From 2ba2c84d9602161d90cf3b0e461aa9ddb9b86c6c Mon Sep 17 00:00:00 2001 
From: pwei1018 Date: Fri, 23 Apr 2021 10:00:45 -0700 Subject: [PATCH] Helm Chart setup - bcregistry-api --- .github/ct.yaml | 3 + .github/helm-docs.sh | 12 + .github/kubeval.sh | 15 + .github/workflows/charts-ci.yaml | 45 ++ .github/workflows/charts-release.yaml | 32 + .github/workflows/downpage-off.yaml | 26 + .github/workflows/downpage-on.yaml | 31 + README.md | 3 +- argocd/installation.yaml | 573 ++++++++++++++++++ charts/README.md | 50 ++ charts/bcregistry-api/.helmignore | 22 + charts/bcregistry-api/Chart.yaml | 21 + charts/bcregistry-api/templates/NOTES.txt | 21 + charts/bcregistry-api/templates/_helpers.tpl | 58 ++ .../templates/deploymentconfig.yaml | 86 +++ charts/bcregistry-api/templates/hpa.yaml | 28 + charts/bcregistry-api/templates/route.yaml | 31 + charts/bcregistry-api/templates/secret.yaml | 13 + charts/bcregistry-api/templates/service.yaml | 15 + .../templates/tests/test-connection.yaml | 15 + charts/bcregistry-api/values.yaml | 103 ++++ disaster-recovery-plan/README.md | 4 +- disaster-recovery-plan/Vanity-URL-recovery.md | 6 +- downpage/README.md | 5 +- robots.txt | 1 + vault-service/Makefile | 6 +- vault-service/README.md | 2 +- vault-service/k8s/README.md | 14 +- vault-service/k8s/templates/dc.yaml | 13 +- vault-service/k8s/templates/rbac.yaml | 98 +-- vault-service/scripts/1pass.sh | 116 ++-- 31 files changed, 1304 insertions(+), 164 deletions(-) create mode 100755 .github/ct.yaml create mode 100755 .github/helm-docs.sh create mode 100755 .github/kubeval.sh create mode 100755 .github/workflows/charts-ci.yaml create mode 100755 .github/workflows/charts-release.yaml create mode 100644 .github/workflows/downpage-off.yaml create mode 100644 .github/workflows/downpage-on.yaml create mode 100644 argocd/installation.yaml create mode 100755 charts/README.md create mode 100755 charts/bcregistry-api/.helmignore create mode 100755 charts/bcregistry-api/Chart.yaml create mode 100755 charts/bcregistry-api/templates/NOTES.txt create mode 100755 
charts/bcregistry-api/templates/_helpers.tpl create mode 100755 charts/bcregistry-api/templates/deploymentconfig.yaml create mode 100644 charts/bcregistry-api/templates/hpa.yaml create mode 100755 charts/bcregistry-api/templates/route.yaml create mode 100644 charts/bcregistry-api/templates/secret.yaml create mode 100755 charts/bcregistry-api/templates/service.yaml create mode 100755 charts/bcregistry-api/templates/tests/test-connection.yaml create mode 100755 charts/bcregistry-api/values.yaml create mode 100644 robots.txt diff --git a/.github/ct.yaml b/.github/ct.yaml new file mode 100755 index 00000000..b47779eb --- /dev/null +++ b/.github/ct.yaml @@ -0,0 +1,3 @@ +helm-extra-args: --timeout 600s +# check-version-increment: true +debug: true diff --git a/.github/helm-docs.sh b/.github/helm-docs.sh new file mode 100755 index 00000000..27f9961d --- /dev/null +++ b/.github/helm-docs.sh @@ -0,0 +1,12 @@ +#!/bin/bash +set -euo pipefail + +HELM_DOCS_VERSION="1.5.0" + +# install helm-docs +curl --silent --show-error --fail --location --output /tmp/helm-docs.tar.gz https://github.com/norwoodj/helm-docs/releases/download/v"${HELM_DOCS_VERSION}"/helm-docs_"${HELM_DOCS_VERSION}"_Linux_x86_64.tar.gz +tar -xf /tmp/helm-docs.tar.gz helm-docs + +# validate docs +./helm-docs +git diff --exit-code diff --git a/.github/kubeval.sh b/.github/kubeval.sh new file mode 100755 index 00000000..cc81f85b --- /dev/null +++ b/.github/kubeval.sh 
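Review bot: The helm-docs binary fetched by `curl` in helm-docs.sh is extracted and executed with no integrity check, so the only thing pinning what runs in CI is the mutable release tag `v1.5.0` on a third-party GitHub release. A replaced or tampered release asset would run with the repository checkout and the job's token in scope. Record the published digest and verify it before `tar -xf`: `HELM_DOCS_SHA256="<sha256 of helm-docs_1.5.0_Linux_x86_64.tar.gz>"` near the version, then `echo "${HELM_DOCS_SHA256}  /tmp/helm-docs.tar.gz" | sha256sum -c --strict -` after the download. Note also that nothing in this patch's workflows invokes this script, so it is currently dead code in CI.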
@@ -0,0 +1,15 @@ +#!/bin/bash +set -euo pipefail + +CHART_DIRS="$(git diff --find-renames --name-only "$(git rev-parse --abbrev-ref HEAD)" remotes/origin/master -- charts | grep '[cC]hart.yaml' | sed -e 's#/[Cc]hart.yaml##g')" +KUBEVAL_VERSION="0.16.0" +SCHEMA_LOCATION="https://raw.githubusercontent.com/instrumenta/kubernetes-json-schema/master/" + +# install kubeval +curl --silent --show-error --fail --location --output /tmp/kubeval.tar.gz https://github.com/instrumenta/kubeval/releases/download/"${KUBEVAL_VERSION}"/kubeval-linux-amd64.tar.gz +tar -xf /tmp/kubeval.tar.gz kubeval + +# validate charts +for CHART_DIR in ${CHART_DIRS}; do + helm template --values "${CHART_DIR}"/ci/ci-values.yaml "${CHART_DIR}" | ./kubeval --strict --ignore-missing-schemas --kubernetes-version "${KUBERNETES_VERSION#v}" --schema-location "${SCHEMA_LOCATION}" +done diff --git a/.github/workflows/charts-ci.yaml b/.github/workflows/charts-ci.yaml new file mode 100755 index 00000000..79e9e363 --- /dev/null +++ b/.github/workflows/charts-ci.yaml @@ -0,0 +1,45 @@ +name: Lint and Test Charts + +on: + pull_request: + paths: + - "charts/**" + +jobs: + lint-test: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 0 + + - name: Set up Helm + uses: azure/setup-helm@v1 + with: + version: v3.4.0 + + - uses: actions/setup-python@v2 + with: + python-version: 3.7 + + - name: Set up chart-testing + uses: helm/chart-testing-action@v2.0.1 + + - name: Run chart-testing (list-changed) + id: list-changed + run: | + changed=$(ct list-changed) + if [[ -n "$changed" ]]; then + echo "::set-output name=changed::true" + fi + + - name: Run chart-testing (lint) + run: ct lint + + - name: Create kind cluster + uses: helm/kind-action@v1.0.0 + if: steps.list-changed.outputs.changed == 'true' + + - name: Run chart-testing (install) + run: ct install 
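Review bot: `KUBERNETES_VERSION` is expanded as `"${KUBERNETES_VERSION#v}"` in the kubeval loop but is never assigned in the script, and charts-ci.yaml does not export it, so under `set -euo pipefail` the script aborts on the first chart before validating anything. Make the requirement explicit near the other constants, e.g. `: "${KUBERNETES_VERSION:?set to the target cluster version, e.g. v1.19.0}"`. Two further mismatches make this script unlikely to run as written: it diffs against `remotes/origin/master` while charts-release.yaml treats `main` as the default branch, and it passes `"${CHART_DIR}"/ci/ci-values.yaml`, which the bcregistry-api chart added in this patch does not contain. As with helm-docs.sh, the kubeval tarball is downloaded and executed without a checksum; the same `sha256sum -c` guard applies.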
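Review bot: The `Run chart-testing (install)` step in charts-ci.yaml has no `if:` condition, while the `Create kind cluster` step it depends on is gated on `steps.list-changed.outputs.changed == 'true'`; when no chart changed, `ct install` runs with no cluster and the job fails. Add the same guard to the install step: `if: steps.list-changed.outputs.changed == 'true'`. Separately, every action here (`actions/checkout@v2`, `azure/setup-helm@v1`, `helm/chart-testing-action@v2.0.1`, `helm/kind-action@v1.0.0`) is referenced by a mutable tag; pinning to full commit SHAs and adding a top-level `permissions: contents: read` limits what a compromised action can do with the job token, which is the usual hardening for a pull_request workflow.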
diff --git a/.github/workflows/charts-release.yaml b/.github/workflows/charts-release.yaml new file mode 100755 index 00000000..8a60a162 --- /dev/null +++ b/.github/workflows/charts-release.yaml @@ -0,0 +1,32 @@ +name: Release Charts + +on: + push: + branches: + - main + paths: + - "charts/**" + +jobs: + release: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v2 + with: + fetch-depth: 0 + + - name: Configure Git + run: | + git config user.name "$GITHUB_ACTOR" + git config user.email "$GITHUB_ACTOR@users.noreply.github.com" + + - name: Install Helm + uses: azure/setup-helm@v1 + with: + version: v3.4.0 + + - name: Run chart-releaser + uses: helm/chart-releaser-action@v1.2.0 + env: + CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" diff --git a/.github/workflows/downpage-off.yaml b/.github/workflows/downpage-off.yaml new file mode 100644 index 00000000..132a0b89 --- /dev/null +++ b/.github/workflows/downpage-off.yaml 
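Review bot: charts-release.yaml hands `secrets.GITHUB_TOKEN` to `helm/chart-releaser-action` without a `permissions:` block, so the token carries the repository's default scope rather than the single write the releaser needs. Declare the least privilege explicitly at the top of the workflow: `permissions:` / `  contents: write`. The action tags (`actions/checkout@v2`, `azure/setup-helm@v1`, `helm/chart-releaser-action@v1.2.0`) are mutable and this job publishes artifacts with write access, so this is the workflow where pinning to commit SHAs matters most. Note the branch filter is `main` while .github/kubeval.sh compares against `origin/master`; one of the two is wrong for this repository.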
@@ -0,0 +1,26 @@ +name: Turn off downpage + +on: + workflow_dispatch: + inputs: + environement: + description: "Environment (dev/test/prod)" + required: true + default: "dev" + +jobs: + downpage-off: + runs-on: ubuntu-20.04 + + steps: + - uses: actions/checkout@v2 + - name: Set env by input + run: | + echo "TAG_NAME=${{ github.event.inputs.environement }}" >> $GITHUB_ENV + - name: Login Openshift and turn off downpage + run: | + oc login --server=${{secrets.OPENSHIFT4_LOGIN_REGISTRY}} --token=${{secrets.OPENSHIFT4_SA_TOKEN}} + oc patch route bc-registry-search-prod -p '{"spec": {"to": {"name": "search-web-prod"}, "port": {"targetPort": "search-web-prod-tcp"}}}' -n ${{secrets.OPENSHIFT4_NAMESPACE_FRONTEND}}-prod + oc patch route bc-registry-namerequest-prod -p '{"spec": {"to": {"name": "namerequest-prod"}, "port": {"targetPort": "namerequest-prod-tcp"}}}' -n ${{secrets.OPENSHIFT4_NAMESPACE_FRONTEND}}-prod + oc patch route bc-registry-business-prod -p '{"spec": {"to": {"name": "business-filings-prod"}, "port": {"targetPort": "business-filings-prod-tcp"}}}' -n ${{secrets.OPENSHIFT4_NAMESPACE_FRONTEND}}-prod + oc patch route bc-registry-auth-prod -p '{"spec": {"to": {"name": "auth-web-prod"}, "port": {"targetPort": "auth-web-prod-tcp"}}}' -n ${{secrets.OPENSHIFT4_NAMESPACE_FRONTEND}}-prod diff --git a/.github/workflows/downpage-on.yaml b/.github/workflows/downpage-on.yaml new file mode 100644 index 00000000..741232a5 --- /dev/null +++ b/.github/workflows/downpage-on.yaml 
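Review bot: The `environement` input is copied into `TAG_NAME` and then never read — every `oc patch` in the last step targets `bc-registry-*-prod` routes in the `${{secrets.OPENSHIFT4_NAMESPACE_FRONTEND}}-prod` namespace, so a dispatch with the default value `dev` silently rewrites production routes. Either drop the input and name the workflow as prod-only, or thread it through, e.g. `oc patch route bc-registry-search-${{ env.TAG_NAME }} ... -n ${{secrets.OPENSHIFT4_NAMESPACE_FRONTEND}}-${{ env.TAG_NAME }}`, with an allow-list check (`dev|test|prod`) before `oc login`. Because this job can alter production traffic routing from a button click, consider binding it to a GitHub `environment: prod` with required reviewers so the service-account token is only released after approval. The input name is also misspelled (`environement`), which will bite anyone dispatching via the API.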
@@ -0,0 +1,31 @@ +name: Turn on downpage + +on: + schedule: + - cron: "40 11 25 04 *" + workflow_dispatch: + inputs: + environement: + description: "Environment (prod/test/prod)" + required: true + default: "prod" +jobs: + downpage-on: + runs-on: ubuntu-20.04 + + steps: + - uses: actions/checkout@v2 + - name: Set env by input + run: | + echo "TAG_NAME=${{ github.event.inputs.environement }}" >> $GITHUB_ENV + - name: Set env + if: env.TAG_NAME == '' + run: | + echo "TAG_NAME=prod" >> $GITHUB_ENV + - name: Login Openshift and Turn on downpage + run: | + oc login --server=${{secrets.OPENSHIFT4_LOGIN_REGISTRY}} --token=${{secrets.OPENSHIFT4_SA_TOKEN}} + oc patch route bc-registry-search-prod -p '{"spec": {"to": {"name": "downpage-prod"}, "port": {"targetPort": "downpage-prod-tcp"}}}' -n ${{secrets.OPENSHIFT4_NAMESPACE_FRONTEND}}-prod + oc patch route bc-registry-namerequest-prod -p '{"spec": {"to": {"name": "downpage-prod"}, "port": {"targetPort": "downpage-prod-tcp"}}}' -n ${{secrets.OPENSHIFT4_NAMESPACE_FRONTEND}}-prod + oc patch route bc-registry-business-prod -p '{"spec": {"to": {"name": "downpage-prod"}, "port": {"targetPort": "downpage-prod-tcp"}}}' -n ${{secrets.OPENSHIFT4_NAMESPACE_FRONTEND}}-prod + oc patch route bc-registry-auth-prod -p '{"spec": {"to": {"name": "downpage-prod"}, "port": {"targetPort": "downpage-prod-tcp"}}}' -n ${{secrets.OPENSHIFT4_NAMESPACE_FRONTEND}}-prod diff --git a/README.md b/README.md index bc1f117d..7b60f109 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,7 @@ [![img](https://img.shields.io/badge/Lifecycle-Experimental-339999)](https://github.com/bcgov/repomountie/blob/master/doc/lifecycle-badges.md) --- -description: BC Registries and Online Services SRE team's application -ignore: true +BC Registries and Online Services SRE team's application --- ## About diff --git a/argocd/installation.yaml b/argocd/installation.yaml new file mode 100644 index 00000000..ff59dde9 --- /dev/null +++ b/argocd/installation.yaml 
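Review bot: The `schedule` trigger `"40 11 25 04 *"` has no year component, so this workflow will re-fire every 25 April at 11:40 UTC and redirect all four production routes to `downpage-prod` until someone remembers to remove it; on scheduled runs `inputs` is empty, so the `TAG_NAME=prod` fallback guarantees it targets prod. If this is a one-off maintenance window, remove the `schedule:` block in the same change that ends the window, or leave `workflow_dispatch` as the only trigger. As in downpage-off.yaml, the input is never used (all routes and the namespace are hardcoded to `-prod`), and the description `"Environment (prod/test/prod)"` appears to be a typo for `dev/test/prod`. A `environment: prod` job setting with required reviewers would give this destructive action an approval gate.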
@@ -0,0 +1,573 @@ +# This is an auto-generated file. DO NOT EDIT +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: application-controller + app.kubernetes.io/name: argocd-application-controller + app.kubernetes.io/part-of: argocd + name: argocd-application-controller +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: dex-server + app.kubernetes.io/name: argocd-dex-server + app.kubernetes.io/part-of: argocd + name: argocd-dex-server +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: argocd-server + app.kubernetes.io/part-of: argocd + name: argocd-server +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: application-controller + app.kubernetes.io/name: argocd-application-controller + app.kubernetes.io/part-of: argocd + name: argocd-application-controller +rules: + - apiGroups: + - "" + resources: + - secrets + - configmaps + verbs: + - get + - list + - watch + - apiGroups: + - argoproj.io + resources: + - applications + - appprojects + verbs: + - create + - get + - list + - watch + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: dex-server + app.kubernetes.io/name: argocd-dex-server + app.kubernetes.io/part-of: argocd + name: argocd-dex-server +rules: + - apiGroups: + - "" + resources: + - secrets + - configmaps + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: argocd-server + app.kubernetes.io/part-of: argocd + name: argocd-server +rules: + - apiGroups: + - "" + resources: + - secrets + - configmaps + verbs: + - create + - get + - list + - watch + - update + - patch + 
- delete + - apiGroups: + - argoproj.io + resources: + - applications + - appprojects + verbs: + - create + - get + - list + - watch + - update + - delete + - patch + - apiGroups: + - "" + resources: + - events + verbs: + - list +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: application-controller + app.kubernetes.io/name: argocd-application-controller + app.kubernetes.io/part-of: argocd + name: argocd-application-controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argocd-application-controller +subjects: + - kind: ServiceAccount + name: argocd-application-controller +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: dex-server + app.kubernetes.io/name: argocd-dex-server + app.kubernetes.io/part-of: argocd + name: argocd-dex-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argocd-dex-server +subjects: + - kind: ServiceAccount + name: argocd-dex-server +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: argocd-server + app.kubernetes.io/part-of: argocd + name: argocd-server +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: argocd-server +subjects: + - kind: ServiceAccount + name: argocd-server +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/name: argocd-cm + app.kubernetes.io/part-of: argocd + name: argocd-cm +--- +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/name: argocd-rbac-cm + app.kubernetes.io/part-of: argocd + name: argocd-rbac-cm +--- +apiVersion: v1 +data: + ssh_known_hosts: | + bitbucket.org ssh-rsa 
AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw== + github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ== + gitlab.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBFSMqzJeV9rUzU4kWitGjeR4PWSa29SPqJ1fVkhtj3Hw9xjLVXVYrU9QlYWrOLXBpQ6KWjbjTDTdDkoohFzgbEY= + gitlab.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfuCHKVTjquxvt6CM6tdG4SLp1Btn/nOeHHE5UOzRdf + gitlab.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsj2bNKTBSpIYDEGk9KxsGh3mySTRgMtXL583qmBpzeQ+jqCMRgBqB98u3z++J1sKlXHWfM9dyhSevkMwSbhoR8XIq/U0tCNyokEi/ueaBMCvbcTHhO7FcwzY92WK4Yt0aGROY5qX2UKSeOvuP4D6TPqKF1onrSzH9bx9XUf2lEdWT/ia1NEKjunUqu1xOB/StKDHMoX4/OKyIzuS0q/T1zOATthvasJFoPrAjkohTyaDUz2LN5JoH839hViyEG82yB+MjcFV5MU3N1l1QL3cVUCh93xSaua1N85qivl+siMkPGbO5xR/En4iEY6K2XPASUEMaieWVNTRCtJ4S8H+9 + ssh.dev.azure.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H + vs-ssh.visualstudio.com ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQC7Hr1oTWqNqOlzGJOfGJ4NakVyIzf1rXYd4d7wo6jBlkLvCA4odBlL0mDUyZ0/QUfTTqeu+tm22gOsv+VrVTMk6vwRU75gY/y9ut5Mb3bR5BV58dKXyq9A9UeB5Cakehn5Zgm6x1mKoVyf+FFn26iYqXJRgzIZZcZ5V6hrE0Qg39kZm4az48o0AUbf6Sp4SLdvnuMa2sVNwHBboS7EJkm57XQPVU3/QpyNLHbWDdzwtrlS+ez30S3AdYhLKEOxAG8weOnyrtLJAUen9mTkol8oII1edf7mWWbWVf0nBmly21+nZcmCTISQBtdcyPaEno7fFQMDD26/s0lfKob4Kw8H +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/name: argocd-ssh-known-hosts-cm + app.kubernetes.io/part-of: argocd + name: argocd-ssh-known-hosts-cm +--- +apiVersion: v1 +data: null +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/name: argocd-tls-certs-cm + app.kubernetes.io/part-of: argocd + name: argocd-tls-certs-cm +--- +apiVersion: v1 +kind: Secret +metadata: + labels: + app.kubernetes.io/name: argocd-secret + app.kubernetes.io/part-of: argocd + name: argocd-secret +type: Opaque +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: dex-server + app.kubernetes.io/name: argocd-dex-server + app.kubernetes.io/part-of: argocd + name: argocd-dex-server +spec: + ports: + - name: http + port: 5556 + protocol: TCP + targetPort: 5556 + - name: grpc + port: 5557 + protocol: TCP + targetPort: 5557 + - name: metrics + port: 5558 + protocol: TCP + targetPort: 5558 + selector: + app.kubernetes.io/name: argocd-dex-server +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: metrics + app.kubernetes.io/name: argocd-metrics + app.kubernetes.io/part-of: argocd + name: argocd-metrics +spec: + ports: + - name: metrics + port: 8082 + protocol: TCP + targetPort: 8082 + selector: + app.kubernetes.io/name: argocd-application-controller +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: redis + app.kubernetes.io/name: argocd-redis + app.kubernetes.io/part-of: argocd + name: argocd-redis +spec: + ports: + - name: tcp-redis + port: 6379 + targetPort: 6379 + selector: + app.kubernetes.io/name: 
argocd-redis +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: repo-server + app.kubernetes.io/name: argocd-repo-server + app.kubernetes.io/part-of: argocd + name: argocd-repo-server +spec: + ports: + - name: server + port: 8081 + protocol: TCP + targetPort: 8081 + - name: metrics + port: 8084 + protocol: TCP + targetPort: 8084 + selector: + app.kubernetes.io/name: argocd-repo-server +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: argocd-server-metrics + app.kubernetes.io/part-of: argocd + name: argocd-server-metrics +spec: + ports: + - name: metrics + port: 8083 + protocol: TCP + targetPort: 8083 + selector: + app.kubernetes.io/name: argocd-server +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: argocd-server + app.kubernetes.io/part-of: argocd + name: argocd-server +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: 8080 + - name: https + port: 443 + protocol: TCP + targetPort: 8080 + selector: + app.kubernetes.io/name: argocd-server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: application-controller + app.kubernetes.io/name: argocd-application-controller + app.kubernetes.io/part-of: argocd + name: argocd-application-controller +spec: + selector: + matchLabels: + app.kubernetes.io/name: argocd-application-controller + strategy: + type: Recreate + template: + metadata: + labels: + app.kubernetes.io/name: argocd-application-controller + spec: + containers: + - command: + - argocd-application-controller + - --status-processors + - "20" + - --operation-processors + - "10" + image: argoproj/argocd:v1.6.2 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8082 + initialDelaySeconds: 5 + periodSeconds: 10 + name: argocd-application-controller + ports: + - containerPort: 8082 + readinessProbe: 
+ httpGet: + path: /healthz + port: 8082 + initialDelaySeconds: 5 + periodSeconds: 10 + serviceAccountName: argocd-application-controller +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: dex-server + app.kubernetes.io/name: argocd-dex-server + app.kubernetes.io/part-of: argocd + name: argocd-dex-server +spec: + selector: + matchLabels: + app.kubernetes.io/name: argocd-dex-server + template: + metadata: + labels: + app.kubernetes.io/name: argocd-dex-server + spec: + containers: + - command: + - /shared/argocd-util + - rundex + image: quay.io/dexidp/dex:v2.22.0 + imagePullPolicy: Always + name: dex + ports: + - containerPort: 5556 + - containerPort: 5557 + - containerPort: 5558 + volumeMounts: + - mountPath: /shared + name: static-files + initContainers: + - command: + - cp + - -n + - /usr/local/bin/argocd-util + - /shared + image: argoproj/argocd:v1.6.2 + imagePullPolicy: Always + name: copyutil + volumeMounts: + - mountPath: /shared + name: static-files + serviceAccountName: argocd-dex-server + volumes: + - emptyDir: {} + name: static-files +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: redis + app.kubernetes.io/name: argocd-redis + app.kubernetes.io/part-of: argocd + name: argocd-redis +spec: + selector: + matchLabels: + app.kubernetes.io/name: argocd-redis + template: + metadata: + labels: + app.kubernetes.io/name: argocd-redis + spec: + containers: + - args: + - --save + - "" + - --appendonly + - "no" + image: redis:5.0.3 + imagePullPolicy: Always + name: redis + ports: + - containerPort: 6379 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: repo-server + app.kubernetes.io/name: argocd-repo-server + app.kubernetes.io/part-of: argocd + name: argocd-repo-server +spec: + selector: + matchLabels: + app.kubernetes.io/name: argocd-repo-server + template: + metadata: + labels: + app.kubernetes.io/name: argocd-repo-server + spec: 
+ automountServiceAccountToken: false + containers: + - command: + - uid_entrypoint.sh + - argocd-repo-server + - --redis + - argocd-redis:6379 + image: argoproj/argocd:v1.6.2 + imagePullPolicy: Always + livenessProbe: + initialDelaySeconds: 5 + periodSeconds: 10 + tcpSocket: + port: 8081 + name: argocd-repo-server + ports: + - containerPort: 8081 + - containerPort: 8084 + readinessProbe: + initialDelaySeconds: 5 + periodSeconds: 10 + tcpSocket: + port: 8081 + volumeMounts: + - mountPath: /app/config/ssh + name: ssh-known-hosts + - mountPath: /app/config/tls + name: tls-certs + volumes: + - configMap: + name: argocd-ssh-known-hosts-cm + name: ssh-known-hosts + - configMap: + name: argocd-tls-certs-cm + name: tls-certs +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app.kubernetes.io/component: server + app.kubernetes.io/name: argocd-server + app.kubernetes.io/part-of: argocd + name: argocd-server +spec: + selector: + matchLabels: + app.kubernetes.io/name: argocd-server + template: + metadata: + labels: + app.kubernetes.io/name: argocd-server + spec: + containers: + - command: + - argocd-server + - --staticassets + - /shared/app + image: argoproj/argocd:v1.6.2 + imagePullPolicy: Always + livenessProbe: + httpGet: + path: /healthz + port: 8080 + initialDelaySeconds: 3 + periodSeconds: 30 + name: argocd-server + ports: + - containerPort: 8080 + - containerPort: 8083 + readinessProbe: + httpGet: + path: /healthz + port: 8080 + initialDelaySeconds: 3 + periodSeconds: 30 + volumeMounts: + - mountPath: /app/config/ssh + name: ssh-known-hosts + - mountPath: /app/config/tls + name: tls-certs + serviceAccountName: argocd-server + volumes: + - emptyDir: {} + name: static-files + - configMap: + name: argocd-ssh-known-hosts-cm + name: ssh-known-hosts + - configMap: + name: argocd-tls-certs-cm + name: tls-certs diff --git a/charts/README.md b/charts/README.md new file mode 100755 index 00000000..38e69064 --- /dev/null +++ b/charts/README.md 
@@ -0,0 +1,50 @@ +[![img](https://img.shields.io/badge/Lifecycle-Experimental-339999)](https://github.com/bcgov/repomountie/blob/master/doc/lifecycle-badges.md) + +# BC Registries Services Helm Charts Repository + +## TL;DR + +```bash +$ helm repo add bcregistry https://bcgov.github.io/bcregistry-charts +$ helm search repo bcregistry +$ helm install my-app-name bcregistry/ --namespace -f +``` + +### Prerequisites +- OpenShift 4.5+ +- Kubernetes 1.12+ +- Helm 3.1.0+ + + +### Install Helm + +Helm is a tool for managing Kubernetes charts. Charts are packages of pre-configured Kubernetes resources. + +To install Helm, refer to the [Helm install guide](https://github.com/helm/helm#install) and ensure that the `helm` binary is in the `PATH` of your shell. + +### Add Repo + +The following command allows you to download and install all the charts from this repository: + +```bash +$ helm repo add bcregistry https://bcgov.github.io/bcregistry-charts +``` +### Using Helm + +Please refer to the [Quick Start guide](https://helm.sh/docs/intro/quickstart/) if you wish to get running in just a few commands, otherwise the [Using Helm Guide](https://helm.sh/docs/intro/using_helm/) provides detailed instructions on how to use the Helm client to manage packages on your Kubernetes cluster. 
+ +Useful Helm Client Commands: +* View available charts: `helm search repo` +* Install a chart from repo: `helm install my-app-name bcregistry/ --namespace -f ` +* Install a chart from local: `helm dep up & helm install my-app-name ./charts/ --namespace -f ` +* Upgrade your application: `helm upgrade my-app-name --namespace -f ` +* Uninstall/delete your application: `helm uninstall/delete --namespace my-app-name` + +### Charts + +| Name | Description | Supprt Applications | +| --------- | ----------- | ------- | +| `bcregistry-api` | Chart for API applications | `[auth-api,pay-api,legal-api,namex-api,notify-api,colin-api,status-api,search-api,ppr-api]` | +| `bcregistry-ui` | Chart for UI applications | `[auth-web,namerequest-ui,business-filings-ui,business-edit-ui,business-create-ui,search-web,namex-ui]` | +| `bcregistry-queue` | Chart for Queue Service applications | `[notify-queue,entity-filer,entity-emailer,entity-pay,account-mailer,activity-log-listener,events-listener,payment-reconciliations,namex-pay]` | +| `bcregistry-job` | Chart for Job Service applications | `[future-effective-filings,update-colin-filings,update-legal-filings,ftp-poller,payment-jobs,inprogress_update,nro-extractor,nro-update]` | diff --git a/charts/bcregistry-api/.helmignore b/charts/bcregistry-api/.helmignore new file mode 100755 index 00000000..50af0317 --- /dev/null +++ b/charts/bcregistry-api/.helmignore @@ -0,0 +1,22 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/bcregistry-api/Chart.yaml b/charts/bcregistry-api/Chart.yaml new file mode 100755 index 00000000..12ba099c --- /dev/null +++ b/charts/bcregistry-api/Chart.yaml 
@@ -0,0 +1,21 @@ +apiVersion: v2 +name: bcregistry-api +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +version: 0.0.1 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. +appVersion: 2.0.1 diff --git a/charts/bcregistry-api/templates/NOTES.txt b/charts/bcregistry-api/templates/NOTES.txt new file mode 100755 index 00000000..0d76d292 --- /dev/null +++ b/charts/bcregistry-api/templates/NOTES.txt 
@@ -0,0 +1,21 @@ +Thank you for installing {{ .Chart.Name }}. + +Your release is named {{ .Release.Name }} {{ .Release.Version }}. + +Get the application URL: +{{- if .Values.route.create }} + https://{{ include "bcregistry-api.host" . }}/{{ .Values.route.path }} +{{- else if contains "ClusterIP" .Values.service.type }} + export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "name={{ include "bcregistry-api.name" . }},environment={{ .Values.environment}}" -o jsonpath="{.items[0].metadata.name}") + echo "Visit http://127.0.0.1:8080 to use your application" + kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:{{ .Values.service.port }} +{{- else if contains "NodePort" .Values.service.type }} + export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "bcregistry-api.name" . }}) + export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") + echo http://$NODE_IP:$NODE_PORT +{{- else if contains "LoadBalancer" .Values.service.type }} + NOTE: It may take a few minutes for the LoadBalancer IP to be available. + You can watch the status of by running 'kubectl get svc -w {{ include "bcregistry-api.name" . }}' + export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "bcregistry-api.name" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}') + echo http://$SERVICE_IP:{{ .Values.service.port }} +{{- end }} diff --git a/charts/bcregistry-api/templates/_helpers.tpl b/charts/bcregistry-api/templates/_helpers.tpl new file mode 100755 index 00000000..f19702da --- /dev/null +++ b/charts/bcregistry-api/templates/_helpers.tpl 
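Review bot: `{{ .Release.Version }}` on the third line of NOTES.txt is not a field of Helm's built-in `Release` object (which exposes `Name`, `Namespace`, `Revision`, `IsUpgrade`, `IsInstall`, `Service`), so it renders as empty text after the release name. The revision number is presumably what was intended: `Your release is named {{ .Release.Name }} (revision {{ .Release.Revision }}).`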
@@ -0,0 +1,58 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "bcregistry-api.fullname" -}} +{{- .Release.Name -}}-{{- .Values.environment -}} +{{- end -}} + +{{/* +Expand the name of the chart. +*/}} +{{- define "bcregistry-api.name" -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Common labels +*/}} +{{- define "bcregistry-api.labels" -}} +{{ include "bcregistry-api.selectorLabels" . }} +{{- end -}} + +{{/* +Selector labels +*/}} +{{- define "bcregistry-api.selectorLabels" -}} +name: {{ include "bcregistry-api.name" . }} +environment: {{ .Values.environment }} +role: {{ .Values.role }} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "bcregistry-api.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "bcregistry-api.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + + +{{/* +image full path +*/}} +{{- define "bcregistry-api.image" -}} +{{- printf "%s/%s:%s-%s" .Values.image.repository .Values.image.namespace (include "bcregistry-api.fullname" .) .Values.environment }} +{{- end -}} + +{{/* +host full url +*/}} +{{- define "bcregistry-api.host" -}} +{{- printf "%s.%s" (include "bcregistry-api.fullname" .) .Values.route.routerCanonicalHostname }} +{{- end -}} diff --git a/charts/bcregistry-api/templates/deploymentconfig.yaml b/charts/bcregistry-api/templates/deploymentconfig.yaml new file mode 100755 index 00000000..50c8fc06 --- /dev/null +++ b/charts/bcregistry-api/templates/deploymentconfig.yaml 
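Review bot: `bcregistry-api.image` renders `<repository>/<namespace>:<release>-<environment>-<environment>`, because `bcregistry-api.fullname` already appends `.Values.environment` and the printf appends it again, and the `/` placement makes the image namespace the image name. The ImageChange trigger in deploymentconfig.yaml meanwhile watches `<release>:<environment>`, so the two references cannot describe the same image; presumably the intent is `{{- printf "%s/%s/%s:%s" .Values.image.repository .Values.image.namespace (include "bcregistry-api.name" .) .Values.environment }}`, to be confirmed against the registry layout. The comment above `bcregistry-api.fullname` promises 63-character truncation that the body does not perform; either drop the claim or make it true with `{{- printf "%s-%s" .Release.Name .Values.environment | trunc 63 | trimSuffix "-" -}}`, since this value is used as the DeploymentConfig and HPA name.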
@@ -0,0 +1,86 @@ +apiVersion: apps.openshift.io/v1 +kind: DeploymentConfig +metadata: + name: {{ include "bcregistry-api.fullname" . }} + labels: + {{- include "bcregistry-api.labels" . | nindent 4 }} +spec: + strategy: + type: Rolling + rollingParams: + timeoutSeconds: 600 + updatePeriodSeconds: 1 + maxUnavailable: {{ .Values.rolling.maxUnavailable }} + maxSurge: {{ .Values.rolling.maxSurge }} + {{- if .Values.migrations.enabled }} + pre: + failurePolicy: Abort + execNewPod: + command: + - {{ .Values.migrations.command }} + containerName: {{ include "bcregistry-api.fullname" . }} + {{- end }} + {{- with .Values.resources }} + resources: + {{- toYaml .Values.resources | nindent 4 }} + {{- end }} + activeDeadlineSeconds: 21600 + triggers: + - type: ImageChange + imageChangeParams: + automatic: true + containerNames: + - {{ include "bcregistry-api.fullname" . }} + from: + kind: ImageStreamTag + namespace: {{ .Values.image.namespace }} + name: "{{ include "bcregistry-api.name" . }}:{{ .Values.environment }}" + replicas: {{ .Values.replicas }} + revisionHistoryLimit: {{ .Values.revisionHistoryLimit }} + selector: + {{- include "bcregistry-api.selectorLabels" . | nindent 4 }} + template: + metadata: + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + labels: + {{- include "bcregistry-api.labels" . | nindent 8 }} + spec: + {{- with .Values.imagePullSecrets }} + imagePullSecrets: + {{- toYaml . | nindent 8 }} + {{- end }} + serviceAccountName: {{ include "bcregistry-api.serviceAccountName" . }} + {{- with .Values.podSecurityContext }} + securityContext: + {{- toYaml .Values.podSecurityContext | nindent 8 }} + {{- end }} + containers: + - name: {{ include "bcregistry-api.fullname" . }} + securityContext: + {{- toYaml .Values.securityContext | nindent 12 }} + image: {{ include "bcregistry-api.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- with .Values.args }} + args: + {{- toYaml . 
| nindent 12 }} + {{ end }} + ports: + - name: http + containerPort: {{ .Values.ports.containerPort }} + protocol: {{ .Values.ports.protocol }} + {{- if .Values.livenessProbe }} + livenessProbe: + {{- toYaml .Values.livenessProbe | nindent 12 }} + {{- end }} + {{- if .Values.readinessProbe }} + readinessProbe: + {{- toYaml .Values.readinessProbe | nindent 12 }} + {{- end }} + {{- with .Values.resources }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + {{- end }} + diff --git a/charts/bcregistry-api/templates/hpa.yaml b/charts/bcregistry-api/templates/hpa.yaml new file mode 100644 index 00000000..288a5fd9 --- /dev/null +++ b/charts/bcregistry-api/templates/hpa.yaml @@ -0,0 +1,28 @@ +{{- if .Values.autoscaling.create }} +apiVersion: autoscaling/v2beta1 +kind: HorizontalPodAutoscaler +metadata: + name: {{ include "bcregistry-api.fullname" . }} + labels: + {{- include "bcregistry-api.labels" . | nindent 4 }} +spec: + scaleTargetRef: + apiVersion: apps.openshift.io/v1 + kind: DeploymentConfig + name: {{ include "bcregistry-api.fullname" . }} + minReplicas: {{ .Values.autoscaling.minReplicas }} + maxReplicas: {{ .Values.autoscaling.maxReplicas }} + metrics: + {{- if .Values.autoscaling.targetCPUUtilizationPercentage }} + - type: Resource + resource: + name: cpu + targetAverageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }} + {{- end }} + {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }} + - type: Resource + resource: + name: memory + targetAverageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }} + {{- end }} +{{- end }} diff --git a/charts/bcregistry-api/templates/route.yaml b/charts/bcregistry-api/templates/route.yaml new file mode 100755 index 00000000..fa61b859 --- /dev/null +++ b/charts/bcregistry-api/templates/route.yaml 
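Review bot: The pod never receives anything declared under `.Values.env`: the container spec has no `env`/`envFrom`, so the `<fullname>-secret` Secret that secret.yaml generates is created but never consumed, and entries with `secure: false` are dropped entirely. Add `envFrom: - secretRef: {name: {{ include "bcregistry-api.fullname" . }}-secret}` next to `ports:` (plus an `env:` loop for the non-secure entries) so the chart's own Secret is actually wired in. Separately, `securityContext:` is rendered straight from `.Values.securityContext`, which defaults to `{}`, so nothing in the chart asks for `allowPrivilegeEscalation: false`, `capabilities: {drop: [ALL]}` or `runAsNonRoot: true`; those are safe chart defaults for an API container and should live in values.yaml rather than be left to each installer. The `{{ end }}` after `args` lacks the `-` trim the other blocks use and will emit a stray whitespace line in the rendered manifest.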
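Review bot: A CPU utilization target can only be evaluated when the pods declare a CPU request, and this chart's `resources` default is `{}`, so with default values the HPA — rendered unconditionally because `autoscaling.create` defaults to `true` — will report the metric as unavailable and never scale; either give `resources.requests.cpu` a default or document the request as required next to `targetCPUUtilizationPercentage`. `autoscaling/v2beta1` is also a deprecated API group version (removed in Kubernetes 1.25, as far as I recall); `autoscaling/v2` with `target: {type: Utilization, averageUtilization: ...}` is the long-term form and worth adopting in a brand-new chart.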
@@ -0,0 +1,31 @@
+{{- if .Values.route.create -}}
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: {{ include "bcregistry-api.fullname" . }}
+ labels:
+ {{- include "bcregistry-api.labels" . | nindent 4 }}
+ {{- with .Values.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ host: {{ include "bcregistry-api.host" . }}
+ {{- with .Values.route.path }}
+ path: {{ . }}
+ {{- end }}
+ {{- with .Values.route.tls }}
+ tls:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ to:
+ kind: Service
+ name: {{ include "bcregistry-api.fullname" . }}
+ weight: 100
+ port:
+ targetPort: "{{ include "bcregistry-api.fullname" . }}-{{ lower .Values.service.protocol }}"
+ tls:
+ termination: edge
+ insecureEdgeTerminationPolicy: Redirect
+ wildcardPolicy: {{ .Values.route.wildcardPolicy }}
+{{- end }}
diff --git a/charts/bcregistry-api/templates/secret.yaml b/charts/bcregistry-api/templates/secret.yaml
new file mode 100644
index 00000000..0e1e2d0f
--- /dev/null
+++ b/charts/bcregistry-api/templates/secret.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "bcregistry-api.fullname" . }}-secret
+ labels:
+ {{- include "bcregistry-api.labels" . | nindent 4 }}
+type: Opaque
+data:
+{{- range $index, $val := .Values.env }}
+ {{- if .secure }}
+ {{ $index | kebabcase }}: {{ .value | b64enc | quote }}
+ {{ end }}
+{{ end }}
diff --git a/charts/bcregistry-api/templates/service.yaml b/charts/bcregistry-api/templates/service.yaml
new file mode 100755
index 00000000..907fa782
--- /dev/null
+++ b/charts/bcregistry-api/templates/service.yaml
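Review bot: `tls:` is emitted twice whenever `.Values.route.tls` is non-empty — once from the `with` block and again unconditionally with `termination: edge` — which is a duplicate mapping key that the YAML parser either rejects or resolves last-wins, so an installer's TLS settings can never take effect; make the hard-coded block the `else` branch of that `with`, or drop it. The `annotations` block reads `.Values.annotations`, not `.Values.route.annotations` where values.yaml documents `haproxy.router.openshift.io/ip_whitelist`; as written, an IP allow-list set through the documented key is silently ignored, which is a security-relevant footgun. Change it to `{{- with .Values.route.annotations }}`.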
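Review bot: `{{ $index | kebabcase }}` turns a key like `SOME_SEC_ENV_VAR` into `some-sec-env-var`, which cannot be exposed as an environment variable name through `envFrom`, and `.value | b64enc` errors when the value is a number or boolean rather than a string; `{{ $index }}: {{ .value | toString | b64enc | quote }}` keeps the key usable and tolerates both. Worth a comment above `data:` that `b64enc` is encoding, not protection: every `secure: true` value lives in plaintext in whatever values file supplies it and in Helm's release history, so such values should be passed at install time from the CI secret store rather than committed.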
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "bcregistry-api.fullname" . }}
+ labels:
+ {{- include "bcregistry-api.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: {{ .Values.service.targetPort }}
+ protocol: {{ .Values.service.protocol }}
+ name: "{{ include "bcregistry-api.fullname" . }}-{{ lower .Values.service.protocol }}"
+ selector:
+ {{- include "bcregistry-api.selectorLabels" . | nindent 4 }}
diff --git a/charts/bcregistry-api/templates/tests/test-connection.yaml b/charts/bcregistry-api/templates/tests/test-connection.yaml
new file mode 100755
index 00000000..8bb30274
--- /dev/null
+++ b/charts/bcregistry-api/templates/tests/test-connection.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "bcregistry-api.fullname" . }}-test-connection"
+ labels:
+ {{- include "bcregistry-api.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test-success
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "bcregistry-api.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
diff --git a/charts/bcregistry-api/values.yaml b/charts/bcregistry-api/values.yaml
new file mode 100755
index 00000000..54ca1728
--- /dev/null
+++ b/charts/bcregistry-api/values.yaml
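Review bot: The port `name` is `<release>-<env>-tcp`, but Kubernetes validates service port names as IANA service names of at most 15 characters, so a release named `bcregistry-api` yields `bcregistry-api-dev-tcp` (22 chars), the Service is rejected at admission, and the Route's `targetPort` that references the same string breaks with it. Use a short fixed name, `name: http`, matching the container port name already used in deploymentconfig.yaml, and reference `http` from route.yaml.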
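Review bot: `image: busybox` is unpinned, so the test pod runs whatever `latest` resolves to on the day the test is executed and nothing in the chart controls what code is pulled into the namespace; pin at least a tag, e.g. `image: busybox:1.36`, and ideally a digest. `"helm.sh/hook": test-success` is the legacy spelling of the hook — `test` is the current name, though I believe Helm 3 still accepts the old one.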
@@ -0,0 +1,103 @@ +# Default values for bcregistry-api. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +imagePullSecrets: [] + +environment: "dev" +role: "api" + +image: + repository: "image-registry.openshift-image-registry.svc:5000" + namespace: "6e0e49-tools" + pullPolicy: "IfNotPresent" + tag: "dev" + +imagePullSecrets: [] + +rolling: + maxUnavailable: 33% + maxSurge: 33% + +migrations: + enabled: true + command: "/opt/app-root/pre-hook-update-db.sh" + +ports: + containerPort: 8080 + protocol: TCP + +resources: {} + +replicas: 1 + +revisionHistoryLimit: 10 + +livenessProbe: + httpGet: + path: /ops/healthz + port: 8080 + scheme: HTTP + initialDelaySeconds: 3 + timeoutSeconds: 1 + +readinessProbe: + httpGet: + path: /ops/readyz + port: 8080 + scheme: HTTP + initialDelaySeconds: 3 + timeoutSeconds: 30 + +podAnnotations: {} + +podSecurityContext: {} + +securityContext: {} + +args: {} + +env: {} + # SOME_ENV_VAR: + # value: "var2" + # secure: false + # SOME_SEC_ENV_VAR: + # value: "var" + # secure: true + +service: + type: ClusterIP + port: 8080 + targetPort: 8080 + protocol: TCP + +route: + create: true + annotations: {} + # kubernetes.io/ingress.class: nginx + # kubernetes.io/tls-acme: "true" + # haproxy.router.openshift.io/ip_whitelist: '' + # haproxy.router.openshift.io/timeout: 900s + routerCanonicalHostname: apps.silver.devops.gov.bc.ca + path: "" + service: {} + wildcardPolicy: None + tls: {} + +autoscaling: + # Specifies whether the autoscaling should be created + create: true + minReplicas: 1 + maxReplicas: 1 + targetCPUUtilizationPercentage: 80 + # targetMemoryUtilizationPercentage: 80 + +serviceAccount: + # Specifies whether a service account should be created + create: false + # Annotations to add to the service account + annotations: {} + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + name: "" + 
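Review bot: `imagePullSecrets: []` is declared twice (once at the top, once after `image:`), a duplicate YAML key that some parsers reject and others resolve silently; delete one. `image.tag: "dev"` is not consumed by any template in this chart — `environment` is what selects the image stream tag — so either remove it or have the image helper use it, otherwise installers will set it and see no effect. `securityContext: {}` and `podSecurityContext: {}` leave the API container with no hardening unless every installer remembers to add it; a chart default such as `securityContext: {allowPrivilegeEscalation: false, runAsNonRoot: true, capabilities: {drop: [ALL]}}` is the safer baseline.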
diff --git a/disaster-recovery-plan/README.md b/disaster-recovery-plan/README.md index 00e2842f..1a614c6e 100644 --- a/disaster-recovery-plan/README.md +++ b/disaster-recovery-plan/README.md @@ -1,4 +1,4 @@ -img - [![img](https://img.shields.io/badge/Lifecycle-Experimental-339999)](https://github.com/bcgov/repomountie/blob/master/doc/lifecycle-badges.md) +[![img](https://img.shields.io/badge/Lifecycle-Experimental-339999)](https://github.com/bcgov/repomountie/blob/master/doc/lifecycle-badges.md) --- description: BC Registries and Online Services Diaster Recovery Plan @@ -7,7 +7,7 @@ ignore: true ## About -The disaster recovery plan is a plan that describes the steps of how to recover BC Registries and Online Services application from a disaster. +The IT Recovery Plan is a supporting document to BC Registries’ Business Continuity Plan. It defines the preventative controls, recovery strategies and contingency plan to restore a damaged system. ### Database diff --git a/disaster-recovery-plan/Vanity-URL-recovery.md b/disaster-recovery-plan/Vanity-URL-recovery.md index e2038fe2..ba3fe17a 100644 --- a/disaster-recovery-plan/Vanity-URL-recovery.md +++ b/disaster-recovery-plan/Vanity-URL-recovery.md @@ -1,4 +1,7 @@ -# Vanity URL list +# Purpose: +The IT Recovery Plan is a supporting document to BC Registries’ Business Continuity Plan. It defines the preventative controls, recovery strategies and contingency plan to restore a damaged system. +# Scope +## Vanity URL list (dev/test/www).bcregistry.ca/business (dev/test/www).bcregistry.ca/directorsearch @@ -6,3 +9,4 @@ (dev/test/www).bcregistry.ca/namerequest (dev/test/www).bcregistry.ca/ppr +# Recovery strategies diff --git a/downpage/README.md b/downpage/README.md index b8a21b0a..74c38849 100644 --- a/downpage/README.md +++ b/downpage/README.md 
@@ -15,9 +15,10 @@ Downpage ui is an application that can prevent users from accessing the BC Regis ### Turn on Downpage UI oc get route bc-registry-search-dev -oc patch route bc-registry-search-dev -p '{"spec": {"to": {"name": "search-web-dev"}, "port": {"targetPort": "search-web-dev-tcp"}}}' +oc patch route bc-registry-search-dev -p '{"spec": {"to": {"name": "downpage-dev"}, "port": {"targetPort": "downpage-dev-tcp"}}}' ### Turn off Downpage UI oc get route bc-registry-search-dev -oc patch route bc-registry-search-dev -p '{"spec": {"to": {"name": "downpage-dev"}, "port": {"targetPort": "downpage-dev-tcp"}}}' +oc patch route bc-registry-search-dev -p '{"spec": {"to": {"name": "search-web-dev"}, "port": {"targetPort": "search-web-dev-tcp"}}}' + diff --git a/robots.txt b/robots.txt new file mode 100644 index 00000000..954f34b2 --- /dev/null +++ b/robots.txt @@ -0,0 +1 @@ +“User-Agent: *nDisallow: /” diff --git a/vault-service/Makefile b/vault-service/Makefile index 90805a5d..20245002 100644 --- a/vault-service/Makefile +++ b/vault-service/Makefile @@ -1,8 +1,8 @@ .PHONY: setup .PHONY: ci cd -PROJECT_NAME:=bcros-cli -DOCKER_NAME:=bcros-cli +PROJECT_NAME:=vault-service +DOCKER_NAME:=vault-service ################################################################################# # COMMANDS -- Setup # @@ -25,7 +25,7 @@ test: ## Unit testing # expects export OPENSHIFT_SA_NAME="$(oc whoami)" # expects export OPENSHIFT_SA_TOKEN="$(oc whoami -t)" # expects export OPENSHIFT_REPOSITORY="" -# expects export TAG_NAME="dev/test" +# expects export TAG_NAME="dev/test/prod" # expects export OPS_REPOSITORY="" # ################################################################################# cd: build push ## CD flow diff --git a/vault-service/README.md b/vault-service/README.md index 141a84ae..08ae0554 100644 --- a/vault-service/README.md +++ b/vault-service/README.md 
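Review bot: The file's only line is `“User-Agent: *nDisallow: /”` — curly quotes wrap the whole thing and a literal `n` stands where a newline was intended — so this is not a parseable robots.txt and crawlers will ignore it rather than be excluded. Replace it with two plain lines, `User-agent: *` and `Disallow: /`, with no quotes. It is also not clear from this patch what serves a repository-root `robots.txt`; if nothing does, it should live with the web content that is actually served.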
@@ -13,7 +13,7 @@ The vault service is an application that can retrive the vault vaules from 1pass ## Usage ```shell -oc -n "$(OPS_REPOSITORY)-tools" exec dc/bcros-cli -- ./scripts/1pass.sh \ +oc -n "$(OPS_REPOSITORY)-tools" exec dc/vault-service -- ./scripts/1pass.sh \ -m "secret" \ -e "$(TAG_NAME)" \ -a "$(DOCKER_NAME)-$(TAG_NAME)" \ diff --git a/vault-service/k8s/README.md b/vault-service/k8s/README.md index eca845e2..329ea887 100644 --- a/vault-service/k8s/README.md +++ b/vault-service/k8s/README.md @@ -1,18 +1,18 @@ # RBAC -oc process -f k8s/templates/rbac.yaml -o yaml | oc apply -f - -n d893f6-dev +oc process -f k8s/templates/rbac.yaml -o yaml | oc apply -f - -n 73c567-dev -oc process -f k8s/templates/rbac.yaml -o yaml | oc apply -f - -n d893f6-test +oc process -f k8s/templates/rbac.yaml -p TAG=test -o yaml | oc apply -f - -n 73c567-test -oc process -f k8s/templates/rbac.yaml -o yaml | oc apply -f - -n d893f6-prod +oc process -f k8s/templates/rbac.yaml -p TAG=prod -o yaml | oc apply -f - -n 73c567-prod # buildconfig -oc process -f k8s/templates/bc.yaml -o yaml | oc apply -f - -n d893f6-tools +oc process -f k8s/templates/bc.yaml -o yaml | oc apply -f - -n 73c567-tools # deploymentconfig, service and route -oc process -f k8s/templates/dc.yaml -o yaml | oc apply -f - -n d893f6-dev +oc process -f k8s/templates/dc.yaml -o yaml | oc apply -f - -n 73c567-dev -oc process -f k8s/templates/dc.yaml -p TAG=test -o yaml | oc apply -f - -n d893f6-test +oc process -f k8s/templates/dc.yaml -p TAG=test -o yaml | oc apply -f - -n 73c567-test -oc process -f k8s/templates/dc.yaml -p TAG=prod -o yaml | oc apply -f - -n d893f6-prod +oc process -f k8s/templates/dc.yaml -p TAG=prod -o yaml | oc apply -f - -n 73c567-prod diff --git a/vault-service/k8s/templates/dc.yaml b/vault-service/k8s/templates/dc.yaml index 20714cfc..5c09a4be 100644 --- a/vault-service/k8s/templates/dc.yaml +++ b/vault-service/k8s/templates/dc.yaml 
@@ -79,9 +79,14 @@ objects: containerPort: 8080 protocol: TCP livenessProbe: - httpGet: - path: / - port: http + exec: + command: + - ls -l + initialDelaySeconds: 10 + timeoutSeconds: 1 + periodSeconds: 10 + successThreshold: 1 + failureThreshold: 3 readinessProbe: httpGet: path: / @@ -131,7 +136,7 @@ parameters: displayName: Namespace Name description: The base namespace name for the project. required: true - value: d893f6 + value: 73c567 - name: IMAGE_NAMESPACE displayName: Image Namespace diff --git a/vault-service/k8s/templates/rbac.yaml b/vault-service/k8s/templates/rbac.yaml index 9ba941ab..a221e299 100644 --- a/vault-service/k8s/templates/rbac.yaml +++ b/vault-service/k8s/templates/rbac.yaml @@ -12,7 +12,6 @@ # See the License for the specific language governing permissions and # limitations under the License. # ---- apiVersion: template.openshift.io/v1 kind: Template metadata: @@ -23,75 +22,16 @@ objects: metadata: name: ${NAME} labels: - app: ${NAME} + name: ${NAME} + environment: ${TAG} rules: - - verbs: - - create - apiGroups: - - build.openshift.io - - '' - resources: - - buildconfigs/instantiate - - verbs: - - create - - get - - list - apiGroups: - - build.openshift.io - - '' - resources: - - buildconfigs - - builds - - verbs: - - get - - list - apiGroups: - - image.openshift.io - - '' - resources: - - imagestreamimages - - imagestreams - - verbs: - - create - - get - - list - apiGroups: - - image.openshift.io - - '' - resources: - - imagestreamtags - - verbs: - - get - - list - apiGroups: - - image.openshift.io - - '' - resources: - - imagestreams - - verbs: - - get - - update - apiGroups: - - '' - - image.openshift.io - resources: - - imagestreams/layers - verbs: - get - list - watch - apiGroups: - - build.openshift.io - - '' - resources: - - builds/log - - verbs: - - get - - list - - watch - apiGroups: + apiGroups: - '' - resources: + resources: - pods - verbs: - create 
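Review bot: `command: - ls -l` passes the single string `ls -l` as argv[0]; exec probes are run directly, not through a shell, so the kubelet looks for an executable literally named `ls -l`, the probe fails every `periodSeconds`, and after `failureThreshold: 3` the vault-service container is restarted in a loop. Split it into `- ls` and `- -l` (or `- /bin/sh`, `- -c`, `- ls -l`). Even once it runs, `ls -l` only proves the filesystem is readable and says nothing about the process; if the HTTP probe on `/` was dropped because that path is unsuitable, a probe that checks the server itself (a dedicated health path, or a `pgrep` of the server process) gives liveness a meaning.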
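Review bot: The narrowed Role still grants `create`/`delete`/`patch`/`update` on `pods/exec` to the `github-cicd` account, which in practice means running arbitrary commands inside any pod of the target namespace and reading every Secret those pods mount; nothing in the template records why a CI pipeline needs exec rather than, say, `deploymentconfigs` patch alone. Add a short comment above the `pods/exec` rule stating which pod the pipeline execs into and for what (the 1pass.sh usage in the README suggests the vault-service DC), so the next reviewer can judge whether the grant is still needed.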
@@ -99,9 +39,9 @@ objects: - deletecollection - patch - update - apiGroups: + apiGroups: - '' - resources: + resources: - pods/exec - verbs: - get @@ -109,10 +49,10 @@ objects: - patch - update - watch - apiGroups: + apiGroups: - '' - apps.openshift.io - resources: + resources: - deploymentconfigs - apiVersion: authorization.openshift.io/v1 @@ -120,15 +60,16 @@ objects: metadata: name: ${NAME} labels: - app: ${NAME} + name: ${NAME} + environment: ${TAG} subjects: - kind: ServiceAccount name: ${NAME} - namespace: ${NAMESPACE}-tools + namespace: ${OPS_NAMESPACE}-tools roleRef: kind: Role name: ${NAME} - namespace: ${NAMESPACE} + namespace: ${NAMESPACE}-${TAG} apiGroup: authorization.openshift.io parameters: - displayName: Namespace @@ -136,7 +77,13 @@ parameters: The namespace where all of role are stored. name: NAMESPACE required: true - value: d893f6 + value: 73c567 + + - name: TAG + displayName: Environment TAG name + description: The TAG name for this environment, e.g., dev, test, prod + value: dev + required: true - displayName: Credentials Name description: | @@ -145,3 +92,10 @@ parameters: name: NAME required: true value: github-cicd + + - displayName: OPS Namespace + description: | + The namespace where all of role are stored. + name: OPS_NAMESPACE + required: true + value: 73c567 diff --git a/vault-service/scripts/1pass.sh b/vault-service/scripts/1pass.sh index a3168099..f4c3851d 100644 --- a/vault-service/scripts/1pass.sh +++ b/vault-service/scripts/1pass.sh @@ -7,13 +7,13 @@ usage() { cat <<-EOF A helper script to get the secrcts from 1password' vault. - Usage: ./1pass.sh [-h ] - -m - -e - -v - -a - -n - -f + Usage: ./1pass.sh [-h + -m + -e + -v + -a + -n + -f OPTIONS: ======== 
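Review bot: With `NAMESPACE` and `OPS_NAMESPACE` both defaulting to `73c567`, the single `github-cicd` ServiceAccount in `73c567-tools` is bound into `-dev`, `-test` and `-prod` alike, so one leaked CI token carries `pods/exec` in production; if prod is meant to be gated separately, parameterize a distinct subject per `TAG` (or at least a separate SA for prod) instead of reusing the tools-namespace account everywhere. This is a design observation on the new `subjects[].namespace: ${OPS_NAMESPACE}-tools` / `roleRef.namespace: ${NAMESPACE}-${TAG}` pairing, not a syntax problem with the template.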
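Review bot: The new `OPS_NAMESPACE` parameter reuses `NAMESPACE`'s description verbatim ("The namespace where all of role are stored"), which is not what it controls — it is the base name of the tools project that owns the `github-cicd` ServiceAccount being bound. Suggest `description: The base name of the tools project that owns the ${NAME} service account; the binding subject is ${OPS_NAMESPACE}-tools.`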
@@ -50,14 +50,10 @@ exit # ----------------------------------------------------------------------------------------------------------------- # Initialization: # ----------------------------------------------------------------------------------------------------------------- -while getopts h:a:d:u:k:p:v:m:e:n:r:f: FLAG; do +while getopts h:a:v:m:e:n:r:f: FLAG; do case $FLAG in h ) usage ;; a ) APP_NAME=$OPTARG ;; - d ) DOMAIN_NAME=$OPTARG ;; - u ) USERNAME=$OPTARG ;; - k ) SECRET_KEY=$OPTARG ;; - p ) MASTER_PASSWORD=$OPTARG ;; v ) VAULT=$OPTARG ;; m ) METHOD=$OPTARG ;; e ) ENVIRONMENT=$OPTARG ;; @@ -83,19 +79,6 @@ else DEPLOYMENT=false fi -if [ -z "${DOMAIN_NAME}" ]; then - DOMAIN_NAME=registries.1password.ca -fi - -if [ -z "${USERNAME}" ]; then - USERNAME=bcregistries.devops@gmail.com -fi - -if [ -z "${SECRET_KEY}" ] || [ -z "${MASTER_PASSWORD}" ]; then - echo -e \\n"Missing parameters - secret key or master password"\\n - usage -fi - if [ -z "${ENVIRONMENT}" ]; then echo -e \\n"Missing parameters - environment"\\n usage @@ -147,8 +130,10 @@ fi # Login to 1Password../s # Assumes you have installed the OP CLI and performed the initial configuration # For more details see https://support.1password.com/command-line-getting-started/ -eval $(echo "${MASTER_PASSWORD}" | op signin ${DOMAIN_NAME} ${USERNAME} ${SECRET_KEY}) +op_session=$(echo "${MASTER_PASSWORD}" | op signin ${DOMAIN_NAME} ${USERNAME} ${SECRET_KEY} | grep export | awk -F\" '{print $2}') +export OP_SESSION_registries="$op_session" +random_name=`cat /dev/urandom | tr -cd 'a-f0-9' | head -c 32` num=0 for env_name in "${envs[@]}"; do @@ -169,7 +154,7 @@ for env_name in "${envs[@]}"; do # single section. The label is the key, and the value is the value. ev=`op get item --vault=$(_vault_json .vault) ${env_name}` - touch t$num.txt + touch t$num-$random_name.txt # Convert to base64 for multi-line secrets. # The schema for the 1Password type uses t as the label, and v as the value. 
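Review bot: `op signin` now consumes `${DOMAIN_NAME}`, `${USERNAME}`, `${SECRET_KEY}` and `${MASTER_PASSWORD}` that this patch no longer sets from options or defaults and no longer validates (the `-d/-u/-k/-p` flags and the "Missing parameters - secret key or master password" check were removed), so they are implicitly expected from the environment; if any is empty the pipeline prints nothing useful, `op_session` ends up empty, and every later `op get item` fails with an opaque auth error. Add `: "${DOMAIN_NAME:?}" "${USERNAME:?}" "${SECRET_KEY:?}" "${MASTER_PASSWORD:?}"` before the signin and `[[ -n "$op_session" ]] || { echo "1Password signin failed" >&2; exit 1; }` after it. The `grep export | awk` also hard-wires the session variable name `OP_SESSION_registries`, i.e. the `registries` subdomain; a comment saying so would save the next person who changes `DOMAIN_NAME` from a silent failure.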
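Review bot: The `/dev/urandom` suffix makes `t$num-$random_name.txt` unguessable, but the files are still created in the container's working directory with default permissions and nothing in this hunk removes them; since `tsecret-$random_name.txt` later holds the decrypted key=value pairs, a failed run leaves plaintext secrets on disk. Prefer a private directory with cleanup on every exit path: `work=$(mktemp -d) && trap 'rm -rf -- "$work"' EXIT` and `touch "$work/t$num.txt"`, which also makes the `random_name` machinery unnecessary. I cannot see the end of the script here; if a cleanup exists further down, the `trap` still adds coverage of the error paths.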
@@ -178,18 +163,18 @@ for env_name in "${envs[@]}"; do echo ${row} | base64 --decode | jq -r ${1} } - echo "${_vault_json_app}: $(_envvars '.t')" >> t$num.txt + echo "${_vault_json_app}: $(_envvars '.t')" >> t$num-$random_name.txt if [[ ${env_name} == ${ENVIRONMENT} ]]; then # Frontend applications will create a keycloak json file if [ $(_vault_json '.vault') = "keycloak" ] && [ ${FRONTEND} = true ]; then if [[ ${env_name} == ${ENVIRONMENT} ]]; then - echo "$(_envvars '.t')=$(_envvars '.v')" >> tkeycloak.txt + echo "$(_envvars '.t')=$(_envvars '.v')" >> tkeycloak-$random_name.txt fi else case ${METHOD} in secret) - echo "$(_envvars '.t')=$(_envvars '.v')" >> tsecret.txt + echo "$(_envvars '.t')=$(_envvars '.v')" >> tsecret-$random_name.txt ;; env) echo "Setting environment variable $(_envvars '.t')" @@ -211,8 +196,8 @@ case ${METHOD} in # Compare vaults from different environments env_true=(test prod) if [[ " ${env_true[@]} " =~ " ${ENVIRONMENT} " ]]; then - result=$(comm -23 <(sort t1.txt) <(sort t2.txt)) - result2=$(comm -23 <(sort t2.txt) <(sort t1.txt)) + result=$(comm -23 <(sort t1-$random_name.txt) <(sort t2-$random_name.txt)) + result2=$(comm -23 <(sort t2-$random_name.txt) <(sort t1-$random_name.txt)) if [[ ! -z ${result} ]]; then matched=false 
@@ -228,44 +213,23 @@ case ${METHOD} in fi # check the duplicat key(s) from vaults - duplicate_key_check=$(sort tsecret.txt | grep -v -P '^\s*#' | sed -E 's/(.*)=.*/\1/' | uniq -d | xargs) + duplicate_key_check=$(sort tsecret-$random_name.txt | grep -v -P '^\s*#' | sed -E 's/(.*)=.*/\1/' | uniq -d | xargs) if [[ ! -z ${duplicate_key_check} ]]; then warning_message="Duplicate key(s) found in 1password. ${duplicate_key_check}" echo ::warning "::$warning_message" - sort tsecret.txt | uniq > tsecret1.txt - cp tsecret1.txt tsecret.txt + sort tsecret-$random_name.txt | uniq > tsecret1-$random_name.txt + cp tsecret1-$random_name.txt tsecret-$random_name.txt fi if [[ $matched = true ]]; then if [[ ${FRONTEND} = false ]]; then - COUNTER_SECRETS=$(oc get secret ${APP_NAME}-secret -n ${NAMESPACE} --no-headers --ignore-not-found | wc -l) - if [[ $COUNTER_SECRETS > 0 ]]; then - # backup current secrets - COMMIT_LABEL=$(oc get secret ${APP_NAME}-secret -n ${NAMESPACE} --label-columns=git-commit --no-headers | awk '{ print $5 " " $6}') - if [[ ! 
-z "${COMMIT_LABEL}" ]]; then - # delete duplicate secret - oc delete secret ${APP_NAME}-secret-${COMMIT_LABEL} -n ${NAMESPACE} - # copy existing secret - oc get secret ${APP_NAME}-secret -n ${NAMESPACE} -o yaml|sed "s/name: ${APP_NAME}-secret/name: ${APP_NAME}-secret-${commit_label}/g" | oc apply -f - - fi - - oc delete secret ${APP_NAME}-secret -n ${NAMESPACE} - fi - - # create application secrets and set label - oc create secret generic ${APP_NAME}-secret -n ${NAMESPACE} - oc label secret ${APP_NAME}-secret -n ${NAMESPACE} app=${APP_NAME} git-commit=$(git rev-parse --short HEAD) - - COUNTER_SECRETS=$(oc get secrets --selector=app=${APP_NAME} -n ${NAMESPACE} --no-headers --ignore-not-found | wc -l) - # keep 3 backup secrets - if [[ $COUNTER_SECRETS > 4 ]]; then - oldest_secret=($(oc get secrets -n ${NAMESPACE} --selector=app=${APP_NAME} --sort-by=.metadata.creationTimestamp --no-headers -o custom-columns=NAME:.metadata.name)) - oc delete secret ${oldest_secret} -n ${NAMESPACE} - fi - - SECRET_JSON=$(oc create secret generic ${APP_NAME}-secret -n ${NAMESPACE} --from-env-file=./tsecret.txt --dry-run=client -o json) + LABELS=$(oc get secret ${APP_NAME}-secret -o jsonpath='{.metadata.labels}' -n ${NAMESPACE}) + ANNOTATIONS=$(oc get secret ${APP_NAME}-secret -o jsonpath='{.metadata.annotations}' -n ${NAMESPACE}) + SECRET_JSON=$(oc create secret generic ${APP_NAME}-secret -n ${NAMESPACE} --from-env-file=./tsecret-$random_name.txt --dry-run=client -o json) # Set secret key and value from 1password - oc get secret ${APP_NAME}-secret -n ${NAMESPACE} -o json | jq ". 
* $SECRET_JSON" | oc apply -f - + echo $SECRET_JSON | oc replace -f - + oc patch secret ${APP_NAME}-secret --type='json' -p='[{"op":"add","path":"/metadata/labels", "value":'$LABELS'}]' -n ${NAMESPACE} + oc patch secret ${APP_NAME}-secret --type='json' -p='[{"op":"add","path":"/metadata/annotations", "value":'$ANNOTATIONS'}]' -n ${NAMESPACE} if [[ ${DEPLOYMENT} = true ]]; then # Set environment variable of deployment config @@ -278,23 +242,33 @@ case ${METHOD} in else # frontend application # create keycloak configmap - while read -r line; do declare "$line"; done
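Review bot: The replacement path assumes `${APP_NAME}-secret` already exists — `oc get` prints nothing and `oc replace` fails when it does not — and it rebuilds labels and annotations by splicing unquoted `$LABELS`/`$ANNOTATIONS` into a JSON patch string, which yields an invalid patch (`"value":}]`) when the Secret had none and word-splits any value containing a space. The removed `jq ". * $SECRET_JSON"` line merged metadata in one step; doing that merge in `jq` again and choosing `create` vs `replace` on existence keeps the old replace semantics without the two fragile patches. The enclosing `case ${METHOD}` block continues past this hunk.
```sh
# … unchanged: duplicate-key check and matched/FRONTEND guards …
existing=$(oc get secret "${APP_NAME}-secret" -n "${NAMESPACE}" -o json --ignore-not-found)
[[ -n "${existing}" ]] || existing='{}'
oc create secret generic "${APP_NAME}-secret" -n "${NAMESPACE}" \
    --from-env-file="./tsecret-${random_name}.txt" --dry-run=client -o json \
  | jq --argjson old "${existing}" \
      '.metadata.labels = ($old.metadata.labels // {})
       | .metadata.annotations = ($old.metadata.annotations // {})' \
  | if [[ "${existing}" != '{}' ]]; then oc replace -f -; else oc create -f -; fi
# … unchanged: DEPLOYMENT handling …
```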