k/invoiceshelf: migrate to invoiceshelf, use statefulset, grab secrets from backup

Add support for mysql db cluster, add crater mysql db, upgrade DO provider
k/invoiceshelf: initial commit
2024-03-31 03:29:37 -07:00 · 2024-03-31 02:11:40 -07:00 · 2024-03-31 02:08:56 -07:00 · 2024-03-28 21:28:02 -07:00 · 2024-03-28 21:27:29 -07:00
13 changed files with 340 additions and 25 deletions
--- a/34
+++ b/34
@ -7,7 +7,7 @@ ENVIRONMENT := production
 REGION := sfo3
 ROOT_DIR := $(shell pwd)
 # TODO: automatically determine
-TERRAFORM := $(ROOT_DIR)/out/terraform.linux-x86_64
+TERRAFORM := $(ROOT_DIR)/out/tofu.linux-x86_64
 SOPS := $(ROOT_DIR)/out/sops.linux-x86_64
 KEYS := \
 	6B61ECD76088748C70590D55E90A401336C8AAA9 \
@ -15,13 +15,13 @@ KEYS := \
 	3D7C8D39E8C4DF771583D3F0A8A091FD346001CA \
 	F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D

+EXTRA_ARGS :=
+
 .DEFAULT_GOAL :=
 .PHONY: default
 default: \
 	toolchain \
 	tools \
-	$(patsubst %,$(KEY_DIR)/%.asc,$(KEYS)) \
-	$(CACHE_DIR)/website/.well-known/openpgpkey \
 	apply

 .PHONY:
@ -76,6 +76,13 @@ infra/backend/.terraform: \
 	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
 		env -C infra/backend $(TERRAFORM) init -upgrade \
 		'
+	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
+		env -C infra/backend $(TERRAFORM) refresh \
+		-var environment=$(ENVIRONMENT) \
+		-var namespace=$(ENVIRONMENT) \
+		-var region=$(REGION) \
+		-state $(ENVIRONMENT).tfstate \
+		'

 infra/main/.terraform: | \
 	$(TERRAFORM) \
@ -85,6 +92,13 @@ infra/main/.terraform: | \
 		env -C infra/main $(TERRAFORM) init -upgrade \
 		-backend-config="../../config/$(ENVIRONMENT).tfbackend" \
 		'
+	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
+		env -C infra/main $(TERRAFORM) refresh \
+		-var environment=$(ENVIRONMENT) \
+		-var namespace=$(ENVIRONMENT) \
+		-var region=$(REGION) \
+		-state $(ENVIRONMENT).tfstate \
+		'

 infra/backend/$(ENVIRONMENT).tfstate: \
 	$(TERRAFORM) \
@ -96,7 +110,7 @@ infra/backend/$(ENVIRONMENT).tfstate: \
 		-var environment=$(ENVIRONMENT) \
 		-var namespace=$(ENVIRONMENT) \
 		-var region=$(REGION) \
-		-state ../../$@ \
+		-state $@ \
 		'

 config/$(ENVIRONMENT).tfbackend: | \
@ -107,9 +121,17 @@ config/$(ENVIRONMENT).tfbackend: | \
 	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
 		env -C infra/backend \
 		$(TERRAFORM) \
-		output -state ../../$< \
+		output -state $(ENVIRONMENT).tfstate \
 		> $@ \
 		'
+	$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
+		env -C infra/backend \
+		$(TERRAFORM) refresh \
+		-var environment=$(ENVIRONMENT) \
+		-var namespace=$(ENVIRONMENT) \
+		-var region=$(REGION) \
+		-state $(ENVIRONMENT).tfstate \
+		'

