from transpire import helm, surgery, utils
from transpire.resources import Deployment, Ingress, Secret, Service
name = "outline"
namespace = name
# Read the versions.toml that sits beside this file; it pins the image tag.
versions = utils.get_versions(__file__)
image = "docker.io/outlinewiki/outline:{}".format(versions[name]["version"])
# The upload bucket needed its CORS rules fixed by hand (via awscli) before
# browser uploads from Outline worked. For reference, the resulting policy:
# aws --profile=ceph --endpoint=https://o3.ocf.io s3api get-bucket-cors --bucket ocf-outline
# {
# "CORSRules": [
# {
# "AllowedHeaders": ["*"],
# "AllowedMethods": ["PUT", "POST", "GET", "DELETE"],
# "AllowedOrigins": ["https://docs.ocf.berkeley.edu"],
# "MaxAgeSeconds": 3000
# }
# ]
# }
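def objects():
    """Yield the Kubernetes manifests that make up the Outline deployment.

    Emitted in order: the public Ingress, the application Secret, the
    application ConfigMap, the Outline Deployment and its Service, the
    Redis Helm chart plus its Secret, and the edited Redis StatefulSet.
    Values that must agree across several objects (the web Service name,
    the application port, the public host, the Redis secret name/key) are
    bound once below so they cannot drift apart.

    Yields:
        dict: plain Kubernetes manifests, one per object.
    """
    # Shared values referenced by more than one manifest.
    host = "docs.ocf.berkeley.edu"
    web_service_name = f"{name}-web"
    app_port = 8080
    redis_secret_name = "redis"
    redis_password_key = "redis-password"

    # Ingress (standard configuration for web proxies): the Envoy listening
    # at 169.229.226.81 forwards the public host to the web Service on port 80.
    yield Ingress(
        host=host,
        service_name=web_service_name,
        service_port=80,
    ).build()

    # This Secret is emitted with empty values on purpose. In production,
    # transpire intercepts it and deploys a VaultSecret instead, so real
    # credentials never live in this file. Anything that can be generated
    # automatically may be filled in here and pushed with
    # `transpire secret push`.
    yield Secret(
        name=name,
        string_data={
            "OIDC_CLIENT_SECRET": "",
            "SECRET_KEY": "",
            "UTILS_SECRET": "",
            "AWS_ACCESS_KEY_ID": "",
            "AWS_SECRET_ACCESS_KEY": "",
            # The DB and Redis URLs embed user/password, so they belong in
            # the Secret rather than the ConfigMap.
            "DATABASE_URL": "",
            "REDIS_URL": "",
        },
    ).build()

    # Non-secret configuration; injected into the Deployment as env vars.
    yield {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": name},
        "data": {
            "AWS_REGION": "rgw-hdd",
            "AWS_S3_ACL": "private",
            "AWS_S3_FORCE_PATH_STYLE": "true",
            "AWS_S3_UPLOAD_BUCKET_NAME": "ocf-outline",
            "AWS_S3_UPLOAD_BUCKET_URL": "https://o3.ocf.io",
            # 25 MiB, expressed in bytes.
            "AWS_S3_UPLOAD_MAX_SIZE": "26214400",
            "DEFAULT_LANGUAGE": "en_US",
            "ENABLE_UPDATES": "true",
            "FORCE_HTTPS": "true",
            # NOTE(review): libpq's "require" encrypts the connection but does
            # not verify the server certificate; "verify-full" would, if the
            # CA is available to the pod.
            "PGSSLMODE": "require",
            "PORT": str(app_port),
            "SLACK_MESSAGE_ACTIONS": "true",
            "URL": f"https://{host}",
            "OIDC_CLIENT_ID": "outline",
            "OIDC_AUTH_URI": "https://idm.ocf.berkeley.edu/realms/ocf/protocol/openid-connect/auth",
            "OIDC_TOKEN_URI": "https://idm.ocf.berkeley.edu/realms/ocf/protocol/openid-connect/token",
            "OIDC_USERINFO_URI": "https://idm.ocf.berkeley.edu/realms/ocf/protocol/openid-connect/userinfo",
            "OIDC_DISPLAY_NAME": "OCF",
        },
    }

    # The Deployment keeps the container running (restarting it if it dies).
    # .patch() overrides the image's default command so DB migrations run
    # before the app starts.
    deploy_outline = Deployment(
        name=name,
        image=image,
        ports=[app_port],
    ).patch(
        surgery.make_edit_manifest(
            {
                ("spec", "template", "spec", "containers", 0, "command"): [
                    "sh",
                    "-c",
                    "yarn db:migrate && yarn start",
                ]
            }
        )
    )
    # Expose both the ConfigMap and the Secret above as environment variables.
    deploy_outline.pod_spec().with_configmap_env(name).with_secret_env(name)
    yield deploy_outline.build()

    yield Service(
        name=web_service_name,
        selector=deploy_outline.get_selector(),
        port_on_pod=app_port,
        port_on_svc=80,
    ).build()

    # Redis, from the Bitnami Helm chart pinned in versions.toml.
    redis_chart = helm.build_chart_from_versions(
        name="redis",
        versions=versions,
        # <https://github.com/bitnami/charts/tree/main/bitnami/redis>
        values={
            "architecture": "standalone",
            # The password is read from the Secret emitted just below
            # (a VaultSecret in production).
            "auth": {
                "existingSecret": redis_secret_name,
                "existingSecretPasswordKey": redis_password_key,
            },
        },
    )
    yield Secret(
        name=redis_secret_name,
        string_data={
            redis_password_key: "",
        },
    ).build()

    yield from surgery.edit_manifests(
        {
            # Drop the chart's auto-generated checksum for the secret only.
            # The checksums exist so Redis restarts when its configuration
            # changes, but the chart generates a fresh password on every run
            # even though the real secret in Vault is unchanged; ignoring
            # just the secret checksum avoids a spurious restart each deploy.
            ("StatefulSet", "redis-master"): surgery.make_edit_manifest(
                {
                    (
                        "spec",
                        "template",
                        "metadata",
                        "annotations",
                        "checksum/secret",
                    ): None,
                }
            )
        },
        redis_chart,
    )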