[NE-27439] public facing api-service with nginx ingress protected by fastly

Author: korenlev

cloudify-manager-worker/sops.sh

@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+
+set -eu -o pipefail
+
+command=$1
+
+aws_profile="cloudify-automation"
+aws_region="eu-west-1"
+key_alias="terraform"
+file_path="templates/k8s_secrets.yml"
+
+if [[ $command = "encrypt" ]]; then
+	key_info=$(aws --profile $aws_profile --region $aws_region kms list-aliases | jq -r ".Aliases[] | select(.AliasName | contains (\"$key_alias\"))")
+	echo "Using key:" 1>&2
+	echo "$key_info" | jq 1>&2
+	key_id=$(echo "$key_info" | jq -r .TargetKeyId)
+	arn_prefix=$(echo "$key_info" | jq -r .AliasArn | sed 's|:alias/.*$||')
+	key_arn="$arn_prefix:key/$key_id"
+	sops --aws-profile "$aws_profile" --kms "$key_arn" --in-place --encrypt "$file_path"
+	exit 0
+elif [[ $command = "decrypt" ]]; then
+	sops --decrypt --in-place "$file_path"
+	exit 0
+else
+	echo "Unknown command: $command"
+	exit 1
+fi

cloudify-manager-worker/templates/_helpers.tpl

@@ -118,4 +118,34 @@ Return values or placeholders for replace in script
     {{- else -}}
         {{- .Values.config.security.adminPassword -}}
     {{- end -}}
-{{- end -}}
+{{- end -}}
+
+{{/*
+Function to generate Fastly image name
+*/}}
+{{- define "helper.fastly.image" -}}
+{{- printf "%s/%s:%s" .fastly.repo .fastly.image_name .fastly.tag }}
+{{- end }}
+
+{{/*
+{{ include "helper.fastly.revproxy.port" (dict "fastly" $.Values.nginx.fastly) }}
+*/}}
+
+{{/*
+Determine Fastly Service Port
+*/}}
+{{- define "helper.fastly.revproxy.port" -}}
+{{- if .fastly.enabled }}
+{{- .fastly.nginx.proxy_port }}
+{{- else }}
+80
+{{- end }}
+{{- end }}
+
+{{/*
+Generate String with Proxy Port
+*/}}
+{{- define "helper.fastly.revproxy.listener" -}}
+{{- $proxyPort := .fastly.nginx.proxy_port }}
+{{- print "http:{listener='http://0.0.0.0:" $proxyPort "',upstreams='http://0.0.0.0:80',access-log='/dev/stdout'}" }}
+{{- end }}

cloudify-manager-worker/templates/claim.yaml

@@ -5,9 +5,9 @@ apiVersion: v1
 metadata:
   name: cfy-worker-pvc
   annotations:
-    volume.beta.kubernetes.io/storage-class: {{ .Values.volume.storageClass }}
     helm.sh/resource-policy: keep
 spec:
+  storageClassName: {{ .Values.volume.storageClass }}
   accessModes:
     - {{ .Values.volume.accessMode }}
   resources:

cloudify-manager-worker/templates/fastly-secret.yaml

@@ -0,0 +1,9 @@
+{{- if $.Values.nginx.fastly.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: sigsci.fusion
+stringData:
+  accesskeyid: {{ $.Values.nginx.fastly.accesskeyid }}
+  secretaccesskey: {{ $.Values.nginx.fastly.secretaccesskey }}
+{{- end }}

cloudify-manager-worker/templates/k8s_secrets.yml

@@ -125,6 +125,40 @@ spec:
             '
         {{- end }}
       containers:
+      {{- if .Values.nginx.fastly.enabled }}
+      - name: sigsci-agent
+        env:
+        - name: SIGSCI_ACCESSKEYID
+          valueFrom:
+            secretKeyRef:
+              key: accesskeyid
+              name: sigsci.fusion
+        - name: SIGSCI_SECRETACCESSKEY
+          valueFrom:
+            secretKeyRef:
+              key: secretaccesskey
+              name: sigsci.fusion
+        # - name: SIGSCI_DEBUG_LOG_ALL_THE_THINGS
+        #   value: "true"
+        - name: SIGSCI_LOG_OUT
+          value: stdout
+        image: {{ include "helper.fastly.image" (dict "fastly" .Values.nginx.fastly) }}
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 9999
+          protocol: TCP
+        resources: {}
+        securityContext:
+          readOnlyRootFilesystem: true
+          runAsGroup: 101
+          runAsNonRoot: true
+          runAsUser: 100
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /sigsci/tmp
+          name: sigsci-tmp
+      {{- end }}
       - name: {{ template "cloudify-manager-worker.name" . }}
         image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
         imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -256,6 +290,12 @@ spec:
         {{- end }}
         {{- end }}
       volumes:
+      {{- if .Values.nginx.fastly.enabled }}
+      - name: sigsci-tmp
+        emptyDir:
+          medium: Memory
+          sizeLimit: "2Gi"
+      {{- end }}
       - name: run
         emptyDir:
           medium: Memory

