From d3cb2bded9af86adae2bfac518b60496196a942a Mon Sep 17 00:00:00 2001
From: Joe Banks
Date: Mon, 15 Apr 2024 12:02:31 +0100
Subject: Move site namespace
---
kubernetes/namespaces/default/site/README.md | 25 -------
kubernetes/namespaces/default/site/deployment.yaml | 72 --------------------
kubernetes/namespaces/default/site/ingress.yaml | 29 --------
kubernetes/namespaces/default/site/redirect.yaml | 28 --------
kubernetes/namespaces/default/site/secrets.yaml | Bin 2455 -> 0 bytes
kubernetes/namespaces/default/site/service.yaml | 14 ----
kubernetes/namespaces/web/site/README.md | 25 +++++++
kubernetes/namespaces/web/site/deployment.yaml | 73 +++++++++++++++++++++
kubernetes/namespaces/web/site/ingress.yaml | 30 +++++++++
kubernetes/namespaces/web/site/redirect.yaml | 29 ++++++++
kubernetes/namespaces/web/site/secrets.yaml | Bin 0 -> 2451 bytes
kubernetes/namespaces/web/site/service.yaml | 15 +++++
12 files changed, 172 insertions(+), 168 deletions(-)
delete mode 100644 kubernetes/namespaces/default/site/README.md
delete mode 100644 kubernetes/namespaces/default/site/deployment.yaml
delete mode 100644 kubernetes/namespaces/default/site/ingress.yaml
delete mode 100644 kubernetes/namespaces/default/site/redirect.yaml
delete mode 100644 kubernetes/namespaces/default/site/secrets.yaml
delete mode 100644 kubernetes/namespaces/default/site/service.yaml
create mode 100644 kubernetes/namespaces/web/site/README.md
create mode 100644 kubernetes/namespaces/web/site/deployment.yaml
create mode 100644 kubernetes/namespaces/web/site/ingress.yaml
create mode 100644 kubernetes/namespaces/web/site/redirect.yaml
create mode 100644 kubernetes/namespaces/web/site/secrets.yaml
create mode 100644 kubernetes/namespaces/web/site/service.yaml
(limited to 'kubernetes/namespaces')
diff --git a/kubernetes/namespaces/default/site/README.md b/kubernetes/namespaces/default/site/README.md
deleted file mode 100644
index 3eff711..0000000
--- a/kubernetes/namespaces/default/site/README.md
+++ /dev/null
@@ -1,25 +0,0 @@
-# Python Discord Site
-This folder contains the manifests for Python Discord site.
-
-## Serving static files
-
-Usually, a web server like `nginx` should be deployed and configured to serve static files needed by Django. Then we'd put an `Ingress`
-rule to route traffic to the `STATIC_URL` to that webserver.
-Check the [official docs](https://docs.djangoproject.com/en/4.2/howto/static-files/deployment/) for more info.
-
-In this setup, we do it differently thanks to [WhiteNoise](https://whitenoise.readthedocs.io/en/stable/base.html#), which sets up
-a middleware that handles the caching, compression and serving of the static files for us.
-
-## Secrets
-
-The deployment expects the following secrets to be available in `site-env`:
-
-| Environment | Description |
-|-----------------------|------------------------------------------------------------|
-| DATABASE_URL | The URL for the Postgresql database. |
-| GITHUB_APP_ID | The ID of a GitHub Application (related to the above key). |
-| GITHUB_APP_KEY | A PEM key for a GitHub Application. |
-| GITHUB_TOKEN | An API key to the Github API |
-| METRICITY_DB_URL | The URL for the Metricity database. |
-| SECRET_KEY | Secret key for Django. |
-| SITE_DSN | The Sentry Data Source Name. |
diff --git a/kubernetes/namespaces/default/site/deployment.yaml b/kubernetes/namespaces/default/site/deployment.yaml
deleted file mode 100644
index 2f88af8..0000000
--- a/kubernetes/namespaces/default/site/deployment.yaml
+++ /dev/null
@@ -1,72 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: site
-spec:
- replicas: 2
- selector:
- matchLabels:
- app: site
- template:
- metadata:
- labels:
- app: site
- spec:
- containers:
- - name: site
- image: ghcr.io/python-discord/site:latest
- imagePullPolicy: Always
- ports:
- - containerPort: 8000
- livenessProbe:
- httpGet:
- path: /
- port: 8000
- httpHeaders:
- - name: Host
- value: pythondiscord.com
- failureThreshold: 2
- periodSeconds: 30
- timeoutSeconds: 5
- initialDelaySeconds: 10
- startupProbe:
- httpGet:
- path: /
- port: 8000
- httpHeaders:
- - name: Host
- value: pythondiscord.com
- failureThreshold: 15
- periodSeconds: 2
- timeoutSeconds: 5
- initialDelaySeconds: 10
- resources:
- limits:
- cpu: 500m
- memory: 1000Mi
- requests:
- cpu: 250m
- memory: 400Mi
- env:
- # Needs to match with the variable name being read in django-prometheus
- # https://github.com/korfuri/django-prometheus/blob/434a3ba36bdada45c9633451f5f6cfd145814ccf/django_prometheus/exports.py#L119
- - name: prometheus_multiproc_dir
- value: /tmp
- envFrom:
- - secretRef:
- name: site-env
- volumeMounts:
- # Used for `gunicorn` worker heartbeats as well as the Prometheus
- # client library's multiprocessing mode.
- - name: django-tmp
- mountPath: /tmp
- securityContext:
- readOnlyRootFilesystem: true
- volumes:
- - name: django-tmp
- emptyDir:
- medium: Memory
- securityContext:
- fsGroup: 1000
- runAsUser: 1000
- runAsNonRoot: true
diff --git a/kubernetes/namespaces/default/site/ingress.yaml b/kubernetes/namespaces/default/site/ingress.yaml
deleted file mode 100644
index 9f12daf..0000000
--- a/kubernetes/namespaces/default/site/ingress.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- annotations:
- nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
- nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
- nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
- nginx.ingress.kubernetes.io/server-snippet: |
- location ~* /metrics {
- deny all;
- return 403;
- }
- name: site
-spec:
- tls:
- - hosts:
- - "*.pythondiscord.com"
- secretName: pythondiscord.com-tls
- rules:
- - host: www.pythondiscord.com
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: site
- port:
- number: 80
diff --git a/kubernetes/namespaces/default/site/redirect.yaml b/kubernetes/namespaces/default/site/redirect.yaml
deleted file mode 100644
index 33cf7d2..0000000
--- a/kubernetes/namespaces/default/site/redirect.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- annotations:
- nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
- nginx.ingress.kubernetes.io/server-snippet: |
- location ~* / {
- return 308 https://www.pythondiscord.com$request_uri;
- }
- nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
- nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
- name: www-redirect
-spec:
- tls:
- - hosts:
- - "pythondiscord.com"
- secretName: pythondiscord.com-tls
- rules:
- - host: pythondiscord.com
- http:
- paths:
- - path: /(.*)
- pathType: Prefix
- backend:
- service:
- name: site
- port:
- number: 80
diff --git a/kubernetes/namespaces/default/site/secrets.yaml b/kubernetes/namespaces/default/site/secrets.yaml
deleted file mode 100644
index e71c56a..0000000
Binary files a/kubernetes/namespaces/default/site/secrets.yaml and /dev/null differ
diff --git a/kubernetes/namespaces/default/site/service.yaml b/kubernetes/namespaces/default/site/service.yaml
deleted file mode 100644
index 4f06394..0000000
--- a/kubernetes/namespaces/default/site/service.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: site
- annotations:
- prometheus.io/scrape: "true"
- prometheus.io/port: "8000"
-spec:
- selector:
- app: site
- ports:
- - protocol: TCP
- port: 80
- targetPort: 8000
diff --git a/kubernetes/namespaces/web/site/README.md b/kubernetes/namespaces/web/site/README.md
new file mode 100644
index 0000000..3eff711
--- /dev/null
+++ b/kubernetes/namespaces/web/site/README.md
@@ -0,0 +1,25 @@
+# Python Discord Site
+This folder contains the manifests for Python Discord site.
+
+## Serving static files
+
+Usually, a web server like `nginx` should be deployed and configured to serve static files needed by Django. Then we'd put an `Ingress`
+rule to route traffic to the `STATIC_URL` to that webserver.
+Check the [official docs](https://docs.djangoproject.com/en/4.2/howto/static-files/deployment/) for more info.
+
+In this setup, we do it differently thanks to [WhiteNoise](https://whitenoise.readthedocs.io/en/stable/base.html#), which sets up
+a middleware that handles the caching, compression and serving of the static files for us.
+
+## Secrets
+
+The deployment expects the following secrets to be available in `site-env`:
+
+| Environment | Description |
+|-----------------------|------------------------------------------------------------|
+| DATABASE_URL | The URL for the Postgresql database. |
+| GITHUB_APP_ID | The ID of a GitHub Application (related to the above key). |
+| GITHUB_APP_KEY | A PEM key for a GitHub Application. |
+| GITHUB_TOKEN | An API key to the Github API |
+| METRICITY_DB_URL | The URL for the Metricity database. |
+| SECRET_KEY | Secret key for Django. |
+| SITE_DSN | The Sentry Data Source Name. |
diff --git a/kubernetes/namespaces/web/site/deployment.yaml b/kubernetes/namespaces/web/site/deployment.yaml
new file mode 100644
index 0000000..bdb4073
--- /dev/null
+++ b/kubernetes/namespaces/web/site/deployment.yaml
@@ -0,0 +1,73 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: site
+ namespace: web
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: site
+ template:
+ metadata:
+ labels:
+ app: site
+ spec:
+ containers:
+ - name: site
+ image: ghcr.io/python-discord/site:latest
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8000
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 8000
+ httpHeaders:
+ - name: Host
+ value: pythondiscord.com
+ failureThreshold: 2
+ periodSeconds: 30
+ timeoutSeconds: 5
+ initialDelaySeconds: 10
+ startupProbe:
+ httpGet:
+ path: /
+ port: 8000
+ httpHeaders:
+ - name: Host
+ value: pythondiscord.com
+ failureThreshold: 15
+ periodSeconds: 2
+ timeoutSeconds: 5
+ initialDelaySeconds: 10
+ resources:
+ limits:
+ cpu: 500m
+ memory: 1000Mi
+ requests:
+ cpu: 250m
+ memory: 400Mi
+ env:
+ # Needs to match with the variable name being read in django-prometheus
+ # https://github.com/korfuri/django-prometheus/blob/434a3ba36bdada45c9633451f5f6cfd145814ccf/django_prometheus/exports.py#L119
+ - name: prometheus_multiproc_dir
+ value: /tmp
+ envFrom:
+ - secretRef:
+ name: site-env
+ volumeMounts:
+ # Used for `gunicorn` worker heartbeats as well as the Prometheus
+ # client library's multiprocessing mode.
+ - name: django-tmp
+ mountPath: /tmp
+ securityContext:
+ readOnlyRootFilesystem: true
+ volumes:
+ - name: django-tmp
+ emptyDir:
+ medium: Memory
+ securityContext:
+ fsGroup: 1000
+ runAsUser: 1000
+ runAsNonRoot: true
diff --git a/kubernetes/namespaces/web/site/ingress.yaml b/kubernetes/namespaces/web/site/ingress.yaml
new file mode 100644
index 0000000..7b55d8f
--- /dev/null
+++ b/kubernetes/namespaces/web/site/ingress.yaml
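Review bot: The container-level `securityContext` in the new `web/site/deployment.yaml` sets only `readOnlyRootFilesystem: true`; since the workload is being re-created in a new namespace anyway, this is a cheap moment to add `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` beside it, so the non-root user set at pod level cannot regain privileges through a setuid binary. Separately, `image: ghcr.io/python-discord/site:latest` with `imagePullPolicy: Always` means any pod restart can start a different build than its sibling replica; pinning the image by digest would make what is running auditable and roll-backs deterministic. `envFrom` reads the Secret `site-env`, which is namespace-scoped; it presumably comes from the moved `secrets.yaml`, but that file is binary in this patch so this cannot be confirmed from the diff.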
@@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+ nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+ nginx.ingress.kubernetes.io/server-snippet: |
+ location ~* /metrics {
+ deny all;
+ return 403;
+ }
+ name: site
+ namespace: web
+spec:
+ tls:
+ - hosts:
+ - "*.pythondiscord.com"
+ secretName: pythondiscord.com-tls
+ rules:
+ - host: www.pythondiscord.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: site
+ port:
+ number: 80
diff --git a/kubernetes/namespaces/web/site/redirect.yaml b/kubernetes/namespaces/web/site/redirect.yaml
new file mode 100644
index 0000000..642a6a0
--- /dev/null
+++ b/kubernetes/namespaces/web/site/redirect.yaml
@@ -0,0 +1,29 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+ nginx.ingress.kubernetes.io/server-snippet: |
+ location ~* / {
+ return 308 https://www.pythondiscord.com$request_uri;
+ }
+ nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+ nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+ name: www-redirect
+ namespace: web
+spec:
+ tls:
+ - hosts:
+ - "pythondiscord.com"
+ secretName: pythondiscord.com-tls
+ rules:
+ - host: pythondiscord.com
+ http:
+ paths:
+ - path: /(.*)
+ pathType: Prefix
+ backend:
+ service:
+ name: site
+ port:
+ number: 80
diff --git a/kubernetes/namespaces/web/site/secrets.yaml b/kubernetes/namespaces/web/site/secrets.yaml
new file mode 100644
index 0000000..f1116e6
Binary files /dev/null and b/kubernetes/namespaces/web/site/secrets.yaml differ
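Review bot: `secretName: pythondiscord.com-tls` in `web/site/ingress.yaml` is resolved in the Ingress's own namespace, so once `namespace: web` is set the certificate Secret has to exist in `web`; nothing visible in this patch creates or copies it there, and the same applies to `web/site/redirect.yaml`. If it is missing, the controller would typically serve its default certificate instead, so this is worth confirming before the old `default` objects are removed. The `auth-tls-secret` value is already namespace-qualified (`kube-system/mtls-client-crt-bundle`) and is unaffected by the move. Separately, the `server-snippet` guard `location ~* /metrics` is an unanchored, case-insensitive match and will return 403 for any site URL that merely contains that substring; `location ~* ^/metrics` keeps the exporter path blocked while narrowing the match, and a one-line comment saying why the block exists would help.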
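Review bot: In `web/site/redirect.yaml` the rule `path: /(.*)` is declared with `pathType: Prefix`, so the parentheses read as a regex but are not evaluated as one without the controller's regex handling being enabled; the redirect appears to work only because the `server-snippet` block `location ~* /` answers every request with the 308 first. Writing the rule as `path: /` would state what actually happens and avoids path validation rejecting the manifest on stricter controller configurations. Both Ingresses also depend on snippet annotations being allowed on the controller, which lets anyone who can edit Ingress objects in `web` inject nginx configuration, so write access to Ingresses in the new namespace should be scoped accordingly.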
diff --git a/kubernetes/namespaces/web/site/service.yaml b/kubernetes/namespaces/web/site/service.yaml
new file mode 100644
index 0000000..f30eccb
--- /dev/null
+++ b/kubernetes/namespaces/web/site/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: site
+ namespace: web
+ annotations:
+ prometheus.io/scrape: "true"
+ prometheus.io/port: "8000"
+spec:
+ selector:
+ app: site
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 8000
-- cgit v1.2.3