author | 2024-04-15 12:02:31 +0100 | |
---|---|---|
committer | 2024-04-15 12:02:31 +0100 | |
commit | d3cb2bded9af86adae2bfac518b60496196a942a (patch) | |
tree | 54c83918764e21a805c0cf22bb29d1a93a9351c7 /kubernetes/namespaces/web/site | |
parent | Move API services to apis namespace (diff) |
Move site namespace
Diffstat (limited to 'kubernetes/namespaces/web/site')
-rw-r--r-- | kubernetes/namespaces/web/site/README.md | 25 | ||||
-rw-r--r-- | kubernetes/namespaces/web/site/deployment.yaml | 73 | ||||
-rw-r--r-- | kubernetes/namespaces/web/site/ingress.yaml | 30 | ||||
-rw-r--r-- | kubernetes/namespaces/web/site/redirect.yaml | 29 | ||||
-rw-r--r-- | kubernetes/namespaces/web/site/secrets.yaml | bin | 0 -> 2451 bytes | |||
-rw-r--r-- | kubernetes/namespaces/web/site/service.yaml | 15 |
6 files changed, 172 insertions, 0 deletions
diff --git a/kubernetes/namespaces/web/site/README.md b/kubernetes/namespaces/web/site/README.md
new file mode 100644
index 0000000..3eff711
--- /dev/null
+++ b/kubernetes/namespaces/web/site/README.md
@@ -0,0 +1,25 @@
+# Python Discord Site
+This folder contains the manifests for Python Discord site.
+
+## Serving static files
+
+Usually, a web server like `nginx` should be deployed and configured to serve static files needed by Django. Then we'd put an `Ingress`
+rule to route traffic to the `STATIC_URL` to that webserver.
+Check the [official docs](https://docs.djangoproject.com/en/4.2/howto/static-files/deployment/) for more info.
+
+In this setup, we do it differently thanks to [WhiteNoise](https://whitenoise.readthedocs.io/en/stable/base.html#), which sets up
+a middleware that handles the caching, compression and serving of the static files for us.
+
+## Secrets
+
+The deployment expects the following secrets to be available in `site-env`:
+
+| Environment | Description |
+|-----------------------|------------------------------------------------------------|
+| DATABASE_URL | The URL for the Postgresql database. |
+| GITHUB_APP_ID | The ID of a GitHub Application (related to the above key). |
+| GITHUB_APP_KEY | A PEM key for a GitHub Application. |
+| GITHUB_TOKEN | An API key to the Github API |
+| METRICITY_DB_URL | The URL for the Metricity database. |
+| SECRET_KEY | Secret key for Django. |
+| SITE_DSN | The Sentry Data Source Name. |
diff --git a/kubernetes/namespaces/web/site/deployment.yaml b/kubernetes/namespaces/web/site/deployment.yaml
new file mode 100644
index 0000000..bdb4073
--- /dev/null
+++ b/kubernetes/namespaces/web/site/deployment.yaml
@@ -0,0 +1,73 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: site
+ namespace: web
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: site
+ template:
+ metadata:
+ labels:
+ app: site
+ spec:
+ containers:
+ - name: site
+ image: ghcr.io/python-discord/site:latest
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8000
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 8000
+ httpHeaders:
+ - name: Host
+ value: pythondiscord.com
+ failureThreshold: 2
+ periodSeconds: 30
+ timeoutSeconds: 5
+ initialDelaySeconds: 10
+ startupProbe:
+ httpGet:
+ path: /
+ port: 8000
+ httpHeaders:
+ - name: Host
+ value: pythondiscord.com
+ failureThreshold: 15
+ periodSeconds: 2
+ timeoutSeconds: 5
+ initialDelaySeconds: 10
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1000Mi
+ requests:
+ cpu: 250m
+ memory: 400Mi
+ env:
+ # Needs to match with the variable name being read in django-prometheus
+ # https://github.com/korfuri/django-prometheus/blob/434a3ba36bdada45c9633451f5f6cfd145814ccf/django_prometheus/exports.py#L119
+ - name: prometheus_multiproc_dir
+ value: /tmp
+ envFrom:
+ - secretRef:
+ name: site-env
+ volumeMounts:
+ # Used for `gunicorn` worker heartbeats as well as the Prometheus
+ # client library's multiprocessing mode.
+ - name: django-tmp
+ mountPath: /tmp
+ securityContext:
+ readOnlyRootFilesystem: true
+ volumes:
+ - name: django-tmp
+ emptyDir:
+ medium: Memory
+ securityContext:
+ fsGroup: 1000
+ runAsUser: 1000
+ runAsNonRoot: true
diff --git a/kubernetes/namespaces/web/site/ingress.yaml b/kubernetes/namespaces/web/site/ingress.yaml
new file mode 100644
index 0000000..7b55d8f
--- /dev/null
+++ b/kubernetes/namespaces/web/site/ingress.yaml
@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+ nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+ nginx.ingress.kubernetes.io/server-snippet: |
+ location ~* /metrics {
+ deny all;
+ return 403;
+ }
+ name: site
+ namespace: web
+spec:
+ tls:
+ - hosts:
+ - "*.pythondiscord.com"
+ secretName: pythondiscord.com-tls
+ rules:
+ - host: www.pythondiscord.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: site
+ port:
+ number: 80
diff --git a/kubernetes/namespaces/web/site/redirect.yaml b/kubernetes/namespaces/web/site/redirect.yaml
new file mode 100644
index 0000000..642a6a0
--- /dev/null
+++ b/kubernetes/namespaces/web/site/redirect.yaml
@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ nginx.ingress.kubernetes.io/server-snippet: |
+ location ~* / {
+ return 308 https://www.pythondiscord.com$request_uri;
+ }
+ nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+ nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+ name: www-redirect
+ namespace: web
+spec:
+ tls:
+ - hosts:
+ - "pythondiscord.com"
+ secretName: pythondiscord.com-tls
+ rules:
+ - host: pythondiscord.com
+ http:
+ paths:
+ - path: /(.*)
+ pathType: Prefix
+ backend:
+ service:
+ name: site
+ port:
+ number: 80
diff --git a/kubernetes/namespaces/web/site/secrets.yaml b/kubernetes/namespaces/web/site/secrets.yaml
Binary files differ
new file mode 100644
index 0000000..f1116e6
--- /dev/null
+++ b/kubernetes/namespaces/web/site/secrets.yaml
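Review bot: In ingress.yaml the only control visible here that keeps `/metrics` off the public site is the `server-snippet` annotation, which takes effect only where the ingress-nginx controller permits snippet annotations; a comment above it such as `# depends on snippet annotations being allowed on the controller; without it /metrics is routed like any other path` would make that dependency explicit (redirect.yaml relies on a `server-snippet` in the same way). The regex `location ~* /metrics` is unanchored, so it also answers 403 for any site URL that merely contains `/metrics`; it could be anchored once the exporter's actual path is confirmed. The block does not apply inside the cluster: service.yaml advertises port 8000 for scraping, so unless a NetworkPolicy outside this diff restricts it, any workload that can reach the Service can presumably read the same endpoint.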
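Review bot: In redirect.yaml the rule path `/(.*)` is a regular expression declared with `pathType: Prefix`, which Kubernetes defines as element-wise prefix matching rather than regex matching, and stricter ingress-nginx path validation may reject such a path. Since the `server-snippet` on this host already answers every request with the 308, the backend is presumably never reached and `path: /` would express the same routing. If a regex is really intended, `pathType: ImplementationSpecific` is the type that matches it.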
diff --git a/kubernetes/namespaces/web/site/service.yaml b/kubernetes/namespaces/web/site/service.yaml
new file mode 100644
index 0000000..f30eccb
--- /dev/null
+++ b/kubernetes/namespaces/web/site/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: site
+ namespace: web
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "8000"
+spec:
+ selector:
+ app: site
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 8000 |