Changes to deploy prod cloud (#9)

* Add prod secrets and sops config

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Temporary cloud_deps changes to get cloud deployed

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Add private/prod kustomize manifests

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Remove node selector from all deployments

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Add script bundle for upcoming demo that includes sql injection pxl script

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Fix plugin load job by allowing skaffold to override the image

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Revert change to OSS configs to remove nodeSelector

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Revert node selector changes to OSS configs in favor of private cloud_deps patches

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Reduce prod NATs volume size

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Replace remaining pixielabs.ai link and remove wording about being free

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Logos before switching to different color logos

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Add yaml header to fix linting issues

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Use lighter logo for dark mode and update font color to match. Size logo appropriately

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Fix license for private configurable files

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Fix linting issues

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Opt out a few UI files from copybara until changes are upstream

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Update favicon and add PodMonitoring resource (unsuccessfully) for custom prometheus metrics

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Switch back to monochrome logo

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Add additional copybara excludes to correct file

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Add private configurables that will be available upstream

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

* Add private signup message configurable

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

---------

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

Author: ddelnano

.arclint

@@ -15,9 +15,7 @@
     "(^k8s/devinfra/prow/prowjob_customresourcedefinition.yaml$)",
     "(^k8s/operator/crd/base/px\\.dev_viziers\\.yaml$)",
     "(^private/users/)",
-    "(^private\/credentials\/.*\\.sh)",
-    "(^private\/credentials\/.*\\.sh)",
-    "(^private\/credentials\/.*\\.yaml)",
+    "(^private\/.*\\.yaml)",
     "(^src/operator/client/versioned/)",
     "(^src/operator/apis/px.dev/v1alpha1/zz_generated.deepcopy.go)",
     "(^src/stirling/bpf_tools/bcc_bpf/system-headers)",

.sops.yaml

@@ -1,5 +1,7 @@
 ---
 creation_rules:
+- path_regex: private\/prod\/.*yaml$
+  gcp_kms: projects/csmc-prod/locations/global/keyRings/prod-keyring/cryptoKeys/sops-key
 - path_regex: private\/staging\/.*yaml$
   gcp_kms: projects/csmc-staging/locations/global/keyRings/staging-keyring/cryptoKeys/sops-key
 - path_regex: private\/testing\/.*yaml$

private/cloud_deps/prod/elastic_node_selector_patch.yaml

@@ -0,0 +1,11 @@
+---
+- op: test
+  path: /spec/nodeSets/0/podTemplate/spec/nodeSelector/node-size
+  value: large
+- op: test
+  path: /spec/nodeSets/1/podTemplate/spec/nodeSelector/node-size
+  value: large
+- op: remove
+  path: /spec/nodeSets/0/podTemplate/spec/nodeSelector
+- op: remove
+  path: /spec/nodeSets/1/podTemplate/spec/nodeSelector

private/cloud_deps/prod/kustomization.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: plc
+resources:
+- ../../../k8s/cloud_deps/prod
+patches:
+- path: nats_storage_patch.yaml
+  target:
+    kind: StatefulSet
+    name: pl-nats
+- path: node_selector_patch.yaml
+  target:
+    kind: StatefulSet
+- path: elastic_node_selector_patch.yaml
+  target:
+    kind: Elasticsearch

private/cloud_deps/prod/nats_storage_patch.yaml

@@ -0,0 +1,7 @@
+---
+- op: test
+  path: /spec/volumeClaimTemplates/0/spec/resources/requests/storage
+  value: 200Gi
+- op: replace
+  path: /spec/volumeClaimTemplates/0/spec/resources/requests/storage
+  value: 50Gi

private/cloud_deps/prod/node_selector_patch.yaml

@@ -0,0 +1,6 @@
+---
+- op: test
+  path: /spec/template/spec/nodeSelector/node-size
+  value: large
+- op: remove
+  path: /spec/template/spec/nodeSelector

private/prod/announcement_config.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pl-announcement-config
+data:
+  # Flip this flag to enable announce kit for changelogs, release notes etc.
+  ANNOUNCEMENT_ENABLED: "false"
+  # The URL for the announce kit widget.
+  ANNOUNCE_WIDGET_URL: ""

private/prod/auth_connector_config.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pl-auth-connector-config
+data:
+  # Pixie can be used as an auth connector with other products. By calling "api/auth/<connector_name>",
+  # Pixie can send user info and access tokens to other products through the given callback URL.
+  PL_AUTH_CONNECTOR_NAME: ""
+  PL_AUTH_CONNECTOR_CALLBACK_URL: ""

private/prod/auth_deployment.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: auth-server
+  labels:
+    db: pgsql
+spec:
+  template:
+    spec:
+      containers:
+      - name: auth-server
+        env:
+        - name: PL_AUTH0_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: cloud-auth0-secrets
+              key: auth0-client-id
+              optional: true
+        - name: PL_AUTH0_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: cloud-auth0-secrets
+              key: auth0-client-secret

private/prod/backend_config.yaml

@@ -0,0 +1,4 @@
+---
+- op: replace
+  path: /spec/securityPolicy/name
+  value: ""