refactor: add service account
saladgg committed Jan 25, 2024
1 parent b1aa91d commit cbb3d61
Showing 15 changed files with 173 additions and 48 deletions.
55 changes: 19 additions & 36 deletions cloudbuild.yaml
Expand Up @@ -82,61 +82,42 @@ steps:
args:
- cluster-info

# Show kubernetes manifest with values substituted
- id: "show kubernetes manifest"
# Update essential Variables and Deploy to cluster
- id: "update essential variables and start deployment to cluster"
dir: "deploy"
name: "gcr.io/$PROJECT_ID/helm:3.7.0"
env:
- KUBECONFIG=/workspace/.kube/config
args:
- template
- upgrade
- --install
- ${_APP_NAME}-${_DEPLOYMENT_TYPE}
- --create-namespace
- --namespace=${_NAMESPACE}
- --atomic
- --debug
- --values
- values.yaml
- --set
- namespace=${_NAMESPACE}
- --set
- django.image.repository=${_IMAGE_NAME}
- common.project_id=$PROJECT_ID
- --set
- django.image.tag=$COMMIT_SHA
- common.cluster_name=${_GKE_CLUSTER}
- --set
- ingress.networking.domain=${_DOMAIN_NAME}
- common.compute_zone=${_GKE_COMPUTE_ZONE}
- --set
- ingress.networking.issuer.name=${_LETSENCRYPT_SERVER_TYPE}
- common.cluster_namespace=${_NAMESPACE}
- --set
- ingress.networking.static_ip_name=${_STATIC_IP_NAME}
- --set
- pg_bouncer.env.db_name=${_PG_NAME}
- --set
- pg_bouncer.env.db_user=${_PG_USER}
- --set
- pg_bouncer.env.db_password=${_PG_PASSWORD}
- django.image.repository=${_IMAGE_NAME}
- --set
- cloud_sql.env.cloudsql_connection_instance=${_CLOUDSQL_INSTANCE_CONNECTION_NAME}
- django.image.tag=$COMMIT_SHA
- --set
- django.configmap.config_name=${_CONFIGMAP_FILE}
- .

# Update essential Variables and Deploy to cluster
- id: "update essential variables and start deployment to cluster"
dir: "deploy"
name: "gcr.io/$PROJECT_ID/helm:3.7.0"
env:
- KUBECONFIG=/workspace/.kube/config
args:
- upgrade
- --install
- ${_APP_NAME}-${_DEPLOYMENT_TYPE}
- --namespace=${_NAMESPACE}
- --values
- values.yaml
- secret_manager.file_name=${_SETTINGS_NAME}
- --set
- namespace=${_NAMESPACE}
- django.env.django_settings_module=${_K8TS_DJANGO_SETTINGS_MODULE}
- --set
- django.image.repository=${_IMAGE_NAME}
- django.env.postgres_host=${_K8TS_PG_HOST}
- --set
- django.image.tag=$COMMIT_SHA
- django.env.postgres_port=${_K8TS_PG_PORT}
- --set
- ingress.networking.domain=${_DOMAIN_NAME}
- --set
Expand All @@ -153,6 +134,8 @@ steps:
- cloud_sql.env.cloudsql_connection_instance=${_CLOUDSQL_INSTANCE_CONNECTION_NAME}
- --set
- django.configmap.config_name=${_CONFIGMAP_FILE}
- --set
- common.service_account_key=${_IAM_SERVICE_ACCOUNT_KEY}
- .

images:
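Review bot: The new `--set common.service_account_key=${_IAM_SERVICE_ACCOUNT_KEY}` (L100) hands a service-account key to the same `helm upgrade` step that now also passes `--debug` (L36), and Helm's debug output is expected to include the user-supplied and computed values, so the key — together with `pg_bouncer.env.db_password`, which already travels the same way — would land in the Cloud Build log. Prefer dropping `--debug` from this step, or supplying the key through `--set-file`/a values file that is not echoed, and consider Workload Identity so no key has to be shipped at all. `--set` also splits values on `,`; base64 contains none, but `--set-string` is the safer form for opaque blobs. The step's `args` list runs past the visible hunk (`Expand All` at L95).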
7 changes: 7 additions & 0 deletions deploy/README.md
@@ -0,0 +1,7 @@
### Introduction
**TODO:**
- pre-requisites
- Env vars that must be overriden
- ...manifest files are executed `lexicographically` hence the naming
in the order of dependencies.
- avoid special characters in pwd
Empty file removed deploy/ReadMe.md
Empty file.
9 changes: 9 additions & 0 deletions deploy/templates/01_common/01_service_account.yaml
@@ -0,0 +1,9 @@
apiVersion: v1
kind: Secret
metadata:
name: {{ .Values.common.service_account_name }}
namespace: {{ .Values.common.cluster_namespace }}
type: Opaque
data:
# base64 -w 0 /path/to/sa_key.json
service_account.json: {{ .Values.common.service_account_key }}
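Review bot: `service_account.json: {{ .Values.common.service_account_key }}` renders unquoted, so an unset or empty value produces `service_account.json:` (YAML null) and the apply fails with a decode error on the Secret rather than pointing at the missing value; `{{ required "common.service_account_key must be set" .Values.common.service_account_key | quote }}` fails the render with a clear message instead. A Secret populated from Helm values also stays readable through `helm get values` and the release history, not only via the Secret object itself — a comment above `data:` stating that the value is a credential supplied by CI and never committed in a values file would make that contract explicit. The `base64 -w 0` hint is useful; add that the value must be encoded exactly once, since Helm does not re-encode `data:`.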
Expand Up @@ -2,6 +2,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Values.pg_bouncer.app_name }}-user-config
namespace: {{ .Values.common.cluster_namespace }}
data:
# echo -n '"user" "pa$$worLd"' | base64
userlist.txt: |
Expand Up @@ -2,6 +2,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Values.pg_bouncer.app_name }}-db-config
namespace: {{ .Values.common.cluster_namespace }}
data:
POSTGRESQL_DB: {{ .Values.pg_bouncer.env.db_name }}
POSTGRESQL_USERNAME: {{ .Values.pg_bouncer.env.db_user }}
Expand Up @@ -2,6 +2,7 @@ apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Values.pg_bouncer.app_name }}-pgb-config
namespace: {{ .Values.common.cluster_namespace }}
data:
pgbouncer.ini: |
[databases]
Expand Up @@ -2,7 +2,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.pg_bouncer.app_name }}
namespace: {{ .Values.namespace }}
namespace: {{ .Values.common.cluster_namespace }}
spec:
replicas: {{ .Values.pg_bouncer.replica_count }}
selector:
Expand Down Expand Up @@ -34,12 +34,12 @@ spec:
- "--structured-logs"
- "--port=5432"
- "{{ .Values.cloud_sql.env.cloudsql_connection_instance }}"
- "--credentials-file=/secrets/service_account_secrets/service_account.json"
- "--credentials-file=/secrets/{{ .Values.common.service_account_name }}/service_account.json"
securityContext:
runAsNonRoot: true
volumeMounts:
- name: sa-secret-vol
mountPath: /secrets/service_account_secrets
mountPath: "/secrets/{{ .Values.common.service_account_name }}"
readOnly: true
volumes:
- name: user-config
Expand All @@ -52,4 +52,4 @@ spec:

- name: sa-secret-vol
secret:
secretName: {{ .Values.namespace }}-sa-secrets
secretName: {{ .Values.common.service_account_name }}
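Review bot: The credentials path is assembled twice from `common.service_account_name` — `--credentials-file=/secrets/{{ .Values.common.service_account_name }}/service_account.json` (L174) and `mountPath: "/secrets/{{ .Values.common.service_account_name }}"` (L180) — with the `service_account.json` key name hard-coded here and defined separately in the Secret template, so a rename of either drifts silently and the proxy only fails at start. A single value (for example a `common.service_account_mount_path`) or a named template used by the proxy args, this mount and the configmap Job that mounts the same Secret would remove the duplication. The hunk at L169 starts inside the container spec; the rest of the `args` list is outside the visible lines.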
Expand Up @@ -2,7 +2,7 @@ apiVersion: v1
kind: Service
metadata:
name: {{ .Values.pg_bouncer.app_name }}-service
namespace: {{ .Values.namespace }}
namespace: {{ .Values.common.cluster_namespace }}
annotations:
cloud.google.com/load-balancer-type: "Internal"
labels:
103 changes: 103 additions & 0 deletions deploy/templates/03_django/01_confimap_job.yml
@@ -0,0 +1,103 @@
apiVersion: batch/v1
kind: Job
metadata:
name: configmap-creator
namespace: {{ .Values.common.cluster_namespace }}
spec:
ttlSecondsAfterFinished: {{ .Values.cloud_sdk.ttl_after_success }}
template:
metadata:
name: configmap-creator
spec:
restartPolicy: OnFailure
containers:
- name: configmap-creator
image: {{ .Values.cloud_sdk.image.repository }}:{{ .Values.cloud_sdk.image.tag }}
imagePullPolicy: {{ .Values.cloud_sdk.image.pull_policy }}
env:
- name: PROJECT_ID
value: {{ .Values.common.project_id }}
- name: CLUSTER_NAME
value: {{ .Values.common.cluster_name }}
- name: COMPUTE_ZONE
value: {{ .Values.common.compute_zone }}
- name: K8TS_DJANGO_SETTINGS_MODULE
value: {{ .Values.django.env.django_settings_module }}
- name: K8TS_POSTGRES_HOST
value: {{ .Values.django.env.postgres_host }}
- name: K8TS_POSTGRES_PORT
value: {{ .Values.django.env.postgres_port | quote }}
- name: SECRET_MANAGER_FILE_NAME
value: {{ .Values.secret_manager.file_name }}
- name: CONFIGMAP_NAME
value: {{ .Values.django.configmap.config_name }}
- name: SERVICE_ACCOUNT_NAME
value: {{ .Values.common.service_account_name }}
command: ["/bin/sh", "-c"]
args:
- |
set -e
# Step 1: Authenticate with Google Cloud using the provided service account key
gcloud auth activate-service-account --key-file=/secrets/${SERVICE_ACCOUNT_NAME}/service_account.json
# Step 2: Get the credentials for the GKE cluster and set up kubectl configuration.
gcloud container clusters get-credentials ${CLUSTER_NAME} --zone=${COMPUTE_ZONE} --project=$PROJECT_ID
# Step 3: Fetch the latest version of the specified secret from Secret Manager
gcloud secrets versions access latest --secret=${SECRET_MANAGER_FILE_NAME} > /secrets/test_settings.txt
ENV_VARS="/secrets/test_settings.txt"
. "$ENV_VARS"
MY_CONTEXT=$(kubectl config get-contexts)
CONFIG_VIEW=$(kubectl config view)
echo "MY_CONTEXT: $MY_CONTEXT"
echo "CONFIG_VIEW: $CONFIG_VIEW"
echo "Override some variables that was used to create containers at cloudbuild"
kubectl create configmap $CONFIGMAP_NAME \
--from-literal=PORT="$CONTAINER_PORT" \
--from-literal=CONN_MAX_AGE="$CONN_MAX_AGE" \
--from-literal=COMPRESS_ENABLED="$COMPRESS_ENABLED" \
--from-literal=DJANGO_ACCOUNT_ALLOW_REGISTRATION="$DJANGO_ACCOUNT_ALLOW_REGISTRATION" \
--from-literal=DJANGO_ADMIN_URL="$DJANGO_ADMIN_URL" \
--from-literal=DJANGO_ALLOWED_HOSTS="$DJANGO_ALLOWED_HOSTS" \
--from-literal=DJANGO_DEBUG="$DJANGO_DEBUG" \
--from-literal=DJANGO_DEFAULT_FROM_EMAIL="$DJANGO_DEFAULT_FROM_EMAIL" \
--from-literal=DJANGO_EMAIL_SUBJECT_PREFIX="$DJANGO_EMAIL_SUBJECT_PREFIX" \
--from-literal=DJANGO_GCP_STORAGE_BUCKET_NAME="$DJANGO_GCP_STORAGE_BUCKET_NAME" \
--from-literal=DJANGO_READ_DOT_ENV_FILE="$DJANGO_READ_DOT_ENV_FILE" \
--from-literal=DJANGO_SECRET_KEY="$DJANGO_SECRET_KEY" \
--from-literal=DJANGO_SECURE_BROWSER_XSS_FILTER="$DJANGO_SECURE_BROWSER_XSS_FILTER" \
--from-literal=DJANGO_SECURE_CONTENT_TYPE_NOSNIFF="$DJANGO_SECURE_CONTENT_TYPE_NOSNIFF" \
--from-literal=DJANGO_SECURE_HSTS_INCLUDE_SUBDOMAINS="$DJANGO_SECURE_HSTS_INCLUDE_SUBDOMAINS" \
--from-literal=DJANGO_SECURE_FRAME_DENY="$DJANGO_SECURE_FRAME_DENY" \
--from-literal=DJANGO_SECURE_SSL_REDIRECT="$DJANGO_SECURE_SSL_REDIRECT" \
--from-literal=DJANGO_SERVER_EMAIL="$DJANGO_SERVER_EMAIL" \
--from-literal=DJANGO_SESSION_COOKIE_HTTPONLY="$DJANGO_SESSION_COOKIE_HTTPONLY" \
--from-literal=DJANGO_SESSION_COOKIE_SECURE="$DJANGO_SESSION_COOKIE_SECURE" \
--from-literal=DJANGO_SETTINGS_MODULE=${K8TS_DJANGO_SETTINGS_MODULE} \
--from-literal=GOOGLE_ANALYTICS_ID="$GOOGLE_ANALYTICS_ID" \
--from-literal=GOOGLE_APPLICATION_CREDENTIALS_KEY="$GOOGLE_APPLICATION_CREDENTIALS_KEY" \
--from-literal=GOOGLE_CLOUD_PROJECT="$GOOGLE_CLOUD_PROJECT" \
--from-literal=INSTANCE_CONNECTION_NAME="$INSTANCE_CONNECTION_NAME" \
--from-literal=MAILGUN_DOMAIN="$MAILGUN_DOMAIN" \
--from-literal=MAILGUN_API_URL="$MAILGUN_API_URL" \
--from-literal=MAILGUN_API_KEY="$MAILGUN_API_KEY" \
--from-literal=POSTGRES_DB="$POSTGRES_DB" \
--from-literal=POSTGRES_HOST="${K8TS_POSTGRES_HOST}" \
--from-literal=POSTGRES_PORT="${K8TS_POSTGRES_PORT}" \
--from-literal=POSTGRES_PASSWORD="$POSTGRES_PASSWORD" \
--from-literal=POSTGRES_USER="$POSTGRES_USER" \
--from-literal=PUB_SUB_TOPIC="$PUB_SUB_TOPIC" \
--from-literal=SENTRY_DSN="$SENTRY_DSN" \
--from-literal=SENTRY_ENVIRONMENT="$SENTRY_ENVIRONMENT" \
--from-literal=USE_DOCKER="$USE_DOCKER" \
--from-literal=WEB_CONCURRENCY="$WEB_CONCURRENCY" \
--from-literal=WHITELISTED_DOMAINS="$WHITELISTED_DOMAINS"
volumeMounts:
- name: service-account-vol
mountPath: "/secrets/{{ .Values.common.service_account_name }}"
readOnly: true
volumes:
- name: service-account-vol
secret:
secretName: {{ .Values.common.service_account_name }}
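Review bot: `kubectl create configmap $CONFIGMAP_NAME ...` (L256) writes `DJANGO_SECRET_KEY`, `POSTGRES_PASSWORD`, `MAILGUN_API_KEY` and `GOOGLE_APPLICATION_CREDENTIALS_KEY` into a ConfigMap, which is typically outside etcd encryption-at-rest for Secrets and readable by anyone granted `get configmaps` in the namespace; split the sensitive entries into a `kubectl create secret generic` call and keep the ConfigMap for non-sensitive settings. With `set -e` (L242) the plain `create` also fails on a re-run once the object exists, so the Job is not idempotent; `kubectl create configmap "$CONFIGMAP_NAME" ... --dry-run=client -o yaml | kubectl apply -f -` makes it re-runnable. The debug `echo "CONFIG_VIEW: $CONFIG_VIEW"` (L254) prints the kubeconfig to the pod log — `kubectl config view` redacts key material by default, but cluster endpoint and context details still do not belong in logs, so drop both echoes once the Job is verified. The Secret Manager payload is written to `/secrets/test_settings.txt` and then sourced (L250), so it is executed as shell rather than merely read; a comment stating the expected `KEY=value` format and a less test-sounding file name would make that explicit. Finally, `01_confimap_job.yml` has a typo and uses `.yml` while the sibling templates use `.yaml`.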
Expand Up @@ -2,7 +2,7 @@ apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Values.django.app_name }}
namespace: {{ .Values.namespace }}
namespace: {{ .Values.common.cluster_namespace }}
labels:
app: {{ .Values.django.app_name }}
spec:
Expand All @@ -18,7 +18,7 @@ spec:
containers:
- name: {{ .Values.django.app_name }}
image: {{ .Values.django.image.repository }}:{{ .Values.django.image.tag }}
imagePullPolicy: Always
imagePullPolicy: {{ .Values.django.image.pull_policy }}
ports:
- name: http
protocol: TCP
Expand All @@ -28,7 +28,7 @@ spec:
name: {{ .Values.django.configmap.config_name }}
volumeMounts:
- name: env-var-vol
mountPath: /secrets/environment_variables
mountPath: "/secrets/{{ .Values.django.configmap.config_name }}"
readOnly: true

volumes:
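Review bot: `imagePullPolicy: {{ .Values.django.image.pull_policy }}` (L319) replaces a fixed `Always` with a value that does not appear in the visible `values.yaml` hunks (only `cloud_sdk.image.pull_policy` is added there); if `django.image.pull_policy` is not defined in the hidden part of the `django` block, the field renders empty and falls back to the kubelet default, silently changing behaviour from the previous `Always`. `imagePullPolicy: {{ .Values.django.image.pull_policy | default "Always" }}` keeps the old behaviour as the fallback. The mount on L328 places a ConfigMap under `/secrets/...`; if this is the ConfigMap produced by the configmap Job, a `/config/...` directory would describe its contents more honestly, or the sensitive entries should move to a Secret. The Deployment spec continues outside the visible hunks.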
Expand Up @@ -2,7 +2,7 @@ apiVersion: v1
kind: Service
metadata:
name: {{ .Values.django.app_name }}-service
namespace: {{ .Values.namespace }}
namespace: {{ .Values.common.cluster_namespace }}
labels:
app: {{ .Values.django.app_name }}
spec:
Expand Up @@ -2,7 +2,7 @@ apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ .Values.ingress.app_name }}
namespace: {{ .Values.namespace }}
namespace: {{ .Values.common.cluster_namespace }}
annotations:
cert-manager.io/issuer: {{ .Values.ingress.networking.issuer.name }}
konghq.com/protocols: "http,https"
Expand Up @@ -2,7 +2,7 @@ apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ .Values.ingress.networking.issuer.name }}
namespace: {{ .Values.namespace }}
namespace: {{ .Values.common.cluster_namespace }}
spec:
acme:
server: {{ .Values.ingress.networking.issuer.acme.server }}
22 changes: 21 additions & 1 deletion deploy/values.yaml
@@ -1,4 +1,17 @@
namespace: cluster_namespace
common:
project_id: "project-id"
cluster_name: "cluster-name"
compute_zone: "compute-zone"
cluster_namespace: "work-namespace"
service_account_key: "base64_encoded_sa_key"
service_account_name: "iam-service-account-key"

cloud_sdk:
ttl_after_success: 600
image:
repository: gcr.io/google.com/cloudsdktool/cloud-sdk
tag: "459.0.0"
pull_policy: IfNotPresent

django:
app_name: django
Expand All @@ -15,6 +28,10 @@ django:
config_name: "config_name"
secrets:
secrets_name: "secrets_name"
env:
django_settings_module: django_settings_module
postgres_host: postgres_host
postgres_port: postgres_port

cloud_sql:
app_name: cloudsql-proxy
Expand All @@ -41,6 +58,9 @@ pg_bouncer:
db_user: "database_user"
db_password: "database_password"

secret_manager:
file_name: secret_manager_file_name

ingress:
app_name: ingress
networking:
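Review bot: `service_account_key: "base64_encoded_sa_key"` (L375) is a placeholder that is not valid base64 (`_` is outside the standard alphabet), so a render without the CI `--set` override yields a Secret the API server rejects with a decode error far from the cause; an empty default `service_account_key: ""` with the comment `# base64-encoded key, supplied by CI via --set; never commit a real value` fails faster and documents the contract. `service_account_name` (L376) names a Kubernetes Secret and its mount directory rather than an IAM account, so a comment, or a name such as `sa_secret_name`, would avoid confusion with the GCP service account itself. The `django` and `pg_bouncer` sections continue outside the visible hunks.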