Updated kubernetes manifests

deploy/kubernetes/README.md

@@ -0,0 +1,29 @@
+# How to deploy to Kubernetes
+
+## Prerequisites
+1. A storageclass named standard
+2. Cert manager installed [Install Cert Manager](https://docs.cert-manager.io/en/latest/getting-started/install/kubernetes.html)
+
+## Steps
+1. Fill out the secrets file in `deploy/kubernetes/secrets/secrets.yaml`
+2. Fill out the ingress `deploy/kubernetes/manifests/ingress.yaml` because I own wrestlingdev.com not you. Put your own domain in there.
+3. Run `kubectl apply -f deploy/kubernetes/secrets/`
+4. Run `kubectl apply -f deploy/kubernetes/manifests/`
+
+## What do I get?
+1. Wrestlingdev deployed with 2 replicas. Autoscaling is turned on up to 4 replcias. 
+2. A standalone mariadb.
+3. A standalone memcahced.
+4. A single job runner to run wrestlingdev background jobs.
+
+## How do I update the app?
+Each push to master updates the docker `prod` tag and also pushes a tag with the git hash.
+1. Set the git hash as a variable `TAG=$(git rev-parse --verify HEAD)`
+2. Update the wrestlingdev deployment tag `kubectl --record deployment.apps/wrestlingdev-app-deployment set image deployment.v1.apps/wrestlingdev-app-deployment wrestlingdev-app=jcwimer/wrestlingdev:${TAG}`
+3. Update the wrestlingdev job runner tag `kubectl --record deployment.apps/wrestlingdev-worker-deployment set image deployment.v1.apps/wrestlingdev-worker-deployment wrestlingdev-worker=jcwimer/wrestlingdev:${TAG}`
+4. Delete the db migrations job so you can re-run it `kubectl delete job wrestlingdev-db-create-migrate`
+5. Re-run the db migrations job `kubectl apply -f deploy/kubernetes/manifests/db-migration.yaml`
+
+## I'm a pro. What's bad about this?
+Right now, mariadb's root password comes from the secrets.yaml and wrestlingdev uses the root password to run. Ideally, you'd create another secret for mariadb's root password and you'd create a user specifically for wrestlingdev.
+From a mysql shell> `CREATE USER ${username} IDENTIFIED BY '${password}'; GRANT ALL PRIVILEGES ON  ${database}.* TO ${username}; FLUSH PRIVILEGES;` $database would be wrestlingdev. I'll do this automatically later.

deploy/kubernetes/manifests/db-migration.yaml

@@ -0,0 +1,47 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: wrestlingdev-db-create-migrate
+spec:
+  template:
+    spec:
+      containers:
+      - name: wrestlingdev-db-create-migrate
+        image: jcwimer/wrestlingdev:prod
+        imagePullPolicy: Always
+        command: ["/bin/sh","-c"]
+        args: ["bundle exec rake db:create; bundle exec rake db:migrate"]
+        env:
+        - name: RAILS_ENV
+          value: production
+        - name: WRESTLINGDEV_DB_NAME
+          value: wrestlingdev
+        - name: WRESTLINGDEV_DB_USR
+          valueFrom:
+           secretKeyRef:
+             name: wrestlingdev-secrets
+             key: dbusername
+        - name: WRESTLINGDEV_DB_PWD
+          valueFrom:
+           secretKeyRef:
+             name: wrestlingdev-secrets
+             key: dbpassword
+        - name: WRESTLINGDEV_DB_PORT
+          value: "3306"
+        - name: MEMCACHIER_SERVERS
+          value: wrestlingdev-memcached:11211
+        - name: WRESTLINGDEV_DB_HOST
+          value: mariadb
+         - name: WRESTLINGDEV_DEVISE_SECRET_KEY
+          valueFrom:
+           secretKeyRef:
+             name: wrestlingdev-secrets
+             key: devisesecretkey
+        - name: WRESTLINGDEV_SECRET_KEY_BASE
+          valueFrom:
+           secretKeyRef:
+             name: wrestlingdev-secrets
+             key: railssecretkey
+      restartPolicy: OnFailure
+  backoffLimit: 10

