diff --git a/.gitignore b/.gitignore index 923e59f4c..34d42a1ee 100644 --- a/.gitignore +++ b/.gitignore @@ -48,4 +48,7 @@ playwright/.auth apps/api/.env apps/spa-e2e/.env +# Infrastructure secrets +/**/*-secret.yaml + .nx/cache diff --git a/infra/base/config-map-templates/kordis-api-config-map.yaml b/infra/base/config-map-templates/kordis-api-config-map.yaml new file mode 100644 index 000000000..1ce3c3ae5 --- /dev/null +++ b/infra/base/config-map-templates/kordis-api-config-map.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: kordis-api-config-map +data: + ENVIRONMENT_NAME: \ No newline at end of file diff --git a/infra/base/config-map-templates/kordis-spa-config-map.yaml b/infra/base/config-map-templates/kordis-spa-config-map.yaml new file mode 100644 index 000000000..599baed58 --- /dev/null +++ b/infra/base/config-map-templates/kordis-spa-config-map.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: kordis-spa-config-map +data: + ENVIRONMENT_NAME: + OAUTH_CONFIG: | + + API_URL: \ No newline at end of file diff --git a/infra/base/kordis-api-deploy.yaml b/infra/base/kordis-api-deploy.yaml new file mode 100644 index 000000000..7af7bd331 --- /dev/null +++ b/infra/base/kordis-api-deploy.yaml 
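Review bot: The new `/**/*-secret.yaml` rule only catches files that happen to end in `-secret.yaml`; a plaintext Secret manifest named `mongodb-secret.yml`, `secrets.yaml` or anything else is still stageable, and every `.gitignore` rule is bypassed by `git add -f`. Treat it as a convenience rather than a control: a pre-commit or CI secret scanner (gitleaks or a check for `kind: Secret` with `data:`/`stringData:` under `infra/`) is what actually prevents a leak. The convention the overlay already follows deserves to be written down here, e.g. `# plaintext Secret manifests are never committed; only SealedSecrets (*-ss.yaml) belong in git` above the rule.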
@@ -0,0 +1,77 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kordis-api +spec: + replicas: 1 + selector: + matchLabels: + serverpod: kordis-api + template: + metadata: + labels: + serverpod: kordis-api + spec: + automountServiceAccountToken: false + containers: + - name: kordis-api + image: kordis-api:latest + imagePullPolicy: IfNotPresent + resources: + limits: + memory: 1Gi + cpu: 500m + requests: + memory: 128Mi + cpu: 100m + ports: + - containerPort: 3333 + name: http + protocol: TCP + envFrom: + - configMapRef: + name: kordis-api-config-map + env: + - name: MONGODB_URI + valueFrom: + secretKeyRef: + name: kordis-api-mongodb + key: connectionString + - name: SENTRY_KEY + valueFrom: + secretKeyRef: + name: api-vault-secrets + key: sentry-dns + readinessProbe: + httpGet: + scheme: HTTP + path: /health-check + port: 3333 + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + livenessProbe: + httpGet: + scheme: HTTP + path: /health-check + port: 3333 + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 5 + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + volumeMounts: + - name: secrets + mountPath: '/mnt/secrets' + readOnly: true + volumes: + - name: secrets + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: azure-vault-secrets + nodePublishSecretRef: + name: azure-vault-creds diff --git a/infra/base/kordis-api-ing.yaml b/infra/base/kordis-api-ing.yaml new file mode 100644 index 000000000..7b05c078c --- /dev/null +++ b/infra/base/kordis-api-ing.yaml 
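Review bot: The container `securityContext` in `kordis-api-deploy.yaml` (`runAsNonRoot`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`) stops short of the restricted Pod Security Standard: no capabilities are dropped and no seccomp profile is set, so the process keeps the runtime's default capability set and an unconfined syscall filter. Add `capabilities: { drop: ['ALL'] }` under the container securityContext and `seccompProfile: { type: RuntimeDefault }` at pod or container level. Note also that `runAsNonRoot: true` is enforced only at container start: if the `kordis-api` image does not set a non-root `USER`, the kubelet refuses to start the pod rather than rejecting the manifest, so either pin `runAsUser` explicitly or record the image's USER assumption in a comment.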
@@ -0,0 +1,20 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: kordis-api + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.tls: 'true' + traefik.ingress.kubernetes.io/router.tls.certResolver: default +spec: + rules: + - host: KUSTOMIZE_ME + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: kordis-api + port: + name: http diff --git a/infra/base/kordis-api-mongodb.yaml b/infra/base/kordis-api-mongodb.yaml new file mode 100644 index 000000000..5c5df927e --- /dev/null +++ b/infra/base/kordis-api-mongodb.yaml @@ -0,0 +1,7 @@ +apiVersion: persistence.sda-se.com/v1beta1 +kind: MongoDb +metadata: + name: kordis-api-mongodb +spec: + database: + pruneAfterDelete: false diff --git a/infra/base/kordis-api-svc.yaml b/infra/base/kordis-api-svc.yaml new file mode 100644 index 000000000..dcc739687 --- /dev/null +++ b/infra/base/kordis-api-svc.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: kordis-api +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + selector: + serverpod: kordis-api diff --git a/infra/base/kordis-spa-deploy.yaml b/infra/base/kordis-spa-deploy.yaml new file mode 100644 index 000000000..4f66ea9fc --- /dev/null +++ b/infra/base/kordis-spa-deploy.yaml 
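Review bot: The `kordis-api` Service exposes the API on plain HTTP inside the cluster, and nothing in this diff adds a NetworkPolicy, so any pod in the cluster can reach it directly and bypass the TLS/Traefik path the Ingress defines; the same applies to whatever the `MongoDb` custom resource provisions. If the CNI enforces NetworkPolicy, add one per overlay that allows ingress to `serverpod: kordis-api` only from the Traefik namespace and from `kordis-spa` is not needed since the browser talks to Traefik, and a default-deny for the namespace. The Ingress itself only sets `router.entrypoints: websecure`/`router.tls`; whether plain-HTTP requests are redirected depends on the Traefik entrypoint configuration, which is worth stating in a comment since it is not visible from this manifest.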
@@ -0,0 +1,72 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kordis-spa +spec: + replicas: 1 + selector: + matchLabels: + serverpod: kordis-spa + template: + metadata: + labels: + serverpod: kordis-spa + spec: + automountServiceAccountToken: false + containers: + - name: kordis-spa + image: kordis-spa:latest + imagePullPolicy: IfNotPresent + resources: + limits: + memory: 256Mi + cpu: 200m + requests: + memory: 128Mi + cpu: 100m + ports: + - containerPort: 8080 + name: http + protocol: TCP + envFrom: + - configMapRef: + name: kordis-spa-config-map + env: + - name: SENTRY_KEY + valueFrom: + secretKeyRef: + name: spa-vault-secrets + key: sentry-dns + readinessProbe: + httpGet: + scheme: HTTP + path: / + port: 8080 + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + livenessProbe: + httpGet: + scheme: HTTP + path: / + port: 8080 + initialDelaySeconds: 30 + periodSeconds: 5 + timeoutSeconds: 5 + securityContext: + runAsNonRoot: true + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + volumeMounts: + - name: secrets + mountPath: '/mnt/secrets' + readOnly: true + volumes: + - name: secrets + csi: + driver: secrets-store.csi.k8s.io + readOnly: true + volumeAttributes: + secretProviderClass: azure-vault-secrets + nodePublishSecretRef: + name: azure-vault-creds diff --git a/infra/base/kordis-spa-ing.yaml b/infra/base/kordis-spa-ing.yaml new file mode 100644 index 000000000..411292dc1 --- /dev/null +++ b/infra/base/kordis-spa-ing.yaml @@ -0,0 +1,20 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: kordis-spa + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.tls: 'true' + traefik.ingress.kubernetes.io/router.tls.certResolver: default +spec: + rules: + - host: KUSTOMIZE_ME + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: kordis-spa + port: + name: http 
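Review bot: `kordis-spa-deploy.yaml` sets `readOnlyRootFilesystem: false` while the API deployment in the same base sets it to `true`, and no reason is given; a static-file server normally only needs a few writable paths (cache, pid, tmp). Set `readOnlyRootFilesystem: true` and mount `emptyDir` volumes at exactly the paths the `kordis-spa` image writes to, or add a comment naming the path that forces it to stay writable. As with the API container, the securityContext is missing `capabilities: { drop: ['ALL'] }` and a `seccompProfile: { type: RuntimeDefault }`, so the two deployments should be brought to the same hardened baseline.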
diff --git a/infra/base/kordis-spa-svc.yaml b/infra/base/kordis-spa-svc.yaml new file mode 100644 index 000000000..355b45dbe --- /dev/null +++ b/infra/base/kordis-spa-svc.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: kordis-spa +spec: + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + selector: + serverpod: kordis-spa diff --git a/infra/base/kustomization.yaml b/infra/base/kustomization.yaml new file mode 100644 index 000000000..bd43cd6f3 --- /dev/null +++ b/infra/base/kustomization.yaml @@ -0,0 +1,11 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - kordis-spa-deploy.yaml + - kordis-spa-svc.yaml + - kordis-spa-ing.yaml + - kordis-api-deploy.yaml + - kordis-api-svc.yaml + - kordis-api-ing.yaml + - kordis-api-mongodb.yaml diff --git a/infra/overlays/next/kordis-api-config-map.yaml b/infra/overlays/next/kordis-api-config-map.yaml new file mode 100644 index 000000000..0935ddc46 --- /dev/null +++ b/infra/overlays/next/kordis-api-config-map.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: kordis-api-config-map +data: + ENVIRONMENT_NAME: next \ No newline at end of file diff --git a/infra/overlays/next/kordis-azure-ss.yaml b/infra/overlays/next/kordis-azure-ss.yaml new file mode 100644 index 000000000..39eb921d8 --- /dev/null +++ b/infra/overlays/next/kordis-azure-ss.yaml 
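Review bot: `infra/base/kustomization.yaml` does not include the ConfigMaps both Deployments consume via `envFrom` (`kordis-api-config-map`, `kordis-spa-config-map`), nor the `azure-vault-creds` Secret and `azure-vault-secrets` SecretProviderClass the CSI volumes reference, so `kustomize build infra/base` yields pods that fail with CreateContainerConfigError/volume mount errors. That appears intentional, with overlays supplying them from `config-map-templates/`, but nothing says so. A comment above `resources:` such as `# Not deployable alone: ConfigMaps, the azure-vault-creds SealedSecret and the SecretProviderClass are environment-specific and come from infra/overlays/<env>` would save the next person a confusing apply.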
@@ -0,0 +1,16 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: azure-vault-creds + namespace: kordis-next +spec: + encryptedData: + clientid: AgDGRmIFA+kYXoCRWaTeJwEM/rdRlMWMx9G7cnqJELJWShnCOXQSObB8Xd73LjotynRchw2EAhjAQHnDfzFEc2jGlzPPldysbPNbPd8CWRCc7gVvQHD9WHXbzNEYmIybBbltmYN42PyRyZs+AD7ksr+1ygwBiIauMbFVIBf59DXsX+dY7HS2Jd8057CdlbRwlKfzAaVRWAjh0iFXkwCHS2VBhR/X2TLe3i/XjbfUBzclumHLjnl+I3NIlphzFEJ6cm7aNG1XfzlvQLqIicRjKDCTZZRKZQOEF9j1nKD1LzVgaIt+z6uqf0X00roaHeG+zh+aPwxRXPSdGSqEBhre6f5XxBqj51oTP2zAbCEV6paI9kFASZ/BoSVBTpOnTdBYTrPumJTEXJ3cbui+UcgTixjW0V/JOHswYnKvQeDLIs9dZnSHRa3TqDdrExJ5ERVBBhJUOR9hTB8+jjV2BLSjwvoEv0BeiSjGlFyaXImdgAS5M748HAnVeVvxaD3Keb2UKHUmJw1JJREMJF8iqrCW7B+3VMlx9z2dgadJspyNW1IC+X7qluXkhXzIy+ZfB4ILF5hV6chwl6420+gs9crZGAN9WMflLdfKBxRAf1NLMTaX4SpwpCfMTbiXyrKJGvA11kL/4/yRV9229KJk1Wir/sF+i2RBLzLXhZoCTWyc6Co/TM+6BM6WoE8hBj0X3tfd3V9W7TcKmNNzaHPnGOyli0H9GxZwncdNkyfh86GMji72cTQozT0= + clientsecret: AgCVA40fg2N3Y6CE5cOBaywIco1LAJQ6kDupK0it4zQouzGV+jLDAcskXmY3Gt7KENgNuximrXrh88iqnpAmQJs7NRcZk26kOiKox0kd/FaVFDCX6nQyLbIaTQwMWwYF4cWCX+A7zycJvl7SMsYMFP6/BO1dtWzaFwDY37YNsuHbO/2MKRWzqNpiQBU/b6+568q97rXvi1r4z4u0k9hqUoJuQPmi8Cc6eWosdSQOnm6rIGE/HDJ6wpTjgvQJv7TA6onhCUcHMyTnZIeyi0mf5T3K1WDiDJFxj9FjGVAHOp89R2lL5uJDx6jXKPMM3Xwo2N2L9uYugUgwq1tqsaoz32V/qdU72fdNrEgXMJ16R5dwMZlDwNhzdmAJ5ZBbSxl5L6mWvdE8nz13hFcQbdYrlrW2JGkg77dHwpqZUeARw73TkPZPH5tPKVQcN7K+cMsbPiwid3w/pUsfRwnf2oMewpm/Sj72e8DP6+lm/oM8UuC92M44LwCkFIve1Uvhm//Br2E0+FnzgADrYfciPiwMyZmOzumwx8o+9cLWbRkCQdUhrbQDl+4a/hyuoU9hRdedqJnVD6QWmL2txbdTq3b+e58NeRY08RZk/3EXw/Mqswqlu8ZMLD5j0mIgjj6G0VrzdJD7OeWTab4NyeAw0IOMYUB/t7SnvBWHgMNStg5bsfbMzZkYohK0w6Bccxu7xGDa03bzpDqdOw0elQlWyOfNYHHfHNpAEvmj+7KDWxqgJUhXUDXaQIBYPMNt + template: + metadata: + creationTimestamp: null + name: azure-vault-creds + namespace: kordis-next diff --git a/infra/overlays/next/kordis-ns.yaml b/infra/overlays/next/kordis-ns.yaml new file mode 100644 index 000000000..ed7bd689e --- /dev/null 
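Review bot: `azure-vault-creds` carries a service-principal `clientid`/`clientsecret` that the CSI driver uses through `nodePublishSecretRef`, i.e. a long-lived credential for the whole Key Vault lives in the cluster as a plaintext Secret at runtime (sealed only in git) and must be rotated and re-sealed when it expires. If the cluster supports it, the Azure provider's workload-identity mode (a federated identity on the pod's service account, referenced by client ID on the SecretProviderClass) removes the stored secret entirely; otherwise record the expiry date and rotation procedure in a comment next to this file. The SealedSecret has no scope annotation, so it is in the default strict scope bound to name `azure-vault-creds` in namespace `kordis-next`, which is the right choice but means renaming or moving it requires re-sealing; a comment `# strict scope: re-seal if name or namespace changes` would make that visible. The `creationTimestamp: null` lines are kubeseal output noise and can be dropped.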
+++ b/infra/overlays/next/kordis-ns.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kordis-next diff --git a/infra/overlays/next/kordis-spa-config-map.yaml b/infra/overlays/next/kordis-spa-config-map.yaml new file mode 100644 index 000000000..75177c5bd --- /dev/null +++ b/infra/overlays/next/kordis-spa-config-map.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: kordis-spa-config-map +data: + ENVIRONMENT_NAME: next + OAUTH_CONFIG: | + { + "config": { + "redirectUri": "https://next.kordis-leitstelle.de/auth", + "oidc": true, + "responseType": "code", + "clientId": "6b5aa2b3-6237-44ba-8448-252052e73831", + "issuer": "https://kordisleitstelle.b2clogin.com/5b974891-a530-4e68-ac04-e26a18c3bd46/v2.0/", + "tokenEndpoint": "https://kordisleitstelle.b2clogin.com/kordisleitstelle.onmicrosoft.com/b2c_1_signin/oauth2/v2.0/token", + "scope": "openid offline_access 6b5aa2b3-6237-44ba-8448-252052e73831", + "strictDiscoveryDocumentValidation": false + }, + "discoveryDocumentUrl": "https://kordisleitstelle.b2clogin.com/kordisleitstelle.onmicrosoft.com/B2C_1_SignIn/v2.0/.well-known/openid-configuration" + } + API_URL: https://api.next.kordis-leitstelle.de \ No newline at end of file diff --git a/infra/overlays/next/kordis-spc.yaml b/infra/overlays/next/kordis-spc.yaml new file mode 100644 index 000000000..8606a48e7 --- /dev/null +++ b/infra/overlays/next/kordis-spc.yaml 
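Review bot: `OAUTH_CONFIG` sets `"strictDiscoveryDocumentValidation": false` with no explanation; that flag disables the client-side check that every endpoint in the discovery document sits under the configured `issuer`, which is a deliberate weakening and needs a recorded reason. It looks necessary here because the B2C `issuer` (`.../<tenant-id>/v2.0/`) and the endpoints (`.../kordisleitstelle.onmicrosoft.com/b2c_1_signin/...`) share a host but not a path prefix — worth confirming and stating in a YAML comment above `OAUTH_CONFIG:`, e.g. `# strictDiscoveryDocumentValidation is off because B2C endpoint URLs do not share the issuer path prefix; discoveryDocumentUrl is pinned to the same b2clogin.com tenant, which is what keeps this safe`. The `offline_access` scope requests refresh tokens into a browser SPA; confirm where the SPA keeps them (session vs. local storage), since that is the main exposure. The client ID, tenant ID and endpoints are public by design, so a ConfigMap is the right place for them.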
@@ -0,0 +1,28 @@ +apiVersion: secrets-store.csi.x-k8s.io/v1 +kind: SecretProviderClass +metadata: + name: azure-vault-secrets +spec: + provider: azure + parameters: + keyvaultName: kordisvault + tenantId: aef4dff0-4552-432b-a5c9-925890face46 + objects: | + array: + - | + objectName: sentry-api-dns + objectType: secret + - | + objectName: sentry-spa-dns + objectType: secret + secretObjects: + - secretName: api-vault-secrets + type: Opaque + data: + - key: sentry-dns + objectName: sentry-api-dns + - secretName: spa-vault-secrets + type: Opaque + data: + - key: sentry-dns + objectName: sentry-spa-dns diff --git a/infra/overlays/next/kustomization.yaml b/infra/overlays/next/kustomization.yaml new file mode 100644 index 000000000..76128c993 --- /dev/null +++ b/infra/overlays/next/kustomization.yaml @@ -0,0 +1,39 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: kordis-next + +resources: + - ../../base/ + - kordis-ns.yaml + - kordis-azure-ss.yaml + - kordis-spc.yaml + - kordis-api-config-map.yaml + - kordis-spa-config-map.yaml + +images: + - name: kordis-api + newName: ghcr.io/kordis-leitstelle/kordis-api + newTag: 8683454f374b5989ae30882db5b584152bab715a + - name: kordis-spa + newName: ghcr.io/kordis-leitstelle/kordis-spa + newTag: 8683454f374b5989ae30882db5b584152bab715a + +patches: + - patch: |- + - op: replace + path: /spec/rules/0/host + value: api.next.kordis-leitstelle.de + target: + group: networking.k8s.io + kind: Ingress + name: kordis-api + version: v1 + - patch: |- + - op: replace + path: /spec/rules/0/host + value: next.kordis-leitstelle.de + target: + group: networking.k8s.io + kind: Ingress + name: kordis-spa + version: v1
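Review bot: The single `azure-vault-secrets` SecretProviderClass lists both `sentry-api-dns` and `sentry-spa-dns`, and both `kordis-api-deploy.yaml` and `kordis-spa-deploy.yaml` mount it, so each pod gets the other application's DSN as a file under `/mnt/secrets` even though it only consumes its own via `secretObjects`. Split it per workload: remove the `sentry-spa-dns` object and the `spa-vault-secrets` entry from this class, add an `azure-vault-secrets-spa` class holding only those, and point the SPA deployment's `secretProviderClass` at it. Two caveats worth a comment: `secretObjects` only takes effect if the CSI driver was installed with secret syncing enabled, and the synced `api-vault-secrets`/`spa-vault-secrets` Secrets are readable by anyone with `get secrets` in `kordis-next`, so namespace RBAC should stay tight.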
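Review bot: The `images:` overrides in `infra/overlays/next/kustomization.yaml` pin `kordis-api` and `kordis-spa` by a commit-SHA tag, which is reproducible in practice but tags stay mutable on ghcr.io, so a re-pushed tag would be picked up silently by the base's `imagePullPolicy: IfNotPresent` on any fresh node. Pin by digest instead, replacing `newTag: 8683454f…` with `digest: sha256:<digest>` for each image (kustomize emits `image@sha256:…`), which is also the form admission and signature-verification tooling expects. If tags are kept, quote them (`newTag: '8683454f…'`) so a future SHA made only of digits is not retyped by the YAML parser.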