@nathanleclaire
Last active July 17, 2020 21:02
Secure Tenancy on Kubernetes
FROM debian:stretch-slim
RUN mkdir -p /srv/hny && \
    apt-get update && \
    apt-get install -y ca-certificates openssl bzip2
WORKDIR /srv/hny
# Need to build with tarball (provided by HNY team) adjacent in docker build directory
COPY st.tbz st.tbz
RUN tar --strip-components 1 -xjf st.tbz && \
    rm st.tbz
---
apiVersion: v1
kind: Service
metadata:
  name: honeycomb-secure-tenancy
  labels:
    app: honeycomb-secure-tenancy
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  selector:
    app: honeycomb-secure-tenancy
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: stconfig
data:
  honeycomb.yml: |
    #todo: use env var from secret
    auth_token: "generated_token"
  mysql.yml: |
    user: root
    #todo: use env var from secret
    password: "dbpass"
    host: honeycomb-mysql:3306
    database: honeycomb_secure_tenancy
    maxopenconns: 100
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: honeycomb-secure-tenancy
  labels:
    app: honeycomb-secure-tenancy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: honeycomb-secure-tenancy
  template:
    metadata:
      labels:
        app: honeycomb-secure-tenancy
    spec:
      containers:
      - name: secure-tenancy
        image: honeycombio/secure-tenancy:test
        volumeMounts:
        - name: stconfig
          mountPath: /srv/hny/config/honeycomb.yml
          subPath: honeycomb.yml
        - name: stmysqlconfig
          mountPath: /srv/hny/config/mysql.yml
          subPath: mysql.yml
        command: ["/srv/hny/bin/honeycomb_secure_proxy"]
        ports:
        - containerPort: 8080
      volumes:
      - name: stconfig
        configMap:
          name: stconfig
      - name: stmysqlconfig
        configMap:
          name: stconfig
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: honeycomb-example-client
  labels:
    app: honeycomb-example-client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: honeycomb-example-client
  template:
    metadata:
      labels:
        app: honeycomb-example-client
    spec:
      containers:
      - name: client
        image: nathanleclaire/curl:localdev
        # $(HONEYCOMB_WRITEKEY) in args is only expanded by Kubernetes when the
        # variable is declared in env; it is read from the honeycomb-writekey
        # secret created in the instructions below.
        env:
        - name: HONEYCOMB_WRITEKEY
          valueFrom:
            secretKeyRef:
              name: honeycomb-writekey
              key: key
        command: ["/bin/sh"]
        args: ["-c", "while true; do curl -i --header 'X-Honeycomb-Team: $(HONEYCOMB_WRITEKEY)' --data '{\"foo\": 2, \"bar\": \"spam\", \"quux\": \"useremail\"}' honeycomb-secure-tenancy/1/events/secure-tenancy-test; sleep 1; done"]
apiVersion: batch/v1
kind: Job
metadata:
  name: honeycomb-secure-tenancy-migrate
spec:
  backoffLimit: 5
  activeDeadlineSeconds: 100
  template:
    spec:
      containers:
      - name: migrate
        image: honeycombio/secure-tenancy:test
        workingDir: /srv/hny
        command: ["/bin/migrate"]
        args: ["-url", "root:$(DB_PASS)@tcp(honeycomb-mysql)/honeycomb_secure_tenancy?tls=skip-verify", "-path", "./migrate", "up"]
        # env is a list; the entry needs the leading "- " or the manifest is rejected
        env:
        - name: DB_PASS
          valueFrom:
            secretKeyRef:
              name: honeycomb-db-pass
              key: password
      restartPolicy: Never
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: honeycomb-mysql
spec:
  selector:
    matchLabels:
      app: honeycomb-mysql
  serviceName: honeycomb-mysql
  replicas: 1
  template:
    metadata:
      labels:
        app: honeycomb-mysql
    spec:
      containers:
      - name: mysql
        image: mysql:5
        env:
        - name: MYSQL_ROOT_PASSWORD
          valueFrom:
            secretKeyRef:
              name: honeycomb-db-pass
              key: password
        - name: MYSQL_DATABASE
          value: honeycomb_secure_tenancy
        ports:
        - name: mysql
          containerPort: 3306
        volumeMounts:
        - name: data
          mountPath: /var/lib/mysql
        # config largely pulled from
        # https://kubernetes.io/docs/tasks/run-application/run-replicated-stateful-application/#deploy-mysql
        livenessProbe:
          exec:
            command:
            - bash
            - "-c"
            - |
              mysqladmin ping -p$MYSQL_ROOT_PASSWORD
          initialDelaySeconds: 30
          periodSeconds: 10
          timeoutSeconds: 5
        readinessProbe:
          exec:
            command:
            - bash
            - "-c"
            - |
              mysql -h 127.0.0.1 -e 'SELECT 1' -p$MYSQL_ROOT_PASSWORD
          initialDelaySeconds: 5
          periodSeconds: 2
          timeoutSeconds: 1
      # todo: add backup containers
      volumes:
      # todo: this is currently set as a bind mount, but should most likely be
      # linked to a PersistentVolumeClaim for the proper environment, e.g., to a EBS
      # volume on AWS.
      - name: data
        hostPath:
          path: /var/lib/mysql
---
apiVersion: v1
kind: Service
metadata:
  name: honeycomb-mysql
  labels:
    app: honeycomb-mysql
spec:
  ports:
  - name: honeycomb-mysql
    port: 3306
  selector:
    app: honeycomb-mysql
nathanleclaire commented Apr 30, 2020

Secure Tenancy on Kubernetes - TODO

  • need to update init container for migrations to a Job

@nathanleclaire

Instructions:

Clone gist as repo (button at top)

Get Secure Tenancy tarball and place in cloned repo dir

Build (and push) Docker image:

$ docker build -t honeycombio/secure-tenancy:test .
$ docker push honeycombio/secure-tenancy:test

(On Kube)

Create MySQL pass secret and Honeycomb API key secret:

$ kubectl create secret generic honeycomb-db-pass \
        --from-literal=password=dbpass
$ kubectl create secret generic honeycomb-writekey \
        --from-literal=key=$YOUR_API_KEY

Create MySQL statefulset and service:

$ kubectl apply -f honeycomb_secure_tenancy_mysql.yaml

Run DB migrations:

$ kubectl apply -f honeycomb_secure_tenancy_migrate_job.yaml

Set auth_token (from Honeycomb UI) in ConfigMap in honeycomb_secure_tenancy_core.yaml

Then run Secure Tenancy itself:

$ kubectl apply -f honeycomb_secure_tenancy_core.yaml

You can test the deployment by checking the logs of the test client (honeycomb-example-client):

$ kubectl logs -l app=honeycomb-example-client
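The two `#todo: use env var from secret` comments in the `stconfig` ConfigMap mark the weak spot of this setup: the MySQL root password and the Honeycomb auth token are stored in a ConfigMap, which is readable by anyone with `get configmaps` in the namespace and is not covered by the RBAC rules or encryption-at-rest configuration that teams typically apply to Secrets. The following is an added example, not part of the gist: the same two files move into a Secret and are mounted at the same paths, so the proxy binary and its config format need no change. The Secret name `stconfig-secret`, the `PLACEHOLDER_...` values and the `defaultMode` are assumptions; the password must match the one in the `honeycomb-db-pass` secret used by the Job and the StatefulSet.

```yaml
# Added example (not from the gist): credentials live in a Secret, mounted at
# the same paths the proxy already reads, replacing the stconfig ConfigMap.
apiVersion: v1
kind: Secret
metadata:
  name: stconfig-secret
type: Opaque
stringData:                     # plain text on input; the API stores it under data:
  honeycomb.yml: |
    auth_token: "PLACEHOLDER_TOKEN_FROM_HONEYCOMB_UI"
  mysql.yml: |
    user: root
    password: "PLACEHOLDER_SAME_VALUE_AS_honeycomb-db-pass"
    host: honeycomb-mysql:3306
    database: honeycomb_secure_tenancy
    maxopenconns: 100
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: honeycomb-secure-tenancy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: honeycomb-secure-tenancy
  template:
    metadata:
      labels:
        app: honeycomb-secure-tenancy
    spec:
      containers:
      - name: secure-tenancy
        image: honeycombio/secure-tenancy:test
        command: ["/srv/hny/bin/honeycomb_secure_proxy"]
        ports:
        - containerPort: 8080
        # one Secret volume mounted twice with subPath, same paths as before
        volumeMounts:
        - name: stconfig
          mountPath: /srv/hny/config/honeycomb.yml
          subPath: honeycomb.yml
        - name: stconfig
          mountPath: /srv/hny/config/mysql.yml
          subPath: mysql.yml
      volumes:
      - name: stconfig
        secret:
          secretName: stconfig-secret
          defaultMode: 0400     # owner-read only inside the container (assumed)
```

Note that subPath mounts are not refreshed when the Secret changes, so rotating the token or password requires restarting the pod; the manifest in version control now carries only placeholders, and the real values are created with `kubectl create secret` on the cluster.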
