[NE-27439] public facing api-service with nginx ingress protected by fastly

korenlev · korenlev · commit b0087f25d861 · 2024-04-14T15:32:40.000+03:00
diff --git a/cloudify-manager-worker/sops.sh b/cloudify-manager-worker/sops.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+command=$1
+
+aws_profile="cloudify-automation"
+aws_region="eu-west-1"
+key_alias="terraform"
+file_path="templates/k8s_secrets.yml"
+
+if [[ $command = "encrypt" ]]; then
+	key_info=$(aws --profile $aws_profile --region $aws_region kms list-aliases | jq -r ".Aliases[] | select(.AliasName | contains (\"$key_alias\"))")
+	echo "Using key:" 1>&2
+	echo "$key_info" | jq 1>&2
+	key_id=$(echo "$key_info" | jq -r .TargetKeyId)
+	arn_prefix=$(echo "$key_info" | jq -r .AliasArn | sed 's|:alias/.*$||')
+	key_arn="$arn_prefix:key/$key_id"
+	sops --aws-profile "$aws_profile" --kms "$key_arn" --in-place --encrypt "$file_path"
+	exit 0
+elif [[ $command = "decrypt" ]]; then
+	sops --decrypt --in-place "$file_path"
+	exit 0
+else
+	echo "Unknown command: $command"
+	exit 1
+fi
diff --git a/cloudify-manager-worker/templates/_helpers.tpl b/cloudify-manager-worker/templates/_helpers.tpl
@@ -118,4 +118,34 @@ Return values or placeholders for replace in script
     {{- else -}}
         {{- .Values.config.security.adminPassword -}}
     {{- end -}}
-{{- end -}}
+{{- end -}}
+
+{{/*
+Function to generate Fastly image name
+*/}}
+{{- define "helper.fastly.image" -}}
+{{- printf "%s/%s:%s" .fastly.repo .fastly.image_name .fastly.tag }}
+{{- end }}
+
+{{/*
+{{ include "helper.fastly.revproxy.port" (dict "fastly" $.Values.nginx.fastly) }}
+*/}}
+
+{{/*
+Determine Fastly Service Port
+*/}}
+{{- define "helper.fastly.revproxy.port" -}}
+{{- if .fastly.enabled }}
+{{- .fastly.nginx.proxy_port }}
+{{- else }}
+80
+{{- end }}
+{{- end }}
+
+{{/*
+Generate String with Proxy Port
+*/}}
+{{- define "helper.fastly.revproxy.listener" -}}
+{{- $proxyPort := .fastly.nginx.proxy_port }}
+{{- print "http:{listener='http://0.0.0.0:" $proxyPort "',upstreams='http://0.0.0.0:80',access-log='/dev/stdout'}" }}
+{{- end }}
diff --git a/cloudify-manager-worker/templates/fastly-secret.yaml b/cloudify-manager-worker/templates/fastly-secret.yaml
@@ -0,0 +1,9 @@
+{{- if $.Values.nginx.fastly.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: sigsci.fusion
+stringData:
+  accesskeyid: {{ $.Values.nginx.fastly.accesskeyid }}
+  secretaccesskey: {{ $.Values.nginx.fastly.secretaccesskey }}
+{{- end }}
diff --git a/cloudify-manager-worker/templates/k8s_secrets.yml b/cloudify-manager-worker/templates/k8s_secrets.yml
diff --git a/cloudify-manager-worker/templates/statefulset.yaml b/cloudify-manager-worker/templates/statefulset.yaml
@@ -125,6 +125,38 @@ spec:
             '
         {{- end }}
       containers:
+      {{- if .Values.nginx.fastly.enabled }}
+      - name: sigsci-agent
+        image: {{ include "helper.fastly.image" (dict "fastly" .Values.nginx.fastly) }}
+        imagePullPolicy: Always
+        env:
+        - name: SIGSCI_ACCESSKEYID
+          valueFrom:
+            secretKeyRef:
+              name: sigsci.fusion
+              key: accesskeyid
+        - name: SIGSCI_SECRETACCESSKEY
+          valueFrom:
+            secretKeyRef:
+              name: sigsci.fusion
+              key: secretaccesskey
+        # Configure the revproxy listener to listen on a new port 8001
+        # forwarding to the app on the original port 8000 as the upstream
+        - name: SIGSCI_REVPROXY_LISTENER
+          value: {{ include "helper.fastly.revproxy.listener" (dict "fastly" .Values.nginx.fastly) }}
+        ports:
+          - containerPort: {{ include "helper.fastly.revproxy.port" (dict "fastly" .Values.nginx.fastly) | int }}
+            protocol: TCP
+        securityContext:
+          # The sigsci-agent container should run with its root filesystem read only
+          readOnlyRootFilesystem: true
+        volumeMounts:
+        # Default volume mount location for sigsci-agent writeable data
+        # NOTE: Also change `SIGSCI_SHARED_CACHE_DIR` (default `/sigsci/tmp/cache`)
+        #       if mountPath is changed, but best not to change.
