Bootstrap Kubernetes (#10)

* init kubernetes rough draft for dragonfly services

Signed-off-by: GitHub <[email protected]>

* ignore secrets

Signed-off-by: Bradley Reynolds <[email protected]>

* Rename imagePullSecrets

Signed-off-by: Bradley Reynolds <[email protected]>

* move ingress inside service directory

Signed-off-by: Bradley Reynolds <[email protected]>

* change domain to staging

Signed-off-by: Bradley Reynolds <[email protected]>

* update deprecated attribute

Signed-off-by: Bradley Reynolds <[email protected]>

* add test cluster issuer

Signed-off-by: Bradley Reynolds <[email protected]>

* move database init inside kubernetes folder

Signed-off-by: Bradley Reynolds <[email protected]>

* move scripts dir to root

Signed-off-by: Bradley Reynolds <[email protected]>

* add readme(s) per project

Signed-off-by: Bradley Reynolds <[email protected]>

* move kubernetes directory to repo root

Signed-off-by: Bradley Reynolds <[email protected]>

* move manifests into folder

Signed-off-by: Bradley Reynolds <[email protected]>

* init helm chart

Signed-off-by: Bradley Reynolds <[email protected]>

* init chart dependencies

Signed-off-by: Bradley Reynolds <[email protected]>

* remove alias and reset version

Signed-off-by: Bradley Reynolds <[email protected]>

* don't forget to run lints on PRs too

Signed-off-by: Bradley Reynolds <[email protected]>

* ci: disable shellcheck SC2028

Signed-off-by: Bradley Reynolds <[email protected]>

* dragonfly-client: use rewrite branch

Signed-off-by: Bradley Reynolds <[email protected]>

* add bot deployment

Signed-off-by: Bradley Reynolds <[email protected]>

* Setup Dependabot

Signed-off-by: GitHub <[email protected]>

* Add CI job to lint Kubernetes manifests

Signed-off-by: GitHub <[email protected]>

* ci: restrict manifest search to avoid picking up helm charts

Signed-off-by: GitHub <[email protected]>

* try using fork of k8s lint action

Signed-off-by: GitHub <[email protected]>

* Revert "try using fork of k8s lint action"

This reverts commit dcaa38a.

* lint: newline

Signed-off-by: Bradley Reynolds <[email protected]>

* ci: bump Azure K8s lint action version

Signed-off-by: GitHub <[email protected]>

* move db setup script back to scripts

Signed-off-by: Bradley Reynolds <[email protected]>

* cleanup find_manifests

Signed-off-by: Bradley Reynolds <[email protected]>

* add oneliner docstrings

Signed-off-by: Bradley Reynolds <[email protected]>

* add enviorment variables for the bot

Signed-off-by: Bradley Reynolds <[email protected]>

* remove unused config variables from helm chart

Signed-off-by: Bradley Reynolds <[email protected]>

* manually create cert-manager namespace

Signed-off-by: Bradley Reynolds <[email protected]>

* rename secrets

Signed-off-by: Bradley Reynolds <[email protected]>

* remove staging suffix in domain

Signed-off-by: Bradley Reynolds <[email protected]>

* add inital bootstrap docs

Signed-off-by: Bradley Reynolds <[email protected]>

---------

Signed-off-by: GitHub <[email protected]>
Signed-off-by: Bradley Reynolds <[email protected]>

.github/dependabot.yaml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "monthly"
+
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "monthly"

.github/workflows/bash-ci.yaml

@@ -4,6 +4,7 @@ on:
   push:
     branches:
       - main
+  pull_request:
 
 jobs:
   shellcheck:
@@ -15,3 +16,5 @@ jobs:
 
       - name: "Run ShellCheck"
         uses: ludeeus/action-shellcheck@master
+        env:
+          SHELLCHECK_OPTS: -e SC2028

.github/workflows/kubernetes-ci.yaml

@@ -0,0 +1,28 @@
+name: "CI - Kubernetes"
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+jobs:
+  lint:
+    name: "Lint manifests"
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v3
+
+      - id: manifest-files 
+        name: "Find manifest files"
+        run: |
+          echo "manifests<<EOF" >> $GITHUB_OUTPUT
+          python scripts/find_manifests.py >> $GITHUB_OUTPUT
+          echo "EOF" >> $GITHUB_OUTPUT
+        
+      - uses: azure/[email protected]
+        with:
+          manifests: ${{ steps.manifest-files.outputs.manifests }}

.gitignore

@@ -0,0 +1,5 @@
+# Secrets
+secrets.yaml
+
+# Helm
+kubernetes/chart/charts/*.tgz

docs/bootstrap.md

@@ -0,0 +1,43 @@
+# Bootstrapping a Kubernetes cluster
+
+## Create namespaces
+
+```bash
+kubectl apply -f kubernetes\manifests\cert-manager\namespace.yaml
+kubectl apply -f kubernetes\manifests\discord\namespace.yaml
+kubectl apply -f kubernetes\manifests\dragonfly\namespace.yaml
+```
+
+## Install the Helm Chart to get all the dependencies
+
+```bash
+helm install -f kubernetes\chart\production.yaml vipyrsec kubernetes\chart\
+```
+
+# Create image pull secrets
+
+Repeat this for both the Discord and the Dragonfly namespaces:
+
+```bash
+kubectl create secret docker-registry regcred --docker-server=https://ghcr.io --docker-username=shenanigansd --docker-password=ghp_xxx [email protected]
+```
+
+## Apply the Discord bot deployment
+
+```bash
+kubectl apply -f kubernetes\manifests\discord\bot
+```
+
+## Apply the Dragonfly Mainframe deployment
+
+```bash
+kubectl apply -f kubernetes\manifests\dragonfly\client
+```
+
+After the mainframe ingress is created, you will need create the DNS records before deploying the client.
+
+## Apply the Dragonfly client deployment
+
+```bash
+kubectl apply -f kubernetes\manifests\dragonfly\mainframe
+```

kubernetes/chart/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

kubernetes/chart/Chart.lock

@@ -0,0 +1,9 @@
+dependencies:
+- name: ingress-nginx
+  repository: https://kubernetes.github.io/ingress-nginx/
+  version: 4.7.1
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v1.12.0
+digest: sha256:57ebed200798be88cffe7363c99d2dd6bc252189aa756ec38803b9d83345cd95
+generated: "2023-07-15T10:28:49.9366857-05:00"

kubernetes/chart/Chart.yaml

@@ -0,0 +1,14 @@
+apiVersion: v2
+name: vipyrsec
+description: A Helm chart to automate the installation and configuration of our dependencies.
+type: application
+version: "0.1.0"
+appVersion: "0.1.0"
+dependencies:
+- name: ingress-nginx
+  version: "4.7.1"
+  repository: "https://kubernetes.github.io/ingress-nginx/"
+- name: cert-manager
+  version: "v1.12.0"
+  repository: https://charts.jetstack.io
+  condition: cert-manager.enabled

kubernetes/chart/README.md

@@ -0,0 +1,3 @@
+# Vipyrsec chart
+
+Our internal Helm Chart for deploying our dependencies.

kubernetes/chart/production.yaml

@@ -0,0 +1,3 @@
+cert-manager: 
+  namespace: "cert-manager"
+  installCRDs: true

kubernetes/manifests/README.md

@@ -0,0 +1,3 @@
+# Manifests
+
+The manifests for our Kubernetes infra.

kubernetes/manifests/cert-manager/cluster_issuer.yaml

@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+  namespace: cert-manager
+spec:
+  acme:
+    email: [email protected]
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:      
+      name: letsencrypt-issuer-account-key
+    solvers:
+    - http01:
+        ingress:
+          ingressClassName: nginx

kubernetes/manifests/cert-manager/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+   name: cert-manager

kubernetes/manifests/discord/README.md

@@ -0,0 +1,3 @@
+# Discord
+
+Infra configuration for our Discord bots and services.

kubernetes/manifests/discord/bot/README.md

@@ -0,0 +1,19 @@
+# Bot
+
+Infra configuration for the Discord bot.
+
+## Secrets
+
+This deployment expects a number of secrets and environment variables to exist in a secret called `bot-env`.
+
+
+| Environment         | Description                         |
+| ------------------- | ----------------------------------- |
+| BOT_TOKEN           | Auth token for Discord              |
+| SENTRY_DSN          | Connection DSN for Sentry           |
+| ALLOWED_ROLES       | Allowed roles for the bot to assign |
+| AUTH0_USERNAME      | Username for Auth0                  |
+| AUTH0_PASSWORD      | Password for Auth0                  |
+| AUTH0_CLIENT_ID     | Client ID for Auth0                 |
+| AUTH0_CLIENT_SECRET | Client secret for Auth0             |
+

kubernetes/manifests/discord/bot/deployment.yaml

@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: discord
+  name: bot
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: bot
+  template:
+    metadata:
+      labels:
+        app: bot
+    spec:
+      containers:
+        - name: bot
+          image: ghcr.io/vipyrsec/bot:edge
+          envFrom:
+            - secretRef:
+                name: bot-env
+      imagePullSecrets:
+        - name: ghcr-images

kubernetes/manifests/discord/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+   name: discord

kubernetes/manifests/dragonfly/README.md

@@ -0,0 +1,3 @@
+# Dragonfly
+
+Infra configuration for [project Dragonfly](https://github.com/vipyrsec/dragonfly).

