SPDT
/
sapl
mirror of https://github.com/interlegis/sapl.git
5
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

Fix read-only mount on k8s
continuous-integration/drone/push Build is passing
Details

pull/3800/merge
Edward Ribeiro 1 month ago
parent
10691ac6f6
commit
4792c784bf
4 changed files with 243 additions and 7 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      docker/Dockerfile
  2. 12
      docker/k8s/sapl-deploy.sh
  3. 218
      docker/k8s/sapl-k8s.yaml
  4. 18
      docker/startup_scripts/start.sh

2
docker/Dockerfile
View File

@ -62,7 +62,7 @@ RUN set -eux; \
# Usuários/grupos (idempotente) # Usuários/grupos (idempotente)
RUN useradd --system --no-create-home --shell /usr/sbin/nologin sapl || true \ RUN useradd --system --no-create-home --shell /usr/sbin/nologin sapl || true \
&& groupadd -r nginx || true \ && groupadd -g 101 -r nginx || true \
&& usermod -aG nginx www-data || true \ && usermod -aG nginx www-data || true \
&& usermod -aG nginx sapl || true && usermod -aG nginx sapl || true

12
docker/k8s/sapl-deploy.sh
View File

@ -0,0 +1,12 @@
#!/bin/bash
kubectl create namespace sapl
mkdir -p ./sapl-secret-data
kubectl -n sapl create secret generic sapl-secretkey --from-file=./sapl-secret-data/
kubectl apply -f sapl-k8s.yaml
kubectl rollout status deployment/sapl -n sapl
POD=$(kubectl get pod -n sapl -l app=sapl -o jsonpath='{.items[0].metadata.name}')
kubectl exec -n sapl "$POD" -- ls -l /var/interlegis/sapl/data

218
docker/k8s/sapl-k8s.yaml
View File

@ -0,0 +1,218 @@
apiVersion: v1
kind: Namespace
metadata:
name: sapl
---
apiVersion: v1
kind: Service
metadata:
name: sapldb
namespace: sapl
spec:
selector:
app: sapldb
ports:
- name: postgres
port: 5432
targetPort: 5432
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: sapldb-data
namespace: sapl
spec:
accessModes: ["ReadWriteOnce"]
storageClassName: local-path
resources:
requests:
storage: 5Gi # or 1Gi for solr-configsets
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: sapldb
namespace: sapl
spec:
serviceName: sapldb
replicas: 1
selector:
matchLabels:
app: sapldb
template:
metadata:
labels:
app: sapldb
spec:
containers:
- name: postgres
image: postgres:10.5-alpine
env:
- name: POSTGRES_PASSWORD
value: "sapl"
- name: POSTGRES_USER
value: "sapl"
- name: POSTGRES_DB
value: "sapl"
- name: PGDATA
value: /var/lib/postgresql/data/
- name: TZ
value: UTC
- name: PG_TZ
value: UTC
ports:
- containerPort: 5432
volumeMounts:
- name: sapldb-data
mountPath: /var/lib/postgresql/data/
volumes:
- name: sapldb-data
persistentVolumeClaim:
claimName: sapldb-data
---
apiVersion: v1
kind: Service
metadata:
name: saplsolr
namespace: sapl
spec:
selector:
app: saplsolr
ports:
- name: solr
port: 8983
targetPort: 8983
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: solr-data
namespace: sapl
spec:
accessModes: ["ReadWriteOnce"]
storageClassName: local-path
resources:
requests:
storage: 5Gi # or 1Gi for solr-configsets
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: solr-configsets
namespace: sapl
spec:
accessModes: ["ReadWriteOnce"]
storageClassName: local-path
resources:
requests:
storage: 5Gi # or 1Gi for solr-configsets
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: saplsolr
namespace: sapl
spec:
serviceName: saplsolr
replicas: 1
selector:
matchLabels:
app: saplsolr
template:
metadata:
labels:
app: saplsolr
spec:
containers:
- name: solr
image: solr:8.11
command: ["bash","-lc","bin/solr start -c -f"]
ports:
- containerPort: 8983
volumeMounts:
- name: solr-data
mountPath: /var/solr
- name: solr-configsets
mountPath: /opt/solr/server/solr/configsets
volumes:
- name: solr-data
persistentVolumeClaim:
claimName: solr-data
- name: solr-configsets
persistentVolumeClaim:
claimName: solr-configsets
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: sapl-media
namespace: sapl
spec:
accessModes: ["ReadWriteOnce"]
storageClassName: local-path
resources:
requests:
storage: 5Gi # or 1Gi for solr-configsets
---
apiVersion: v1
kind: Service
metadata:
name: sapl
namespace: sapl
spec:
selector:
app: sapl
type: NodePort
ports:
- name: http
port: 80
targetPort: 80
nodePort: 30080
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sapl
namespace: sapl
spec:
replicas: 1
selector:
matchLabels:
app: sapl
template:
metadata:
labels:
app: sapl
spec:
containers:
- name: sapl
image: eribeiro/sapl:debug-k8s-1
ports:
- containerPort: 80
volumeMounts:
- name: data
mountPath: /var/interlegis/sapl/data
readOnly: true # secrets are always mounted read-only
volumes:
- name: data
secret:
secretName: sapl-secretkey
defaultMode: 0440 # ensures read-only
env:
- name: ADMIN_PASSWORD
value: "interlegis"
- name: ADMIN_EMAIL
value: "email@dominio.net"
- name: DEBUG
value: "False"
- name: EMAIL_PORT
value: "587"
- name: EMAIL_USE_TLS
value: "False"
- name: EMAIL_HOST
value: "smtp.dominio.net"
- name: EMAIL_HOST_USER
value: "usuariosmtp"
- name: EMAIL_SEND_USER

