diff --git a/.travis.yml b/.travis.yml index 61de4b1..e871dc0 100644 --- a/.travis.yml +++ b/.travis.yml @@ -4,6 +4,7 @@ env: matrix: - DEPLOY_ENVIRONMENT=staging DEPLOY_BRANCH=master - DEPLOY_ENVIRONMENT=production DEPLOY_TAGS=true + # - DEPLOY_ENVIRONMENT=ori DEPLOY_BRANCH=midburn-profiles-aka-drupal-infra services: - docker script: @@ -25,6 +26,8 @@ script: ! ./helm_upgrade.sh && echo 'failed helm upgrade' && RES=1; ! ./helm_upgrade_external_chart.sh spark && echo 'failed spark upgrade' && RES=1; ! ./helm_upgrade_external_chart.sh volunteers && echo 'failed volunteers upgrade' && RES=1; + ! ./helm_upgrade_external_chart.sh bi && echo 'failed bi upgrade' && RES=1; + ! ./helm_upgrade_external_chart.sh profiles && echo 'failed profiles upgrade' && RES=1; exit "'$'"RES " "orihoch/sk8s-ops" "${OPS_REPO_SLUG}" "${OPS_REPO_BRANCH}"; then true diff --git a/charts-external/bi/Chart.yaml b/charts-external/bi/Chart.yaml new file mode 100644 index 0000000..2023c72 --- /dev/null +++ b/charts-external/bi/Chart.yaml @@ -0,0 +1 @@ +name: bi \ No newline at end of file diff --git a/charts-external/bi/README.md b/charts-external/bi/README.md new file mode 100644 index 0000000..0107c8c --- /dev/null +++ b/charts-external/bi/README.md @@ -0,0 +1 @@ +# Midburn Business Intelligence diff --git a/charts-external/bi/templates/metabase.yaml b/charts-external/bi/templates/metabase.yaml new file mode 100644 index 0000000..a294351 --- /dev/null +++ b/charts-external/bi/templates/metabase.yaml @@ -0,0 +1,106 @@ +{{ if .Values.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: metabase +spec: + selector: + app: metabase + ports: + - port: 3000 +--- +apiVersion: extensions/v1beta1 +kind: Deployment +metadata: + name: metabase +spec: + replicas: 1 + strategy: {type: Recreate, rollingUpdate: null} + template: + metadata: + labels: + app: metabase + spec: + terminationGracePeriodSeconds: 0 + containers: + # this is a small postgreSQL DB used internally by metabase + - name: postgres + image: postgres + command: + - bash + - "-c" + - | + docker-entrypoint.sh postgres & + export PGPASS=$POSTGRES_PASSWORD + while ! echo "select 1" | psql -h 127.0.0.1 -p 5432 -U postgres; do echo "waiting for db.."; sleep 5; done + RES=0 + ERRORS="" + ! echo "CREATE DATABASE ${MB_DB_DBNAME}" | psql -h 127.0.0.1 -p 5432 -U postgres \ + && ERRORS+="; failed to create db ${MB_DB_DBNAME}" && RES=1 + if [ "${RES}" == "0" ]; then + echo "Great Success!" + touch /state/db_ready + while true; do sleep 86400; done + else + echo "Failed" + echo "${ERRORS}" + echo "Waiting 1 day before existing with error - to allow debugging" + sleep 86400 + exit 1 + fi + env: + - {name: POSTGRES_PASSWORD, value: "123456"} + - {name: MB_DB_DBNAME, value: metabase} + ports: + - containerPort: 5432 + resources: + requests: + cpu: "10m" + memory: "50Mi" + limits: + cpu: "100m" + memory: "100Mi" + volumeMounts: + - name: state + mountPath: /state + - name: metabase + image: metabase/metabase + env: + - {name: "MB_DB_TYPE", value: "postgres"} + - {name: "MB_DB_DBNAME", value: metabase} + - {name: "MB_DB_PORT", value: "5432"} + - {name: "MB_DB_USER", value: postgres} + - {name: "MB_DB_PASS", value: "123456"} + - {name: "MB_DB_HOST", value: "localhost"} + command: + - bash + - "-c" + - | + while ! [ -e /state/db_ready ]; do echo "waiting for db.."; sleep 5; done + touch /state/starting_metabase + /app/run_metabase.sh + readinessProbe: + exec: + command: + - bash + - "-c" + - | + [ -e /state/starting_metabase ] && wget -q localhost:3000 -O /dev/null + initialDelaySeconds: 5 + periodSeconds: 5 + ports: + - containerPort: 3000 + resources: + requests: + cpu: 0.3 + memory: "600Mi" + limits: + cpu: 0.6 + memory: "1400Mi" + volumeMounts: + - name: state + mountPath: /state + volumes: + - name: state + emptyDir: {} +{{ end }} diff --git a/charts-external/profiles/Chart.yaml b/charts-external/profiles/Chart.yaml new file mode 100644 index 0000000..a618019 --- /dev/null +++ b/charts-external/profiles/Chart.yaml @@ -0,0 +1 @@ +name: profiles \ No newline at end of file diff --git a/charts-external/profiles/README.md b/charts-external/profiles/README.md new file mode 100644 index 0000000..fb0d9bf --- /dev/null +++ b/charts-external/profiles/README.md @@ -0,0 +1,3 @@ +# Midburn Profiles + +Contains Midburn profiles system (AKA Drupal) related infrastructure diff --git a/charts-external/profiles/templates/drupal-conf.yaml b/charts-external/profiles/templates/drupal-conf.yaml new file mode 100644 index 0000000..add6423 --- /dev/null +++ b/charts-external/profiles/templates/drupal-conf.yaml @@ -0,0 +1,592 @@ +{{ if .Values.enabled }} +apiVersion: v1 +kind: ConfigMap +metadata: + name: drupal-settings +data: + drupal_site_default_settings.php: | + 'mysql', + * 'database' => 'databasename', + * 'username' => 'username', + * 'password' => 'password', + * 'host' => 'localhost', + * 'port' => 3306, + * 'prefix' => 'myprefix_', + * 'collation' => 'utf8_general_ci', + * ); + * @endcode + * + * The "driver" property indicates what Drupal database driver the + * connection should use. This is usually the same as the name of the + * database type, such as mysql or sqlite, but not always. The other + * properties will vary depending on the driver. For SQLite, you must + * specify a database file name in a directory that is writable by the + * webserver. For most other drivers, you must specify a + * username, password, host, and database name. + * + * Transaction support is enabled by default for all drivers that support it, + * including MySQL. To explicitly disable it, set the 'transactions' key to + * FALSE. + * Note that some configurations of MySQL, such as the MyISAM engine, don't + * support it and will proceed silently even if enabled. If you experience + * transaction related crashes with such configuration, set the 'transactions' + * key to FALSE. + * + * For each database, you may optionally specify multiple "target" databases. + * A target database allows Drupal to try to send certain queries to a + * different database if it can but fall back to the default connection if not. + * That is useful for master/slave replication, as Drupal may try to connect + * to a slave server when appropriate and if one is not available will simply + * fall back to the single master server. + * + * The general format for the $databases array is as follows: + * @code + * $databases['default']['default'] = $info_array; + * $databases['default']['slave'][] = $info_array; + * $databases['default']['slave'][] = $info_array; + * $databases['extra']['default'] = $info_array; + * @endcode + * + * In the above example, $info_array is an array of settings described above. + * The first line sets a "default" database that has one master database + * (the second level default). The second and third lines create an array + * of potential slave databases. Drupal will select one at random for a given + * request as needed. The fourth line creates a new database with a name of + * "extra". + * + * For a single database configuration, the following is sufficient: + * @code + * $databases['default']['default'] = array( + * 'driver' => 'mysql', + * 'database' => 'databasename', + * 'username' => 'username', + * 'password' => 'password', + * 'host' => 'localhost', + * 'prefix' => 'main_', + * 'collation' => 'utf8_general_ci', + * ); + * @endcode + * + * You can optionally set prefixes for some or all database table names + * by using the 'prefix' setting. If a prefix is specified, the table + * name will be prepended with its value. Be sure to use valid database + * characters only, usually alphanumeric and underscore. If no prefixes + * are desired, leave it as an empty string ''. + * + * To have all database names prefixed, set 'prefix' as a string: + * @code + * 'prefix' => 'main_', + * @endcode + * To provide prefixes for specific tables, set 'prefix' as an array. + * The array's keys are the table names and the values are the prefixes. + * The 'default' element is mandatory and holds the prefix for any tables + * not specified elsewhere in the array. Example: + * @code + * 'prefix' => array( + * 'default' => 'main_', + * 'users' => 'shared_', + * 'sessions' => 'shared_', + * 'role' => 'shared_', + * 'authmap' => 'shared_', + * ), + * @endcode + * You can also use a reference to a schema/database as a prefix. This may be + * useful if your Drupal installation exists in a schema that is not the default + * or you want to access several databases from the same code base at the same + * time. + * Example: + * @code + * 'prefix' => array( + * 'default' => 'main.', + * 'users' => 'shared.', + * 'sessions' => 'shared.', + * 'role' => 'shared.', + * 'authmap' => 'shared.', + * ); + * @endcode + * NOTE: MySQL and SQLite's definition of a schema is a database. + * + * Advanced users can add or override initial commands to execute when + * connecting to the database server, as well as PDO connection settings. For + * example, to enable MySQL SELECT queries to exceed the max_join_size system + * variable, and to reduce the database connection timeout to 5 seconds: + * + * @code + * $databases['default']['default'] = array( + * 'init_commands' => array( + * 'big_selects' => 'SET SQL_BIG_SELECTS=1', + * ), + * 'pdo' => array( + * PDO::ATTR_TIMEOUT => 5, + * ), + * ); + * @endcode + * + * WARNING: These defaults are designed for database portability. Changing them + * may cause unexpected behavior, including potential data loss. + * + * @see DatabaseConnection_mysql::__construct + * @see DatabaseConnection_pgsql::__construct + * @see DatabaseConnection_sqlite::__construct + * + * Database configuration format: + * @code + * $databases['default']['default'] = array( + * 'driver' => 'mysql', + * 'database' => 'databasename', + * 'username' => 'username', + * 'password' => 'password', + * 'host' => 'localhost', + * 'prefix' => '', + * ); + * $databases['default']['default'] = array( + * 'driver' => 'pgsql', + * 'database' => 'databasename', + * 'username' => 'username', + * 'password' => 'password', + * 'host' => 'localhost', + * 'prefix' => '', + * ); + * $databases['default']['default'] = array( + * 'driver' => 'sqlite', + * 'database' => '/path/to/databasefilename', + * ); + * @endcode + */ + $databases = array ( + 'default' => + array ( + 'default' => + array ( + 'database' => 'midburndb', + 'username' => 'root', + 'password' => '123456', + 'host' => 'profiles-db', + 'port' => '3306', + 'driver' => 'mysql', + 'prefix' => '', + ), + ), + ); + + /** + * Access control for update.php script. + * + * If you are updating your Drupal installation using the update.php script but + * are not logged in using either an account with the "Administer software + * updates" permission or the site maintenance account (the account that was + * created during installation), you will need to modify the access check + * statement below. Change the FALSE to a TRUE to disable the access check. + * After finishing the upgrade, be sure to open this file again and change the + * TRUE back to a FALSE! + */ + $update_free_access = FALSE; + + /** + * Salt for one-time login links and cancel links, form tokens, etc. + * + * This variable will be set to a random value by the installer. All one-time + * login links will be invalidated if the value is changed. Note that if your + * site is deployed on a cluster of web servers, you must ensure that this + * variable has the same value on each server. If this variable is empty, a hash + * of the serialized database credentials will be used as a fallback salt. + * + * For enhanced security, you may set this variable to a value using the + * contents of a file outside your docroot that is never saved together + * with any backups of your Drupal files and database. + * + * Example: + * $drupal_hash_salt = file_get_contents('/home/example/salt.txt'); + * + */ + $drupal_hash_salt = file_get_contents('/drupalsalt');; + + /** + * Base URL (optional). + * + * If Drupal is generating incorrect URLs on your site, which could + * be in HTML headers (links to CSS and JS files) or visible links on pages + * (such as in menus), uncomment the Base URL statement