kubernetes/manifests/dragonfly/client/README.md

@@ -0,0 +1,15 @@
+# Dragonfly Client
+
+Infra configuration for the Dragonfly client. We're currently using the [Dragonfly Rust client](https://github.com/vipyrsec/dragonfly-client-rs).
+
+## Secrets
+
+This deployment expects a number of secrets and environment variables to exist in a secret called `dragonfly-client-secrets`.
+
+
+| Environment     | Description                   |
+|-----------------|-------------------------------|
+| CLIENT_ID       | Part of the OAUTH credentials |
+| CLIENT_SECRET   | Part of the OAUTH credentials |
+| USERNAME        | Part of the OAUTH credentials |
+| PASSWORD        | Part of the OAUTH credentials |

kubernetes/manifests/dragonfly/client/deployment.yaml

@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: dragonfly
+  name: client
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: client
+  template:
+    metadata:
+      labels:
+        app: client
+    spec:
+      containers:
+        - name: client
+          image: ghcr.io/vipyrsec/dragonfly-client-rs:rewrite
+          envFrom:
+            - secretRef:
+                name: dragonfly-client-env
+      imagePullSecrets:
+        - name: ghcr-images

kubernetes/manifests/dragonfly/mainframe/README.md

@@ -0,0 +1,16 @@
+# Dragonfly Mainframe
+
+Infra configuration for the [Dragonfly Mainframe](https://github.com/vipyrsec/dragonfly-mainframe).
+
+## Secrets
+This deployment expects a number of secrets and environment variables to exist in a secret called `dragonfly-mainframe-secrets`.
+
+
+| Environment             | Description                                              |
+|-------------------------|----------------------------------------------------------|
+| DB_URL                  | The database connection DSN                              |
+| DRAGONFLY_GITHUB_TOKEN  | A GitHub PAT to access the Security Intelligence ruleset |
+| EMAIL_RECIPIENT         | The default email recipient                              |
+| MICROSOFT_TENANT_ID     | Part of the credentials for the mailer                   |
+| MICROSOFT_CLIENT_ID     | Part of the credentials for the mailer                   |
+| MICROSOFT_CLIENT_SECRET | Part of the credentials for the mailer                   |

kubernetes/manifests/dragonfly/mainframe/deployment.yaml

@@ -0,0 +1,23 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: dragonfly
+  name: mainframe
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mainframe
+  template:
+    metadata:
+      labels:
+        app: mainframe
+    spec:
+      containers:
+        - name: mainframe
+          image: ghcr.io/vipyrsec/dragonfly-mainframe:edge
+          envFrom:
+            - secretRef:
+                name: dragonfly-mainframe-secrets
+      imagePullSecrets:
+        - name: ghcr-images

kubernetes/manifests/dragonfly/mainframe/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  namespace: dragonfly
+  name: dragonfly-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - dragonfly.vipyrsec.com
+      secretName: dragonfly-tls
+  rules:
+    - host: dragonfly.vipyrsec.com
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: mainframe
+                port:
+                  number: 8000

kubernetes/manifests/dragonfly/mainframe/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  namespace: dragonfly
+  name: mainframe
+spec:
+  selector:
+    app: mainframe
+  ports:
+    - protocol: TCP
+      port: 8000
+      targetPort: 8000

kubernetes/manifests/dragonfly/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+   name: dragonfly

scripts/bootstrap-db.sql

@@ -0,0 +1,14 @@
+-- Script to bootstrap the database with necessary roles and users
+
+-- Dragonfly
+-- Create the database
+CREATE DATABASE dragonfly OWNER dragonfly;
+-- Create an admin role
+CREATE ROLE dragonfly_admin;
+GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO dragonfly_admin;
+-- Create a read-only role
+CREATE ROLE dragonfly_read;
+GRANT SELECT ON ALL TABLES IN SCHEMA public TO dragonfly_read;
+-- Create initial user roles
+CREATE ROLE bradley WITH PASSWORD 'shadow' IN ROLE dragonfly_admin LOGIN;
+CREATE ROLE robin WITH PASSWORD 'shadow' IN ROLE dragonfly_read LOGIN;

infrastructure/scripts/bootstrap-vps.sh → scripts/bootstrap-vps.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# Script to bootstrap a new VPS with the necessary users and groups
 
 groupadd vipyrsec