdDStACcMCl2i2133PPjlK1gUhQkCmeRcKeEqMT5ssBx/KM5p+v8syV4/0VlNtJpnP/aWcbwvVsiHhDE9trM/+p5E6gsVymAIiW20nRnuOSjHCnHOtjtfPtEZ3A8eHAqgJjdE6fY7DvZmwKfx2A4tMcrikz208Pa7JIFE6nj9osTz7eMrWXTmquVRotZ9we3WmGBycgVUuv9hfzUC6srkTIyT9UGHH9UNiRba/73ZDF2Zr2XvN0ofkQz8dN0dKLxy/OptCciV3Rdn/4s/IQ0usSwXLEb2tQtHgy5+twj7IQij6amjLbulRm1U2GLatmvgbjqf
username: AgCJQ9JiJErCGfH3pkX3I3696Garu40pGWgvcUOa9wz3r3Q+5SY0IMnroWO3z66L/HG7DW70upgfJBVyhncrUBrC/z73D++nMz43JvFc39MHcUYVmqvjIw1401705+G7UxxgcMOx09++CBZ97wbEfKc251v98s8G/bLtMcqS/12pVNfMGgjpkE6InlS0n9VD26HDs4A3uNtfN2GK2dsazV05UXs8W+6JOZsJ60QfPJylCpKh+sxPLDlYt4lRIM/6pP7kQXLn+VmWtzuo1dZTaUliMYH+DOXO2V9ePnjTUXGrMgRfuZP2PCmG3usdC45mOPpuURPFUmF8SDQ4IXKhBd7N+8pjZDiqQ2RxK61Qz6MXv851u7HABgVMhtjlZfaD4hVY+mr7KYDVQvrhJ971y84KBHuQFOxwZZnXAx5FdBWmkKkz959bjulJaRe1ZWA01k1SQHiVFeIArbbNSlvH45XoNR8rxFiQE+5Olt9UwdpXAH/sAfH7CRY1SnRrAW3LCyCVqAJcXF9kU+bnezVgWoJ/h9ff6VKRFqh3o+wa6V6J8GNbwC0/oeXo0XyUjbwAUjIRKeWbJ1obkvWDfYILpo2CVt34tzYowiVqmYYB8SqKBPgrca+Xmn9GpggOMibJKk0LC6R04iAajMy73cuxkX+PMV1Wz5xOuF60ccCsdiD15deYOlA34UdfeNQgGA7EKPhsl0kD/xm5
template:
metadata:
creationTimestamp: null
name: cic-ussd-querystring-creds
namespace: grassroots