 .PHONY:
 apply: \
@ -126,7 +148,7 @@ apply: \
 		-var environment=$(ENVIRONMENT) \
 		-var namespace=$(ENVIRONMENT) \
 		-var region=$(REGION) \
-		'
+		$(EXTRA_ARGS) '
 	$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)
 	$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)
 	$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)
--- a/config/make.env
+++ b/config/make.env
@ -22,7 +22,7 @@ SOPS_REF=b6d3c9700d88e0c9348f3ec7cd2f10ce4a4b3ee1
 BUSYBOX_URL=https://busybox.net/downloads/busybox-1.36.1.tar.bz2
 BUSYBOX_HASH=b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314
 TOFU_REPO=https://github.com/opentofu/opentofu
-TOFU_REF=f9d8b3ca2c0926f66757241baf81af523be73726
+TOFU_REF=5d05dba18b6e276a6262a4722fe90c13350c5428
 KSOPS_REPO=https://github.com/viaduct-ai/kustomize-sops
 KSOPS_REF=ac33c40e1b78d9847a8d0f58473e99419be5b170
 KUSTOMIZE_REPO=https://github.com/kubernetes-sigs/kustomize
--- a/infra/main/main.tf
+++ b/infra/main/main.tf
@ -10,21 +10,18 @@ resource "random_id" "suffix" {
  byte_length = 8
 }

-data "digitalocean_region" "provided" {
-  slug = var.region
-}

 resource "digitalocean_custom_image" "talos" {
  name = "talos"
  url = "https://github.com/siderolabs/talos/releases/download/v1.4.3/digital-ocean-amd64.raw.gz"
  # this gets reset by DigitalOcean otherwise
  distribution = "Unknown OS"
-  regions = [data.digitalocean_region.provided.slug]
+  regions = [var.region]
 }

 resource "digitalocean_vpc" "main" {
  name = "talos"
-  region = data.digitalocean_region.provided.slug
+  region = var.region 
  # Note: This is VERY CAREFULLY chosen to avoid conflict with k8s and cilium
  ip_range = "192.168.0.0/16"
 }
@ -45,7 +42,7 @@ module "digitalocean_talos_cluster" {
    size = "s-2vcpu-4gb",
  }]
  vpc_id = digitalocean_vpc.main.id
-  digitalocean_region = data.digitalocean_region.provided.slug
+  digitalocean_region = var.region 
 }

 module "digitalocean_database_cluster" {
@ -66,7 +63,28 @@ module "digitalocean_database_cluster" {
  }]

  vpc_id = digitalocean_vpc.main.id
-  digitalocean_region = data.digitalocean_region.provided.slug
+  digitalocean_region = var.region 
+}
+
+# Crater App requires MySQL currently, when it adds PG support we should migrate
+# 
+module "digitalocean_mysql_database_cluster" {
+  source = "../../terraform_modules/digitalocean_database_cluster"
+
+  cluster_name = "distrust-mysql"
+  db_engine = "mysql"
+  dbcli_name = "mariadb"
+  db_version = "8"
+  size = "db-s-1vcpu-1gb"
+  node_count = 1
+
+  databases = [{
+    name = "crater",
+    create_default_superuser = true,
+  }]
+
+  vpc_id = digitalocean_vpc.main.id
+  digitalocean_region = var.region 
 }

 locals {
@ -80,10 +98,11 @@ locals {
  ])
 }

+
 # `jq .database_users.value.forgejo | sops --encrypt`
 output "database_users" {
  value = {
-    for db_user in module.digitalocean_database_cluster.database_users:
+    for db_user in concat(module.digitalocean_database_cluster.database_users, module.digitalocean_mysql_database_cluster.database_users):
    db_user.name => {
      apiVersion = "v1",
      kind = "Secret",
@ -111,6 +130,11 @@ output "database" {
  sensitive = true
 }

