Secure Tenancy on Kubernetes
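# syntax=docker/dockerfile:1
# Runtime image for Honeycomb Secure Tenancy. The application is shipped as a
# vendor-provided tarball (st.tbz) that has to sit next to this Dockerfile in the
# build context; it is unpacked into /srv/hny (bin/honeycomb_secure_proxy, ...).
#
# NOTE(review): pin the base by digest (debian:stretch-slim@sha256:...) for a
# reproducible build, and note that Debian stretch is past end-of-life, so it no
# longer receives security updates; moving to a supported release should be
# checked against the tarball's library requirements.
FROM debian:stretch-slim

# Optional supply-chain check for the vendor tarball. Pass the SHA-256 the HNY
# team publishes with:  docker build --build-arg ST_SHA256=<hex> .
# Left empty, the check is skipped so the original build flow still works.
ARG ST_SHA256=""

# ca-certificates/openssl: TLS at runtime. bzip2: required to unpack st.tbz.
# update + install in one layer, no recommends, apt lists removed in the same
# layer so they do not persist in the image.
RUN apt-get update && apt-get install -y --no-install-recommends \
        bzip2 \
        ca-certificates \
        openssl \
    && rm -rf /var/lib/apt/lists/*

# Unprivileged runtime account with a fixed numeric UID so Kubernetes
# runAsNonRoot / runAsUser checks can verify it.
RUN groupadd --system --gid 10001 hny \
    && useradd --system --uid 10001 --gid hny --home-dir /srv/hny \
               --shell /usr/sbin/nologin hny

# WORKDIR creates /srv/hny; no separate mkdir is needed.
WORKDIR /srv/hny

# Need to build with tarball (provided by HNY team) adjacent in docker build directory.
# Copy, verify (when a checksum was supplied), extract and delete in ONE layer so
# the archive itself never ends up in an image layer.
COPY st.tbz st.tbz
RUN if [ -n "${ST_SHA256}" ]; then echo "${ST_SHA256}  st.tbz" | sha256sum -c -; fi \
    && tar --strip-components 1 -xjf st.tbz \
    && rm st.tbz \
    && chown -R hny:hny /srv/hny

# The proxy listens on 8080 (matches containerPort in the Kubernetes
# Deployment). EXPOSE is documentation only; it publishes nothing.
EXPOSE 8080

# Drop root for everything that runs from this image (proxy and migrate Job).
USER hny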
---
# ClusterIP front door for the Secure Tenancy proxy: in-cluster clients talk to
# honeycomb-secure-tenancy:80, which is forwarded to the pod's 8080.
# The hop is plain HTTP, so the X-Honeycomb-Team write key that clients send
# crosses the cluster network unencrypted -- acceptable only on a trusted
# network (or behind a mesh / TLS-terminating ingress).
apiVersion: v1
kind: Service
metadata:
  labels:
    app: honeycomb-secure-tenancy
  name: honeycomb-secure-tenancy
spec:
  # Defaults spelled out: cluster-internal only, TCP.
  type: ClusterIP
  selector:
    app: honeycomb-secure-tenancy
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080
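---
# Runtime configuration for the Secure Tenancy proxy. Each key is mounted as a
# separate file under /srv/hny/config/ via subPath (see the Deployment below).
#
# SECURITY: honeycomb.yml and mysql.yml hold credentials (auth_token and the
# MySQL root password). ConfigMaps are stored in plaintext and readable by any
# principal with `get configmaps` in the namespace. This object should be a
# `kind: Secret` carrying the same two entries under `stringData:` -- a drop-in
# change once the Deployment's volume sources are switched from `configMap:` to
# `secret:`. It stays a ConfigMap here only because the Deployment in this file
# mounts it as one. `user: root` should likewise become a dedicated DB account
# limited to the honeycomb_secure_tenancy database.
#
# Fix: the original declared `apiVersion: v1` twice in this document; duplicate
# mapping keys are rejected by kubectl's YAML decoder.
apiVersion: v1
kind: ConfigMap
metadata:
  name: stconfig
data:
  honeycomb.yml: |
    #todo: use env var from secret
    auth_token: "generated_token"
  mysql.yml: |
    user: root
    #todo: use env var from secret
    password: "dbpass"
    host: honeycomb-mysql:3306
    database: honeycomb_secure_tenancy
    maxopenconns: 100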
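---
# Secure Tenancy proxy Deployment. Configuration files come from the `stconfig`
# ConfigMap; one volume is mounted twice with subPath so each file lands at its
# own path (the original declared two volumes backed by the same ConfigMap).
# Note: subPath mounts are not refreshed when the ConfigMap changes -- roll the
# pods after editing it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: honeycomb-secure-tenancy
  labels:
    app: honeycomb-secure-tenancy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: honeycomb-secure-tenancy
  template:
    metadata:
      labels:
        app: honeycomb-secure-tenancy
    spec:
      # Run unprivileged regardless of the image's USER. The tarball is unpacked
      # by root at build time, so /srv/hny must be readable by this UID --
      # confirm the proxy needs no write access under /srv/hny before relying
      # on this (readOnlyRootFilesystem is left off for the same reason).
      securityContext:
        runAsUser: 10001
        runAsGroup: 10001
        runAsNonRoot: true
      containers:
        - name: secure-tenancy
          # NOTE(review): `:test` is a mutable tag; pin to a digest
          # (image@sha256:...) before this handles production traffic.
          image: honeycombio/secure-tenancy:test
          command: ["/srv/hny/bin/honeycomb_secure_proxy"]
          ports:
            - name: http
              containerPort: 8080
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - name: stconfig
              mountPath: /srv/hny/config/honeycomb.yml
              subPath: honeycomb.yml
            - name: stconfig
              mountPath: /srv/hny/config/mysql.yml
              subPath: mysql.yml
      volumes:
        - name: stconfig
          configMap:
            name: stconfig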
---
# Test client: loops forever POSTing one test event per second to the proxy
# Service (honeycomb-secure-tenancy/1/events/secure-tenancy-test) and prints the
# response headers with `curl -i`. Check its logs to verify the deployment.
#
# NOTE(review): `$(HONEYCOMB_WRITEKEY)` relies on Kubernetes variable expansion,
# which only substitutes names declared under `env`; this pod declares none, so
# the header is sent with the literal text `$(HONEYCOMB_WRITEKEY)` (the single
# quotes also keep the shell from touching it). An `env` entry sourcing the
# write key from the API-key Secret created in the instructions is needed for
# the test to authenticate. `nathanleclaire/curl:localdev` is a personal,
# unpinned image -- swap for a vetted curl image in anything beyond a demo.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: honeycomb-example-client
  name: honeycomb-example-client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: honeycomb-example-client
  template:
    metadata:
      labels:
        app: honeycomb-example-client
    spec:
      containers:
        - name: client
          image: nathanleclaire/curl:localdev
          command:
            - /bin/sh
          args:
            - "-c"
            - "while true; do curl -i --header 'X-Honeycomb-Team: $(HONEYCOMB_WRITEKEY)' --data '{\"foo\": 2, \"bar\": \"spam\", \"quux\": \"useremail\"}' honeycomb-secure-tenancy/1/events/secure-tenancy-test; sleep 1; done"
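# One-shot schema migration for the Secure Tenancy database. Runs from the same
# image as the proxy and must finish before the proxy Deployment is applied.
#
# Fix: `env` was written as a bare mapping (`env:` followed directly by
# `name:`); the API expects a list of EnvVar objects, so the original manifest
# is rejected by kubectl. Each entry now starts with `- name:`.
apiVersion: batch/v1
kind: Job
metadata:
  name: honeycomb-secure-tenancy-migrate
spec:
  backoffLimit: 5
  activeDeadlineSeconds: 100
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: migrate
          image: honeycombio/secure-tenancy:test
          workingDir: /srv/hny
          # NOTE(review): the Dockerfile unpacks the tarball under /srv/hny and
          # the proxy binary is at /srv/hny/bin/..., so confirm that /bin/migrate
          # is the right path (it may need to be /srv/hny/bin/migrate).
          command: ["/bin/migrate"]
          # $(DB_PASS) is expanded by Kubernetes from the env entry below, so the
          # password is not written into this manifest; the expanded value is
          # still visible in the container's command line on the node.
          # `tls=skip-verify` encrypts the MySQL connection but does not verify
          # the server certificate, so anyone able to impersonate the
          # honeycomb-mysql Service inside the cluster can intercept it.
          # Migrations also run as the MySQL root user.
          args: ["-url", "root:$(DB_PASS)@tcp(honeycomb-mysql)/honeycomb_secure_tenancy?tls=skip-verify", "-path", "./migrate", "up"]
          env:
            - name: DB_PASS
              valueFrom:
                secretKeyRef:
                  name: honeycomb-db-pass
                  key: password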
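---
# Single-instance MySQL backing the Secure Tenancy proxy.
# config largely pulled from
# https://kubernetes.io/docs/tasks/run-application/run-replicated-stateful-application/#deploy-mysql
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: honeycomb-mysql
spec:
  selector:
    matchLabels:
      app: honeycomb-mysql
  serviceName: honeycomb-mysql
  # Must stay at 1 while the data volume is a hostPath: a second replica on the
  # same node would share the directory, on another node it would start empty.
  replicas: 1
  template:
    metadata:
      labels:
        app: honeycomb-mysql
    spec:
      containers:
        - name: mysql
          # NOTE(review): `mysql:5` floats across minor releases; pin a specific
          # version (or digest) so the on-disk format does not change under an
          # unplanned upgrade.
          image: mysql:5
          env:
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: honeycomb-db-pass
                  key: password
            - name: MYSQL_DATABASE
              value: honeycomb_secure_tenancy
          ports:
            - name: mysql
              containerPort: 3306
          volumeMounts:
            - name: data
              mountPath: /var/lib/mysql
          # Probes authenticate through MYSQL_PWD instead of
          # `-p$MYSQL_ROOT_PASSWORD`: the password no longer appears on the
          # command line, where any process on the node can read it from
          # /proc/<pid>/cmdline, and quoting keeps passwords with spaces or
          # shell metacharacters intact (the unquoted original would word-split).
          livenessProbe:
            exec:
              command:
                - bash
                - "-c"
                - |
                  MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysqladmin ping
            initialDelaySeconds: 30
            periodSeconds: 10
            timeoutSeconds: 5
          readinessProbe:
            exec:
              command:
                - bash
                - "-c"
                - |
                  MYSQL_PWD="$MYSQL_ROOT_PASSWORD" mysql -h 127.0.0.1 -e 'SELECT 1'
            initialDelaySeconds: 5
            periodSeconds: 2
            timeoutSeconds: 1
      # todo: add backup containers
      volumes:
        # todo: this is currently set as a bind mount, but should most likely be
        # linked to a PersistentVolumeClaim for the proper environment, e.g., to a EBS
        # volume on AWS.
        # SECURITY: hostPath gives this pod direct read/write access to
        # /var/lib/mysql on whichever node schedules it, outside any storage
        # quota or access control, and the data follows the node rather than the
        # pod. Replace with volumeClaimTemplates before any multi-node use.
        - name: data
          hostPath:
            path: /var/lib/mysql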
---
# Service the StatefulSet's serviceName points at; the proxy (mysql.yml) and the
# migration Job reach the database as honeycomb-mysql:3306.
# NOTE(review): it is reachable from every pod in the cluster -- nothing in
# these manifests (no NetworkPolicy) limits access to the proxy and migration
# pods.
apiVersion: v1
kind: Service
metadata:
  labels:
    app: honeycomb-mysql
  name: honeycomb-mysql
spec:
  # Defaults spelled out: cluster-internal, TCP, targetPort equal to port.
  type: ClusterIP
  selector:
    app: honeycomb-mysql
  ports:
    - name: honeycomb-mysql
      protocol: TCP
      port: 3306
      targetPort: 3306
instructions:
Clone gist as repo (button at top)
Get Secure Tenancy tarball and place in cloned repo dir
Build (and push) Docker image:
(On Kube)
Create the MySQL password Secret and the Honeycomb API key Secret (the manifests reference the MySQL one as `honeycomb-db-pass`, key `password`):
Create MySQL statefulset and service:
Run DB migrations:
Set auth_token (from the Honeycomb UI) in the `stconfig` ConfigMap in
honeycomb_secure_tenancy_core.yaml. ConfigMap contents are stored in plaintext, so treat the token (and the DB password in mysql.yml) as a Secret: restrict who can read ConfigMaps in this namespace, or convert the object to a `kind: Secret`.
Then Run the Secure Tenancy itself:
You can test the deployment by tailing the logs of the test client Deployment (
honeycomb-example-client
), which POSTs a test event to the proxy once per second and prints the response headers.