Commit
* init kubernetes rough draft for dragonfly services
  Signed-off-by: GitHub <[email protected]>
* ignore secrets
  Signed-off-by: Bradley Reynolds <[email protected]>
* Rename imagePullSecrets
  Signed-off-by: Bradley Reynolds <[email protected]>
* move ingress inside service directory
  Signed-off-by: Bradley Reynolds <[email protected]>
* change domain to staging
  Signed-off-by: Bradley Reynolds <[email protected]>
* update deprecated attribute
  Signed-off-by: Bradley Reynolds <[email protected]>
* add test cluster issuer
  Signed-off-by: Bradley Reynolds <[email protected]>
* move database init inside kubernetes folder
  Signed-off-by: Bradley Reynolds <[email protected]>
* move scripts dir to root
  Signed-off-by: Bradley Reynolds <[email protected]>
* add readme(s) per project
  Signed-off-by: Bradley Reynolds <[email protected]>
* move kubernetes directory to repo root
  Signed-off-by: Bradley Reynolds <[email protected]>
* move manifests into folder
  Signed-off-by: Bradley Reynolds <[email protected]>
* init helm chart
  Signed-off-by: Bradley Reynolds <[email protected]>
* init chart dependencies
  Signed-off-by: Bradley Reynolds <[email protected]>
* remove alias and reset version
  Signed-off-by: Bradley Reynolds <[email protected]>
* don't forget to run lints on PRs too
  Signed-off-by: Bradley Reynolds <[email protected]>
* ci: disable shellcheck SC2028
  Signed-off-by: Bradley Reynolds <[email protected]>
* dragonfly-client: use rewrite branch
  Signed-off-by: Bradley Reynolds <[email protected]>
* add bot deployment
  Signed-off-by: Bradley Reynolds <[email protected]>
* Setup Dependabot
  Signed-off-by: GitHub <[email protected]>
* Add CI job to lint Kubernetes manifests
  Signed-off-by: GitHub <[email protected]>
* ci: restrict manifest search to avoid picking up helm charts
  Signed-off-by: GitHub <[email protected]>
* try using fork of k8s lint action
  Signed-off-by: GitHub <[email protected]>
* Revert "try using fork of k8s lint action"
  This reverts commit dcaa38a.
* lint: newline
  Signed-off-by: Bradley Reynolds <[email protected]>
* ci: bump Azure K8s lint action version
  Signed-off-by: GitHub <[email protected]>
* move db setup script back to scripts
  Signed-off-by: Bradley Reynolds <[email protected]>
* cleanup find_manifests
  Signed-off-by: Bradley Reynolds <[email protected]>
* add oneliner docstrings
  Signed-off-by: Bradley Reynolds <[email protected]>
* add environment variables for the bot
  Signed-off-by: Bradley Reynolds <[email protected]>
* remove unused config variables from helm chart
  Signed-off-by: Bradley Reynolds <[email protected]>
* manually create cert-manager namespace
  Signed-off-by: Bradley Reynolds <[email protected]>
* rename secrets
  Signed-off-by: Bradley Reynolds <[email protected]>
* remove staging suffix in domain
  Signed-off-by: Bradley Reynolds <[email protected]>
* add initial bootstrap docs
  Signed-off-by: Bradley Reynolds <[email protected]>

---------

Signed-off-by: GitHub <[email protected]>
Signed-off-by: Bradley Reynolds <[email protected]>
1 parent 0d43b65, commit a1c0529
Showing 31 changed files with 367 additions and 8 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
version: 2 | ||
updates: | ||
- package-ecosystem: "github-actions" | ||
directory: "/" | ||
schedule: | ||
interval: "monthly" | ||
|
||
- package-ecosystem: "docker" | ||
directory: "/" | ||
schedule: | ||
interval: "monthly" |
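Review bot: the `github-actions` entry will keep tags such as `actions/checkout@v3` in the workflow moving, but a tag is mutable; for supply-chain integrity, pin each action to a full commit SHA with the tag in a trailing comment (`uses: actions/checkout@<sha> # v3`) and let Dependabot bump the SHA, which it does for SHA-pinned actions. Note also that the `docker` entry with `directory: "/"` says nothing about the image references in `kubernetes/manifests/`, where this commit pins `ghcr.io/vipyrsec/bot:edge` and `ghcr.io/vipyrsec/dragonfly-client-rs:rewrite` by floating branch tag; check that those are covered by whatever update path you intend, otherwise they drift without any PR.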
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
name: "CI - Kubernetes" | ||
|
||
on: | ||
push: | ||
branches: | ||
- main | ||
pull_request: | ||
|
||
jobs: | ||
lint: | ||
name: "Lint manifests" | ||
|
||
runs-on: ubuntu-latest | ||
|
||
steps: | ||
- name: "Checkout code" | ||
uses: actions/checkout@v3 | ||
|
||
- id: manifest-files | ||
name: "Find manifest files" | ||
run: | | ||
echo "manifests<<EOF" >> $GITHUB_OUTPUT | ||
python scripts/find_manifests.py >> $GITHUB_OUTPUT | ||
echo "EOF" >> $GITHUB_OUTPUT | ||
- uses: azure/[email protected] | ||
with: | ||
manifests: ${{ steps.manifest-files.outputs.manifests }} |
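Review bot: the workflow declares no `permissions:` block, so the job's `GITHUB_TOKEN` receives the repository's default permissions, which may include write scopes; a lint job only needs `permissions: contents: read`, set at the top level or on the `lint` job. Two smaller points in the "Find manifest files" step: `$GITHUB_OUTPUT` should be quoted (`"$GITHUB_OUTPUT"`), and the heredoc delimiter `EOF` breaks the multi-line output if `scripts/find_manifests.py` ever prints a line consisting of exactly `EOF`; a random delimiter (for example from `uuidgen`) is the usual fix. `pull_request:` with no `branches` filter runs on PRs to any branch, which matches the commit "don't forget to run lints on PRs too".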
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,5 @@ | ||
# Secrets | ||
secrets.yaml | ||
|
||
# Helm | ||
kubernetes/chart/charts/*.tgz |
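Review bot: `secrets.yaml` ignores only that exact basename. The READMEs in this commit name the secrets `bot-env`, `dragonfly-client-secrets` and `dragonfly-mainframe-secrets`, so a manifest saved as, say, `bot-env.yaml` next to a deployment would be committed unnoticed; a broader pattern such as `**/*secret*.yaml` plus a pre-commit secret scanner closes that gap. The `kubernetes/chart/charts/*.tgz` line is right given `Chart.lock` is committed; `helm dependency build` recreates the archives from the lock.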
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
# Bootstrapping a Kubernetes cluster | ||
|
||
## Create namespaces | ||
|
||
```bash | ||
kubectl apply -f kubernetes\manifests\cert-manager\namespace.yaml | ||
kubectl apply -f kubernetes\manifests\discord\namespace.yaml | ||
kubectl apply -f kubernetes\manifests\dragonfly\namespace.yaml | ||
``` | ||
|
||
## Install the Helm Chart to get all the dependencies | ||
|
||
```bash | ||
helm install -f kubernetes\chart\production.yaml vipyrsec kubernetes\chart\ | ||
``` | ||
|
||
# Create image pull secrets | ||
|
||
Repeat this for both the Discord and the Dragonfly namespaces: | ||
|
||
```bash | ||
kubectl create secret docker-registry regcred --docker-server=https://ghcr.io --docker-username=shenanigansd --docker-password=ghp_xxx [email protected] | ||
``` | ||
|
||
## Apply the Discord bot deployment | ||
|
||
```bash | ||
kubectl apply -f kubernetes\manifests\discord\bot | ||
``` | ||
|
||
## Apply the Dragonfly Mainframe deployment | ||
|
||
```bash | ||
kubectl apply -f kubernetes\manifests\dragonfly\client | ||
``` | ||
|
||
After the mainframe ingress is created, you will need create the DNS records before deploying the client. | ||
|
||
## Apply the Dragonfly client deployment | ||
|
||
```bash | ||
kubectl apply -f kubernetes\manifests\dragonfly\mainframe | ||
``` |
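Review bot: the code blocks are tagged `bash` but use Windows backslash paths (`kubernetes\manifests\cert-manager\namespace.yaml`); in bash an unquoted backslash escapes the next character, so `kubectl` receives `kubernetesmanifestscert-managernamespace.yaml` and fails. Use forward slashes throughout. The last two sections are swapped: "Apply the Dragonfly Mainframe deployment" applies `kubernetes\manifests\dragonfly\client` and "Apply the Dragonfly client deployment" applies `...\mainframe`, which also contradicts the sentence stating that DNS records must exist before the client is deployed. The pull secret is created as `regcred`, but every Deployment in this commit references `imagePullSecrets: - name: ghcr-images`, so the pods will sit in ImagePullBackOff unless the names match. `--docker-password=ghp_xxx` puts a GitHub token on the command line and into shell history; prefer `--docker-password="$GHCR_TOKEN"` with a token scoped to `read:packages`, or build the secret from a `.dockerconfigjson` file via `--from-file`. Also, the `helm install` step will fail while `charts/` is empty (the archives are git-ignored) unless `helm dependency build kubernetes/chart` runs first. Minor: "# Create image pull secrets" is an H1 while its siblings are H2, and "you will need create" should read "you will need to create".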
This file was deleted.
This file was deleted.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
# Patterns to ignore when building packages. | ||
# This supports shell glob matching, relative path matching, and | ||
# negation (prefixed with !). Only one pattern per line. | ||
.DS_Store | ||
# Common VCS dirs | ||
.git/ | ||
.gitignore | ||
.bzr/ | ||
.bzrignore | ||
.hg/ | ||
.hgignore | ||
.svn/ | ||
# Common backup files | ||
*.swp | ||
*.bak | ||
*.tmp | ||
*.orig | ||
*~ | ||
# Various IDEs | ||
.project | ||
.idea/ | ||
*.tmproj | ||
.vscode/ |
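Review bot: this is the stock `helm create` ignore list and does not exclude values files holding credentials, so a local `kubernetes/chart/secrets.yaml` (which `.gitignore` in this commit keeps out of git) would still be bundled by `helm package`. Add `secrets.yaml` here as well so the packaged chart stays clean.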
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
dependencies: | ||
- name: ingress-nginx | ||
repository: https://kubernetes.github.io/ingress-nginx/ | ||
version: 4.7.1 | ||
- name: cert-manager | ||
repository: https://charts.jetstack.io | ||
version: v1.12.0 | ||
digest: sha256:57ebed200798be88cffe7363c99d2dd6bc252189aa756ec38803b9d83345cd95 | ||
generated: "2023-07-15T10:28:49.9366857-05:00" |
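Review bot: committing `Chart.lock` while ignoring `charts/*.tgz` is the right split, but it only pays off if the bootstrap step runs `helm dependency build`, which fetches exactly the versions listed here and verifies the `digest`, rather than `helm dependency update`, which rewrites the lock. The bootstrap README's `helm install` does neither explicitly and will fail on an empty `charts/` directory; a line documenting the build step belongs there.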
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
apiVersion: v2 | ||
name: vipyrsec | ||
description: A Helm chart to automate the installation and configuration of our dependencies. | ||
type: application | ||
version: "0.1.0" | ||
appVersion: "0.1.0" | ||
dependencies: | ||
- name: ingress-nginx | ||
version: "4.7.1" | ||
repository: "https://kubernetes.github.io/ingress-nginx/" | ||
- name: cert-manager | ||
version: "v1.12.0" | ||
repository: https://charts.jetstack.io | ||
condition: cert-manager.enabled |
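Review bot: `condition: cert-manager.enabled` only takes effect if that path exists in the parent values and resolves to a boolean; neither `production.yaml` nor a `values.yaml` in this commit sets `cert-manager.enabled`, so the condition is a no-op and the dependency is always installed. Either set `enabled: true` explicitly under `cert-manager:` in the values or drop the condition. `ingress-nginx` has no condition at all, which is fine but inconsistent with the cert-manager entry.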
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
# Vipyrsec chart | ||
|
||
Our internal Helm Chart for deploying our dependencies. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
cert-manager: | ||
namespace: "cert-manager" | ||
installCRDs: true |
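Review bot: `installCRDs: true` makes the cert-manager CRDs part of the Helm release, so `helm uninstall vipyrsec` removes the CRDs and with them every `Certificate`, `Issuer` and `ClusterIssuer` in the cluster, including the `letsencrypt` issuer added in this commit and the issued TLS secrets' renewal state. Installing the CRDs separately (the cert-manager project documents both approaches) decouples their lifecycle from the release. `namespace: "cert-manager"` here duplicates the manually created namespace from `manifests/cert-manager/namespace.yaml`; keep one source of truth so the two cannot diverge.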
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
# Manifests | ||
|
||
The manifests for our Kubernetes infra. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
apiVersion: cert-manager.io/v1 | ||
kind: ClusterIssuer | ||
metadata: | ||
name: letsencrypt | ||
namespace: cert-manager | ||
spec: | ||
acme: | ||
email: [email protected] | ||
server: https://acme-v02.api.letsencrypt.org/directory | ||
privateKeySecretRef: | ||
name: letsencrypt-issuer-account-key | ||
solvers: | ||
- http01: | ||
ingress: | ||
ingressClassName: nginx |
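Review bot: `ClusterIssuer` is cluster-scoped, so `metadata.namespace: cert-manager` is ignored by the API server and flagged by some linters; drop it. The ACME account key named in `privateKeySecretRef` is stored in the namespace cert-manager runs in, not in the namespace written here. The `server` is the production Let's Encrypt endpoint, although the commit message mentions a "test cluster issuer"; while the ingress and DNS are still being set up, the staging endpoint (`https://acme-staging-v02.api.letsencrypt.org/directory`) avoids spending production rate limits on failed http01 challenges.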
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: cert-manager |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
# Discord | ||
|
||
Infra configuration for our Discord bots and services. |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
# Bot | ||
|
||
Infra configuration for the Discord bot. | ||
|
||
## Secrets | ||
|
||
This deployment expects a number of secrets and environment variables to exist in a secret called `bot-env`. | ||
|
||
|
||
| Environment | Description | | ||
| ------------------- | ----------------------------------- | | ||
| BOT_TOKEN | Auth token for Discord | | ||
| SENTRY_DSN | Connection DSN for Sentry | | ||
| ALLOWED_ROLES | Allowed roles for the bot to assign | | ||
| AUTH0_USERNAME | Username for Auth0 | | ||
| AUTH0_PASSWORD | Password for Auth0 | | ||
| AUTH0_CLIENT_ID | Client ID for Auth0 | | ||
| AUTH0_CLIENT_SECRET | Client secret for Auth0 | | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
namespace: discord | ||
name: bot | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: bot | ||
template: | ||
metadata: | ||
labels: | ||
app: bot | ||
spec: | ||
containers: | ||
- name: bot | ||
image: ghcr.io/vipyrsec/bot:edge | ||
envFrom: | ||
- secretRef: | ||
name: bot-env | ||
imagePullSecrets: | ||
- name: ghcr-images |
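Review bot: the pod spec carries no hardening and no resource bounds. The bot only makes outbound calls to Discord, so `automountServiceAccountToken: false` on the pod removes an API token it never needs; a container `securityContext` with `runAsNonRoot: true`, `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}` is the standard baseline, and `resources` requests/limits keep one misbehaving container from starving the node. `image: ghcr.io/vipyrsec/bot:edge` is a mutable tag, so what runs is whatever was pushed last; pinning by digest (`@sha256:...`) makes the deployment reproducible. `bot-env` matches the README, but `imagePullSecrets: ghcr-images` does not match the `regcred` name the bootstrap README creates.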
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: discord |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
# Dragonfly | ||
|
||
Infra configuration for [project Dragonfly](https://github.com/vipyrsec/dragonfly). |
File renamed without changes.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,15 @@ | ||
# Dragonfly Client | ||
|
||
Infra configuration for the Dragonfly client. We're currently using the [Dragonfly Rust client](https://github.com/vipyrsec/dragonfly-client-rs). | ||
|
||
## Secrets | ||
|
||
This deployment expects a number of secrets and environment variables to exist in a secret called `dragonfly-client-secrets`. | ||
|
||
|
||
| Environment | Description | | ||
|-----------------|-------------------------------| | ||
| CLIENT_ID | Part of the OAUTH credentials | | ||
| CLIENT_SECRET | Part of the OAUTH credentials | | ||
| USERNAME | Part of the OAUTH credentials | | ||
| PASSWORD | Part of the OAUTH credentials | |
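Review bot: the secret name documented here, `dragonfly-client-secrets`, does not match the `dragonfly-client-env` that the client Deployment's `envFrom` references in this same commit; an operator following this README will produce a pod stuck in CreateContainerConfigError. Pick one name (the "rename secrets" commit apparently missed one of the two files). Minor: "OAUTH" is conventionally written "OAuth".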
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
namespace: dragonfly | ||
name: client | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: client | ||
template: | ||
metadata: | ||
labels: | ||
app: client | ||
spec: | ||
containers: | ||
- name: client | ||
image: ghcr.io/vipyrsec/dragonfly-client-rs:rewrite | ||
envFrom: | ||
- secretRef: | ||
name: dragonfly-client-env | ||
imagePullSecrets: | ||
- name: ghcr-images |
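Review bot: `envFrom` references `dragonfly-client-env`, but the client README in this commit tells operators to create `dragonfly-client-secrets`; until the names agree the container cannot be created because the referenced secret is missing. `image: ghcr.io/vipyrsec/dragonfly-client-rs:rewrite` tracks a branch (per the commit "dragonfly-client: use rewrite branch"), so every push to that branch silently changes what is deployed on the next pull; pin by digest or an immutable release tag before this reaches production. The same hardening points as the bot deployment apply: non-root `securityContext` with dropped capabilities, `resources`, and `automountServiceAccountToken: false`.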
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,16 @@ | ||
# Dragonfly Mainframe | ||
|
||
Infra configuration for the [Dragonfly Mainframe](https://github.com/vipyrsec/dragonfly-mainframe). | ||
|
||
## Secrets | ||
This deployment expects a number of secrets and environment variables to exist in a secret called `dragonfly-mainframe-secrets`. | ||
|
||
|
||
| Environment | Description | | ||
|-------------------------|----------------------------------------------------------| | ||
| DB_URL | The database connection DSN | | ||
| DRAGONFLY_GITHUB_TOKEN | A GitHub PAT to access the Security Intelligence ruleset | | ||
| EMAIL_RECIPIENT | The default email recipient | | ||
| MICROSOFT_TENANT_ID | Part of the credentials for the mailer | | ||
| MICROSOFT_CLIENT_ID | Part of the credentials for the mailer | | ||
| MICROSOFT_CLIENT_SECRET | Part of the credentials for the mailer | |
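Review bot: formatting only: the `## Secrets` heading has no blank line before the paragraph that follows it, unlike the bot and client READMEs, and the table is followed by stray blank lines. On content, `DRAGONFLY_GITHUB_TOKEN` is described as a PAT "to access the Security Intelligence ruleset"; stating that it should be read-only and scoped to that repository would help whoever provisions it.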
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
namespace: dragonfly | ||
name: mainframe | ||
spec: | ||
replicas: 1 | ||
selector: | ||
matchLabels: | ||
app: mainframe | ||
template: | ||
metadata: | ||
labels: | ||
app: mainframe | ||
spec: | ||
containers: | ||
- name: mainframe | ||
image: ghcr.io/vipyrsec/dragonfly-mainframe:edge | ||
envFrom: | ||
- secretRef: | ||
name: dragonfly-mainframe-secrets | ||
imagePullSecrets: | ||
- name: ghcr-images |
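Review bot: this pod backs a Service and a public Ingress on port 8000, yet it declares no `ports`, `readinessProbe` or `livenessProbe`, so the endpoint is added the moment the container starts and is never removed if the process hangs; a readiness probe on 8000 fixes both. Everything in `dragonfly-mainframe-secrets` (`DB_URL`, `DRAGONFLY_GITHUB_TOKEN`, the Microsoft client secret) lands in one process environment, readable by anyone who can exec into the container, so keep that token scoped to read-only. The same baseline as the other two deployments applies: non-root `securityContext`, dropped capabilities, `resources`, and `automountServiceAccountToken: false` unless the mainframe talks to the Kubernetes API.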
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,24 @@ | ||
apiVersion: networking.k8s.io/v1 | ||
kind: Ingress | ||
metadata: | ||
namespace: dragonfly | ||
name: dragonfly-ingress | ||
annotations: | ||
cert-manager.io/cluster-issuer: "letsencrypt" | ||
spec: | ||
ingressClassName: nginx | ||
tls: | ||
- hosts: | ||
- dragonfly.vipyrsec.com | ||
secretName: dragonfly-tls | ||
rules: | ||
- host: dragonfly.vipyrsec.com | ||
http: | ||
paths: | ||
- path: / | ||
pathType: Prefix | ||
backend: | ||
service: | ||
name: mainframe | ||
port: | ||
number: 8000 |
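Review bot: the resource is correct for cert-manager's http01 solver (the temporary challenge ingress is created with the same `ingressClassName`), but nothing prevents other workloads in the cluster from reaching the `mainframe` Service directly; a `NetworkPolicy` in the `dragonfly` namespace that admits ingress only from the ingress-nginx controller namespace (and from the `client` pods, if they call the mainframe in-cluster) keeps the exposure to what this Ingress allows. The bootstrap README's ordering depends on this object: no certificate can be issued until `dragonfly.vipyrsec.com` resolves to the controller.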
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,12 @@ | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
namespace: dragonfly | ||
name: mainframe | ||
spec: | ||
selector: | ||
app: mainframe | ||
ports: | ||
- protocol: TCP | ||
port: 8000 | ||
targetPort: 8000 |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,4 @@ | ||
apiVersion: v1 | ||
kind: Namespace | ||
metadata: | ||
name: dragonfly |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,14 @@ | ||
-- Script to bootstrap the database with necessary roles and users | ||
|
||
-- Dragonfly | ||
-- Create the database | ||
CREATE DATABASE dragonfly OWNER dragonfly; | ||
-- Create an admin role | ||
CREATE ROLE dragonfly_admin; | ||
GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO dragonfly_admin; | ||
-- Create a read-only role | ||
CREATE ROLE dragonfly_read; | ||
GRANT SELECT ON ALL TABLES IN SCHEMA public TO dragonfly_read; | ||
-- Create initial user roles | ||
CREATE ROLE bradley WITH PASSWORD 'shadow' IN ROLE dragonfly_admin LOGIN; | ||
CREATE ROLE robin WITH PASSWORD 'shadow' IN ROLE dragonfly_read LOGIN; |
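Review bot: three logic problems. `CREATE DATABASE dragonfly OWNER dragonfly` requires a role named `dragonfly` that this script never creates, so the first statement fails. The `GRANT ... ON ALL TABLES IN SCHEMA public` statements run in whatever database the client is connected to (`CREATE DATABASE` does not switch the connection) and apply only to tables that exist at that moment, which at bootstrap is none; connect to `dragonfly` first (`\c dragonfly` in psql) and add `ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ...` for each role so future tables are covered. Finally, both login roles are created with the literal password `'shadow'` checked into the repository; supply the passwords at run time (for example via psql variables) and treat this file as a template rather than a record of real credentials.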
infrastructure/scripts/bootstrap-vps.sh → scripts/bootstrap-vps.sh (1 change: 1 addition & 0 deletions)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,5 @@ | ||
#!/bin/bash | ||
# Script to bootstrap a new VPS with the necessary users and groups | ||
|
||
groupadd vipyrsec | ||
|
||
|
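Review bot: the script still opens with `#!/bin/bash` and no `set -euo pipefail`, so a failing `groupadd vipyrsec` (run without root, or with the group already present) does not stop whatever follows; add the option line and a root check at the top while the file is being moved anyway.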