+output "mysql_database" {
+  value = module.digitalocean_mysql_database_cluster.database_cluster
+  sensitive = true
+}
+
 output "vpc_id" {
  value = digitalocean_vpc.main.id
 }
--- a/infra/main/provider.tf
+++ b/infra/main/provider.tf
@ -2,12 +2,13 @@ terraform {
  required_providers {
    digitalocean = {
      source  = "digitalocean/digitalocean"
-      version = "2.28.1"
+      version = "2.36.0"
    }
  }
  backend "s3" {
    skip_requesting_account_id  = true
    skip_credentials_validation = true
+    skip_region_validation      = true
    skip_get_ec2_platforms      = true
    skip_metadata_api_check     = true
  }
--- a/kustomizations/invoiceshelf/env.enc.yaml
+++ b/kustomizations/invoiceshelf/env.enc.yaml
@ -0,0 +1,119 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: env
+stringData:
+    DB_PASSWORD: ENC[AES256_GCM,data:nHeFXLOI6bMb1hslXLu9xqbMNppGeGzI,iv:rakHQI3iFNgD9gtUX0HdeFG5afP9ln0a+wenqm692T0=,tag:en9KmjYlZ6xzeC0fs9wKzA==,type:str]
+    APP_KEY: ENC[AES256_GCM,data:pG99OkN9DpXEJ287ty/7e/86v5kEYeikNN6FnV++uNFE4j48aPiQENd+57RxAXFTUl+6,iv:IFXaK2gnXFm6T3O7ClTRk5HqLGmgFdvh7Dn2Jw+MQU0=,tag:0SPKkf5jfyyuwHNvvDVgCg==,type:str]
+    MAIL_PASSWORD: ENC[AES256_GCM,data:+pWcN1GYSA3pibo8WgvFsAHjnrvhDNsjuO+QXYR7bdZFBKWJbshf0sS8,iv:Kw6qiUEFnd5FRGBMWutOoxMNFZYMf8NyQkPBR9TvfXg=,tag:4IOU6qOXWQ02S6rc1RHiOQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-03-31T09:43:12Z"
+    mac: ENC[AES256_GCM,data:I9rIuOh2cTJDrlPYs3kf6o6jPPtdElDmjWENc4Yk29ezpWwUj3+BsICpOU0kOrehvuyKtcM6BcxuvJG5Q92gZoVRvlHDoLypMyK3vDBxhGO0CAbcKnKmUSvROr6IWY5jKh9EWczxU3VkDTrm/BmCJAbjC2Ys51ej73InZez4t0g=,iv:gIaUNj8wKew4bH7dBHW+LV5S0a9allRQkWQ/3aWYJ4Q=,tag:mwwI+RDG0i45sPOSh+e1mg==,type:str]
+    pgp:
+        - created_at: "2024-01-11T20:56:10Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA82rPM2mSf/aARAAvQd7qO44LNyywY03qCXI18cx6nj9mo36ehJyq6wuYhWa
+            n95jXEsmRbGt2l8cAJrH9sZB3uE5DCfeZMzEiZ9heaAyxzC34BxSGP+4PBdRqp6B
+            jv7Ej6F9lV70bQYvDDry5ihWRmADEVrnDrs2+pXsMQiui9dZSGB676d2PIdliV6y
+            StqbyudjWZS6fLv2xy25yxJBfzb27rLh1d2yo/9AEm873bFVn7bXQxwOoud8s8KU
+            MLsQxE05zDQrzm+RpDU0mYk3X4ByyL0/J0dyipjHErOLhOCk2MZ4xTVW8U+Jefuu
+            htLAzftc9NGwWHdSVXqfwSWUq/UklzurPdDcA1riEqE4XmE74cdgP0vqHYeGPykh
+            M67Xcr1WLDk7i/n4EISqnp5qwItfJIxWlEpKNANEMveYggHXUz3wTk7qHwjpIDwG
+            7mMfKlL221M1elk1lY60bx//tr2ZqIlN9IXCjOUZOlxlqvYcmie09YbR6tRZAbag
+            KZcq4s5y5HlVQ10ZUe7eY8qjXMlLVm7N+TJRnfgJrr2+7GTy/wCcx5nwsVBeYm8h
+            GrHT3PS0CVRA19ynlEqF1jXfqlRMjX0szPIUGb6/7HLiw514otq3KuZmHYAq2TZ2
+            HMKncOptoUyfpG252v6NJYQC7yF76tdd5YuykeD40ZOBUULtvUEOZyZVdsaAU9zS
+            UQHygqf8d16qbh2rWK69Kqmc8DbZHCH/f1IDwekPOsNltQhdgn3lOP7gNSEwI7yV
+            /qk+5kVHg+Yk0l1K34v5aiWEGrI1SKd1m+nvVW7VcEtufw==
+            =SjUY
+            -----END PGP MESSAGE-----
+          fp: 6B61ECD76088748C70590D55E90A401336C8AAA9
+        - created_at: "2024-01-11T20:56:10Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMAw95Vf08z8oUAQ/+OHoip407wu+pF9bWolOK+dViuRhA/X9JUVyQfJer9HM2
+            thZUChYerdnUBn674pVUkjS5szch19pdZLeK5/YqUXyWoW1qHUgYgzHHq6JvxXXf
+            PIC7Q+jCfsmDBGcSJefK9rA5u7S+7rULBZvbMbL7gpCG8cG0aXJBoNLzZ/vva16V
+            x/3Mn6taKjZX0ACeoQ4ma4HS6kB3Nz280S8PKIQeMuUQQfXNWMAlR2ebleovvmvh
+            pJtN0T5dMLEImexLFSgfPoU1OQmfrnQR/mWP0W3LtGn2o8EE5LordJSgMuwd5eqv
+            v+XOHoj5E5O88SO2mIwWY0Oh+6P5pf6PJDL8XLLq+0nm2HZrK1Ip8WvYar9xi/12
+            HClde7vk1ESWw9Kdiop6rSj7C7M3dD+95ufG6F3c1XJQkp3H+AlK7aTK3/rx6Dml
+            FekNVioLC0LjiMZ1ZeVBOtIYoXXyrYE8nQF9E6kkW/o6dajMDo9F0Ck5LWLiES/E
+            34bHkP3p+lwOOj0l8PONG/MaP5j2S8v7LjfuMBxcuoo1RhplLJQLUYGvkywmqDK2
+            2t5vqIkpGAxBN6WNgZt0OwcBlPC3PP3JHQ+kIn9Sk3MAR5plCAhkywTHFwoDBe1e
+            FnlmDyVjgOdtzZl3aNjz7uOiDtpecwPmsxah8ox7H5wOOagAabDhweFXh0IxKKXS
+            UQH4zAt2MLHWqAAGjFPFiYxb/ugU1R5Qjv6NKw8bWGFOrbexMiA2bCGOGmstxd7G
+            SU0tn54SBi+wOEDmJGnaZS89ZzGEoRm6LRJ5EJz+a03tTg==
+            =KOLu
+            -----END PGP MESSAGE-----
+          fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72
+        - created_at: "2024-01-11T20:56:10Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA0/D4ws+/KPtARAArZ/F2Sh0LIACUnzLO45O0GsesOm4QS/vVEcZ0BDms/fi
+            Xe4mmJbYTvRIgWfoXpbt79UreBamMFCSpXBPJnx/d2F0s1RHxKvbq7LwNL/qpH3/
+            pUJuAbToVTqLyS329YfJVtGtfYRsL0nIyt28wNjz4XudoTfoaaegk+1SSpedT7gW
+            Wq4ipL3m226yXyTv6DTu61o389TV3H2OR18hawjF6lDfDSCYtNexRCxV3aSqkDU5
+            Ik9n9OkWrIgJ0ZM4DJ7U/Ltx9ju89oWCmjBfw6IPSkQGSBMNbTolVHdrFbtsygK4
+            FnHRJn75Q7RkrobkrusqypFqu+D9QK2tijOhahFxfdU/S/zWuzfPiKv4m+iwRo5Q
+            UeJ43uea8DtnfLCIHISh80mqXwhEpulEb73l7y80EdtHuRURlqer4KPmVtV2Q620
+            OyLHugmLaqJUXzC6sPyrWBO2tPMqD7JRA34fx5gOVRvyd6KdTc/Pn64/nbqWFcIM
+            94VIOdJUGoyDtxLVPu7nttlVddqn0obUmSuSvs1ouTntMkScRS6hNTptxS3BbQZ+
+            FDG/mLgArkrEk/2m/+OuxH4teRqDVcwgbKzkZWgZ0RH6k4v2BJSKnTT1S5TOjJg5
+            H/RcnMtQeZq0G67fz8uwo3Hqm6FAGBuaWkhtDknNtLEXHaOGE8IIM9L2CeLftq7S
+            UQGxv6DQZ7PpMjo4LRCyCHNj9ddykRneojKG5cjQxMhTMH2PmamfpB+c2dUSvqin
+            Ius8vdBiHGuvEwcdJQ3m7cYhkLZWuRgIqGpIrGJX5dvTIw==
+            =Hi+j
+            -----END PGP MESSAGE-----
+          fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA
+        - created_at: "2024-01-11T20:56:10Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA5Wf+FyJ+zFJAQ//fyZa4Tzetgnur+02xwrfyxuU3Pvh2+NqSwFQCpo+reWo
+            bO59a5McV5rWnzL59r9XK/SGwBN87JiDFaTvpc2VJnGAxkz6vw5fuXQI7opybVp/
+            exqsqtR6lFLaznAi53oeIgBXIg2svOLr5tD6y9eh6eB4rGrbVf8T2N7TlrSal1RT
+            qoRjtLLZtNXWPMyIGUTjTr4HIUoYvScwQkBhG54R78PXtkW3QfmYJVqXlzTsbKrM
+            uAdC+Fd7k2ko39s64PPG6QsFFBg81UAz8SvQPfe6b8sv5IaVDBBk8IJ1tORX5/26
+            BbXOQLjyqdxHR9/KDeS/wj1e9rpRH3BgHybft0T9vBZyyBZY1dPAisRKXThs/Khb
+            QZUrEd9tNQqGhJrBEKGQuoY39G6mVOywvi4Amubg4L4VbETOD1CM8MMQFlhWmXDP