+        - name: sigsci-tmp
+          mountPath: /sigsci/tmp
+      {{- end }}
       - name: {{ template "cloudify-manager-worker.name" . }}
         image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
diff --git a/cloudify-manager-worker/values.saas_manager.dev.yaml b/cloudify-manager-worker/values.saas_manager.dev.yaml
@@ -0,0 +1,61 @@
+config:
+  labels:
+    compute-type: fargate
+  public_ip: ${manager_host}
+  replicas: 2
+  security:
+    existingAdminPassword:
+      secret: cfy-admin-password
+containerSecurityContext:
+  capabilities:
+    add: null
+    drop: null
+
+image:
+  tag: 7.0.2
+
+license:
+  secretName: cfy-license
+  useSecret: true
+
+resources:
+  limits:
+    cpu: 2
+    memory: 6Gi
+  requests:
+    cpu: 2
+    memory: 6Gi
+
+nginx:
+  # -- Fastly WAF option
+  # --set nginx.fastly.enabled to true if used as "saas_manager" with public access
+  # --set nginx.fastly.accesskeyid and --set nginx.fastly.secretaccesskey with values during deploy ..
+  fastly:
+    enabled: true
+    repo: docker.io/signalsciences
+    image_name: sigsci-agent
+    tag: latest
+    accesskeyid: override
+    secretaccesskey: override
+    nginx:
+      proxy_port: 8002
+
+ingress:
+  enabled: true
+  host: saas-manager.dev.nativeedge.dell.com
+  ingressClassName: alb
+  annotations:
+    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
+    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '60'
+    alb.ingress.kubernetes.io/healthcheck-path: /
+    alb.ingress.kubernetes.io/healthcheck-port: traffic-port
+    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
+    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '20'
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
+    alb.ingress.kubernetes.io/scheme: internal
+    alb.ingress.kubernetes.io/success-codes: '200'
+    alb.ingress.kubernetes.io/target-type: ip
+    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-west-1:702886132326:certificate/87a36f47-14d2-44b3-9551-665ef7a84688
+    alb.ingress.kubernetes.io/group.name: eoaas-development
+  tls:
+    enabled: false
diff --git a/cloudify-manager-worker/values.saas_manager.prod.yaml b/cloudify-manager-worker/values.saas_manager.prod.yaml
@@ -0,0 +1,89 @@
+config:
+  labels:
+    compute-type: fargate
+  public_ip: ${manager_host}
+  replicas: 2
+  security:
+    existingAdminPassword:
+      secret: cfy-admin-password
+containerSecurityContext:
+  capabilities:
+    add: null
+    drop: null
+
+image:
+  tag: 7.0.2
+
+license:
+  secretName: cfy-license
+  useSecret: true
+
+resources:
+  limits:
+    cpu: 2
+    memory: 6Gi
+  requests:
+    cpu: 2
+    memory: 6Gi
+
+config:
+  labels:
+    compute-type: fargate
+  public_ip: ${manager_host}
+  replicas: 2
+  security:
+    existingAdminPassword:
+      secret: cfy-admin-password
+containerSecurityContext:
+  capabilities:
+    add: null
+    drop: null
+
+image:
+  tag: 7.0.2
+
+license:
+  secretName: cfy-license
+  useSecret: true
+
+resources:
+  limits:
+    cpu: 2
+    memory: 6Gi
+  requests:
+    cpu: 2
+    memory: 6Gi
+
+nginx:
+  # -- Fastly WAF option
+  # --set nginx.fastly.enabled to true if used as "saas_manager" with public access
+  # --set nginx.fastly.accesskeyid and --set nginx.fastly.secretaccesskey with values during deploy ..
