Diffstat (limited to 'kubernetes/namespaces/default/policy-bot')
-rw-r--r-- | kubernetes/namespaces/default/policy-bot/README.md | 24 | ||||
-rw-r--r-- | kubernetes/namespaces/default/policy-bot/configmap.yaml | 49 | ||||
-rw-r--r-- | kubernetes/namespaces/default/policy-bot/deployment.yaml | 43 | ||||
-rw-r--r-- | kubernetes/namespaces/default/policy-bot/ingress.yaml | 24 | ||||
-rw-r--r-- | kubernetes/namespaces/default/policy-bot/secrets.yaml | bin | 0 -> 2254 bytes | |||
-rw-r--r-- | kubernetes/namespaces/default/policy-bot/service.yaml | 11 |
6 files changed, 151 insertions, 0 deletions
diff --git a/kubernetes/namespaces/default/policy-bot/README.md b/kubernetes/namespaces/default/policy-bot/README.md
new file mode 100644
index 0000000..ed44a63
--- /dev/null
+++ b/kubernetes/namespaces/default/policy-bot/README.md
@@ -0,0 +1,24 @@
+# Policy Bot
+Policy Bot is our instance of [palantir/policy-bot](https://github.com/palantir/policy-bot) for managing review policy across our GitHub repositories.
+
+Actual review policy is stored inside our GitHub repositories in the `.github/review-policy.yml` file, so the configuration here is purely for interacting with GitHub and some lower level things.
+
+## GitHub Configuration
+
+Follow the instructions in the [repository](https://github.com/palantir/policy-bot#deployment) to provision a GitHub application. Our manifests are configured to run the policy bot at https://policy-bot.pythondiscord.com/.
+
+## Secrets
+
+This app requires a `policy-bot-defaults` secret with the following entries:
+
+| Environment | Description |
+|--------------------------------------------------|-----------------------------------------------------------------------|
+| GITHUB_APP_PRIVATE_KEY | Contents of the PEM certificate downloadable from the GitHub App page |
+| GITHUB_APP_WEBHOOK_SECRET | Webhook secret from GitHub App Page |
+| GITHUB_OAUTH_CLIENT_SECRET | OAuth 2 client secret from Github App page |
+| POLICYBOT_OPTIONS_DO_NOT_LOAD_COMMIT_PUSHED_DATE | Set to True to not use deprecated commit_pushed_date from Github API |
+| POLICYBOT_SESSIONS_KEY | Random characters for signing user sessions |
+
+Run `kubectl apply -f .` inside this directory to apply the the configuration.
+
+Access the running application over [policy-bot.pythondiscord.com]([https://policy-bot.pythondiscord.com/])!
diff --git a/kubernetes/namespaces/default/policy-bot/configmap.yaml b/kubernetes/namespaces/default/policy-bot/configmap.yaml
new file mode 100644
index 0000000..6183948
--- /dev/null
+++ b/kubernetes/namespaces/default/policy-bot/configmap.yaml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: policy-bot-defaults
+data:
+ policy-bot.yml: |
+ # Options for the http server
+ server:
+ # The listen address and port
+ address: "0.0.0.0"
+ port: 8080
+ # The public URL, used for URL generation when the server is behind a proxy
+ public_url: https://policy-bot.pythondiscord.com/
+
+ # Options for logging output
+ logging:
+ # If true, logs are printed in human-readable form. We recommend using
+ # "false" to output JSON-formatted logs in production
+ text: false
+ # Set a minimum logging level threshold
+ # Choose from: debug, info, warn, error
+ level: debug
+
+ # Options for connecting to GitHub
+ github:
+ # The URL of the GitHub homepage. Can also be set by the GITHUB_WEB_URL
+ # environment variable.
+ web_url: "https://github.com"
+ # The base URL for v3 (REST) API requests. Can also be set by the
+ # GITHUB_V3_API_URL environment variable.
+ v3_api_url: "https://api.github.com"
+ # The base URL for v4 (GraphQL) API requests. Can also be set by the
+ # GITHUB_V4_API_URL environment variable.
+ v4_api_url: "https://api.github.com/graphql"
+ app:
+ # The integration ID of the GitHub app. Can also be set by the
+ # GITHUB_APP_INTEGRATION_ID environment variable.
+ integration_id: 91554
+ oauth:
+ # The client ID of the OAuth app associated with the GitHub app. Can also
+ # be set by the GITHUB_OAUTH_CLIENT_ID environment variable.
+ client_id: "Iv1.5be42b7c960b1ab2"
+
+ # Options for application behavior
+ options:
+ # The path within repositories to find the policy.yml file
+ policy_path: .github/review-policy.yml
+ # The context prefix for status checks created by the bot
+ status_check_context: "Review requirements"
diff --git a/kubernetes/namespaces/default/policy-bot/deployment.yaml b/kubernetes/namespaces/default/policy-bot/deployment.yaml
new file mode 100644
index 0000000..1b3f96b
--- /dev/null
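Review bot: `level: debug` ships the production config at the most verbose logging level, while the comment just above it (`# Choose from: debug, info, warn, error`) shows `info` is available; debug output from a GitHub App tends to include request and webhook details that are noisy and may carry data you would rather not keep in centralised logs, so I would set `level: info` and raise it only while troubleshooting. The ConfigMap is also named `policy-bot-defaults` and is mounted under `/secrets` by deployment.yaml even though none of its values are secret (the app integration ID and OAuth client ID are public identifiers), so a short comment above `data:` such as `# Non-secret runtime config; credentials are injected from the policy-bot-secrets Secret via envFrom` would keep a reader from assuming this file must be protected like the Secret.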
+++ b/kubernetes/namespaces/default/policy-bot/deployment.yaml
@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: policy-bot
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: policy-bot
+ template:
+ metadata:
+ labels:
+ app: policy-bot
+ spec:
+ containers:
+ - name: policy-bot
+ image: palantirtechnologies/policy-bot:latest
+ imagePullPolicy: Always
+ resources:
+ requests:
+ cpu: 50m
+ memory: 50Mi
+ limits:
+ cpu: 100m
+ memory: 100Mi
+ ports:
+ - containerPort: 8080
+ volumeMounts:
+ - mountPath: /secrets
+ name: policy-bot-config
+ securityContext:
+ readOnlyRootFilesystem: true
+ envFrom:
+ - secretRef:
+ name: policy-bot-secrets
+ volumes:
+ - name: policy-bot-config
+ configMap:
+ name: policy-bot-defaults
+ securityContext:
+ fsGroup: 2000
+ runAsUser: 1000
+ runAsNonRoot: true
diff --git a/kubernetes/namespaces/default/policy-bot/ingress.yaml b/kubernetes/namespaces/default/policy-bot/ingress.yaml
new file mode 100644
index 0000000..088dd01
--- /dev/null
+++ b/kubernetes/namespaces/default/policy-bot/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+ nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+ name: policy-bot
+spec:
+ tls:
+ - hosts:
+ - "*.pythondiscord.com"
+ secretName: pythondiscord.com-tls
+ rules:
+ - host: policy-bot.pythondiscord.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: policy-bot
+ port:
+ number: 80
diff --git a/kubernetes/namespaces/default/policy-bot/secrets.yaml b/kubernetes/namespaces/default/policy-bot/secrets.yaml
Binary files differnew file mode 100644
index 0000000..9d91e70
--- /dev/null
+++ b/kubernetes/namespaces/default/policy-bot/secrets.yaml
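Review bot: `image: palantirtechnologies/policy-bot:latest` combined with `imagePullPolicy: Always` means every pod restart pulls whatever the upstream `latest` tag currently points at, so a breaking or compromised upstream publish reaches the cluster without a reviewed change; pin an explicit release tag or digest, e.g. `image: palantirtechnologies/policy-bot:<pinned-version>` (placeholder), and bump it through normal review. The `envFrom` secretRef names `policy-bot-secrets`, whereas README.md in this commit tells operators to create a `policy-bot-defaults` secret — that name belongs to the ConfigMap, so one of the two should be corrected or a pod built from the docs will start with no credentials. The container-level `securityContext` would also benefit from `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` next to `readOnlyRootFilesystem: true`, since the pod-level `runAsNonRoot: true` does not cover either.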
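Review bot: `nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"` enforces mandatory client-certificate verification on every path under `/`, which includes whatever path policy-bot serves GitHub webhooks on; GitHub's webhook deliveries do not present a certificate from `kube-system/mtls-client-crt-bundle`, so they would be rejected at the ingress controller before reaching the bot unless webhooks arrive through a route not shown in this commit. If the mTLS gate is intended only for the browser UI, the webhook endpoint should be exposed by a second Ingress object for the same host without the `auth-tls-*` annotations, with those requests authenticated by the `GITHUB_APP_WEBHOOK_SECRET` HMAC the README already lists. Worth confirming against the webhook URL configured on the GitHub App before merging.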
diff --git a/kubernetes/namespaces/default/policy-bot/service.yaml b/kubernetes/namespaces/default/policy-bot/service.yaml
new file mode 100644
index 0000000..da0fb64
--- /dev/null
+++ b/kubernetes/namespaces/default/policy-bot/service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: policy-bot
+spec:
+ selector:
+ app: policy-bot
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 8080 |