initial

2024-01-30 10:53:37 +01:00
commit 6eacafe945
13 changed files with 351 additions and 0 deletions
--- a/deployment/decrypt-secrets.sh
+++ b/deployment/decrypt-secrets.sh
@ -0,0 +1,43 @@
+#!/bin/bash
+
+if [ "$ENCRYPTION_KEY" = "" ]; then
+  echo "ENCRYPTION_KEY not set"
+  exit 1
+fi
+
+if [ "$MD5_CHECKSUM" = "" ]; then
+  echo "No checksum given"
+  exit 1
+fi
+
+SECRETS_CIPHERTEXT_FILE=secrets.enc
+SECRETS_PLAINTEXT_FILE=/tmp/secrets
+TMP_FILE=`mktemp`
+POD_NAME_SUFFIX=`date +%s`
+
+cat $SECRETS_CIPHERTEXT_FILE | \
+  kubectl run openssl-$POD_NAME_SUFFIX \
+    --rm \
+    --image bitnami/debian-base-buildpack:latest \
+    --env KEY=$ENCRYPTION_KEY \
+    -i \
+    -q \
+    -- \
+    /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a -d" > \
+    $TMP_FILE
+
+if [ `uname` = "Darwin" ]; then
+  CALCULATED_CHECKSUM=`cat $TMP_FILE | md5`
+elif [ `uname` = "Linux" ]; then
+  CALCULATED_CHECKSUM=`cat $TMP_FILE | md5sum - | awk '{print $1}'`
+fi
+
+if [ "$MD5_CHECKSUM" != "$CALCULATED_CHECKSUM" ]; then
+  echo "Invalid checksum"
+  exit 1
+fi
+
+# cat $TMP_FILE
+mv $TMP_FILE $SECRETS_PLAINTEXT_FILE
+
+
--- a/deployment/deploy-yml.tmpl
+++ b/deployment/deploy-yml.tmpl
@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: locsrv
+  namespace: homea
+  labels:
+    app: locsrv
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: locsrv
+  template:
+    metadata:
+      labels:
+        app: locsrv
+    spec:
+      containers:
+        - name: locsrv
+          image: %IMAGE%
+          envFrom:
+            - secretRef: 
+                name: locsrv-db-cred
+          env:
+            - name: MQTT_BROKER
+              value: mqtt://emqx01-anonymous-cluster-internal.broker.svc.cluster.local:1883
+            - name: MQTT_TOPIC
+              value: locative/event
+            - name: GIN_MODE
+              value: release
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: locative
+spec:
+  type: ClusterIP
+  selector:
+    app: locsrv
+  ports:
+    - name: http
+      targetPort: 8080
+      port: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: locative
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production-http
+spec:
+  tls:
+    - hosts:
+        - locative.hottis.de
+      secretName: locative-cert
+  rules:
+    - host: locative.hottis.de
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: locative
+                port:
+                  number: 80
+
--- a/deployment/deploy.sh
+++ b/deployment/deploy.sh
@ -0,0 +1,41 @@
+#!/bin/bash
+
+if [ "$IMAGE_TAG" == "" ]; then
+  echo "Make sure IMAGE_TAG is set"
+  exit 1
+fi
+
+
+IMAGE_NAME=gitea.hottis.de/wn/oidc-python-example
+NAMESPACE=oidc-python-example
+DEPLOYMENT_DIR=$PWD/deployment
+
+pushd $DEPLOYMENT_DIR > /dev/null
+./decrypt-secrets.sh || exit 1 
+. /tmp/secrets
+rm /tmp/secrets
+
+kubectl create namespace $NAMESPACE \
+  --dry-run=client \
+  -o yaml | \
+  kubectl -f - apply
+
+kubectl create secret generic secrets \
+  --dry-run=client \
+  -o yaml \
+  --save-config \
+  --from-literal=SECRET="$SECRET" \
+  --from-literal=CLIENT_SECRETS="$CLIENT_SECRETS" \
+  --from-literal=PGUSER="$PGUSER" \
+  --from-literal=PGPASSWORD="$PGPASSWORD" \
+  --from-literal=PGDATABASE="$PGDATABASE" \
+  --from-literal=PGHOST="timescaledb.database.svc.cluster.local" \
+  --from-literal=PGSSLMODE="require" | \
+  kubectl apply -f - -n $NAMESPACE
+
+cat $DEPLOYMENT_DIR/deploy-yml.tmpl | \
+  sed -e 's,%IMAGE%,'$IMAGE_NAME':'$IMAGE_TAG','g | \
+  kubectl apply -f - -n $NAMESPACE
+
+popd > /dev/null
+
--- a/deployment/encrypt-secrets.sh
+++ b/deployment/encrypt-secrets.sh
@ -0,0 +1,27 @@
+#!/bin/bash
+
+ENCRYPTION_KEY=`openssl rand -hex 32`
+echo $ENCRYPTION_KEY
+
+SECRETS_PLAINTEXT_FILE=secrets.txt
+SECRETS_CIPHERTEXT_FILE=secrets.enc
+
+if [ `uname` = "Darwin" ]; then
+  cat $SECRETS_PLAINTEXT_FILE | md5
+elif [ `uname` = "Linux" ]; then
+  cat $SECRETS_PLAINTEXT_FILE | md5sum - | awk '{print $1}'
+fi
+
+POD_NAME_SUFFIX=`date +%s`
+
+cat $SECRETS_PLAINTEXT_FILE | \
+  kubectl run openssl-$POD_NAME_SUFFIX \
+    --rm \
+    --image bitnami/debian-base-buildpack:latest \
+    --env KEY=$ENCRYPTION_KEY \
+    -i \
+    -q \
+    -- \
+    /bin/sh -c "openssl enc -aes-256-cbc -salt -pass env:KEY -a" > \
+    $SECRETS_CIPHERTEXT_FILE
+
--- a/deployment/oidc-config.json
+++ b/deployment/oidc-config.json
@ -0,0 +1,13 @@
+{
+    "web": {
+        "issuer": "https://auth2.hottis.de/realms/hottis",
+        "auth_uri": "https://auth2.hottis.de/ealms/hottis/protocol/openid-connect/auth",
+        "client_id": "oidc-python-example",
+        "client_secret": "%CLIENT_SECRET%",
+        "redirect_uris": [
+            "http://localhost:8080/*"
+        ],
+        "userinfo_uri": "https://auth2.hottis.de/realms/hottis/protocol/openid-connect/userinfo", 
+        "token_uri": "https://auth2.hottis.de/realms/hottis/protocol/openid-connect/token"
+    }
+}
--- a/deployment/secrets.enc
+++ b/deployment/secrets.enc
@ -0,0 +1,5 @@
+U2FsdGVkX1+uD433QQ1ZrBZgwtJsOHAXSLLhEoqQKwnt6IMztghrgnFihkUxkPo8
+LMjaH2aDwvEFh6BgzHgf+AAsbdQc0eUj1TJnIK9nd5e/5JZTRY9oQW5sMFjx7HDB
+VZ/YLX4/hsPMIsfG1cYXkE0dcpYPGgj2Y/YT33mNVcyU0VQ+DL7qRsMZXwohGQHE
+7R3sRXcUNLAnfdQWXOzkPtOg8UGE01Rki/DLEoDJgsLye6skqyIjrCQ7siaW5fER
+GoJCSzckwUUnzCrVa6b1tg==