cloudify-manager-worker/templates/statefulset.yaml

@@ -0,0 +1,88 @@
+config:
+  labels:
+    compute-type: fargate
+  public_ip: ${manager_host}
+  replicas: 2
+  security:
+    existingAdminPassword:
+      secret: cfy-admin-password
+containerSecurityContext:
+  capabilities:
+    add: null
+    drop: null
+
+image:
+  tag: 7.0.2
+
+license:
+  secretName: cfy-license
+  useSecret: true
+
+resources:
+  limits:
+    cpu: 2
+    memory: 6Gi
+  requests:
+    cpu: 2
+    memory: 6Gi
+
+rabbitmq:
+  deploy: true
+  podAnnotations:
+    backup.velero.io/backup-volumes: cloudify-data
+  extraVolumeMounts:
+    - name: cloudify-data
+      mountPath: /mnt/cloudify-data
+      readOnly: true
+  extraVolumes:
+    - name: cloudify-data
+      persistentVolumeClaim:
+        claimName: cfy-worker-pvc
+
+postgresql:
+  deploy: true
+
+tls:
+  certManager:
+    generate: true
+  pgsqlSslCaName: global-bundle.pem
+  pgsqlSslSecretName: postgres-external-cert
+
+volume:
+  accessMode: ReadWriteMany
+  size: 30Gi
+  storageClass: efs
+
+nginx:
+  # -- Fastly WAF option
+  # --set nginx.fastly.enabled to true if used as "saas_manager" with public access
+  # --set nginx.fastly.accesskeyid and --set nginx.fastly.secretaccesskey with values during deploy ..
+  fastly:
+    enabled: true
+    repo: docker.io/signalsciences
+    image_name: sigsci-agent
+    tag: latest
+    accesskeyid: override
+    secretaccesskey: override
+    nginx:
+      proxy_port: 8002
+
+ingress:
+  enabled: true
+  host: saas-manager.dev.nativeedge.dell.com
+  ingressClassName: alb
+  annotations:
+    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
+    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '60'
+    alb.ingress.kubernetes.io/healthcheck-path: /
+    alb.ingress.kubernetes.io/healthcheck-port: traffic-port
+    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
+    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '20'
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
+    alb.ingress.kubernetes.io/scheme: internal
+    alb.ingress.kubernetes.io/success-codes: '200'
+    alb.ingress.kubernetes.io/target-type: ip
+    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-west-1:702886132326:certificate/87a36f47-14d2-44b3-9551-665ef7a84688
+    alb.ingress.kubernetes.io/group.name: eoaas-development
+  tls:
+    enabled: false

cloudify-manager-worker/values.saas_manager.dev.yaml

@@ -0,0 +1,122 @@
+config:
+  labels:
+    compute-type: fargate
+  public_ip: ${manager_host}
+  replicas: 2
+  security:
+    existingAdminPassword:
+      secret: cfy-admin-password
+containerSecurityContext:
+  capabilities:
+    add: null
+    drop: null
+
+image:
+  tag: 7.0.2
+
+license:
+  secretName: cfy-license
+  useSecret: true
+
+resources:
+  limits:
+    cpu: 2
+    memory: 6Gi
+  requests:
+    cpu: 2
+    memory: 6Gi
+
+rabbitmq:
+  deploy: true
+  podAnnotations:
+    backup.velero.io/backup-volumes: cloudify-data
+  extraVolumeMounts:
+    - name: cloudify-data
+      mountPath: /mnt/cloudify-data
+      readOnly: true
+  extraVolumes:
+    - name: cloudify-data
+      persistentVolumeClaim:
+        claimName: cfy-worker-pvc
+
+postgresql:
+  deploy: true
+
+config:
+  labels:
+    compute-type: fargate
+  public_ip: ${manager_host}
+  replicas: 2
+  security:
+    existingAdminPassword:
+      secret: cfy-admin-password
+containerSecurityContext:
+  capabilities:
+    add: null
+    drop: null
+
+image:
+  tag: 7.0.2
+
+license:
+  secretName: cfy-license
+  useSecret: true
+
+resources:
+  limits:
+    cpu: 2
+    memory: 6Gi
+  requests:
+    cpu: 2
+    memory: 6Gi
+
+rabbitmq:
+  deploy: true
+
+postgresql:
+  deploy: true
+
+tls:
+  certManager:
+    generate: true
+  pgsqlSslCaName: global-bundle.pem
+  pgsqlSslSecretName: postgres-external-cert
+
+volume:
+  accessMode: ReadWriteMany
+  size: 30Gi
+  storageClass: efs
+
+nginx:
+  # -- Fastly WAF option
+  # --set nginx.fastly.enabled to true if used as "saas_manager" with public access
+  # --set nginx.fastly.accesskeyid and --set nginx.fastly.secretaccesskey with values during deploy ..
+  fastly:
+    enabled: true
+    repo: docker.io/signalsciences
+    image_name: sigsci-agent
+    tag: latest
+    accesskeyid: override
+    secretaccesskey: override
+    nginx:
+      proxy_port: 8002
+
+ingress:
+  enabled: true
+  host: saas-manager.pub.nativeedge.dell.com
+  ingressClassName: alb
+  annotations:
+    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": { "Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
+    alb.ingress.kubernetes.io/healthcheck-interval-seconds: '60'
+    alb.ingress.kubernetes.io/healthcheck-path: /
+    alb.ingress.kubernetes.io/healthcheck-port: traffic-port
+    alb.ingress.kubernetes.io/healthcheck-protocol: HTTP
+    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: '20'
+    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}, {"HTTP":80}]'
+    alb.ingress.kubernetes.io/scheme: internet-facing
+    alb.ingress.kubernetes.io/success-codes: '200'
+    alb.ingress.kubernetes.io/target-type: ip
+    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:eu-west-1:008791006138:certificate/92a2092c-bd84-48e3-bd32-b5c62136b723
+    alb.ingress.kubernetes.io/group.name: eoaas-production-pub
+  tls:
+    enabled: false