Merge pull request #80 from mgueury/main

NoSQL + K8s CertManager/External DNS
oracle-devrel · Feb 7, 2024 · fa213f0 · fa213f0
2 parents cffc787 + 0eba2f4
commit fa213f0
Show file tree

Hide file tree

Showing 71 changed files with 1,146 additions and 1,202 deletions.
diff --git a/basis/bin/auto_env.sh b/basis/bin/auto_env.sh
@@ -1,8 +1,12 @@
 #!/bin/bash
 
-# Enable BASH history for Stack Trace. But do not store it.
-set -o history -o histexpand
-unset HISTFILE
+# Enable BASH history for Stack Trace.
+# - Do not store in HISTFILE 
+# - Do not use it when env.sh is called from bash directly.
+if [ "$0" != "-bash" ]; then
+  unset HISTFILE
+  set -o history -o histexpand
+fi
 
 if [[ -z "${BIN_DIR}" ]]; then
   export BIN_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
@@ -133,6 +137,11 @@ else
     export KUBECONFIG=$TARGET_DIR/kubeconfig_starter
   fi
 
+  if [ "$TF_VAR_db_type" == "nosql" ]; then
+    # export TF_VAR_nosql_endpoint="nosql.${TF_VAR_region}.oci.oraclecloud.com"
+    export TF_VAR_nosql_endpoint=`oci nosql table list --compartment-id $TF_VAR_compartment_ocid -d 2>&1 | grep "Endpoint: https" | sed "s#.* https:\/\/##" | sed "s#/.*##"`
+  fi
+
   # OpenAPI Spec
   if [ -f $PROJECT_DIR/src/app/openapi_spec.yaml ]; then
     export TF_VAR_openapi_spec=$(cat $PROJECT_DIR/src/app/openapi_spec.yaml)
@@ -263,8 +272,10 @@ if [ -f $STATE_FILE ]; then
   if [ "$TF_VAR_deploy_type" == "kubernetes" ] || [ -f $PROJECT_DIR/src/terraform/oke.tf ]; then
     # OKE
     get_output_from_tfstate "OKE_OCID" "oke_ocid"
-    export TF_VAR_ingress_ip=`kubectl get service -n ingress-nginx ingress-nginx-controller -o jsonpath="{.status.loadBalancer.ingress[0].ip}"`
-    export INGRESS_LB_OCID=`oci lb load-balancer list --compartment-id $TF_VAR_compartment_ocid | jq -r '.data[] | select(.["ip-addresses"][0]["ip-address"]=="'$TF_VAR_ingress_ip'") | .id'`  
+    if [ -f $KUBECONFIG ]; then
+      export TF_VAR_ingress_ip=`kubectl get service -n ingress-nginx ingress-nginx-controller -o jsonpath="{.status.loadBalancer.ingress[0].ip}"`
+      export INGRESS_LB_OCID=`oci lb load-balancer list --compartment-id $TF_VAR_compartment_ocid | jq -r '.data[] | select(.["ip-addresses"][0]["ip-address"]=="'$TF_VAR_ingress_ip'") | .id'`  
+    fi
   fi
 
   # JMS

diff --git a/basis/bin/done.sh b/basis/bin/done.sh
@@ -24,11 +24,6 @@ if [ ! -z "$UI_URL" ]; then
       kubectl get all
       sleep 5
     fi
-    if [ "$TF_VAR_deploy_type" == "compute" ]; then
-      # Get the compute logs
-      scp -r -o StrictHostKeyChecking=no -i $TF_VAR_ssh_private_path opc@$COMPUTE_IP:/home/opc/*.log target/.
-      scp -r -o StrictHostKeyChecking=no -i $TF_VAR_ssh_private_path opc@$COMPUTE_IP:/home/opc/app/*.log target/.
-    fi 
 
     # Retry several time. Needed for ORDS or Go or Tomcat that takes more time to start
     x=1
@@ -57,6 +52,12 @@ if [ ! -z "$UI_URL" ]; then
       rm /tmp/cookie.txt
     fi  
     curl $UI_URL/app/info -b /tmp/cookie.txt -c /tmp/cookie.txt -L --retry 5 --retry-max-time 20 -D /tmp/result_info.log > /tmp/result.info
+
+    if [ "$TF_VAR_deploy_type" == "compute" ]; then
+      # Get the compute logs
+      scp -r -o StrictHostKeyChecking=no -i $TF_VAR_ssh_private_path opc@$COMPUTE_IP:/home/opc/*.log target/.
+      scp -r -o StrictHostKeyChecking=no -i $TF_VAR_ssh_private_path opc@$COMPUTE_IP:/home/opc/app/*.log target/.
+    fi 
   fi
   if [ "$TF_VAR_ui_type" != "api" ]; then
     echo - User Interface: $UI_URL/

diff --git a/basis/bin/shared_bash_function.sh b/basis/bin/shared_bash_function.sh
@@ -107,7 +107,7 @@ error_exit() {
   echo
   LEN=${#BASH_LINENO[@]}
   printf "%-40s %-10s %-20s\n" "STACK TRACE"  "LINE" "FUNCTION"
-  for (( INDEX=0; INDEX<$LEN; INDEX++ ))
+  for (( INDEX=${LEN}-1; INDEX>=0; INDEX--))
   do
      printf "   %-37s %-10s %-20s\n" ${BASH_SOURCE[${INDEX}]#$PROJECT_DIR/}  ${BASH_LINENO[$(($INDEX-1))]} ${FUNCNAME[${INDEX}]}
   done
@@ -520,15 +520,17 @@ certificate_dir_before_terraform() {
 
 # Certificate - Post Deploy
 certificate_post_deploy() {
-  if [ "$TF_VAR_deploy_type" == "kubernetes" ]; then
+  if [ "$TF_VAR_tls" == "new_http_01" ]; then
+    if [ "$TF_VAR_deploy_type" == "compute" ]; then
+      certificate_run_certbot_http_01
+    elif [ "$TF_VAR_deploy_type" == "kubernetes" ]; then
+      echo "Skip: TLS - Kubernetes - HTTP_01"
+    fi
+  elif [ "$TF_VAR_deploy_type" == "kubernetes"  ]; then
     # Set the TF_VAR_ingress_ip
     get_ui_url 
     src/terraform/apply.sh --auto-approve -no-color
     exit_on_error
-  elif [ "$TF_VAR_tls" == "new_http_01" ]; then
-    if [ "$TF_VAR_deploy_type" == "compute" ]; then
-      certificate_run_certbot_http_01
-    fi
   fi  
 }
 

diff --git a/basis/src/app/app.j2.yaml b/basis/src/app/app.j2.yaml
@@ -28,14 +28,6 @@ spec:
             secretKeyRef:
               name: {{ prefix }}-db-secret
               key: jdbc_url
-{%- else %}        
-{%- if java_framework == "springboot" %}
-        - name: SPRING_APPLICATION_JSON
-          valueFrom:
-            secretKeyRef:
-              name: {{ prefix }}-db-secret
-              key: spring_application_json
-{%- endif %}        
 {%- endif %}
         - name: JDBC_URL
           valueFrom:
@@ -48,7 +40,7 @@ spec:
             secretKeyRef:
               name: {{ prefix }}-db-secret
               key: db_url
-{%- endif %}        
+{%- endif %}      
         - name: DB_USER
           valueFrom:
             secretKeyRef:
@@ -62,7 +54,19 @@ spec:
         - name: POD_IP
           valueFrom:
             fieldRef:
-              fieldPath: status.podIP              
+              fieldPath: status.podIP
+{%- if db_type == "nosql" %}
+        - name: TF_VAR_compartment_ocid
+          valueFrom:
+            secretKeyRef:
+              name: {{ prefix }}-db-secret
+              key: TF_VAR_compartment_ocid
+        - name: TF_VAR_nosql_endpoint
+          valueFrom:
+            secretKeyRef:
+              name: {{ prefix }}-db-secret
+              key: TF_VAR_nosql_endpoint
+{%- endif %}
       imagePullSecrets:
       - name: ocirsecret        
 ---

diff --git a/option/oke/ingress-app.j2.yaml b/option/oke/ingress-app.j2.yaml
@@ -0,0 +1,47 @@
+# Use 2 Ingress since the parameter replacement work differently in NGINX for / and /app (see annotation)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ##PREFIX##-app-ingress
+  annotations:
+{%- if language == "apex" %}     
+    nginx.ingress.kubernetes.io/rewrite-target: /ords/r/apex_app/apex_app/$2
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    nginx.ingress.kubernetes.io/upstream-vhost: "##ORDS_HOST##"
+{%- elif language == "ords" %}     
+    nginx.ingress.kubernetes.io/rewrite-target: /ords/starter/module/$2
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+    nginx.ingress.kubernetes.io/upstream-vhost: "##ORDS_HOST##"
+{%- elif language == "java" and java_framework == "tomcat" %}     
+    nginx.ingress.kubernetes.io/rewrite-target: /starter-1.0/$2   
+{%- else %}    
+    nginx.ingress.kubernetes.io/rewrite-target: /$2    
+{%- endif %} 
+    # nginx.ingress.kubernetes.io/affinity: "cookie"   
+    # nginx.ingress.kubernetes.io/session-cookie-path: "/"    
+spec:
+  ingressClassName: nginx
+{%- if tls == "new_http_01" %}     
+  tls:
+  - hosts:
+    - ##DNS_NAME##
+    secretName: ##PREFIX##-tls-secret  
+  rules:
+    - host: ##DNS_NAME##
+      http:
+{%- else %}    
+  rules:
+    - http:
+{%- endif %} 
+        paths:
+          - path: /##PREFIX##/app(/|$)(.*)
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: ##PREFIX##-app-service
+                port:
+{%- if language in [ "apex", "ords" ] %}     
+                  number: 443
+{%- else %}    
+                  number: 80
+{%- endif %} 
diff --git a/option/oke/ingress-app.yaml b/option/oke/ingress-app.yaml
diff --git a/option/oke/ingress-ui.j2.yaml b/option/oke/ingress-ui.j2.yaml
@@ -0,0 +1,39 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ##PREFIX##-ui-ingress
+  annotations:
+    nginx.ingress.kubernetes.io/rewrite-target: /$2   
+    # nginx.ingress.kubernetes.io/affinity: "cookie"   
+    # nginx.ingress.kubernetes.io/session-cookie-path: "/"    
+{%- if tls == "new_http_01" %}  
+    cert-manager.io/issuer: "letsencrypt-prod"
+    # Logs: 
+    # - kubectl get certificate
+    # - kubectl get certificaterequest
+    # - kubectl describe issuer letsencrypt-prod   
+    external-dns.alpha.kubernetes.io/hostname: ##DNS_NAME##
+    # Logs: kubectl logs external-dns-xxxx
+{%- endif %}    
+spec:
+  ingressClassName: nginx
+{%- if tls == "new_http_01" %}     
+  tls:
+  - hosts:
+    - ##DNS_NAME##
+    secretName: ##PREFIX##-tls-secret  
+  rules:
+    - host: ##DNS_NAME##
+      http:
+{%- else %}    
+  rules:
+    - http:
+{%- endif %}    
+        paths:
+          - path: /##PREFIX##(/|$)(.*)
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: ##PREFIX##-ui-service
+                port:
+                  number: 80
diff --git a/option/oke/ingress-ui.yaml b/option/oke/ingress-ui.yaml
diff --git a/option/oke/oke_deploy.sh b/option/oke/oke_deploy.sh
@@ -13,10 +13,35 @@ if [ ! -f $KUBECONFIG ]; then
 
   # Deploy Latest ingress-nginx
   kubectl create clusterrolebinding starter_clst_adm --clusterrole=cluster-admin --user=$TF_VAR_user_ocid
-  LATEST_INGRESS_CONTROLLER=`curl --silent "https://api.github.com/repos/kubernetes/ingress-nginx/releases/latest" | jq -r .name`
-  echo LATEST_INGRESS_CONTROLLER=$LATEST_INGRESS_CONTROLLER
-  kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/$LATEST_INGRESS_CONTROLLER/deploy/static/provider/cloud/deploy.yaml
-
+  # LATEST_INGRESS_CONTROLLER=`curl --silent "https://api.github.com/repos/kubernetes/ingress-nginx/releases/latest" | jq -r .name`
+  # echo LATEST_INGRESS_CONTROLLER=$LATEST_INGRESS_CONTROLLER
+  # kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/$LATEST_INGRESS_CONTROLLER/deploy/static/provider/cloud/deploy.yaml
+  if [ "$TF_VAR_tls" == "new_http_01" ]; then
+    helm install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx \
+    --namespace ingress-nginx \
+    --create-namespace \
+    --set controller.enableExternalDNS=true 
+
+    # ccm-letsencrypt-prod.yaml
+    sed "s&##CERTIFICATE_EMAIL##&${TF_VAR_certificate_email}&" src/oke/tls/ccm-letsencrypt-prod.yaml > $TARGET_DIR/ccm-letsencrypt-prod.yaml
+    kubectl apply -f $TARGET_DIR/ccm-letsencrypt-prod.yaml
+    sed "s&##CERTIFICATE_EMAIL##&${TF_VAR_certificate_email}&" src/oke/tls/ccm-letsencrypt-staging.yaml > $TARGET_DIR/ccm-letsencrypt-staging.yaml
+    kubectl apply -f $TARGET_DIR/ccm-letsencrypt-staging.yaml
+
+    # external-dns-config.yaml
+    sed "s&##COMPARTMENT_OCID##&${TF_VAR_compartment_ocid}&" src/oke/tls//external-dns-config.yaml > $TARGET_DIR/external-dns-config.yaml
+    kubectl create secret generic external-dns-config --from-file=$TARGET_DIR/external-dns-config.yaml
+
+    # external-dns.yaml
+    sed "s&##COMPARTMENT_OCID##&${TF_VAR_compartment_ocid}&" src/oke/tls/external-dns.yaml > $TARGET_DIR/external-dns.yaml
+    sed "s&##REGION##&${TF_VAR_region}&" $TARGET_DIR/external-dns.yaml > $TARGET_DIR/external-dns-config.yaml
+    kubectl apply -f $TARGET_DIR/external-dns.yaml
+  else
+    helm install ingress-nginx ingress-nginx --repo https://kubernetes.github.io/ingress-nginx \
+    --namespace ingress-nginx \
+    --create-namespace 
+  fi
+
   # Wait for the deployment
   echo "Waiting for Ingress Controller Pods..."
   kubectl wait --namespace ingress-nginx --for=condition=ready pod --selector=app.kubernetes.io/component=controller --timeout=600s
@@ -41,13 +66,20 @@ if [ ! -f $KUBECONFIG ]; then
   kubectl create secret docker-registry ocirsecret --docker-server=$TF_VAR_ocir --docker-username="$TF_VAR_namespace/$TF_VAR_username" --docker-password="$TF_VAR_auth_token" --docker-email="$TF_VAR_email"
   # XXXX - This should be by date 
   kubectl delete secret ${TF_VAR_prefix}-db-secret  --ignore-not-found=true
-  kubectl create secret generic ${TF_VAR_prefix}-db-secret --from-literal=db_user=$TF_VAR_db_user --from-literal=db_password=$TF_VAR_db_password --from-literal=db_url=$DB_URL --from-literal=jdbc_url=$JDBC_URL --from-literal=spring_application_json='{ "db.info": "Java - SpringBoot" }'
+  kubectl create secret generic ${TF_VAR_prefix}-db-secret --from-literal=db_user=$TF_VAR_db_user --from-literal=db_password=$TF_VAR_db_password --from-literal=db_url=$DB_URL --from-literal=jdbc_url=$JDBC_URL --from-literal=TF_VAR_compartment_ocid=$TF_VAR_compartment_ocid --from-literal=TF_VAR_nosql_endpoint=$TF_VAR_nosql_endpoint
 fi
 
 # Using & as separator
 sed "s&##DOCKER_PREFIX##&${DOCKER_PREFIX}&" src/app/app.yaml > $TARGET_DIR/app.yaml
 sed "s&##DOCKER_PREFIX##&${DOCKER_PREFIX}&" src/ui/ui.yaml > $TARGET_DIR/ui.yaml
 cp src/oke/ingress-app.yaml $TARGET_DIR/ingress-app.yaml
+cp src/oke/ingress-ui.yaml $TARGET_DIR/ingress-ui.yaml
+
+# TLS - Domain Name
+if [ "$TF_VAR_tls" == "new_http_01" ]; then
+  sed -i "s&##DNS_NAME##&$TF_VAR_dns_name&" $TARGET_DIR/ingress-app.yaml
+  sed -i "s&##DNS_NAME##&$TF_VAR_dns_name&" $TARGET_DIR/ingress-ui.yaml
+fi
 
 # If present, replace the ORDS URL
 if [ "$ORDS_URL" != "" ]; then
@@ -66,5 +98,5 @@ kubectl wait --for=delete deployment/${TF_VAR_prefix}-dep --timeout=30s
 kubectl apply -f $TARGET_DIR/app.yaml
 kubectl apply -f $TARGET_DIR/ui.yaml
 kubectl apply -f $TARGET_DIR/ingress-app.yaml
-kubectl apply -f src/oke/ingress-ui.yaml
+kubectl apply -f $TARGET_DIR/ingress-ui.yaml
 
diff --git a/option/oke/oke_destroy.sh b/option/oke/oke_destroy.sh
@@ -33,5 +33,6 @@ fi
 kubectl delete ingress,services --all
 
 # Delete the ingress controller
-kubectl delete -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.4.0/deploy/static/provider/cloud/deploy.yaml
+helm uninstall ingress-nginx --namespace ingress-nginx
+# kubectl delete -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.4.0/deploy/static/provider/cloud/deploy.yaml
 
diff --git a/option/oke/tls/ccm-letsencrypt-prod.yaml b/option/oke/tls/ccm-letsencrypt-prod.yaml
@@ -0,0 +1,21 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    # XXXXX
+    email: ##CERTIFICATE_EMAIL##
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            class: nginx
+            # in 1.13
+            # ingressClassName: nginx
diff --git a/option/oke/tls/ccm-letsencrypt-staging.yaml b/option/oke/tls/ccm-letsencrypt-staging.yaml
@@ -0,0 +1,18 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: ##CERTIFICATE_EMAIL##
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: nginx
diff --git a/option/oke/tls/external-dns-config.yaml b/option/oke/tls/external-dns-config.yaml
@@ -0,0 +1,5 @@
+auth:
+  region: ##REGION##
+  useWorkloadIdentity: true
+compartment: ##COMPARMENT_OCID##
+