Merge branch 'main' into containerized

containerized
2024-01-30 11:56:53 +01:00 · 2024-01-30 11:54:51 +01:00 · 2024-01-30 11:54:38 +01:00
18 changed files with 270 additions and 1 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -0,0 +1,3 @@
+src/__pycache__
+src/ENV
+src/.venv
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,5 @@
+deployment/secrets.txt
+src/.venv
+src/__pycache__
+src/ENV
+
--- a/.woodpecker.yml
+++ b/.woodpecker.yml
@ -0,0 +1,32 @@
+steps:
+  build:
+    image: plugins/kaniko
+    settings:
+      repo: gitea.hottis.de/wn/oidc-python-example
+      registry: 
+        from_secret: container_registry
+      tags: latest,${CI_COMMIT_SHA},${CI_COMMIT_TAG}
+      username: 
+        from_secret: container_registry_username
+      password: 
+        from_secret: container_registry_password
+      dockerfile: Dockerfile
+    when:
+      - event: [push, tag]
+
+  deploy:
+    image: portainer/kubectl-shell:latest
+    secrets:
+      - source: kube_config
+        target: KUBE_CONFIG_CONTENT
+      - source: encryption_key
+        target: ENCRYPTION_KEY
+      - source: secrets_checksum
+        target: MD5_CHECKSUM
+    commands:
+      - export IMAGE_TAG=$CI_COMMIT_TAG
+      - printf "$KUBE_CONFIG_CONTENT" > /tmp/kubeconfig
+      - export KUBECONFIG=/tmp/kubeconfig
+      - ./deployment/deploy.sh
+    when:
+      - event: tag
--- a/15
+++ b/15
@ -0,0 +1,15 @@
+FROM python:3.12-alpine3.19
+
+ARG APP_DIR="/opt/app"
+
+COPY ./src/ ${APP_DIR}/
+COPY start.sh ${APP_DIR}/
+
+WORKDIR ${APP_DIR}
+
+RUN pip install -r requirements.txt
+
+EXPOSE 8080
+
+CMD "./start.sh"
+
--- a/deployment/decrypt-secrets.sh
+++ b/deployment/decrypt-secrets.sh
@ -0,0 +1,43 @@
+#!/bin/bash
+
+if [ "$ENCRYPTION_KEY" = "" ]; then
+  echo "ENCRYPTION_KEY not set"
+  exit 1
+fi
+
+if [ "$MD5_CHECKSUM" = "" ]; then
+  echo "No checksum given"
+  exit 1
+fi
+
+SECRETS_CIPHERTEXT_FILE=secrets.enc
+SECRETS_PLAINTEXT_FILE=/tmp/secrets
+TMP_FILE=`mktemp`
+POD_NAME_SUFFIX=`date +%s`
+
+cat $SECRETS_CIPHERTEXT_FILE | \
+  kubectl run openssl-$POD_NAME_SUFFIX \
+    --rm \
+    --image bitnami/debian-base-buildpack:latest \
+    --env KEY=$ENCRYPTION_KEY \
+    -i \
+    -q \
+    -- \
+    /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a -d" > \
+    $TMP_FILE
+
+if [ `uname` = "Darwin" ]; then
+  CALCULATED_CHECKSUM=`cat $TMP_FILE | md5`
+elif [ `uname` = "Linux" ]; then
+  CALCULATED_CHECKSUM=`cat $TMP_FILE | md5sum - | awk '{print $1}'`
+fi
+
+if [ "$MD5_CHECKSUM" != "$CALCULATED_CHECKSUM" ]; then
+  echo "Invalid checksum"
+  exit 1
+fi
+
+# cat $TMP_FILE
+mv $TMP_FILE $SECRETS_PLAINTEXT_FILE
+
+
--- a/deployment/deploy-yml.tmpl
+++ b/deployment/deploy-yml.tmpl
@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: oidc-python-example
+  labels:
+    app: oidc-python-example
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: oidc-python-example
+  template:
+    metadata:
+      labels:
+        app: oidc-python-example
+    spec:
+      containers:
+        - name: oidc-python-example
+          image: %IMAGE%
+          envFrom:
+            - secretRef: 
+                name: secrets
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: oidc-python-example
+spec:
+  type: ClusterIP
+  selector:
+    app: oidc-python-example
+  ports:
+    - name: http
+      targetPort: 8080
+      port: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: oidc-python-example
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production-http
+spec:
+  tls:
+    - hosts:
+        - oidc-python-example.hottis.de
+      secretName: oidc-python-example-cert
+  rules:
+    - host: oidc-python-example.hottis.de
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: oidc-python-example
+                port:
+                  number: 80
+
--- a/deployment/deploy.sh
+++ b/deployment/deploy.sh
@ -0,0 +1,43 @@
+#!/bin/bash
+
+if [ "$IMAGE_TAG" == "" ]; then
+  echo "Make sure IMAGE_TAG is set"
+  exit 1
+fi
+
+
+IMAGE_NAME=gitea.hottis.de/wn/oidc-python-example
+NAMESPACE=oidc-python-example
+DEPLOYMENT_DIR=$PWD/deployment
+
+pushd $DEPLOYMENT_DIR > /dev/null
+./decrypt-secrets.sh || exit 1 
+. /tmp/secrets
+rm /tmp/secrets
+
+CLIENT_SECRETS=`cat oidc-config.json | sed -e's!%CLIENT_SECRET%!'$CLIENT_SECRET'!'`
+
+kubectl create namespace $NAMESPACE \
+  --dry-run=client \
+  -o yaml | \
+  kubectl -f - apply
+
+kubectl create secret generic secrets \
+  --dry-run=client \
+  -o yaml \
+  --save-config \
+  --from-literal=SECRET="$SECRET" \
+  --from-literal=CLIENT_SECRETS="$CLIENT_SECRETS" \
+  --from-literal=PGUSER="$PGUSER" \
+  --from-literal=PGPASSWORD="$PGPASSWORD" \
+  --from-literal=PGDATABASE="$PGDATABASE" \
+  --from-literal=PGHOST="timescaledb.database.svc.cluster.local" \
+  --from-literal=PGSSLMODE="require" | \
+  kubectl apply -f - -n $NAMESPACE
+
+cat $DEPLOYMENT_DIR/deploy-yml.tmpl | \
+  sed -e 's,%IMAGE%,'$IMAGE_NAME':'$IMAGE_TAG','g | \
+  kubectl apply -f - -n $NAMESPACE
+
+popd > /dev/null
+
--- a/deployment/encrypt-secrets.sh
+++ b/deployment/encrypt-secrets.sh
@ -0,0 +1,27 @@
+#!/bin/bash
+
+ENCRYPTION_KEY=`openssl rand -hex 32`
+echo $ENCRYPTION_KEY
+
+SECRETS_PLAINTEXT_FILE=secrets.txt
+SECRETS_CIPHERTEXT_FILE=secrets.enc
+
+if [ `uname` = "Darwin" ]; then
+  cat $SECRETS_PLAINTEXT_FILE | md5
+elif [ `uname` = "Linux" ]; then
+  cat $SECRETS_PLAINTEXT_FILE | md5sum - | awk '{print $1}'
+fi
+
+POD_NAME_SUFFIX=`date +%s`
+
+cat $SECRETS_PLAINTEXT_FILE | \
+  kubectl run openssl-$POD_NAME_SUFFIX \
+    --rm \
+    --image bitnami/debian-base-buildpack:latest \
+    --env KEY=$ENCRYPTION_KEY \
+    -i \
+    -q \
+    -- \
+    /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a" > \
+    $SECRETS_CIPHERTEXT_FILE
+
--- a/deployment/oidc-config.json
+++ b/deployment/oidc-config.json
@ -0,0 +1,13 @@
+{
+    "web": {
+        "issuer": "https://auth2.hottis.de/realms/hottis",
+        "auth_uri": "https://auth2.hottis.de/ealms/hottis/protocol/openid-connect/auth",
+        "client_id": "oidc-python-example",
+        "client_secret": "%CLIENT_SECRET%",
+        "redirect_uris": [
+            "https://oidc-python-example.hottis.de/*"
+        ],
+        "userinfo_uri": "https://auth2.hottis.de/realms/hottis/protocol/openid-connect/userinfo", 
+        "token_uri": "https://auth2.hottis.de/realms/hottis/protocol/openid-connect/token"
+    }
+}
--- a/src/Run.py
+++ b/src/Run.py
@ -1,8 +1,10 @@
 from flask import Flask, request, render_template, jsonify, redirect, url_for
-import psycopg2
 import sqlite3

