diff --git a/.github/workflows/bin/humctl b/.github/workflows/bin/humctl
new file mode 100755
index 0000000..986a1ae
Binary files /dev/null and b/.github/workflows/bin/humctl differ
diff --git a/.github/workflows/ob-frontend-pr.yaml b/.github/workflows/ob-frontend-pr.yaml
new file mode 100644
index 0000000..8765a6a
--- /dev/null
+++ b/.github/workflows/ob-frontend-pr.yaml
@@ -0,0 +1,117 @@ +name: Pull Request +on: + pull_request: + paths: + - 'samples/onlineboutique/frontend/**' + - '.github/workflows/ob-frontend-pr.yaml' +permissions: + contents: read + pull-requests: write +env: + WORKLOAD_FOLDER: 'samples/onlineboutique/frontend/' + BASE_ENVIRONMENT: 'development' + ENVIRONMENT_TYPE: 'development' + ENVIRONMENT_ID: pr-${{ github.event.number }}-frontend + ENVIRONMENT_NAME: PR-${{ github.event.number }} +jobs: + ob-frontend-pr: + runs-on: ubuntu-latest + steps: + - name: checkout code + uses: actions/checkout@v3 + - name: create humanitec env + run: | + .github/workflows/bin/humctl create environment ${{ env.ENVIRONMENT_ID }} \ + --token ${{ secrets.HUMANITEC_TOKEN }} \ + --context /orgs/${{ secrets.HUMANITEC_ORG }}/apps/${{ vars.APP_NAME }} \ + --name ${{ env.ENVIRONMENT_NAME }} \ + -t ${{ env.ENVIRONMENT_TYPE }} \ + --from ${{ env.BASE_ENVIRONMENT }} \ + || true + - name: install score-humanitec + run: | + curl https://gist.githubusercontent.com/mathieu-benoit/18ecd796c50c27badf0f00218bac2ba2/raw/06c49e649f630bc91199da119046d7e821e4337e/install-score-humanitec.sh | bash + - name: deploy score-humanitec + run: | + score-humanitec delta \ + --retry \ + --deploy \ + --token ${{ secrets.HUMANITEC_TOKEN }} \ + --org ${{ secrets.HUMANITEC_ORG }} \ + --app ${{ vars.APP_NAME }} \ + --env ${{ env.ENVIRONMENT_ID }} \ + -f ${{ env.WORKLOAD_FOLDER }}/score.yaml \ + --extensions ${{ env.WORKLOAD_FOLDER }}/humanitec.score.yaml \ + | tee score_output.json + - name: wait for deployment + run: | + sleep 1 + + IS_DONE=false + + while [ "$IS_DONE" = false ]; do + CURRENT_STATUS=$(.github/workflows/bin/humctl get environment ${{ env.ENVIRONMENT_ID }} -o json \ + --token ${{ secrets.HUMANITEC_TOKEN }} \ + --context /orgs/${{ secrets.HUMANITEC_ORG }}/apps/${{ vars.APP_NAME }} \ + | jq -r .object.last_deploy.status) + + INPROGRESS="in progress" + + if [ "$CURRENT_STATUS" = "$INPROGRESS" ]; then + echo "Deployment still in progress..." 
+ sleep 1 + else + echo "Deployment complete!" + IS_DONE=true + fi + done + - name: build comment message + run: | + ENV_URL=$(jq -r ".metadata.url" score_output.json) + DEPLOYMENT_ID=$(jq -r ".id" score_output.json) + DOMAINS=$(.github/workflows/bin/humctl get active-resources \ + --token ${{ secrets.HUMANITEC_TOKEN }} \ + --context /orgs/${{ secrets.HUMANITEC_ORG }}/apps/${{ vars.APP_NAME }}/envs/${{ env.ENVIRONMENT_ID }} -o json \ + | jq -r '. | map(. | select(.object.type == "dns")) | map((.object.res_id | split(".") | .[1]) + ": [" + .object.resource.host + "](https://" + .object.resource.host + ")") | join("\n")') + + echo "## Deployment Complete for ${{ env.ENVIRONMENT_NAME }}! :tada:" >> pr_message.txt + echo "" >> pr_message.txt + + echo "### [View in Humanitec]($ENV_URL)" >> pr_message.txt + echo "Deployment ID: $DEPLOYMENT_ID" >> pr_message.txt + + echo "" >> pr_message.txt + echo "### Domains:" >> pr_message.txt + echo "" >> pr_message.txt + echo "$DOMAINS" >> pr_message.txt + echo "" >> pr_message.txt + + echo "
Deployment diff" >> pr_message.txt + echo "" >> pr_message.txt + echo "### Deployment diff:" >> pr_message.txt + echo '```json' >> pr_message.txt + echo "" >> pr_message.txt + .github/workflows/bin/humctl diff env ${{ env.ENVIRONMENT_ID }} ${{ env.BASE_ENVIRONMENT }} \ + --token ${{ secrets.HUMANITEC_TOKEN }} \ + --context /orgs/${{ secrets.HUMANITEC_ORG }}/apps/${{ vars.APP_NAME }} -o json >> pr_message.txt + echo "" >> pr_message.txt + echo '```' >> pr_message.txt + echo "" >> pr_message.txt + echo "
" >> pr_message.txt + + echo "
Score Output" >> pr_message.txt + echo "" >> pr_message.txt + echo "### Score Output:" >> pr_message.txt + echo '```json' >> pr_message.txt + echo "" >> pr_message.txt + cat score_output.json >> pr_message.txt + echo "" >> pr_message.txt + echo '```' >> pr_message.txt + echo "" >> pr_message.txt + echo "
" >> pr_message.txt + + cat pr_message.txt + - name: comment pr + uses: thollander/actions-comment-pull-request@v2 + with: + filePath: pr_message.txt diff --git a/.github/workflows/ob-pr-closed.yaml b/.github/workflows/ob-pr-closed.yaml new file mode 100644 index 0000000..f367761 --- /dev/null +++ b/.github/workflows/ob-pr-closed.yaml @@ -0,0 +1,21 @@ +name: Pull Request +on: + pull_request: + paths: + - 'samples/onlineboutique/frontend/**' + - '.github/workflows/ob-frontend-pr.yaml' + types: + - closed +env: + ENVIRONMENT_ID: pr-${{ github.event.number }}-frontend +jobs: + ob-pr-closed: + runs-on: ubuntu-latest + steps: + - name: checkout humctl bin + uses: actions/checkout@v3 + - name: delete humanitec env + run: | + .github/workflows/bin/humctl delete env ${{ env.ENVIRONMENT_ID }} \ + --token ${{ secrets.HUMANITEC_TOKEN }} \ + --context /orgs/${{ secrets.HUMANITEC_ORG }}/apps/${{ vars.APP_NAME }} diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b0e4845 --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +.terraform +.terraform.lock.hcl \ No newline at end of file diff --git a/README.md b/README.md index e08399c..c62263f 100644 --- a/README.md +++ b/README.md 
@@ -1,41 +1,41 @@ # hello-humanitec 2 personas: -- **Platform admin** (PA) interacting with either Google Cloud (**PA-GCP**), Azure (**PA-AZ**) or Humanitec (**PA-HUM**) +- **Platform Engineer** (PE) interacting with either Google Cloud (**PE-GCP**), Azure (**PE-AZ**) or Humanitec (**PE-HUM**) - **Developer** (DE) interacting with Humanitec (**DE-HUM**) ![personas](/images/personas.png) Agenda: - [Humanitec default setup in Development](./docs/humanitec-default.md) - - [PA-HUM] Create Online Boutique App - - [PA-HUM] Create an in-cluster Redis database + - [PE-HUM] Create Online Boutique App + - [PE-HUM] Create an in-cluster Redis database - [DE-HUM] Deploy Online Boutique Workloads in the Development Environment - [Common setup](./docs/common.md) - - [PA-HUM] Create `staging` and `production` Environment types - - [PA-HUM] Create custom name `Namespace` - - [PA-HUM] Create custom `ServiceAccount` - - [PA-HUM] Create custom unprivileged Workload + - [PE-HUM] Create `staging` and `production` Environment types + - [PE-HUM] Create custom name `Namespace` + - [PE-HUM] Create custom `ServiceAccount` + - [PE-HUM] Create custom unprivileged Workload - [GKE basic setup in Staging](./docs/gke-basic.md) - - [PA-GCP] Create basic GKE setup - - [PA-GCP] Deploy a simple Nginx Ingress controller - - [PA-HUM] Create Staging Environment - - [PA-GCP] Create a Memorystore (Redis) database - - [PA-HUM] Deploy the Staging Environment + - [PE-GCP] Create basic GKE setup + - [PE-GCP] Deploy a simple Nginx Ingress controller + - [PE-HUM] Create Staging Environment + - [PE-GCP] Create a Memorystore (Redis) database + - [PE-HUM] Deploy the Staging Environment - [AKS basic setup in Staging](./docs/aks-basic.md) - - [PA-AZ] Create basic AKS setup - - [PA-AZ] Deploy a simple Nginx Ingress controller - - [PA-HUM] Create Staging Environment - - [PA-AZ] Create a Memorystore (Redis) database - - [PA-HUM] Deploy the Staging Environment + - [PE-AZ] Create basic AKS setup + - [PE-AZ] Deploy a 
simple Nginx Ingress controller + - [PE-HUM] Create Staging Environment + - [PE-AZ] Create a Memorystore (Redis) database + - [PE-HUM] Deploy the Staging Environment - [GKE advanced setup in Production](./docs/gke-advanced.md) - - [PA-GCP] Create advanced and secured GKE setup - - [PA-GCP] Deploy an Nginx Ingress controller - - [PA-GCP] Protect the Nginx Ingress controller behind a Global Cloud Load Balancer (GCLB) and Cloud Armor (WAF) - - [PA-GCP] Use Cloud Logging for Workload's logs - - [PA-HUM] Create Production Environment - - [PA-GCP] Create a Spanner database - - [PA-GCP] Create Kubernetes and Google Service Accounts to access Spanner via Workload Identity + - [PE-GCP] Create advanced and secured GKE setup + - [PE-GCP] Deploy an Nginx Ingress controller + - [PE-GCP] Protect the Nginx Ingress controller behind a Global Cloud Load Balancer (GCLB) and Cloud Armor (WAF) + - [PE-GCP] Use Cloud Logging for Workload's logs + - [PE-HUM] Create Production Environment + - [PE-GCP] Create a Spanner database + - [PE-GCP] Create Kubernetes and Google Service Accounts to access Spanner via Workload Identity - [DE-HUM] Deploy `cartservice` Workload connected to the Spanner database in the Production Environment diff --git a/docs/aks-advanced.md b/docs/aks-advanced.md index a5c9ea8..5fbbf5e 100644 --- a/docs/aks-advanced.md +++ b/docs/aks-advanced.md @@ -9,4 +9,6 @@ az aks create \ --enable-addons monitoring \ --enable-msi-auth-for-monitoring \ --no-ssh-key -``` \ No newline at end of file +``` + +https://denniszielke.medium.com/advanced-load-balancing-scenarios-with-the-new-azure-application-gateway-for-containers-dd35c4de64df diff --git a/docs/aks-basic.md b/docs/aks-basic.md index b9e0f49..3649556 100644 --- a/docs/aks-basic.md +++ b/docs/aks-basic.md 
@@ -2,14 +2,14 @@ # AKS basic setup in Staging -- [[PA-AZ] Create the AKS cluster](#pa-az-create-the-aks-cluster) -- [[PA-AZ] Deploy the Nginx Ingress controller](#pa-az-deploy-the-nginx-ingress-controller) -- [[PA-AZ] Create the Service Principal to access the AKS cluster](#pa-az-create-the-service-principal-to-access-the-aks-cluster) -- [[PA-HUM] Create the GKE access resource definition](#pa-hum-create-the-gke-access-resource-definition) -- [[PA-HUM] Create the Staging Environment](#pa-hum-create-the-staging-environment) -- [[PA-AZ] Create an Azure Redis Cache database](#pa-az-create-an-azure-redis-cache-database) -- [[PA-HUM] Create the Azure Redis Cache access resource definition](#pa-hum-create-the-azure-redis-cache-access-resource-definition) -- [[PA-HUM] Deploy the Staging Environment](#pa-hum-deploy-the-staging-environment) +- [[PE-AZ] Create the AKS cluster](#pe-az-create-the-aks-cluster) +- [[PE-AZ] Deploy the Nginx Ingress controller](#pe-az-deploy-the-nginx-ingress-controller) +- [[PE-AZ] Create the Service Principal to access the AKS cluster](#pe-az-create-the-service-principal-to-access-the-aks-cluster) +- [[PE-HUM] Create the AKS access resource definition](#pe-hum-create-the-aks-access-resource-definition) +- [[PE-HUM] Create the Staging Environment](#pe-hum-create-the-staging-environment) +- [[PE-AZ] Create an Azure Redis Cache database](#pe-az-create-an-azure-redis-cache-database) +- [[PE-HUM] Create the Azure Redis Cache access resource definition](#pe-hum-create-the-azure-redis-cache-access-resource-definition) +- [[PE-HUM] Deploy the Staging Environment](#pe-hum-deploy-the-staging-environment) - [Test the Online Boutique website](#test-the-online-boutique-website) ```mermaid @@ -65,9 +65,9 @@ export HUMANITEC_TOKEN=FIXME ENVIRONMENT=${STAGING_ENV}-aks ``` -## [PA-AZ] Create the AKS cluster +## [PE-AZ] Create the AKS cluster -As Platform Admin, in Azure. +As Platform Engineer, in Azure. ```bash az provider register \ 
@@ -90,9 +90,9 @@ az aks get-credentials \ -n ${CLUSTER_NAME} ``` -## [PA-AZ] Deploy the Nginx Ingress controller +## [PE-AZ] Deploy the Nginx Ingress controller -As Platform Admin, in Azure. +As Platform Engineer, in Azure. Deploy the Nginx Ingress Controller: ```bash @@ -113,9 +113,9 @@ echo ${INGRESS_IP} ``` _Note: re-run the above command until you get a value._ -## [PA-AZ] Create the Service Principal to access the AKS cluster +## [PE-AZ] Create the Service Principal to access the AKS cluster -As Platform Admin, in Azure. +As Platform Engineer, in Azure. Create the Service Principal with the appropriate role: ```bash @@ -135,9 +135,9 @@ az role assignment create \ --scope ${AKS_ID} ``` -## [PA-HUM] Create the AKS access resource definition +## [PE-HUM] Create the AKS access resource definition -As Platform Admin, in Humanitec. +As Platform Engineer, in Humanitec. Create the AKS access resource definition: ```bash @@ -199,9 +199,9 @@ rm ${CLUSTER_NAME}.yaml rm ${CLUSTER_NAME}.json ``` -## [PA-HUM] Create the Staging Environment +## [PE-HUM] Create the Staging Environment -As Platform Admin, in Humanitec. +As Platform Engineer, in Humanitec. Create the new Environment by cloning the existing Environment from its latest Deployment: ```bash @@ -250,9 +250,9 @@ humctl deploy env ${CLONED_ENVIRONMENT} ${ENVIRONMENT} \ At this stage, you can already [test the Online Boutique website](#test-the-online-boutique-website) in its existing state. -## [PA-AZ] Create an Azure Redis Cache database +## [PE-AZ] Create an Azure Redis Cache database -As Platform Admin, in Azure. +As Platform Engineer, in Azure. Create the Azure Redis Cache database: ```bash 
@@ -293,9 +293,9 @@ echo ${REDIS_AUTH} ``` _Note: re-run the above commands until you get the 3 values._ -## [PA-HUM] Create the Azure Redis Cache access resource definition +## [PE-HUM] Create the Azure Redis Cache access resource definition -As Platform Admin, in Humanitec. +As Platform Engineer, in Humanitec. ```bash cat < ${REDIS_NAME}.yaml @@ -351,9 +351,9 @@ Clean sensitive information locally: rm ${REDIS_NAME}.yaml ``` -## [PA-HUM] Deploy the Staging Environment +## [PE-HUM] Deploy the Staging Environment -As Platform admin, in Humanitec. +As Platform Engineer, in Humanitec. Deploy the new Environment to take into account all the new resource definitions: ```bash diff --git a/docs/common.md b/docs/common.md index 6b582e8..9292f9a 100644 --- a/docs/common.md +++ b/docs/common.md @@ -6,10 +6,10 @@ ## Common setup -- [[PA-HUM] Create `staging` and `production` Environment types](#pa-hum-create-staging-and-production-environment-types) -- [[PA-HUM] Create a custom `Namespace` resource definition](#pa-hum-create-a-custom-namespace-resource-definition) -- [[PA-HUM] Create a custom `ServiceAccount` resource definition](#pa-hum-create-a-custom-serviceaccount-resource-definition) -- [[PA-HUM] Create a custom Workload resource definition](#pa-hum-create-a-custom-workload-resource-definition) +- [[PE-HUM] Create `staging` and `production` Environment types](#pe-hum-create-staging-and-production-environment-types) +- [[PE-HUM] Create a custom `Namespace` resource definition](#pe-hum-create-a-custom-namespace-resource-definition) +- [[PE-HUM] Create a custom `ServiceAccount` resource definition](#pe-hum-create-a-custom-serviceaccount-resource-definition) +- [[PE-HUM] Create a custom Workload resource definition](#pe-hum-create-a-custom-workload-resource-definition) ```mermaid flowchart LR 
@@ -33,7 +33,7 @@ export HUMANITEC_CONTEXT=/orgs/${HUMANITEC_ORG} export HUMANITEC_TOKEN=FIXME ``` -### [PA-HUM] Create `staging` and `production` Environment types +### [PE-HUM] Create `staging` and `production` Environment types The `development` Environment type is already created by default in Humanitec. @@ -83,9 +83,9 @@ humctl create environment-type ${PRODUCTION_ENV} \ ``` -### [PA-HUM] Create a custom `Namespace` resource definition +### [PE-HUM] Create a custom `Namespace` resource definition -As Platform Admin, in Humanitec. +As Platform Engineer, in Humanitec. Customize the name of the Kubernetes `Namespace` for all our Apps in Production Environment Type ([reference](https://docs.humanitec.com/guides/orchestrate-infrastructure/define-namespaces)). One per App/Env. We are also adding the label to enforce [Pod Security Standards `restricted`](https://kubernetes.io/docs/concepts/security/pod-security-standards/): ```bash @@ -159,9 +159,9 @@ humctl create \ ``` -### [PA-HUM] Create a custom `ServiceAccount` resource definition +### [PE-HUM] Create a custom `ServiceAccount` resource definition -As Platform Admin, in Humanitec. +As Platform Engineer, in Humanitec. Create a dedicated Kubernetes `ServiceAccount` for all our Apps, one per Workload: ```bash @@ -231,9 +231,9 @@ humctl create \ ``` -### [PA-HUM] Create a custom Workload resource definition +### [PE-HUM] Create a custom Workload resource definition -As Platform Admin, in Humanitec. +As Platform Engineer, in Humanitec. Customize the Kubernetes `Deployment` manifests for all our Workloads in Production Environment Type by adding the `securityContext` sections and other security features ([reference](https://docs.humanitec.com/integrations/resource-types/workload)): ```bash diff --git a/docs/gke-advanced.md b/docs/gke-advanced.md index 894a256..7da58c5 100644 --- a/docs/gke-advanced.md +++ b/docs/gke-advanced.md 
@@ -2,17 +2,17 @@ # GKE advanced setup in Production -- [[PA-GCP] Create the GKE cluster](#pa-gcp-create-the-gke-cluster) -- [[PA-GCP] Deploy the Nginx Ingress controller](#pa-gcp-deploy-the-nginx-ingress-controller) -- [[PA-GCP] Protect the Nginx Ingress controller behind a Global Cloud Load Balancer (GCLB) and Cloud Armor (WAF)](#pa-gcp-protect-the-nginx-ingress-controller-behind-a-global-cloud-load-balancer-gclb-and-cloud-armor-waf) -- [[PA-HUM] Create the associated DNS and TLS resource definitions](#pa-hum-create-the-associated-dns-and-tls-resource-definitions) -- [[PA-GCP] Create the Google Service Account to access the GKE cluster](#pa-gcp-create-the-google-service-account-to-access-the-gke-cluster) -- [[PA-HUM] Create the GKE access resource definition](#pa-hum-create-the-gke-access-resource-definition) -- [[PA-GCP] Create the Google Service Account to access Cloud Logging](#pa-gcp-create-the-google-service-account-to-access-cloud-logging) -- [[PA-HUM] Create the Production Environment](#pa-hum-create-the-production-environment) -- [[PA-GCP] Create a Spanner database](#pa-gcp-create-a-spanner-database) -- [[PA-HUM] Create the Spanner access resource definition](#pa-hum-create-the-spanner-access-resource-definition) -- [[PA-HUM] Update the custom Service Account