Open msz13 opened 2 years ago
basic version: 1 server and 2 agents
production version: 3 servers
full-blown version: 3 servers - 2 vCPU, 4 GB; 4 agents - 1 VPS each, 2 GB
I also have two AMD instances, 1/4 core and 1 GB memory
complex network: https://docs.oracle.com/en-us/iaas/Content/Resources/Assets/whitepapers/using-oci-load-balancing-with-wordpress.pdf
load balancer: https://docs.oracle.com/en-us/iaas/Content/GSG/Tasks/loadbalancing.htm
access through a bastion: https://blogs.oracle.com/cloudsecurity/post/secure-access-with-oci-bastion
https://docs.oracle.com/en-us/iaas/Content/Security/Reference/compute_security.htm
https://medium.com/oracledevs/k3s-on-oci-a-kubernetes-cluster-in-under-5-mins-d7c194c19d59 https://github.com/k8s-at-home/awesome-home-kubernetes
k3s production https://digitalis.io/blog/kubernetes/k3s-lightweight-kubernetes-made-ready-for-production-part-1/
k3s cluster with k3os https://github.com/r0b2g1t/k3s-cluster-on-oracle-cloud-infrastructure
available to the administrator at kube.admin.zapisywarka.pl; monitoring: grafana.admin.zapisywarka.pl; database: postgres.admin.zapisywarka.pl
two routes:
options:
Architecture:
k3s terraform module
inputs: oci provider, node pool, k3s agents, number of agent nodes, number of server nodes, public ports - 6443, 80, 443, domain name
output
deployment api
variants:
single-node cluster
3-node cluster - servers - k3s
3-node cluster - oce
Add iptables rule
```sh
# the sed `i` command takes the text to insert as-is: no trailing "/" after ACCEPT
sed '/-A INPUT -j REJECT --reject-with icmp-host-prohibited/i -A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT' rules.v4.bak | sudo tee /etc/iptables/rules.v4 >/dev/null
sudo iptables-restore < /etc/iptables/rules.v4
```
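The sed one-liner above depends on the REJECT line being present and inserts the rule again on every run. The script below is an added example, not code from the issue, that does the same edit on an iptables-save dump but only once, refuses a file without the REJECT anchor, and carries a constructed rules file (modelled on the Oracle Linux default that the REJECT rule comes from) so it can be tried offline. Remember that on OCI the VCN security list or NSG must also allow the port; the host firewall is only one of the two filters.

```sh
#!/bin/sh
# Added example, not code from the issue: insert an ACCEPT rule for one TCP port
# into an iptables-save dump just before the INPUT chain's catch-all REJECT,
# idempotently, and refuse to touch a file that has no REJECT line to anchor on.

REJECT_RULE='-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# accept_rule PORT: print the rule line that opens PORT for new TCP connections
accept_rule() {
    printf '%s\n' "-A INPUT -p tcp -m state --state NEW -m tcp --dport $1 -j ACCEPT"
}

# rule_line FILE RULE: 1-based line number of the first exact match, empty if absent
rule_line() {
    grep -nxF -- "$2" "$1" | head -n 1 | cut -d: -f1
}

# add_accept_rule FILE PORT: rewrite FILE so PORT is accepted before the REJECT.
# Returns 0 when the rule is present afterwards (added now or already there),
# 1 when FILE has no REJECT anchor (guessing a position would be unsafe).
add_accept_rule() {
    file=$1
    rule=$(accept_rule "$2")
    if grep -qxF -- "$rule" "$file"; then
        return 0                                    # already present: nothing to do
    fi
    if ! grep -qxF -- "$REJECT_RULE" "$file"; then
        return 1                                    # no anchor: refuse rather than guess
    fi
    tmp=$(mktemp) || return 1
    # awk rather than sed: the rule text needs no delimiter escaping, and the
    # insertion is tied to an exact-line match, not a regex
    awk -v rule="$rule" -v reject="$REJECT_RULE" '
        $0 == reject { print rule }                 # emit ACCEPT just above the REJECT
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# make_sample_rules FILE: write a constructed rules.v4 resembling the Oracle Linux
# default (SSH open, everything else rejected); sample input for the functions above
make_sample_rules() {
    cat > "$1" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# On the real host (as root), after keeping a backup:
#   cp /etc/iptables/rules.v4 /etc/iptables/rules.v4.bak
#   add_accept_rule /etc/iptables/rules.v4 8080 && iptables-restore < /etc/iptables/rules.v4
```

Because the match is an exact line rather than a regex, a rules file that was already edited by hand (different comment, different reject target) makes the function return 1 instead of silently appending the ACCEPT after the REJECT, where it would never be reached.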
Structure
dev, staging
dev: deploy infra - helmfile, wrestle with raw manifests, template
deploy api - deploy operator, database, dotnet app; deploy infra sh script: helm install stackgres ..
deploy api and server
TODO
in the dev environment and in the staging environment
To decide: how to do helm variants
Application components
• Zapisywarka-rejestracja
• Zapisywarka-api
• Postgresql
Differences
Postgresql
Staging
• Cert manager
• Clusterissuer
• Sealed secrets??
• ImagePullSecret
• Grafana agent?
Preview
• Cert manager
• Clusterissuer
• Sealed secrets??
• ImagePullSecret
Dependency structure
Shared resources: Postgresql password and username, imagePull secrets, cert manager issuer
Question: how will the application be deployed?
```yaml
{{- define "test" }}
{{- $randomVal := randAlphaNum 12 -}}
{{- printf "%s" $randomVal -}}
{{- end }}
---
apiVersion: stackgres.io/v1
kind: SGCluster
metadata:
  # randAlphaNum is re-evaluated on every render, so each `helm upgrade` would
  # create a new SGCluster and drop the previous one; fine for a throwaway test only
  name: {{ template "test" . }}
spec:
  instances: {{ .Values.instances | default 1 }}
  postgres:
    version: {{ .Values.pgVersion | default "latest" | quote }}
  pods:
    persistentVolume:
      # `required` takes the error message first, then the value
      size: {{ required "storageSize is required" .Values.storageSize }}
---
```
```yaml
---
instances: 1
pgVersion: 14
storageSize: 2Gi
```
Plain helm releases
Dependency structure
Criteria: speed of creation, ease of use, simplicity, functionality. Helmfile vs argo
helmfile - create the file and the configuration, install helmfile locally; argo -
```yaml
#staging
#production
releaseName: prod-zapisywarka
global:
  registry: ghcr.io
  imagePullSecrets: ghcr-cred
  domain: test.zapisywarka.pl
  certyficateIssuerRef:
    type: Cluster
  ssl:
    enable: true
    issuer: ACME - prod
db-cluster:
  name: zapisywarka-db
  profile: 'small'
  storageSize: '2Gi'
  webUi:
    ingress:
      domainPrefix: postgres-admin.pr-34567.zapisywarka.pl
  database:
    users:
      - name: dbowner
        roles: [pg_db_owner ....]
        secretName: zapisywarka-db-dbowner
      - name: dbuser
        roles: [...]
        secretName: zapisywarka-db-dbuser   # must match the secretRef used by zapisywarka-api below
image:
  repository: ghcr.io/msz13
secrets:
  imagePullSecrets:
    user: msz13
    auth: xxx   # registry token; a plain values file in git is not the place for the real one
zapisywarka-api:
  #nameOverride: api
  needs: ..
  ingress:
    domainPrefix: api
    tls:
      - hosts:
          - api.zapisywarka.pl
        secretName:
  image:
    tag: "123"
  replicas: 2
  env:
    DB_CONNECTION:
      secretRef: zapisywarka-db-dbuser
  ..
zapisywarka-rejestracja:
  db_migration:
    filePaths: "/ss"
    env:
      DB_CONNECTION:
        secretRef:
  db_migration:
    enable: false
    filePaths: "/ss"
    env:
      DB_CONNECTION:
        secretRef:
zapisywarka-rejestracja:
  hostNamePrefix: api
  image:
    registry:
    repository:
    tag:
  enableMonitoring: true
```
dev environment:
db migrations variants
TODO:
Labels
applications: zapisywarka-api, zapisywarka-rejestracja, zapisywarka-db
postgresql-cluster part of: zapisywarka
```yaml
app.kubernetes.io/name: aspnet-co
app.kubernetes.io/instance: zapisywarka-api
app.kubernetes.io/version: "4.9.4"
app.kubernetes.io/managed-by: helm
app.kubernetes.io/component: server
app.kubernetes.io/part-of: zapisywarka
```
name: zapisywarka-api, instance: staging-1
Install environment
```yaml
repositories:
releases:
  - name: stackgres-operator
    chart: stackgres-charts/stackgres-operator
  - name: postgresql-cluster
  - name: zapisywarka-api
  - name: zapisywarka-rejestracja
environments:
  dev:
```
```yaml
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: {{ .Values.issuerName }}
spec:
  acme:
    # The ACME server URL
    server: {{ .Values.server }}
    # Email address used for ACME registration
    email: {{ .Values.email }}
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: {{ .Values.issuerSecret }}
    # Enable the HTTP-01 challenge provider
    solvers:
      - http01:
          ingress:
            class: {{ .Values.ingressClass }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: acme-crt
spec:
  secretName: {{ .Values.certyficateSecret }}
  dnsNames:
    {{- .Values.hostNames | toYaml | nindent 4 }}
  issuerRef:
    name: {{ .Values.issuerName }}
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: ClusterIssuer
    group: cert-manager.io
```
oracle container engine
```yaml
---
{{- define "webservice.imagePullSecrets" -}}
{{- /* global wins over the chart-local value; `default dict` keeps this from failing when .Values.global is absent */ -}}
{{- $pullSecrets := (.Values.global | default dict).imagePullSecrets | default .Values.imagePullSecrets -}}
{{- if $pullSecrets -}}
imagePullSecrets:
  - name: {{ $pullSecrets }}
{{- end }}
{{- end }}
```
example:
```yaml
spec:
  template:
    spec:
      {{- include "webservice.imagePullSecrets" . | nindent 6 }}
      containers:
```
local workflow
ci/cd workflow, local workflow
Components
• app
  o Webservice
  o Task
  o imagePullSecret
• Infrastructure
  o Cert issuer
  o Imagepull secrets
```yaml
extraDeploy: |
  apiVersion: bitnami.com/v1alpha1
  kind: SealedSecret
  metadata:
    name: mysecret
    namespace: mynamespace
    annotations:
      # copied from `kubectl get -o yaml` output; not needed in a manifest you apply
      "kubectl.kubernetes.io/last-applied-configuration": ....
  spec:
    encryptedData:
      .dockerconfigjson: AgBy3i4OJSWK+PiTySYZZA9rO43cGDEq.....
    template:
      type: kubernetes.io/dockerconfigjson
      metadata:
        labels:
          "jenkins.io/credentials-type": usernamePassword
        annotations:
          "jenkins.io/credentials-description": credentials from Kubernetes
```
How to add a single resource to an app:
• extra deploy
• template with the secret and values
• chart referencing a sub-chart with the full resources added in the template
• flux cd
  o kustomization
  o release namespace
  o sealed secret – dockerconfigjson
  o kubectl apply namespace, docker config json
  o helm release
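The SealedSecret above only shows the encrypted end of the pipeline. What goes into kubeseal is an ordinary kubernetes.io/dockerconfigjson Secret, and it is worth seeing how little protection that plain form offers, which is the reason for sealing it before it touches git. The script below is an added example, not code from the issue or from the Sealed Secrets project; it builds that plain Secret for the ghcr-cred name and mynamespace namespace used on this page, and the token value is constructed. It assumes the registry, user and token contain no `"` or `\` and that a `base64` binary is on PATH.

```sh
#!/bin/sh
# Added example, not code from the issue: build the kubernetes.io/dockerconfigjson
# Secret for a registry pull token as plain text, ready to pipe into kubeseal.
# Assumptions: registry/user/token contain no '"' or '\', and GNU or BSD base64 is on PATH.

# make_dockerconfigjson REGISTRY USER TOKEN: the JSON kubelet reads; "auth" is
# base64("USER:TOKEN"), the same layout `kubectl create secret docker-registry` writes
make_dockerconfigjson() {
    auth=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
    printf '{"auths":{"%s":{"username":"%s","password":"%s","auth":"%s"}}}' "$1" "$2" "$3" "$auth"
}

# dockerconfigjson_secret NAME NAMESPACE REGISTRY USER TOKEN: a plain Secret manifest.
# Base64 is encoding, not encryption: this output *is* the token and must never be
# committed; it exists only to be piped into kubeseal.
dockerconfigjson_secret() {
    data=$(make_dockerconfigjson "$3" "$4" "$5" | base64 | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: $data
EOF
}

# secret_credentials MANIFEST: recover "USER:TOKEN" from a manifest produced above,
# i.e. what anyone who can read the plain Secret (or the git history) gets
secret_credentials() {
    printf '%s\n' "$1" \
        | sed -n 's/^  \.dockerconfigjson: //p' \
        | base64 -d \
        | sed 's/.*"auth":"\([^"]*\)".*/\1/' \
        | base64 -d
}

# Typical use (kubeseal and its controller are outside this example):
#   dockerconfigjson_secret ghcr-cred mynamespace ghcr.io msz13 "$GHCR_TOKEN" \
#     | kubeseal --format yaml > ghcr-cred.sealed.yaml      # commit only this file
```

`secret_credentials` is the attacker's view: two `base64 -d` calls turn the "secret" back into `user:token`, so the plain manifest should be generated in the pipeline (or with `kubectl create secret docker-registry ... --dry-run=client -o yaml`) and discarded once the SealedSecret exists. The SealedSecret's `template` section is where the type and the labels from the page above belong; kubeseal copies them into the sealed object.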
```sh
# PROJECT must be set in an earlier command, or ${PROJECT} expands to nothing in the export
export PROJECT=test1
export ${PROJECT}_IMAGE="TESTVALUE"
echo $test1_IMAGE
```
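Setting `${PROJECT}_IMAGE` works because the name is expanded before `export` runs; reading it back by a name that is itself in a variable needs an indirect lookup, and in a CI script that lookup is usually done with `eval`, which executes whatever the project name contains. The script below is an added example, not code from the issue; it goes a little beyond the one-liner above by adding a fallback to the generic name and a default, and by validating the variable name so `eval` cannot run anything smuggled in through PROJECT. It runs under POSIX sh, not only bash.

```sh
#!/bin/sh
# Added example, not code from the issue: read a per-project variable such as
# ${PROJECT}_IMAGE indirectly, falling back to the generic name and then to a default.
# eval is used for the indirect lookup so this works in POSIX sh; the name check
# keeps eval from executing anything other than a variable reference.

# var_name_ok NAME: 0 if NAME is a valid shell identifier, 1 otherwise
var_name_ok() {
    case $1 in
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# project_var PROJECT NAME [DEFAULT]: print ${PROJECT}_NAME if non-empty,
# else $NAME if non-empty, else DEFAULT. Returns 2 on an unsafe name.
project_var() {
    specific="${1}_${2}"
    var_name_ok "$specific" || { echo "project_var: invalid name '$specific'" >&2; return 2; }
    var_name_ok "$2"        || { echo "project_var: invalid name '$2'" >&2; return 2; }
    eval "value=\${$specific:-}"          # safe: $specific matched [A-Za-z_][A-Za-z0-9_]*
    if [ -z "$value" ]; then
        eval "value=\${$2:-}"             # generic fallback, e.g. IMAGE
    fi
    printf '%s\n' "${value:-$3}"
}

# project_key NAME: normalize a repo or branch name ("zapisywarka-api") into a
# usable prefix ("ZAPISYWARKA_API") so project_var can be fed straight from CI
project_key() {
    printf '%s\n' "$1" | tr 'a-z' 'A-Z' | sed 's/[^A-Z0-9_]/_/g'
}

# Example (assumed names): IMAGE=$(project_var "$(project_key zapisywarka-api)" IMAGE ghcr.io/msz13/zapisywarka-api)
```

Without `var_name_ok`, a PROJECT of `x; rm -rf .` taken from a branch name or a pull-request title would be executed by the `eval`; with it, the call fails with status 2 and the pipeline stops.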
To do:
Server-side MVC; Dotnet-Api – served in dotnet; SPA, backend served separately; database
Development environment: Docker + docker database
Run script (run database, migrate, serve); Docker compose (run database, migrate, run docker); managed by test containers
Staging environment
Deploying front, deploying backend, deploying database schema
Description
Requirements:
Phase two, production environment: requirements
tasks:
how to split it? use ready-made modules after modification? k3os?