Fix/make (#24)

* for lecture6: use Taskfile.yml * for lecture6: add ephemeral container debug
AustrianDataLAB · Apr 5, 2024 · bd85c78 · bd85c78
1 parent 95d6f90
commit bd85c78
Show file tree

Hide file tree

Showing 7 changed files with 272 additions and 10 deletions.
diff --git a/Documentation/kubernetes.md b/Documentation/kubernetes.md
@@ -165,16 +165,6 @@ see the [nginx ingress docs](https://kubernetes.github.io/ingress-nginx/)
 The persistentvolumeClaim directory has a single resource definition aimed at
 telling the cluster to provision some storage use by the database container. 
 
-### security 
-
-The security directory contains some encrypted secrets that our application will
-use. Note that this example uses open encryption (anyone with openssl or a
-similar encryption tool can read the plain text values they hide). In a real
-production application, you would not upload secrets like this to a public git
-repository. Instead, you would use something called sealed-secrets to further
-control access to the hidden values.
-
-The rbac resource definition is not pertinent to our discussion.
 
 ### services 
 

diff --git a/kind/Taskfile.yml b/kind/Taskfile.yml
@@ -0,0 +1,48 @@
+
+version: '3'
+
+vars:
+  #KUBECONFIG: /home/runner/.kube/config
+  pacman: constanze
+
+tasks:
+  cluster:
+    cmds:
+      - kind create cluster 
+    silent: false
+
+
+  namespace:
+    cmds:
+      - kubectl create namespace {{.pacman}}
+    silent: false
+
+  envsubst:
+    cmds:
+      - |
+        export PACMAN="{{.pacman}}"
+        sed "s/\$pacman/$PACMAN/g" ../kubernetes/persistentvolumeclaim/mongo-pvc.txt.yaml > manifests/mongo-pvc.yaml
+        sed "s/\$pacman/$PACMAN/g" ../kubernetes/security/secret.txt.yaml > manifests/secret.yaml
+    silent: false
+
+  deploy-manifests:
+    cmds:
+      - for i in manifests/*; do kubectl apply -f $i -n {{.pacman}}; done
+
+  delete-manifests:
+    cmds:
+      - for i in manifests/*; do kubectl delete -f $i -n {{.pacman}}; done
+
+  port-forward:
+    cmds:
+      - kubectl port-forward -n {{.pacman}} service/pacman 8000:80 
+    silent: false
+
+  ephemeral-debug:
+    cmds:
+      - |
+        export POD_NAME=$(kubectl get pods -n {{.pacman}} -l name=mongo -o jsonpath="{.items[0].metadata.name}")
+        kubectl debug -n {{.pacman}} -it $POD_NAME --image=alpine --  bash
+        #read the secret.yaml to understand where these values are coming from:
+        #kubectl debug -n {{.pacman}} -it $POD_NAME --image=mongo -- sh -c "mongosh mongodb://blinky:pinky@localhost:27017/pacman"
+    silent: false
diff --git a/kind/manifests/mongo-deployment.yaml b/kind/manifests/mongo-deployment.yaml
@@ -0,0 +1,120 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    name: mongo
+  name: mongo
+  annotations:
+    source: "https://github.com/saintdle/pacman-tanzu"
+spec:
+  progressDeadlineSeconds: 600
+  replicas: 1
+  revisionHistoryLimit: 10
+  selector:
+    matchLabels:
+      name: mongo
+  strategy:
+    rollingUpdate:
+      maxSurge: 25%
+      maxUnavailable: 25%
+    type: RollingUpdate
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        name: mongo
+    spec:
+      containers:
+      - env:
+        - name: BITNAMI_DEBUG
+          value: "false"
+        - name: MONGODB_ROOT_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: database-admin-password
+              name: mongodb-users-secret
+        - name: MONGODB_DATABASE
+          valueFrom:
+            secretKeyRef:
+              key: database-name
+              name: mongodb-users-secret
+        - name: MONGODB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              key: database-password
+              name: mongodb-users-secret
+        - name: MONGODB_USERNAME
+          valueFrom:
+            secretKeyRef:
+              key: database-user
+              name: mongodb-users-secret
+        - name: ALLOW_EMPTY_PASSWORD
+          value: "no"
+        - name: MONGODB_SYSTEM_LOG_VERBOSITY
+          value: "0"
+        - name: MONGODB_DISABLE_SYSTEM_LOG
+          value: "no"
+        - name: MONGODB_DISABLE_JAVASCRIPT
+          value: "no"
+        - name: MONGODB_ENABLE_JOURNAL
+          value: "yes"
+        - name: MONGODB_PORT_NUMBER
+          value: "27017"
+        - name: MONGODB_ENABLE_IPV6
+          value: "no"
+        - name: MONGODB_ENABLE_DIRECTORY_PER_DB
+          value: "no"
+        image: bitnami/mongodb:4.4.14
+        imagePullPolicy: IfNotPresent
+        name: mongo
+        readinessProbe:
+          exec:
+            command:
+              - /bitnami/common-scripts/readiness-probe.sh
+          initialDelaySeconds: 5
+          periodSeconds: 20
+        livenessProbe:
+          exec:
+            command:
+              - /bitnami/common-scripts/ping-mongodb.sh
+          initialDelaySeconds: 15
+          periodSeconds: 20
+        startupProbe:
+          exec:
+            command:
+              - /bitnami/common-scripts/startup-probe.sh
+          initialDelaySeconds: 5
+          failureThreshold: 5
+          periodSeconds: 10
+        ports:
+        - containerPort: 27017
+          name: mongo
+          protocol: TCP
+        securityContext: 
+          runAsNonRoot: true
+          runAsUser: 1001
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+          - name: mongo-db
+            subPath: mongodb
+            mountPath: /bitnami/mongodb/
+          - name: pacman-mongo-common-scripts-volume
+            mountPath: /bitnami/common-scripts/
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      securityContext:
+        fsGroup: 1001
+      serviceAccount: default
+      serviceAccountName: default
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - name: pacman-mongo-common-scripts-volume
+        configMap:
+          defaultMode: 0755
+          name: pacman-mongo-common-scripts
+      - name: mongo-db
+        persistentVolumeClaim:
+          claimName: mongo-storage
+
diff --git a/kind/manifests/mongo-service.yaml b/kind/manifests/mongo-service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    name: mongo
+  name: mongo
+spec:
+  type: ClusterIP
+  ports:
+    - port: 27017
+      targetPort: 27017
+  selector:
+    name: mongo
diff --git a/kind/manifests/pacman-deployment.yaml b/kind/manifests/pacman-deployment.yaml
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    name: pacman
+  name: pacman
+  annotations:
+    source: "https://gitlab.tuwien.ac.at/ADLS/services-k8s/pacman/"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: pacman
+  template:
+    metadata:
+      labels:
+        name: pacman
+    spec:
+      containers:
+      - image: ghcr.io/austriandatalab/pacman:v0.0.6
+        name: pacman
+        ports:
+        - containerPort: 8080
+          name: http-server
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 8080
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+        env:
+        - name: MONGO_SERVICE_HOST
+          value: mongo
+        - name: MONGO_AUTH_USER
+          valueFrom:
+            secretKeyRef:
+              key: database-user
+              name: mongodb-users-secret
+        - name: MONGO_AUTH_PWD
+          valueFrom:
+            secretKeyRef:
+              key: database-password
+              name: mongodb-users-secret
+        - name: MONGO_DATABASE
+          value: pacman
+        - name: MY_MONGO_PORT
+          value: "27017"
+        - name: MONGO_USE_SSL
+          value: "false"
+        - name: MONGO_VALIDATE_SSL
+          value: "false"
+        - name: MY_NODE_NAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
diff --git a/kind/manifests/pacman-mongo-common-scripts.yaml b/kind/manifests/pacman-mongo-common-scripts.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+data:
+  ping-mongodb.sh: |
+    #!/bin/bash
+    mongo --port $MONGODB_PORT_NUMBER --eval "db.adminCommand('ping')"
+  readiness-probe.sh: |
+    #!/bin/bash
+    mongo --port $MONGODB_PORT_NUMBER --eval 'db.isMaster().ismaster || db.isMaster().secondary' | grep -q 'true'
+  startup-probe.sh: |
+    #!/bin/bash
+    mongo --port $MONGODB_PORT_NUMBER --eval 'db.hello().isWritablePrimary || db.hello().secondary' | grep 'true'
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: mongo
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: mongo
+  name: pacman-mongo-common-scripts
diff --git a/kind/manifests/pacman-service.yaml b/kind/manifests/pacman-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: pacman
+  labels:
+    name: pacman
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 8080
+      protocol: TCP
+  selector:
+    name: pacman