kubernetes with https ingress

Author: bketelsen

Makefile

@@ -22,6 +22,10 @@ build/bindata/bindata.go: hashed-artifacts
 	go-bindata -modtime 1 -pkg bindata -prefix build/by-hash/ -o $@ build/by-hash/*
 
 
+# build the cms
+content: FORCE
+	@cd content && npm install && npm run build
+
 # build the website
 www: FORCE
 	@cd www && npm install && npm run build
@@ -36,7 +40,7 @@ GO            = GOPATH=$(CURDIR)/.gopath GOBIN=$(CURDIR)/build go
 GO_BUILDFLAGS =
 GO_LDFLAGS    = -s -w
 
-$(CMD):  generate www
+$(CMD):  deps generate www
 	$(GO) build $(GO_BUILDFLAGS) -ldflags '$(GO_LDFLAGS)' '$(PKG)'
 
 
@@ -56,3 +60,7 @@ vendor: FORCE
 generate: FORCE
 	@./generate.sh
 .PHONY: FORCE
+
+deps: FORCE
+	@go install github.com/pacedotdev/oto
+.PHONY: FORCE

content/config/ca-certificate.crt

@@ -0,0 +1,25 @@
+-----BEGIN CERTIFICATE-----
+MIIEQTCCAqmgAwIBAgIUHPelrk5WEIQnPwobbCJv0g3OxyAwDQYJKoZIhvcNAQEM
+BQAwOjE4MDYGA1UEAwwvZDFhNzgyNDgtMTY4Zi00YTBkLWFkNzUtZGEwZWU4NTgz
+ZWFiIFByb2plY3QgQ0EwHhcNMjAxMTIwMDE1OTM5WhcNMzAxMTE4MDE1OTM5WjA6
+MTgwNgYDVQQDDC9kMWE3ODI0OC0xNjhmLTRhMGQtYWQ3NS1kYTBlZTg1ODNlYWIg
+UHJvamVjdCBDQTCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCCAYoCggGBAOwjCZFB
+eWrzvFBL8nf5zn+Fd2hlTXWYv87ra9tdpE9udrpS2SovI/VoFkneaMpK85tuOWXQ
+j00iazPfSIEvs10syQRdk79kKntfx3jwpWcV0TH1soo5p1CwWk4lO8/RKE3lqqex
+oFeRxaPq+8hjkcZlxrJgmkCgJZOJBU/7jZlfIKTN6lJqcNStnoY1eNdUNT2VZNb5
+FfkL1CCIqFuN7q1N52L844kZKBsidHXkEafl3sa49Sa5z5awzLG40AxmOQBhOkzM
+6UD1540weTa/mhC8/e7xdiw7nnLIgg27pu3/+pt4hG3Ibfn3+t1m77qDjRjd3qL9
+wfF75LLWuOaGr4GH2nvydaPUwpCo8OGU+9+JrChp9wbyanEgRmBzNbIR369deuEA
+6C2YJz7qiOmoYy331cNh6mKf8zj+OVdCT9uAt0vH2km9++3I1zF5tSeC75jJLDdq
+Vu5cv91ufJ+27sMqOnFs5h5yTPcLKQtr0SE1xFkwFX0OXc+vjvo1V7F0wwIDAQAB
+oz8wPTAdBgNVHQ4EFgQUqnkWRngQTp+TSRefaoCt6G033RYwDwYDVR0TBAgwBgEB
+/wIBADALBgNVHQ8EBAMCAQYwDQYJKoZIhvcNAQEMBQADggGBAJE++/eFOAgIWQxN
+KijEB754vEg9gHv6aVlR8bXXxJAPmKI81Jz3nqj8QLpZFpPf6YbjFfha5G77hJOC
+iN1vK09QVBSiDVctmuQhxDZ62BxdM4djjOYJbBpqBnOpyWWz7uGfdEfewACM8rmn
+9glB+KeP/JFTwk0T5mRGbTqCcscR69E1dJqLPig28LvijQuylqewMlGosAq3d4DY
+IaxuuSgKnvmrgi5mLhw6iPxOuxk9A9xLQnVM/gFP6hiNA2C14XWAKQZ0O9uOgWoC
+aI61qddWng2nnDy+vv7ZbpsuLT9zvZYXrZ15YORxe7Eou+nhoQtpzJGPWUJB+e1C
+4GHY0/Hv3sriqCJGEDAzwgNK/XCKa1KBTtwvHB9qPEGvqaXQc88ihiP/7WrFP8pA
+qVcaaK+w5yL46mlX+FEfvFJhror80n8AdLxBrpdTespvP2vvOwjSTXk6Ijc/wq5f
+QQg7TgIELHjtpCNUI609vEdar9d3zisY7/wG9iFjlC9sI1g1cg==
+-----END CERTIFICATE-----

