authorGravatar Joe Banks <[email protected]>2024-04-15 12:41:13 +0100
committerGravatar Joe Banks <[email protected]>2024-04-15 12:41:13 +0100
commitee52b8bb839654559064e5a155bb7e90e51b619c (patch)
tree5fe8c3d44560c82677bc62bbafe29954aa215665 /kubernetes/namespaces/pixels
parentMove blackbox to databases ns (diff)
Move pixels to pixels namespace
Also add a pull secret for the new namespace
Diffstat (limited to 'kubernetes/namespaces/pixels')
-rw-r--r--kubernetes/namespaces/pixels/pixels-modsite/README.md13
-rw-r--r--kubernetes/namespaces/pixels/pixels-modsite/deployment.yaml32
-rw-r--r--kubernetes/namespaces/pixels/pixels-modsite/ingress.yaml25
-rw-r--r--kubernetes/namespaces/pixels/pixels-modsite/secrets.yamlbin0 -> 257 bytes
-rw-r--r--kubernetes/namespaces/pixels/pixels-modsite/service.yaml12
-rw-r--r--kubernetes/namespaces/pixels/pixels/README.md18
-rw-r--r--kubernetes/namespaces/pixels/pixels/configmap.yaml13
-rw-r--r--kubernetes/namespaces/pixels/pixels/deployment.yaml45
-rw-r--r--kubernetes/namespaces/pixels/pixels/ingress.yaml25
-rw-r--r--kubernetes/namespaces/pixels/pixels/secrets.yamlbin0 -> 974 bytes
-rw-r--r--kubernetes/namespaces/pixels/pixels/service.yaml12
11 files changed, 195 insertions, 0 deletions
diff --git a/kubernetes/namespaces/pixels/pixels-modsite/README.md b/kubernetes/namespaces/pixels/pixels-modsite/README.md
new file mode 100644
index 0000000..ee95650
--- /dev/null
+++ b/kubernetes/namespaces/pixels/pixels-modsite/README.md
@@ -0,0 +1,13 @@
+# Pixels
+
+The deployment for the [Pixels modsite project](https://git.pydis.com/pixels-modsite), hosted at https://pixels-modsite.pythondiscord.com.
+
+This mod site will give Discord mods easy access to moderation actions for the pixels event.
+
+## Secret
+
+It requires a `pixels-modsite-env` secret with the following entries:
+
+| Environment | Description |
+|-------------------|-----------------------------------------------------------------|
+| DISCORD_BOT_TOKEN | The Discord bot token to use to check roles of users logging in |
diff --git a/kubernetes/namespaces/pixels/pixels-modsite/deployment.yaml b/kubernetes/namespaces/pixels/pixels-modsite/deployment.yaml
new file mode 100644
index 0000000..cba1381
--- /dev/null
+++ b/kubernetes/namespaces/pixels/pixels-modsite/deployment.yaml
@@ -0,0 +1,32 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pixels-modsite
+ namespace: pixels
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: pixels-modsite
+ template:
+ metadata:
+ labels:
+ app: pixels-modsite
+ spec:
+ containers:
+ - name: pixels-modsite
+ image: ghcr.io/python-discord/pixels-modsite:latest
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 3000
+ envFrom:
+ - secretRef:
+ name: pixels-modsite-env
+ securityContext:
+ readOnlyRootFilesystem: true
+ imagePullSecrets:
+ - name: ghcr-pull-secret
+ securityContext:
+ fsGroup: 2000
+ runAsUser: 1000
+ runAsNonRoot: true
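Review bot: The `image: ghcr.io/python-discord/pixels-modsite:latest` line, combined with `imagePullPolicy: Always`, means every pod restart runs whatever is currently pushed to that tag, and that image is handed the `pixels-modsite-env` secret (the README in this commit lists `DISCORD_BOT_TOKEN`). A mutable tag gives no record of which build was running at a given time and no reproducible rollback. Consider pinning to an immutable reference, e.g. `image: ghcr.io/python-discord/pixels-modsite@sha256:<digest-of-reviewed-build>` (placeholder), and letting CI bump it. The same applies to `ghcr.io/python-discord/pixels:latest` in pixels/deployment.yaml.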
diff --git a/kubernetes/namespaces/pixels/pixels-modsite/ingress.yaml b/kubernetes/namespaces/pixels/pixels-modsite/ingress.yaml
new file mode 100644
index 0000000..7992344
--- /dev/null
+++ b/kubernetes/namespaces/pixels/pixels-modsite/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+ nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+ name: pixels-modsite
+ namespace: pixels
+spec:
+ tls:
+ - hosts:
+ - "*.pythondiscord.com"
+ secretName: pythondiscord.com-tls
+ rules:
+ - host: pixels-modsite.pythondiscord.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: pixels-modsite
+ port:
+ number: 80
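Review bot: `secretName: pythondiscord.com-tls` is resolved in the Ingress's own namespace, so after this move it has to exist in `pixels`; the diffstat shown is limited to this path and does not show that secret being created there. If it is missing, ingress-nginx normally falls back to its default certificate rather than failing, which is easy to miss when traffic is fronted by a proxy. The `auth-tls-secret` annotation is not affected because it is written with an explicit `kube-system/` prefix. I would add a comment above the `tls:` block such as `# pythondiscord.com-tls must be present in the pixels namespace (Ingress TLS secrets are namespace-local)`; the same holds for pixels/ingress.yaml.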
diff --git a/kubernetes/namespaces/pixels/pixels-modsite/secrets.yaml b/kubernetes/namespaces/pixels/pixels-modsite/secrets.yaml
new file mode 100644
index 0000000..70b80ad
--- /dev/null
+++ b/kubernetes/namespaces/pixels/pixels-modsite/secrets.yaml
Binary files differ
diff --git a/kubernetes/namespaces/pixels/pixels-modsite/service.yaml b/kubernetes/namespaces/pixels/pixels-modsite/service.yaml
new file mode 100644
index 0000000..1326a9a
--- /dev/null
+++ b/kubernetes/namespaces/pixels/pixels-modsite/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: pixels-modsite
+ namespace: pixels
+spec:
+ selector:
+ app: pixels-modsite
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 3000
diff --git a/kubernetes/namespaces/pixels/pixels/README.md b/kubernetes/namespaces/pixels/pixels/README.md
new file mode 100644
index 0000000..f4ebf12
--- /dev/null
+++ b/kubernetes/namespaces/pixels/pixels/README.md
@@ -0,0 +1,18 @@
+# Pixels
+
+The deployment for the [Pixels project](https://git.pydis.com/pixels-v2), hosted at https://pixels.pythondiscord.com.
+
+## Secret
+
+It requires a `pixels-env` secret with the following entries:
+
+| Environment | Description |
+|---------------|---------------------------------------------------------------------------------------------------------|
+| AUTH_URL | A Discord OAuth2 URL with scopes: identify & guilds.members.read |
+| CLIENT_ID | Discord Oauth2 client ID |
+| CLIENT_SECRET | Discord Oauth2 client secret |
+| DATABASE_URL | Postgres database URL. |
+| JWT_SECRET | 32 byte (64 digit hex string) secret for encoding tokens. Any value can be used. |
+| REDIS_URL | Redis storage URL |
+| SENTRY_DSN | The Sentry DSN to send sentry events to |
+| WEBHOOK_URL | The webhook to periodically post the canvas state to |
diff --git a/kubernetes/namespaces/pixels/pixels/configmap.yaml b/kubernetes/namespaces/pixels/pixels/configmap.yaml
new file mode 100644
index 0000000..ca015f1
--- /dev/null
+++ b/kubernetes/namespaces/pixels/pixels/configmap.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: pixels-config-env
+ namespace: pixels
+data:
+ BASE_URL: https://pixels.pythondiscord.com
+ FORCE_LOGIN: 'True'
+ GUILD_ID: '267624335836053506'
+ HELPERS_ROLE: '267630620367257601'
+ LOG_LEVEL: debug
+ MOD_ROLE: '267630620367257601'
+ PRODUCTION: 'true'
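Review bot: `HELPERS_ROLE` and `MOD_ROLE` are both set to `'267630620367257601'`, so any check the application makes against either role will match the same set of users. If these are meant to be two distinct Discord roles, one of the IDs is presumably a copy-paste and should be corrected; if sharing the ID is intentional, a comment such as `# helpers and mods intentionally share one role for this event` would stop the next reader from "fixing" it. Separately, `LOG_LEVEL: debug` sits next to `PRODUCTION: 'true'`; unless the app's debug output is known not to include OAuth or session data, `LOG_LEVEL: info` would be the safer default here.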
diff --git a/kubernetes/namespaces/pixels/pixels/deployment.yaml b/kubernetes/namespaces/pixels/pixels/deployment.yaml
new file mode 100644
index 0000000..204d29a
--- /dev/null
+++ b/kubernetes/namespaces/pixels/pixels/deployment.yaml
@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: pixels
+ namespace: pixels
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: pixels
+ template:
+ metadata:
+ labels:
+ app: pixels
+ spec:
+ containers:
+ - name: pixels
+ image: ghcr.io/python-discord/pixels:latest
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8000
+ envFrom:
+ - secretRef:
+ name: pixels-env
+ - configMapRef:
+ name: pixels-config-env
+ startupProbe:
+ httpGet:
+ path: /health
+ port: 8000
+ httpHeaders:
+ - name: Host
+ value: pixels.pythondiscord.com
+ failureThreshold: 15
+ periodSeconds: 2
+ timeoutSeconds: 5
+ initialDelaySeconds: 10
+ securityContext:
+ readOnlyRootFilesystem: true
+ imagePullSecrets:
+ - name: ghcr-pull-secret
+ securityContext:
+ fsGroup: 2000
+ runAsUser: 1000
+ runAsNonRoot: true
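Review bot: The container-level `securityContext` in this hunk sets only `readOnlyRootFilesystem: true`, leaving privilege escalation and the default capability set at their defaults. The pod-level block already enforces `runAsNonRoot` and a fixed UID, so adding `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` beside `readOnlyRootFilesystem` should cost nothing for a web service listening on port 8000 and closes the setuid/capability paths. A pod-level `seccompProfile: {type: RuntimeDefault}` would complete the set if the cluster does not already default it. pixels-modsite/deployment.yaml has the same container block and would take the same two lines.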
diff --git a/kubernetes/namespaces/pixels/pixels/ingress.yaml b/kubernetes/namespaces/pixels/pixels/ingress.yaml
new file mode 100644
index 0000000..65fb03c
--- /dev/null
+++ b/kubernetes/namespaces/pixels/pixels/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+ nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+ name: pixels
+ namespace: pixels
+spec:
+ tls:
+ - hosts:
+ - "*.pythondiscord.com"
+ secretName: pythondiscord.com-tls
+ rules:
+ - host: pixels.pythondiscord.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: pixels
+ port:
+ number: 80
diff --git a/kubernetes/namespaces/pixels/pixels/secrets.yaml b/kubernetes/namespaces/pixels/pixels/secrets.yaml
new file mode 100644
index 0000000..e9d296e
--- /dev/null
+++ b/kubernetes/namespaces/pixels/pixels/secrets.yaml
Binary files differ
diff --git a/kubernetes/namespaces/pixels/pixels/service.yaml b/kubernetes/namespaces/pixels/pixels/service.yaml
new file mode 100644
index 0000000..0933571
--- /dev/null
+++ b/kubernetes/namespaces/pixels/pixels/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: pixels
+ namespace: pixels
+spec:
+ selector:
+ app: pixels
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 8000