K8s deployment

.gitignore

@@ -144,3 +144,5 @@ cython_debug/
 # Secrets
 secrets/
 !secrets/.keep_me
+
+.DS_Store

k8s/README.md

@@ -0,0 +1,44 @@
+# Kubernetes Deployment
+
+The `base` directory contains Kubernetes manifest files to deploy the Clair Berlin stack to a Kubernetes cluster.
+
+## Environment and Configuration Management
+
+We use [Kustomize](https://kustomize.io/) to configure the stack for different environments. An environment's configuration consists of a set of environment variables used to generate a config map called `clair-config-map` and a set of password files used to generate service-specific secrets. The secret files in `base/secrets` do not contain any real passwords. You will have to create a [Kustomize overlay](https://kubernetes.io/docs/tasks/manage-kubernetes-objects/kustomization/#bases-and-overlays) to override them.
+
+You can use the following shell script to generate the skeleton of a new environment (set ENV_NAME accordingly):
+
+```shell
+ENV_NAME=my-env
+ENV_DIR=environmemnts/$ENV_NAME
+mkdir -p $ENV_DIR
+cp -R base/config.env base/secrets environments/dev/kustomization.yaml $ENV_DIR
+```
+
+After that, edit `$ENV_DIR/config.env` and the files in `$ENV_DIR/secrets` to adapt the evironment's configuration.
+
+## cert-manager configuration
+
+The [SysEleven environment](environments/syseleven) contains an example how a cluster issuer and its corresponding annotation can be added to the Ingress object of the base layer.
+
+## Deployment
+
+To deploy an environment do the following:
+
+1) activate the target cluster's context using
+
+```shell
+kubectl config use-context $ENV_CONTEXT
+```
+
+2) apply the kustomized manifest files
+
+```shell
+kubectl apply -k $ENV_DIR
+```
+
+To delete the stack call
+
+```shell
+kubectl delete -k $ENV_DIR
+```

k8s/base/00-clair-berlin-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: clair-berlin

k8s/base/11-db-pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: db-data
+  namespace: clair-berlin
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi

k8s/base/12-db-service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: db
+  namespace: clair-berlin
+spec:
+  selector:
+    app: db
+  ports:
+    - port: 5432

k8s/base/13-db-deployment.yaml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: db
+  name: db
+  namespace: clair-berlin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: db
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: db
+    spec:
+      containers:
+        - env:
+            - name: POSTGRES_DB
+              valueFrom:
+                configMapKeyRef:
+                  name: clair-config-map
+                  key: SQL_DATABASE
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: db-secret
+                  key: sql-password.txt
+            - name: POSTGRES_USER
+              valueFrom:
+                configMapKeyRef:
+                  name: clair-config-map
+                  key: SQL_USER
+          image: postgres:13.1
+          name: db
+          resources: {}
+          volumeMounts:
+            - mountPath: /var/lib/postgresql
+              name: db-data
+      restartPolicy: Always
+      volumes:
+        - name: db-data
+          persistentVolumeClaim:
+            claimName: db-data

k8s/base/22-redis-service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+  namespace: clair-berlin
+spec:
+  selector:
+    app: redis
+  ports:
+    - port: 6379

k8s/base/23-redis-deployment.yaml

@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: redis
+  name: redis
+  namespace: clair-berlin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+        - image: redis:6.0.9
+          name: redis
+          resources: {}
+      restartPolicy: Always

k8s/base/32-ingestair-service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ingestair
+  namespace: clair-berlin
+spec:
+  selector:
+    app: ingestair
+  ports:
+    - port: 8888

k8s/base/33-ingestair-deployment.yaml

@@ -0,0 +1,125 @@
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: ingestair
+  name: ingestair
+  namespace: clair-berlin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ingestair
+  strategy: {}
+  template:
+    metadata:
+      labels:
+        app: ingestair
+    spec:
+      containers:
+        - args:
+            - python
+            - manage.py
+            - runserver
+            - 0.0.0.0:8888
+          env:
+            - name: SECRET_KEY_FILE
+              value: "/var/secrets/ingestair-secret/ingestair-secret-key.txt"
+            - name: SENTRY
+              value: "0"
+            - name: SENTRY_URL_FILE
+              value: "/var/secrets/ingestair-secret/sentry-url.txt"
+            - name: DEBUG
+              value: "0"
+            - name: DJANGO_LOG_LEVEL
+              valueFrom:
+                configMapKeyRef:
+                  name: clair-config-map
+                  key: DJANGO_LOG_LEVEL
+            - name: DJANGO_DB_LOG_LEVEL
+              valueFrom:
+                configMapKeyRef:
+                  name: clair-config-map
+                  key: DJANGO_DB_LOG_LEVEL
+            - name: LOG_LEVEL
+              valueFrom:
+                configMapKeyRef:
+                  name: clair-config-map
+                  key: LOG_LEVEL
+            - name: SQL_ENGINE
+              value: "django.db.backends.postgresql"
+            - name: SQL_HOST
+              value: "db"
+            - name: SQL_PORT
+              value: "5432"
+            - name: SQL_DATABASE
+              valueFrom:
+                configMapKeyRef:
+                  name: clair-config-map
+                  key: SQL_DATABASE
+            - name: SQL_USER
+              valueFrom:
+                configMapKeyRef:
+                  name: clair-config-map
+                  key: SQL_USER
+            - name: SQL_PASSWORD_FILE
+              value: "/var/secrets/ingestair-secret/sql-password.txt"
+          # XXX why doesn't this work?
+          # - name: SQL_PASSWORD
+          #   valueFrom:
+          #     secretKeyRef:
+          #       name: sql-password
+          #       key: sql-password
+            - name: DATABASE
+              value: "postgresql"
+            - name: DB_MIGRATE
+              valueFrom:
+                configMapKeyRef:
+                  name: clair-config-map
+                  key: INGESTAIR_DB_MIGRATE
+            - name: COLLECT_STATIC_FILES
+              value: "false"
+            - name: NODE_FIDELITY
+              value: "1"
+            - name: DJANGO_ALLOWED_HOSTS
+              value: " ingestair localhost 127.0.0.1 [::1]"
+            - name: EMAIL_HOST
+              valueFrom:
+                configMapKeyRef:
+                  name: clair-config-map
+                  key: EMAIL_HOST
+            - name: EMAIL_PORT
+              valueFrom:
+                configMapKeyRef:
+                  name: clair-config-map
+                  key: EMAIL_PORT
+            - name: EMAIL_HOST_USER
+              valueFrom:
+                configMapKeyRef:
+                  name: clair-config-map
+                  key: EMAIL_HOST_USER
+            - name: EMAIL_HOST_PASSWORD_FILE
+              value: "/var/secrets/ingestair-secret/smtp-password.txt"
+            - name: EMAIL_USE_TLS
+              valueFrom:
+                configMapKeyRef:
+                  name: clair-config-map
+                  key: EMAIL_USE_TLS
+            - name: DEFAULT_FROM_EMAIL
+              valueFrom:
+                configMapKeyRef:
+                  name: clair-config-map
+                  key: DEFAULT_FROM_EMAIL
+          image: clairberlin/managair:0.6.5
+          name: ingestair-server
+          resources: {}
+          volumeMounts:
+            - mountPath: "/var/secrets/ingestair-secret"
+              name: ingestair-secret
+              readOnly: true
+      restartPolicy: Always
+      volumes:
+        - name: ingestair-secret
+          secret:
+            secretName: ingestair-secret

k8s/base/42-managair-service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: managair-server
+  namespace: clair-berlin
+spec:
+  selector:
+    app: managair-server
+  ports:
+    - port: 8888