Skip to content

Instantly share code, notes, and snippets.

@nathanleclaire

nathanleclaire/Dockerfile

Last active Jul 17, 2020
Embed
What would you like to do?
Secure Tenancy on Kubernetes
FROM debian:stretch-slim
RUN mkdir -p /srv/hny && \
apt-get update && \
apt-get install -y ca-certificates openssl bzip2
WORKDIR /srv/hny
# Need to build with tarball (provided by HNY team) adjacent in docker build directory
COPY st.tbz st.tbz
RUN tar --strip-components 1 -xjf st.tbz && \
rm st.tbz
---
apiVersion: v1
kind: Service
metadata:
name: honeycomb-secure-tenancy
labels:
app: honeycomb-secure-tenancy
spec:
ports:
- name: http
port: 80
targetPort: 8080
selector:
app: honeycomb-secure-tenancy
---
apiVersion: v1
kind: ConfigMap
apiVersion: v1
metadata:
name: stconfig
data:
honeycomb.yml: |
#todo: use env var from secret
auth_token: "generated_token"
mysql.yml: |
user: root
#todo: use env var from secret
password: "dbpass"
host: honeycomb-mysql:3306
database: honeycomb_secure_tenancy
maxopenconns: 100
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: honeycomb-secure-tenancy
labels:
app: honeycomb-secure-tenancy
spec:
replicas: 1
selector:
matchLabels:
app: honeycomb-secure-tenancy
template:
metadata:
labels:
app: honeycomb-secure-tenancy
spec:
containers:
- name: secure-tenancy
image: honeycombio/secure-tenancy:test
volumeMounts:
- name: stconfig
mountPath: /srv/hny/config/honeycomb.yml
subPath: honeycomb.yml
- name: stmysqlconfig
mountPath: /srv/hny/config/mysql.yml
subPath: mysql.yml
command: ["/srv/hny/bin/honeycomb_secure_proxy"]
ports:
- containerPort: 8080
volumes:
- name: stconfig
configMap:
name: stconfig
- name: stmysqlconfig
configMap:
name: stconfig
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: honeycomb-example-client
labels:
app: honeycomb-example-client
spec:
replicas: 1
selector:
matchLabels:
app: honeycomb-example-client
template:
metadata:
labels:
app: honeycomb-example-client
spec:
containers:
- name: client
image: nathanleclaire/curl:localdev
command: ["/bin/sh"]
args: ["-c", "while true; do curl -i --header 'X-Honeycomb-Team: $(HONEYCOMB_WRITEKEY)' --data '{\"foo\": 2, \"bar\": \"spam\", \"quux\": \"useremail\"}' honeycomb-secure-tenancy/1/events/secure-tenancy-test; sleep 1; done"]
apiVersion: batch/v1
kind: Job
metadata:
name: honeycomb-secure-tenancy-migrate
spec:
backoffLimit: 5
activeDeadlineSeconds: 100
template:
spec:
containers:
- name: migrate
image: honeycombio/secure-tenancy:test
workingDir: /srv/hny
command: ["/bin/migrate"]
args: ["-url", "root:$(DB_PASS)@tcp(honeycomb-mysql)/honeycomb_secure_tenancy?tls=skip-verify", "-path", "./migrate", "up"]
env:
name: DB_PASS
valueFrom:
secretKeyRef:
name: honeycomb-db-pass
key: password
restartPolicy: Never
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: honeycomb-mysql
spec:
selector:
matchLabels:
app: honeycomb-mysql
serviceName: honeycomb-mysql
replicas: 1
template:
metadata:
labels:
app: honeycomb-mysql
spec:
containers:
- name: mysql
image: mysql:5
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: honeycomb-db-pass
key: password
- name: MYSQL_DATABASE
value: honeycomb_secure_tenancy
ports:
- name: mysql
containerPort: 3306
volumeMounts:
- name: data
mountPath: /var/lib/mysql
# config largely pulled from
# https://kubernetes.io/docs/tasks/run-application/run-replicated-stateful-application/#deploy-mysql
livenessProbe:
exec:
command:
- bash
- "-c"
- |
mysqladmin ping -p$MYSQL_ROOT_PASSWORD
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
readinessProbe:
exec:
command:
- bash
- "-c"
- |
mysql -h 127.0.0.1 -e 'SELECT 1' -p$MYSQL_ROOT_PASSWORD
initialDelaySeconds: 5
periodSeconds: 2
timeoutSeconds: 1
# todo: add backup containers
volumes:
# todo: this is currently set as a bind mount, but should most likely be
# linked to a PersistentVolumeClaim for the proper environment, e.g., to a EBS
# volume on AWS.
- name: data
hostPath:
path: /var/lib/mysql
---
apiVersion: v1
kind: Service
metadata:
name: honeycomb-mysql
labels:
app: honeycomb-mysql
spec:
ports:
- name: honeycomb-mysql
port: 3306
selector:
app: honeycomb-mysql
@nathanleclaire

This comment has been minimized.

Copy link
Owner Author

@nathanleclaire nathanleclaire commented Apr 30, 2020

Secure Tenancy on Kubernetes - TODO

  • need to update init container for migrations to a Job
@nathanleclaire

This comment has been minimized.

Copy link
Owner Author

@nathanleclaire nathanleclaire commented Apr 30, 2020

instructions:

Clone gist as repo (button at top)

Get Secure Tenancy tarball and place in cloned repo dir

Build (and push) Docker image:

$ docker build -t honeycombio/secure-tenancy:test .
$ docker push honeycombio/secure-tenancy:test

(On Kube)

Create MySQL pass secret and Honeycomb API key secret:

$ kubectl create secret generic honeycomb-db-pass \
        --from-literal=password=dbpass
$ kubectl create secret generic honeycomb-writekey \
        --from-literal=key=$YOUR_API_KEY

Create MySQL statefulset and service:

$ kubectl apply -f honeycomb_secure_tenancy_mysql.yaml

Run DB migrations:

$ kubectl apply -f honeycomb_secure_tenancy_migrate_job.yaml

Set auth_token (from Honeycomb UI) in ConfigMap in honeycomb_secure_tenancy_core.yaml

Then Run the Secure Tenancy itself:

$ kubectl apply -f honeycomb_secure_tenancy_core.yaml

You can test the deployment by checking the logs in the test client (honeycomb-example-client)

$ kubectl logs -l app=honeycomb-example-client
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment