added secret manger for secreats

NashTech-Labs · Sep 12, 2023 · efec92f · efec92f
1 parent b27bcfd
commit efec92f
Show file tree

Hide file tree

Showing 9 changed files with 89 additions and 30 deletions.
diff --git a/.github/workflows/car-demo-pipeline.yml b/.github/workflows/car-demo-pipeline.yml
@@ -38,4 +38,4 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ github.token }}
         run: |
-          . apps-deployment-script.sh "us-east1"
+          . apps-deployment-script.sh "us-east1" ${{ secrets.GKE_KEY }}
diff --git a/apps-deployment-script.sh b/apps-deployment-script.sh
@@ -2,14 +2,17 @@
 
 PROJECT_ID="$(gcloud config get-value project)"
 REGION="$1"
+SA="$2"
 # install gke-gcloud-auth-plugin to install kubectl and authenticate gke.
 gcloud components install gke-gcloud-auth-plugin
+kubectl create secret generic gcpsm-secret --from-file=secret-access-credentials="$SA"
 
 build_and_deploy_service(){
 
    SERVICE_NAME=$1
    CLUSTER_NAME=$2
    DEPLOYMENT_NAME=$3
+   echo "---------build and deploy $SERVICE_NAME-----------"
    cd "$SERVICE_NAME" || exit
    mvn clean install
    echo "---------packaging done, start docker build-----------"
@@ -26,7 +29,7 @@ build_and_deploy_service(){
     # set docker image for kustomize
    ./kustomize edit set image gcr.io/PROJECT_ID/IMAGE:TAG=gcr.io/"$PROJECT_ID"/"$SERVICE_NAME":"$GITHUB_SHA"
    # deploy through kubectl
-   ./kustomize build . | kubectl apply -f -
+   ./kustomize build . | kubectl apply -f kuberesources/
     kubectl rollout status deployment/"$DEPLOYMENT_NAME"
     kubectl get services -o wide
     echo "-------------$SERVICE_NAME deployed on $CLUSTER_NAME----------"

diff --git a/order-service/deployment.yaml b/order-service/deployment.yaml
diff --git a/order-service/kuberesources/app-config.yaml b/order-service/kuberesources/app-config.yaml
@@ -0,0 +1,8 @@
+kind: ConfigMap 
+apiVersion: v1 
+metadata:
+  name: orderservice-configmap
+data:
+  # Configuration values can be set as key-value properties
+  MYSQL_HOST: 35.231.13.75
+  AXON_HOST: 34.139.161.101:8124
diff --git a/order-service/kuberesources/deployment.yaml b/order-service/kuberesources/deployment.yaml
@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: orderservice
+  labels:
+    app: orderservice
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: orderservice
+  template:
+    metadata:
+      labels:
+        app: orderservice
+    spec:
+      containers:
+        - name: orderservice
+          image: gcr.io/PROJECT_ID/IMAGE:TAG
+          imagePullPolicy: Always
+          ports:
+            - name: http
+              containerPort: 9090
+              protocol: TCP
+          env:
+            - name: MYSQL_DB_USERNAME
+              valueFrom:
+                secretKeyRef:
+                name: cardemo-secret
+                key: cardemo-db-username
+                optional: false
+            - name: MYSQL_DB_PASSWORD
+              valueFrom:
+                  secretKeyRef:
+                  name: cardemo-secret
+                  key: cardemo-db-userpassword
+                  optional: false
+          envFrom:
+            - configMapRef:
+                name: orderservice-configmap
diff --git a/order-service/kuberesources/secretstore.yaml b/order-service/kuberesources/secretstore.yaml
@@ -0,0 +1,31 @@
+apiVersion: external-secrets.io/v1alpha1
+kind: SecretStore
+metadata:
+  name: car-demo-secretstore
+spec:
+  provider:
+    gcpsm:
+      auth:
+        secretRef:
+          secretAccessKeySecretRef:
+            name: gcpsm-secret
+            key: secret-access-credentials
+---
+apiVersion: external-secrets.io/v1alpha1
+kind: ExternalSecret
+metadata:
+  name: car-demo-externalsecret
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: SecretStore
+    name: car-demo-secretstore
+  target:
+    name: cardemo-secret
+  data:
+    - secretKey: cardemo-db-username
+      remoteRef:
+        key: mysql-db-username
+    - secretKey: cardemo-db-userpassword
+      remoteRef:
+        key: mysql-db-userpassword
diff --git a/order-service/service.yaml → order-service/kuberesources/service.yaml b/order-service/service.yaml → order-service/kuberesources/service.yaml
diff --git a/order-service/kustomization.yaml b/order-service/kustomization.yaml
@@ -4,4 +4,5 @@ kind: Kustomization
 resources:
 - service.yaml
 - deployment.yaml
-
+- secretstore.yaml
+- app-config.yaml
diff --git a/order-service/src/main/resources/application.yml b/order-service/src/main/resources/application.yml
@@ -4,10 +4,10 @@ spring:
   application:
   name: OrderService
   datasource:
-    url: jdbc:mysql://${MYSQL_HOST:localhost}:3306/order_db
+    url: jdbc:mysql://${MYSQL_HOST:localhost}:3306/orders_db
     driverClassName: com.mysql.cj.jdbc.Driver
-    username: ${DB_USER}
-    password: ${DB_PASSWORD}
+    username: ${MYSQL_DB_USER}
+    password: ${MY_DB_PASSWORD}
   jpa:
     database-platform: org.hibernate.dialect.MySQL8Dialect
     hibernate: