diff --git a/.github/workflows/deploy-to-cluster.yaml b/.github/workflows/deploy-to-cluster.yaml
deleted file mode 100644
index 7cba213..0000000
--- a/.github/workflows/deploy-to-cluster.yaml
+++ /dev/null
@@ -1,144 +0,0 @@ -# This workflow will build and push an application to a Azure Kubernetes Service (AKS) cluster when you push your code -# -# This workflow assumes you have already created the target AKS cluster and have created an Azure Container Registry (ACR) -# For instructions see: -# - https://docs.microsoft.com/en-us/azure/aks/kubernetes-walkthrough-portal -# - https://docs.microsoft.com/en-us/azure/container-registry/container-registry-get-started-portal -# - https://github.com/Azure/aks-create-action -# -# To configure this workflow: -# -# 1. Set the following secrets in your repository (instructions for getting these can be found at https://docs.microsoft.com/en-us/azure/developer/github/connect-from-azure?tabs=azure-cli%2Clinux): -# - AZURE_CLIENT_ID -# - AZURE_TENANT_ID -# - AZURE_SUBSCRIPTION_ID -# -# 2. Set the following environment variables (or replace the values below): -# - AZURE_CONTAINER_REGISTRY (name of your container registry / ACR) -# - RESOURCE_GROUP (where your cluster is deployed) -# - CLUSTER_NAME (name of your AKS cluster) -# - CONTAINER_NAME (name of the container image you would like to push up to your ACR) -# - IMAGE_PULL_SECRET_NAME (name of the ImagePullSecret that will be created to pull your ACR image) -# - DEPLOYMENT_MANIFEST_PATH (path to the manifest yaml for your deployment) -# -# For more information on GitHub Actions for Azure, refer to https://github.com/Azure/Actions -# For more samples to get started with GitHub Action workflows to deploy to Azure, refer to https://github.com/Azure/actions-workflow-samples -# For more options with the actions used below please refer to https://github.com/Azure/login - -name: Build and deploy jarvis to AKS - -# on: - # push: - # branches: - # - main - # workflow_dispatch: - -env: - AZURE_CONTAINER_REGISTRY: ${{ secrets.AZURE_CONTAINER_REGISTRY }} - CONTAINER_NAME: "jarvis" - RESOURCE_GROUP: ${{ secrets.AZURE_RESOURCE_GROUP }} - CLUSTER_NAME: ${{ secrets.AZURE_CLUSTER_NAME }} - 
IMAGE_PULL_SECRET_NAME: "github-ci-image-pull-secret" - DEPLOYMENT_MANIFEST_PATH: './rollout.yaml' - -jobs: - buildImage: - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Builds and pushes an image up to your Azure Container Registry - - name: Build and push image to ACR - run: | - az acr build --image ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} --registry ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} -f ./Dockerfile ./server - - createSecret: - permissions: - contents: read - id-token: write - runs-on: ubuntu-latest - steps: - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} - - # Retrieves the credentials for pulling images from your Azure Container Registry - - name: Get ACR credentials - run: | - az acr update -n ${{ env.AZURE_CONTAINER_REGISTRY }} -g ${{ env.RESOURCE_GROUP }} --admin-enabled true - ACR_USERNAME=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query username -o tsv) - ACR_PASSWORD=$(az acr credential show -g ${{ env.RESOURCE_GROUP }} -n ${{ env.AZURE_CONTAINER_REGISTRY }} --query passwords[0].value -o tsv) - echo "::add-mask::${ACR_USERNAME}" - echo "::set-output 
name=username::${ACR_USERNAME}" - echo "::add-mask::${ACR_PASSWORD}" - echo "::set-output name=password::${ACR_PASSWORD}" - id: get-acr-creds - - # Creates a kubernetes secret on your Azure Kubernetes Service cluster that matches up to the credentials from the last step - - name: Create K8s secret for pulling image from ACR - uses: Azure/k8s-create-secret@v1.1 - with: - container-registry-url: ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io - container-registry-username: ${{ steps.get-acr-creds.outputs.username }} - container-registry-password: ${{ steps.get-acr-creds.outputs.password }} - secret-name: ${{ env.IMAGE_PULL_SECRET_NAME }} - - deploy: - permissions: - actions: read - contents: read - id-token: write - runs-on: ubuntu-latest - needs: [buildImage, createSecret] - steps: - # Checks out the repository this file is in - - uses: actions/checkout@v3 - - # Logs in with your Azure credentials - - name: Azure login - uses: azure/login@v1.4.3 - with: - client-id: ${{ secrets.AZURE_CLIENT_ID }} - tenant-id: ${{ secrets.AZURE_TENANT_ID }} - subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }} - - # Retrieves your Azure Kubernetes Service cluster's kubeconfig file - - name: Get K8s context - uses: azure/aks-set-context@v2.0 - with: - resource-group: ${{ env.RESOURCE_GROUP }} - cluster-name: ${{ env.CLUSTER_NAME }} - - # Deploys application based on given manifest file - - name: Deploy application - uses: Azure/k8s-deploy@v3.1 - with: - action: deploy - manifests: ${{ env.DEPLOYMENT_MANIFEST_PATH }} - images: | - ${{ env.AZURE_CONTAINER_REGISTRY }}.azurecr.io/${{ env.CONTAINER_NAME }}:${{ github.sha }} - imagepullsecrets: | - ${{ env.IMAGE_PULL_SECRET_NAME }} \ No newline at end of file diff --git a/LICENSE b/LICENSE index 17b79e6..a732749 100644 --- a/LICENSE +++ b/LICENSE 
@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2022 Josh Spicer
+Copyright (c) 2023 Josh Spicer
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/configure/ssl-ingress/1_create_ingress_controller.sh b/configure/ssl-ingress/1_create_ingress_controller.sh
new file mode 100755
index 0000000..6ec65a3
--- /dev/null
+++ b/configure/ssl-ingress/1_create_ingress_controller.sh
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# https://learn.microsoft.com/en-us/azure/aks/ingress-basic?tabs=azure-cli
+
+# Add the Jetstack Helm repository
+helm repo add jetstack https://charts.jetstack.io
+
+# Update your local Helm chart repository cache
+helm repo update
+
+# Add the ingress-nginx repository
+helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
+
+helm install ingress-nginx ingress-nginx/ingress-nginx \
+ --create-namespace \
+ --namespace ingress-basic \
+ --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz
\ No newline at end of file
diff --git a/configure/ssl-ingress/1_import_image_to_acr.sh b/configure/ssl-ingress/1_import_image_to_acr.sh
deleted file mode 100755
index 464e148..0000000
--- a/configure/ssl-ingress/1_import_image_to_acr.sh
+++ /dev/null
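Review bot: `helm install ingress-nginx ingress-nginx/ingress-nginx` carries no `--version`, so each run installs whatever the chart repository currently serves, whereas the script it replaces pinned `--version 4.0.13` and the image tags from ssl-ingress.env. The same applies to `helm install cert-manager jetstack/cert-manager` in 2_cert_manager.sh, and ssl-ingress.env (bumped in this commit to `CERT_MANAGER_TAG=v1.8.0`) appears to be sourced by none of the scripts that remain, so those pins look dead. Suggest `--version "<chart-version placeholder>"` on both installs, or sourcing ssl-ingress.env and passing the tag through, so a deployment is reproducible and a bad or tampered chart release cannot silently change what lands on the cluster. The `helm repo add jetstack` at the top of this file is not used by anything in it; cert-manager is installed by 2_cert_manager.sh.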
@@ -1,12 +0,0 @@
-#!/bin/bash
-
-# https://docs.microsoft.com/en-us/azure/aks/ingress-tls?tabs=azure-cli
-
-source ssl-ingress.env
-
-az acr import --name $REGISTRY_NAME --source $SOURCE_REGISTRY/$CONTROLLER_IMAGE:$CONTROLLER_TAG --image $CONTROLLER_IMAGE:$CONTROLLER_TAG
-az acr import --name $REGISTRY_NAME --source $SOURCE_REGISTRY/$PATCH_IMAGE:$PATCH_TAG --image $PATCH_IMAGE:$PATCH_TAG
-az acr import --name $REGISTRY_NAME --source $SOURCE_REGISTRY/$DEFAULTBACKEND_IMAGE:$DEFAULTBACKEND_TAG --image $DEFAULTBACKEND_IMAGE:$DEFAULTBACKEND_TAG
-az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_CONTROLLER:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_CONTROLLER:$CERT_MANAGER_TAG
-az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_WEBHOOK:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_WEBHOOK:$CERT_MANAGER_TAG
-az acr import --name $REGISTRY_NAME --source $CERT_MANAGER_REGISTRY/$CERT_MANAGER_IMAGE_CAINJECTOR:$CERT_MANAGER_TAG --image $CERT_MANAGER_IMAGE_CAINJECTOR:$CERT_MANAGER_TAG
diff --git a/configure/ssl-ingress/2_cert_manager.sh b/configure/ssl-ingress/2_cert_manager.sh
new file mode 100644
index 0000000..39d814d
--- /dev/null
+++ b/configure/ssl-ingress/2_cert_manager.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+# https://learn.microsoft.com/en-us/azure/aks/ingress-tls?tabs=azure-cli
+
+# Add the Jetstack Helm repository
+helm repo add jetstack https://charts.jetstack.io
+
+# Update your local Helm chart repository cache
+helm repo update
+
+kubectl label namespace ingress-basic cert-manager.io/disable-validation=true
+helm install cert-manager jetstack/cert-manager \
+ --namespace ingress-basic \
+ --set installCRDs=true \
+ --set nodeSelector."kubernetes\.io/os"=linux
\ No newline at end of file
diff --git a/configure/ssl-ingress/2_create_ingress_controller.sh b/configure/ssl-ingress/2_create_ingress_controller.sh
deleted file mode 100755
index ddba164..0000000
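Review bot: `kubectl label namespace ingress-basic cert-manager.io/disable-validation=true` and the `--namespace ingress-basic` install both assume the namespace already exists, yet it is only created by `--create-namespace` in 1_create_ingress_controller.sh and nothing in this script records that ordering or stops when a step fails. Without `set -euo pipefail` a failed `helm repo update` or `kubectl label` still falls through to `helm install`. Suggest `set -euo pipefail` directly after the shebang, plus a comment above the label line such as `# Requires the ingress-basic namespace created by 1_create_ingress_controller.sh; the label disables cert-manager resource validation for that namespace` (the deleted 3_cert_manager.sh carried that explanation and it is lost here).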
--- a/configure/ssl-ingress/2_create_ingress_controller.sh
+++ /dev/null
@@ -1,35 +0,0 @@
-#!/bin/bash
-
-# Add the ingress-nginx repository
-helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
-
-source ssl-ingress.env
-echo $ACR_URL
-
-# Use Helm to deploy an NGINX ingress controller
-helm install nginx-ingress ingress-nginx/ingress-nginx \
- --version 4.0.13 \
- --namespace ingress-basic --create-namespace \
- --set controller.replicaCount=2 \
- --set controller.nodeSelector."kubernetes\.io/os"=linux \
- --set controller.image.registry=$ACR_URL \
- --set controller.image.image=$CONTROLLER_IMAGE \
- --set controller.image.tag=$CONTROLLER_TAG \
- --set controller.image.digest="" \
- --set controller.admissionWebhooks.patch.nodeSelector."kubernetes\.io/os"=linux \
- --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-load-balancer-health-probe-request-path"=/healthz \
- --set controller.admissionWebhooks.patch.image.registry=$ACR_URL \
- --set controller.admissionWebhooks.patch.image.image=$PATCH_IMAGE \
- --set controller.admissionWebhooks.patch.image.tag=$PATCH_TAG \
- --set controller.admissionWebhooks.patch.image.digest="" \
- --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux \
- --set defaultBackend.image.registry=$ACR_URL \
- --set defaultBackend.image.image=$DEFAULTBACKEND_IMAGE \
- --set defaultBackend.image.tag=$DEFAULTBACKEND_TAG \
- --set defaultBackend.image.digest=""
-
-echo $DNS_LABEL
-
-helm upgrade nginx-ingress ingress-nginx/ingress-nginx \
- --namespace ingress-basic \
- --set controller.service.annotations."service\.beta\.kubernetes\.io/azure-dns-label-name"=$DNS_LABEL
\ No newline at end of file
diff --git a/configure/ssl-ingress/3_cert_manager.sh b/configure/ssl-ingress/3_cert_manager.sh
deleted file mode 100755
index c8dfba9..0000000
--- a/configure/ssl-ingress/3_cert_manager.sh
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/bash
-
-source ssl-ingress.env
-
-# Label the ingress-basic namespace to disable resource validation
-kubectl label namespace ingress-basic cert-manager.io/disable-validation=true
-
-# Add the Jetstack Helm repository
-helm repo add jetstack https://charts.jetstack.io
-
-
-# Update your local Helm chart repository cache
-helm repo update
-
-# Install the cert-manager Helm chart
-helm install cert-manager jetstack/cert-manager \
- --namespace ingress-basic \
- --version $CERT_MANAGER_TAG \
- --set installCRDs=true \
- --set nodeSelector."kubernetes\.io/os"=linux \
- --set image.repository=$ACR_URL/$CERT_MANAGER_IMAGE_CONTROLLER \
- --set image.tag=$CERT_MANAGER_TAG \
- --set webhook.image.repository=$ACR_URL/$CERT_MANAGER_IMAGE_WEBHOOK \
- --set webhook.image.tag=$CERT_MANAGER_TAG \
- --set cainjector.image.repository=$ACR_URL/$CERT_MANAGER_IMAGE_CAINJECTOR \
- --set cainjector.image.tag=$CERT_MANAGER_TAG
-
-
\ No newline at end of file
diff --git a/configure/ssl-ingress/ssl-ingress.env b/configure/ssl-ingress/ssl-ingress.env
index bd4ebaf..daaa217 100644
--- a/configure/ssl-ingress/ssl-ingress.env
+++ b/configure/ssl-ingress/ssl-ingress.env
@@ -4,11 +4,11 @@ SOURCE_REGISTRY=k8s.gcr.io
 CONTROLLER_IMAGE=ingress-nginx/controller
 CONTROLLER_TAG=v1.0.4
 PATCH_IMAGE=ingress-nginx/kube-webhook-certgen
-PATCH_TAG=v1.1.1
+PATCH_TAG=v1.3.0
 DEFAULTBACKEND_IMAGE=defaultbackend-amd64
 DEFAULTBACKEND_TAG=1.5
 CERT_MANAGER_REGISTRY=quay.io
-CERT_MANAGER_TAG=v1.5.4
+CERT_MANAGER_TAG=v1.8.0
 CERT_MANAGER_IMAGE_CONTROLLER=jetstack/cert-manager-controller
 CERT_MANAGER_IMAGE_WEBHOOK=jetstack/cert-manager-webhook
 CERT_MANAGER_IMAGE_CAINJECTOR=jetstack/cert-manager-cainjector
diff --git a/rollout.yaml b/rollout.yaml
index c92d60e..86e11b9 100644
--- a/rollout.yaml
+++ b/rollout.yaml
@@ -17,6 +17,7 @@ spec:
 containers:
 - name: jarvis
 image: ghcr.io/joshspicer/jarvis:latest
+ imagePullPolicy: Always
 resources:
 requests:
 cpu: 100m
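Review bot: `imagePullPolicy: Always` next to the context line `image: ghcr.io/joshspicer/jarvis:latest` means every pod start re-resolves a mutable tag, so a rollout or a node reboot can bring up a different image than the one last reviewed, and the manifest no longer tells you which build is running. The workflow deleted in this commit tagged images with `${{ github.sha }}`; pinning the same way, `image: ghcr.io/joshspicer/jarvis:<immutable-tag-or-digest placeholder>`, keeps the Always policy useful while making deployments reproducible and auditable. The enclosing container spec starts outside the hunk.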
@@ -55,36 +56,6 @@ spec:
 secretKeyRef:
 name: env-secrets
 key: TrustedActors
- - name: AUGUST_API_KEY
- valueFrom:
- secretKeyRef:
- name: env-secrets
- key: AugustApiKey
- - name: AUGUST_INSTALLID
- valueFrom:
- secretKeyRef:
- name: env-secrets
- key: AugustInstallId
- - name: AUGUST_PASSWORD
- valueFrom:
- secretKeyRef:
- name: env-secrets
- key: AugustPassword
- - name: AUGUST_ID_TYPE
- valueFrom:
- secretKeyRef:
- name: env-secrets
- key: AugustIdType
- - name: AUGUST_ID
- valueFrom:
- secretKeyRef:
- name: env-secrets
- key: AugustId
- - name: AUGUST_LOCK_ID
- valueFrom:
- secretKeyRef:
- name: env-secrets
- key: AugustLockId
 volumes:
 - name: secrets-store01-inline
 csi:
@@ -113,8 +84,8 @@ spec:
 parameters:
 usePodIdentity: "false"
 useVMManagedIdentity: "true" # Set to true for using managed identity
- userAssignedIdentityID: dc34b44c-5ea3-40d3-8820-69945bc5ccde # Set the clientID of the user-assigned managed identity to use
- keyvaultName: jarviskv # Set to the name of your key vault
+ userAssignedIdentityID: 334bf547-5989-4300-be4d-ed7a90894a03 # Set the clientID of the user-assigned managed identity to use
+ keyvaultName: secret-store-5h7SuPk389 # Set to the name of your key vault
 objects: |
 array:
 - |
@@ -129,24 +100,6 @@ spec:
 - |
 objectName: TrustedActors
 objectType: secret
- - |
- objectName: AugustApiKey
- objectType: secret
- - |
- objectName: AugustInstallId
- objectType: secret
- - |
- objectName: AugustPassword
- objectType: secret
- - |
- objectName: AugustIdType
- objectType: secret
- - |
- objectName: AugustId
- objectType: secret
- - |
- objectName: AugustLockId
- objectType: secret
 tenantId: 0ad1a6ca-bf0b-4eea-b39d-a0a369403977 # The tenant ID of the key vault
 secretObjects:
 - data:
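Review bot: `keyvaultName: secret-store-5h7SuPk389` together with the new `userAssignedIdentityID` moves the pod to a different vault and identity, but the six August secrets (AugustApiKey … AugustLockId) are only unreferenced here, in the `objects` array hunk below and in the `secretObjects` hunk that follows; nothing in the commit says whether they were deleted or rotated in the previous vault `jarviskv`, which presumably still holds them. If those credentials are retired they should be revoked at the source, not just dropped from the manifest, and the old identity's access to `jarviskv` reviewed. A one-line comment beside `keyvaultName` saying why the vault changed would spare the next reader a trip through history.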
@@ -158,18 +111,6 @@ spec:
 objectName: ValidTelegramGroups
 - key: TrustedActors
 objectName: TrustedActors
- - key: AugustApiKey
- objectName: AugustApiKey
- - key: AugustInstallId
- objectName: AugustInstallId
- - key: AugustPassword
- objectName: AugustPassword
- - key: AugustIdType
- objectName: AugustIdType
- - key: AugustId
- objectName: AugustId
- - key: AugustLockId
- objectName: AugustLockId
 secretName: env-secrets
 type: Opaque
 ---
@@ -205,161 +146,18 @@ metadata: cert-manager.io/cluster-issuer: letsencrypt spec: ingressClassName: nginx - tls: - - hosts: - - jarvis.spicer.dev - secretName: tls-secret-spicerdev rules: - host: jarvis.spicer.dev http: paths: - - path: /(.*) - pathType: Prefix + - pathType: Prefix backend: service: name: jarvis port: number: 80 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: willow-ingress - annotations: - nginx.ingress.kubernetes.io/rewrite-target: /$1 - nginx.ingress.kubernetes.io/use-regex: "true" - nginx.ingress.kubernetes.io/limit-rpm: "5" - nginx.ingress.kubernetes.io/limit-rps: "2" - nginx.ingress.kubernetes.io/limit-burst-multiplier: "1" - cert-manager.io/cluster-issuer: letsencrypt -spec: - ingressClassName: nginx + path: /(.*) tls: - hosts: - - willow.party - secretName: tls-secret-willowparty - rules: - - host: willow.party - http: - paths: - - path: /(.*) - pathType: Prefix - backend: - service: - name: jarvis - port: - number: 80 ---- -# VVVVVVV BEDROCK VVVVVVV -apiVersion: v1 -kind: ConfigMap -metadata: - name: minecraft-bedrock - labels: - role: service-config - app: bds -data: - # Find more options at https://github.com/itzg/docker-minecraft-bedrock-server#server-properties - # Remove # from in front of line if changing from default values. 
- EULA: "TRUE" # Must accept EULA to use this minecraft server - #GAMEMODE: "survival" # Options: survival, creative, adventure - #DIFFICULTY: "easy" # Options: peaceful, easy, normal, hard - #DEFAULT_PLAYER_PERMISSION_LEVEL: "member" # Options: visitor, member, operator - LEVEL_NAME: "bedrock_world" - #LEVEL_SEED: "33480944" - SERVER_NAME: "SpiceCraft2" - #SERVER_PORT: "19132" - #LEVEL_TYPE: "DEFAULT" # Options: FLAT, LEGACY, DEFAULT - ALLOW_CHEATS: "true" # Options: true, false - MAX_PLAYERS: "10" - #PLAYER_IDLE_TIMEOUT: "30" - #TEXTUREPACK_REQUIRED: "false" # Options: true, false - # - ## Changing these will have a security impact - #ONLINE_MODE: "true" # Options: true, false (removes Xbox Live account requirements) - #WHITE_LIST: "false" # If enabled, need to provide a whitelist.json by your own means. - # - ## Changing these will have a performance impact - #VIEW_DISTANCE: "10" - #TICK_DISTANCE: "4" - #MAX_THREADS: "8" ---- -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: bds -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - labels: - app: bds - name: bds -spec: - # never more than 1 since BDS is not horizontally scalable - replicas: 1 - serviceName: bds - selector: - matchLabels: - app: bds - template: - metadata: - labels: - app: bds - spec: - containers: - - name: main - image: itzg/minecraft-bedrock-server - imagePullPolicy: Always - envFrom: - - configMapRef: - name: minecraft-bedrock - volumeMounts: - - mountPath: /data - name: data - ports: - - containerPort: 19132 - protocol: UDP - readinessProbe: &probe - exec: - command: - - mc-monitor - - status-bedrock - - --host - # force health check against IPv4 port - - 127.0.0.1 - initialDelaySeconds: 30 - livenessProbe: *probe - tty: true - stdin: true - volumeClaimTemplates: - - metadata: - name: data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi ---- -apiVersion: v1 
-kind: Service -metadata: - name: bds -spec: - selector: - app: bds - ports: - - port: 19132 - protocol: UDP - # Use LoadBalancer if running on a provider that supports that - type: LoadBalancer - # or use NodePort on a non-managed system; - # however, you'll need to lookup port assigned to the service - # type: NodePort \ No newline at end of file + - jarvis.spicer.dev + secretName: tls-secret \ No newline at end of file
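Review bot: On the new side `path: /(.*)` now sits after `backend:` and `number: 80` instead of beside `pathType: Prefix`; that is valid YAML, but it reads as if the path belonged to the backend, so moving it back to `- path: /(.*)` followed by `pathType: Prefix` in the path item keeps the rule readable. The regex path `/(.*)` only takes effect if this Ingress still carries `nginx.ingress.kubernetes.io/use-regex: "true"`; its annotations are above the hunk, so I cannot confirm that here, and the only Ingress in the diff that declared it explicitly (willow-ingress) is deleted. `secretName: tls-secret` replaces the host-specific `tls-secret-spicerdev`; since cert-manager issues into that Secret, keep the name unique per host in the namespace so a later Ingress cannot share and overwrite it. The Ingress metadata starts outside the hunk.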