 app = Flask(__name__)
+app.config.update({
+    'SECRET_KEY': "fdsgffdgretfsdgfsf"
+})

 # Datenbankverbindung konfigurieren
 def get_db_connection():
--- a/src/db.py
+++ b/src/db.py
--- a/src/nu.csv
+++ b/src/nu.csv
--- a/src/nutrition.db
+++ b/src/nutrition.db
--- a/src/requirements.txt
+++ b/src/requirements.txt
@ -0,0 +1,20 @@
+Authlib==1.3.0
+blinker==1.7.0
+certifi==2023.11.17
+cffi==1.16.0
+charset-normalizer==3.3.2
+click==8.1.7
+cryptography==42.0.1
+Flask==3.0.1
+flask-oidc==2.1.1
+gunicorn==21.2.0
+idna==3.6
+itsdangerous==2.1.2
+Jinja2==3.1.3
+MarkupSafe==2.1.4
+packaging==23.2
+pycparser==2.21
+requests==2.31.0
+typing_extensions==4.9.0
+urllib3==2.1.0
+Werkzeug==3.0.1
--- a/src/static/style.css
+++ b/src/static/style.css
--- a/src/templates/index.html
+++ b/src/templates/index.html
--- a/src/templates/nutrition.html
+++ b/src/templates/nutrition.html
--- a/start.sh
+++ b/start.sh
@ -0,0 +1,4 @@
+#!/bin/sh
+
+gunicorn 'Run:app' --bind 0.0.0.0:8080 --log-level=info --workers=4
+
Author	SHA1	Message	Date
Wolfgang Hottgenroth	0bca4ba03b	Merge branch 'main' into containerized	2024-01-30 11:56:53 +01:00
Wolfgang Hottgenroth	8fa433f543	containerized	2024-01-30 11:54:51 +01:00
Wolfgang Hottgenroth	e72dbad617	containerized	2024-01-30 11:54:38 +01:00