content/config/database.js

@@ -1,3 +1,4 @@
+const fs = require('fs');
 module.exports = ({ env }) => ({
   defaultConnection: 'default',
   connections: {
@@ -10,7 +11,9 @@ module.exports = ({ env }) => ({
         database: env('DATABASE_NAME', 'strapi'),
         username: env('DATABASE_USERNAME', 'strapi'),
         password: env('DATABASE_PASSWORD', 'magical_password'),
-        ssl: env.bool('DATABASE_SSL', false),
+        ssl: {
+          ca: fs.readFileSync(`${__dirname}/ca-certificate.crt`).toString(),
+        }
       },
       options: {}
     },

content/package-lock.json

@@ -9,7 +9,9 @@
     "build": "strapi build",
     "strapi": "strapi"
   },
-  "devDependencies": {},
+  "devDependencies": {
+    "fs": "0.0.1-security"
+  },
   "dependencies": {
     "strapi": "3.3.3",
     "strapi-admin": "3.3.3",

content/package.json

@@ -0,0 +1 @@
+kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.16.1/cert-manager.yaml

contrib/kubernetes/certs/certmanager.sh

@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: contentgc-prod
+  namespace: default
+spec:
+  secretName: contentgc-tls
+  issuerRef:
+    name: letsencrypt
+  commonName: content.gophercon.com
+  dnsNames:
+  - content.gophercon.com

contrib/kubernetes/certs/contentgcprod.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: 'true'
+    service.beta.kubernetes.io/do-loadbalancer-hostname: "lb.gophercon.com"
+  labels:
+    helm.sh/chart: ingress-nginx-2.11.1
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/version: 0.34.1
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/component: controller
+  name: ingress-nginx-controller
+  namespace: ingress-nginx
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: http
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: https
+  selector:
+    app.kubernetes.io/name: ingress-nginx
+    app.kubernetes.io/instance: ingress-nginx
+    app.kubernetes.io/component: controller

contrib/kubernetes/certs/ingress-nginx-service.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+  namespace: cert-manager
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: [email protected]
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    # Enable the HTTP-01 challenge provider
+    solvers:
+    - http01:
+        ingress:
+          class: nginx

contrib/kubernetes/certs/issuer-prod.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # You must replace this email address with your own.
+    # Let's Encrypt will use this to contact you about expiring
+    # certificates, and issues related to your account.
+    email: [email protected]
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      # Secret resource that will be used to store the account's private key.
+      name: example-issuer-account-key
+    # Add a single challenge solver, HTTP01 using nginx
+    solvers:
+    - http01:
+        ingress:
+          class: nginx

contrib/kubernetes/certs/issuer-stage.yaml

@@ -0,0 +1 @@
+kubectl get pods --namespace cert-manager

contrib/kubernetes/certs/validate-certmanager.sh

@@ -3,10 +3,15 @@ kind: Ingress
 metadata:
   name: strapi-ingress
   annotations:
-    kubernetes.io/ingress.class: addon-http-application-routing
+    kubernetes.io/ingress.class: "nginx"
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
 spec:
+  tls:
+  - hosts:
+    - content.gophercon.com
+    secretName: contentgc-tls
   rules:
-  - host: content.44ec396da6024f08b75a.eastus2.aksapp.io
+  - host: content.gophercon.com
     http:
       paths:
       - backend:

contrib/kubernetes/ingress.yaml

@@ -0,0 +1,12 @@
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: strapi-temp-ingress
+spec:
+  rules:
+  - host: content.gophercon.com
+    http:
+      paths:
+      - backend:
+          serviceName: strapi
+          servicePort: strapi-port

contrib/kubernetes/manager-service.yaml

@@ -16,20 +16,23 @@ spec:
     spec:
       containers:
         - name: strapi
-          image: bketelsen/strapi:0
+          image: bketelsen/content:10
           imagePullPolicy: Always
           env:
             - name: DATABASE_NAME
               value: "strapi"
             - name: DATABASE_HOST
-              value: "gcpostgres-postgresql"
+              value: "private-gophercon-do-user-167863-0.b.db.ondigitalocean.com"
             - name: DATABASE_PORT
-              value: "5432"
+              value: "25060"
             - name: DATABASE_USERNAME
-              value: "postgres"
+              value: "strapi"
             - name: DATABASE_PASSWORD
-              value: "nope"
+              valueFrom:
+                secretKeyRef:
+                  name: strapi-db-secret
+                  key: password
           ports:
             - name: strapi-port
               containerPort: 1337
-              protocol: TCP
+              protocol: TCP

contrib/kubernetes/manager.yaml

@@ -11,6 +11,7 @@ require (
 	github.com/opentracing-contrib/go-grpc v0.0.0-20200813121455-4a6760c71486
 	github.com/opentracing-contrib/go-stdlib v0.0.0-20190519235532-cf7a6c988dc9
 	github.com/opentracing/opentracing-go v1.2.0
+	github.com/pacedotdev/oto v0.10.8 // indirect
 	github.com/pacedotdev/oto/otohttp v0.8.0
 	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.5.1