author | 2024-04-15 11:26:52 +0100 | |
---|---|---|
committer | 2024-04-15 11:26:52 +0100 | |
commit | 23f7ec4f17dde7761619ef29634dd177b292d742 (patch) | |
tree | be7744708c4c70f00e070f45acfe46efa636430d /kubernetes/namespaces/tooling | |
parent | Remove unused services (diff) |
Move services to tooling namespace
Diffstat (limited to 'kubernetes/namespaces/tooling')
-rw-r--r-- | kubernetes/namespaces/tooling/bitwarden/README.md | 14 | ||||
-rw-r--r-- | kubernetes/namespaces/tooling/bitwarden/configmap.yaml | 24 | ||||
-rw-r--r-- | kubernetes/namespaces/tooling/bitwarden/deployment.yaml | 35 | ||||
-rw-r--r-- | kubernetes/namespaces/tooling/bitwarden/ingress.yaml | 25 | ||||
-rw-r--r-- | kubernetes/namespaces/tooling/bitwarden/secrets.yaml | bin | 0 -> 345 bytes | |||
-rw-r--r-- | kubernetes/namespaces/tooling/bitwarden/service.yaml | 10 | ||||
-rw-r--r-- | kubernetes/namespaces/tooling/policy-bot/README.md | 24 | ||||
-rw-r--r-- | kubernetes/namespaces/tooling/policy-bot/configmap.yaml | 50 | ||||
-rw-r--r-- | kubernetes/namespaces/tooling/policy-bot/deployment.yaml | 44 | ||||
-rw-r--r-- | kubernetes/namespaces/tooling/policy-bot/ingress.yaml | 25 | ||||
-rw-r--r-- | kubernetes/namespaces/tooling/policy-bot/secrets.yaml | bin | 0 -> 2254 bytes | |||
-rw-r--r-- | kubernetes/namespaces/tooling/policy-bot/service.yaml | 12 |
12 files changed, 263 insertions, 0 deletions
diff --git a/kubernetes/namespaces/tooling/bitwarden/README.md b/kubernetes/namespaces/tooling/bitwarden/README.md
new file mode 100644
index 0000000..37f01eb
--- /dev/null
+++ b/kubernetes/namespaces/tooling/bitwarden/README.md
@@ -0,0 +1,14 @@
+# BitWarden
+
+Our internal password manager, used by the admins to share passwords for our services. Hosted at https://bitwarden.pythondiscord.com
+
+To deploy this, first set up the secrets (see below) and then run `kubectl apply -f .` in this folder.
+
+## Secrets
+This deployment expects a few secrets to exist in a secret called `bitwarden-secret-env`.
+
+
+| Environment | Description |
+|-----------------------|-------------------------------------------|
+| ADMIN_TOKEN | 64-character token used for initial login |
+| DATABASE_URL | Database string: host://user:pass/db |
diff --git a/kubernetes/namespaces/tooling/bitwarden/configmap.yaml b/kubernetes/namespaces/tooling/bitwarden/configmap.yaml
new file mode 100644
index 0000000..29b9a84
--- /dev/null
+++ b/kubernetes/namespaces/tooling/bitwarden/configmap.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: bitwarden-config-env
+ namespace: tooling
+data:
+ # Domain to access bitwarden by
+ DOMAIN: "https://bitwarden.pythondiscord.com"
+
+ # Password hint must be sent to an email when this is false.
+ # When it's true, it'll be shown right on the page.
+ SHOW_PASSWORD_HINT: "false"
+
+ # Admins only, please!
+ SIGNUPS_ALLOWED: "false"
+
+ # Used for LiveSync
+ WEBSOCKET_ENABLED: "true"
+
+ # Max conns to the DB
+ DATABASE_MAX_CONNS: "2"
+
+ # Force bitwarden to use postgres, rather than it's own volume
+ I_REALLY_WANT_VOLATILE_STORAGE: "true"
diff --git a/kubernetes/namespaces/tooling/bitwarden/deployment.yaml b/kubernetes/namespaces/tooling/bitwarden/deployment.yaml
new file mode 100644
index 0000000..24177ae
--- /dev/null
+++ b/kubernetes/namespaces/tooling/bitwarden/deployment.yaml
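Review bot: The comment above `I_REALLY_WANT_VOLATILE_STORAGE` says the flag forces Postgres, but nothing in this file selects a database backend; that comes from `DATABASE_URL` in `bitwarden-secret-env` (see the README hunk), and as far as I know this flag only makes vaultwarden's start-up check tolerate `/data` not being a mounted volume — confirm against the image's start script. Since deployment.yaml mounts nothing at `/data` and sets `readOnlyRootFilesystem: true`, this flag is what lets the container start at all, so the comment should say that, e.g. `# /data is deliberately not a volume (all state lives in the Postgres from DATABASE_URL);` / `# this only silences vaultwarden's "data folder is not a volume" start-up check`. It is worth adding that anything vaultwarden writes under `/data` (attachments, icon cache, generated keys) is ephemeral or may fail on the read-only root filesystem, so enabling attachments later is not a surprise. Also `it's` → `its` in that comment.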
@@ -0,0 +1,35 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: bitwarden
+ namespace: tooling
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: bitwarden
+ template:
+ metadata:
+ labels:
+ app: bitwarden
+ spec:
+ containers:
+ - name: bitwarden
+ image: vaultwarden/server:latest
+ imagePullPolicy: Always
+ resources:
+ requests:
+ cpu: 1m
+ memory: 50Mi
+ limits:
+ cpu: 50m
+ memory: 100Mi
+ ports:
+ - containerPort: 80
+ envFrom:
+ - secretRef:
+ name: bitwarden-secret-env
+ - configMapRef:
+ name: bitwarden-config-env
+ securityContext:
+ readOnlyRootFilesystem: true
diff --git a/kubernetes/namespaces/tooling/bitwarden/ingress.yaml b/kubernetes/namespaces/tooling/bitwarden/ingress.yaml
new file mode 100644
index 0000000..e7eab59
--- /dev/null
+++ b/kubernetes/namespaces/tooling/bitwarden/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+ nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+ name: bitwarden
+ namespace: tooling
+spec:
+ tls:
+ - hosts:
+ - "*.pythondiscord.com"
+ secretName: pythondiscord.com-tls
+ rules:
+ - host: bitwarden.pythondiscord.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: bitwarden
+ port:
+ number: 80
diff --git a/kubernetes/namespaces/tooling/bitwarden/secrets.yaml b/kubernetes/namespaces/tooling/bitwarden/secrets.yaml
Binary files differ
new file mode 100644
index 0000000..c22e91b
--- /dev/null
+++ b/kubernetes/namespaces/tooling/bitwarden/secrets.yaml
diff --git a/kubernetes/namespaces/tooling/bitwarden/service.yaml b/kubernetes/namespaces/tooling/bitwarden/service.yaml
new file mode 100644
index 0000000..f937bed
--- /dev/null
+++ b/kubernetes/namespaces/tooling/bitwarden/service.yaml
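Review bot: The pod runs as whatever user the image defaults to, because the only securityContext here is the container-level `readOnlyRootFilesystem: true`, while policy-bot/deployment.yaml in this same commit sets `runAsNonRoot: true` / `runAsUser: 1000` / `fsGroup: 2000` at pod level; the two services should share that baseline, and for the one that stores every other service's credentials it matters more. Add under the pod `spec` `securityContext:` / `  runAsNonRoot: true` / `  runAsUser: <uid the image's data dir is writable by — placeholder>`, after checking that the vaultwarden image tolerates a non-root uid (I believe it does when its data directory is owned accordingly, but confirm). `image: vaultwarden/server:latest` with `imagePullPolicy: Always` also means any pod restart may pull a different, unreviewed build of the password manager; pin a release tag or digest (`vaultwarden/server:<pinned-version>`) and bump deliberately. A readiness probe against the server's health endpoint (vaultwarden exposes `/alive`, if memory serves) would keep traffic off a pod that is still failing to reach the database.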
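Review bot: The mTLS gate on this host lives entirely in the three `nginx.ingress.kubernetes.io/auth-tls-*` annotations, which only the ingress-nginx controller honours, yet no `ingressClassName` is set; if the cluster ever has a second controller or a non-nginx default class, the host is served with no client-certificate check and nothing in this manifest fails loudly. Add `ingressClassName: nginx` (or whatever class the controller registers) under `spec`, plus a comment above the annotations recording intent: `# Admin-only: clients must present a cert issued by the kube-system/mtls-client-crt-bundle CA; others are sent to the error page`. policy-bot/ingress.yaml below carries identical annotations and needs the same treatment. Whether client-cert verification alone is an adequate edge control depends on how that bundle is issued and revoked, which this commit does not show.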
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: bitwarden
+ namespace: tooling
+spec:
+ ports:
+ - port: 80
+ selector:
+ app: bitwarden
diff --git a/kubernetes/namespaces/tooling/policy-bot/README.md b/kubernetes/namespaces/tooling/policy-bot/README.md
new file mode 100644
index 0000000..ed44a63
--- /dev/null
+++ b/kubernetes/namespaces/tooling/policy-bot/README.md
@@ -0,0 +1,24 @@
+# Policy Bot
+Policy Bot is our instance of [palantir/policy-bot](https://github.com/palantir/policy-bot) for managing review policy across our GitHub repositories.
+
+Actual review policy is stored inside our GitHub repositories in the `.github/review-policy.yml` file, so the configuration here is purely for interacting with GitHub and some lower level things.
+
+## GitHub Configuration
+
+Follow the instructions in the [repository](https://github.com/palantir/policy-bot#deployment) to provision a GitHub application. Our manifests are configured to run the policy bot at https://policy-bot.pythondiscord.com/.
+
+## Secrets
+
+This app requires a `policy-bot-defaults` secret with the following entries:
+
+| Environment | Description |
+|--------------------------------------------------|-----------------------------------------------------------------------|
+| GITHUB_APP_PRIVATE_KEY | Contents of the PEM certificate downloadable from the GitHub App page |
+| GITHUB_APP_WEBHOOK_SECRET | Webhook secret from GitHub App Page |
+| GITHUB_OAUTH_CLIENT_SECRET | OAuth 2 client secret from Github App page |
+| POLICYBOT_OPTIONS_DO_NOT_LOAD_COMMIT_PUSHED_DATE | Set to True to not use deprecated commit_pushed_date from Github API |
+| POLICYBOT_SESSIONS_KEY | Random characters for signing user sessions |
+
+Run `kubectl apply -f .` inside this directory to apply the the configuration.
+
+Access the running application over [policy-bot.pythondiscord.com]([https://policy-bot.pythondiscord.com/])!
diff --git a/kubernetes/namespaces/tooling/policy-bot/configmap.yaml b/kubernetes/namespaces/tooling/policy-bot/configmap.yaml
new file mode 100644
index 0000000..c3e3660
--- /dev/null
+++ b/kubernetes/namespaces/tooling/policy-bot/configmap.yaml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: policy-bot-defaults
+ namespace: tooling
+data:
+ policy-bot.yml: |
+ # Options for the http server
+ server:
+ # The listen address and port
+ address: "0.0.0.0"
+ port: 8080
+ # The public URL, used for URL generation when the server is behind a proxy
+ public_url: https://policy-bot.pythondiscord.com/
+
+ # Options for logging output
+ logging:
+ # If true, logs are printed in human-readable form. We recommend using
+ # "false" to output JSON-formatted logs in production
+ text: false
+ # Set a minimum logging level threshold
+ # Choose from: debug, info, warn, error
+ level: debug
+
+ # Options for connecting to GitHub
+ github:
+ # The URL of the GitHub homepage. Can also be set by the GITHUB_WEB_URL
+ # environment variable.
+ web_url: "https://github.com"
+ # The base URL for v3 (REST) API requests. Can also be set by the
+ # GITHUB_V3_API_URL environment variable.
+ v3_api_url: "https://api.github.com"
+ # The base URL for v4 (GraphQL) API requests. Can also be set by the
+ # GITHUB_V4_API_URL environment variable.
+ v4_api_url: "https://api.github.com/graphql"
+ app:
+ # The integration ID of the GitHub app. Can also be set by the
+ # GITHUB_APP_INTEGRATION_ID environment variable.
+ integration_id: 91554
+ oauth:
+ # The client ID of the OAuth app associated with the GitHub app. Can also
+ # be set by the GITHUB_OAUTH_CLIENT_ID environment variable.
+ client_id: "Iv1.5be42b7c960b1ab2"
+
+ # Options for application behavior
+ options:
+ # The path within repositories to find the policy.yml file
+ policy_path: .github/review-policy.yml
+ # The context prefix for status checks created by the bot
+ status_check_context: "Review requirements"
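Review bot: `level: debug` is the steady-state setting here even though the comment two lines up justifies `text: false` as the production choice; for a service that handles GitHub webhook deliveries and OAuth logins, debug output raises the chance that request details land in persisted logs, so `level: info` is the safer default with debug switched on only while investigating. The mapping is mounted at `/secrets` by deployment.yaml although it is a ConfigMap holding non-secret identifiers (`integration_id`, `client_id`), with the credentials arriving through the `policy-bot-secrets` Secret via environment variables, as the per-key comments already hint. A one-line header at the top of `policy-bot.yml`, `# Non-secret settings only; credentials come from the policy-bot-secrets Secret as env vars`, would stop the mount path from suggesting that secrets belong in this file.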
diff --git a/kubernetes/namespaces/tooling/policy-bot/deployment.yaml b/kubernetes/namespaces/tooling/policy-bot/deployment.yaml
new file mode 100644
index 0000000..bf4541c
--- /dev/null
+++ b/kubernetes/namespaces/tooling/policy-bot/deployment.yaml
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: policy-bot
+ namespace: tooling
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: policy-bot
+ template:
+ metadata:
+ labels:
+ app: policy-bot
+ spec:
+ containers:
+ - name: policy-bot
+ image: palantirtechnologies/policy-bot:latest
+ imagePullPolicy: Always
+ resources:
+ requests:
+ cpu: 50m
+ memory: 50Mi
+ limits:
+ cpu: 100m
+ memory: 100Mi
+ ports:
+ - containerPort: 8080
+ volumeMounts:
+ - mountPath: /secrets
+ name: policy-bot-config
+ securityContext:
+ readOnlyRootFilesystem: true
+ envFrom:
+ - secretRef:
+ name: policy-bot-secrets
+ volumes:
+ - name: policy-bot-config
+ configMap:
+ name: policy-bot-defaults
+ securityContext:
+ fsGroup: 2000
+ runAsUser: 1000
+ runAsNonRoot: true
diff --git a/kubernetes/namespaces/tooling/policy-bot/ingress.yaml b/kubernetes/namespaces/tooling/policy-bot/ingress.yaml
new file mode 100644
index 0000000..79c2f74
--- /dev/null
+++ b/kubernetes/namespaces/tooling/policy-bot/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+ nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+ name: policy-bot
+ namespace: tooling
+spec:
+ tls:
+ - hosts:
+ - "*.pythondiscord.com"
+ secretName: pythondiscord.com-tls
+ rules:
+ - host: policy-bot.pythondiscord.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: policy-bot
+ port:
+ number: 80
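Review bot: `name: policy-bot-secrets` in the `secretRef` does not match the README in this commit, which tells the operator to create a secret called `policy-bot-defaults` — that name is actually the ConfigMap mounted a few lines below, so someone following the README would create a Secret that nothing references and the pod would come up without its GitHub credentials. Keep `policy-bot-secrets` here and correct the README so the two agree. `image: palantirtechnologies/policy-bot:latest` with `imagePullPolicy: Always` ties a component holding a GitHub App private key to whatever the registry serves at restart time; pin a release tag or digest (`palantirtechnologies/policy-bot:<pinned-version>`). The committed `secrets.yaml` files show as binary, which suggests they are encrypted in the repository — worth confirming that the encryption rule (e.g. a `.gitattributes` pattern) matched the new `kubernetes/namespaces/tooling/` path before the push, since a directory move is exactly when such patterns stop matching.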
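Review bot: `auth-tls-verify-client: "on"` demands a client certificate for every request to `policy-bot.pythondiscord.com`, but this service exists to receive GitHub webhook deliveries (the README provisions a GitHub App and a `GITHUB_APP_WEBHOOK_SECRET`), and GitHub does not present a client certificate; unless webhooks reach the pod through another Ingress that is not in this commit, every delivery will be rejected at the edge and review policy will never be evaluated. If the admin UI and the webhook endpoint are meant to share this host, the usual shape is a second Ingress covering only the webhook path the GitHub App is configured with, with `auth-tls-verify-client: "off"` there (the payload is authenticated by the webhook-secret HMAC instead), while everything else stays behind mTLS. If webhooks already arrive another way, a comment above the annotations saying so would save the next reader the same question.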
diff --git a/kubernetes/namespaces/tooling/policy-bot/secrets.yaml b/kubernetes/namespaces/tooling/policy-bot/secrets.yaml
Binary files differ
new file mode 100644
index 0000000..b98c96d
--- /dev/null
+++ b/kubernetes/namespaces/tooling/policy-bot/secrets.yaml
diff --git a/kubernetes/namespaces/tooling/policy-bot/service.yaml b/kubernetes/namespaces/tooling/policy-bot/service.yaml
new file mode 100644
index 0000000..aa8e669
--- /dev/null
+++ b/kubernetes/namespaces/tooling/policy-bot/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: policy-bot
+ namespace: tooling
+spec:
+ selector:
+ app: policy-bot
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 8080