From 6533a87e7e1210a5a887499e46fe112b219c33fd Mon Sep 17 00:00:00 2001 From: Anders Revsgaard Date: Fri, 26 Jul 2024 14:00:16 +0200 Subject: [PATCH 1/6] update docker/ versions --- .github/workflows/ci_test_docker.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci_test_docker.yaml b/.github/workflows/ci_test_docker.yaml index 8e68e907e..5e056697e 100644 --- a/.github/workflows/ci_test_docker.yaml +++ b/.github/workflows/ci_test_docker.yaml @@ -20,7 +20,7 @@ jobs: - name: Docker meta id: meta-f - uses: docker/metadata-action@v5 + uses: docker/metadata-action@v5.5.1 with: images: ${{ secrets.DOCKERHUB_ORG }}/foxids tags: | @@ -28,23 +28,23 @@ jobs: - name: Docker meta id: meta-fc - uses: docker/metadata-action@v5 + uses: docker/metadata-action@v5.5.1 with: images: ${{ secrets.DOCKERHUB_ORG }}/foxids-control tags: | type=raw,value=latest-test,enable=true - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@v3.3 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@v3.5 - name: Build and push FoxIDs - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6.5 with: context: . file: ./src/FoxIDs/Dockerfile @@ -54,7 +54,7 @@ jobs: labels: ${{ steps.meta-f.outputs.labels }} - name: Build and push FoxIDs.Control - uses: docker/build-push-action@v5 + uses: docker/build-push-action@v6.5 with: context: . file: ./src/FoxIDs.Control/Dockerfile From 789d9ba39594e41d439f0ff967775b51db23e64e Mon Sep 17 00:00:00 2001 From: Anders Revsgaard Date: Fri, 26 Jul 2024 14:03:53 +0200 Subject: [PATCH 2/6] docker/ add full versionS --- .github/workflows/ci_test_docker.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.github/workflows/ci_test_docker.yaml b/.github/workflows/ci_test_docker.yaml index 5e056697e..e0139488a 100644 
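Review bot: The new ref on the `uses: docker/metadata-action@v5.5.1` line (and the `login-action`, `setup-buildx-action` and `build-push-action` refs in the next two hunks, plus the `.0` bumps in the following patch) still resolves a git tag, which the action's maintainers can move, so the pin narrows the version but does not make the checked-out action immutable. Since this workflow holds `DOCKERHUB_TOKEN` and pushes the published `foxids` images, pin each action to the full commit SHA of the release and keep the version as a trailing comment, e.g. `uses: docker/metadata-action@<commit-sha-of-v5.5.1> # v5.5.1`, which Dependabot and Renovate still understand. The same form applies to every `uses:` line touched in patches 1 and 2.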
--- a/.github/workflows/ci_test_docker.yaml +++ b/.github/workflows/ci_test_docker.yaml @@ -35,16 +35,16 @@ jobs: type=raw,value=latest-test,enable=true - name: Login to Docker Hub - uses: docker/login-action@v3.3 + uses: docker/login-action@v3.3.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3.5 + uses: docker/setup-buildx-action@v3.5.0 - name: Build and push FoxIDs - uses: docker/build-push-action@v6.5 + uses: docker/build-push-action@v6.5.0 with: context: . file: ./src/FoxIDs/Dockerfile @@ -54,7 +54,7 @@ jobs: labels: ${{ steps.meta-f.outputs.labels }} - name: Build and push FoxIDs.Control - uses: docker/build-push-action@v6.5 + uses: docker/build-push-action@v6.5.0 with: context: . file: ./src/FoxIDs.Control/Dockerfile From aca1e6e00fc09e5a2c3c6edaf565721a118cb0c6 Mon Sep 17 00:00:00 2001 From: Anders Revsgaard Date: Fri, 26 Jul 2024 14:12:04 +0200 Subject: [PATCH 3/6] docker add provenance: false --- .github/workflows/ci_test_docker.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci_test_docker.yaml b/.github/workflows/ci_test_docker.yaml index e0139488a..2e5d477ce 100644 --- a/.github/workflows/ci_test_docker.yaml +++ b/.github/workflows/ci_test_docker.yaml @@ -50,6 +50,7 @@ jobs: file: ./src/FoxIDs/Dockerfile platforms: linux/amd64 push: true + provenance: false tags: ${{ steps.meta-f.outputs.tags }} labels: ${{ steps.meta-f.outputs.labels }} - @@ -60,6 +61,7 @@ jobs: file: ./src/FoxIDs.Control/Dockerfile platforms: linux/amd64 push: true + provenance: false tags: ${{ steps.meta-fc.outputs.tags }} labels: ${{ steps.meta-fc.outputs.labels }} From c4e6a1de89493ce89bcd3ff6f079f64ae722064f Mon Sep 17 00:00:00 2001 
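Review bot: `provenance: false` on the FoxIDs build step (and the identical line on the FoxIDs.Control step in the second hunk of this patch) switches off the BuildKit provenance attestation that build-push-action v6 otherwise attaches to pushed images, so consumers of `foxids/foxids` and `foxids/foxids-control` lose the verifiable record of how the image was built, and the commit gives no reason. If this is a workaround for a registry or client that cannot handle the attestation manifest, record that next to the setting, e.g. `provenance: false  # <reason>: attestation manifests are rejected by <consumer>`, so the setting is revisited rather than copied into the next workflow. If the intent is only to avoid the multi-platform index layout, a less blunt option is worth evaluating before dropping attestation entirely.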
From: Anders Revsgaard Date: Fri, 2 Aug 2024 23:13:40 +0200 Subject: [PATCH 4/6] k8s update --- Kubernetes/k8s-foxids-deployment.yaml | 34 ++++----- Kubernetes/k8s-foxids-ingress-deployment.yaml | 22 +++--- Kubernetes/k8s-letsencrypt-issuer.yaml | 36 +++++---- docs/deployment-k8s.md | 73 ++++++++++++------- 4 files changed, 93 insertions(+), 72 deletions(-) diff --git a/Kubernetes/k8s-foxids-deployment.yaml b/Kubernetes/k8s-foxids-deployment.yaml index a901cb038..5a03b46e8 100644 --- a/Kubernetes/k8s-foxids-deployment.yaml +++ b/Kubernetes/k8s-foxids-deployment.yaml @@ -5,7 +5,7 @@ metadata: labels: app: foxids spec: - replicas: 1 + replicas: 2 selector: matchLabels: app: foxids @@ -18,10 +18,10 @@ spec: - name: foxids image: foxids/foxids:latest ports: - - containerPort: 80 + - containerPort: 8800 env: - name: "ASPNETCORE_URLS" - value: "http://+" + value: "http://+:8800" - name: "Settings__UseHttp" value: "true" - name: "Settings__TrustProxyHeaders" @@ -68,7 +68,7 @@ metadata: labels: app: foxids-control spec: - replicas: 1 + replicas: 2 selector: matchLabels: app: foxids-control @@ -81,10 +81,10 @@ spec: - name: foxids-control image: foxids/foxids-control:latest ports: - - containerPort: 80 + - containerPort: 8800 env: - name: "ASPNETCORE_URLS" - value: "http://+" + value: "http://+:8800" - name: "Settings__UseHttp" value: "true" - name: "Settings__TrustProxySchemeHeader" @@ -135,25 +135,23 @@ kind: Service metadata: name: foxids spec: - selector: - app: foxids - type: LoadBalancer ports: - - name: http + - port: 8800 + targetPort: 8800 protocol: TCP - port: 8800 - targetPort: 80 + type: ClusterIP + selector: + app: foxids --- apiVersion: v1 kind: Service metadata: name: foxids-control spec: - selector: - app: foxids-control - type: LoadBalancer ports: - - name: http + - port: 8800 + targetPort: 8800 protocol: TCP - port: 8801 - targetPort: 80 \ No newline at end of file + type: ClusterIP + selector: + app: foxids-control \ No newline at end of file 
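Review bot: After this hunk the listening port must agree in three places — `containerPort: 8800`, `ASPNETCORE_URLS` set to `"http://+:8800"`, and the Service's `port`/`targetPort: 8800` in the fifth hunk — and the rewritten Service dropped the `name: http` entry, so nothing ties them together. Give the container port a name, `- name: http` followed by `containerPort: 8800`, and have the Service use `targetPort: http`, so a future port change is a single edit in the Deployment; the foxids-control Deployment and Service in the later hunks have the same duplication. Moving from 80 to 8800 also removes the only reason the process needed a privileged port; if the pod template does not already set `securityContext.runAsNonRoot: true` (not visible in this hunk), this is the natural point to add it. Both rewritten Service documents still end with `\ No newline at end of file`.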
diff --git a/Kubernetes/k8s-foxids-ingress-deployment.yaml b/Kubernetes/k8s-foxids-ingress-deployment.yaml index 9e7d8050c..cc6ee18be 100644 --- a/Kubernetes/k8s-foxids-ingress-deployment.yaml +++ b/Kubernetes/k8s-foxids-ingress-deployment.yaml @@ -3,12 +3,16 @@ kind: Ingress metadata: name: foxids-ingress-http annotations: - #production - cert-manager.io/cluster-issuer: letsencrypt-production - #staging - # cert-manager.io/cluster-issuer: letsencrypt-staging + cert-manager.io/cluster-issuer: "letsencrypt-production" #production + #cert-manager.io/cluster-issuer: "letsencrypt-staging" #staging spec: ingressClassName: nginx + tls: + - hosts: + - id.itfoxtec.com # change to your domain - id.my-domain.com + - control.itfoxtec.com # change to your domain - control.my-domain.com + secretName: letsencrypt-production-tls #production + #secretName: letsencrypt-staging-tls #staging rules: - host: id.itfoxtec.com # change to your domain - id.my-domain.com http: @@ -29,12 +33,4 @@ spec: service: name: foxids-control port: - number: 8801 - tls: - - hosts: - - id.itfoxtec.com # change to your domain - id.my-domain.com - - control.itfoxtec.com # change to your domain - control.my-domain.com - #production - secretName: letsencrypt-production - #staging - # secretName: letsencrypt-staging \ No newline at end of file + number: 8800 \ No newline at end of file diff --git a/Kubernetes/k8s-letsencrypt-issuer.yaml b/Kubernetes/k8s-letsencrypt-issuer.yaml index d902fc0d7..c740c1a3d 100644 --- a/Kubernetes/k8s-letsencrypt-issuer.yaml +++ b/Kubernetes/k8s-letsencrypt-issuer.yaml 
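Review bot: The TLS block now names the secret `letsencrypt-production-tls`, which is sensible (it no longer collides with the issuer's `privateKeySecretRef` name), but cert-manager's ingress-shim names the Certificate it creates after `secretName`, so the verification commands added to `docs/deployment-k8s.md` in this same patch (`kubectl describe certificate letsencrypt-production -n foxids` and its staging variant) appear to reference a Certificate that will no longer exist — they should presumably read `letsencrypt-production-tls` / `letsencrypt-staging-tls`; confirm against the cert-manager version used. Separately, the `#production` / `#staging` markers on the annotation and `secretName` lines are trailing comments with no space after `#`, which yamllint's `comments` rule flags; write them as `# production` / `# staging` with two spaces before the `#`, or as one leading comment above each pair.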
@@ -1,22 +1,28 @@ apiVersion: cert-manager.io/v1 kind: ClusterIssuer -metadata: - #production - name: letsencrypt-production - #staging - # name: letsencrypt-staging +metadata: + name: letsencrypt-staging spec: - acme: - #production - server: https://acme-v02.api.letsencrypt.org/directory - #staging - # server: https://acme-staging-v02.api.letsencrypt.org/directory + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory email: support@my-domain.com # change to your email - privateKeySecretRef: - #production - name: letsencrypt-production - #staging - # name: letsencrypt-staging + privateKeySecretRef: + name: letsencrypt-staging + solvers: + - http01: + ingress: + class: nginx +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: support@my-domain.com # change to your email + privateKeySecretRef: + name: letsencrypt-production solvers: - http01: ingress: diff --git a/docs/deployment-k8s.md b/docs/deployment-k8s.md index d24362845..449cadd7b 100644 --- a/docs/deployment-k8s.md +++ b/docs/deployment-k8s.md @@ -7,6 +7,9 @@ This is a description of how to make a default [deployment](#deployment), [log i Pre requirements: - You have a Kubernetes cluster or Docker Desktop with Kubernetes enabled. - You have basic knowledge about Kubernetes. +- You have `kubectl` installer on your workstation. +- You have [Helm](https://docs.helm.sh/) installer on your workstation and your cluster. + Install Helm on windows with this CMD command `winget install Helm.Helm` > This is a list of [useful commands](#useful-commands) in the end of this description. 
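Review bot: The staging document added here ends with `solvers: - http01: ingress: class: nginx`, and `class` is the legacy field; recent cert-manager releases deprecate it in favour of `ingressClassName: nginx`, so new documents should use that form — confirm against the chart version the guide installs. The `email: support@my-domain.com # change to your email` placeholder now has to be edited in both documents and nothing enforces that they match; a short header comment such as `# Two issuers: staging (rate-limit-free, untrusted certs) and production. Set the same email in both.` would make the expectation visible in the file rather than only in the docs. Anchors cannot be used to share the value, because `---` resets them.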
@@ -69,6 +72,14 @@ Create `persistent volume claim` for Redis kubectl apply -f k8s-redis-pvc-dynamic.yaml ``` +### Namespace +This guide generally uses the namespace `foxids`, consider changing the namespace to suit your kubernetes environment. + +Create namespace +```cmd +kubectl create namespace foxids +``` + ### MongoDB Change the username and password for MongoDB in `k8s-mongo-secret.yaml`. The username and password is base64 encoded. @@ -86,30 +97,30 @@ echo -n "the text" | base64 Add the MongoDB secret ```cmd -kubectl apply -f k8s-mongo-secret.yaml +kubectl apply -f k8s-mongo-secret.yaml -n foxids ``` Create MongoDB *Optionally expose MongoDB on port 27017 by uncomment the `LoadBalancer`* ```cmd -kubectl apply -f k8s-mongo-deployment.yaml +kubectl apply -f k8s-mongo-deployment.yaml -n foxids ``` Add a `ConfigMap` for the MongoDB service ```cmd -kubectl apply -f k8s-mongo-configmap.yaml +kubectl apply -f k8s-mongo-configmap.yaml -n foxids ``` ### Redis Create Redis ```cmd -kubectl apply -f k8s-redis-deployment.yaml +kubectl apply -f k8s-redis-deployment.yaml -n foxids ``` Add a `ConfigMap` for the Redis service ```cmd -kubectl apply -f k8s-redis-configmap.yaml +kubectl apply -f k8s-redis-configmap.yaml -n foxids ``` ### FoxIDs websites 
@@ -143,70 +154,80 @@ This example show how to add Outlook / Microsoft 365 with SMTP: **Deploy** Create the two FoxIDs websites ```cmd -kubectl apply -f k8s-foxids-deployment.yaml +kubectl apply -f k8s-foxids-deployment.yaml -n foxids ``` The configuration require a Nginx controller. You can optionally change the configuration to use another controller. -Install Ingress-Nginx controller +Install Ingress-Nginx controller with two commands ```cmd -kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.10.1/deploy/static/provider/cloud/deploy.yaml +helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx --force-update +helm -n ingress-nginx install ingress-nginx ingress-nginx/ingress-nginx --create-namespace ``` Optionally verify Ingress-Nginx installation ```cmd -kubectl -n ingress-nginx get pod +kubectl get pod -n ingress-nginx +``` +If you try again in a few minutes you should get an EXTERNAL-IP +```cmd +kubectl get svc -n ingress-nginx ingress-nginx-controller ``` > DNS records to the two domains need to point to the installations IP address to enable the Let's Encrypt online validation. > The firewall needs to accept requests on port 80 and 443. Let's encrypt validates the domain ownership on port 80. -Install Cert-manager +Install Cert-manager with two commands ```cmd -kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml +helm repo add jetstack https://charts.jetstack.io --force-update +helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --set crds.enabled=true ``` Optionally verify Cert-manager installation ```cmd -kubectl get pods --namespace cert-manager +kubectl get pods -n cert-manager ``` -> You might need to download the Let's encrypt TLS root certificate used in this URL https://acme-v02.api.letsencrypt.org/directory and add it to the trusted root certificate authority on the machine. 
- -Add your email in the `k8s-letsencrypt-issuer.yaml` file. Optionally select to use stating or production in the `k8s-letsencrypt-issuer.yaml` and `k8s-foxids-ingress-deployment.yaml` files, default configured for production. - -> Consider to start with Let's Encrypt in staging to avoid hitting the Let's Encrypt production rate limit (staging certificates is not trusted by the browser). +Add your email in the `k8s-letsencrypt-issuer.yaml` (two places) file. Configure Let's Encrypt ```cmd -kubectl apply -f k8s-letsencrypt-issuer.yaml +kubectl apply -f k8s-letsencrypt-issuer.yaml -n foxids ``` The `k8s-foxids-ingress-deployment.yaml` file is configured with the domains: - The FoxIDs site domain `id.itfoxtec.com` (two places in the file) is change to your domain - `id.my-domain.com` -- The FoxIDs Control site domain `control.itfoxtec.com` is change to your domain - `control.my-domain.com` +- The FoxIDs Control site domain `control.itfoxtec.com` (two places in the file) is change to your domain - `control.my-domain.com` + +> Consider to start with Let's Encrypt in staging to avoid hitting the Let's Encrypt production rate limit (staging certificates is not trusted by the browser). +> Optionally select to use stating or production in the `k8s-foxids-ingress-deployment.yaml` file, default configured for production. 
Add ingress with certificate bound domains ```cmd -kubectl apply -f k8s-foxids-ingress-deployment.yaml +kubectl apply -f k8s-foxids-ingress-deployment.yaml -n foxids +``` + +Optionally verify Ingress +```cmd +kubectl get ingress -n foxids ``` Optionally verify certificate issuer ```cmd -kubectl describe ClusterIssuer letsencrypt-production +kubectl describe ClusterIssuer letsencrypt-production -n foxids #staging -# kubectl describe ClusterIssuer letsencrypt-staging +# kubectl describe ClusterIssuer letsencrypt-staging -n foxids ``` Optionally check if the certificate is ready (READY should be True) ```cmd -kubectl get certificate +kubectl get certificate -n foxids ``` And optionally verify the certificate ```cmd -kubectl describe certificate letsencrypt-production +kubectl describe certificate letsencrypt-production -n foxids #staging -# kubectl describe certificate letsencrypt-staging +# kubectl describe certificate letsencrypt-staging -n foxids ``` ## First login @@ -231,7 +252,7 @@ This section lists some deployment and security considerations. It is recommended to use a [Kubernetes Service Mesh](https://www.toptal.com/kubernetes/service-mesh-comparison) to achieve a zero-trust architecture. Where the internal traffic is secured with mutual TLS (mTLS) and encryption. **Namespace** -Consider encapsulating the resources with a namespace. The following commands are used to apply a namespace. +This guide generally uses the namespace `foxids`, consider changing the namespace to suit your kubernetes environment. Create namespace ```cmd From 1dccc9ca5f1123b08dfda4f2cc80988fa64f1ca0 Mon Sep 17 00:00:00 2001 From: Anders Revsgaard Date: Fri, 2 Aug 2024 23:41:04 +0200 Subject: [PATCH 5/6] k8s scale --- docs/deployment-k8s.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/docs/deployment-k8s.md b/docs/deployment-k8s.md index 449cadd7b..62e122c09 100644 --- a/docs/deployment-k8s.md +++ b/docs/deployment-k8s.md 
@@ -176,6 +176,11 @@ kubectl get svc -n ingress-nginx ingress-nginx-controller > DNS records to the two domains need to point to the installations IP address to enable the Let's Encrypt online validation. > The firewall needs to accept requests on port 80 and 443. Let's encrypt validates the domain ownership on port 80. +Optionally scale the Ingress-Nginx controller +```cmd +kubectl scale deployment ingress-nginx-controller -n ingress-nginx --replicas=2 +``` + Install Cert-manager with two commands ```cmd helm repo add jetstack https://charts.jetstack.io --force-update From ec34435ae13e3e46d7a8532a336412961e7ee957 Mon Sep 17 00:00:00 2001 From: Anders Revsgaard Date: Sat, 3 Aug 2024 20:28:03 +0200 Subject: [PATCH 6/6] k8s cert issuer --- Kubernetes/k8s-foxids-ingress-deployment.yaml | 4 ++-- Kubernetes/k8s-letsencrypt-issuer.yaml | 4 ++-- src/FoxIDs.Control/FoxIDs.Control.csproj | 2 +- src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj | 2 +- src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj | 2 +- src/FoxIDs.Shared/FoxIDs.Shared.csproj | 2 +- src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj | 2 +- src/FoxIDs/FoxIDs.csproj | 2 +- 8 files changed, 10 insertions(+), 10 deletions(-) diff --git a/Kubernetes/k8s-foxids-ingress-deployment.yaml b/Kubernetes/k8s-foxids-ingress-deployment.yaml index cc6ee18be..d6a4dd231 100644 --- a/Kubernetes/k8s-foxids-ingress-deployment.yaml +++ b/Kubernetes/k8s-foxids-ingress-deployment.yaml @@ -3,8 +3,8 @@ kind: Ingress metadata: name: foxids-ingress-http annotations: - cert-manager.io/cluster-issuer: "letsencrypt-production" #production - #cert-manager.io/cluster-issuer: "letsencrypt-staging" #staging + cert-manager.io/issuer: "letsencrypt-production" #production + #cert-manager.io/issuer: "letsencrypt-staging" #staging spec: ingressClassName: nginx tls: diff --git a/Kubernetes/k8s-letsencrypt-issuer.yaml b/Kubernetes/k8s-letsencrypt-issuer.yaml index c740c1a3d..6915bb63c 100644 --- a/Kubernetes/k8s-letsencrypt-issuer.yaml 
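Review bot: `cert-manager.io/issuer: "letsencrypt-production"` is resolved against an `Issuer` in the Ingress's own namespace, so the issuer manifest and this Ingress must be applied into the same namespace; the guide's `-n foxids` on both apply commands satisfies that, but the dependency is now silent and deserves a comment on the line, e.g. `# Issuer is namespaced: apply k8s-letsencrypt-issuer.yaml into the same namespace as this Ingress`. The verification commands added to the docs two patches earlier (`kubectl describe ClusterIssuer letsencrypt-production -n foxids` and the staging variant) still name `ClusterIssuer` and are not touched by this commit, so they will no longer find the resource; they should read `kubectl describe Issuer letsencrypt-production -n foxids`.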
+++ b/Kubernetes/k8s-letsencrypt-issuer.yaml @@ -1,5 +1,5 @@ apiVersion: cert-manager.io/v1 -kind: ClusterIssuer +kind: Issuer metadata: name: letsencrypt-staging spec: @@ -14,7 +14,7 @@ spec: class: nginx --- apiVersion: cert-manager.io/v1 -kind: ClusterIssuer +kind: Issuer metadata: name: letsencrypt-production spec: diff --git a/src/FoxIDs.Control/FoxIDs.Control.csproj b/src/FoxIDs.Control/FoxIDs.Control.csproj index e3360a02f..c49783f6c 100644 --- a/src/FoxIDs.Control/FoxIDs.Control.csproj +++ b/src/FoxIDs.Control/FoxIDs.Control.csproj @@ -2,7 +2,7 @@ net8.0 - 1.7.2 + 1.7.3 FoxIDs Anders Revsgaard ITfoxtec diff --git a/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj b/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj index c3618e236..a65ab07d9 100644 --- a/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj +++ b/src/FoxIDs.ControlClient/FoxIDs.ControlClient.csproj @@ -2,7 +2,7 @@ net8.0 - 1.7.2 + 1.7.3 FoxIDs.Client Anders Revsgaard ITfoxtec diff --git a/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj b/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj index 5dce1ae6f..9275f6327 100644 --- a/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj +++ b/src/FoxIDs.ControlShared/FoxIDs.ControlShared.csproj @@ -2,7 +2,7 @@ net8.0 - 1.7.2 + 1.7.3 FoxIDs Anders Revsgaard ITfoxtec diff --git a/src/FoxIDs.Shared/FoxIDs.Shared.csproj b/src/FoxIDs.Shared/FoxIDs.Shared.csproj index 4b290366b..5b482e32f 100644 --- a/src/FoxIDs.Shared/FoxIDs.Shared.csproj +++ b/src/FoxIDs.Shared/FoxIDs.Shared.csproj @@ -2,7 +2,7 @@ net8.0 - 1.7.2 + 1.7.3 FoxIDs Anders Revsgaard ITfoxtec diff --git a/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj b/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj index 230f73084..b06b7538b 100644 --- a/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj +++ b/src/FoxIDs.SharedBase/FoxIDs.SharedBase.csproj @@ -2,7 +2,7 @@ net8.0 - 1.7.2 + 1.7.3 FoxIDs Anders Revsgaard ITfoxtec 
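Review bot: Changing `kind: ClusterIssuer` to `kind: Issuer` makes the resource namespaced, but neither document gains a `metadata.namespace`, so where the ACME account key in `privateKeySecretRef` ends up and whether the Ingress annotation can find the issuer depends entirely on the `-n` flag at apply time. Add it explicitly under `metadata:` in both documents (the second hunk has the same gap), e.g. `namespace: foxids  # must match the namespace of the Ingress that references this issuer`, so a bare `kubectl apply -f` cannot silently create the issuer in `default`. A comment noting that the namespaced kind also means the ACME account key secret now lives in the application namespace, not in `cert-manager`, would help whoever audits secret access later.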
diff --git a/src/FoxIDs/FoxIDs.csproj b/src/FoxIDs/FoxIDs.csproj index fc343c279..5bec9d62b 100644 --- a/src/FoxIDs/FoxIDs.csproj +++ b/src/FoxIDs/FoxIDs.csproj @@ -1,7 +1,7 @@  net8.0 - 1.7.2 + 1.7.3 FoxIDs Anders Revsgaard ITfoxtec