Merge pull request #891 from ITfoxtec/main

main
ITfoxtec · Aug 3, 2024 · 29c18c8 · 29c18c8
2 parents 7e6627a + 8e74cb0
commit 29c18c8
Show file tree

Hide file tree

Showing 11 changed files with 113 additions and 85 deletions.
diff --git a/.github/workflows/ci_test_docker.yaml b/.github/workflows/ci_test_docker.yaml
@@ -20,46 +20,48 @@ jobs:
       -
         name: Docker meta
         id: meta-f
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v5.5.1
         with:
           images: ${{ secrets.DOCKERHUB_ORG }}/foxids
           tags: |            
             type=raw,value=latest-test,enable=true
       -
         name: Docker meta
         id: meta-fc
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v5.5.1
         with:
           images: ${{ secrets.DOCKERHUB_ORG }}/foxids-control
           tags: |     
             type=raw,value=latest-test,enable=true
       -
         name: Login to Docker Hub
-        uses: docker/login-action@v3
+        uses: docker/login-action@v3.3.0
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v3.5.0
       -
         name: Build and push FoxIDs
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6.5.0
         with:
           context: .
           file: ./src/FoxIDs/Dockerfile
           platforms: linux/amd64
           push: true
+          provenance: false
           tags: ${{ steps.meta-f.outputs.tags }}
           labels: ${{ steps.meta-f.outputs.labels }}
       -
         name: Build and push FoxIDs.Control
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6.5.0
         with:
           context: .
           file: ./src/FoxIDs.Control/Dockerfile
           platforms: linux/amd64
           push: true
+          provenance: false
           tags: ${{ steps.meta-fc.outputs.tags }}
           labels: ${{ steps.meta-fc.outputs.labels }}
 

diff --git a/Kubernetes/k8s-foxids-deployment.yaml b/Kubernetes/k8s-foxids-deployment.yaml
@@ -5,7 +5,7 @@ metadata:
   labels:
     app: foxids
 spec:
-  replicas: 1
+  replicas: 2
   selector:
     matchLabels:
       app: foxids
@@ -18,10 +18,10 @@ spec:
         - name: foxids
           image: foxids/foxids:latest
           ports:
-            - containerPort: 80
+            - containerPort: 8800
           env:
             - name: "ASPNETCORE_URLS"
-              value: "http://+"
+              value: "http://+:8800"
             - name: "Settings__UseHttp"
               value: "true"
             - name: "Settings__TrustProxyHeaders"
@@ -68,7 +68,7 @@ metadata:
   labels:
     app: foxids-control
 spec:
-  replicas: 1
+  replicas: 2
   selector:
     matchLabels:
       app: foxids-control
@@ -81,10 +81,10 @@ spec:
         - name: foxids-control
           image: foxids/foxids-control:latest
           ports:
-            - containerPort: 80
+            - containerPort: 8800
           env:
             - name: "ASPNETCORE_URLS"
-              value: "http://+"
+              value: "http://+:8800"
             - name: "Settings__UseHttp"
               value: "true"
             - name: "Settings__TrustProxySchemeHeader"
@@ -135,25 +135,23 @@ kind: Service
 metadata:
   name: foxids
 spec:
-  selector:
-    app: foxids
-  type: LoadBalancer
   ports:
-    - name: http
+    - port: 8800
+      targetPort: 8800
       protocol: TCP
-      port: 8800
-      targetPort: 80
+  type: ClusterIP
+  selector:
+    app: foxids
 ---
 apiVersion: v1
 kind: Service
 metadata:
   name: foxids-control
 spec:
-  selector:
-    app: foxids-control
-  type: LoadBalancer
   ports:
-    - name: http
+    - port: 8800
+      targetPort: 8800
       protocol: TCP
-      port: 8801
-      targetPort: 80
+  type: ClusterIP
+  selector:
+    app: foxids-control
diff --git a/Kubernetes/k8s-foxids-ingress-deployment.yaml b/Kubernetes/k8s-foxids-ingress-deployment.yaml
@@ -3,12 +3,16 @@ kind: Ingress
 metadata:
   name: foxids-ingress-http
   annotations:
-   #production 
-    cert-manager.io/cluster-issuer: letsencrypt-production
-   #staging
-   # cert-manager.io/cluster-issuer: letsencrypt-staging
+   cert-manager.io/issuer: "letsencrypt-production" #production    
+   #cert-manager.io/issuer: "letsencrypt-staging" #staging
 spec:
   ingressClassName: nginx
+  tls:
+    - hosts:
+      - id.itfoxtec.com   # change to your domain -  id.my-domain.com
+      - control.itfoxtec.com  # change to your domain -  control.my-domain.com
+      secretName: letsencrypt-production-tls #production  
+      #secretName: letsencrypt-staging-tls #staging
   rules:
   - host: id.itfoxtec.com   # change to your domain -  id.my-domain.com
     http:
@@ -29,12 +33,4 @@ spec:
           service:
             name: foxids-control
             port:
-              number: 8801
-  tls:
-    - hosts:
-      - id.itfoxtec.com   # change to your domain -  id.my-domain.com
-      - control.itfoxtec.com  # change to your domain -  control.my-domain.com
-     #production 
-      secretName: letsencrypt-production
-     #staging 
-     # secretName: letsencrypt-staging
+              number: 8800
diff --git a/Kubernetes/k8s-letsencrypt-issuer.yaml b/Kubernetes/k8s-letsencrypt-issuer.yaml
@@ -1,22 +1,28 @@
 apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- #production 
-  name: letsencrypt-production
- #staging
- # name: letsencrypt-staging
+kind: Issuer
+metadata: 
+  name: letsencrypt-staging 
 spec:
-  acme:
-   #production
-    server: https://acme-v02.api.letsencrypt.org/directory
-   #staging
-   # server: https://acme-staging-v02.api.letsencrypt.org/directory
+  acme:   
+    server: https://acme-staging-v02.api.letsencrypt.org/directory 
     email: support@my-domain.com # change to your email
-    privateKeySecretRef:
-     #production 
-      name: letsencrypt-production
-     #staging
-     # name: letsencrypt-staging
+    privateKeySecretRef:     
+     name: letsencrypt-staging 
+    solvers:
+      - http01:
+          ingress:
+            class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata: 
+  name: letsencrypt-production 
+spec:
+  acme:   
+    server: https://acme-v02.api.letsencrypt.org/directory 
+    email: support@my-domain.com # change to your email
+    privateKeySecretRef:     
+      name: letsencrypt-production 
     solvers:
       - http01:
           ingress:

diff --git a/docs/deployment-k8s.md b/docs/deployment-k8s.md
@@ -7,6 +7,9 @@ This is a description of how to make a default [deployment](#deployment), [log i
 Pre requirements:
 - You have a Kubernetes cluster or Docker Desktop with Kubernetes enabled. 
 - You have basic knowledge about Kubernetes.
+- You have `kubectl` installer on your workstation.
+- You have [Helm](https://docs.helm.sh/) installer on your workstation and your cluster.  
+  Install Helm on windows with this CMD command `winget install Helm.Helm` 
 
 > This is a list of [useful commands](#useful-commands) in the end of this description.
 
@@ -69,6 +72,14 @@ Create `persistent volume claim` for Redis
 kubectl apply -f k8s-redis-pvc-dynamic.yaml
 ```
 
+### Namespace
+This guide generally uses the namespace `foxids`, consider changing the namespace to suit your kubernetes environment.
+
+Create namespace
+```cmd
+kubectl create namespace foxids
+```
+
 ### MongoDB
 Change the username and password for MongoDB in `k8s-mongo-secret.yaml`. The username and password is base64 encoded.
 
@@ -86,30 +97,30 @@ echo -n "the text" | base64
 
 Add the MongoDB secret
 ```cmd
-kubectl apply -f k8s-mongo-secret.yaml
+kubectl apply -f k8s-mongo-secret.yaml -n foxids
 ```
 
 Create MongoDB  
 *Optionally expose MongoDB on port 27017 by uncomment the `LoadBalancer`*
 ```cmd
-kubectl apply -f k8s-mongo-deployment.yaml
+kubectl apply -f k8s-mongo-deployment.yaml -n foxids
 ```
 
 Add a `ConfigMap` for the MongoDB service
 ```cmd
-kubectl apply -f k8s-mongo-configmap.yaml
+kubectl apply -f k8s-mongo-configmap.yaml -n foxids
 ```
 
 ### Redis
 
 Create Redis  
 ```cmd
-kubectl apply -f k8s-redis-deployment.yaml
+kubectl apply -f k8s-redis-deployment.yaml -n foxids
 ```
 
 Add a `ConfigMap` for the Redis service
 ```cmd
-kubectl apply -f k8s-redis-configmap.yaml
+kubectl apply -f k8s-redis-configmap.yaml -n foxids
 ```
 
 ### FoxIDs websites
@@ -143,70 +154,85 @@ This example show how to add Outlook / Microsoft 365 with SMTP:
 **Deploy**  
 Create the two FoxIDs websites
 ```cmd
-kubectl apply -f k8s-foxids-deployment.yaml
+kubectl apply -f k8s-foxids-deployment.yaml -n foxids
 ```
 
 The configuration require a Nginx controller. You can optionally change the configuration to use another controller.
 
-Install Ingress-Nginx controller
+Install Ingress-Nginx controller with two commands
 ```cmd
-kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.10.1/deploy/static/provider/cloud/deploy.yaml
+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx --force-update
+helm -n ingress-nginx install ingress-nginx ingress-nginx/ingress-nginx --create-namespace
 ```
 Optionally verify Ingress-Nginx installation 
 ```cmd
-kubectl -n ingress-nginx get pod
+kubectl get pod -n ingress-nginx
+```
+If you try again in a few minutes you should get an EXTERNAL-IP
+```cmd
+kubectl get svc -n ingress-nginx ingress-nginx-controller
 ```
 
 > DNS records to the two domains need to point to the installations IP address to enable the Let's Encrypt online validation.  
 > The firewall needs to accept requests on port 80 and 443. Let's encrypt validates the domain ownership on port 80.
 
-Install Cert-manager
+Optionally scale the Ingress-Nginx controller 
+```cmd
+kubectl scale deployment ingress-nginx-controller -n ingress-nginx --replicas=2
+```
+
+Install Cert-manager with two commands
 ```cmd
-kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml
+helm repo add jetstack https://charts.jetstack.io --force-update
+helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set crds.enabled=true
 ```
 Optionally verify Cert-manager installation 
 ```cmd
-kubectl get pods --namespace cert-manager
+kubectl get pods -n cert-manager
 ```
 
-> You might need to download the Let's encrypt TLS root certificate used in this URL https://acme-v02.api.letsencrypt.org/directory and add it to the trusted root certificate authority on the machine.
-
-Add your email in the `k8s-letsencrypt-issuer.yaml` file. Optionally select to use stating or production in the `k8s-letsencrypt-issuer.yaml` and `k8s-foxids-ingress-deployment.yaml` files, default configured for production.
-
-> Consider to start with Let's Encrypt in staging to avoid hitting the Let's Encrypt production rate limit (staging certificates is not trusted by the browser).  
+Add your email in the `k8s-letsencrypt-issuer.yaml` (two places) file.
 
 Configure Let's Encrypt
 ```cmd
-kubectl apply -f k8s-letsencrypt-issuer.yaml
+kubectl apply -f k8s-letsencrypt-issuer.yaml -n foxids
 ```
 
 The `k8s-foxids-ingress-deployment.yaml` file is configured with the domains:
 
 - The FoxIDs site domain `id.itfoxtec.com` (two places in the file) is change to your domain - `id.my-domain.com`
-- The FoxIDs Control site domain `control.itfoxtec.com` is change to your domain - `control.my-domain.com`
+- The FoxIDs Control site domain `control.itfoxtec.com` (two places in the file) is change to your domain - `control.my-domain.com`
+
+> Consider to start with Let's Encrypt in staging to avoid hitting the Let's Encrypt production rate limit (staging certificates is not trusted by the browser).  
+> Optionally select to use stating or production in the `k8s-foxids-ingress-deployment.yaml` file, default configured for production.
 
 Add ingress with certificate bound domains
 ```cmd
-kubectl apply -f k8s-foxids-ingress-deployment.yaml
+kubectl apply -f k8s-foxids-ingress-deployment.yaml -n foxids
+```
+
+Optionally verify Ingress
+```cmd
+kubectl get ingress -n foxids
 ```
 
 Optionally verify certificate issuer
 ```cmd
-kubectl describe ClusterIssuer letsencrypt-production
+kubectl describe ClusterIssuer letsencrypt-production -n foxids
 #staging 
-# kubectl describe ClusterIssuer letsencrypt-staging
+# kubectl describe ClusterIssuer letsencrypt-staging -n foxids
 ```
 
 Optionally check if the certificate is ready (READY should be True)
 ```cmd
-kubectl get certificate
+kubectl get certificate -n foxids
 ```
 
 And optionally verify the certificate
 ```cmd
-kubectl describe certificate letsencrypt-production
+kubectl describe certificate letsencrypt-production -n foxids
 #staging 
-# kubectl describe certificate letsencrypt-staging
+# kubectl describe certificate letsencrypt-staging -n foxids
 ```
 
 ## First login
@@ -231,7 +257,7 @@ This section lists some deployment and security considerations.
 It is recommended to use a [Kubernetes Service Mesh](https://www.toptal.com/kubernetes/service-mesh-comparison) to achieve a zero-trust architecture. Where the internal traffic is secured with mutual TLS (mTLS) and encryption.
 
 **Namespace**  
-Consider encapsulating the resources with a namespace. The following commands are used to apply a namespace.
+This guide generally uses the namespace `foxids`, consider changing the namespace to suit your kubernetes environment.
 
 Create namespace
 ```cmd