From 55438379f8d06f2feb6bcd36b458d6d6c9436959 Mon Sep 17 00:00:00 2001 From: George Taylor Date: Mon, 2 Sep 2024 17:42:51 +0100 Subject: [PATCH 1/2] :tada: Add port forward pod that's rebuilt regularly (#98) * Create Dockerfile * Create build-push-pf-pod.yml * ids --- .github/workflows/build-push-db-utils.yml | 2 +- .github/workflows/build-push-pf-pod.yml | 42 +++++++++++++++++++++++ tools/port-forward/Dockerfile | 11 ++++++ 3 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/build-push-pf-pod.yml create mode 100644 tools/port-forward/Dockerfile diff --git a/.github/workflows/build-push-db-utils.yml b/.github/workflows/build-push-db-utils.yml index f921712..5cc0f5a 100644 --- a/.github/workflows/build-push-db-utils.yml +++ b/.github/workflows/build-push-db-utils.yml @@ -1,4 +1,4 @@ -name: Build and push image +name: Build and push image [DB Utils] on: push: diff --git a/.github/workflows/build-push-pf-pod.yml b/.github/workflows/build-push-pf-pod.yml new file mode 100644 index 0000000..08f1536 --- /dev/null +++ b/.github/workflows/build-push-pf-pod.yml @@ -0,0 +1,42 @@ +name: Build and push image [Port Forward Pod] + +on: + push: + workflow_dispatch: + +env: + IMAGE_NAME: hmpps-delius-alfresco-port-forward-pod + +jobs: + build: + runs-on: ubuntu-latest + steps: + - name: checkout code + uses: actions/checkout@v4 + - name: Log in to the Container registry + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 + with: + images: ${{ env.IMAGE_NAME }} + - name: Build and push Docker image + if: github.ref == 'refs/heads/main' + uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 + with: + context: ./tools/port-forward/ + push: true + tags: ghcr.io/${{ github.repository_owner }}/${{ steps.meta.outputs.tags }}, ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:latest + labels: ${{ steps.meta.outputs.labels }} + - name: Build and push Docker image + if: github.ref != 'refs/heads/main' + uses: docker/build-push-action@5176d81f87c23d6fc96624dfdbcd9f3830bbe445 + with: + context: ./tools/port-forward/ + push: true + tags: ghcr.io/${{ github.repository_owner }}/${{ steps.meta.outputs.tags }}, ghcr.io/${{ github.repository_owner }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}-${{ github.run_id }} + labels: ${{ steps.meta.outputs.labels }} diff --git a/tools/port-forward/Dockerfile b/tools/port-forward/Dockerfile new file mode 100644 index 0000000..7734714 --- /dev/null +++ b/tools/port-forward/Dockerfile @@ -0,0 +1,11 @@ +FROM alpine:3 + +RUN apk add --update --no-cache socat \ + && rm -rf /var/cache/apk/ + +RUN addgroup -g 1001 -S appgroup && \ + adduser -u 1001 -S appuser -G appgroup + +USER 1001 + +CMD ["sh", "-c", "socat tcp-listen:$LOCAL_PORT,reuseaddr,fork tcp:$REMOTE_HOST:$REMOTE_PORT & pid=$! && trap \"kill $pid\" SIGINT && echo \"Socat started listening on $LOCAL_PORT: Redirecting traffic to $REMOTE_HOST:$REMOTE_PORT ($pid)\" && wait $pid"] From 7457f4e28f5bcebd00cc4d283688a06275ef86fe Mon Sep 17 00:00:00 2001 From: George Taylor Date: Tue, 3 Sep 2024 11:57:42 +0100 Subject: [PATCH 2/2] :hammer: Add scripts to easily port-forward non k8s services (#99) --- tools/scripts/amq-connect.md | 74 +++++++++++++++++++++++++++++ tools/scripts/amq-connect.sh | 62 ++++++++++++++++++++++++ tools/scripts/opensearch-connect.md | 66 +++++++++++++++++++++++++ tools/scripts/opensearch-connect.sh | 48 +++++++++++++++++++ tools/scripts/rds-connect.md | 74 +++++++++++++++++++++++++++++ tools/scripts/rds-connect.sh | 66 +++++++++++++++++++++++++ 6 files changed, 390 insertions(+) create mode 100644 tools/scripts/amq-connect.md create mode 100755 tools/scripts/amq-connect.sh create mode 100644 tools/scripts/opensearch-connect.md create mode 100755 tools/scripts/opensearch-connect.sh create mode 100644 tools/scripts/rds-connect.md create mode 100755 tools/scripts/rds-connect.sh diff --git a/tools/scripts/amq-connect.md b/tools/scripts/amq-connect.md new file mode 100644 index 0000000..fad86be --- /dev/null +++ b/tools/scripts/amq-connect.md @@ -0,0 +1,74 @@ +# AMQ Connect Script + +This script provides a way to connect to the Amazon MQ (ActiveMQ) console within a specified Kubernetes namespace by setting up port forwarding. The script targets HMPPS Delius Alfresco environments. + +## Usage + +```sh +./amq-connect.sh [local_port] +``` + +- `env`: Required. The environment you want to connect to (e.g., `dev`, `poc`, `prod`). +- `local_port`: Optional. The local port for port forwarding. If not provided, the remote port will be used. + +## Features + +- Automatically determines the appropriate namespace based on the environment provided. +- Retrieves the AMQ console URL from Kubernetes secrets. +- Sets up port forwarding to allow local access to the AMQ console. + +## Environment Mapping + +The environment (``) parameter maps to Kubernetes namespaces as follows: + +- `poc` -> `hmpps-delius-alfrsco-poc` +- Other environments (e.g., `dev`, `prod`) -> `hmpps-delius-alfresco-` + +## Prerequisites + +- Ensure you have `kubectl` installed and configured to interact with the appropriate Kubernetes cluster. +- Ensure the `jq` utility is installed for JSON parsing. +- Ensure OpenSSL is installed for generating random hex strings. +- Ensure the Docker image `ghcr.io/ministryofjustice/hmpps-delius-alfresco-port-forward-pod:latest` is available and accessible. + +## Steps Performed by the Script + +1. Validate the input and determine the Kubernetes namespace based on the provided environment (`env`). +2. Retrieve the ActiveMQ console URL from the Kubernetes secret `amazon-mq-broker-secret`. +3. Extract the necessary details (protocol, host, and ports) from the URL. +4. Generate a random hex string for unique identification. +5. Create a pod for port forwarding using the Docker image `ghcr.io/ministryofjustice/hmpps-delius-alfresco-port-forward-pod:latest`. +6. Wait for the pod to become ready. +7. Start port forwarding from the remote MQ console to the local machine. + +## Signals and Error Handling + +- The script traps signals for interruption (Ctrl+C) and errors, ensuring proper cleanup of the port-forwarding pod. +- If the script fails at any step or is interrupted, it will delete the port-forward pod and exit gracefully. + +## Example + +```sh +./amq-connect.sh dev 8080 +``` + +This example connects to the `dev` environment and sets up port forwarding from the remote MQ console to local port `8080`. + +## Important Notes + +- The script assumes that the Kubernetes secret `amazon-mq-broker-secret` exists in the target namespace and contains the key `BROKER_CONSOLE_URL`. +- Pressing Ctrl+C will terminate the port-forwarding session and clean up the pod created for this purpose. + +## Cleanup + +The script automatically deletes the created port-forward pod upon script termination or failure. Manual cleanup should not be necessary. + +## Troubleshooting + +- Ensure your Kubernetes context is set correctly to the cluster containing the target namespace. +- Ensure you have the necessary permissions to create and delete pods and retrieve secrets within the namespace. +- Verify the `ghcr.io/ministryofjustice/hmpps-delius-alfresco-port-forward-pod:latest` image is accessible and that your Kubernetes cluster can pull it. + +--- + +This script is useful for developers and engineers who need to access the ActiveMQ console in HMPPS Delius Alfresco environments securely and conveniently. \ No newline at end of file diff --git a/tools/scripts/amq-connect.sh b/tools/scripts/amq-connect.sh new file mode 100755 index 0000000..ce398b8 --- /dev/null +++ b/tools/scripts/amq-connect.sh @@ -0,0 +1,62 @@ +#!/usr/bin/env bash + +# trap ctrl-c and call ctrl_c() +trap ctrl_c INT +# trap fail and call fail() +trap fail ERR + +main() { + env=$1 + if [ "$env" == "poc" ]; then + namespace="hmpps-delius-alfrsco-${env}" + else + namespace="hmpps-delius-alfresco-${env}" + fi + echo "Connecting to AMQ Console in namespace $namespace" + + # get amq connection url + URL=$(kubectl get secrets amazon-mq-broker-secret --namespace ${namespace} -o json | jq -r ".data.BROKER_CONSOLE_URL | @base64d") + # extract host and port + HOST=$(echo $URL | cut -d '/' -f 3 | cut -d ':' -f 1) + # extract protocol + PROTOCOL=$(echo $URL | awk -F'://' '{print $1}') + # extract remote port + REMOTE_PORT=$(echo $URL | cut -d '/' -f 3 | cut -d ':' -f 2) + # if custom local port not provided, use remote port + if [ -z "$2" ]; then + LOCAL_PORT=$REMOTE_PORT + else + LOCAL_PORT=$2 + fi + # generate random hex string + RANDOM_HEX=$(openssl rand -hex 4) + # start port forwarding + kubectl run port-forward-pod-${RANDOM_HEX} --image=ghcr.io/ministryofjustice/hmpps-delius-alfresco-port-forward-pod:latest --port ${LOCAL_PORT} --env="REMOTE_HOST=$HOST" --env="LOCAL_PORT=$LOCAL_PORT" --env="REMOTE_PORT=$REMOTE_PORT" --namespace ${namespace}; + # wait for pod to start + kubectl wait --for=condition=ready pod/port-forward-pod-${RANDOM_HEX} --timeout=30s --namespace ${namespace} + printf "\nPort forwarding started, connecting to $HOST:$REMOTE_PORT \n" + printf "\n****************************************************\n" + printf "Connect to ${PROTOCOL}://localhost:$LOCAL_PORT locally\n" + printf "Press Ctrl+C to stop port forwarding \n" + printf "****************************************************\n\n" + # start the local port forwarding session + kubectl port-forward --namespace ${namespace} port-forward-pod-${RANDOM_HEX} $LOCAL_PORT:$LOCAL_PORT; +} + +fail() { + printf "\n\nPort forwarding failed" + kubectl delete pod port-forward-pod-${RANDOM_HEX} --force --grace-period=0 --namespace ${namespace} + exit 1 +} +ctrl_c() { + printf "\n\nStopping port forwarding" + kubectl delete pod port-forward-pod-${RANDOM_HEX} --force --grace-period=0 --namespace ${namespace} + exit 0 +} + +if [ -z "$1" ]; then + echo "env not provided" + echo "Usage: amq-connect.sh " + exit 1 +fi +main $1 $2 diff --git a/tools/scripts/opensearch-connect.md b/tools/scripts/opensearch-connect.md new file mode 100644 index 0000000..a4a7b4d --- /dev/null +++ b/tools/scripts/opensearch-connect.md @@ -0,0 +1,66 @@ +# Opensearch Connect Script + +This script provides a convenient way to connect to the Opensearch service within a specified Kubernetes namespace by setting up port forwarding. The script targets HMPPS Delius Alfresco environments. + +## Usage + +```sh +./opensearch-connect.sh [local_port] +``` + +- `env`: Required. The environment you want to connect to (e.g., `dev`, `poc`, `prod`). +- `local_port`: Optional. The local port for port forwarding (defaults to `8080` if not specified). + +## Features + +- Automatically determines the appropriate namespace based on the environment provided. +- Identifies the pod running the Opensearch proxy within the namespace. +- Sets up port forwarding to allow local access to the Opensearch service. + +## Environment Mapping + +The environment (``) parameter maps to Kubernetes namespaces as follows: + +- `poc` -> `hmpps-delius-alfrsco-poc` +- Other environments (e.g., `dev`, `prod`) -> `hmpps-delius-alfresco-` + +## Prerequisites + +- Ensure you have `kubectl` installed and configured to interact with the appropriate Kubernetes cluster. + +## Steps Performed by the Script + +1. Validate the input and determine the Kubernetes namespace based on the provided environment (`env`). +2. Identify the Opensearch proxy pod running in the target namespace. +3. Set up port forwarding from the specified or default local port (`8080`) to the Opensearch service. + +## Signals and Error Handling + +- The script traps signals for interruption (Ctrl+C) and errors, ensuring graceful exit. +- If the script fails at any step or is interrupted, it will terminate the port-forwarding session and exit gracefully. + +## Example + +```sh +./opensearch-connect.sh dev 9090 +``` + +This example connects to the `dev` environment and sets up port forwarding from the remote Opensearch service to local port `9090`. + +## Important Notes + +- The script assumes that the target namespace contains a pod with the name containing `opensearch-proxy-cloud-platform`. +- Pressing Ctrl+C will terminate the port-forwarding session. + +## Cleanup + +The script does not create any resources that require manual cleanup. The local port forwarding session will terminate upon script exit. + +## Troubleshooting + +- Ensure your Kubernetes context is set correctly to the cluster containing the target namespace. +- Ensure you have the necessary permissions to retrieve pods within the namespace. + +--- + +This script is useful for developers and engineers who need to access the Opensearch service in HMPPS Delius Alfresco environments securely and conveniently. \ No newline at end of file diff --git a/tools/scripts/opensearch-connect.sh b/tools/scripts/opensearch-connect.sh new file mode 100755 index 0000000..d27dee0 --- /dev/null +++ b/tools/scripts/opensearch-connect.sh @@ -0,0 +1,48 @@ +#!/usr/bin/env bash + +# trap ctrl-c and call ctrl_c() +trap ctrl_c INT +# trap fail and call fail() +trap fail ERR + +main() { + env=$1 + + if [ "$env" == "poc" ]; then + namespace="hmpps-delius-alfrsco-${env}" + else + namespace="hmpps-delius-alfresco-${env}" + fi + echo "Connecting to Opensearch in namespace $namespace" + + if [ -z "$2" ]; then + PORT=8080 + else + PORT=$2 + fi + + # get opensearch proxy pod name + OPENSEARCH_PROXY_POD=$(kubectl get pods | grep 'opensearch-proxy-cloud-platform' | awk '{print $1}') + printf "\n****************************************************\n" + printf "Connect to http://localhost:$PORT locally\n" + printf "Press Ctrl+C to stop port forwarding \n" + printf "****************************************************\n\n" + # start the local port forwarding session + kubectl port-forward $OPENSEARCH_PROXY_POD $PORT:8080 --namespace ${namespace} +} + +fail() { + printf "\n\nPort forwarding failed" + exit 1 +} +ctrl_c() { + printf "\n\nStopping port forwarding" + exit 0 +} + +if [ -z "$1" ]; then + echo "env not provided" + echo "Usage: opensearch-connect.sh " + exit 1 +fi +main $1 $2 diff --git a/tools/scripts/rds-connect.md b/tools/scripts/rds-connect.md new file mode 100644 index 0000000..1adcfef --- /dev/null +++ b/tools/scripts/rds-connect.md @@ -0,0 +1,74 @@ +# RDS Connect Script + +This script provides a convenient way to connect to an RDS (Relational Database Service) instance within a specified Kubernetes namespace by setting up port forwarding. The script targets HMPPS Delius Alfresco environments. + +## Usage + +```sh +./rds-connect.sh [local_port] +``` + +- `env`: Required. The environment you want to connect to (e.g., `dev`, `poc`, `prod`). +- `local_port`: Optional. The local port for port forwarding (defaults to the remote port if not specified). + +## Features + +- Automatically determines the appropriate namespace based on the environment provided. +- Retrieves the RDS JDBC URL from Kubernetes secrets. +- Sets up port forwarding to allow local access to the RDS instance. + +## Environment Mapping + +The environment (``) parameter maps to Kubernetes namespaces as follows: + +- `poc` -> `hmpps-delius-alfrsco-poc` +- Other environments (e.g., `dev`, `prod`) -> `hmpps-delius-alfresco-` + +## Prerequisites + +- Ensure you have `kubectl` installed and configured to interact with the appropriate Kubernetes cluster. +- Ensure the `jq` utility is installed for JSON parsing. +- Ensure OpenSSL is installed for generating random hex strings. +- Ensure the Docker image `ghcr.io/ministryofjustice/hmpps-delius-alfresco-port-forward-pod:latest` is available and accessible. + +## Steps Performed by the Script + +1. Validate the input and determine the Kubernetes namespace based on the provided environment (`env`). +2. Retrieve the RDS JDBC URL from the Kubernetes secret `rds-instance-output`. +3. Extract the necessary details (protocol, host, ports, and database name) from the URL. +4. Generate a random hex string for unique identification. +5. Create a pod for port forwarding using the Docker image `ghcr.io/ministryofjustice/hmpps-delius-alfresco-port-forward-pod:latest`. +6. Wait for the pod to become ready. +7. Start port