resource definition with the Workload Identity annotation for `cartservice`](#pa-hum-update-the-custom-service-account-resource-definition-with-the-workload-identity-annotation-for-cartservice) +- [[PE-GCP] Create the GKE cluster](#pe-gcp-create-the-gke-cluster) +- [[PE-GCP] Deploy the Nginx Ingress controller](#pe-gcp-deploy-the-nginx-ingress-controller) +- [[PE-GCP] Protect the Nginx Ingress controller behind a Global Cloud Load Balancer (GCLB) and Cloud Armor (WAF)](#pe-gcp-protect-the-nginx-ingress-controller-behind-a-global-cloud-load-balancer-gclb-and-cloud-armor-waf) +- [[PE-HUM] Create the associated DNS and TLS resource 
definitions](#pe-hum-create-the-associated-dns-and-tls-resource-definitions) +- [[PE-GCP] Create the Google Service Account to access the GKE cluster](#pe-gcp-create-the-google-service-account-to-access-the-gke-cluster) +- [[PE-HUM] Create the GKE access resource definition](#pe-hum-create-the-gke-access-resource-definition) +- [[PE-GCP] Create the Google Service Account to access Cloud Logging](#pe-gcp-create-the-google-service-account-to-access-cloud-logging) +- [[PE-HUM] Create the Production Environment](#pe-hum-create-the-production-environment) +- [[PE-GCP] Create a Spanner database](#pe-gcp-create-a-spanner-database) +- [[PE-HUM] Create the Spanner access resource definition](#pe-hum-create-the-spanner-access-resource-definition) +- [[PE-HUM] Update the custom Service Account resource definition with the Workload Identity annotation for `cartservice`](#pe-hum-update-the-custom-service-account-resource-definition-with-the-workload-identity-annotation-for-cartservice) - [[DE-HUM] Deploy the `cartservice` connected to the Spanner database](#de-hum-deploy-the-cartservice-connected-to-the-spanner-database) - [Test the Online Boutique website](#test-the-online-boutique-website) @@ -85,9 +85,9 @@ export HUMANITEC_TOKEN=FIXME ENVIRONMENT=${PRODUCTION_ENV} ``` -## [PA-GCP] Create the GKE cluster +## [PE-GCP] Create the GKE cluster -As Platform Admin, in Google Cloud. +As Platform Engineer, in Google Cloud. ```bash gcloud services enable container.googleapis.com @@ -161,9 +161,9 @@ gcloud compute routers nats create ${CLUSTER_NAME} \ --auto-allocate-nat-external-ips ``` -## [PA-GCP] Deploy the Nginx Ingress controller +## [PE-GCP] Deploy the Nginx Ingress controller -As Platform Admin, in Google Cloud. +As Platform Engineer, in Google Cloud. Deploy the Nginx Ingress Controller: ```bash 
@@ -178,6 +178,17 @@ controller: cloud.google.com/neg: '{"exposed_ports": {"${NGINX_NEG_PORT}":{"name": "${NGINX_NEG_NAME}"}}}' config: use-forwarded-headers: true + containerSecurityContext: + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: 101 + runAsGroup: 101 + allowPrivilegeEscalation: false + readOnlyRootFilesystem: false + runAsNonRoot: true EOF helm upgrade \ --install ingress-nginx ingress-nginx \ @@ -197,7 +208,7 @@ gcloud compute firewall-rules create k8s-masters-to-nodes-on-8443 \ --allow tcp:8443 ``` -## [PA-GCP] Protect the Nginx Ingress controller behind a Global Cloud Load Balancer (GCLB) and Cloud Armor (WAF) +## [PE-GCP] Protect the Nginx Ingress controller behind a Global Cloud Load Balancer (GCLB) and Cloud Armor (WAF) Allow traffic from the Global Load Balancer (GCLB) to the node pool on port `443` for Nginx Ingress controller: ```bash @@ -333,9 +344,9 @@ gcloud compute backend-services update ${CLUSTER_NAME}-ingress-nginx-backend-ser --security-policy ${CLUSTER_NAME}-security-policy ``` -## [PA-HUM] Create the associated DNS and TLS resource definitions +## [PE-HUM] Create the associated DNS and TLS resource definitions -As Platform Admin, in Humanitec. +As Platform Engineer, in Humanitec. Create the custom Ingress resource definition: ```bash @@ -431,9 +442,9 @@ humctl create \ ``` -## [PA-GCP] Create the Google Service Account to access the GKE cluster +## [PE-GCP] Create the Google Service Account to access the GKE cluster -As Platform Admin, in Google Cloud. +As Platform Engineer, in Google Cloud. Create the Google Service Account (GSA) with the appropriate role: ```bash 
