issue-14: structure kubernetes

This commit is contained in:
Rudy Masson 2023-06-15 15:38:14 +02:00
parent 6e3f0e7a61
commit 22231f791f
29 changed files with 308 additions and 73 deletions


@ -1,46 +1,10 @@
CI_COMPOSE=FIXUID=$(shell id -u) FIXGID=$(shell id -g) docker-compose -f docker-compose.yml ################################
HYDRA_SQL_SHELL_USER ?= www-data: # Makefile for Cadoles SP
DOCKER_CMD ?= ################################
DOCKER_IMAGE_NAME ?= login-app-sql_hydra-sql
up:
FIXUID=$(shell id -u) FIXGID=$(shell id -g) docker-compose up --build
down: IMAGE_REPO ?= reg.cadoles.com/cadoles
docker-compose down -v IMAGE_VERSION ?= 0.0.1
purge: DAY_SUFFIX_TAG ?= $(shell date +%Y%m%d)
docker-compose down -v --remove-orphans --rmi local
hydra-sql-shell: include main.mk
$(CI_COMPOSE) exec \
-u "$(HYDRA_SQL_SHELL_USER)" \
hydra-sql \
/bin/bash
APP_LOCALES ?= fr,en
HYDRA_ADMIN_BASE_URL ?= http://hydra:4445
TRUSTED_PROXIES ?= 127.0.0.1,REMOTE_ADDR,localhost
ISSUER_URL ?= http://localhost:8000
BASE_URL ?= http://localhost:8080
DB_USER ?= lasql
DB_PASSWORD ?= lasql
DEFAULT_LOCALE ?= fr
BDD ?= postgres
DSN_REMOTE_DATABASE=mysql:host=mariadb;port=3306;dbname=lasql
up-mysql:
docker run \
-it --rm \
-p 8080:80 \
-e APP_LOCALES=$(APP_LOCALES) \
-e HYDRA_ADMIN_BASE_URL=$(HYDRA_ADMIN_BASE_URL) \
-e TRUSTED_PROXIES=$(TRUSTED_PROXIES) \
-e ISSUER_URL=$(ISSUER_URL) \
-e BASE_URL=$(BASE_URL) \
-e DB_USER=$(DB_USER) \
-e DB_PASSWORD=$(DB_PASSWORD) \
-e DEFAULT_LOCALE=$(DEFAULT_LOCALE) \
-e DSN_REMOTE_DATABASE=$(DSN_REMOTE_DATABASE) \
$(DOCKER_IMAGE_NAME):latest \
$(DOCKER_CMD)
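Review bot: `DAY_SUFFIX_TAG ?= $(shell date +%Y%m%d)` keeps the recursive flavour, so the `$(shell date …)` is re-run on every expansion; `release_image` in main.mk expands it once for the `docker tag` and again for the `docker push`, and a release that spans midnight tags one name and pushes another. Freezing it once after the default, `DAY_SUFFIX_TAG := $(DAY_SUFFIX_TAG)`, keeps the command-line override and makes the value stable for the whole run. The side-by-side rendering of this hunk is collapsed, so I am reading the new side from the `?=` and `include main.mk` lines only.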


@ -8,8 +8,8 @@ framework:
# Other options include: # Other options include:
# Redis # Redis
app: cache.adapter.redis # app: cache.adapter.redis
default_redis_provider: '%env(REDIS_URL)%' # default_redis_provider: '%env(REDIS_URL)%'
# APCu (not recommended with heavy random-write workloads as memory fragmentation can cause perf issues) # APCu (not recommended with heavy random-write workloads as memory fragmentation can cause perf issues)
#app: cache.adapter.apcu #app: cache.adapter.apcu


@ -12,7 +12,7 @@ framework:
# Enables session support. Note that the session will ONLY be started if you read or write from it. # Enables session support. Note that the session will ONLY be started if you read or write from it.
# Remove or comment this section to explicitly disable session support. # Remove or comment this section to explicitly disable session support.
session: session:
handler_id: '%env(REDIS_URL)%' handler_id: null
cookie_secure: auto cookie_secure: auto
cookie_samesite: lax cookie_samesite: lax
storage_factory_id: session.storage.factory.native storage_factory_id: session.storage.factory.native
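Review bot: `handler_id: null` switches sessions to PHP's native file handler, which stores them on the local filesystem of whichever pod served the request; the base Deployment in this commit runs three replicas behind a plain ClusterIP Service, so a login flow whose requests land on different pods will lose its session. If per-pod sessions are intended, the Ingress needs session affinity; otherwise a shared handler (the Redis one this line drops, or a database handler) is needed. Only the `framework.session` block is visible here; the rest of the file is outside the hunk.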


@ -28,6 +28,7 @@ services:
DSN_REMOTE_DATABASE: pgsql:host='postgres';port=5432;dbname=lasql; DSN_REMOTE_DATABASE: pgsql:host='postgres';port=5432;dbname=lasql;
HASH_ALGO_LEGACY: sha256 HASH_ALGO_LEGACY: sha256
SECURITY_PATTERN: password,salt,pepper SECURITY_PATTERN: password,salt,pepper
REDIS_URL: redis://redis:6379
oidc-test: oidc-test:
image: bornholm/oidc-test:v0.0.0-1-g936a77e image: bornholm/oidc-test:v0.0.0-1-g936a77e
environment: environment:
@ -108,12 +109,12 @@ services:
- ./containers/compose/mariadb/init-db.d:/docker-entrypoint-initdb.d/:ro - ./containers/compose/mariadb/init-db.d:/docker-entrypoint-initdb.d/:ro
- mariadb:/var/lib/mysql - mariadb:/var/lib/mysql
- /etc/localtime:/etc/localtime:ro - /etc/localtime:/etc/localtime:ro
redis: # redis:
image: redis:7.2-rc2-alpine # image: redis:7.2-rc2-alpine
environment: # environment:
- TZ=Europe/Paris # - TZ=Europe/Paris
volumes: # volumes:
- /etc/localtime:/etc/localtime:ro # - /etc/localtime:/etc/localtime:ro
volumes: volumes:
postgres: postgres:
mariadb: mariadb:
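Review bot: `REDIS_URL: redis://redis:6379` in the first hunk points at the `redis` service that the second hunk comments out, so the app is handed a URL to a host that no longer exists on the compose network, and the session config in this commit no longer reads `REDIS_URL` either. Either drop the `REDIS_URL` line or keep the `redis` service until the cache and session handlers are settled; leaving a commented-out service block is easy to forget, so a one-line comment saying why it is disabled would help.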

80
main.mk Normal file

@ -0,0 +1,80 @@
IMAGES_DIR := ./misc/images
#
# $1: IMAGE_NAME
#
define build_image
echo "Building ${IMAGE_REPO}/$1";\
docker build \
-t "${IMAGE_REPO}/$1:$(IMAGE_VERSION)" \
-f ${IMAGES_DIR}/$1/Dockerfile \
.
endef
#
# $1: IMAGE_NAME
# $2: IMAGE_TAG
#
define scan_image
echo "Scanning ${IMAGE_REPO}/$1"; \
mkdir -p .trivy/$(IMAGE_REPO)/$1; \
tools/trivy/bin/trivy --cache-dir .trivy/.cache image -o ".trivy/$(IMAGE_REPO)/$1/$2/report.txt" $(TRIVY_ARGS) $(IMAGE_REPO)/$1:$2 ; \
cat ".trivy/$(IMAGE_REPO)/$1/$2report.txt"
endef
define install_trivy
mkdir -p tools/trivy/bin ; \
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.27.1
endef
define release_image
docker tag $(IMAGE_REPO)/$1:$(IMAGE_VERSION) $(IMAGE_REPO)/$1:$(IMAGE_VERSION)-$(DAY_SUFFIX_TAG) ; \
docker tag $(IMAGE_REPO)/$1:$(IMAGE_VERSION) $(IMAGE_REPO)/$1:$(IMAGE_VERSION); \
docker tag $(IMAGE_REPO)/$1:$(IMAGE_VERSION) $(IMAGE_REPO)/$1:latest ; \
docker push $(IMAGE_REPO)/$1:latest ; \
docker push $(IMAGE_REPO)/$1:$(IMAGE_VERSION) ; \
docker push $(IMAGE_REPO)/$1:$(IMAGE_VERSION)-$(DAY_SUFFIX_TAG)
endef
#list:
build: ${IMAGES_DIR}/*
@for name in $(basename $(notdir $^)); do \
$(call build_image,$${name}); \
done;\
scan: ${IMAGES_DIR}/*
$(call install_trivy)
@for name in $(basename $(notdir $^)); do \
$(call scan_image,$${name}); \
done;\
tools/trivy/bin/trivy:
mkdir -p tools/trivy/bin
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b ./tools/trivy/bin v0.27.1
release: ${IMAGES_DIR}/*
@for name in $(basename $(notdir $^)); do \
$(call release_image,$${name},base); \
done;\
_release:
docker tag $(IMAGE_FULL_NAME):$(IMAGE_TAG) $(IMAGE_FULL_NAME):$(IMAGE_TAG)-$(IMAGE_VERSION)-$(DAY_SUFFIX_TAG)
docker tag $(IMAGE_FULL_NAME):$(IMAGE_TAG) $(IMAGE_FULL_NAME):$(IMAGE_TAG)-$(IMAGE_VERSION)
docker tag $(IMAGE_FULL_NAME):$(IMAGE_TAG) $(IMAGE_FULL_NAME):$(IMAGE_TAG)-latest
docker push $(IMAGE_FULL_NAME):$(IMAGE_TAG)-$(IMAGE_VERSION)-$(DAY_SUFFIX_TAG)
docker push $(IMAGE_FULL_NAME):$(IMAGE_TAG)-$(IMAGE_VERSION)
docker push $(IMAGE_FULL_NAME):$(IMAGE_TAG)-latest
_test: tools/bin/bash_unit
tools/bin/bash_unit ./tests/test_$(IMAGE_TAG).sh
tools/bin/bash_unit:
mkdir -p tools/bin
cd tools/bin && bash <(curl -s https://raw.githubusercontent.com/pgrange/bash_unit/master/install.sh)
up:
skaffold dev -p dev --default-repo ${IMAGE_REPO}
##include recipes/*.mk
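Review bot: `scan` calls `$(call scan_image,$${name})` with no second argument, so inside `scan_image` the `$2` tag is empty and trivy is asked to scan `$(IMAGE_REPO)/$1:` (an invalid image reference) while the report is written under `…/$1//report.txt`; pass the tag that `build_image` produced, `$(call scan_image,$${name},$(IMAGE_VERSION)); \`, and make the `cat` path match the write path, `cat ".trivy/$(IMAGE_REPO)/$1/$2/report.txt"`. `install_trivy` and the `tools/trivy/bin/trivy` rule both pipe an unpinned `install.sh` from the `main` branch into `sh`, and `tools/bin/bash_unit` does the same from `master`: the trivy binary is pinned to v0.27.1 but the installer that fetches it is not, so pin the script to a tagged revision (or vendor it and check its hash) and have `scan` depend on `tools/trivy/bin/trivy` instead of re-downloading on every run. In `release_image`, `docker tag $(IMAGE_REPO)/$1:$(IMAGE_VERSION) $(IMAGE_REPO)/$1:$(IMAGE_VERSION)` re-tags an image with its own name, and the `$2` argument that `release` passes (`base`) is never used. `build`, `scan`, `release`, `up`, `_release` and `_test` are command targets and belong in a `.PHONY:` line, and `_release`/`_test` reference `IMAGE_FULL_NAME`/`IMAGE_TAG`, which nothing visible in this commit defines.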


@ -1,11 +1,3 @@
ARG ADDITIONAL_PACKAGES=" ARG ADDITIONAL_PACKAGES="bash mysql-client php81-cli php81-pdo_pgsql php81-pdo_mysql php81-mysqli php81-pgsql"
bash
mysql-client
php81-cli
php81-pdo_pgsql
php81-pdo_mysql
php81-mysqli
php81-pgsql
"
FROM reg.cadoles.com/cadoles/symfony:alpine-php-8.1-base FROM reg.cadoles.com/cadoles/symfony:alpine-php-8.1-standalone


@ -1,11 +1,3 @@
ARG ADDITIONAL_PACKAGES=" ARG ADDITIONAL_PACKAGES="bash mysql-client php81-cli php81-pdo_pgsql php81-pdo_mysql php81-mysqli php81-pgsql"
bash
mysql-client
php81-cli
php81-pdo_pgsql
php81-pdo_mysql
php81-mysqli
php81-pgsql
"
FROM reg.cadoles.com/cadoles/symfony:alpine-php-8.1-standalone FROM reg.cadoles.com/cadoles/symfony:alpine-php-8.1-standalone


@ -0,0 +1,8 @@
---
nameReference:
- kind: Secret
fieldSpecs:
- path: spec/superuserSecret/name
kind: Cluster
- path: spec/bootstrap/initdb/secret/name
kind: Cluster


@ -0,0 +1,32 @@
apiVersion: kustomize.config.k8s.io/v1alpha1
kind: Component
generatorOptions:
disableNameSuffixHash: true
configurations:
- ./configurations/cnpg-cluster.yaml
resources:
- ./resources/hydra-sql-cnpg-cluster.yaml
secretgenerator:
- name: hydra-sql-postgres-admin
type: secret
literals:
- username=postgres
- password=notsosecret
- name: hydra-sql-postgres-user
type: Secret
literals:
- username=hydra-sql
- password=NotSoSecretButThisIsBad
vars:
- name: APP_DATABASE_SERVICE_NAME
objref:
name: hydra-sql-postgres
kind: Cluster
apiVersion: postgresql.cnpg.io/v1
fieldref:
fieldpath: metadata.name
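Review bot: `type: secret` (hydra-sql-postgres-admin) and `type: Secret` (hydra-sql-postgres-user) set the Kubernetes Secret `type` field to two different non-standard strings; as far as I recall, CloudNativePG expects the `superuserSecret` and `bootstrap.initdb.secret` to be of type `kubernetes.io/basic-auth`, so both entries should declare `type: kubernetes.io/basic-auth`, and the key should be spelled `secretGenerator` as it is in the dev overlay of this commit rather than `secretgenerator`. Both passwords are committed in clear text into the base component with `disableNameSuffixHash: true`, so the same credentials land in every overlay built from it; the dev overlay already shows the safer pattern — a `files:` generator reading from a git-ignored `secrets/` directory — which could be reused here, or the secrets provisioned out of band and only referenced by name. `vars` is deprecated in recent kustomize releases in favour of `replacements`; if the version used for this repo still needs `vars`, a comment saying so would stop the next reader from "fixing" it.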


@ -0,0 +1,17 @@
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: hydra-sql-postgres
spec:
instances: 3
primaryUpdateStrategy: unsupervised
superuserSecret:
name: hydra-sql-postgres-admin
bootstrap:
initdb:
database: hydra-sql
owner: hydra-sql
secret:
name: hydra-sql-postgres-user
storage:
size: 20Gi


@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namePrefix: hydra-sql-
components:
- components/hydra-sql-cnpg
resources:
- resources/hydra-sql-kube


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./resources/hydra-sql-service.yaml
- ./resources/hydra-sql-deployment.yaml


@ -0,0 +1,55 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
io.kompose.service: hydra-sql
name: hydra-sql
spec:
replicas: 3
selector:
matchLabels:
io.kompose.service: hydra-sql
strategy:
type: Recreate
template:
metadata:
labels:
io.kompose.service: hydra-sql
spec:
restartPolicy: Always
containers:
- image: reg.cadoles.com/cadoles/hydra-sql-kube
imagePullPolicy: Always
name: hydra-sql-php-fpm
args: ["/usr/sbin/php-fpm81", "-F", "-e"]
resources: {}
env:
- name: PHP_FPM_LISTEN
value: 127.0.0.1:9000
- name: PHP_MEMORY_LIMIT
value: 128m
- name: PHP_FPM_MEMORY_LIMIT
value: 128m
- name: PHP_FPM_LOG_LEVEL
value: warning
- name: APP_DATABASE_SERVICE_NAME
value: $(APP_DATABASE_SERVICE_NAME)-rw
- image: reg.cadoles.com/cadoles/hydra-sql-kube
imagePullPolicy: Always
name: hydra-sql-nginx
args: ["/usr/sbin/nginx"]
env:
- name: NGINX_APP_UPSTREAM_BACKEND_SERVER
value: 127.0.0.1:9000
- name: NGINX_APP_ROOT
value: "/public"
- name: NGINX_APP_PHP_INDEX
value: "/index.php"
- name: NGINX_ERROR_LOG_LEVEL
value: "warn"
- name: NGINX_APP_PHP_NON_FILE_PATTERN
value: "^/index\\.php(/|$)"
ports:
- containerPort: 8080
resources: {}
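Review bot: Neither container declares a readiness or liveness probe, so the `hydra-sql` Service (and the dev Ingress) will route to a pod as soon as it is scheduled, before php-fpm listens on 127.0.0.1:9000 or nginx on 8080, and `strategy: Recreate` with `replicas: 3` means every rollout first terminates all three pods. A TCP readiness probe on the nginx container's `containerPort: 8080` is the minimal fix, and `RollingUpdate` is the usual strategy for a stateless php-fpm/nginx pair. Both containers have `resources: {}` and no `securityContext`; requests/limits plus at least `runAsNonRoot: true` and `allowPrivilegeEscalation: false` would be expected for a login-facing workload.
```yaml
      - image: reg.cadoles.com/cadoles/hydra-sql-kube
        imagePullPolicy: Always
        name: hydra-sql-nginx
        # … unchanged: args, env …
        ports:
        - containerPort: 8080
        readinessProbe:
          tcpSocket:
            port: 8080
          periodSeconds: 10
        resources: {}
```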


@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
labels:
io.kompose.service: hydra-sql
name: hydra-sql
spec:
type: ClusterIP
ports:
- name: hydra-sql-http
port: 80
targetPort: 8080
selector:
io.kompose.service: hydra-sql


@ -0,0 +1,3 @@
*
!.gitignore
!.gitkeep


@ -0,0 +1,21 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: hydra-sql-dev
resources:
- ../../base
- resources/namespace.yaml
- resources/ingress.yaml
patches:
- path: patches/update-replicas-for-hydra-sql.yaml
- path: patches/add-registry-pull-secret.yaml
target:
kind: Deployment
version: v1
secretGenerator:
- files:
- secrets/dockerconfig/.dockerconfigjson
name: regcred-dev
type: kubernetes.io/dockerconfigjson


@ -0,0 +1,4 @@
- op: add
path: "/spec/template/spec/imagePullSecrets"
value:
- name: regcred-dev


@ -0,0 +1,8 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
io.kompose.service: hydra-sql
name: hydra-sql
spec:
replicas: 1


@ -0,0 +1,21 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hydra-sql
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "138m"
nginx.ingress.kubernetes.io/enable-cors: "true" #cf 01
nginx.ingress.kubernetes.io/cors-allow-headers: "X-Forwarded-For" #cf 01
spec:
ingressClassName: nginx
rules:
- host: hydra-sql.dev.local
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: hydra-sql
port:
number: 8080
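Review bot: `number: 8080` names a port the `hydra-sql` Service in this commit does not expose — the Service publishes `port: 80` (with `targetPort: 8080`), and an Ingress backend must reference a Service port, so the controller will find no endpoints for this rule; change it to `number: 80` or use `name: hydra-sql-http`. `enable-cors: "true"` without a `cors-allow-origin` annotation falls back, as far as I recall ingress-nginx's defaults, to allowing every origin, which is a wide setting for a login provider; set the allowed origin explicitly. The `#cf 01` markers on the two CORS annotations point at something outside this commit; a short comment naming the issue or requirement they refer to would help the next reader.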


@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: hydra-sql-dev


@ -0,0 +1,3 @@
*
!.gitignore
!.gitkeep


@ -29,7 +29,7 @@ build:
sha256: {} sha256: {}
artifacts: artifacts:
- image: reg.cadoles.com/cadoles/app-kube - image: reg.cadoles.com/cadoles/hydra-sql-kube
context: . context: .
sync: sync:
infer: infer:
@ -39,7 +39,7 @@ build:
- scripts/** - scripts/**
- templates/** - templates/**
kaniko: kaniko:
dockerfile: misc/images/app-kube/Dockerfile dockerfile: misc/images/hydra-sql-kube/Dockerfile
cache: {} cache: {}
deploy: deploy: