
wip

pull/1/head
Nicolas Massé 3 years ago
parent
commit
1e38eeb6bb
  1. 16
      README.md
  2. 5
      fruits-chart/Chart.yaml
  3. 6
      fruits-chart/templates/database-operator.yaml
  4. 160
      fruits-chart/templates/database-vm.yaml
  5. 59
      fruits-chart/templates/deployment.yaml
  6. 20
      fruits-chart/templates/route.yaml
  7. 23
      fruits-chart/templates/service.yaml
  8. 15
      fruits-chart/templates/servicebinding.yaml
  9. 2
      fruits-chart/values.yaml
  10. 14
      infrastructure/templates/crunchy.yaml
  11. 47
      infrastructure/templates/fruits-dev.yaml
  12. 10
      infrastructure/templates/helmchartrepository.yaml
  13. 14
      infrastructure/templates/servicebinding.yaml
  14. 4
      kustomize/postgres/kustomization.yaml

16
README.md

@ -58,14 +58,10 @@ aws s3api put-bucket-policy --bucket mad-roadshow-france-2023-helm-charts --poli
}' }'
rclone config rclone config
rclone ls aws:mad-roadshow-france-2023-helm-charts rclone ls aws:mad-roadshow-france-2023-helm-charts
mkdir -p /tmp/mad-roadshow-france-2023-helm-charts
helm package -d /tmp/mad-roadshow-france-2023-helm-charts fruits-chart
helm repo index --url "https://mad-roadshow-france-2023-helm-charts.s3.eu-west-3.amazonaws.com/" "/tmp/mad-roadshow-france-2023-helm-charts"
rclone sync --delete-after /tmp/mad-roadshow-france-2023-helm-charts aws:mad-roadshow-france-2023-helm-charts
rclone ls aws:mad-roadshow-france-2023-helm-charts
curl https://mad-roadshow-france-2023-helm-charts.s3.eu-west-3.amazonaws.com/index.yaml
``` ```
## Deploy Postgres CrunchyDB
1. Create a namespace ***preprod-database***
2. Install the crunchyDB operator
3. run oc apply -k kustomize/postgres
More details here : https://access.crunchydata.com/documentation/postgres-operator/5.3.1/quickstart/

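--- a/fruits-chart/Chart.yaml
+++ b/fruits-chart/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: fruits-app
+type: application
+version: 0.0.1
+appVersion: "0.0.1"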
6
kustomize/postgres/postgres.yaml → fruits-chart/templates/database-operator.yaml

@ -1,10 +1,11 @@
{{ if eq .Values.db.deployment "operator" }}
apiVersion: postgres-operator.crunchydata.com/v1beta1 apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PostgresCluster kind: PostgresCluster
metadata: metadata:
name: hippo name: hippo
spec: spec:
image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.2-0 image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.7-0
postgresVersion: 15 postgresVersion: 14
instances: instances:
- name: instance1 - name: instance1
dataVolumeClaimSpec: dataVolumeClaimSpec:
@ -25,3 +26,4 @@ spec:
resources: resources:
requests: requests:
storage: 1Gi storage: 1Gi
{{ end }}
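Review bot: The `{{ if eq .Values.db.deployment "operator" }}` guard on the first line has no counterpart that rejects other values, so a typo in `db.deployment` renders neither this PostgresCluster nor database-vm.yaml and leaves the two `{{ if }}` blocks in deployment.yaml's env list empty, while `helm install` still reports success. A single guard in one template, e.g. `{{- if not (has .Values.db.deployment (list "operator" "vm")) }}{{ fail (printf "db.deployment must be operator or vm, got %q" .Values.db.deployment) }}{{- end }}`, turns that into an install-time error. The cluster name `hippo` is also repeated verbatim in fruits-chart/templates/servicebinding.yaml; a value such as `.Values.db.clusterName` used in both places keeps the ServiceBinding from silently pointing at a cluster that no longer exists when one copy is edited.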

160
fruits-chart/templates/database-vm.yaml

@ -0,0 +1,160 @@
{{ if eq .Values.db.deployment "vm" }}
apiVersion: v1
kind: Secret
metadata:
name: database-cloudinit
type: Opaque
stringData:
userData: |
#cloud-config
users:
- name: nicolas
gecos: Nicolas MASSE
groups: wheel
lock_passwd: false
passwd: $6$XUTB20jVVXIqh78k$L1A9Lft5JlbOtNbeDP.fOZ5giLl09LfJGGCon5uwtsIhPJoNkj4SIk08Rb6vSowOps2ik5tlUwT2ZOZ6jjr7.0
ssh_authorized_keys:
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR1tt58X0+vbvsCR12gMAqr+g7vjt1Fx/qqz9EiboIs nicolas@localhost.localdomain
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFW62WJXI1ZCMfNA4w0dMpL0fsldhbEfULNGIUB0nQui nmasse@localhost.localdomain
write_files:
- path: /etc/sudoers
content: |
Defaults !visiblepw
Defaults always_set_home
Defaults match_group_by_gid
Defaults always_query_group_plugin
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/var/lib/snapd/snap/bin
root ALL=(ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
#includedir /etc/sudoers.d
permissions: '0440'
append: false
- path: /root/bootstrap.sh
content: |
#!/bin/bash
set -Eeuo pipefail
PGSETUP_INITDB_OPTIONS=--auth-host=scram-sha-256 postgresql-setup --initdb --unit postgresql
sed -i.bak -E "s/^#*\s*listen_addresses\s*=\s*'[^']*'/listen_addresses = '0.0.0.0'/" /var/lib/pgsql/data/postgresql.conf
cat >> /var/lib/pgsql/data/pg_hba.conf <<EOF
host all all 0.0.0.0/0 scram-sha-256
EOF
systemctl start postgresql.service
systemctl enable postgresql.service
cd /tmp
sudo -u postgres psql -c "CREATE USER appli WITH ENCRYPTED PASSWORD 'secret'"
sudo -u postgres psql -c "CREATE DATABASE appli OWNER 'appli';"
permissions: '0755'
packages:
- postgresql-server
runcmd:
- [ "/root/bootstrap.sh" ]
---
apiVersion: kubevirt.io/v1
kind: VirtualMachine
metadata:
labels:
app: database
name: database
spec:
dataVolumeTemplates:
- apiVersion: cdi.kubevirt.io/v1beta1
kind: DataVolume
metadata:
creationTimestamp: null
name: database
spec:
source:
http:
url: https://download.fedoraproject.org/pub/fedora/linux/releases/38/Cloud/x86_64/images/Fedora-Cloud-Base-38-1.6.x86_64.qcow2
pvc:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 6Gi
runStrategy: Always
template:
metadata:
annotations:
vm.kubevirt.io/flavor: small
vm.kubevirt.io/os: fedora
vm.kubevirt.io/workload: server
creationTimestamp: null
labels:
kubevirt.io/domain: database
kubevirt.io/size: small
spec:
domain:
cpu:
cores: 2
sockets: 1
threads: 1
devices:
disks:
- disk:
bus: virtio
name: rootdisk
- disk:
bus: virtio
name: cloudinitdisk
interfaces:
- macAddress: '02:cd:c9:00:00:00'
masquerade: {}
name: default
networkInterfaceMultiqueue: true
rng: {}
features:
acpi: {}
smm:
enabled: true
firmware:
bootloader:
efi: {}
machine:
type: pc-q35-rhel8.4.0
resources:
requests:
memory: 2Gi
evictionStrategy: LiveMigrate
networks:
- name: default
pod: {}
terminationGracePeriodSeconds: 180
volumes:
- dataVolume:
name: database
name: rootdisk
- cloudInitNoCloud:
secretRef:
name: database-cloudinit
name: cloudinitdisk
---
apiVersion: v1
kind: Service
metadata:
name: database
spec:
ports:
- name: ssh
port: 22
protocol: TCP
targetPort: 22
- name: psql
port: 5432
protocol: TCP
targetPort: 5432
selector:
kubevirt.io/domain: database
type: ClusterIP
{{ end }}
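Review bot: The cloud-init Secret commits a complete set of credentials into the chart: a `passwd` hash with `lock_passwd: false` for user nicolas, two personal SSH public keys, `%wheel ALL=(ALL) NOPASSWD: ALL` in /etc/sudoers, and a database password `'secret'` in /root/bootstrap.sh that deployment.yaml repeats in clear text as `QUARKUS_DATASOURCE_PASSWORD`. Anyone who can install or read the chart holds a root-equivalent login to the database VM, and the Service at the end of the file publishes that login cluster-wide by exposing port 22 next to 5432. The database password should be supplied through values or a pre-existing Secret and consumed by both the bootstrap script and the Deployment via `secretKeyRef`; the interactive account should be `lock_passwd: true` with keys supplied through values rather than hard-coded; and the `ssh` port entry should be removed from the Service unless it is genuinely needed. The `pg_hba.conf` line `host all all 0.0.0.0/0 scram-sha-256` could likewise be narrowed to the cluster's pod CIDR.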

59
fruits-chart/templates/deployment.yaml

@ -0,0 +1,59 @@
kind: Deployment
apiVersion: apps/v1
metadata:
name: fruits
labels:
app: fruits
app.kubernetes.io/component: fruits
app.kubernetes.io/instance: fruits
app.kubernetes.io/name: fruits
spec:
replicas: 1
selector:
matchLabels:
deployment: fruits
template:
metadata:
creationTimestamp: null
labels:
deployment: fruits
spec:
containers:
- resources: {}
terminationMessagePath: /dev/termination-log
name: fruits
env:
{{ if eq .Values.db.deployment "vm" }}
- name: QUARKUS_DATASOURCE_USERNAME
value: appli
- name: QUARKUS_DATASOURCE_PASSWORD
value: secret
- name: QUARKUS_DATASOURCE_JDBC_URL
value: jdbc:postgresql://database:5432/appli
- name: QUARKUS_HIBERNATE_ORM_SQL_LOAD_SCRIPT
value: import-prod.sql
{{ end }}
{{ if eq .Values.db.deployment "operator" }}
- name: QUARKUS_HIBERNATE_ORM_SQL_LOAD_SCRIPT
value: import-test.sql
{{ end }}
ports:
- containerPort: 8443
protocol: TCP
- containerPort: 8080
protocol: TCP
imagePullPolicy: Always
terminationMessagePolicy: File
image: image-registry.openshift-image-registry.svc:5000/fruits-dev/fruits:latest
restartPolicy: Always
terminationGracePeriodSeconds: 30
dnsPolicy: ClusterFirst
securityContext: {}
schedulerName: default-scheduler
strategy:
type: RollingUpdate
rollingUpdate:
maxUnavailable: 25%
maxSurge: 25%
revisionHistoryLimit: 10
progressDeadlineSeconds: 600
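Review bot: `image: image-registry.openshift-image-registry.svc:5000/fruits-dev/fruits:latest` together with `imagePullPolicy: Always` pins nothing: every pod restart pulls whatever `latest` currently resolves to, so a release does not record which build it ran and a rollback is not reproducible. Parameterising the reference, e.g. `image: {{ .Values.image.repository }}:{{ .Values.image.tag }}` (or a digest), lets the pipeline promote a specific build. `resources: {}` and `securityContext: {}` on the container also leave it without limits or a restricted profile; defaults for `resources.limits` and `securityContext.allowPrivilegeEscalation: false` belong in values.yaml.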

20
fruits-chart/templates/route.yaml

@ -0,0 +1,20 @@
kind: Route
apiVersion: route.openshift.io/v1
metadata:
name: fruits
labels:
app: fruits
app.kubernetes.io/component: fruits
app.kubernetes.io/instance: fruits
app.kubernetes.io/name: fruits
spec:
to:
kind: Service
name: fruits
weight: 100
port:
targetPort: 8080-tcp
tls:
termination: edge
insecureEdgeTerminationPolicy: Allow
wildcardPolicy: None
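Review bot: `insecureEdgeTerminationPolicy: Allow` in the `tls` stanza keeps the route answering plain HTTP alongside the edge-terminated HTTPS, so the application is reachable without TLS. Unless a plaintext client is expected, `insecureEdgeTerminationPolicy: Redirect` forces HTTP to HTTPS while keeping edge termination.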

23
fruits-chart/templates/service.yaml

@ -0,0 +1,23 @@
kind: Service
apiVersion: v1
metadata:
name: fruits
labels:
app: fruits
app.kubernetes.io/component: fruits
app.kubernetes.io/instance: fruits
app.kubernetes.io/name: fruits
spec:
ports:
- name: 8080-tcp
protocol: TCP
port: 8080
targetPort: 8080
- name: 8443-tcp
protocol: TCP
port: 8443
targetPort: 8443
type: ClusterIP
sessionAffinity: None
selector:
deployment: fruits

15
fruits-chart/templates/servicebinding.yaml

@ -0,0 +1,15 @@
{{ if eq .Values.db.deployment "operator" }}
apiVersion: servicebinding.io/v1beta1
kind: ServiceBinding
metadata:
name: fruits
spec:
workload:
apiVersion: apps/v1
kind: Deployment
name: fruits
service:
apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PostgresCluster
name: hippo
{{ end }}

2
fruits-chart/values.yaml

@ -0,0 +1,2 @@
db:
deployment: operator # or vm

14
infrastructure/templates/crunchy.yaml

@ -0,0 +1,14 @@
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
annotations:
argocd.argoproj.io/sync-wave: "10"
name: crunchy-postgres-operator
namespace: openshift-operators
spec:
channel: v5
installPlanApproval: Automatic
name: crunchy-postgres-operator
source: certified-operators
sourceNamespace: openshift-marketplace
startingCSV: postgresoperator.v5.3.0
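Review bot: `installPlanApproval: Automatic` with `startingCSV: postgresoperator.v5.3.0` only fixes the first install; once the Subscription exists, OLM applies every later CSV published on channel `v5` without review, so the operator that owns the PostgresCluster resources can change outside of what ArgoCD tracks. If the intent is to pin the version, `installPlanApproval: Manual` (with an explicit approval step) makes upgrades deliberate. The same pattern appears in infrastructure/templates/servicebinding.yaml for `service-binding-operator.v1.3.3`.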

47
infrastructure/templates/fruits-dev.yaml

@ -65,6 +65,38 @@ subjects:
name: stackrox-hook name: stackrox-hook
namespace: stackrox namespace: stackrox
--- ---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
argocd.argoproj.io/sync-wave: "20"
name: test-can-pull
namespace: fruits-dev
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:image-puller
subjects:
- kind: ServiceAccount
name: default
namespace: fruits-test
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
argocd.argoproj.io/sync-wave: "20"
name: prod-can-pull
namespace: fruits-dev
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:image-puller
subjects:
- kind: ServiceAccount
name: default
namespace: fruits-prod
---
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
@ -233,7 +265,7 @@ spec:
- name: deploy-in-test - name: deploy-in-test
params: params:
- name: SCRIPT - name: SCRIPT
value: oc rollout status deploy/$(params.APP_NAME) -n test value: oc delete pods -l deployment=$(params.APP_NAME) -n fruits-test
runAfter: runAfter:
- build - build
taskRef: taskRef:
@ -254,7 +286,7 @@ spec:
- name: deploy-in-prod - name: deploy-in-prod
params: params:
- name: SCRIPT - name: SCRIPT
value: oc rollout status deploy/$(params.APP_NAME) -n prod value: oc delete pods -l deployment=$(params.APP_NAME) -n fruits-prod
runAfter: runAfter:
- slack-approval - slack-approval
taskRef: taskRef:
@ -263,3 +295,14 @@ spec:
workspaces: workspaces:
- name: workspace - name: workspace
---
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
annotations:
argocd.argoproj.io/sync-wave: "20"
name: fruits
namespace: fruits-dev
spec:
lookupPolicy:
local: false
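Review bot: In the `deploy-in-test` and `deploy-in-prod` tasks, replacing `oc rollout status deploy/$(params.APP_NAME) -n test` with `oc delete pods -l deployment=$(params.APP_NAME) -n fruits-test` (and its prod counterpart) removes the only step that waited for the new pods to become ready, so a task named deploy now succeeds the moment the old pods are gone even if the replacements crash-loop. Keeping the wait, `oc delete pods -l deployment=$(params.APP_NAME) -n fruits-test && oc rollout status deploy/$(params.APP_NAME) -n fruits-test`, restores that signal in both tasks. The two new RoleBindings in the first hunk also grant `system:image-puller` to the `default` ServiceAccount of fruits-test and fruits-prod, which is every pod in those namespaces; a dedicated ServiceAccount for the fruits Deployment keeps the pull grant limited to the workload that needs it. The Pipeline these tasks belong to starts before and ends after the visible hunks.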

10
infrastructure/templates/helmchartrepository.yaml

@ -0,0 +1,10 @@
apiVersion: helm.openshift.io/v1beta1
kind: HelmChartRepository
metadata:
annotations:
argocd.argoproj.io/sync-wave: "20"
name: fruits-charts
spec:
name: fruits-charts
connectionConfig:
url: https://mad-roadshow-france-2023-helm-charts.s3.eu-west-3.amazonaws.com

14
infrastructure/templates/servicebinding.yaml

@ -0,0 +1,14 @@
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
annotations:
argocd.argoproj.io/sync-wave: "10"
name: rh-service-binding-operator
namespace: openshift-operators
spec:
channel: stable
installPlanApproval: Automatic
name: rh-service-binding-operator
source: redhat-operators
sourceNamespace: openshift-marketplace
startingCSV: service-binding-operator.v1.3.3

4
kustomize/postgres/kustomization.yaml

@ -1,4 +0,0 @@
namespace: postgres-operator
resources:
- postgres.yaml