deploy/kubernetes/manifests/ingress.yaml

@@ -0,0 +1,20 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: wrestlingdev-app-ingress-external
+  annotations:
+    certmanager.k8s.io/cluster-issuer: letsencrypt-prod
+    certmanager.k8s.io/acme-challenge-type: http01
+spec:
+  rules:
+  - host: wrestlingdev.com
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: wrestlingdev-app
+          servicePort: 80
+  tls:
+    - hosts:
+      - wrestlingdev.com
+      secretName: letsencrypt-prod

deploy/kubernetes/manifests/mariadb-standalone.yaml

@@ -46,7 +46,10 @@ spec:
         name: mariadb
         env:
         - name: MYSQL_ROOT_PASSWORD
-          value: password
+          valueFrom:
+           secretKeyRef:
+             name: wrestlingdev-secrets
+             key: dbpassword
         ports:
         - containerPort: 3306
           name: mariadb

deploy/kubernetes/manifests/wrestlingdev.yaml

@@ -19,7 +19,7 @@ metadata:
   labels:
     app: wrestlingdev
 spec:
-  replicas: 1
+  replicas: 2
   selector:
     matchLabels:
       app: wrestlingdev
@@ -41,25 +41,37 @@ spec:
         - name: RAILS_ENV
           value: production
         - name: WRESTLINGDEV_DB_NAME
-          value: wrestlingtourney
+          value: wrestlingdev
         - name: WRESTLINGDEV_DB_USR
-          value: root
+          valueFrom:
+           secretKeyRef:
+             name: wrestlingdev-secrets
+             key: dbusername
         - name: WRESTLINGDEV_DB_PWD
-          value: password
+          valueFrom:
+           secretKeyRef:
+             name: wrestlingdev-secrets
+             key: dbpassword
         - name: WRESTLINGDEV_DB_PORT
           value: "3306"
         - name: MEMCACHIER_SERVERS
           value: wrestlingdev-memcached:11211
         - name: WRESTLINGDEV_DB_HOST
-          value: wrestlingdev-mariadb
+          value: mariadb
         - name: WRESTLINGDEV_DEVISE_SECRET_KEY
-          value: 2f29d49db6704377ba263f7cb9db085b386bcb301c0cd501126a674686ab1a109754071165b08cd72af03cec4642a4dd04361c994462254dd5d85e9594e8b9aa
+          valueFrom:
+           secretKeyRef:
+             name: wrestlingdev-secrets
+             key: devisesecretkey
         - name: WRESTLINGDEV_SECRET_KEY_BASE
-          value: 077cdbef5c2ccf22543fb17a67339f234306b7fa2e1e4463d851c444c10a5611829a2290b253da78339427f131571fac9a42c83d960b2d25ecc10a4a0a7ce1a2
+          valueFrom:
+           secretKeyRef:
+             name: wrestlingdev-secrets
+             key: railssecretkey
         resources:
           limits:
             cpu: "0.5"
-            memory: "512Mi"
+            memory: "768Mi"
           requests:
             memory: "512Mi"
             cpu: "0.5"
@@ -67,8 +79,9 @@ spec:
           httpGet:
             path: /
             port: 80
-          initialDelaySeconds: 20
+          initialDelaySeconds: 180
-          periodSeconds: 10
+          periodSeconds: 20
+          timeoutSeconds: 10
 ---
 apiVersion: autoscaling/v2beta1
 kind: HorizontalPodAutoscaler
@@ -79,13 +92,13 @@ spec:
     apiVersion: extensions/v1beta1
     kind: Deployment
     name: wrestlingdev-app-deployment
-  minReplicas: 1
+  minReplicas: 2
-  maxReplicas: 10
+  maxReplicas: 4
   metrics:
   - type: Resource
     resource:
       name: cpu
-      targetAverageUtilization: 50
+      targetAverageUtilization: 300
   # - type: Resource
   #   resource:
   #     name: memory
@@ -116,21 +129,33 @@ spec:
         - name: RAILS_ENV
           value: production
         - name: WRESTLINGDEV_DB_NAME
-          value: wrestlingtourney
+          value: wrestlingdev
         - name: WRESTLINGDEV_DB_USR
-          value: root
+          valueFrom:
+           secretKeyRef:
+             name: wrestlingdev-secrets
+             key: dbusername
         - name: WRESTLINGDEV_DB_PWD
-          value: password
+          valueFrom:
+           secretKeyRef:
+             name: wrestlingdev-secrets
+             key: dbpassword
         - name: WRESTLINGDEV_DB_PORT
           value: "3306"
         - name: MEMCACHIER_SERVERS
           value: wrestlingdev-memcached:11211
         - name: WRESTLINGDEV_DB_HOST
-          value: wrestlingdev-mariadb
+          value: mariadb
         - name: WRESTLINGDEV_DEVISE_SECRET_KEY
-          value: 2f29d49db6704377ba263f7cb9db085b386bcb301c0cd501126a674686ab1a109754071165b08cd72af03cec4642a4dd04361c994462254dd5d85e9594e8b9aa
+          valueFrom:
+           secretKeyRef:
+             name: wrestlingdev-secrets
+             key: devisesecretkey
         - name: WRESTLINGDEV_SECRET_KEY_BASE
-          value: 077cdbef5c2ccf22543fb17a67339f234306b7fa2e1e4463d851c444c10a5611829a2290b253da78339427f131571fac9a42c83d960b2d25ecc10a4a0a7ce1a2
+          valueFrom:
+           secretKeyRef:
+             name: wrestlingdev-secrets
+             key: railssecretkey
         command: ["bundle"]
         args: ["exec", "bin/delayed_job", "-n", "1", "run"]
         resources:
@@ -140,38 +165,4 @@ spec:
           requests:
             memory: "512Mi"
             cpu: "0.2"
----
+
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: wrestlingdev-db-create-migrate
-spec:
-  template:
-    spec:
-      containers:
-      - name: wrestlingdev-db-create-migrate
-        image: jcwimer/wrestlingdev:prod
-        imagePullPolicy: Always
-        command: ["/bin/sh","-c"]
-        args: ["bundle exec rake db:create; bundle exec rake db:migrate"]
-        env:
-        - name: RAILS_ENV
-          value: production
-        - name: WRESTLINGDEV_DB_NAME
-          value: wrestlingtourney
-        - name: WRESTLINGDEV_DB_USR
-          value: root
-        - name: WRESTLINGDEV_DB_PWD
-          value: password
-        - name: WRESTLINGDEV_DB_PORT
-          value: "3306"
-        - name: MEMCACHIER_SERVERS
-          value: wrestlingdev-memcached:11211
-        - name: WRESTLINGDEV_DB_HOST
-          value: wrestlingdev-mariadb
-        - name: WRESTLINGDEV_DEVISE_SECRET_KEY
-          value: 2f29d49db6704377ba263f7cb9db085b386bcb301c0cd501126a674686ab1a109754071165b08cd72af03cec4642a4dd04361c994462254dd5d85e9594e8b9aa
-        - name: WRESTLINGDEV_SECRET_KEY_BASE
-          value: 077cdbef5c2ccf22543fb17a67339f234306b7fa2e1e4463d851c444c10a5611829a2290b253da78339427f131571fac9a42c83d960b2d25ecc10a4a0a7ce1a2
-      restartPolicy: OnFailure
-  backoffLimit: 10

deploy/kubernetes/secrets/secrets.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: wrestlingdev-secrets
+type: Opaque
+#data:
+stringData:
+  dbusername: root
+  dbpassword: PUT_SECRET_HERE
+  devisesecretkey: PUT_SECRET_HERE get from running rails secret
+  railssecretkey: PUT_SECRET_HERE get from running rails secret

deploy/kubernetes/wdev/ingress.yaml

@@ -1,16 +0,0 @@
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
-  name: wrestlingdev-app-ingress
-spec:
-  rules:
-  - host: wrestlingdev.jqw43.platform-lab.cloud.cas.org
-    http:
-      paths:
-      - path: /
-        backend:
-          serviceName: wrestlingdev-app
-          servicePort: 80
-  tls:
-    - hosts:
-      - wrestlingdev.jqw43.platform-lab.cloud.cas.org