Secure Tenancy on Kubernetes
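# Image for the Secure Tenancy proxy. The build context must contain st.tbz, the
# tarball provided by the HNY team; it is unpacked into /srv/hny and the proxy is
# started from /srv/hny/bin/honeycomb_secure_proxy.
# NOTE(review): debian stretch is end-of-life. The tarball is presumably built against
# it, so bump the base image only after confirming the shipped binaries still run.
FROM debian:stretch-slim

# bzip2 is needed to unpack st.tbz; ca-certificates and openssl are kept from the
# original image. Recommends are skipped and the apt lists are removed in the same
# layer so they never land in the image.
RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        bzip2 \
        ca-certificates \
        openssl && \
    rm -rf /var/lib/apt/lists/*

# Dedicated unprivileged account for the proxy; /srv/hny is its home directory.
RUN groupadd --system hny && \
    useradd --system --gid hny --home-dir /srv/hny --no-create-home hny

# WORKDIR creates /srv/hny if it does not exist, so no separate mkdir is needed.
WORKDIR /srv/hny

# Need to build with tarball (provided by HNY team) adjacent in docker build directory
COPY st.tbz st.tbz
# Extract and delete the tarball in one layer so the archive itself is not kept in
# the image; hand the tree to the service account afterwards.
RUN tar --strip-components 1 -xjf st.tbz && \
    rm st.tbz && \
    chown -R hny:hny /srv/hny

# Drop root for the runtime process. 8080 is unprivileged, so no capabilities are needed.
USER hny
EXPOSE 8080

# Default process; the Kubernetes manifests override it with the same path.
CMD ["/srv/hny/bin/honeycomb_secure_proxy"]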
---
# ClusterIP service in front of the proxy Deployment. Port 80 is what the example
# client calls (honeycomb-secure-tenancy/1/events/...); traffic is forwarded to the
# container's port 8080.
apiVersion: v1
kind: Service
metadata:
  name: honeycomb-secure-tenancy
  labels:
    app: honeycomb-secure-tenancy
spec:
  ports:
    - name: http
      port: 80
      targetPort: 8080
  selector:
    app: honeycomb-secure-tenancy
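---
# Proxy configuration files, projected into /srv/hny/config by the Deployment.
# The duplicated apiVersion key that was here is removed: YAML mappings must have
# unique keys and strict decoders reject the object.
apiVersion: v1
kind: ConfigMap
metadata:
  name: stconfig
data:
  # auth_token must be replaced with the value from the Honeycomb UI before applying.
  # Both files carry credentials in plain text inside a ConfigMap (the inline todos
  # below are the author's); a Secret with the same keys is the safer home for them.
  honeycomb.yml: |
    #todo: use env var from secret
    auth_token: "generated_token"
  mysql.yml: |
    user: root
    #todo: use env var from secret
    password: "dbpass"
    host: honeycomb-mysql:3306
    database: honeycomb_secure_tenancy
    maxopenconns: 100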
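---
# The Secure Tenancy proxy itself. A single replica; scale only once the MySQL
# backend is on durable storage.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: honeycomb-secure-tenancy
  labels:
    app: honeycomb-secure-tenancy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: honeycomb-secure-tenancy
  template:
    metadata:
      labels:
        app: honeycomb-secure-tenancy
    spec:
      containers:
        - name: secure-tenancy
          # NOTE(review): ":test" is a mutable tag; pin by digest for reproducible rollouts.
          image: honeycombio/secure-tenancy:test
          command: ["/srv/hny/bin/honeycomb_secure_proxy"]
          ports:
            - containerPort: 8080
          # Both files live in the one stconfig ConfigMap, so a single volume is
          # enough; each key is projected as its own file via subPath so the rest of
          # /srv/hny/config is left untouched. Note that subPath mounts are not
          # refreshed when the ConfigMap changes — restart the pod after editing it.
          volumeMounts:
            - name: stconfig
              mountPath: /srv/hny/config/honeycomb.yml
              subPath: honeycomb.yml
            - name: stconfig
              mountPath: /srv/hny/config/mysql.yml
              subPath: mysql.yml
      volumes:
        - name: stconfig
          configMap:
            name: stconfig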
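---
# Load generator used to verify the deployment: posts one event per second through
# the proxy service. Check it with: kubectl logs -l app=honeycomb-example-client
apiVersion: apps/v1
kind: Deployment
metadata:
  name: honeycomb-example-client
  labels:
    app: honeycomb-example-client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: honeycomb-example-client
  template:
    metadata:
      labels:
        app: honeycomb-example-client
    spec:
      containers:
        - name: client
          image: nathanleclaire/curl:localdev
          # $(HONEYCOMB_WRITEKEY) in args is only expanded by Kubernetes when the
          # variable exists in env; without this entry the header is sent literally.
          # The value comes from the honeycomb-writekey secret created in the
          # instructions (key "key") so the API key is never written into the manifest.
          env:
            - name: HONEYCOMB_WRITEKEY
              valueFrom:
                secretKeyRef:
                  name: honeycomb-writekey
                  key: key
          command: ["/bin/sh"]
          args: ["-c", "while true; do curl -i --header 'X-Honeycomb-Team: $(HONEYCOMB_WRITEKEY)' --data '{\"foo\": 2, \"bar\": \"spam\", \"quux\": \"useremail\"}' honeycomb-secure-tenancy/1/events/secure-tenancy-test; sleep 1; done"]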
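# One-off Job that applies the schema migrations shipped in the image (/srv/hny/migrate)
# against the honeycomb-mysql StatefulSet. Run it after MySQL is up and before the proxy.
apiVersion: batch/v1
kind: Job
metadata:
  name: honeycomb-secure-tenancy-migrate
spec:
  backoffLimit: 5
  activeDeadlineSeconds: 100
  template:
    spec:
      containers:
        - name: migrate
          image: honeycombio/secure-tenancy:test
          workingDir: /srv/hny
          command: ["/bin/migrate"]
          # $(DB_PASS) is expanded by the kubelet from the env entry below, so the
          # expanded password ends up in the container's argv (visible to anything
          # inside the container that can read /proc). tls=skip-verify disables
          # server-certificate verification on the in-cluster MySQL connection.
          args: ["-url", "root:$(DB_PASS)@tcp(honeycomb-mysql)/honeycomb_secure_tenancy?tls=skip-verify", "-path", "./migrate", "up"]
          # env must be a list of entries; the previous bare mapping here is not a
          # valid PodSpec and the API server rejects it.
          env:
            - name: DB_PASS
              valueFrom:
                secretKeyRef:
                  name: honeycomb-db-pass
                  key: password
      restartPolicy: Never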
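---
# Single-replica MySQL backing store for the proxy. The root password is read from the
# honeycomb-db-pass secret; MYSQL_DATABASE creates the schema the migrate Job fills.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: honeycomb-mysql
spec:
  selector:
    matchLabels:
      app: honeycomb-mysql
  serviceName: honeycomb-mysql
  replicas: 1
  template:
    metadata:
      labels:
        app: honeycomb-mysql
    spec:
      containers:
        - name: mysql
          # NOTE(review): "5" is a floating major tag; pin a minor version or digest so an
          # image update cannot change the server running over the existing data directory.
          image: mysql:5
          env:
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: honeycomb-db-pass
                  key: password
            - name: MYSQL_DATABASE
              value: honeycomb_secure_tenancy
          ports:
            - name: mysql
              containerPort: 3306
          volumeMounts:
            - name: data
              mountPath: /var/lib/mysql
          # config largely pulled from
          # https://kubernetes.io/docs/tasks/run-application/run-replicated-stateful-application/#deploy-mysql
          # The probes pass the password through MYSQL_PWD rather than -p$VAR: it stays out
          # of the probe process's argv, and a password containing shell metacharacters or
          # whitespace is no longer word-split by bash.
          livenessProbe:
            exec:
              command:
                - bash
                - "-c"
                - |
                  MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysqladmin ping
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
          readinessProbe:
            exec:
              command:
                - bash
                - "-c"
                - |
                  MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysql -h 127.0.0.1 -e 'SELECT 1'
            initialDelaySeconds: 5
            periodSeconds: 2
            timeoutSeconds: 1
      # todo: add backup containers
      volumes:
        # todo: this is currently set as a bind mount, but should most likely be
        # linked to a PersistentVolumeClaim for the proper environment, e.g., to a EBS
        # volume on AWS.
        # A hostPath also ties the data to whichever node the pod lands on, so a
        # reschedule to another node starts with an empty database.
        - name: data
          hostPath:
            path: /var/lib/mysql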
---
# Service giving the proxy (mysql.yml host: honeycomb-mysql:3306) and the migrate Job
# a stable name for the MySQL pod. It is also the StatefulSet's serviceName; a headless
# service (clusterIP: None) is the usual pairing there, but with replicas: 1 a plain
# ClusterIP works.
apiVersion: v1
kind: Service
metadata:
  name: honeycomb-mysql
  labels:
    app: honeycomb-mysql
spec:
  ports:
    - name: honeycomb-mysql
      port: 3306
  selector:
    app: honeycomb-mysql
Instructions:
Clone gist as repo (button at top)
Get Secure Tenancy tarball and place in cloned repo dir
Build (and push) Docker image:
$ docker build -t honeycombio/secure-tenancy:test .
$ docker push honeycombio/secure-tenancy:test
(On Kube)
Create MySQL pass secret and Honeycomb API key secret:
$ kubectl create secret generic honeycomb-db-pass \
--from-literal=password=dbpass
$ kubectl create secret generic honeycomb-writekey \
--from-literal=key=$YOUR_API_KEY
Create MySQL statefulset and service:
$ kubectl apply -f honeycomb_secure_tenancy_mysql.yaml
Run DB migrations:
$ kubectl apply -f honeycomb_secure_tenancy_migrate_job.yaml
Set auth_token (from the Honeycomb UI) in the ConfigMap in honeycomb_secure_tenancy_core.yaml
Then run Secure Tenancy itself:
$ kubectl apply -f honeycomb_secure_tenancy_core.yaml
You can test the deployment by checking the logs of the test client (honeycomb-example-client):
$ kubectl logs -l app=honeycomb-example-client
Secure Tenancy on Kubernetes - TODO
Job