From 8aed34d87230d9738d9f4b51b5f3909a70214884 Mon Sep 17 00:00:00 2001 
From: Tejas <47889755+0xtejas@users.noreply.github.com> Date: Mon, 21 Oct 2024 15:57:38 +0530 Subject: [PATCH 01/10] Add Kubernetes service configurations for Redis, Postgres, Web, Ollama, and Nginx This commit adds the Kubernetes service configurations for Redis, Postgres, Web, Ollama, and Nginx. These services are essential for the application's functionality and communication within the Kubernetes cluster. Each service is defined with its respective port and targetPort, and is associated with the corresponding app label. The services are created with the necessary metadata and specifications to ensure proper networking and connectivity. The added service configurations include: - Redis service: Exposes port 6379 for Redis communication. - Postgres service: Exposes port 5432 for Postgres communication. - Web service: Exposes port 8000 for the web application. - Ollama service: Exposes port 11434 for the Ollama application. - Nginx service: Exposes ports 80 and 443 for HTTP and HTTPS traffic. These service configurations are crucial for enabling communication between different components of the application and facilitating external access to the services when needed. 
--- k8s/celery-beat/deployment.yml | 79 +++++++++++++++++++++++++++ k8s/celery-beat/pvc.yml | 65 ++++++++++++++++++++++ k8s/celery-beat/service.yml | 12 +++++ k8s/celery/deployment.yml | 66 +++++++++++++++++++++++ k8s/nginx/configmap.yml | 58 ++++++++++++++++++++ k8s/nginx/deployment.yml | 38 +++++++++++++ k8s/nginx/service.yml | 15 ++++++ k8s/ollama/deployment.yml | 28 ++++++++++ k8s/ollama/pvc.yml | 10 ++++ k8s/ollama/service.yml | 14 +++++ k8s/postgres/secret.yml | 11 ++++ k8s/postgres/service.yml | 10 ++++ k8s/postgres/statefulset.yml | 49 +++++++++++++++++ k8s/pvc.yml | 45 ++++++++++++++++ k8s/redis/deployment.yml | 21 ++++++++ k8s/redis/service.yml | 10 ++++ k8s/web/deployment.yml | 98 ++++++++++++++++++++++++++++++++++ k8s/web/secret.yml | 19 +++++++ k8s/web/service.yml | 11 ++++ 19 files changed, 659 insertions(+) create mode 100644 k8s/celery-beat/deployment.yml create mode 100644 k8s/celery-beat/pvc.yml create mode 100644 k8s/celery-beat/service.yml create mode 100644 k8s/celery/deployment.yml create mode 100644 k8s/nginx/configmap.yml create mode 100644 k8s/nginx/deployment.yml create mode 100644 k8s/nginx/service.yml create mode 100644 k8s/ollama/deployment.yml create mode 100644 k8s/ollama/pvc.yml create mode 100644 k8s/ollama/service.yml create mode 100644 k8s/postgres/secret.yml create mode 100644 k8s/postgres/service.yml create mode 100644 k8s/postgres/statefulset.yml create mode 100644 k8s/pvc.yml create mode 100644 k8s/redis/deployment.yml create mode 100644 k8s/redis/service.yml create mode 100644 k8s/web/deployment.yml create mode 100644 k8s/web/secret.yml create mode 100644 k8s/web/service.yml diff --git a/k8s/celery-beat/deployment.yml b/k8s/celery-beat/deployment.yml new file mode 100644 index 000000000..eb403dff9 --- /dev/null +++ b/k8s/celery-beat/deployment.yml 
@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: celery-beat
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: celery-beat
+ template:
+ metadata:
+ labels:
+ app: celery-beat
+ spec:
+ containers:
+ - name: celery-beat
+ image: ghcr.io/0xtejas/rengine/celery-beat:latest
+ command: ["celery", "-A", "reNgine", "beat", "-l", "INFO", "--scheduler", "django_celery_beat.schedulers:DatabaseScheduler"]
+ env:
+ - name: CELERY_BROKER
+ value: redis://redis:6379/0
+ - name: CELERY_BACKEND
+ value: redis://redis:6379/0
+ - name: POSTGRES_DB
+ valueFrom:
+ secretKeyRef:
+ name: db-secret
+ key: POSTGRES_DB
+ - name: POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ name: db-secret
+ key: POSTGRES_USER
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: db-secret
+ key: POSTGRES_PASSWORD
+ - name: POSTGRES_HOST
+ value: db # Name of the PostgreSQL service
+ - name: POSTGRES_PORT
+ value: "5432"
+ volumeMounts:
+ - name: github-repos
+ mountPath: /usr/src/github
+ - name: wordlist
+ mountPath: /usr/src/wordlist
+ - name: scan-results
+ mountPath: /usr/src/scan_results
+ - name: gf-patterns
+ mountPath: /root/.gf
+ - name: nuclei-templates
+ mountPath: /root/nuclei-templates
+ - name: tool-config
+ mountPath: /root/.config
+ - name: shared-data
+ mountPath: /usr/src/app
+ volumes:
+ - name: github-repos
+ persistentVolumeClaim:
+ claimName: github-repos-pvc
+ - name: wordlist
+ persistentVolumeClaim:
+ claimName: wordlist-pvc
+ - name: scan-results
+ persistentVolumeClaim:
+ claimName: scan-results-pvc
+ - name: gf-patterns
+ persistentVolumeClaim:
+ claimName: gf-patterns-pvc
+ - name: nuclei-templates
+ persistentVolumeClaim:
+ claimName: nuclei-templates-pvc
+ - name: tool-config
+ persistentVolumeClaim:
+ claimName: tool-config-pvc
+ - name: shared-data
+ persistentVolumeClaim:
+ claimName: shared-data-pvc
\ No newline at end of file
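Review bot: The container image is referenced by the mutable tag `ghcr.io/0xtejas/rengine/celery-beat:latest`, so what actually runs can change between pod restarts without any change to this manifest; pin it to a release tag or a digest (`image: ghcr.io/0xtejas/rengine/celery-beat@sha256:<digest>`). The same applies to the `:latest` and `:alpine` tags in the celery, nginx, ollama, redis and web manifests of this patch. The pod also sets no `securityContext`, and the mounts under `/root` suggest the process runs as root; if the image allows it, add `allowPrivilegeEscalation: false` and a non-root user, otherwise say in a comment why root is required.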
diff --git a/k8s/celery-beat/pvc.yml b/k8s/celery-beat/pvc.yml new file mode 100644 index 000000000..a09a0362f --- /dev/null +++ b/k8s/celery-beat/pvc.yml @@ -0,0 +1,65 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: github-repos-pvc +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: wordlist-pvc +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: scan-results-pvc +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: gf-patterns-pvc +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nuclei-templates-pvc +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: tool-config-pvc +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi diff --git a/k8s/celery-beat/service.yml b/k8s/celery-beat/service.yml new file mode 100644 index 000000000..5ae0621a6 --- /dev/null +++ b/k8s/celery-beat/service.yml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: celery-beat +spec: + selector: + app: celery-beat + ports: + - protocol: TCP + port: 5672 # Default Celery port (adjust as necessary) + targetPort: 5672 + type: ClusterIP # Change to NodePort or LoadBalancer if needed diff --git a/k8s/celery/deployment.yml b/k8s/celery/deployment.yml new file mode 100644 index 000000000..d9dc0759a --- /dev/null +++ b/k8s/celery/deployment.yml 
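Review bot: In k8s/celery-beat/service.yml the Service publishes port 5672, but the celery-beat container in this patch declares no ports and its broker is `redis://redis:6379/0`; 5672 is the AMQP (RabbitMQ) port, not something the beat scheduler is shown to listen on. Unless the image really binds that port, drop this Service: a Service with no listener behind it is dead configuration, and the `# Change to NodePort or LoadBalancer if needed` hint invites exposing it. If it has to stay, replace `# Default Celery port (adjust as necessary)` with a comment naming what is expected to listen there.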
@@ -0,0 +1,66 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: celery +spec: + replicas: 1 + selector: + matchLabels: + app: celery + template: + metadata: + labels: + app: celery + spec: + containers: + - name: celery + image: ghcr.io/0xtejas/rengine/celery:latest + command: ["/bin/bash", "-c", "/usr/src/app/celery-entrypoint.sh"] + env: + - name: DEBUG + value: "0" + - name: CELERY_BROKER + value: redis://redis:6379/0 + - name: CELERY_BACKEND + value: redis://redis:6379/0 + - name: DOMAIN_NAME + valueFrom: + secretKeyRef: + name: db-secret + key: DOMAIN_NAME + - name: POSTGRES_DB + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_DB + - name: POSTGRES_PORT + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_PORT + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_USER + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_PASSWORD + - name: POSTGRES_HOST + value: db + volumeMounts: + - mountPath: /usr/src/app + name: shared-data + resources: + requests: + memory: "2Gi" + cpu: "600m" + limits: + memory: "2.5Gi" + cpu: "1.5" + volumes: + - name: shared-data + persistentVolumeClaim: + claimName: shared-data-pvc \ No newline at end of file diff --git a/k8s/nginx/configmap.yml b/k8s/nginx/configmap.yml new file mode 100644 index 000000000..556f47f87 --- /dev/null +++ b/k8s/nginx/configmap.yml 
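Review bot: The worker pod mounts only `shared-data`, while the celery-beat pod in this patch mounts `scan-results`, `wordlist`, `nuclei-templates`, `gf-patterns`, `tool-config` and `github-repos`. Presumably the worker is the process that writes scan results and reads tool configuration; if so, its output lands in the container's ephemeral filesystem and is lost on restart. Those six claims are `ReadWriteOnce`, so they cannot simply be added to a second pod that may schedule on another node. Worth confirming which pod needs each volume and recording it in a comment above `volumeMounts`.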
@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nginx-config
+data:
+ rengine.conf: |
+ server {
+ listen 80;
+ listen [::]:80;
+ server_name rengine recon;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+ server_name rengine recon;
+
+ charset utf-8;
+ keepalive_timeout 70;
+
+ client_max_body_size 800M;
+
+ location / {
+ proxy_read_timeout 300;
+ proxy_connect_timeout 300;
+ proxy_redirect off;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_pass http://rengine:8000/;
+ }
+
+ location /staticfiles/ {
+ alias /usr/src/app/staticfiles/;
+ }
+
+ location /protected_media/ {
+ internal;
+ alias /usr/src/scan_results/;
+ autoindex off;
+ }
+
+ ssl_protocols TLSv1.2;
+ ssl_certificate /etc/nginx/certs/rengine.pem;
+ ssl_certificate_key /etc/nginx/certs/rengine_rsa.key;
+ ssl_trusted_certificate /etc/nginx/certs/rengine_chain.pem;
+
+ ssl_ciphers '!EDH:!EXP:!SHA:!DSS:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256';
+ ssl_prefer_server_ciphers on;
+ ssl_ecdh_curve secp384r1:X25519:prime256v1;
+
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 5m;
+ ssl_session_tickets off;
+ }
\ No newline at end of file
diff --git a/k8s/nginx/deployment.yml b/k8s/nginx/deployment.yml
new file mode 100644
index 000000000..5f01503ec
--- /dev/null
+++ b/k8s/nginx/deployment.yml
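Review bot: `ssl_protocols TLSv1.2;` leaves TLS 1.3 disabled, and the `ssl_ciphers` list only governs TLS 1.2; `ssl_protocols TLSv1.2 TLSv1.3;` keeps the same floor and lets current clients negotiate 1.3. `ssl_trusted_certificate` is set but no `ssl_stapling on;` / `ssl_stapling_verify on;` appears, so the chain file has no visible use as written. A one-line comment above `client_max_body_size 800M;` naming the upload that needs that size would help, since the limit applies to every path proxied to the app.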
@@ -0,0 +1,38 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nginx +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + template: + metadata: + labels: + app: nginx + spec: + containers: + - name: nginx + image: nginx:alpine + volumeMounts: + - name: nginx-config-volume + mountPath: /etc/nginx/conf.d/rengine.conf + subPath: rengine.conf + - name: certs + mountPath: /etc/nginx/certs + - name: static-files + mountPath: /usr/src/app/staticfiles + ports: + - containerPort: 8082 + - containerPort: 443 + volumes: + - name: nginx-config-volume + configMap: + name: nginx-config + - name: certs + secret: + secretName: nginx-certificates + - name: static-files + persistentVolumeClaim: + claimName: static-pvc \ No newline at end of file diff --git a/k8s/nginx/service.yml b/k8s/nginx/service.yml new file mode 100644 index 000000000..af38aef77 --- /dev/null +++ b/k8s/nginx/service.yml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: nginx +spec: + type: LoadBalancer + selector: + app: nginx + ports: + - name: http + port: 80 + targetPort: 80 + - name: https + port: 443 + targetPort: 443 \ No newline at end of file diff --git a/k8s/ollama/deployment.yml b/k8s/ollama/deployment.yml new file mode 100644 index 000000000..8e131f248 --- /dev/null +++ b/k8s/ollama/deployment.yml @@ -0,0 +1,28 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ollama + labels: + app: ollama +spec: + replicas: 1 + selector: + matchLabels: + app: ollama + template: + metadata: + labels: + app: ollama + spec: + containers: + - name: ollama + image: ollama/ollama:latest # Using the image from docker-compose + ports: + - containerPort: 11434 # Port used inside the container + volumeMounts: + - name: ollama-data + mountPath: /root/.ollama # Same mount path as in docker-compose + volumes: + - name: ollama-data + persistentVolumeClaim: + claimName: ollama-pvc diff --git a/k8s/ollama/pvc.yml b/k8s/ollama/pvc.yml new file mode 100644 index 000000000..2bdbbdeaa 
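Review bot: In k8s/nginx/deployment.yml the pod mounts the config, the certs and `static-files`, but nothing at `/usr/src/scan_results`, which the `/protected_media/` location in the ConfigMap aliases; as written those internal redirects would resolve to an empty directory inside the nginx container. If scan results are meant to be served through nginx, mount the results volume there with `readOnly: true` so the proxy can read but not alter them. The `static-files` mount can be `readOnly: true` as well, since nginx only serves from it.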
--- /dev/null
+++ b/k8s/ollama/pvc.yml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: ollama-pvc
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi # Adjust storage size as needed
diff --git a/k8s/ollama/service.yml b/k8s/ollama/service.yml
new file mode 100644
index 000000000..cf0d4be19
--- /dev/null
+++ b/k8s/ollama/service.yml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: ollama
+ labels:
+ app: ollama
+spec:
+ selector:
+ app: ollama
+ ports:
+ - protocol: TCP
+ port: 11434 # Service port exposed
+ targetPort: 11434 # Port in the container
+ type: ClusterIP # Or LoadBalancer if you need external access
diff --git a/k8s/postgres/secret.yml b/k8s/postgres/secret.yml
new file mode 100644
index 000000000..abe6849d1
--- /dev/null
+++ b/k8s/postgres/secret.yml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: db-secret
+type: Opaque
+data:
+ POSTGRES_DB: cmVuZ2luZQ==
+ POSTGRES_USER: cmVuZ2luZQ==
+ POSTGRES_PASSWORD: aEUyYTVASyY5bkVZMWZ6Z0E2WA==
+ POSTGRES_PORT: NTQzMg==
+ DOMAIN_NAME: cmVuZ2luZS5leGFtcGxlLmNvbQ==
\ No newline at end of file
diff --git a/k8s/postgres/service.yml b/k8s/postgres/service.yml
new file mode 100644
index 000000000..41f82a20c
--- /dev/null
+++ b/k8s/postgres/service.yml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: db
+spec:
+ ports:
+ - port: 5432
+ targetPort: 5432
+ selector:
+ app: postgres
\ No newline at end of file
diff --git a/k8s/postgres/statefulset.yml b/k8s/postgres/statefulset.yml
new file mode 100644
index 000000000..8e1c7f3c8
--- /dev/null
+++ b/k8s/postgres/statefulset.yml
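Review bot: In k8s/ollama/service.yml the comment `# Or LoadBalancer if you need external access` needs a caveat: Ollama's HTTP API has no authentication of its own, so changing the type exposes model management and inference to anyone who can reach the address. Suggested wording: `type: ClusterIP  # keep internal; the Ollama API is unauthenticated, front it with an authenticating proxy before exposing it`. Inside the cluster, a NetworkPolicy limiting port 11434 to the pods that call it would narrow access further.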
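Review bot: k8s/postgres/secret.yml commits the database password under `data:`; base64 is an encoding, not protection, so anyone who can read the repository or its history has the credential. The same applies to `DJANGO_SUPERUSER_PASSWORD` and the `nginx-certificates` key material in k8s/web/secret.yml later in this patch. Ship the manifest with placeholder values and create the Secret out of band (`kubectl create secret generic db-secret --from-literal=...`, or a sealed or external secret), and treat the committed values as compromised: rotate them on any cluster that applied these files. `POSTGRES_PORT` and `DOMAIN_NAME` are not secrets and fit better in a ConfigMap.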
@@ -0,0 +1,49 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: postgres +spec: + selector: + matchLabels: + app: postgres + serviceName: postgres + replicas: 1 + template: + metadata: + labels: + app: postgres + spec: + containers: + - name: postgres + image: "postgres:12.3-alpine" + env: + - name: POSTGRES_DB + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_DB + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_USER + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_PASSWORD + - name: PGDATA + value: /var/lib/postgresql/data/pgdata # Specify a subdirectory here + ports: + - containerPort: 5432 + volumeMounts: + - mountPath: /var/lib/postgresql/data # Volume mount path remains the same + name: postgres-storage + volumeClaimTemplates: + - metadata: + name: postgres-storage + spec: + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 5Gi diff --git a/k8s/pvc.yml b/k8s/pvc.yml new file mode 100644 index 000000000..94220b6aa --- /dev/null +++ b/k8s/pvc.yml @@ -0,0 +1,45 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: nfs-rwx-storage +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 5Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: web-pvc +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 5Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: shared-data-pvc +spec: + storageClassName: nfs-rwx-storage + accessModes: + - ReadWriteMany + resources: + requests: + storage: 5Gi +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: static-pvc +spec: + storageClassName: nfs-rwx-storage + accessModes: + - ReadWriteMany + resources: + requests: + storage: 5Gi diff --git a/k8s/redis/deployment.yml b/k8s/redis/deployment.yml new file mode 100644 index 000000000..e9b4b018b --- /dev/null +++ b/k8s/redis/deployment.yml 
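Review bot: In k8s/postgres/statefulset.yml, `serviceName: postgres` names a governing Service that this patch does not create; the only Service selecting these pods is `db` in k8s/postgres/service.yml, and it is not headless. Either set `serviceName: db` or add a headless `postgres` Service so the StatefulSet's stable pod DNS name actually resolves. Separately, `postgres:12.3-alpine` pins an early patch release of the 12 series; moving to the current minor of a supported major picks up the security fixes published since, and a comment next to the tag should record why a given version is pinned.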
@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: redis
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: redis
+ template:
+ metadata:
+ labels:
+ app: redis
+ spec:
+ containers:
+ - name: redis
+ image: redis:alpine
+ ports:
+ - containerPort: 6379
+---
+
diff --git a/k8s/redis/service.yml b/k8s/redis/service.yml
new file mode 100644
index 000000000..db7772346
--- /dev/null
+++ b/k8s/redis/service.yml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: redis
+spec:
+ ports:
+ - port: 6379
+ targetPort: 6379
+ selector:
+ app: redis
\ No newline at end of file
diff --git a/k8s/web/deployment.yml b/k8s/web/deployment.yml
new file mode 100644
index 000000000..c12387b8a
--- /dev/null
+++ b/k8s/web/deployment.yml
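Review bot: Redis in k8s/redis/deployment.yml starts with the image defaults, so it accepts unauthenticated connections from any pod that can reach the `redis` Service, and it is the Celery broker and result backend for web, celery and celery-beat. Whoever can write to the broker can queue work for the workers, so it deserves the same protection as the database: set a password (`args: ["--requirepass", "$(REDIS_PASSWORD)"]` with the value taken from a Secret, and matching `redis://:<password>@redis:6379/0` URLs in the clients) and add a NetworkPolicy restricting 6379 to those three deployments. The trailing `---` followed by an empty document at the end of the file can be removed.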
@@ -0,0 +1,98 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: web +spec: + replicas: 1 + selector: + matchLabels: + app: web + template: + metadata: + labels: + app: web + spec: + containers: + - name: web + image: ghcr.io/0xtejas/rengine/web:latest + command: ["gunicorn", "reNgine.wsgi:application", "--bind", "0.0.0.0:8000", "-w", "2", "--access-logfile", "-", "--error-logfile", "-"] + env: + - name: DEBUG + value: "0" + - name: CELERY_BROKER + value: redis://redis:6379/0 + - name: CELERY_BACKEND + value: redis://redis:6379/0 + - name: POSTGRES_HOST + value: db + - name: POSTGRES_DB + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_DB + - name: POSTGRES_PORT + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_PORT + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_USER + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_PASSWORD + - name: DJANGO_SUPERUSER_PASSWORD + valueFrom: + secretKeyRef: + name: web-secret + key: DJANGO_SUPERUSER_PASSWORD + volumeMounts: + - mountPath: /usr/src/app/staticfiles + name: static-volume + - mountPath: /usr/src/app + name: shared-data + ports: + - containerPort: 8000 + volumes: + - name: static-volume + persistentVolumeClaim: + claimName: static-pvc + - name: shared-data + persistentVolumeClaim: + claimName: shared-data-pvc + initContainers: + - name: init-migrate + image: ghcr.io/0xtejas/rengine/web:latest + command: ["sh", "-c", "mkdir -p /usr/src/shared-app && cp -r /usr/src/app/* /usr/src/shared-app && python3 manage.py migrate && python3 manage.py collectstatic --noinput"] + env: + - name: POSTGRES_HOST + value: db + - name: POSTGRES_DB + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_DB + - name: POSTGRES_PORT + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_PORT + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_USER + - name: POSTGRES_PASSWORD + 
valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_PASSWORD + volumeMounts: + - mountPath: /usr/src/app/staticfiles + name: static-volume + - mountPath: /usr/src/shared-app + name: shared-data \ No newline at end of file diff --git a/k8s/web/secret.yml b/k8s/web/secret.yml new file mode 100644 index 000000000..334e88d80 --- /dev/null +++ b/k8s/web/secret.yml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Secret +metadata: + name: web-secret +type: Opaque +data: + DJANGO_SUPERUSER_PASSWORD: U203SUpHLklmSEFGdzlzblNLdg== + DJANGO_SUPERUSER_USERNAME: cmVuZ2luZQ== + DJANGO_SUPERUSER_EMAIL: cmVuZ2luZUBleGFtcGxlLmNvbQ== +--- +apiVersion: v1 +kind: Secret +metadata: + name: nginx-certificates +type: Opaque +data: + rengine_chain.pem: 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 + rengine_rsa.key: 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 + rengine.pem: 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 diff --git a/k8s/web/service.yml b/k8s/web/service.yml new file mode 100644 index 000000000..9ea605608 --- /dev/null +++ b/k8s/web/service.yml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Service +metadata: + name: rengine +spec: + ports: + - name: http + port: 8000 + targetPort: 8000 + selector: + app: web \ No newline at end of file From 92963298ebb03ced236ec4046ab295b4575bfb5b Mon Sep 17 00:00:00 2001 From: Tejas <47889755+0xtejas@users.noreply.github.com> Date: Tue, 29 Oct 2024 11:46:10 +0530 Subject: [PATCH 02/10] Removed a PVC definition that was added by mistake --- k8s/pvc.yml | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/k8s/pvc.yml b/k8s/pvc.yml index 94220b6aa..a3ab3c254 100644 --- a/k8s/pvc.yml +++ b/k8s/pvc.yml @@ -1,16 +1,5 @@ apiVersion: v1 kind: PersistentVolumeClaim -metadata: - name: nfs-rwx-storage -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 5Gi ---- -apiVersion: v1 -kind: PersistentVolumeClaim metadata: name: web-pvc spec: 
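Review bot: In k8s/web/deployment.yml the `init-migrate` container copies `/usr/src/app/*` onto the `shared-data` claim, and the web, celery and celery-beat pods then mount that ReadWriteMany volume over `/usr/src/app`, so the code each pod executes comes from a writable share rather than from its image. A process in any one of those pods can change what the others run, and an image update may be masked by whatever is already on the volume. If the share exists only to pass data between pods, mount a data subdirectory and leave `/usr/src/app` to the image; at minimum add a comment above the `cp -r` explaining why the copy is needed. Neither container sets `resources` or a `securityContext`.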
From 0150c0d0219c01150cc2d2567d895aa98bd994ea Mon Sep 17 00:00:00 2001 From: Tejas <47889755+0xtejas@users.noreply.github.com> Date: Tue, 29 Oct 2024 11:51:48 +0530 Subject: [PATCH 03/10] Refactor nginx service, TLS support with Letsencrypt and certmanager with fallback with custom certs - Changed the service type from LoadBalancer to ClusterIP in the nginx service configuration. - Updated the containerPort in the nginx deployment configuration from 8082 to 80. - Added new files for cert-manager configuration: certificate.yaml and cluster-issuer.yml. - Created an ingress configuration for nginx with SSL redirection and rewrite rules. --- k8s/cert-manager/certificate.yaml | 12 ++++++++++++ k8s/cert-manager/cluster-issuer.yml | 14 ++++++++++++++ k8s/nginx/configmap.yml | 22 +-------------------- k8s/nginx/deployment.yml | 2 +- k8s/nginx/ingress.yml | 30 +++++++++++++++++++++++++++++ k8s/nginx/service.yml | 2 +- k8s/web/secret.yml | 7 +++---- 7 files changed, 62 insertions(+), 27 deletions(-) create mode 100644 k8s/cert-manager/certificate.yaml create mode 100644 k8s/cert-manager/cluster-issuer.yml create mode 100644 k8s/nginx/ingress.yml diff --git a/k8s/cert-manager/certificate.yaml b/k8s/cert-manager/certificate.yaml new file mode 100644 index 000000000..39e46270c --- /dev/null +++ b/k8s/cert-manager/certificate.yaml @@ -0,0 +1,12 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: rengine-cert + namespace: default +spec: + secretName: rengine-tls + issuerRef: + name: letsencrypt-prod + kind: ClusterIssuer + dnsNames: + - rengine.example.com diff --git a/k8s/cert-manager/cluster-issuer.yml b/k8s/cert-manager/cluster-issuer.yml new file mode 100644 index 000000000..4f0d9d3cf --- /dev/null +++ b/k8s/cert-manager/cluster-issuer.yml 
@@ -0,0 +1,14 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-prod +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: rengine@example.com + privateKeySecretRef: + name: letsencrypt-prod + solvers: + - http01: + ingress: + class: nginx \ No newline at end of file diff --git a/k8s/nginx/configmap.yml b/k8s/nginx/configmap.yml index 556f47f87..fda770dfc 100644 --- a/k8s/nginx/configmap.yml +++ b/k8s/nginx/configmap.yml @@ -7,14 +7,7 @@ data: server { listen 80; listen [::]:80; - server_name rengine recon; - return 301 https://$host$request_uri; - } - - server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name rengine recon; + server_name rengine.example.com; charset utf-8; keepalive_timeout 70; @@ -42,17 +35,4 @@ data: alias /usr/src/scan_results/; autoindex off; } - - ssl_protocols TLSv1.2; - ssl_certificate /etc/nginx/certs/rengine.pem; - ssl_certificate_key /etc/nginx/certs/rengine_rsa.key; - ssl_trusted_certificate /etc/nginx/certs/rengine_chain.pem; - - ssl_ciphers '!EDH:!EXP:!SHA:!DSS:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256'; - ssl_prefer_server_ciphers on; - ssl_ecdh_curve secp384r1:X25519:prime256v1; - - ssl_session_cache shared:SSL:10m; - ssl_session_timeout 5m; - ssl_session_tickets off; } \ No newline at end of file diff --git a/k8s/nginx/deployment.yml b/k8s/nginx/deployment.yml index 5f01503ec..72981d140 100644 --- a/k8s/nginx/deployment.yml +++ b/k8s/nginx/deployment.yml @@ -24,7 +24,7 @@ spec: - name: static-files mountPath: /usr/src/app/staticfiles ports: - - containerPort: 8082 + - containerPort: 80 - containerPort: 443 volumes: - name: nginx-config-volume diff --git a/k8s/nginx/ingress.yml b/k8s/nginx/ingress.yml new file mode 100644 index 000000000..fad6297d6 --- /dev/null +++ b/k8s/nginx/ingress.yml 
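Review bot: With TLS now terminated at the Ingress, the remaining server block in k8s/nginx/configmap.yml only ever sees plain HTTP, and the `location /` block added in PATCH 01 (outside these hunks) sets `proxy_set_header X-Forwarded-Proto $scheme;`, which will now always be `http`. If Django relies on that header for secure cookies, CSRF origin checks or redirects, it will treat every request as insecure; pass the Ingress's value through instead, for example `proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;`. The Deployment still declares `containerPort: 443` and mounts the `certs` secret, and the Service still publishes 443, although nothing listens there after this change.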
@@ -0,0 +1,30 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: nginx-ingress + annotations: + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/rewrite-target: / + nginx.ingress.kubernetes.io/proxy-body-size: "800m" + nginx.ingress.kubernetes.io/proxy-read-timeout: "300" + nginx.ingress.kubernetes.io/proxy-connect-timeout: "300" + nginx.ingress.kubernetes.io/whitelist-source-range: "0.0.0.0/0" + acme.cert-manager.io/http01-edit-in-place: "true" + cert-manager.io/cluster-issuer: letsencrypt-prod +spec: + ingressClassName: nginx + tls: + - hosts: + - rengine.example.com + secretName: rengine-tls + rules: + - host: rengine.example.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: nginx + port: + number: 80 diff --git a/k8s/nginx/service.yml b/k8s/nginx/service.yml index af38aef77..94e728065 100644 --- a/k8s/nginx/service.yml +++ b/k8s/nginx/service.yml @@ -3,7 +3,7 @@ kind: Service metadata: name: nginx spec: - type: LoadBalancer + type: ClusterIP selector: app: nginx ports: diff --git a/k8s/web/secret.yml b/k8s/web/secret.yml index 334e88d80..def3f1b58 100644 --- a/k8s/web/secret.yml +++ b/k8s/web/secret.yml @@ -10,10 +10,9 @@ data: --- apiVersion: v1 kind: Secret +type: kubernetes.io/tls metadata: name: nginx-certificates -type: Opaque data: - rengine_chain.pem: 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 - rengine_rsa.key: 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 - rengine.pem: 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 + tls.crt: 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 + tls.key: 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 \ No newline at end of file From 67f3bd24737c66bee5b90de7846e21e89a741580 Mon Sep 17 00:00:00 2001 
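Review bot: In k8s/nginx/ingress.yml, `nginx.ingress.kubernetes.io/whitelist-source-range: "0.0.0.0/0"` is an allowlist that admits every IPv4 client, so it restricts nothing while reading as if access were limited; the UI behind it holds scan data, so either set the operators' ranges (placeholder: `"<OFFICE_OR_VPN_CIDR>"`) or remove the annotation. `rewrite-target: /` combined with `path: /` and no capture group may rewrite every request URI to `/` on current ingress-nginx releases; the backend already serves from the root, so the annotation looks unnecessary. The `cert-manager.io/cluster-issuer` annotation here and the standalone Certificate in k8s/cert-manager/certificate.yaml both target the `rengine-tls` secret; one of the two is enough.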
From: Tejas <47889755+0xtejas@users.noreply.github.com> Date: Tue, 29 Oct 2024 13:20:12 +0530 Subject: [PATCH 04/10] Add Kubernetes job configuration for creating Django superuser --- k8s/web/job.yml | 62 +++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) create mode 100644 k8s/web/job.yml diff --git a/k8s/web/job.yml b/k8s/web/job.yml new file mode 100644 index 000000000..365cb63fb --- /dev/null +++ b/k8s/web/job.yml @@ -0,0 +1,62 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: create-django-superuser +spec: + template: + spec: + containers: + - name: create-superuser + image: ghcr.io/0xtejas/rengine/web:latest + command: + - /bin/sh + - -c + - | + python3 manage.py shell -c ' + from django.contrib.auth import get_user_model + User = get_user_model() + if not User.objects.filter(username="$DJANGO_SUPERUSER_USERNAME").exists(): + User.objects.create_superuser( + "$DJANGO_SUPERUSER_USERNAME", + "$DJANGO_SUPERUSER_EMAIL", + "$DJANGO_SUPERUSER_PASSWORD" + )' + env: + - name: POSTGRES_DB + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_DB + - name: POSTGRES_HOST + value: db # Make sure this is the correct hostname for your database service + - name: POSTGRES_PORT + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_PORT + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_USER + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: db-secret + key: POSTGRES_PASSWORD + - name: DJANGO_SUPERUSER_USERNAME + valueFrom: + secretKeyRef: + name: web-secret + key: DJANGO_SUPERUSER_USERNAME + - name: DJANGO_SUPERUSER_EMAIL + valueFrom: + secretKeyRef: + name: web-secret + key: DJANGO_SUPERUSER_EMAIL + - name: DJANGO_SUPERUSER_PASSWORD + valueFrom: + secretKeyRef: + name: web-secret + key: DJANGO_SUPERUSER_PASSWORD + restartPolicy: OnFailure From bab17426df4d6f26774d3c2fa760051bd0c691a4 Mon Sep 17 00:00:00 2001 
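Review bot: In k8s/web/job.yml the Python passed to `manage.py shell -c` is wrapped in single quotes, so the shell never expands `$DJANGO_SUPERUSER_USERNAME`, `$DJANGO_SUPERUSER_EMAIL` or `$DJANGO_SUPERUSER_PASSWORD`; as written the job would create a superuser whose name and password are those literal strings. Read the values inside Python (`os.environ['DJANGO_SUPERUSER_PASSWORD']`) rather than interpolating them into the command. Any environment where this version of the job ran should be checked for an account with the literal username, and that account removed. The Job also sets no `backoffLimit`, so a persistent failure retries with the default count.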
From: Tejas <47889755+0xtejas@users.noreply.github.com> Date: Tue, 29 Oct 2024 19:19:51 +0530 Subject: [PATCH 05/10] Refactor deployment and Dockerfile to add readiness and liveness probes --- k8s/web/deployment.yml | 21 ++++++++++++++++----- web/Dockerfile | 6 ++++++ 2 files changed, 22 insertions(+), 5 deletions(-) diff --git a/k8s/web/deployment.yml b/k8s/web/deployment.yml index c12387b8a..9a5f885fc 100644 --- a/k8s/web/deployment.yml +++ b/k8s/web/deployment.yml @@ -45,11 +45,6 @@ spec: secretKeyRef: name: db-secret key: POSTGRES_PASSWORD - - name: DJANGO_SUPERUSER_PASSWORD - valueFrom: - secretKeyRef: - name: web-secret - key: DJANGO_SUPERUSER_PASSWORD volumeMounts: - mountPath: /usr/src/app/staticfiles name: static-volume @@ -57,6 +52,22 @@ spec: name: shared-data ports: - containerPort: 8000 + readinessProbe: + exec: + command: + - sh + - -c + - "pg_isready -h $POSTGRES_HOST -p $POSTGRES_PORT && redis-cli -h redis ping" + initialDelaySeconds: 10 + periodSeconds: 10 + livenessProbe: + exec: + command: + - sh + - -c + - "pg_isready -h $POSTGRES_HOST -p $POSTGRES_PORT && redis-cli -h redis ping" + initialDelaySeconds: 30 + periodSeconds: 30 volumes: - name: static-volume persistentVolumeClaim: diff --git a/web/Dockerfile b/web/Dockerfile index 66d709e75..38ab86d20 100644 --- a/web/Dockerfile +++ b/web/Dockerfile @@ -53,6 +53,12 @@ RUN apt install -y --no-install-recommends \ python3-netaddr \ software-properties-common +# Install PostgreSQL client and Redis tools +RUN apt-get update && \ + apt-get install -y postgresql-client redis-tools && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* + RUN add-apt-repository ppa:mozillateam/ppa RUN ARCH=$(dpkg --print-architecture) \ From 5aa14d041ee9a36296d3341ed762ddac13a821c2 Mon Sep 17 00:00:00 2001 
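Review bot: The `livenessProbe` added to k8s/web/deployment.yml runs the same `pg_isready ... && redis-cli -h redis ping` command as the readiness probe, so it measures the dependencies rather than gunicorn: a Postgres or Redis outage makes the kubelet restart every web pod, while a hung gunicorn still passes. Keep the dependency check for readiness only and point liveness at the app, for example `tcpSocket: { port: 8000 }` or an `httpGet` on a cheap endpoint. If Redis is later given a password, the `redis-cli ping` in the probe will need it too.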
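Review bot: In web/Dockerfile the new `apt-get install -y postgresql-client redis-tools` omits `--no-install-recommends`, unlike the `apt install -y --no-install-recommends` step just above it, so recommended packages are pulled into the image as well. These clients appear to exist only for the probes in k8s/web/deployment.yml; a comment saying so (`# pg_isready and redis-cli are used by the Kubernetes probes`) would stop them being mistaken for application dependencies. Switching the probes to TCP or HTTP checks would remove the need to ship database and Redis clients in the web image at all.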
From: Tejas <47889755+0xtejas@users.noreply.github.com> Date: Tue, 29 Oct 2024 19:56:41 +0530 Subject: [PATCH 06/10] Refactor Kubernetes job configuration to create Django superuser with environment variables --- k8s/web/job.yml | 24 ++++++++++++++++-------- 1 file changed, 16 insertions(+), 8 deletions(-) diff --git a/k8s/web/job.yml b/k8s/web/job.yml index 365cb63fb..2907a8d77 100644 --- a/k8s/web/job.yml +++ b/k8s/web/job.yml @@ -12,15 +12,23 @@ spec: - /bin/sh - -c - | - python3 manage.py shell -c ' + python3 manage.py shell -c " + import os from django.contrib.auth import get_user_model User = get_user_model() - if not User.objects.filter(username="$DJANGO_SUPERUSER_USERNAME").exists(): - User.objects.create_superuser( - "$DJANGO_SUPERUSER_USERNAME", - "$DJANGO_SUPERUSER_EMAIL", - "$DJANGO_SUPERUSER_PASSWORD" - )' + + # Retrieve superuser credentials from environment variables + username = os.environ.get('DJANGO_SUPERUSER_USERNAME') + email = os.environ.get('DJANGO_SUPERUSER_EMAIL') + password = os.environ.get('DJANGO_SUPERUSER_PASSWORD') + + # Check if a user with the specified username already exists + if User.objects.filter(username=username).exists(): + print(f'Superuser \"{username}\" already exists.') + else: + User.objects.create_superuser(username=username, email=email, password=password) + print(f'Superuser \"{username}\" has been successfully created.') + " env: - name: POSTGRES_DB valueFrom: @@ -59,4 +67,4 @@ spec: secretKeyRef: name: web-secret key: DJANGO_SUPERUSER_PASSWORD - restartPolicy: OnFailure + restartPolicy: OnFailure \ No newline at end of file From 9c2246f212e238e3a999ce864030e0a9af025ac9 Mon Sep 17 00:00:00 2001 From: Tejas <47889755+0xtejas@users.noreply.github.com> Date: Tue, 29 Oct 2024 20:28:23 +0530 Subject: [PATCH 07/10] Kubernetes deployment instructions --- k8s/readme.md | 100 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 k8s/readme.md 
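Review bot: In the rewritten script in k8s/web/job.yml, `os.environ.get(...)` returns `None` when a variable is missing, and `create_superuser(..., password=None)` would then, with Django's default user manager, create the account with an unusable password instead of stopping with a clear error; index the environment directly (`password = os.environ['DJANGO_SUPERUSER_PASSWORD']`) or validate the three values before use. Django's own `python3 manage.py createsuperuser --noinput` reads `DJANGO_SUPERUSER_USERNAME`, `DJANGO_SUPERUSER_EMAIL` and `DJANGO_SUPERUSER_PASSWORD` from the environment (Django 3.0 and later; confirm against the version in the image) and could replace the inline script. The job's `spec` and `env` sections lie outside these hunks.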
diff --git a/k8s/readme.md b/k8s/readme.md new file mode 100644 index 000000000..16489cec7 --- /dev/null +++ b/k8s/readme.md 
@@ -0,0 +1,100 @@ +# K8s Deployment Instructions + +This guide provides step-by-step instructions for deploying the application on a Kubernetes cluster. The deployment files should be applied in the following order: `ollama`, `postgres`, `redis`, `web`, `celery`, and `celery-beat`. + +## Prerequisites + +- A running Kubernetes cluster +- `kubectl` installed and configured to interact with your cluster + +## Step 1: Install the Ingress Controller + +1. **Add the NGINX Ingress Controller Helm repository:** + ```sh + helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx + helm repo update + ``` + +2. **Install the NGINX Ingress Controller:** + ```sh + helm install ingress-nginx ingress-nginx/ingress-nginx + ``` + +## Step 2: Install Cert Manager + +1. **Add the Jetstack Helm repository:** + ```sh + helm repo add jetstack https://charts.jetstack.io + helm repo update + ``` + +2. **Install Cert Manager:** + ```sh + kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.crds.yaml + helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace + ``` + +3. **Verify the installation:** + ```sh + kubectl get pods --namespace cert-manager + ``` + +## Step 3: Install OpenEBS NFS Provisioner + +1. **Add the OpenEBS Helm repository:** + ```sh + helm repo add openebs https://openebs.github.io/charts + helm repo update + ``` + +2. **Install OpenEBS NFS Provisioner:** + ```sh + helm install openebs-nfs openebs/openebs --namespace openebs --create-namespace + ``` + +3. **Verify the installation:** + ```sh + kubectl get pods --namespace openebs + ``` + +## Step 4: Deploy the Application Manifests + +1. **Navigate to the `k8s` directory:** + ```sh + cd k8s + ``` + +2. 
**Apply the manifests in the following order:** + ```sh + kubectl apply -f ollama/ + kubectl apply -f postgres/ + kubectl apply -f redis/ + kubectl apply -f web/ + kubectl apply -f celery/ + kubectl apply -f celery-beat/ + ``` + +## Step 5: Verify the Deployment + +1. **Check the status of the pods:** + ```sh + kubectl get pods + ``` + +2. **Check the status of the services:** + ```sh + kubectl get svc + ``` + +3. **Check the status of the Ingress:** + ```sh + kubectl get ingress + ``` + +## Additional Configuration + +- **Ingress Configuration:** Ensure that your Ingress resources are correctly configured to route traffic to your services. +- **Certificates:** Use Cert Manager to issue and manage TLS certificates for your Ingress resources. +- **Persistent Volumes:** Ensure that your Persistent Volume Claims (PVCs) are correctly bound to the Persistent Volumes (PVs) provided by OpenEBS NFS Provisioner. + +By following these steps, you should be able to deploy your application on Kubernetes with the necessary Ingress controller, Cert Manager, and OpenEBS NFS Provisioner. \ No newline at end of file From d3ea8222f2446efefdc27d0ec78c58f7db4cc07e Mon Sep 17 00:00:00 2001 From: Tejas <47889755+0xtejas@users.noreply.github.com> Date: Thu, 31 Oct 2024 10:21:18 +0530 Subject: [PATCH 08/10] Add Celery ConfigMap and update deployment to use environment variables --- k8s/celery/celery-config.yml | 7 +++++++ k8s/celery/deployment.yml | 5 ++++- 2 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 k8s/celery/celery-config.yml diff --git a/k8s/celery/celery-config.yml b/k8s/celery/celery-config.yml new file mode 100644 index 000000000..ffba68267 --- /dev/null +++ b/k8s/celery/celery-config.yml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: celery-config +data: + MAX_CONCURRENCY: "10" + MIN_CONCURRENCY: "1" diff --git a/k8s/celery/deployment.yml b/k8s/celery/deployment.yml index d9dc0759a..ab9db017b 100644 --- a/k8s/celery/deployment.yml 
+++ b/k8s/celery/deployment.yml @@ -50,6 +50,9 @@ spec: key: POSTGRES_PASSWORD - name: POSTGRES_HOST value: db + envFrom: + - configMapRef: + name: celery-config volumeMounts: - mountPath: /usr/src/app name: shared-data @@ -58,7 +61,7 @@ spec: memory: "2Gi" cpu: "600m" limits: - memory: "2.5Gi" + memory: "4Gi" cpu: "1.5" volumes: - name: shared-data From 81a9cef496efc1c8ca84d5488f112d7496d76d41 Mon Sep 17 00:00:00 2001 From: Tejas <47889755+0xtejas@users.noreply.github.com> Date: Thu, 31 Oct 2024 12:41:28 +0530 Subject: [PATCH 09/10] Update Kubernetes deployment instructions and add SSL configuration details --- k8s/readme.md | 45 ++++++++++++++++++++++++++++++++++++++++----- 1 file changed, 40 insertions(+), 5 deletions(-) diff --git a/k8s/readme.md b/k8s/readme.md index 16489cec7..e6a4e359d 100644 --- a/k8s/readme.md +++ b/k8s/readme.md 
@@ -7,17 +7,23 @@ This guide provides step-by-step instructions for deploying the application on a - A running Kubernetes cluster - `kubectl` installed and configured to interact with your cluster +## Configuration + +- To get a LetsEncrypt SSL certificate, you'll require to set up the Nginx Ingres Controller first. Then, configure the DNS record. Following that repace rengine.example.com to the domain name that you wish to receive SSL certificate for. + +- To use openssl or existing SSL certificate you can use `nginx-certificates` secret instead of `rengine-tls` secret and ignore creating cert-manager. + ## Step 1: Install the Ingress Controller 1. **Add the NGINX Ingress Controller Helm repository:** ```sh - helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx + helm repo add nginx-stable https://helm.nginx.com/stable helm repo update ``` 2. **Install the NGINX Ingress Controller:** ```sh - helm install ingress-nginx ingress-nginx/ingress-nginx + helm install nginx-ingress nginx-stable/nginx-ingress --namespace ingress-nginx --create-namespace --set controller.service.type=LoadBalancer ``` ## Step 2: Install Cert Manager @@ -30,8 +36,11 @@ This guide provides step-by-step instructions for deploying the application on a 2. **Install Cert Manager:** ```sh - kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.5.3/cert-manager.crds.yaml - helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace + helm install cert-manager jetstack/cert-manager \ + --namespace cert-manager \ + --create-namespace \ + --version v1.11.0 \ + --set installCRDs=true ``` 3. **Verify the installation:** 
@@ -39,7 +48,9 @@ This guide provides step-by-step instructions for deploying the application on a kubectl get pods --namespace cert-manager ``` -## Step 3: Install OpenEBS NFS Provisioner +## Step 3: Install OpenEBS NFS Provisioner (Optional) + +Note: Either you can install it manually or use the OpenEBS provisioner from the marketplace in the Cloud Provider. 1. **Add the OpenEBS Helm repository:** ```sh @@ -57,6 +68,26 @@ This guide provides step-by-step instructions for deploying the application on a kubectl get pods --namespace openebs ``` +4. **Create the Storage Class nfsrwx** + ```sh + kubectl apply -f - < Date: Thu, 31 Oct 2024 12:44:56 +0530 Subject: [PATCH 10/10] Clarify BackendStorageClass value in Kubernetes README for cloud provider variability --- k8s/readme.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/k8s/readme.md b/k8s/readme.md index e6a4e359d..8aada7859 100644 --- a/k8s/readme.md +++ b/k8s/readme.md @@ -79,7 +79,7 @@ Note: Either you can install it manually or use the OpenEBS provisioner from the - name: NSFServerType value: "kernel" - name: BackendStorageClass - value: "do-block-storage" + value: "do-block-storage" # This value changes as per the cloud provider openebs.io/cas-type: nsfrwx name: nfs-rwx-storage provisioner: openebs.io/nfsrwx