From 6d149d96e54d580b09fd61e92d74a2f962ba1734 Mon Sep 17 00:00:00 2001 From: Danny Grove Date: Tue, 26 Mar 2024 00:11:14 -0700 Subject: [PATCH 1/7] Add MySQL DB cluster and database for crater app --- infra/main/main.tf | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/infra/main/main.tf b/infra/main/main.tf index 80be87e..0ce21f3 100644 --- a/infra/main/main.tf +++ b/infra/main/main.tf @@ -69,6 +69,26 @@ module "digitalocean_database_cluster" { digitalocean_region = data.digitalocean_region.provided.slug } +# Crater App requires MySQL currently, when it adds PG support we should migrate +# +module "digitalocean_mysql_database_cluster" { + source = "../../terraform_modules/digitalocean_database_cluster" + + cluster_name = "distrust-mysql" + db_engine = "mysql" + db_version = "8" + size = "db-s-1vcpu-2gb" + node_count = 1 + + databases = [{ + name = "crater", + create_default_superuser = true, + }] + + vpc_id = digitalocean_vpc.main.id + digitalocean_region = data.digitalocean_region.provided.slug +} + locals { database_host = module.digitalocean_database_cluster.database_cluster.private_host database_port = module.digitalocean_database_cluster.database_cluster.port From dda0c1f77cacae4d93d95046975a1cee5964b9af Mon Sep 17 00:00:00 2001 From: Danny Grove Date: Thu, 28 Mar 2024 21:28:02 -0700 Subject: [PATCH 2/7] Fix make setup to work with open tofu --- Makefile | 34 ++++++++++++++++++++++++++++------ config/make.env | 2 +- infra/main/provider.tf | 1 + src/toolchain | 2 +- 4 files changed, 31 insertions(+), 8 deletions(-) diff --git a/Makefile b/Makefile index e8c77ad..1407141 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,7 @@ ENVIRONMENT := production REGION := sfo3 ROOT_DIR := $(shell pwd) # TODO: automatically determine -TERRAFORM := $(ROOT_DIR)/out/terraform.linux-x86_64 +TERRAFORM := $(ROOT_DIR)/out/tofu.linux-x86_64 SOPS := $(ROOT_DIR)/out/sops.linux-x86_64 KEYS := \ 6B61ECD76088748C70590D55E90A401336C8AAA9 \ 
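Review bot: `create_default_superuser = true` on the new `crater` database reads as handing the application a cluster-level superuser, which is more than a billing app needs; the module is outside this hunk, so what the flag actually creates cannot be checked here (patch 4 of this series shows the module's `default_users` resource creating a user named after the database and granting on that database only). A comment next to the flag stating the intended scope, `# creates a per-database user "crater" (see module default_users); not a cluster admin`, would make the least-privilege intent explicit and catch a future module change that widens it. The leading comment should also record what "migrate" entails for existing `crater` data once PostgreSQL support lands, since a MySQL-to-PostgreSQL move is not a flag flip.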
@@ -15,13 +15,13 @@ KEYS := \ 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA \ F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D +EXTRA_ARGS := + .DEFAULT_GOAL := .PHONY: default default: \ toolchain \ tools \ - $(patsubst %,$(KEY_DIR)/%.asc,$(KEYS)) \ - $(CACHE_DIR)/website/.well-known/openpgpkey \ apply .PHONY: @@ -76,6 +76,13 @@ infra/backend/.terraform: \ $(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\ env -C infra/backend $(TERRAFORM) init -upgrade \ ' + $(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\ + env -C infra/backend $(TERRAFORM) refresh \ + -var environment=$(ENVIRONMENT) \ + -var namespace=$(ENVIRONMENT) \ + -var region=$(REGION) \ + -state $(ENVIRONMENT).tfstate \ + ' infra/main/.terraform: | \ $(TERRAFORM) \ @@ -85,6 +92,13 @@ infra/main/.terraform: | \ env -C infra/main $(TERRAFORM) init -upgrade \ -backend-config="../../config/$(ENVIRONMENT).tfbackend" \ ' + $(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\ + env -C infra/main $(TERRAFORM) refresh \ + -var environment=$(ENVIRONMENT) \ + -var namespace=$(ENVIRONMENT) \ + -var region=$(REGION) \ + -state $(ENVIRONMENT).tfstate \ + ' infra/backend/$(ENVIRONMENT).tfstate: \ $(TERRAFORM) \ @@ -96,7 +110,7 @@ infra/backend/$(ENVIRONMENT).tfstate: \ -var environment=$(ENVIRONMENT) \ -var namespace=$(ENVIRONMENT) \ -var region=$(REGION) \ - -state ../../$@ \ + -state $@ \ ' config/$(ENVIRONMENT).tfbackend: | \ @@ -107,9 +121,17 @@ config/$(ENVIRONMENT).tfbackend: | \ $(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\ env -C infra/backend \ $(TERRAFORM) \ - output -state ../../$< \ + output -state $(ENVIRONMENT).tfstate \ > $@ \ ' + $(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\ + env -C infra/backend \ + $(TERRAFORM) refresh \ + -var environment=$(ENVIRONMENT) \ + -var namespace=$(ENVIRONMENT) \ + -var region=$(REGION) \ + -state $(ENVIRONMENT).tfstate \ + ' .PHONY: apply: \ 
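Review bot: `EXTRA_ARGS :=` is introduced without a comment explaining what it feeds (its only use is the `apply` recipe in a later hunk), and in the same hunk the `default` goal drops the `$(KEY_DIR)/%.asc` key export and the `.well-known/openpgpkey` WKD prerequisites, which the commit message about OpenTofu does not mention. A line above the assignment, `# Extra flags appended verbatim to the tofu apply in the 'apply' target; set on the make command line`, plus a note on why key publication left the default goal (or where it moved), would keep the next reader from re-adding them.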
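Review bot: The `refresh` appended to the `infra/backend/.terraform` recipe (and its copies in the `infra/main/.terraform` and `config/$(ENVIRONMENT).tfbackend` hunks) rewrites `$(ENVIRONMENT).tfstate` from a recipe whose target is the `.terraform` directory, so a plain `make` now mutates state as a side effect of initialising plugins, and the three hand-copied blocks will drift the moment one is edited. `tofu refresh` carries the same deprecation as `terraform refresh`; `apply -refresh-only` is the supported form. For the `infra/main` copy the preceding init line configures the S3 backend while the refresh passes `-state $(ENVIRONMENT).tfstate`, a local file — depending on how the backend treats `-state` that is either rejected or refreshes a state that `apply` never reads; confirm which. Factor the repeated block into a `define refresh_state … endef` template invoked with `$(call …)` from one place, ideally the `apply` target rather than the init rules.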
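Review bot: `-state $@` in the `infra/backend/$(ENVIRONMENT).tfstate` recipe expands to `-state infra/backend/$(ENVIRONMENT).tfstate`; if this recipe, like its siblings, runs under `env -C infra/backend`, that path resolves to `infra/backend/infra/backend/$(ENVIRONMENT).tfstate`, the target file is never written, and every `make` re-runs the backend apply against an empty state. The removed `../../$@` was correct for that working directory, and the sibling `tfbackend` hunk already uses the cwd-relative form for the same file, which is the form to use here too: `-state $(ENVIRONMENT).tfstate \`. The start of this recipe is outside the hunk, so this hinges on whether it uses `env -C` like the others.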
@@ -126,7 +148,7 @@ apply: \ -var environment=$(ENVIRONMENT) \ -var namespace=$(ENVIRONMENT) \ -var region=$(REGION) \ - ' + $(EXTRA_ARGS) ' $(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig) $(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig) $(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml) diff --git a/config/make.env b/config/make.env index 6a5d6c9..f7f0f39 100644 --- a/config/make.env +++ b/config/make.env @@ -22,7 +22,7 @@ SOPS_REF=b6d3c9700d88e0c9348f3ec7cd2f10ce4a4b3ee1 BUSYBOX_URL=https://busybox.net/downloads/busybox-1.36.1.tar.bz2 BUSYBOX_HASH=b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314 TOFU_REPO=https://github.com/opentofu/opentofu -TOFU_REF=f9d8b3ca2c0926f66757241baf81af523be73726 +TOFU_REF=5d05dba18b6e276a6262a4722fe90c13350c5428 KSOPS_REPO=https://github.com/viaduct-ai/kustomize-sops KSOPS_REF=ac33c40e1b78d9847a8d0f58473e99419be5b170 KUSTOMIZE_REPO=https://github.com/kubernetes-sigs/kustomize diff --git a/infra/main/provider.tf b/infra/main/provider.tf index 1a8e99d..afd7ad6 100644 --- a/infra/main/provider.tf +++ b/infra/main/provider.tf @@ -8,6 +8,7 @@ terraform { backend "s3" { skip_requesting_account_id = true skip_credentials_validation = true + skip_region_validation = true skip_get_ec2_platforms = true skip_metadata_api_check = true } diff --git a/src/toolchain b/src/toolchain index 23fc267..a2315fd 160000 --- a/src/toolchain +++ b/src/toolchain @@ -1 +1 @@ -Subproject commit 23fc267a9dfdda30ba4287f8234879961722bafb +Subproject commit a2315fdbc8cd0e4a654d1aa4623a53d5292b3574 From 860ee7772be26c9052a293f91546376907dd9747 Mon Sep 17 00:00:00 2001 
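Review bot: `$(EXTRA_ARGS)` is expanded by make inside the single-quoted command string that `sops exec-env` hands to a shell, so a value containing a single quote, `$` or a backtick is interpreted by that shell — which is running with the decrypted secrets in its environment — rather than passed to `tofu apply` as an argument. Document that contract where the variable is defined, `# EXTRA_ARGS is spliced unquoted into the sops exec-env shell string; keep it to plain flags such as -target=...`, or export it and let the inner shell expand `"$$EXTRA_ARGS"` so the value is never re-parsed by make. The `apply` rule starts before this hunk.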
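Review bot: `skip_region_validation = true` joins three other `skip_*` toggles in the `s3` backend block with nothing saying why AWS-specific validation is being switched off; presumably the endpoint is a non-AWS S3-compatible store, given `config/$(ENVIRONMENT).tfbackend` is generated from the backend stack's outputs, but the file does not say so. A one-line comment above the first skip, `# S3-compatible non-AWS endpoint: AWS account/region/credential validation does not apply`, would explain the whole cluster of settings rather than leaving each to be rediscovered on the next OpenTofu or provider upgrade.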
From: Danny Grove Date: Sun, 31 Mar 2024 02:08:56 -0700 Subject: [PATCH 3/7] k/invoiceshelf: initial commit --- kustomizations/invoiceshelf/deployment.yaml | 39 ++++++ kustomizations/invoiceshelf/env.enc.yaml | 117 ++++++++++++++++++ kustomizations/invoiceshelf/ingress.yaml | 23 ++++ .../invoiceshelf/kustomization.yaml | 21 ++++ .../invoiceshelf/secret-generator.yaml | 6 + kustomizations/invoiceshelf/service.yaml | 15 +++ 6 files changed, 221 insertions(+) create mode 100644 kustomizations/invoiceshelf/deployment.yaml create mode 100644 kustomizations/invoiceshelf/env.enc.yaml create mode 100644 kustomizations/invoiceshelf/ingress.yaml create mode 100644 kustomizations/invoiceshelf/kustomization.yaml create mode 100644 kustomizations/invoiceshelf/secret-generator.yaml create mode 100644 kustomizations/invoiceshelf/service.yaml diff --git a/kustomizations/invoiceshelf/deployment.yaml b/kustomizations/invoiceshelf/deployment.yaml new file mode 100644 index 0000000..0dda1e2 --- /dev/null +++ b/kustomizations/invoiceshelf/deployment.yaml @@ -0,0 +1,39 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: invoiceshelf + labels: + app.kubernetes.io/name: invoiceshelf + app.kubernetes.io/component: server +spec: + selector: + matchLabels: + app.kubernetes.io/name: invoiceshelf + app.kubernetes.io/component: server + template: + metadata: + labels: + app.kubernetes.io/name: invoiceshelf + app.kubernetes.io/component: server + spec: + containers: + - name: invoiceshelf + image: invoiceshelf/invoiceshelf + envFrom: + - secretRef: + name: env + - configMapRef: + name: env + ports: + - name: http + containerPort: 80 + # Create the flag the install check needs to bypass + lifecycle: + postStart: + exec: + command: + - /bin/sh + - -c + - "touch /var/www/html/InvoiceShelf/storage/app/database_created" + securityContext: + allowPrivilegeEscalation: false 
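Review bot: The container `securityContext` only sets `allowPrivilegeEscalation: false`; `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}` are missing, as are `resources` requests and limits, so the pod keeps the default capability set and has no resource bound. Whether `runAsNonRoot: true` is viable depends on how the `invoiceshelf/invoiceshelf` image starts its web server, which is not visible here — confirm before adding it. The `postStart` hook that touches `database_created` bypasses the application's own install check; a comment stating why that is safe (the database is provisioned by Terraform in patch 1, presumably with migrations handled elsewhere) would help, and note that Kubernetes does not guarantee `postStart` runs before the container entrypoint starts serving, so the first requests may still hit the install flow.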
diff --git a/kustomizations/invoiceshelf/env.enc.yaml b/kustomizations/invoiceshelf/env.enc.yaml new file mode 100644 index 0000000..37ba581 --- /dev/null +++ b/kustomizations/invoiceshelf/env.enc.yaml 
@@ -0,0 +1,117 @@ +apiVersion: v1 +kind: Secret +metadata: + name: env +stringData: + DB_PASSWORD: ENC[AES256_GCM,data:nHeFXLOI6bMb1hslXLu9xqbMNppGeGzI,iv:rakHQI3iFNgD9gtUX0HdeFG5afP9ln0a+wenqm692T0=,tag:en9KmjYlZ6xzeC0fs9wKzA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-03-31T08:56:24Z" + mac: ENC[AES256_GCM,data:ZzOHxHPOpazpvXHeMJfSyrRQoH9pK33eNYpZKvMXii3rQKWVw8dc4C0HyzbXo5ahJzF9RdBopiXW9tchjejfE1JJoC/a7SXYNCS+wn5wj4CQwu7u3ungbVROcluoBe7NiVzDhWz9URjZgkNWwyDWWQN9SXZW5xVqSYhAS7xPJTY=,iv:emHnnakeNRN1yWM7QvhF/7JH4K6GXpzWL78o9HNxPtE=,tag:9PUAOuO05M1RoQADq3f8gQ==,type:str] + pgp: + - created_at: "2024-01-11T20:56:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA82rPM2mSf/aARAAvQd7qO44LNyywY03qCXI18cx6nj9mo36ehJyq6wuYhWa + n95jXEsmRbGt2l8cAJrH9sZB3uE5DCfeZMzEiZ9heaAyxzC34BxSGP+4PBdRqp6B + jv7Ej6F9lV70bQYvDDry5ihWRmADEVrnDrs2+pXsMQiui9dZSGB676d2PIdliV6y + StqbyudjWZS6fLv2xy25yxJBfzb27rLh1d2yo/9AEm873bFVn7bXQxwOoud8s8KU + MLsQxE05zDQrzm+RpDU0mYk3X4ByyL0/J0dyipjHErOLhOCk2MZ4xTVW8U+Jefuu + htLAzftc9NGwWHdSVXqfwSWUq/UklzurPdDcA1riEqE4XmE74cdgP0vqHYeGPykh + M67Xcr1WLDk7i/n4EISqnp5qwItfJIxWlEpKNANEMveYggHXUz3wTk7qHwjpIDwG + 7mMfKlL221M1elk1lY60bx//tr2ZqIlN9IXCjOUZOlxlqvYcmie09YbR6tRZAbag + KZcq4s5y5HlVQ10ZUe7eY8qjXMlLVm7N+TJRnfgJrr2+7GTy/wCcx5nwsVBeYm8h + GrHT3PS0CVRA19ynlEqF1jXfqlRMjX0szPIUGb6/7HLiw514otq3KuZmHYAq2TZ2 + HMKncOptoUyfpG252v6NJYQC7yF76tdd5YuykeD40ZOBUULtvUEOZyZVdsaAU9zS + UQHygqf8d16qbh2rWK69Kqmc8DbZHCH/f1IDwekPOsNltQhdgn3lOP7gNSEwI7yV + /qk+5kVHg+Yk0l1K34v5aiWEGrI1SKd1m+nvVW7VcEtufw== + =SjUY + -----END PGP MESSAGE----- + fp: 6B61ECD76088748C70590D55E90A401336C8AAA9 + - created_at: "2024-01-11T20:56:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAw95Vf08z8oUAQ/+OHoip407wu+pF9bWolOK+dViuRhA/X9JUVyQfJer9HM2 + thZUChYerdnUBn674pVUkjS5szch19pdZLeK5/YqUXyWoW1qHUgYgzHHq6JvxXXf + PIC7Q+jCfsmDBGcSJefK9rA5u7S+7rULBZvbMbL7gpCG8cG0aXJBoNLzZ/vva16V + 
x/3Mn6taKjZX0ACeoQ4ma4HS6kB3Nz280S8PKIQeMuUQQfXNWMAlR2ebleovvmvh + pJtN0T5dMLEImexLFSgfPoU1OQmfrnQR/mWP0W3LtGn2o8EE5LordJSgMuwd5eqv + v+XOHoj5E5O88SO2mIwWY0Oh+6P5pf6PJDL8XLLq+0nm2HZrK1Ip8WvYar9xi/12 + HClde7vk1ESWw9Kdiop6rSj7C7M3dD+95ufG6F3c1XJQkp3H+AlK7aTK3/rx6Dml + FekNVioLC0LjiMZ1ZeVBOtIYoXXyrYE8nQF9E6kkW/o6dajMDo9F0Ck5LWLiES/E + 34bHkP3p+lwOOj0l8PONG/MaP5j2S8v7LjfuMBxcuoo1RhplLJQLUYGvkywmqDK2 + 2t5vqIkpGAxBN6WNgZt0OwcBlPC3PP3JHQ+kIn9Sk3MAR5plCAhkywTHFwoDBe1e + FnlmDyVjgOdtzZl3aNjz7uOiDtpecwPmsxah8ox7H5wOOagAabDhweFXh0IxKKXS + UQH4zAt2MLHWqAAGjFPFiYxb/ugU1R5Qjv6NKw8bWGFOrbexMiA2bCGOGmstxd7G + SU0tn54SBi+wOEDmJGnaZS89ZzGEoRm6LRJ5EJz+a03tTg== + =KOLu + -----END PGP MESSAGE----- + fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72 + - created_at: "2024-01-11T20:56:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA0/D4ws+/KPtARAArZ/F2Sh0LIACUnzLO45O0GsesOm4QS/vVEcZ0BDms/fi + Xe4mmJbYTvRIgWfoXpbt79UreBamMFCSpXBPJnx/d2F0s1RHxKvbq7LwNL/qpH3/ + pUJuAbToVTqLyS329YfJVtGtfYRsL0nIyt28wNjz4XudoTfoaaegk+1SSpedT7gW + Wq4ipL3m226yXyTv6DTu61o389TV3H2OR18hawjF6lDfDSCYtNexRCxV3aSqkDU5 + Ik9n9OkWrIgJ0ZM4DJ7U/Ltx9ju89oWCmjBfw6IPSkQGSBMNbTolVHdrFbtsygK4 + FnHRJn75Q7RkrobkrusqypFqu+D9QK2tijOhahFxfdU/S/zWuzfPiKv4m+iwRo5Q + UeJ43uea8DtnfLCIHISh80mqXwhEpulEb73l7y80EdtHuRURlqer4KPmVtV2Q620 + OyLHugmLaqJUXzC6sPyrWBO2tPMqD7JRA34fx5gOVRvyd6KdTc/Pn64/nbqWFcIM + 94VIOdJUGoyDtxLVPu7nttlVddqn0obUmSuSvs1ouTntMkScRS6hNTptxS3BbQZ+ + FDG/mLgArkrEk/2m/+OuxH4teRqDVcwgbKzkZWgZ0RH6k4v2BJSKnTT1S5TOjJg5 + H/RcnMtQeZq0G67fz8uwo3Hqm6FAGBuaWkhtDknNtLEXHaOGE8IIM9L2CeLftq7S + UQGxv6DQZ7PpMjo4LRCyCHNj9ddykRneojKG5cjQxMhTMH2PmamfpB+c2dUSvqin + Ius8vdBiHGuvEwcdJQ3m7cYhkLZWuRgIqGpIrGJX5dvTIw== + =Hi+j + -----END PGP MESSAGE----- + fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA + - created_at: "2024-01-11T20:56:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA5Wf+FyJ+zFJAQ//fyZa4Tzetgnur+02xwrfyxuU3Pvh2+NqSwFQCpo+reWo + bO59a5McV5rWnzL59r9XK/SGwBN87JiDFaTvpc2VJnGAxkz6vw5fuXQI7opybVp/ + 
exqsqtR6lFLaznAi53oeIgBXIg2svOLr5tD6y9eh6eB4rGrbVf8T2N7TlrSal1RT + qoRjtLLZtNXWPMyIGUTjTr4HIUoYvScwQkBhG54R78PXtkW3QfmYJVqXlzTsbKrM + uAdC+Fd7k2ko39s64PPG6QsFFBg81UAz8SvQPfe6b8sv5IaVDBBk8IJ1tORX5/26 + BbXOQLjyqdxHR9/KDeS/wj1e9rpRH3BgHybft0T9vBZyyBZY1dPAisRKXThs/Khb + QZUrEd9tNQqGhJrBEKGQuoY39G6mVOywvi4Amubg4L4VbETOD1CM8MMQFlhWmXDP + k6UYMY4vUt9O9/R8SljZBejO6Y2+smCzC4lDq5W3sBu5P+JnnHCnM0wgRoS1aCpR + tsBIKE1f+rlG+kb6eTGcCCR64H+TK9hT49MtbkFeKUO7rlZkbxqKgYdN/Q1HzCEW + YCYsxzJQo4mqTRQ4PYRvo+9Oo9gGtWY48H09qTGR737qayxA3VpdHepABBHC9nm5 + BogU/3lTH9PzjESZkEckE1sx7QHUs39FiovXDgvsMRt6+wo6Y5L+dKoXU4MszAzS + UQE0UZL7h7N+QvTbujVrarB6A6vVlwjV0gbQJDRXmPw2awJjBvsjGNfLQ0mruwqb + RLB5G2SvQHiILN/ByD3NxhonQ90mPSjmVBfbdsOp6H4woQ== + =J+qg + -----END PGP MESSAGE----- + fp: F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D + - created_at: "2024-01-11T20:56:10Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA8KRInHl7Vz+AQ//USOIJ5cPWOQgcqjauvvccC22wxU7Rp/Bx86ajZFpL6M3 + ns8g3TC4ga8OO2XYjLTHNXPAzPvEE5lskpO+bkDbqRPkkkGeauqupQTtDIMg25kF + ouBPcvCirWvBJ3uiHHKw1hvTMXAIwcdvIyvxP4zK7sWU8OScDw9nNS8uhOLH9wds + J+Y0qWPuxAJrJF8cgLORxjk5BFh5IdOrmijm72+qEHER6qgYgXoVVbGtIixUTcfv + H9TqxHPkeqgMH2QVGEGKGRueoUVWc0FXtVLNRKlZ5VYX+nZUBDdhVjiiG6DBkWtu + BayAhjRFh/oGs4Q+WyozKy/mv1hJvxsRjpyK78wYw0yQVuwfd/X73y2EkQQNquCk + SyzU+C+5+faJpf9HPq2nv1zrUJid1zSv01IE70OsRFAgKXI9thQlx3VIbLTU6RkZ + Bw6BsWoQmanUR3DUzWvL+lhzYLKhVQ9Gf9rPOK0B1XTvntTGgq1zOYQn/FmlhJjc + SJoXgNU+i9F52CGIJ0fTZaw+8+aJ6oL9SLETl4T9Gj/XCpuDUGJAMP++V7YLWsEf + 5tqwHDngm5UJNmqy5vzVbQAIVyLCK868S4xNFRUFwQMCZCHQeW4MhVM5XFE0d0ab + A5MSm8X7HmYgvg+WvXzawyEX3OyAnw1RZ+n+b6w2NN8YLP1kRLjirDS3PbsLybTS + UQHc1/GvEhu+7CSv118mKOyJwOQ6u1KAblmg2yzyhxN6ZvuwNJ9zvSnovSALJHWQ + HSwUH1xcOoL1xQTwJ/+Ha/n1q9i2MqD4uLSP29yYGgdq1A== + =cXXw + -----END PGP MESSAGE----- + fp: C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD + encrypted_regex: ^(data|stringData)$ + version: 3.8.1 
diff --git a/kustomizations/invoiceshelf/ingress.yaml b/kustomizations/invoiceshelf/ingress.yaml new file mode 100644 index 0000000..a5aa55d --- /dev/null +++ b/kustomizations/invoiceshelf/ingress.yaml @@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: invoiceshelf + annotations: + cert-manager.io/cluster-issuer: letsencrypt +spec: + ingressClassName: nginx + rules: + - host: invoice.distrust.co + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: invoiceshelf + port: + name: http + tls: + - hosts: + - invoice.distrust.co + secretName: invoiceshelf-tls diff --git a/kustomizations/invoiceshelf/kustomization.yaml b/kustomizations/invoiceshelf/kustomization.yaml new file mode 100644 index 0000000..192cbbc --- /dev/null +++ b/kustomizations/invoiceshelf/kustomization.yaml @@ -0,0 +1,21 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +commonLabels: + app.kubernetes.io/part-of: invoiceshelf +resources: + - deployment.yaml + - service.yaml + - ingress.yaml +configMapGenerator: + - name: env + literals: + - DB_CONNECTION=mysql + - DB_HOST=distrust-mysql-do-user-11788707-0.c.db.ondigitalocean.com + - DB_USERNAME=crater + - DB_DATABASE=crater + - DB_PORT=25060 +generators: + - secret-generator.yaml +images: + - name: invoiceshelf/invoiceshelf + newTag: 1.1.0@sha256:50787e404725ad4f47462eaf38832d97c627a5d139d51a84f31a9bd90caffb3f diff --git a/kustomizations/invoiceshelf/secret-generator.yaml b/kustomizations/invoiceshelf/secret-generator.yaml new file mode 100644 index 0000000..4dad3a1 --- /dev/null +++ b/kustomizations/invoiceshelf/secret-generator.yaml @@ -0,0 +1,6 @@ +apiVersion: viaduct.ai/v1 +kind: ksops +metadata: + name: invoiceshelf +files: +- ./env.enc.yaml diff --git a/kustomizations/invoiceshelf/service.yaml b/kustomizations/invoiceshelf/service.yaml new file mode 100644 index 0000000..ee80d25 --- /dev/null +++ b/kustomizations/invoiceshelf/service.yaml 
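Review bot: The generated ConfigMap points `DB_HOST` at the public `...ondigitalocean.com` hostname with a bare `mysql` connection and no TLS setting, while `infra/main/main.tf` (patch 1 context) uses the cluster's `private_host` for the PostgreSQL cluster; going over the public endpoint depends on the cluster's trusted-sources firewall, and if the managed MySQL user requires TLS (DigitalOcean's default) Laravel's mysql driver only negotiates it when `MYSQL_ATTR_SSL_CA` is set — confirm both and prefer the VPC hostname plus the CA setting. `commonLabels` is deprecated in current kustomize in favour of `labels` with `includeSelectors: true`. The digest pin on `invoiceshelf/invoiceshelf` is the right call; a comment `# keep tag and digest in sync when bumping` next to `newTag` would stop a tag-only bump from silently keeping the old digest.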
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: invoiceshelf + labels: + app.kubernetes.io/name: invoiceshelf + app.kubernetes.io/part-of: invoiceshelf +spec: + selector: + app.kubernetes.io/name: invoiceshelf + app.kubernetes.io/component: server + ports: + - name: http + port: 80 + targetPort: 80 From c3d9a55497886ae4f9b838e954d0ed80f52ab7ee Mon Sep 17 00:00:00 2001 From: Danny Grove Date: Sun, 31 Mar 2024 02:11:40 -0700 Subject: [PATCH 4/7] Add support for mysql db cluster, add crater mysql db, upgrade DO provider --- infra/main/main.tf | 24 ++++++++++------- infra/main/provider.tf | 2 +- .../digitalocean_database_cluster/main.tf | 27 +++++++++++++------ .../variables.tf | 5 ++++ 4 files changed, 39 insertions(+), 19 deletions(-) diff --git a/infra/main/main.tf b/infra/main/main.tf index 0ce21f3..b2314aa 100644 --- a/infra/main/main.tf +++ b/infra/main/main.tf @@ -10,21 +10,18 @@ resource "random_id" "suffix" { byte_length = 8 } -data "digitalocean_region" "provided" { - slug = var.region -} resource "digitalocean_custom_image" "talos" { name = "talos" url = "https://github.com/siderolabs/talos/releases/download/v1.4.3/digital-ocean-amd64.raw.gz" # this gets reset by DigitalOcean otherwise distribution = "Unknown OS" - regions = [data.digitalocean_region.provided.slug] + regions = [var.region] } resource "digitalocean_vpc" "main" { name = "talos" - region = data.digitalocean_region.provided.slug + region = var.region # Note: This is VERY CAREFULLY chosen to avoid conflict with k8s and cilium ip_range = "192.168.0.0/16" } @@ -45,7 +42,7 @@ module "digitalocean_talos_cluster" { size = "s-2vcpu-4gb", }] vpc_id = digitalocean_vpc.main.id - digitalocean_region = data.digitalocean_region.provided.slug + digitalocean_region = var.region } module "digitalocean_database_cluster" { 
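Review bot: Removing `data "digitalocean_region" "provided"` drops the only plan-time check that `var.region` is a valid slug; the raw variable now flows into `regions` and `region` and a typo surfaces only at apply time, after state has been touched. If `variable "region"` (not in this diff) has no `validation` block, add one such as `condition = can(regex("^[a-z]{3}[0-9]$", var.region))` with an error message naming the expected slug form. The commit message does not say whether the lookup was removed for OpenTofu compatibility or simplicity; a line noting the reason would help.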
@@ -66,7 +63,7 @@ module "digitalocean_database_cluster" { }] vpc_id = digitalocean_vpc.main.id - digitalocean_region = data.digitalocean_region.provided.slug + digitalocean_region = var.region } # Crater App requires MySQL currently, when it adds PG support we should migrate @@ -76,8 +73,9 @@ module "digitalocean_mysql_database_cluster" { cluster_name = "distrust-mysql" db_engine = "mysql" + dbcli_name = "mariadb" db_version = "8" - size = "db-s-1vcpu-2gb" + size = "db-s-1vcpu-1gb" node_count = 1 databases = [{ @@ -86,7 +84,7 @@ module "digitalocean_mysql_database_cluster" { }] vpc_id = digitalocean_vpc.main.id - digitalocean_region = data.digitalocean_region.provided.slug + digitalocean_region = var.region } locals { @@ -100,10 +98,11 @@ locals { ]) } + # `jq .database_users.value.forgejo | sops --encrypt` output "database_users" { value = { - for db_user in module.digitalocean_database_cluster.database_users: + for db_user in concat(module.digitalocean_database_cluster.database_users, module.digitalocean_mysql_database_cluster.database_users): db_user.name => { apiVersion = "v1", kind = "Secret", @@ -131,6 +130,11 @@ output "database" { sensitive = true } +output "mysql_database" { + value = module.digitalocean_mysql_database_cluster.database_cluster + sensitive = true +} + output "vpc_id" { value = digitalocean_vpc.main.id } diff --git a/infra/main/provider.tf b/infra/main/provider.tf index afd7ad6..32f2430 100644 --- a/infra/main/provider.tf +++ b/infra/main/provider.tf @@ -2,7 +2,7 @@ terraform { required_providers { digitalocean = { source = "digitalocean/digitalocean" - version = "2.28.1" + version = "2.36.0" } } backend "s3" { diff --git a/terraform_modules/digitalocean_database_cluster/main.tf b/terraform_modules/digitalocean_database_cluster/main.tf index 9114a10..1146ab1 100644 --- a/terraform_modules/digitalocean_database_cluster/main.tf +++ b/terraform_modules/digitalocean_database_cluster/main.tf 
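Review bot: In the `@@ -100,10 +98,11 @@ locals` hunk the `database_users` output now keys its map by `db_user.name` across `concat(...)` of both clusters; a `for` expression fails on duplicate keys, so the first time the PostgreSQL and MySQL clusters define a user with the same name (their `databases` lists are independent) the whole plan errors. Tag each list with its cluster before concatenating and key on `"${cluster}-${db_user.name}"`, or keep one output per cluster as the adjacent `mysql_database` output already does. The `# jq ... | sops --encrypt` comment is useful; it would be clearer as a sentence saying this output is meant to be piped into the encrypted kustomization secrets.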
@@ -39,23 +39,34 @@ resource "digitalocean_database_user" "default_users" { name = each.key provisioner "local-exec" { - command = "GRANT ALL ON DATABASE ${each.key} TO ${each.key};" - interpreter = [ - "psql", - "-v", "ON_ERROR_STOP=1", + command = var.dbcli_name == "psql" ? "GRANT ALL ON DATABASE ${each.key} TO ${each.key};" : "GRANT ALL PRIVILEGES ON ${each.key} TO '${each.key}'@'%';" + interpreter = var.dbcli_name == "psql" ? [ + "${var.dbcli_name}", "${local.base_connection_string}/${each.key}", "-c" + ] : [ + "${var.dbcli_name}", + "-u", + "${digitalocean_database_cluster.main.user}", + "-p", + "-h", + "${digitalocean_database_cluster.main.host}", + "-P", + "25060", + "-D", + "${each.key}", + "-e" ] } provisioner "local-exec" { - command = "GRANT ALL ON SCHEMA public TO ${each.key}" - interpreter = [ - "psql", + command = var.dbcli_name == "psql" ? "GRANT ALL ON SCHEMA public TO ${each.key}" : "true" + interpreter = var.dbcli_name == "psql" ? [ + "${var.dbcli_name}", "-v", "ON_ERROR_STOP=1", "${local.base_connection_string}/${each.key}", "-c" - ] + ] : ["true"] } # Note: provisioners depend on databases existing diff --git a/terraform_modules/digitalocean_database_cluster/variables.tf b/terraform_modules/digitalocean_database_cluster/variables.tf index dd1a6a3..3a43c6b 100644 --- a/terraform_modules/digitalocean_database_cluster/variables.tf +++ b/terraform_modules/digitalocean_database_cluster/variables.tf @@ -33,3 +33,8 @@ variable "vpc_id" { type = string nullable = true } + +variable "dbcli_name" { + type = string + default = "psql" +} From 10119fd5576f175707024f112db23d224d36a7b0 Mon Sep 17 00:00:00 2001 
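Review bot: The MySQL branch of the first provisioner cannot authenticate non-interactively and grants the wrong object: `-p` with no value makes the client prompt for a password on stdin, which a `local-exec` run cannot supply, and `GRANT ALL PRIVILEGES ON ${each.key} TO …` without `.*` names a table called after the database (inside the `-D` default database) rather than the database itself. Supply the password through the provisioner's `environment` block as `MYSQL_PWD` (keeps it off the argv, where every local user can read it via `ps`), add the `.*` suffix so the grant covers the database, and take the port from `digitalocean_database_cluster.main.port` instead of the literal `25060`. The psql branch also silently lost the `-v ON_ERROR_STOP=1` that the removed interpreter list and the second provisioner still carry, so a failed GRANT may no longer fail the apply; the `"${var.dbcli_name}"` wrappers can be plain `var.dbcli_name`. The second provisioner's `"true"`/`["true"]` no-op for MySQL runs a pointless process per user; branching on `var.db_engine` with a conditional provisioner count would read more clearly. The enclosing `default_users` resource starts before the hunk.
```hcl
  provisioner "local-exec" {
    command = var.dbcli_name == "psql" ? "GRANT ALL ON DATABASE ${each.key} TO ${each.key};" : "GRANT ALL PRIVILEGES ON `${each.key}`.* TO '${each.key}'@'%';"
    # Password goes through the environment, never the argv: `-p<pw>` is visible
    # in `ps` and bare `-p` prompts on stdin. psql ignores MYSQL_PWD.
    environment = {
      MYSQL_PWD = digitalocean_database_cluster.main.password
    }
    interpreter = var.dbcli_name == "psql" ? [
      var.dbcli_name, "-v", "ON_ERROR_STOP=1", "${local.base_connection_string}/${each.key}", "-c"
    ] : [
      var.dbcli_name,
      "-u", digitalocean_database_cluster.main.user,
      "-h", digitalocean_database_cluster.main.host,
      "-P", tostring(digitalocean_database_cluster.main.port),
      "-D", each.key,
      "-e"
    ]
  }
  # … unchanged: second provisioner (public-schema grant, psql only) …
```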
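Review bot: `variable "dbcli_name"` is added with neither a `description` nor a `validation` block, although `main.tf` branches on `var.dbcli_name == "psql"` and treats every other value as a MySQL-compatible client with the mariadb argument layout; a typo or an unexpected client name therefore silently selects the MySQL branch. Add a description naming the two supported families and a validation with `condition = contains(["psql", "mysql", "mariadb"], var.dbcli_name)` and a matching `error_message`, so a bad value fails at plan time instead of inside a provisioner that has already created the user.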
From: Danny Grove Date: Sun, 31 Mar 2024 03:29:37 -0700 Subject: [PATCH 5/7] k/invoiceshelf: migrate to invoiceshelf, use statefulset, grab secrets from backup --- kustomizations/invoiceshelf/env.enc.yaml | 6 ++-- .../invoiceshelf/kustomization.yaml | 28 ++++++++++++++++++- .../{deployment.yaml => statefulset.yaml} | 21 ++++++++------ 3 files changed, 43 insertions(+), 12 deletions(-) rename kustomizations/invoiceshelf/{deployment.yaml => statefulset.yaml} (70%) diff --git a/kustomizations/invoiceshelf/env.enc.yaml b/kustomizations/invoiceshelf/env.enc.yaml index 37ba581..a71fd57 100644 --- a/kustomizations/invoiceshelf/env.enc.yaml +++ b/kustomizations/invoiceshelf/env.enc.yaml 
@@ -4,14 +4,16 @@ metadata: name: env stringData: DB_PASSWORD: ENC[AES256_GCM,data:nHeFXLOI6bMb1hslXLu9xqbMNppGeGzI,iv:rakHQI3iFNgD9gtUX0HdeFG5afP9ln0a+wenqm692T0=,tag:en9KmjYlZ6xzeC0fs9wKzA==,type:str] + APP_KEY: ENC[AES256_GCM,data:pG99OkN9DpXEJ287ty/7e/86v5kEYeikNN6FnV++uNFE4j48aPiQENd+57RxAXFTUl+6,iv:IFXaK2gnXFm6T3O7ClTRk5HqLGmgFdvh7Dn2Jw+MQU0=,tag:0SPKkf5jfyyuwHNvvDVgCg==,type:str] + MAIL_PASSWORD: ENC[AES256_GCM,data:+pWcN1GYSA3pibo8WgvFsAHjnrvhDNsjuO+QXYR7bdZFBKWJbshf0sS8,iv:Kw6qiUEFnd5FRGBMWutOoxMNFZYMf8NyQkPBR9TvfXg=,tag:4IOU6qOXWQ02S6rc1RHiOQ==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-03-31T08:56:24Z" - mac: ENC[AES256_GCM,data:ZzOHxHPOpazpvXHeMJfSyrRQoH9pK33eNYpZKvMXii3rQKWVw8dc4C0HyzbXo5ahJzF9RdBopiXW9tchjejfE1JJoC/a7SXYNCS+wn5wj4CQwu7u3ungbVROcluoBe7NiVzDhWz9URjZgkNWwyDWWQN9SXZW5xVqSYhAS7xPJTY=,iv:emHnnakeNRN1yWM7QvhF/7JH4K6GXpzWL78o9HNxPtE=,tag:9PUAOuO05M1RoQADq3f8gQ==,type:str] + lastmodified: "2024-03-31T09:43:12Z" + mac: ENC[AES256_GCM,data:I9rIuOh2cTJDrlPYs3kf6o6jPPtdElDmjWENc4Yk29ezpWwUj3+BsICpOU0kOrehvuyKtcM6BcxuvJG5Q92gZoVRvlHDoLypMyK3vDBxhGO0CAbcKnKmUSvROr6IWY5jKh9EWczxU3VkDTrm/BmCJAbjC2Ys51ej73InZez4t0g=,iv:gIaUNj8wKew4bH7dBHW+LV5S0a9allRQkWQ/3aWYJ4Q=,tag:mwwI+RDG0i45sPOSh+e1mg==,type:str] pgp: - created_at: "2024-01-11T20:56:10Z" enc: |- diff --git a/kustomizations/invoiceshelf/kustomization.yaml b/kustomizations/invoiceshelf/kustomization.yaml index 192cbbc..8322966 100644 --- a/kustomizations/invoiceshelf/kustomization.yaml +++ b/kustomizations/invoiceshelf/kustomization.yaml @@ -3,7 +3,7 @@ kind: Kustomization commonLabels: app.kubernetes.io/part-of: invoiceshelf resources: - - deployment.yaml + - statefulset.yaml - service.yaml - ingress.yaml configMapGenerator: 
@@ -14,6 +14,32 @@ configMapGenerator: - DB_USERNAME=crater - DB_DATABASE=crater - DB_PORT=25060 + - APP_ENV=production + - APP_DEBUG=false + - APP_LOG_LEVEL=debug + - APP_URL=https://billing.distrust.co + - ASSET_URL=https://billing.distrust.co + - BROADCAST_DRIVER=log + - CACHE_DRIVER=file + - QUEUE_DRIVER=sync + - SESSION_DRIVER=cookie + - SESSION_LIFETIME=1440 + - REDIS_HOST=127.0.0.1 + - REDIS_PORT=6379 + - MAIL_DRIVER=smtp + - MAIL_HOST=smtp.migadu.com + - MAIL_PORT=465 + - MAIL_USERNAME=billing@distrust.co + - MAIL_FROM_ADDRESS=billing@distrust.co + - MAIL_FROM_NAME="billing@distrust.co" + - MAIL_ENCRYPTION=ssl + - PUSHER_APP_ID= + - PUSHER_KEY= + - PUSHER_SECRET= + - SANCTUM_STATEFUL_DOMAINS=billing.distrust.co + - SESSION_DOMAIN=billing.distrust.co + - TRUSTED_PROXIES="*" + - CRON_JOB_AUTH_TOKEN="" generators: - secret-generator.yaml images: diff --git a/kustomizations/invoiceshelf/deployment.yaml b/kustomizations/invoiceshelf/statefulset.yaml similarity index 70% rename from kustomizations/invoiceshelf/deployment.yaml rename to kustomizations/invoiceshelf/statefulset.yaml index 0dda1e2..39f6ada 100644 --- a/kustomizations/invoiceshelf/deployment.yaml +++ b/kustomizations/invoiceshelf/statefulset.yaml @@ -1,5 +1,5 @@ apiVersion: apps/v1 -kind: Deployment +kind: StatefulSet metadata: name: invoiceshelf labels: @@ -27,13 +27,16 @@ spec: ports: - name: http containerPort: 80 - # Create the flag the install check needs to bypass - lifecycle: - postStart: - exec: - command: - - /bin/sh - - -c - - "touch /var/www/html/InvoiceShelf/storage/app/database_created" securityContext: allowPrivilegeEscalation: false + volumeMounts: + - name: invoiceshelf-data + mountPath: /var/www/html/InvoiceShelf/storage + volumeClaimTemplates: + - metadata: + name: invoiceshelf-data + spec: + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 10Gi From 59c36f47b33e1727b21b7a8f70cdbef075e2014d Mon Sep 17 00:00:00 2001 
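Review bot: `TRUSTED_PROXIES="*"`, `APP_LOG_LEVEL=debug` and an empty `CRON_JOB_AUTH_TOKEN=""` are shipped as production settings in a plain ConfigMap. Trusting every proxy means any client that reaches the pod without going through the ingress can forge `X-Forwarded-For`/`X-Forwarded-Proto`, which Laravel uses for URL generation and rate limiting; restricting it to the ingress controller's addresses is the safer default. Debug-level logging in production tends to record request payloads, and an empty cron token either disables the cron endpoint or leaves it unauthenticated depending on how InvoiceShelf checks it — worth confirming which. These values move into the encrypted `env` Secret in patch 6 of this series, so this hunk is the last place they can be reviewed in plain text.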
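Review bot: Changing `kind` to StatefulSet without adding `spec.serviceName` — the spec lines between the two hunks are not in the diff and the original Deployment never had one — is likely to be rejected by API validation, which has historically required `serviceName` for apps/v1 StatefulSets; add `serviceName: invoiceshelf` pointing at the Service from patch 3. If the image runs its PHP worker as a non-root user the new `invoiceshelf-data` claim also needs a pod-level `securityContext.fsGroup` to be writable; that depends on the image, so confirm before adding. Dropping the `postStart` hack in favour of a persisted `storage/` is an improvement; a short comment on the claim template recording that the install marker now survives restarts in the volume would capture why the hook could go.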
From: Danny Grove Date: Sun, 31 Mar 2024 21:24:45 -0700 Subject: [PATCH 6/7] k/invoiceshelf: fix config to get working. migrate ingress to billing.distrust.co --- kustomizations/invoiceshelf/env.enc.yaml | 8 ++--- kustomizations/invoiceshelf/ingress.yaml | 4 +-- .../invoiceshelf/kustomization.yaml | 34 ------------------- kustomizations/invoiceshelf/statefulset.yaml | 32 +++++++++++++---- 4 files changed, 31 insertions(+), 47 deletions(-) diff --git a/kustomizations/invoiceshelf/env.enc.yaml b/kustomizations/invoiceshelf/env.enc.yaml index a71fd57..2340031 100644 --- a/kustomizations/invoiceshelf/env.enc.yaml +++ b/kustomizations/invoiceshelf/env.enc.yaml 
@@ -3,17 +3,15 @@ kind: Secret metadata: name: env stringData: - DB_PASSWORD: ENC[AES256_GCM,data:nHeFXLOI6bMb1hslXLu9xqbMNppGeGzI,iv:rakHQI3iFNgD9gtUX0HdeFG5afP9ln0a+wenqm692T0=,tag:en9KmjYlZ6xzeC0fs9wKzA==,type:str] - APP_KEY: ENC[AES256_GCM,data:pG99OkN9DpXEJ287ty/7e/86v5kEYeikNN6FnV++uNFE4j48aPiQENd+57RxAXFTUl+6,iv:IFXaK2gnXFm6T3O7ClTRk5HqLGmgFdvh7Dn2Jw+MQU0=,tag:0SPKkf5jfyyuwHNvvDVgCg==,type:str] - MAIL_PASSWORD: ENC[AES256_GCM,data:+pWcN1GYSA3pibo8WgvFsAHjnrvhDNsjuO+QXYR7bdZFBKWJbshf0sS8,iv:Kw6qiUEFnd5FRGBMWutOoxMNFZYMf8NyQkPBR9TvfXg=,tag:4IOU6qOXWQ02S6rc1RHiOQ==,type:str] + env: ENC[AES256_GCM,data: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,iv:HXTsRJEHxceO1HIA4CaR9CYt3oO18+cdeTAiBk4w0zo=,tag:e44hqgGLC9ugivxaxr+0Gw==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2024-03-31T09:43:12Z" - mac: ENC[AES256_GCM,data:I9rIuOh2cTJDrlPYs3kf6o6jPPtdElDmjWENc4Yk29ezpWwUj3+BsICpOU0kOrehvuyKtcM6BcxuvJG5Q92gZoVRvlHDoLypMyK3vDBxhGO0CAbcKnKmUSvROr6IWY5jKh9EWczxU3VkDTrm/BmCJAbjC2Ys51ej73InZez4t0g=,iv:gIaUNj8wKew4bH7dBHW+LV5S0a9allRQkWQ/3aWYJ4Q=,tag:mwwI+RDG0i45sPOSh+e1mg==,type:str] + lastmodified: "2024-04-01T03:47:06Z" + mac: ENC[AES256_GCM,data:mrjkTQF+cKuNzbaAaflQCTMT+H7D0dKL6keVLs1ig6ok4Z6JCKxe9+1Fa3q2OIpgq0bhHZqPPe5e2ztQSAzFC9z6c7YCHGh6kPZ8fQ7F0l2dATqNSeaRMsjsMdo7vOOQjNqj0SkeU5c4PSQpQHz9Rg7CtMupQ60iLbsm8GGM1tU=,iv:uhzyxgDSdJ/jw0qZyOddxP3JZ3S4okuWhZdJE22nDEI=,tag:EYe9MYxL8QDPe9Rf53OM+Q==,type:str] pgp: - created_at: "2024-01-11T20:56:10Z" enc: |- diff --git a/kustomizations/invoiceshelf/ingress.yaml b/kustomizations/invoiceshelf/ingress.yaml index a5aa55d..c090527 100644 --- a/kustomizations/invoiceshelf/ingress.yaml +++ b/kustomizations/invoiceshelf/ingress.yaml @@ -7,7 +7,7 @@ metadata: spec: ingressClassName: nginx rules: - - host: invoice.distrust.co + - host: billing.distrust.co http: paths: - path: / 
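Review bot: Collapsing the separate `DB_PASSWORD`, `APP_KEY` and `MAIL_PASSWORD` keys together with every non-secret setting into one encrypted `env` value makes the application configuration unreviewable in git: values such as `APP_DEBUG`, `TRUSTED_PROXIES` and the log level, plain text in the previous patch, now change invisibly under the `mac` line. Keep the non-secret settings in a ConfigMap (or a plaintext `.env` fragment that is concatenated at mount time) and encrypt only the credentials, so future diffs show configuration changes and the `encrypted_regex` on `stringData` continues to expose at least the key names for review.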
@@ -19,5 +19,5 @@ spec: name: http tls: - hosts: - - invoice.distrust.co + - billing.distrust.co secretName: invoiceshelf-tls diff --git a/kustomizations/invoiceshelf/kustomization.yaml b/kustomizations/invoiceshelf/kustomization.yaml index 8322966..19753b1 100644 --- a/kustomizations/invoiceshelf/kustomization.yaml +++ b/kustomizations/invoiceshelf/kustomization.yaml @@ -6,40 +6,6 @@ resources: - statefulset.yaml - service.yaml - ingress.yaml -configMapGenerator: - - name: env - literals: - - DB_CONNECTION=mysql - - DB_HOST=distrust-mysql-do-user-11788707-0.c.db.ondigitalocean.com - - DB_USERNAME=crater - - DB_DATABASE=crater - - DB_PORT=25060 - - APP_ENV=production - - APP_DEBUG=false - - APP_LOG_LEVEL=debug - - APP_URL=https://billing.distrust.co - - ASSET_URL=https://billing.distrust.co - - BROADCAST_DRIVER=log - - CACHE_DRIVER=file - - QUEUE_DRIVER=sync - - SESSION_DRIVER=cookie - - SESSION_LIFETIME=1440 - - REDIS_HOST=127.0.0.1 - - REDIS_PORT=6379 - - MAIL_DRIVER=smtp - - MAIL_HOST=smtp.migadu.com - - MAIL_PORT=465 - - MAIL_USERNAME=billing@distrust.co - - MAIL_FROM_ADDRESS=billing@distrust.co - - MAIL_FROM_NAME="billing@distrust.co" - - MAIL_ENCRYPTION=ssl - - PUSHER_APP_ID= - - PUSHER_KEY= - - PUSHER_SECRET= - - SANCTUM_STATEFUL_DOMAINS=billing.distrust.co - - SESSION_DOMAIN=billing.distrust.co - - TRUSTED_PROXIES="*" - - CRON_JOB_AUTH_TOKEN="" generators: - secret-generator.yaml images: diff --git a/kustomizations/invoiceshelf/statefulset.yaml b/kustomizations/invoiceshelf/statefulset.yaml index 39f6ada..48aed2f 100644 --- a/kustomizations/invoiceshelf/statefulset.yaml +++ b/kustomizations/invoiceshelf/statefulset.yaml 
@@ -19,19 +19,39 @@ spec: containers: - name: invoiceshelf image: invoiceshelf/invoiceshelf - envFrom: - - secretRef: - name: env - - configMapRef: - name: env ports: - name: http containerPort: 80 securityContext: allowPrivilegeEscalation: false + startupProbe: + initialDelaySeconds: 60 + periodSeconds: 5 + failureThreshold: 10 + httpGet: + path: /api/v1/app/version + port: http + livenessProbe: + periodSeconds: 5 + httpGet: + path: /api/v1/app/version + port: http + readinessProbe: + periodSeconds: 5 + httpGet: + path: /api/v1/app/version + port: http volumeMounts: - name: invoiceshelf-data - mountPath: /var/www/html/InvoiceShelf/storage + mountPath: /data + subPath: data + - name: dot-env + mountPath: /conf/.env + subPath: env + volumes: + - name: dot-env + secret: + secretName: env volumeClaimTemplates: - metadata: name: invoiceshelf-data From 9d5e1f074f51d5802e3a1412f2b5fa75bf8da3d3 Mon Sep 17 00:00:00 2001 From: Danny Grove Date: Wed, 24 Apr 2024 22:25:57 -0700 Subject: [PATCH 7/7] Drop billing.distrust.co DNS record in favor of external-dns --- infra/main/dns.tf | 7 ------- 1 file changed, 7 deletions(-) diff --git a/infra/main/dns.tf b/infra/main/dns.tf index 068f87e..53bd417 100644 --- a/infra/main/dns.tf +++ b/infra/main/dns.tf @@ -9,13 +9,6 @@ resource "digitalocean_record" "main" { value = "143.198.235.76" } -resource "digitalocean_record" "billing" { - domain = digitalocean_domain.default.id - type = "A" - name = "billing" - value = "45.16.98.153" -} - resource "digitalocean_record" "chat" { domain = digitalocean_domain.default.id type = "CNAME"
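Review bot: Mounting the `env` Secret with `subPath: env` at `/conf/.env` means the file is never refreshed in a running pod — kubelet does not update subPath mounts — so a rotated `DB_PASSWORD` only takes effect after the pod is recreated; either mount the Secret as a directory (the `/conf` directory itself, if the image reads `.env` from there) or record the requirement next to the mount, `# subPath: changes to Secret "env" need a pod restart to apply`. All three probes hit `/api/v1/app/version` every 5s; if that endpoint touches the database, a database outage turns into liveness restarts that cannot help — confirm what it does and consider a cheaper liveness target. The Secret volume keeps the default file mode, so the `.env` holding credentials is world-readable inside the container; `defaultMode: 0400` is appropriate if the web process owner matches. The enclosing `spec` starts before the hunk.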