+            k6UYMY4vUt9O9/R8SljZBejO6Y2+smCzC4lDq5W3sBu5P+JnnHCnM0wgRoS1aCpR
+            tsBIKE1f+rlG+kb6eTGcCCR64H+TK9hT49MtbkFeKUO7rlZkbxqKgYdN/Q1HzCEW
+            YCYsxzJQo4mqTRQ4PYRvo+9Oo9gGtWY48H09qTGR737qayxA3VpdHepABBHC9nm5
+            BogU/3lTH9PzjESZkEckE1sx7QHUs39FiovXDgvsMRt6+wo6Y5L+dKoXU4MszAzS
+            UQE0UZL7h7N+QvTbujVrarB6A6vVlwjV0gbQJDRXmPw2awJjBvsjGNfLQ0mruwqb
+            RLB5G2SvQHiILN/ByD3NxhonQ90mPSjmVBfbdsOp6H4woQ==
+            =J+qg
+            -----END PGP MESSAGE-----
+          fp: F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D
+        - created_at: "2024-01-11T20:56:10Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA8KRInHl7Vz+AQ//USOIJ5cPWOQgcqjauvvccC22wxU7Rp/Bx86ajZFpL6M3
+            ns8g3TC4ga8OO2XYjLTHNXPAzPvEE5lskpO+bkDbqRPkkkGeauqupQTtDIMg25kF
+            ouBPcvCirWvBJ3uiHHKw1hvTMXAIwcdvIyvxP4zK7sWU8OScDw9nNS8uhOLH9wds
+            J+Y0qWPuxAJrJF8cgLORxjk5BFh5IdOrmijm72+qEHER6qgYgXoVVbGtIixUTcfv
+            H9TqxHPkeqgMH2QVGEGKGRueoUVWc0FXtVLNRKlZ5VYX+nZUBDdhVjiiG6DBkWtu
+            BayAhjRFh/oGs4Q+WyozKy/mv1hJvxsRjpyK78wYw0yQVuwfd/X73y2EkQQNquCk
+            SyzU+C+5+faJpf9HPq2nv1zrUJid1zSv01IE70OsRFAgKXI9thQlx3VIbLTU6RkZ
+            Bw6BsWoQmanUR3DUzWvL+lhzYLKhVQ9Gf9rPOK0B1XTvntTGgq1zOYQn/FmlhJjc
+            SJoXgNU+i9F52CGIJ0fTZaw+8+aJ6oL9SLETl4T9Gj/XCpuDUGJAMP++V7YLWsEf
+            5tqwHDngm5UJNmqy5vzVbQAIVyLCK868S4xNFRUFwQMCZCHQeW4MhVM5XFE0d0ab
+            A5MSm8X7HmYgvg+WvXzawyEX3OyAnw1RZ+n+b6w2NN8YLP1kRLjirDS3PbsLybTS
+            UQHc1/GvEhu+7CSv118mKOyJwOQ6u1KAblmg2yzyhxN6ZvuwNJ9zvSnovSALJHWQ
+            HSwUH1xcOoL1xQTwJ/+Ha/n1q9i2MqD4uLSP29yYGgdq1A==
+            =cXXw
+            -----END PGP MESSAGE-----
+          fp: C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1
--- a/kustomizations/invoiceshelf/ingress.yaml
+++ b/kustomizations/invoiceshelf/ingress.yaml
@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: invoiceshelf
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: invoice.distrust.co
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: invoiceshelf 
+            port:
+              name: http
+  tls:
+  - hosts:
+    - invoice.distrust.co
+    secretName: invoiceshelf-tls
--- a/kustomizations/invoiceshelf/kustomization.yaml
+++ b/kustomizations/invoiceshelf/kustomization.yaml
@ -0,0 +1,47 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+  app.kubernetes.io/part-of: invoiceshelf
+resources:
+  - statefulset.yaml
+  - service.yaml
+  - ingress.yaml
+configMapGenerator:
+  - name: env
+    literals:
+      - DB_CONNECTION=mysql
+      - DB_HOST=distrust-mysql-do-user-11788707-0.c.db.ondigitalocean.com
+      - DB_USERNAME=crater
+      - DB_DATABASE=crater
+      - DB_PORT=25060
+      - APP_ENV=production
+      - APP_DEBUG=false
+      - APP_LOG_LEVEL=debug
+      - APP_URL=https://billing.distrust.co
+      - ASSET_URL=https://billing.distrust.co
+      - BROADCAST_DRIVER=log
+      - CACHE_DRIVER=file
+      - QUEUE_DRIVER=sync
+      - SESSION_DRIVER=cookie
+      - SESSION_LIFETIME=1440
+      - REDIS_HOST=127.0.0.1
+      - REDIS_PORT=6379
+      - MAIL_DRIVER=smtp
+      - MAIL_HOST=smtp.migadu.com
+      - MAIL_PORT=465
+      - MAIL_USERNAME=billing@distrust.co
+      - MAIL_FROM_ADDRESS=billing@distrust.co
+      - MAIL_FROM_NAME="billing@distrust.co"
+      - MAIL_ENCRYPTION=ssl
+      - PUSHER_APP_ID=
+      - PUSHER_KEY=
+      - PUSHER_SECRET=
+      - SANCTUM_STATEFUL_DOMAINS=billing.distrust.co
+      - SESSION_DOMAIN=billing.distrust.co
+      - TRUSTED_PROXIES="*"
+      - CRON_JOB_AUTH_TOKEN=""
+generators:
+  - secret-generator.yaml
+images:
+  - name: invoiceshelf/invoiceshelf
+    newTag: 1.1.0@sha256:50787e404725ad4f47462eaf38832d97c627a5d139d51a84f31a9bd90caffb3f 
--- a/kustomizations/invoiceshelf/secret-generator.yaml
+++ b/kustomizations/invoiceshelf/secret-generator.yaml
@ -0,0 +1,6 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: invoiceshelf 
+files:
+- ./env.enc.yaml
--- a/kustomizations/invoiceshelf/service.yaml
+++ b/kustomizations/invoiceshelf/service.yaml
@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: invoiceshelf
+  labels:
+    app.kubernetes.io/name: invoiceshelf
+    app.kubernetes.io/part-of: invoiceshelf
+spec:
+  selector:
+    app.kubernetes.io/name: invoiceshelf
+    app.kubernetes.io/component: server
+  ports:
+    - name: http 
+      port: 80
+      targetPort: 80
--- a/kustomizations/invoiceshelf/statefulset.yaml
+++ b/kustomizations/invoiceshelf/statefulset.yaml
@ -0,0 +1,42 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: invoiceshelf
+  labels:
+    app.kubernetes.io/name: invoiceshelf
+    app.kubernetes.io/component: server
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: invoiceshelf
+      app.kubernetes.io/component: server
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: invoiceshelf
+        app.kubernetes.io/component: server
+    spec:
+      containers:
+        - name: invoiceshelf 
+          image: invoiceshelf/invoiceshelf
+          envFrom:
+            - secretRef:
+                name: env
+            - configMapRef:
+                name: env
+          ports:
+            - name: http 
+              containerPort: 80
+          securityContext:
+            allowPrivilegeEscalation: false
+          volumeMounts:
+            - name: invoiceshelf-data
+              mountPath: /var/www/html/InvoiceShelf/storage
+  volumeClaimTemplates:
+  - metadata:
+      name: invoiceshelf-data
+    spec:
+      accessModes: ["ReadWriteOnce"]
+      resources:
+        requests:
+          storage: 10Gi
--- a/src/toolchain
+++ b/src/toolchain
@ -1 +1 @@
-Subproject commit 23fc267a9dfdda30ba4287f8234879961722bafb
+Subproject commit a2315fdbc8cd0e4a654d1aa4623a53d5292b3574
--- a/terraform_modules/digitalocean_database_cluster/main.tf
+++ b/terraform_modules/digitalocean_database_cluster/main.tf
@ -39,23 +39,34 @@ resource "digitalocean_database_user" "default_users" {
  name = each.key