below (remove the + * leading hash sign) and fill in the absolute URL to your Drupal installation. + * + * You might also want to force users to use a given domain. + * See the .htaccess file for more information. + * + * Examples: + * $base_url = 'http://www.example.com'; + * $base_url = 'http://www.example.com:8888'; + * $base_url = 'http://www.example.com/drupal'; + * $base_url = 'https://www.example.com:8888/drupal'; + * + * It is not allowed to have a trailing slash; Drupal will add it + * for you. + */ + # $base_url = 'http://www.example.com'; // NO trailing slash! + //$base_url = 'https://profile.midburn.org'; // NO trailing slash! + $base_url = '{{ .Values.drupalBaseUrl | default "http://localhost" }}'; // NO trailing slash! + + /** + * PHP settings: + * + * To see what PHP settings are possible, including whether they can be set at + * runtime (by using ini_set()), read the PHP documentation: + * http://www.php.net/manual/ini.list.php + * See drupal_environment_initialize() in includes/bootstrap.inc for required + * runtime settings and the .htaccess file for non-runtime settings. Settings + * defined there should not be duplicated here so as to avoid conflict issues. + */ + + /** + * Some distributions of Linux (most notably Debian) ship their PHP + * installations with garbage collection (gc) disabled. Since Drupal depends on + * PHP's garbage collection for clearing sessions, ensure that garbage + * collection occurs by using the most common settings. + */ + ini_set('session.gc_probability', 1); + ini_set('session.gc_divisor', 100); + + /** + * Set session lifetime (in seconds), i.e. the time from the user's last visit + * to the active session may be deleted by the session garbage collector. When + * a session is deleted, authenticated users are logged out, and the contents + * of the user's $_SESSION variable is discarded. + */ + ini_set('session.gc_maxlifetime', 200000); + + /** + * Set session cookie lifetime (in seconds), i.e. the time from the session is + * created to the cookie expires, i.e. when the browser is expected to discard + * the cookie. The value 0 means "until the browser is closed". + */ + ini_set('session.cookie_lifetime', 2000000); + + /** + * If you encounter a situation where users post a large amount of text, and + * the result is stripped out upon viewing but can still be edited, Drupal's + * output filter may not have sufficient memory to process it. If you + * experience this issue, you may wish to uncomment the following two lines + * and increase the limits of these variables. For more information, see + * http://php.net/manual/pcre.configuration.php. + */ + # ini_set('pcre.backtrack_limit', 200000); + # ini_set('pcre.recursion_limit', 200000); + + /** + * Drupal automatically generates a unique session cookie name for each site + * based on its full domain name. If you have multiple domains pointing at the + * same Drupal site, you can either redirect them all to a single domain (see + * comment in .htaccess), or uncomment the line below and specify their shared + * base domain. Doing so assures that users remain logged in as they cross + * between your various domains. Make sure to always start the $cookie_domain + * with a leading dot, as per RFC 2109. + */ + # $cookie_domain = '.example.com'; + + /** + * Variable overrides: + * + * To override specific entries in the 'variable' table for this site, + * set them here. You usually don't need to use this feature. This is + * useful in a configuration file for a vhost or directory, rather than + * the default settings.php. Any configuration setting from the 'variable' + * table can be given a new value. Note that any values you provide in + * these variable overrides will not be modifiable from the Drupal + * administration interface. + * + * The following overrides are examples: + * - site_name: Defines the site's name. + * - theme_default: Defines the default theme for this site. + * - anonymous: Defines the human-readable name of anonymous users. + * Remove the leading hash signs to enable. + */ + # $conf['site_name'] = 'My Drupal site'; + # $conf['theme_default'] = 'garland'; + # $conf['anonymous'] = 'Visitor'; + + /** + * A custom theme can be set for the offline page. This applies when the site + * is explicitly set to maintenance mode through the administration page or when + * the database is inactive due to an error. It can be set through the + * 'maintenance_theme' key. The template file should also be copied into the + * theme. It is located inside 'modules/system/maintenance-page.tpl.php'. + * Note: This setting does not apply to installation and update pages. + */ + # $conf['maintenance_theme'] = 'bartik'; + + /** + * Reverse Proxy Configuration: + * + * Reverse proxy servers are often used to enhance the performance + * of heavily visited sites and may also provide other site caching, + * security, or encryption benefits. In an environment where Drupal + * is behind a reverse proxy, the real IP address of the client should + * be determined such that the correct client IP address is available + * to Drupal's logging, statistics, and access management systems. In + * the most simple scenario, the proxy server will add an + * X-Forwarded-For header to the request that contains the client IP + * address. However, HTTP headers are vulnerable to spoofing, where a + * malicious client could bypass restrictions by setting the + * X-Forwarded-For header directly. Therefore, Drupal's proxy + * configuration requires the IP addresses of all remote proxies to be + * specified in $conf['reverse_proxy_addresses'] to work correctly. + * + * Enable this setting to get Drupal to determine the client IP from + * the X-Forwarded-For header (or $conf['reverse_proxy_header'] if set). + * If you are unsure about this setting, do not have a reverse proxy, + * or Drupal operates in a shared hosting environment, this setting + * should remain commented out. + * + * In order for this setting to be used you must specify every possible + * reverse proxy IP address in $conf['reverse_proxy_addresses']. + * If a complete list of reverse proxies is not available in your + * environment (for example, if you use a CDN) you may set the + * $_SERVER['REMOTE_ADDR'] variable directly in settings.php. + * Be aware, however, that it is likely that this would allow IP + * address spoofing unless more advanced precautions are taken. + */ + # $conf['reverse_proxy'] = TRUE; + + /** + * Specify every reverse proxy IP address in your environment. + * This setting is required if $conf['reverse_proxy'] is TRUE. + */ + # $conf['reverse_proxy_addresses'] = array('a.b.c.d', ...); + + /** + * Set this value if your proxy server sends the client IP in a header + * other than X-Forwarded-For. + */ + # $conf['reverse_proxy_header'] = 'HTTP_X_CLUSTER_CLIENT_IP'; + + /** + * Page caching: + * + * By default, Drupal sends a "Vary: Cookie" HTTP header for anonymous page + * views. This tells a HTTP proxy that it may return a page from its local + * cache without contacting the web server, if the user sends the same Cookie + * header as the user who originally requested the cached page. Without "Vary: + * Cookie", authenticated users would also be served the anonymous page from + * the cache. If the site has mostly anonymous users except a few known + * editors/administrators, the Vary header can be omitted. This allows for + * better caching in HTTP proxies (including reverse proxies), i.e. even if + * clients send different cookies, they still get content served from the cache. + * However, authenticated users should access the site directly (i.e. not use an + * HTTP proxy, and bypass the reverse proxy if one is used) in order to avoid + * getting cached pages from the proxy. + */ + # $conf['omit_vary_cookie'] = TRUE; + + /** + * CSS/JS aggregated file gzip compression: + * + * By default, when CSS or JS aggregation and clean URLs are enabled Drupal will + * store a gzip compressed (.gz) copy of the aggregated files. If this file is + * available then rewrite rules in the default .htaccess file will serve these + * files to browsers that accept gzip encoded content. This allows pages to load + * faster for these users and has minimal impact on server load. If you are + * using a webserver other than Apache httpd, or a caching reverse proxy that is + * configured to cache and compress these files itself you may want to uncomment + * one or both of the below lines, which will prevent gzip files being stored. + */ + # $conf['css_gzip_compression'] = FALSE; + # $conf['js_gzip_compression'] = FALSE; + + /** + * Block caching: + * + * Block caching may not be compatible with node access modules depending on + * how the original block cache policy is defined by the module that provides + * the block. By default, Drupal therefore disables block caching when one or + * more modules implement hook_node_grants(). If you consider block caching to + * be safe on your site and want to bypass this restriction, uncomment the line + * below. + */ + # $conf['block_cache_bypass_node_grants'] = TRUE; + + /** + * String overrides: + * + * To override specific strings on your site with or without enabling the Locale + * module, add an entry to this list. This functionality allows you to change + * a small number of your site's default English language interface strings. + * + * Remove the leading hash signs to enable. + */ + # $conf['locale_custom_strings_en'][''] = array( + # 'forum' => 'Discussion board', + # '@count min' => '@count minutes', + # ); + + /** + * + * IP blocking: + * + * To bypass database queries for denied IP addresses, use this setting. + * Drupal queries the {blocked_ips} table by default on every page request + * for both authenticated and anonymous users. This allows the system to + * block IP addresses from within the administrative interface and before any + * modules are loaded. However on high traffic websites you may want to avoid + * this query, allowing you to bypass database access altogether for anonymous + * users under certain caching configurations. + * + * If using this setting, you will need to add back any IP addresses which + * you may have blocked via the administrative interface. Each element of this + * array represents a blocked IP address. Uncommenting the array and leaving it + * empty will have the effect of disabling IP blocking on your site. + * + * Remove the leading hash signs to enable. + */ + # $conf['blocked_ips'] = array( + # 'a.b.c.d', + # ); + + /** + * Fast 404 pages: + * + * Drupal can generate fully themed 404 pages. However, some of these responses + * are for images or other resource files that are not displayed to the user. + * This can waste bandwidth, and also generate server load. + * + * The options below return a simple, fast 404 page for URLs matching a + * specific pattern: + * - 404_fast_paths_exclude: A regular expression to match paths to exclude, + * such as images generated by image styles, or dynamically-resized images. + * If you need to add more paths, you can add '|path' to the expression. + * - 404_fast_paths: A regular expression to match paths that should return a + * simple 404 page, rather than the fully themed 404 page. If you don't have + * any aliases ending in htm or html you can add '|s?html?' to the expression. + * - 404_fast_html: The html to return for simple 404 pages. + * + * Add leading hash signs if you would like to disable this functionality. + */ + $conf['404_fast_paths_exclude'] = '/\/(?:styles)\//'; + $conf['404_fast_paths'] = '/\.(?:txt|png|gif|jpe?g|css|js|ico|swf|flv|cgi|bat|pl|dll|exe|asp)$/i'; + $conf['404_fast_html'] = '404 Not Found

Not Found

The requested URL "@path" was not found on this server.

'; + + /** + * By default the page request process will return a fast 404 page for missing + * files if they match the regular expression set in '404_fast_paths' and not + * '404_fast_paths_exclude' above. 404 errors will simultaneously be logged in + * the Drupal system log. + * + * You can choose to return a fast 404 page earlier for missing pages (as soon + * as settings.php is loaded) by uncommenting the line below. This speeds up + * server response time when loading 404 error pages and prevents the 404 error + * from being logged in the Drupal system log. In order to prevent valid pages + * such as image styles and other generated content that may match the + * '404_fast_html' regular expression from returning 404 errors, it is necessary + * to add them to the '404_fast_paths_exclude' regular expression above. Make + * sure that you understand the effects of this feature before uncommenting the + * line below. + */ + # drupal_fast_404(); + + /** + * External access proxy settings: + * + * If your site must access the Internet via a web proxy then you can enter + * the proxy settings here. Currently only basic authentication is supported + * by using the username and password variables. The proxy_user_agent variable + * can be set to NULL for proxies that require no User-Agent header or to a + * non-empty string for proxies that limit requests to a specific agent. The + * proxy_exceptions variable is an array of host names to be accessed directly, + * not via proxy. + */ + # $conf['proxy_server'] = ''; + # $conf['proxy_port'] = 8080; + # $conf['proxy_username'] = ''; + # $conf['proxy_password'] = ''; + # $conf['proxy_user_agent'] = ''; + # $conf['proxy_exceptions'] = array('127.0.0.1', 'localhost'); + + /** + * Authorized file system operations: + * + * The Update manager module included with Drupal provides a mechanism for + * site administrators to securely install missing updates for the site + * directly through the web user interface. On securely-configured servers, + * the Update manager will require the administrator to provide SSH or FTP + * credentials before allowing the installation to proceed; this allows the + * site to update the new files as the user who owns all the Drupal files, + * instead of as the user the webserver is running as. On servers where the + * webserver user is itself the owner of the Drupal files, the administrator + * will not be prompted for SSH or FTP credentials (note that these server + * setups are common on shared hosting, but are inherently insecure). + * + * Some sites might wish to disable the above functionality, and only update + * the code directly via SSH or FTP themselves. This setting completely + * disables all functionality related to these authorized file operations. + * + * @see http://drupal.org/node/244924 + * + * Remove the leading hash signs to disable. + */ + # $conf['allow_authorize_operations'] = FALSE; + +{{ end }} diff --git a/charts-external/profiles/templates/profiles-db.yaml b/charts-external/profiles/templates/profiles-db.yaml new file mode 100644 index 0000000..b3ffc39 --- /dev/null +++ b/charts-external/profiles/templates/profiles-db.yaml @@ -0,0 +1,108 @@ +{{ if .Values.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: profiles-db +spec: + ports: + - name: '3306' + port: 3306 + - name: '8080' + port: 8080 + selector: + app: profiles-db +--- +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: profiles-db +spec: + replicas: 1 + template: + metadata: + labels: + app: profiles-db + spec: + terminationGracePeriodSeconds: 0 + containers: + - name: adminer + image: adminer + ports: + - containerPort: 8080 + resources: + requests: + cpu: "0.001" + memory: "10Mi" + - name: db + image: {{ .Values.dbImage | default "mysql:5.6" | quote }} + ports: + - {containerPort: 3306} + resources: + requests: {cpu: "100m", memory: "300Mi"} + limits: {cpu: "400m", memory: "1500Mi"} + env: + - name: MYSQL_ROOT_PASSWORD + value: "123456" + - name: ops + image: orihoch/sk8s-ops:mysql + resources: + requests: + cpu: "0.01" + memory: "10Mi" + command: + - bash + - "-c" + - | + echo "sleeping 15 seconds to let mysql start" + sleep 15 + source ~/.bashrc + RES=0 + ERRORS="" + ! gcloud config set project "{{ .Values.global.googleProjectId }}" && ERRORS+="; failed to set google projectid {{ .Values.global.googleProjectId }}" && RES=1 + while ! echo "select 1" | mysql --host=127.0.0.1 --user=root --password=${MYSQL_ROOT_PASSWORD}; do echo "waiting for mysql..."; sleep 5; done + if [ "${IMPORT_URL}" != "" ]; then + echo "importing from ${IMPORT_URL}" + ! echo "create database midburndb;" | mysql --host=127.0.0.1 --user=root --password=${MYSQL_ROOT_PASSWORD} \ + && ERRORS+="; failed to create midburndb" && RES=1 + echo "IMPORT_URL=${IMPORT_URL}" + ! gsutil cp "${IMPORT_URL}" ./dump.sql && ERRORS+="; failed to download sql dump" && RES=1 + ! cat ./dump.sql | mysql --host=127.0.0.1 --user=root --password=${MYSQL_ROOT_PASSWORD} --database midburndb --one-database \ + && ERRORS+="; Failed mysql import" && RES=1 + fi + if [ "${RES}" == "0" ]; then + echo "Great Success!" + touch /state/ops_ready + while true; do sleep 86400; done + else + echo "Failed" + echo "${ERRORS}" + echo "Waiting 1 day before existing with error - to allow debugging" + sleep 86400 + exit 1 + fi + readinessProbe: + exec: + command: + - bash + - "-c" + - "[ -e /state/ops_ready ]" + initialDelaySeconds: 5 + periodSeconds: 5 + env: + - name: MYSQL_ROOT_PASSWORD + value: "123456" + - name: IMPORT_URL + value: {{ .Values.dbImportUrl | quote }} + volumeMounts: + - name: k8s-ops + mountPath: /k8s-ops + readOnly: true + - name: state + mountPath: /state + volumes: + - name: k8s-ops + secret: + secretName: ops + - name: state + emptyDir: {} +{{ end }} diff --git a/charts-external/profiles/templates/profiles-drupal.yaml b/charts-external/profiles/templates/profiles-drupal.yaml new file mode 100644 index 0000000..d07b7f7 --- /dev/null +++ b/charts-external/profiles/templates/profiles-drupal.yaml @@ -0,0 +1,44 @@ +{{ if .Values.enabled }} +apiVersion: v1 +kind: Service +metadata: + name: profiles-drupal +spec: + ports: + - name: '80' + port: 80 + selector: + app: profiles-drupal +--- +apiVersion: apps/v1beta1 +kind: Deployment +metadata: + name: profiles-drupal +spec: + replicas: 1 + template: + metadata: + labels: + app: profiles-drupal + spec: + containers: + - name: drupal + image: {{ .Values.image | quote }} + ports: + - containerPort: 80 + resources: + requests: + cpu: 100m + memory: 100Mi + limits: + cpu: 300m + memory: 500Mi + volumeMounts: + - name: drupal-settings + mountPath: /opt/bitnami/apps/drupal/htdocs/sites/default/settings.php + subPath: drupal_site_default_settings.php + volumes: + - name: drupal-settings + configMap: + name: drupal-settings +{{ end }} diff --git a/environments/ori/.env b/environments/ori/.env new file mode 100644 index 0000000..b8c18af --- /dev/null +++ b/environments/ori/.env @@ -0,0 +1,7 @@ +CLOUDSDK_CORE_PROJECT=midbarrn +CLOUDSDK_CONTAINER_CLUSTER=midbarrn +CLOUDSDK_COMPUTE_ZONE=us-central1-a +K8S_NAMESPACE=ori +K8S_HELM_RELEASE_NAME=midburn +K8S_ENVIRONMENT_NAME=ori +K8S_ENVIRONMENT_CONTEXT=gke_midbarrn_us-central1-a_midbarrn diff --git a/environments/ori/README.md b/environments/ori/README.md new file mode 100644 index 0000000..dc703c7 --- /dev/null +++ b/environments/ori/README.md @@ -0,0 +1,3 @@ +# Ori's testing environment + +Minimal environment for testing, no public entrypoints diff --git a/environments/ori/values.auto-updated.yaml b/environments/ori/values.auto-updated.yaml new file mode 100644 index 0000000..0be75c6 --- /dev/null +++ b/environments/ori/values.auto-updated.yaml @@ -0,0 +1,9 @@ +global: + opsImage: gcr.io/uumpa123/midburn-k8s:24fb296508dcf05202b9bbb3ffb7c9bdd47a7128 +profiles: + dbImage: gcr.io/midbarrn/midburn-profiles-drupal-db:54e27014eb6ea03b55c73fc2cc16f1fc1730e222 + image: gcr.io/midbarrn/midburn-profiles-drupal:54e27014eb6ea03b55c73fc2cc16f1fc1730e222 +spark: + image: gcr.io/midbarrn/midburn-spark-cd:e763c1d8e3377bf9246062bb2699c4be6f1c4027 +volunteers: + image: gcr.io/midbarrn/midburn-volunteers-cd:0812e713b7ae18a8bdf917ff04451df430eced33 diff --git a/environments/ori/values.yaml b/environments/ori/values.yaml new file mode 100644 index 0000000..cb9fc3b --- /dev/null +++ b/environments/ori/values.yaml @@ -0,0 +1,36 @@ +# minimal values files for testing - enable just what you need and copy required values from staging environment + +global: + defaultNodePool: default-pool + k8sOpsSecretName: ops + k8sOpsImage: gcr.io/uumpa123/midburn-k8s + environmentName: ori + opsRepoSlug: Midburn/midburn-k8s + opsRepoBranch: master + googleProjectId: midbarrn + projectName: midburn + enableRootChart: true + +traefik: + enabled: true + enableLoadBalancer: false + profilesHostsRule: "" + +spark: + enabled: false + +nginx: + enabled: true + htpasswdSecretName: nginx-htpasswd + +volunteers: + enabled: false + +profiles: + enabled: true + # dbImportUrl: gs://midburn-k8s-backups/profiles-db-production-dump-2018-01-16-11-30.sql + # NO trailing slash! + # drupalBaseUrl: http://localhost + +bi: + enabled: false diff --git a/environments/production/values.yaml b/environments/production/values.yaml index 361b280..0c2bff3 100644 --- a/environments/production/values.yaml +++ b/environments/production/values.yaml @@ -7,6 +7,7 @@ global: opsRepoBranch: master googleProjectId: midbarrn projectName: midburn + enableRootChart: true traefik: enabled: true @@ -18,6 +19,9 @@ traefik: [[acme.domains]] main = "volunteers.spark.midburn.org" acmeEmail: ori@uumpa.com + dnsProvider: route53 + AWS_ACCESS_KEY_ID: AKIAIJUE2QVTBJAN7INQ + AWS_REGION: "eu-west-1" sparkHostsRule: "Host: spark.midburn.org;" volunteersHostsRule: "Host: volunteers.spark.midburn.org;" # gcloud compute addresses create midburn-production-traefik --region=us-central1 @@ -26,6 +30,8 @@ traefik: enableVolunteers: true # nodeHostName: gke-midbarrn-default-pool-ed511f2f-p08j backupJob: true + enableLoadBalancer: true + # profilesHostsRule: "Host: profile.midburn.org;" spark: nodeEnv: production @@ -66,3 +72,14 @@ volunteers: dbImportJob: IMPORT_URL: gs://midburn-k8s-backups/volunteersdb-old-staging-dump-2017-12-27-18-01.tar.gz dbBackupJob: true + +profiles: + enabled: false + # dbImage: gcr.io/midbarrn/midburn-profiles-drupal-db-latest + # image: gcr.io/midbarrn/midburn-profiles-drupal-latest + # dbImportUrl: gs://midburn-k8s-backups/profiles-db-production-dump-2018-01-16-11-30.sql + # NO trailing slash! + # drupalBaseUrl: https://profile.midburn.org + +bi: + enabled: false diff --git a/environments/staging/README.md b/environments/staging/README.md index 2d9db79..cbff807 100644 --- a/environments/staging/README.md +++ b/environments/staging/README.md @@ -3,9 +3,14 @@ ## Main entrypoints * Spark - https://spark.staging.midburn.org/ + * Deployed on push to `master` branch of https://github.com/Midburn/spark * Adminer - https://staging.midburn.org/adminer * Volunteers - https://volunteers.staging.midburn.org/ + * Deployed on push to `develop` branch of https://github.com/Midburn/Volunteers * Volunteers DB UI - https://staging.midburn.org/volunteers/mongoexpress +* Profiles - https://profiles.staging.midburn.org/ + * DEployed on push to `master` branch of https://github.com/orihoch/midburn-profiles-drupal +* Profiles Adminer - https://staging.midburn.org/profiles/adminer ## Secrets diff --git a/environments/staging/values.yaml b/environments/staging/values.yaml index 091a8da..61347db 100644 --- a/environments/staging/values.yaml +++ b/environments/staging/values.yaml @@ -7,6 +7,8 @@ global: opsRepoBranch: master googleProjectId: midbarrn projectName: midburn + enableRootChart: true + backupsBucketName: midburn-k8s-backups traefik: enabled: true @@ -17,7 +19,12 @@ traefik: main = "staging.midburn.org" [[acme.domains]] main = "volunteers.staging.midburn.org" + [[acme.domains]] + main = "profiles.staging.midburn.org" acmeEmail: ori@uumpa.com + dnsProvider: route53 + AWS_ACCESS_KEY_ID: AKIAIJUE2QVTBJAN7INQ + AWS_REGION: "eu-west-1" sparkHostsRule: "Host: spark.staging.midburn.org;" volunteersHostsRule: "Host: volunteers.staging.midburn.org;" # gcloud compute addresses create midburn-staging-traefik --region=us-central1 @@ -26,6 +33,12 @@ traefik: enableVolunteers: true # nodeHostName: gke-midbarrn-default-pool-ed511f2f-p08j backupJob: true + enableLoadBalancer: true + profilesHostsRule: "Host: profiles.staging.midburn.org;" + SSLcheckMainDomain: staging.midburn.org + SSLcheckSparkDomain: spark.staging.midburn.org + SSLcheckProfilesDomain: profiles.staging.midburn.org + SSLcheckVolunteersDomain: volunteers.staging.midburn.org spark: # nodeEnv: production @@ -66,3 +79,14 @@ volunteers: dbImportJob: IMPORT_URL: gs://midburn-k8s-backups/volunteersdb-production-mongodump-2018-01-06-12-21.tar.gz dbBackupJob: true + +profiles: + dbImage: gcr.io/midbarrn/midburn-profiles-drupal-db-latest + image: gcr.io/midbarrn/midburn-profiles-drupal-latest + enabled: true + # dbImportUrl: gs://midburn-k8s-backups/profiles-db-production-dump-2018-01-16-11-30.sql + # NO trailing slash! + drupalBaseUrl: https://profiles.staging.midburn.org + +bi: + enabled: false diff --git a/helm_upgrade.sh b/helm_upgrade.sh index 134a905..dff674e 100755 --- a/helm_upgrade.sh +++ b/helm_upgrade.sh @@ -6,4 +6,8 @@ DEFAULT_VALUES_FILE=`[ -f values.yaml ] && echo "-f values.yaml"` ENVIRONMENT_VALUES_FILE=`[ -f "environments/${K8S_ENVIRONMENT_NAME}/values.yaml" ] && echo "-f environments/${K8S_ENVIRONMENT_NAME}/values.yaml"` AUTO_UPDATED_VALUES_FILE=`[ -f "environments/${K8S_ENVIRONMENT_NAME}/values.auto-updated.yaml" ] && echo "-f environments/${K8S_ENVIRONMENT_NAME}/values.auto-updated.yaml"` -helm upgrade $DEFAULT_VALUES_FILE $ENVIRONMENT_VALUES_FILE $AUTO_UPDATED_VALUES_FILE "${K8S_HELM_RELEASE_NAME}-${K8S_ENVIRONMENT_NAME}" . "$@" +if [ `./read_yaml.py "environments/${K8S_ENVIRONMENT_NAME}/values.yaml" global enableRootChart` == "true" ]; then + helm upgrade $DEFAULT_VALUES_FILE $ENVIRONMENT_VALUES_FILE $AUTO_UPDATED_VALUES_FILE "${K8S_HELM_RELEASE_NAME}-${K8S_ENVIRONMENT_NAME}" . "$@" +else + echo "root chart is disabled, skipping helm upgrade" +fi diff --git a/helm_upgrade_external_chart.sh b/helm_upgrade_external_chart.sh index 5238f1a..c06bcba 100755 --- a/helm_upgrade_external_chart.sh +++ b/helm_upgrade_external_chart.sh @@ -2,13 +2,9 @@ source connect.sh -usage() { - echo "Usage: ./helm_upgrade_external_chart.sh " -} - CHART_NAME="${1}" -[ -z "${CHART_NAME}" ] && usage && exit 1 +[ -z "${CHART_NAME}" ] && echo "usage:" && echo "./helm_upgrade_external_chart.sh " && exit 1 RELEASE_NAME="${K8S_HELM_RELEASE_NAME}-${CHART_NAME}-${K8S_ENVIRONMENT_NAME}" EXTERNAL_CHARTS_DIRECTORY="charts-external" @@ -35,6 +31,26 @@ do # cat "${TEMPDIR}/values.yaml" done -helm upgrade -f "${TEMPDIR}/values.yaml" "${RELEASE_NAME}" "${CHART_DIRECTORY}" "${@:2}" - -rm -rf $TEMPDIR +VALUES=`cat "${TEMPDIR}/values.yaml"` + +if [ `./read_yaml.py "${TEMPDIR}/values.yaml" enabled` == "true" ]; then + CMD="helm upgrade -f ${TEMPDIR}/values.yaml ${RELEASE_NAME} ${CHART_DIRECTORY} ${@:2}" + if ! $CMD; then + echo + echo "${TEMPDIR}/values.yaml" + echo "${VALUES}" + echo + echo "CMD" + echo "${CMD}" + echo + echo "helm upgrade failed" + exit 1 + else + rm -rf $TEMPDIR + echo "Great Success!" + exit 0 + fi +else + echo "chart is disabled, not performing upgrade" + exit 0 +fi diff --git a/templates/nginx-conf.yaml b/templates/nginx-conf.yaml index f7232c4..206eb8e 100644 --- a/templates/nginx-conf.yaml +++ b/templates/nginx-conf.yaml @@ -12,15 +12,26 @@ data: include /etc/nginx/conf.d/healthcheck.inc; + {{ if .Values.adminer.enabled }} location /adminer { proxy_pass http://adminer:8080; include /etc/nginx/conf.d/restricted.inc; } + {{ end }} + {{ if .Values.volunteers.enabled }} location /volunteers/mongoexpress { proxy_pass http://volunteersmongoexpress:8081; include /etc/nginx/conf.d/restricted.inc; } + {{ end }} + + {{ if .Values.profiles.enabled }} + location /profiles/adminer { + proxy_pass http://profiles-db:8080; + include /etc/nginx/conf.d/restricted.inc; + } + {{ end }} } healthcheck.inc: | @@ -33,6 +44,10 @@ data: {{ if .Values.nginx.htpasswdSecretName }} auth_basic "Restricted Content"; auth_basic_user_file /etc/nginx/htpasswd/secret-nginx-htpasswd; + {{ else }} + {{ if .Values.traefik.enabled }} + ERROR!! CANNOT ENABLE TRAEFIK WITHOUT AUTHENTICATION! + {{ end }} {{ end }} {{ end }} diff --git a/templates/traefik-backup.yaml b/templates/traefik-backup.yaml deleted file mode 100644 index 28a959f..0000000 --- a/templates/traefik-backup.yaml +++ /dev/null @@ -1,52 +0,0 @@ -{{ if .Values.traefik.enabled }}{{ if .Values.traefik.backupJob }} -#apiVersion: batch/v1 -#kind: Job -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: traefik-backup -spec: - schedule: "@daily" - concurrencyPolicy: Forbid - jobTemplate: - spec: - template: - metadata: - name: traefik-backup - spec: - {{ if .Values.traefik.nodeHostName }} - nodeSelector: - kubernetes.io/hostname: {{ .Values.traefik.nodeHostName | quote }} - {{ end }}{{ if .Values.traefik.nodePool }} - nodeSelector: - cloud.google.com/gke-nodepool: {{ .Values.traefik.nodePool | quote }} - {{ end }} - containers: - - name: ops - image: orihoch/sk8sops:pipelines-gcs@sha256:a6e8f94c2e68fc8da552abcbdac865763d40e79895b87ff06a98ebd588070cf0 - resources: {"requests": {"cpu": "0.01", "memory": "100Mi"}} - command: - - bash - - "-c" - - > - source ~/.bashrc; - gcloud config set project "{{ .Values.global.googleProjectId }}" && - echo "gs://{{ .Values.global.projectName }}-k8s-backups/{{ .Values.global.environmentName }}/traefik-acme/`date +%Y-%m-%d-%H-%M`/" > /latest && - gsutil -m rsync -r /traefik-acme `cat /latest` && - gsutil cp /latest gs://{{ .Values.global.projectName }}-k8s-backups/{{ .Values.global.environmentName }}/traefik-acme/latest - volumeMounts: - - name: k8s-ops - mountPath: /k8s-ops - readOnly: true - - name: traefik-acme - mountPath: /traefik-acme - volumes: - - name: k8s-ops - secret: - secretName: ops - - name: traefik-acme - hostPath: - type: DirectoryOrCreate - path: /var/{{ .Values.global.projectName }}-traefik-acme-{{ .Values.global.environmentName }} - restartPolicy: Never -{{ end }}{{ end }} diff --git a/templates/traefik-etc.yaml b/templates/traefik-etc.yaml index 287cb5d..99e86ad 100644 --- a/templates/traefik-etc.yaml +++ b/templates/traefik-etc.yaml @@ -7,26 +7,31 @@ data: traefik.toml: | # https://docs.traefik.io/configuration/commons/ - {{ if .Values.global.debug }} - debug = true - {{ end }} + debug = false defaultEntryPoints = ["http", "https"] [entryPoints] [entryPoints.http] address = ":80" + {{ if .Values.traefik.acmeEmail }} [entryPoints.http.redirect] entryPoint = "https" - + {{ end }} + + {{ if .Values.traefik.acmeEmail }} [entryPoints.https] address = ":443" [entryPoints.https.tls] + {{ end }} {{ if .Values.traefik.acmeEmail }} # let's encrypt automatic ssl certificate issue and renewal [acme] email = {{ .Values.traefik.acmeEmail | quote }} + {{ if .Values.traefik.dnsProvider }} + dnsProvider = {{ .Values.traefik.dnsProvider | quote }} + {{ end }} storage = "/traefik-acme/acme.json" entryPoint = "https" {{ .Values.traefik.acmeDomains | indent 6 }} @@ -53,6 +58,12 @@ data: url = "http://volunteers:8000" {{ end }} + {{ if .Values.profiles.enabled }} + [backends.profiles] + [backends.profiles.servers.server1] + url = "http://profiles-drupal" + {{ end }} + [frontends] {{ if .Values.nginx.enabled }} [frontends.default] @@ -76,4 +87,12 @@ data: rule = "{{ .Values.traefik.volunteersHostsRule }}" {{ end }} + {{ if .Values.profiles.enabled }} + [frontends.profiles] + backend="profiles" + passHostHeader = true + [frontends.profiles.routes.route1] + rule = "{{ .Values.traefik.profilesHostsRule }}" + {{ end }} + {{ end }} diff --git a/templates/traefik.yaml b/templates/traefik.yaml index 63612a9..ce0b30c 100644 --- a/templates/traefik.yaml +++ b/templates/traefik.yaml @@ -9,10 +9,12 @@ spec: - {name: '443', port: 443} selector: app: traefik + {{ if .Values.traefik.enableLoadBalancer }} type: LoadBalancer {{ if .Values.traefik.loadBalancerIP }} loadBalancerIP: {{ .Values.traefik.loadBalancerIP | quote }} {{ end }} + {{ end }} --- apiVersion: apps/v1beta1 kind: Deployment @@ -36,28 +38,74 @@ spec: nodeSelector: cloud.google.com/gke-nodepool: {{ .Values.traefik.nodePool | quote }} {{ end }} -# initContainers: -# - name: ops -# image: orihoch/sk8sops:pipelines-gcs@sha256:a6e8f94c2e68fc8da552abcbdac865763d40e79895b87ff06a98ebd588070cf0 -# resources: {"requests": {"cpu": "0.01", "memory": "100Mi"}} -# command: -# - bash -# - "-c" -# - | -# if ! [ -e /traefik-acme/acme.json ]; then -# source ~/.bashrc; -# gcloud config set project "{{ .Values.global.googleProjectId }}" -# gsutil -m rsync -r `gsutil cat gs://{{ .Values.global.projectName }}-k8s-backups/{{ .Values.global.environmentName }}/traefik-acme/latest` /traefik-acme -# fi -# chmod -R 600 /traefik-acme -# exit 0 -# volumeMounts: -# - name: k8s-ops -# mountPath: /k8s-ops -# readOnly: true -# - name: traefik-acme -# mountPath: /traefik-acme + initContainers: + # initops container - copies the acme data from last backup before starting up the pod + - name: initops + image: gcr.io/uumpa-public/sk8s-google-storage-sync:v0.0.2 + resources: {"requests": {"cpu": "1m", "memory": "2Mi"}} + command: + - bash + - "-c" + - | + source ~/.bashrc; + gcloud config set project {{ .Values.global.googleProjectId | quote }} + ! gsutil -m rsync -x '^done|synced$' -r "gs://{{ .Values.global.backupsBucketName }}/{{ .Values.global.environmentName }}/traefik-acme/latest/" /traefik-acme/ \ + && echo "failed to get traefik acme details from backup, continuing anyway, traefik will create new certificates (hopefully..)" + chmod -R 600 /traefik-acme + volumeMounts: + - name: k8s-ops + mountPath: /k8s-ops + readOnly: true + - name: traefik-acme + mountPath: /traefik-acme containers: + - name: ops + image: gcr.io/uumpa-public/sk8s-google-storage-sync:v0.0.2 + resources: {"requests": {"cpu": "1m", "memory": "2Mi"}} + command: + - bash + - "-c" + - | + source ~/.bashrc; + gcloud config set project {{ .Values.global.googleProjectId | quote }} + echo "sleeping for 10 minutes before making the first backup to allow traefik time to issue certificates" + sleep 600 + echo "making daily backups" + LATEST_BACKUP="gs://{{ .Values.global.backupsBucketName }}/{{ .Values.global.environmentName }}/traefik-acme/latest/" + echo "LATEST_BACKUP=${LATEST_BACKUP}" + while true; do + HISTORY_BACKUP="gs://{{ .Values.global.backupsBucketName }}/{{ .Values.global.environmentName }}/traefik-acme/`date +%Y-%m-%d-%H-%M`/" + echo "HISTORY_BACKUP=${HISTORY_BACKUP}" + ! gsutil -m rsync -x '^done|synced$' -r /traefik-acme/ gs://{{ .Values.global.backupsBucketName }}/{{ .Values.global.environmentName }}/traefik-acme/latest/ \ + && echo "failed to sync latest backup" && exit 1 + ! gsutil -m rsync -x '^done|synced$' -r /traefik-acme/ "${HISTORY_BACKUP}" \ + && echo "failed to sync ${HISTORY_BACKUP}" && exit 1 + echo "sleeping for 1 day" + sleep 86400 + done + readinessProbe: + exec: + command: + - bash + - "-c" + - | + RES=0 + check_domain() { + curl --insecure -v https://${1}/ 2>&1 | grep "SSL certificate verify " | tee /dev/stderr | grep "SSL certificate verify ok." + } + {{ if .Values.traefik.SSLcheckMainDomain }}! check_domain {{ .Values.traefik.SSLcheckMainDomain }} && RES=1{{ end }} + {{ if .Values.traefik.SSLcheckSparkDomain }}! check_domain {{ .Values.traefik.SSLcheckSparkDomain }} && RES=1{{ end }} + {{ if .Values.traefik.SSLcheckProfilesDomain }}! check_domain {{ .Values.traefik.SSLcheckProfilesDomain }} && RES=1{{ end }} + {{ if .Values.traefik.SSLcheckVolunteersDomain }}! check_domain {{ .Values.traefik.SSLcheckVolunteersDomain }} && RES=1{{ end }} + exit $RES + initialDelaySeconds: 5 + periodSeconds: 5 + volumeMounts: + - name: k8s-ops + mountPath: /k8s-ops + readOnly: true + - name: traefik-acme + mountPath: /traefik-acme - name: traefik image: traefik ports: @@ -72,14 +120,24 @@ spec: mountPath: /traefik-acme args: - "--configFile=/etc-traefik/traefik.toml" + {{ if eq .Values.traefik.dnsProvider "route53" }} + env: + - name: AWS_ACCESS_KEY_ID + value: {{ .Values.traefik.AWS_ACCESS_KEY_ID | quote }} + - name: AWS_REGION + value: {{ .Values.traefik.AWS_REGION | quote }} + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: route53 + key: AWS_SECRET_ACCESS_KEY + {{ end }} volumes: - name: etc-traefik configMap: name: etc-traefik - name: traefik-acme - hostPath: - type: DirectoryOrCreate - path: /var/{{ .Values.global.projectName }}-traefik-acme-{{ .Values.global.environmentName }} + emptyDir: {} - name: k8s-ops secret: secretName: ops