+  fastly:
+    enabled: true
+    repo: docker.io/signalsciences
+    image_name: sigsci-agent
+    tag: latest
+    accesskeyid: override
+    secretaccesskey: override
+    nginx:
+      proxy_port: 8002
+
+ingress:
+  enabled: true
+  host: saas-manager.pub.nativeedge.dell.com
+  ingressClassName: alb
+  annotations:
+    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
+    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '60'
+    alb.ingress.kubernetes.io/healthcheck-path: /
+    alb.ingress.kubernetes.io/healthcheck-port: traffic-port
+    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
+    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '20'
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/success-codes: '200'
+    alb.ingress.kubernetes.io/target-type: ip
+    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-west-1:008791006138:certificate/92a2092c-bd84-48e3-bd32-b5c62136b723
+    alb.ingress.kubernetes.io/group.name: eoaas-production-pub
+  tls:
+    enabled: false
diff --git a/cloudify-manager-worker/values.saas_manager.test.yaml b/cloudify-manager-worker/values.saas_manager.test.yaml
@@ -0,0 +1,61 @@
+config:
+  labels:
+    compute-type: fargate
+  public_ip: ${manager_host}
+  replicas: 2
+  security:
+    existingAdminPassword:
+      secret: cfy-admin-password
+containerSecurityContext:
+  capabilities:
+    add: null
+    drop: null
+
+image:
+  tag: 7.0.2
+
+license:
+  secretName: cfy-license
+  useSecret: true
+
+resources:
+  limits:
+    cpu: 2
+    memory: 6Gi
+  requests:
+    cpu: 2
+    memory: 6Gi
+
+nginx:
+  # -- Fastly WAF option
+  # --set nginx.fastly.enabled to true if used as "saas_manager" with public access
+  # --set nginx.fastly.accesskeyid and --set nginx.fastly.secretaccesskey with values during deploy ..
+  fastly:
+    enabled: true
+    repo: docker.io/signalsciences
+    image_name: sigsci-agent
+    tag: latest
+    accesskeyid: override
+    secretaccesskey: override
+    nginx:
+      proxy_port: 8002
+
+ingress:
+  enabled: true
+  host: saas-manager.test.nativeedge.dell.com
+  ingressClassName: alb
+  annotations:
+    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
+    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '60'
+    alb.ingress.kubernetes.io/healthcheck-path: /
+    alb.ingress.kubernetes.io/healthcheck-port: traffic-port
+    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
+    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '20'
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
+    alb.ingress.kubernetes.io/scheme: internal
+    alb.ingress.kubernetes.io/success-codes: '200'
+    alb.ingress.kubernetes.io/target-type: ip
+    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-west-1:702886132326:certificate/99a36f47-14d2-44b3-9551-665ef7a84699
+    alb.ingress.kubernetes.io/group.name: eoaas-testing
+  tls:
+    enabled: false
diff --git a/cloudify-manager-worker/values.yaml b/cloudify-manager-worker/values.yaml
@@ -338,6 +338,20 @@ startupProbe:
   # -- startup probe initial delay in seconds
   initialDelaySeconds: 30
 
+nginx:
+  # -- Fastly WAF option
+  # --set nginx.fastly.enabled to true if used as "saas_manager" with public access
+  # --set nginx.fastly.accesskeyid and --set nginx.fastly.secretaccesskey with values during deploy ..
+  fastly:
+    enabled: false
+    repo: docker.io/signalsciences
+    image_name: sigsci-agent
+    tag: latest
+    accesskeyid: 
+    secretaccesskey: 
+    nginx:
+      proxy_port: 8002
+
 # -- Parameters group for ingress (managed external access to service)
 # @default -- object
 ingress:
