From 010798c8a84f0e2da740edde2272f19e3d88bd2f Mon Sep 17 00:00:00 2001 From: Jacob Cody Wimer Date: Wed, 20 Nov 2019 08:42:24 -0500 Subject: [PATCH] Updated kubernetes manifests --- deploy/kubernetes/README.md | 29 ++++++ deploy/kubernetes/manifests/db-migration.yaml | 47 +++++++++ deploy/kubernetes/manifests/ingress.yaml | 20 ++++ .../mariadb-standalone.yaml | 5 +- .../memcached-standalone.yaml | 0 .../{wdev => manifests}/wrestlingdev.yaml | 99 +++++++++---------- deploy/kubernetes/secrets/secrets.yaml | 11 +++ deploy/kubernetes/wdev/ingress.yaml | 16 --- 8 files changed, 156 insertions(+), 71 deletions(-) create mode 100644 deploy/kubernetes/README.md create mode 100644 deploy/kubernetes/manifests/db-migration.yaml create mode 100644 deploy/kubernetes/manifests/ingress.yaml rename deploy/kubernetes/{wdev => manifests}/mariadb-standalone.yaml (91%) rename deploy/kubernetes/{wdev => manifests}/memcached-standalone.yaml (100%) rename deploy/kubernetes/{wdev => manifests}/wrestlingdev.yaml (56%) create mode 100644 deploy/kubernetes/secrets/secrets.yaml delete mode 100644 deploy/kubernetes/wdev/ingress.yaml diff --git a/deploy/kubernetes/README.md b/deploy/kubernetes/README.md new file mode 100644 index 0000000..39f6b77 --- /dev/null +++ b/deploy/kubernetes/README.md 
@@ -0,0 +1,29 @@
+# How to deploy to Kubernetes
+
+## Prerequisites
+1. A storageclass named standard
+2. Cert manager installed [Install Cert Manager](https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html)
+
+## Steps
+1. Fill out the secrets file in `deploy/kubernetes/secrets/secrets.yaml`
+2. Fill out the ingress `deploy/kubernetes/manifests/ingress.yaml` because I own wrestlingdev.com not you. Put your own domain in there.
+3. Run `kubectl apply -f deploy/kubernetes/secrets/`
+4. Run `kubectl apply -f deploy/kubernetes/manifests/`
+
+## What do I get?
+1. Wrestlingdev deployed with 2 replicas. Autoscaling is turned on up to 4 replcias.
+2. A standalone mariadb.
+3. A standalone memcahced.
+4. A single job runner to run wrestlingdev background jobs.
+
+## How do I update the app?
+Each push to master updates the docker `prod` tag and also pushes a tag with the git hash.
+1. Set the git hash as a variable `TAG=$(git rev-parse --verify HEAD)`
+2. Update the wrestlingdev deployment tag `kubectl --record deployment.apps/wrestlingdev-app-deployment set image deployment.v1.apps/wrestlingdev-app-deployment wrestlingdev-app=jcwimer/wrestlingdev:${TAG}`
+3. Update the wrestlingdev job runner tag `kubectl --record deployment.apps/wrestlingdev-worker-deployment set image deployment.v1.apps/wrestlingdev-worker-deployment wrestlingdev-worker=jcwimer/wrestlingdev:${TAG}`
+4. Delete the db migrations job so you can re-run it `kubectl delete job wrestlingdev-db-create-migrate`
+5. Re-run the db migrations job `kubectl apply -f deploy/kubernetes/manifests/db-migration.yaml`
+
+## I'm a pro. What's bad about this?
+Right now, mariadb's root password comes from the secrets.yaml and wrestlingdev uses the root password to run. Ideally, you'd create another secret for mariadb's root password and you'd create a user specifically for wrestlingdev.
+From a mysql shell> `CREATE USER ${username} IDENTIFIED BY '${password}'; GRANT ALL PRIVILEGES ON ${database}.* TO ${username}; FLUSH PRIVILEGES;` $database would be wrestlingdev. I'll do this automatically later. \ No newline at end of file diff --git a/deploy/kubernetes/manifests/db-migration.yaml b/deploy/kubernetes/manifests/db-migration.yaml new file mode 100644 index 0000000..d591a72 --- /dev/null +++ b/deploy/kubernetes/manifests/db-migration.yaml @@ -0,0 +1,47 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: wrestlingdev-db-create-migrate +spec: + template: + spec: + containers: + - name: wrestlingdev-db-create-migrate + image: jcwimer/wrestlingdev:prod + imagePullPolicy: Always + command: ["/bin/sh","-c"] + args: ["bundle exec rake db:create; bundle exec rake db:migrate"] + env: + - name: RAILS_ENV + value: production + - name: WRESTLINGDEV_DB_NAME + value: wrestlingdev + - name: WRESTLINGDEV_DB_USR + valueFrom: + secretKeyRef: + name: wrestlingdev-secrets + key: dbusername + - name: WRESTLINGDEV_DB_PWD + valueFrom: + secretKeyRef: + name: wrestlingdev-secrets + key: dbpassword + - name: WRESTLINGDEV_DB_PORT + value: "3306" + - name: MEMCACHIER_SERVERS + value: wrestlingdev-memcached:11211 + - name: WRESTLINGDEV_DB_HOST + value: mariadb + - name: WRESTLINGDEV_DEVISE_SECRET_KEY + valueFrom: + secretKeyRef: + name: wrestlingdev-secrets + key: devisesecretkey + - name: WRESTLINGDEV_SECRET_KEY_BASE + valueFrom: + secretKeyRef: + name: wrestlingdev-secrets + key: railssecretkey + restartPolicy: OnFailure + backoffLimit: 10 \ No newline at end of file diff --git a/deploy/kubernetes/manifests/ingress.yaml b/deploy/kubernetes/manifests/ingress.yaml new file mode 100644 index 0000000..33ec10c --- /dev/null +++ b/deploy/kubernetes/manifests/ingress.yaml 
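Review bot: The migration Job pins `image: jcwimer/wrestlingdev:prod` with `imagePullPolicy: Always`, while the README added in this same commit tells operators to roll the app and worker Deployments to `jcwimer/wrestlingdev:${TAG}` and then re-apply this Job; if `prod` has moved past `TAG`, the migrations that run belong to a different build than the one serving traffic. The update procedure should either say that the Job image must be edited to the same tag before step 5, or the tag should be templated so all three manifests move together. Separately, `args: ["bundle exec rake db:create; bundle exec rake db:migrate"]` chains with `;`, so the Job's exit status reflects only `db:migrate`; `bundle exec rake db:create && bundle exec rake db:migrate` stops at the first failing step and reports it, which is what `restartPolicy: OnFailure` / `backoffLimit: 10` are relying on.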
@@ -0,0 +1,20 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + name: wrestlingdev-app-ingress-external + annotations: + certmanager.k8s.io/cluster-issuer: letsencrypt-prod + certmanager.k8s.io/acme-challenge-type: http01 +spec: + rules: + - host: wrestlingdev.com + http: + paths: + - path: / + backend: + serviceName: wrestlingdev-app + servicePort: 80 + tls: + - hosts: + - wrestlingdev.com + secretName: letsencrypt-prod diff --git a/deploy/kubernetes/wdev/mariadb-standalone.yaml b/deploy/kubernetes/manifests/mariadb-standalone.yaml similarity index 91% rename from deploy/kubernetes/wdev/mariadb-standalone.yaml rename to deploy/kubernetes/manifests/mariadb-standalone.yaml index adeecdc..ba2768e 100644 --- a/deploy/kubernetes/wdev/mariadb-standalone.yaml +++ b/deploy/kubernetes/manifests/mariadb-standalone.yaml @@ -46,7 +46,10 @@ spec: name: mariadb env: - name: MYSQL_ROOT_PASSWORD - value: password + valueFrom: + secretKeyRef: + name: wrestlingdev-secrets + key: dbpassword ports: - containerPort: 3306 name: mariadb diff --git a/deploy/kubernetes/wdev/memcached-standalone.yaml b/deploy/kubernetes/manifests/memcached-standalone.yaml similarity index 100% rename from deploy/kubernetes/wdev/memcached-standalone.yaml rename to deploy/kubernetes/manifests/memcached-standalone.yaml diff --git a/deploy/kubernetes/wdev/wrestlingdev.yaml b/deploy/kubernetes/manifests/wrestlingdev.yaml similarity index 56% rename from deploy/kubernetes/wdev/wrestlingdev.yaml rename to deploy/kubernetes/manifests/wrestlingdev.yaml index d935024..182bbe3 100644 --- a/deploy/kubernetes/wdev/wrestlingdev.yaml +++ b/deploy/kubernetes/manifests/wrestlingdev.yaml @@ -19,7 +19,7 @@ metadata: labels: app: wrestlingdev spec: - replicas: 1 + replicas: 2 selector: matchLabels: app: wrestlingdev 
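Review bot: The annotations `certmanager.k8s.io/cluster-issuer` and `certmanager.k8s.io/acme-challenge-type` use cert-manager's old API group, but the README in this commit links to the `latest` install docs; if the installed release is 0.11 or newer it reads `cert-manager.io/cluster-issuer` instead and ignores the old group, so no certificate is ever requested and the `letsencrypt-prod` TLS secret stays empty. Either pin the cert-manager version in the README prerequisites or switch to `cert-manager.io/cluster-issuer: letsencrypt-prod` and drop the challenge-type annotation, which newer releases no longer honour since solver config moved onto the Issuer. Naming the TLS secret `letsencrypt-prod`, identical to the ClusterIssuer, also makes events hard to read; `secretName: wrestlingdev-tls` would be clearer.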
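Review bot: Only `MYSQL_ROOT_PASSWORD` is wired to `wrestlingdev-secrets`, so the app connects only if `dbusername` in that Secret is literally `root`; any other `dbusername` value names an account MariaDB never creates and the migration Job fails with an authentication error. If this is the official mariadb image (the `image:` line is outside the hunk), the same Secret can drive `MYSQL_USER` / `MYSQL_PASSWORD` / `MYSQL_DATABASE` so the image creates a least-privilege account on first start, which is the fix the README defers; root would then need its own key (a new `rootpassword` entry in secrets.yaml) and `dbusername` must not be `root`, which that entrypoint rejects for `MYSQL_USER`. The container spec this hunk edits starts before the hunk.
```yaml
        env:
          - name: MYSQL_ROOT_PASSWORD
            valueFrom:
              secretKeyRef:
                name: wrestlingdev-secrets
                key: rootpassword
          - name: MYSQL_DATABASE
            value: wrestlingdev
          - name: MYSQL_USER
            valueFrom:
              secretKeyRef:
                name: wrestlingdev-secrets
                key: dbusername
          - name: MYSQL_PASSWORD
            valueFrom:
              secretKeyRef:
                name: wrestlingdev-secrets
                key: dbpassword
        # … unchanged: ports, containerPort 3306 …
```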
@@ -41,25 +41,37 @@ spec: - name: RAILS_ENV value: production - name: WRESTLINGDEV_DB_NAME - value: wrestlingtourney + value: wrestlingdev - name: WRESTLINGDEV_DB_USR - value: root + valueFrom: + secretKeyRef: + name: wrestlingdev-secrets + key: dbusername - name: WRESTLINGDEV_DB_PWD - value: password + valueFrom: + secretKeyRef: + name: wrestlingdev-secrets + key: dbpassword - name: WRESTLINGDEV_DB_PORT value: "3306" - name: MEMCACHIER_SERVERS value: wrestlingdev-memcached:11211 - name: WRESTLINGDEV_DB_HOST - value: wrestlingdev-mariadb + value: mariadb - name: WRESTLINGDEV_DEVISE_SECRET_KEY - value: 2f29d49db6704377ba263f7cb9db085b386bcb301c0cd501126a674686ab1a109754071165b08cd72af03cec4642a4dd04361c994462254dd5d85e9594e8b9aa + valueFrom: + secretKeyRef: + name: wrestlingdev-secrets + key: devisesecretkey - name: WRESTLINGDEV_SECRET_KEY_BASE - value: 077cdbef5c2ccf22543fb17a67339f234306b7fa2e1e4463d851c444c10a5611829a2290b253da78339427f131571fac9a42c83d960b2d25ecc10a4a0a7ce1a2 + valueFrom: + secretKeyRef: + name: wrestlingdev-secrets + key: railssecretkey resources: limits: cpu: "0.5" - memory: "512Mi" + memory: "768Mi" requests: memory: "512Mi" cpu: "0.5" @@ -67,8 +79,9 @@ spec: httpGet: path: / port: 80 - initialDelaySeconds: 20 - periodSeconds: 10 + initialDelaySeconds: 180 + periodSeconds: 20 + timeoutSeconds: 10 --- apiVersion: autoscaling/v2beta1 kind: HorizontalPodAutoscaler @@ -79,13 +92,13 @@ spec: apiVersion: extensions/v1beta1 kind: Deployment name: wrestlingdev-app-deployment - minReplicas: 1 - maxReplicas: 10 + minReplicas: 2 + maxReplicas: 4 metrics: - type: Resource resource: name: cpu - targetAverageUtilization: 50 + targetAverageUtilization: 300 # - type: Resource # resource: # name: memory 
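Review bot: The literal `WRESTLINGDEV_DEVISE_SECRET_KEY` and `WRESTLINGDEV_SECRET_KEY_BASE` values and the `password` database password removed in this hunk remain recoverable from git history, so switching the lookups to `secretKeyRef` only helps if the values loaded into `wrestlingdev-secrets` are freshly generated rather than the removed strings, and nothing in the commit says so. A comment next to the first secret ref, e.g. `# values must be newly generated (rails secret); the ones previously committed here are public via git history`, or an equivalent sentence in the README's secrets step, would make the rotation explicit. The Deployment's container spec begins before this hunk.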
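Review bot: `targetAverageUtilization: 300` is unreachable: the HPA measures CPU against the container's request, and the app container in the hunk above requests `cpu: "0.5"` with an identical limit of `"0.5"`, so observed utilization is capped at 100%. The autoscaler will therefore stay at `minReplicas: 2` under any load, which contradicts the README's "Autoscaling is turned on up to 4 replicas". Use a reachable target such as `targetAverageUtilization: 70`, or raise the CPU limit above the request if bursting past 100% of request is intended.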
@@ -116,21 +129,33 @@ spec: - name: RAILS_ENV value: production - name: WRESTLINGDEV_DB_NAME - value: wrestlingtourney + value: wrestlingdev - name: WRESTLINGDEV_DB_USR - value: root + valueFrom: + secretKeyRef: + name: wrestlingdev-secrets + key: dbusername - name: WRESTLINGDEV_DB_PWD - value: password + valueFrom: + secretKeyRef: + name: wrestlingdev-secrets + key: dbpassword - name: WRESTLINGDEV_DB_PORT value: "3306" - name: MEMCACHIER_SERVERS value: wrestlingdev-memcached:11211 - name: WRESTLINGDEV_DB_HOST - value: wrestlingdev-mariadb + value: mariadb - name: WRESTLINGDEV_DEVISE_SECRET_KEY - value: 2f29d49db6704377ba263f7cb9db085b386bcb301c0cd501126a674686ab1a109754071165b08cd72af03cec4642a4dd04361c994462254dd5d85e9594e8b9aa + valueFrom: + secretKeyRef: + name: wrestlingdev-secrets + key: devisesecretkey - name: WRESTLINGDEV_SECRET_KEY_BASE - value: 077cdbef5c2ccf22543fb17a67339f234306b7fa2e1e4463d851c444c10a5611829a2290b253da78339427f131571fac9a42c83d960b2d25ecc10a4a0a7ce1a2 + valueFrom: + secretKeyRef: + name: wrestlingdev-secrets + key: railssecretkey command: ["bundle"] args: ["exec", "bin/delayed_job", "-n", "1", "run"] resources: 
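Review bot: The `env` block here is a byte-for-byte copy of the app container's block in the previous hunk and of the migration Job's, so every change to `WRESTLINGDEV_DB_HOST`, `WRESTLINGDEV_DB_NAME` or a secret key name must be repeated in three places, and the `wrestlingdev-mariadb` to `mariadb` rename in this very commit is that kind of change. Consider a ConfigMap for the non-secret values (`RAILS_ENV`, `WRESTLINGDEV_DB_NAME`, `WRESTLINGDEV_DB_PORT`, `WRESTLINGDEV_DB_HOST`, `MEMCACHIER_SERVERS`) pulled in with `envFrom:` / `- configMapRef:` / `name: wrestlingdev-config`, leaving only the four `secretKeyRef` entries per container. The worker Deployment and its `command`/`args` start and end outside this hunk.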
@@ -140,38 +165,4 @@ spec: requests: memory: "512Mi" cpu: "0.2" ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: wrestlingdev-db-create-migrate -spec: - template: - spec: - containers: - - name: wrestlingdev-db-create-migrate - image: jcwimer/wrestlingdev:prod - imagePullPolicy: Always - command: ["/bin/sh","-c"] - args: ["bundle exec rake db:create; bundle exec rake db:migrate"] - env: - - name: RAILS_ENV - value: production - - name: WRESTLINGDEV_DB_NAME - value: wrestlingtourney - - name: WRESTLINGDEV_DB_USR - value: root - - name: WRESTLINGDEV_DB_PWD - value: password - - name: WRESTLINGDEV_DB_PORT - value: "3306" - - name: MEMCACHIER_SERVERS - value: wrestlingdev-memcached:11211 - - name: WRESTLINGDEV_DB_HOST - value: wrestlingdev-mariadb - - name: WRESTLINGDEV_DEVISE_SECRET_KEY - value: 2f29d49db6704377ba263f7cb9db085b386bcb301c0cd501126a674686ab1a109754071165b08cd72af03cec4642a4dd04361c994462254dd5d85e9594e8b9aa - - name: WRESTLINGDEV_SECRET_KEY_BASE - value: 077cdbef5c2ccf22543fb17a67339f234306b7fa2e1e4463d851c444c10a5611829a2290b253da78339427f131571fac9a42c83d960b2d25ecc10a4a0a7ce1a2 - restartPolicy: OnFailure - backoffLimit: 10 + diff --git a/deploy/kubernetes/secrets/secrets.yaml b/deploy/kubernetes/secrets/secrets.yaml new file mode 100644 index 0000000..7610432 --- /dev/null +++ b/deploy/kubernetes/secrets/secrets.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Secret +metadata: + name: wrestlingdev-secrets +type: Opaque +#data: +stringData: + dbusername: root + dbpassword: PUT_SECRET_HERE + devisesecretkey: PUT_SECRET_HERE get from running rails secret + railssecretkey: PUT_SECRET_HERE get from running rails secret \ No newline at end of file diff --git a/deploy/kubernetes/wdev/ingress.yaml b/deploy/kubernetes/wdev/ingress.yaml deleted file mode 100644 index b17d42d..0000000 --- a/deploy/kubernetes/wdev/ingress.yaml +++ /dev/null 
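Review bot: The placeholders `devisesecretkey: PUT_SECRET_HERE get from running rails secret` and `railssecretkey: PUT_SECRET_HERE get from running rails secret` carry the instruction inside the value, so an operator who replaces only `PUT_SECRET_HERE` ships a key with ` get from running rails secret` appended; the instruction belongs in a `#` comment. The values are also unquoted plain scalars, so a password containing `#`, `: ` or a leading `{` parses as something other than the intended string — quote them. This file is committed at the exact path the README tells operators to fill in and `kubectl apply`, which invites a real secret being committed; a `secrets.yaml.example` plus a `.gitignore` entry for `deploy/kubernetes/secrets/secrets.yaml` avoids that, and the dead `#data:` line can go.
```yaml
stringData:
  # Account the app connects as; see the README note on creating a non-root user.
  dbusername: 'root'
  dbpassword: 'PUT_SECRET_HERE'
  # Both keys: paste the output of `rails secret`. Generate fresh values; never reuse
  # anything that was ever committed to this repository.
  devisesecretkey: 'PUT_SECRET_HERE'
  railssecretkey: 'PUT_SECRET_HERE'
```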
@@ -1,16 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Ingress -metadata: - name: wrestlingdev-app-ingress -spec: - rules: - - host: wrestlingdev.jqw43.platform-lab.cloud.cas.org - http: - paths: - - path: / - backend: - serviceName: wrestlingdev-app - servicePort: 80 - tls: - - hosts: - - wrestlingdev.jqw43.platform-lab.cloud.cas.org