18
docker/startup_scripts/start.sh
View File

@ -2,12 +2,21 @@
set -Eeuo pipefail set -Eeuo pipefail
IFS=$'\n\t' IFS=$'\n\t'
APP_DIR="/var/interlegis/sapl"
DATA_DIR="/var/interlegis/sapl/data" DATA_DIR="/var/interlegis/sapl/data"
APP_DIR="/var/interlegis/sapl/sapl" MEDIA_DIR="/var/interlegis/sapl/media"
RUN_DIR="/var/interlegis/sapl/run"
ENV_FILE="$APP_DIR/.env" ENV_FILE="$APP_DIR/.env"
SECRET_FILE="$DATA_DIR/secret.key" SECRET_FILE="$DATA_DIR/secret.key"
mkdir -p "$DATA_DIR" "$APP_DIR" chown -R root:nginx "$RUN_DIR" || true
chown -R root:nginx "$MEDIA_DIR" || true
chmod -R g+rwX "$RUN_DIR" || true
chmod -R g+rwX "$MEDIA_DIR" || true
# setgid bit on our writable trees (not data/)
find "$RUN_DIR" "$MEDIA_DIR" -type d -exec chmod g+s {} + 2>/dev/null || true
log() { printf '[%s] %s\n' "$(date -Is)" "$*"; } log() { printf '[%s] %s\n' "$(date -Is)" "$*"; }
err() { printf '[%s] ERROR: %s\n' "$(date -Is)" "$*" >&2; } err() { printf '[%s] ERROR: %s\n' "$(date -Is)" "$*" >&2; }
@ -76,7 +85,6 @@ create_secret() {
SECRET_KEY="$(python3 genkey.py)" SECRET_KEY="$(python3 genkey.py)"
umask 177 umask 177
printf '%s\n' "$SECRET_KEY" > "$SECRET_FILE" printf '%s\n' "$SECRET_KEY" > "$SECRET_FILE"
chmod 600 "$SECRET_FILE"
fi fi
export SECRET_KEY export SECRET_KEY
} }
@ -225,9 +233,7 @@ fix_logging_and_socket_perms() {
# dirs # dirs
mkdir -p "$APP_DIR/run" mkdir -p "$APP_DIR/run"
chown -R root:nginx "$APP_DIR" chmod 2775 "$APP_DIR/run"
chmod 2775 "$APP_DIR" "$APP_DIR/run"
chmod -R g+rwX "$APP_DIR"
# new files/sockets → 660 # new files/sockets → 660
umask 0007 umask 0007

Write Preview
Loading…
Cancel
Save