  provisioner "local-exec" {
-    command = "GRANT ALL ON DATABASE ${each.key} TO ${each.key};"
-    interpreter = [
-      "psql",
-      "-v", "ON_ERROR_STOP=1",
+    command = var.dbcli_name == "psql" ? "GRANT ALL ON DATABASE ${each.key} TO ${each.key};" : "GRANT ALL PRIVILEGES ON ${each.key} TO '${each.key}'@'%';"
+    interpreter = var.dbcli_name == "psql" ? [
+      "${var.dbcli_name}",
      "${local.base_connection_string}/${each.key}",
      "-c"
+    ] : [
+      "${var.dbcli_name}",
+      "-u",
+      "${digitalocean_database_cluster.main.user}",
+      "-p",
+      "-h",
+      "${digitalocean_database_cluster.main.host}",
+      "-P",
+      "25060",
+      "-D",
+      "${each.key}",
+      "-e"
    ]
  }

  provisioner "local-exec" {
-    command = "GRANT ALL ON SCHEMA public TO ${each.key}"
-    interpreter = [
-      "psql",
+    command = var.dbcli_name == "psql" ? "GRANT ALL ON SCHEMA public TO ${each.key}" : "true"
+    interpreter = var.dbcli_name == "psql" ? [
+      "${var.dbcli_name}",
      "-v", "ON_ERROR_STOP=1",
      "${local.base_connection_string}/${each.key}",
      "-c"
-    ]
+    ] : ["true"]
  }

  # Note: provisioners depend on databases existing
--- a/terraform_modules/digitalocean_database_cluster/variables.tf
+++ b/terraform_modules/digitalocean_database_cluster/variables.tf
@ -33,3 +33,8 @@ variable "vpc_id" {
  type = string
  nullable = true
 }
+
+variable "dbcli_name" {
+  type    = string
+  default = "psql"
+}
Author	SHA1	Message	Date
Danny Grove	10119fd557	k/invoiceshelf: migrate to invoiceshelf, use statefulset, grab secrets from backup	2024-03-31 03:29:37 -07:00
Danny Grove	c3d9a55497	Add support for mysql db cluster, add crater mysql db, upgrade DO provider	2024-03-31 02:11:40 -07:00
Danny Grove	860ee7772b	k/invoiceshelf: initial commit	2024-03-31 02:08:56 -07:00
Danny Grove	dda0c1f77c	Fix make setup to work with open tofu	2024-03-28 21:28:02 -07:00
Danny Grove	6d149d96e5	Add MySQL DB cluster and database for crater app	2024-03-28 21:27:29 -07:00