From 9330a3ec89dbe3a61851bd345c25ea51690243a9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20N=C3=A9grier?= Date: Fri, 11 Jun 2021 11:57:27 +0200 Subject: [PATCH 1/9] Installing Wildcard certificate in CD environments Because we are limited to 50 domain names per week with Let's encrypt, the continuous delivery environment is pretty fast failing to get new certificates. We need to download a Wilcard certificate instead for the CD environments. --- .github/workflows/build-and-deploy.yml | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml index 3e4b0fff..8c726d7b 100644 --- a/.github/workflows/build-and-deploy.yml +++ b/.github/workflows/build-and-deploy.yml @@ -149,6 +149,21 @@ jobs: # Create a slugified value of the branch - uses: rlespinasse/github-slug-action@3.1.0 + - name: Write certificate + run: echo "${CERTS_PRIVATE_KEY}" > secret.key + env: + CERTS_PRIVATE_KEY: ${{ secrets.CERTS_PRIVATE_KEY }} + + - name: Download certificate + run: mkdir secrets && scp -i secret.key ubuntu@cert.workadventu.re:./config/live/workadventu.re/* secrets/ + + - name: Install certificates in namespace + uses: steebchen/kubectl@v1.0.0 + env: + KUBE_CONFIG_DATA: ${{ secrets.KUBE_CONFIG_FILE }} + with: + args: -n workadventure-${{ github.event_name == 'pull_request' && env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }} create secret tls certificate-tls --key="secrets/privkey.pem" --cert="secrets/fullchain.pem" + - name: Deploy uses: thecodingmachine/deeployer-action@master env: From 8b5055c7ef91035f9dacee6421e2aab6d1b75b51 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20N=C3=A9grier?= Date: Fri, 11 Jun 2021 14:06:08 +0200 Subject: [PATCH 2/9] Disabling host check (not a big deal since we are only downloading files from the host) --- .github/workflows/build-and-deploy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
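Review bot: The `Download certificate` and `Install certificates in namespace` steps copy the private key from `config/live/workadventu.re/` into the per-branch namespace `workadventure-<slug>` on every run, so anyone who can read Secrets in any CD namespace, or push a same-repository pull request that reaches this job, obtains a key that — if this is the wildcard for the apex zone, as the commit message and the `live/workadventu.re` path suggest — is valid for every `*.workadventu.re` host; since the environments live under `*.test.workadventu.re`, a wildcard issued for that subdomain alone would keep the blast radius to the CD environments. `secret.key` and `secrets/` are also left in the workspace for the following `Deploy` step and anything else that runs on this runner; add a final step `- name: Remove key material` / `if: always()` / `run: rm -rf secret.key secrets`. `steebchen/kubectl@v1.0.0` receives the kubeconfig secret and is pinned to a mutable tag; pin it to a commit SHA like the other third-party actions should be. The job definition continues outside the hunk.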
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml index 8c726d7b..22c42ec5 100644 --- a/.github/workflows/build-and-deploy.yml +++ b/.github/workflows/build-and-deploy.yml @@ -155,7 +155,7 @@ jobs: CERTS_PRIVATE_KEY: ${{ secrets.CERTS_PRIVATE_KEY }} - name: Download certificate - run: mkdir secrets && scp -i secret.key ubuntu@cert.workadventu.re:./config/live/workadventu.re/* secrets/ + run: mkdir secrets && scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i secret.key ubuntu@cert.workadventu.re:./config/live/workadventu.re/* secrets/ - name: Install certificates in namespace uses: steebchen/kubectl@v1.0.0 From c07d54f4c3c9a8efed95e94d82634236967ac51a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20N=C3=A9grier?= Date: Fri, 11 Jun 2021 14:13:23 +0200 Subject: [PATCH 3/9] Fixing key access rights --- .github/workflows/build-and-deploy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml index 22c42ec5..27d895e1 100644 --- a/.github/workflows/build-and-deploy.yml +++ b/.github/workflows/build-and-deploy.yml @@ -155,7 +155,7 @@ jobs: CERTS_PRIVATE_KEY: ${{ secrets.CERTS_PRIVATE_KEY }} - name: Download certificate - run: mkdir secrets && scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i secret.key ubuntu@cert.workadventu.re:./config/live/workadventu.re/* secrets/ + run: mkdir secrets && scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i secret.key ubuntu@cert.workadventu.re:./config/live/workadventu.re/* secrets/ && chmod 0600 secrets/* - name: Install certificates in namespace uses: steebchen/kubectl@v1.0.0 From 83089f11975082c96887665c87adec2ce8dfd2f2 Mon Sep 17 00:00:00 2001 
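Review bot: `-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null` on the `Download certificate` line removes the only check that the runner is talking to cert.workadventu.re, and the reasoning in the commit message does not hold: the files fetched here become the TLS private key and chain installed as `certificate-tls` by the next step, and older scp clients let the server side choose which file names get written into `secrets/`, so a host that can answer for that name (DNS or route hijack) can feed the deployment whatever it likes. The host key of cert.workadventu.re does not change between runs, so pin it instead of ignoring it: keep the `ssh-keyscan` line in a repository secret, write it to a known_hosts file and point scp at that file. With the entry in place `StrictHostKeyChecking=yes` fails closed on a mismatch rather than open.
```yaml
- name: Download certificate
  run: |
    echo "${CERTS_HOST_KEY}" > "${PWD}/known_hosts"
    mkdir secrets && scp -o StrictHostKeyChecking=yes -o UserKnownHostsFile="${PWD}/known_hosts" -i secret.key ubuntu@cert.workadventu.re:./config/live/workadventu.re/* secrets/
  env:
    # one `ssh-keyscan cert.workadventu.re` line, captured once and reviewed, not fetched at run time
    CERTS_HOST_KEY: ${{ secrets.CERTS_HOST_KEY }}
```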
From: =?UTF-8?q?David=20N=C3=A9grier?= Date: Fri, 11 Jun 2021 14:25:02 +0200 Subject: [PATCH 4/9] Fixing key access rights --- .github/workflows/build-and-deploy.yml | 4 +-- deeployer.libsonnet | 35 +++++++++++++------------- 2 files changed, 19 insertions(+), 20 deletions(-) diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml index 27d895e1..b01b2b64 100644 --- a/.github/workflows/build-and-deploy.yml +++ b/.github/workflows/build-and-deploy.yml @@ -150,12 +150,12 @@ jobs: - uses: rlespinasse/github-slug-action@3.1.0 - name: Write certificate - run: echo "${CERTS_PRIVATE_KEY}" > secret.key + run: echo "${CERTS_PRIVATE_KEY}" > secret.key && chmod 0600 secret.key env: CERTS_PRIVATE_KEY: ${{ secrets.CERTS_PRIVATE_KEY }} - name: Download certificate - run: mkdir secrets && scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i secret.key ubuntu@cert.workadventu.re:./config/live/workadventu.re/* secrets/ && chmod 0600 secrets/* + run: mkdir secrets && scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i secret.key ubuntu@cert.workadventu.re:./config/live/workadventu.re/* secrets/* - name: Install certificates in namespace uses: steebchen/kubectl@v1.0.0 diff --git a/deeployer.libsonnet b/deeployer.libsonnet index f9dd87bd..40da555d 100644 --- a/deeployer.libsonnet +++ b/deeployer.libsonnet @@ -11,8 +11,7 @@ "back1": { "image": "thecodingmachine/workadventure-back:"+tag, "host": { - "url": "api1."+url, - "https": "enable", + "url": "api1-"+url, "containerPort": 8080 }, "ports": [8080, 50051], @@ -30,8 +29,7 @@ "back2": { "image": "thecodingmachine/workadventure-back:"+tag, "host": { - "url": "api2."+url, - "https": "enable", + "url": "api2-"+url, "containerPort": 8080 }, "ports": [8080, 50051], @@ -50,8 +48,7 @@ "replicas": 2, "image": "thecodingmachine/workadventure-pusher:"+tag, "host": { - "url": "pusher."+url, - "https": "enable" + "url": "pusher-"+url, }, "ports": [8080], "env": { 
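Review bot: `echo "${CERTS_PRIVATE_KEY}" > secret.key && chmod 0600 secret.key` creates the file under the runner's default umask and only then tightens it; create it restricted from the start with `run: (umask 077 && echo "${CERTS_PRIVATE_KEY}" > secret.key)` and the `chmod` is no longer needed. The other changed line turns the scp destination into `secrets/*` — not a valid target before the copy has run — and drops the `chmod 0600 secrets/*` that the previous commit added, so the downloaded `privkey.pem` keeps whatever mode scp gives it; keep the destination `secrets/` and the `&& chmod 0600 secrets/*` clause. The step name `Write certificate` is also misleading, as the file is the SSH private key used to reach the certificate host; `- name: Write SSH key for certificate host` says what it does.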
@@ -68,27 +65,25 @@ "front": { "image": "thecodingmachine/workadventure-front:"+tag, "host": { - "url": "play."+url, - "https": "enable" + "url": "play-"+url, }, "ports": [80], "env": { - "PUSHER_URL": "//pusher."+url, - "UPLOADER_URL": "//uploader."+url, + "PUSHER_URL": "//pusher-"+url, + "UPLOADER_URL": "//uploader-"+url, "ADMIN_URL": "//"+url, "JITSI_URL": env.JITSI_URL, "SECRET_JITSI_KEY": env.SECRET_JITSI_KEY, "TURN_SERVER": "turn:coturn.workadventu.re:443,turns:coturn.workadventu.re:443", "JITSI_PRIVATE_MODE": if env.SECRET_JITSI_KEY != '' then "true" else "false", - "START_ROOM_URL": "/_/global/maps."+url+"/Floor0/floor0.json" + "START_ROOM_URL": "/_/global/maps-"+url+"/Floor0/floor0.json" //"GA_TRACKING_ID": "UA-10196481-11" } }, "uploader": { "image": "thecodingmachine/workadventure-uploader:"+tag, "host": { - "url": "uploader."+url, - "https": "enable", + "url": "uploader-"+url, "containerPort": 8080 }, "ports": [8080], @@ -98,16 +93,12 @@ "maps": { "image": "thecodingmachine/workadventure-maps:"+tag, "host": { - "url": "maps."+url, - "https": "enable" + "url": "maps-"+url }, "ports": [80] }, }, "config": { - "https": { - "mail": "d.negrier@thecodingmachine.com" - }, k8sextension(k8sConf):: k8sConf + { back1+: { @@ -122,6 +113,14 @@ } } } + }, + ingress+: { + spec+: { + tls+: [{ + hosts: ["api1-"+url], + secretName: "certificate-tls" + }] + } } }, back2+: { From 9b985a2a0c70e6d6b5142efe18f2c25d5e970290 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20N=C3=A9grier?= Date: Fri, 11 Jun 2021 14:37:43 +0200 Subject: [PATCH 5/9] Providing Base 64 config file --- .github/workflows/build-and-deploy.yml | 2 +- deeployer.libsonnet | 50 ++++++++++++++++++++++++-- 2 files changed, 49 insertions(+), 3 deletions(-) diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml index b01b2b64..14af5cfe 100644 --- a/.github/workflows/build-and-deploy.yml +++ b/.github/workflows/build-and-deploy.yml 
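Review bot: The `ingress+: { spec+: { tls+: [{ secretName: "certificate-tls" }] } }` override added under `back1+` relies on a Secret that this file never creates — it only exists because the `Install certificates in namespace` workflow step puts it there — and nothing in the file records that coupling, nor why every host in this hunk changed from `api1.<url>` to `api1-<url>` (presumably because a wildcard certificate matches a single DNS label). A comment above the override would stop the next person from re-adding the removed `"https": "enable"` blocks: `// TLS comes from the Secret "certificate-tls", created per namespace by .github/workflows/build-and-deploy.yml; a wildcard cert covers one label only, hence "name-"+url rather than "name."+url.` The `k8sextension` function that holds this override starts and ends outside the hunk.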
@@ -160,7 +160,7 @@ jobs: - name: Install certificates in namespace uses: steebchen/kubectl@v1.0.0 env: - KUBE_CONFIG_DATA: ${{ secrets.KUBE_CONFIG_FILE }} + KUBE_CONFIG_DATA: ${{ secrets.KUBE_CONFIG_FILE_BASE64 }} with: args: -n workadventure-${{ github.event_name == 'pull_request' && env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }} create secret tls certificate-tls --key="secrets/privkey.pem" --cert="secrets/fullchain.pem" diff --git a/deeployer.libsonnet b/deeployer.libsonnet index 40da555d..8d9c2bfd 100644 --- a/deeployer.libsonnet +++ b/deeployer.libsonnet @@ -135,6 +135,14 @@ } } } + }, + ingress+: { + spec+: { + tls+: [{ + hosts: ["api2-"+url], + secretName: "certificate-tls" + }] + } } }, pusher+: { @@ -149,8 +157,46 @@ } } } - } - } + }, + ingress+: { + spec+: { + tls+: [{ + hosts: ["pusher-"+url], + secretName: "certificate-tls" + }] + } + } + }, + front+: { + ingress+: { + spec+: { + tls+: [{ + hosts: ["play-"+url], + secretName: "certificate-tls" + }] + } + } + }, + uploader+: { + ingress+: { + spec+: { + tls+: [{ + hosts: ["uploader-"+url], + secretName: "certificate-tls" + }] + } + } + }, + maps+: { + ingress+: { + spec+: { + tls+: [{ + hosts: ["maps-"+url], + secretName: "certificate-tls" + }] + } + } + }, } } } From a6effe0a29dda8ce762e9ef55df212c18d80131d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20N=C3=A9grier?= Date: Fri, 11 Jun 2021 14:44:23 +0200 Subject: [PATCH 6/9] Fixing scp --- .github/workflows/build-and-deploy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml index 14af5cfe..8049ea03 100644 --- a/.github/workflows/build-and-deploy.yml +++ b/.github/workflows/build-and-deploy.yml 
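Review bot: The six `ingress+: { spec+: { tls+: [{ hosts: [...], secretName: "certificate-tls" }] } }` blocks added for `back2`, `pusher`, `front`, `uploader` and `maps` are identical apart from the host string, which is the kind of repetition jsonnet exists to remove and makes a future change to the secret name a six-place edit. A local helper above `k8sextension`, `local tlsIngress(host) = { ingress+: { spec+: { tls+: [{ hosts: [host], secretName: "certificate-tls" }] } } };`, reduces each service to one line such as `front+: tlsIngress("play-"+url),`. The enclosing `k8sextension` function begins outside the hunk.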
@@ -155,7 +155,7 @@ jobs: CERTS_PRIVATE_KEY: ${{ secrets.CERTS_PRIVATE_KEY }} - name: Download certificate - run: mkdir secrets && scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i secret.key ubuntu@cert.workadventu.re:./config/live/workadventu.re/* secrets/* + run: mkdir secrets && scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i secret.key ubuntu@cert.workadventu.re:./config/live/workadventu.re/* secrets/ - name: Install certificates in namespace uses: steebchen/kubectl@v1.0.0 From 2260f772a756ff8e8c507829eb9f220f9118f729 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20N=C3=A9grier?= Date: Fri, 11 Jun 2021 14:52:59 +0200 Subject: [PATCH 7/9] Create the K8S namespace if required --- .github/workflows/build-and-deploy.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml index 8049ea03..70944bfa 100644 --- a/.github/workflows/build-and-deploy.yml +++ b/.github/workflows/build-and-deploy.yml @@ -157,6 +157,14 @@ jobs: - name: Download certificate run: mkdir secrets && scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -i secret.key ubuntu@cert.workadventu.re:./config/live/workadventu.re/* secrets/ + - name: Create namespace + uses: steebchen/kubectl@v1.0.0 + env: + KUBE_CONFIG_DATA: ${{ secrets.KUBE_CONFIG_FILE_BASE64 }} + with: + args: create namespace workadventure-${{ github.event_name == 'pull_request' && env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }} + continue-on-error: true + - name: Install certificates in namespace uses: steebchen/kubectl@v1.0.0 env: From fdf4b901b848d4807849a3af6ecf1deccceb4c07 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20N=C3=A9grier?= Date: Fri, 11 Jun 2021 15:02:54 +0200 Subject: [PATCH 8/9] Fixing URL in message --- .github/workflows/build-and-deploy.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
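Review bot: Restoring `secrets/` as the scp destination fixes the copy, but the `chmod 0600 secrets/*` that was attached to this line two commits earlier is not brought back, so `privkey.pem` lands with whatever mode scp applies under the runner's umask and stays readable to every later step on the runner. Append it again: `... secrets/ && chmod 0600 secrets/*`. The `*` also fetches everything in the remote `live/workadventu.re/` directory although only `privkey.pem` and `fullchain.pem` are used by the next step; naming those two files as the scp sources narrows what the server can hand back.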
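Review bot: `continue-on-error: true` on the new `Create namespace` step swallows every failure, not just the expected "AlreadyExists", so an expired kubeconfig or a missing RBAC right is first reported two steps later by `Install certificates in namespace` with an unrelated error. Since `steebchen/kubectl` only accepts `args`, an idempotent create cannot be expressed in that step; a plain shell step, provided kubectl and the kubeconfig are available on the runner, can do `kubectl get namespace "$NS" || kubectl create namespace "$NS"` and fail on anything else. If the step is kept as is, document the intent so nobody removes the flag blindly: `# expected to fail with AlreadyExists on every run after the first; real errors surface in the next kubectl step`.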
diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml index 70944bfa..f9602572 100644 --- a/.github/workflows/build-and-deploy.yml +++ b/.github/workflows/build-and-deploy.yml @@ -191,4 +191,4 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: - msg: Environment deployed at https://play.${{ env.GITHUB_HEAD_REF_SLUG }}.test.workadventu.re + msg: Environment deployed at https://play-${{ env.GITHUB_HEAD_REF_SLUG }}.test.workadventu.re From 2159e70399dcfbcbadc98a7b13355c04aec07db9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?David=20N=C3=A9grier?= Date: Fri, 11 Jun 2021 15:31:27 +0200 Subject: [PATCH 9/9] Deleting old certificate if one already exists --- .github/workflows/build-and-deploy.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.github/workflows/build-and-deploy.yml b/.github/workflows/build-and-deploy.yml index f9602572..3bf00b99 100644 --- a/.github/workflows/build-and-deploy.yml +++ b/.github/workflows/build-and-deploy.yml @@ -165,6 +165,14 @@ jobs: args: create namespace workadventure-${{ github.event_name == 'pull_request' && env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }} continue-on-error: true + - name: Delete old certificates in namespace + uses: steebchen/kubectl@v1.0.0 + env: + KUBE_CONFIG_DATA: ${{ secrets.KUBE_CONFIG_FILE_BASE64 }} + with: + args: -n workadventure-${{ github.event_name == 'pull_request' && env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }} delete secret certificate-tls + continue-on-error: true + - name: Install certificates in namespace uses: steebchen/kubectl@v1.0.0 env:
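Review bot: `delete secret certificate-tls` followed by the existing `create secret tls` leaves a window during which the ingresses that reference `certificate-tls` have no Secret (most controllers then serve their default certificate), and `continue-on-error: true` on the delete hides any failure other than NotFound; replace the delete/create pair with a single idempotent apply. The kubectl action only takes `args`, so this needs a shell step with kubectl and the kubeconfig available on the runner; the `--dry-run=client -o yaml | kubectl apply -f -` form creates or updates the Secret in place and the separate delete step disappears. Passing the namespace expression through `env` rather than interpolating it into `run` also keeps the `${{ }}` value out of the shell script text.
```yaml
- name: Install certificates in namespace
  run: |
    kubectl -n "workadventure-${NAMESPACE_SLUG}" create secret tls certificate-tls \
      --key=secrets/privkey.pem --cert=secrets/fullchain.pem \
      --dry-run=client -o yaml | kubectl apply -f -
  env:
    NAMESPACE_SLUG: ${{ github.event_name == 'pull_request' && env.GITHUB_HEAD_REF_SLUG || env.GITHUB_REF_SLUG }}
```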