forwarding from the remote RDS instance to the local machine. + +## Signals and Error Handling + +- The script traps signals for interruption (Ctrl+C) and errors, ensuring proper cleanup of the port-forwarding pod. +- If the script fails at any step or is interrupted, it will delete the port-forward pod and exit gracefully. + +## Example + +```sh +./rds-connect.sh dev 5432 +``` + +This example connects to the `dev` environment and sets up port forwarding from the remote RDS instance to local port `5432`. + +## Important Notes + +- The script assumes that the Kubernetes secret `rds-instance-output` exists in the target namespace and contains the key `RDS_JDBC_URL`. +- Pressing Ctrl+C will terminate the port-forwarding session and clean up the pod created for this purpose. + +## Cleanup + +The script automatically deletes the created port-forward pod upon script termination or failure. Manual cleanup should not be necessary. + +## Troubleshooting + +- Ensure your Kubernetes context is set correctly to the cluster containing the target namespace. +- Ensure you have the necessary permissions to create and delete pods and retrieve secrets within the namespace. +- Verify the `ghcr.io/ministryofjustice/hmpps-delius-alfresco-port-forward-pod:latest` image is accessible and that your Kubernetes cluster can pull it. + +--- + +This script is useful for developers and engineers who need to access the RDS instance in HMPPS Delius Alfresco environments securely and conveniently. diff --git a/tools/scripts/rds-connect.sh b/tools/scripts/rds-connect.sh new file mode 100755 index 0000000..0c1f163 --- /dev/null +++ b/tools/scripts/rds-connect.sh @@ -0,0 +1,66 @@ +#!/usr/bin/env bash + +# trap ctrl-c and call ctrl_c() +trap ctrl_c INT +# trap fail and call fail() +trap fail ERR + +main() { + env=$1 + + if [ "$env" == "poc" ]; then + namespace="hmpps-delius-alfrsco-${env}" + else + namespace="hmpps-delius-alfresco-${env}" + fi + echo "Connecting to RDS in namespace $namespace" + + # get RDS connection url + URL=$(kubectl get secrets rds-instance-output --namespace ${namespace} -o json | jq -r ".data.RDS_JDBC_URL | @base64d") + # extract host and port + HOST=$(echo $URL | cut -d '/' -f 3 | cut -d ':' -f 1) + # extract database name + DATABASE_NAME=$(echo "$URL" | awk -F'/' '{print $NF}') + # extract protocol/jdbc + PROTOCOL=$(echo $URL | awk -F'://' '{print $1}') + # extract remote port + REMOTE_PORT=$(echo $URL | cut -d '/' -f 3 | cut -d ':' -f 2) + # if custom local port not provided, use remote port + if [ -z "$2" ]; then + LOCAL_PORT=$REMOTE_PORT + else + LOCAL_PORT=$2 + fi + # generate random hex string + RANDOM_HEX=$(openssl rand -hex 4) + # start port forwarding + kubectl run port-forward-pod-${RANDOM_HEX} --image=ghcr.io/ministryofjustice/hmpps-delius-alfresco-port-forward-pod:latest --port ${LOCAL_PORT} --env="REMOTE_HOST=$HOST" --env="LOCAL_PORT=$LOCAL_PORT" --env="REMOTE_PORT=$REMOTE_PORT" --namespace ${namespace}; + # wait for pod to start + kubectl wait --for=condition=ready pod/port-forward-pod-${RANDOM_HEX} --timeout=30s --namespace ${namespace} + printf "\nPort forwarding started, connecting to $HOST:$REMOTE_PORT \n" + printf "\n****************************************************\n" + printf "Connect to ${PROTOCOL}://localhost:$LOCAL_PORT/$DATABASE_NAME locally\n" + printf "Press Ctrl+C to stop port forwarding \n" + printf "****************************************************\n\n" + # start the local port forwarding session + kubectl port-forward --namespace ${namespace} port-forward-pod-${RANDOM_HEX} $LOCAL_PORT:$LOCAL_PORT; +} + +fail() { + printf "\n\nPort forwarding failed" + kubectl delete pod port-forward-pod-${RANDOM_HEX} --force --grace-period=0 --namespace ${namespace} + exit 1 +} + +ctrl_c() { + printf "\n\nStopping port forwarding" + kubectl delete pod port-forward-pod-${RANDOM_HEX} --force --grace-period=0 --namespace ${namespace} + exit 0 +} + +if [ -z "$1" ]; then + echo "env not provided" + echo "Usage: rds-connect.sh " + exit 1 +fi +main $1 $2