@@ -453,9 +464,9 @@ gcloud iam service-accounts keys create ${GKE_ADMIN_SA_NAME}.json \ --iam-account ${GKE_ADMIN_SA_ID} ``` -## [PA-HUM] Create the GKE access resource definition +## [PE-HUM] Create the GKE access resource definition -As Platform Admin, in Humanitec. +As Platform Engineer, in Humanitec. Create the GKE access resource definition: ```bash @@ -518,9 +529,9 @@ rm ${CLUSTER_NAME}.yaml rm ${CLUSTER_NAME}.json ``` -## [PA-GCP] Create the Google Service Account to access Cloud Logging +## [PE-GCP] Create the Google Service Account to access Cloud Logging -As Platform Admin, in Google Cloud. +As Platform Engineer, in Google Cloud. Create the Google Service Account (GSA) with the appropriate role: ```bash @@ -539,9 +550,9 @@ gcloud iam service-accounts keys create ${LOGGING_READER_SA_NAME}.json \ --iam-account ${LOGGING_READER_SA_ID} ``` -## [PA-HUM] Create the Cloud Logging access resource definition +## [PE-HUM] Create the Cloud Logging access resource definition -As Platform Admin, in Humanitec. +As Platform Engineer, in Humanitec. Create the Cloud Logging access resource definition for the Production Environment Type: ```bash @@ -602,9 +613,9 @@ rm ${CLUSTER_NAME}-logging.yaml rm ${CLUSTER_NAME}-logging.json ``` -## [PA-HUM] Create the Production Environment +## [PE-HUM] Create the Production Environment -As Platform Admin, in Humanitec. +As Platform Engineer, in Humanitec. Create the new Environment by cloning the existing Environment from its latest Deployment: ```bash @@ -653,7 +664,7 @@ humctl deploy env ${CLONED_ENVIRONMENT} ${ENVIRONMENT} \ At this stage, you can already [test the Online Boutique website](#test-the-online-boutique-website) in its existing state. -### [PA-GCP] Create a Spanner database +### [PE-GCP] Create a Spanner database Create the Spanner instance and database: ```bash 
@@ -699,9 +710,9 @@ echo ${SPANNER_DB_CONNECTION_STRING} ``` _Note: re-run the above the command until you get the value._ -## [PA-HUM] Create the Spanner access resource definition +## [PE-HUM] Create the Spanner access resource definition -As Platform Admin, in Humanitec. +As Platform Engineer, in Humanitec. ```bash cat < ${SPANNER_INSTANCE_NAME}-${SPANNER_DATABASE_NAME}-${ENVIRONMENT}-spanner.yaml @@ -750,7 +761,7 @@ humctl create \ _Note: Here we create a Redis resource definition but in a near future, this will be a Spanner resource type._ -## [PA-HUM] Update the custom Service Account resource definition with the Workload Identity annotation for `cartservice` +## [PE-HUM] Update the custom Service Account resource definition with the Workload Identity annotation for `cartservice` Update the Kubernetes `ServiceAccount` to add the Workload Identity annotation for allowing the `cartservice` to access the Spanner database: ```bash diff --git a/docs/gke-basic.md b/docs/gke-basic.md index c303c29..ae6f47b 100644 --- a/docs/gke-basic.md +++ b/docs/gke-basic.md 
@@ -4,14 +4,14 @@ # GKE basic setup in Staging -- [[PA-GCP] Create the GKE cluster](#pa-gcp-create-the-gke-cluster) -- [[PA-GCP] Deploy the Nginx Ingress controller](#pa-gcp-deploy-the-nginx-ingress-controller) -- [[PA-GCP] Create the Google Service Account to access the GKE cluster](#pa-gcp-create-the-google-service-account-to-access-the-gke-cluster) -- [[PA-HUM] Create the GKE access resource definition](#pa-hum-create-the-gke-access-resource-definition) -- [[PA-HUM] Create the Staging Environment](#pa-hum-create-the-staging-environment) -- [[PA-GCP] Create a Memorystore (Redis) database](#pa-gcp-create-a-memorystore-redis-database) -- [[PA-HUM] Create the Memorystore (Redis) access resource definition](#pa-hum-create-the-memorystore-redis-access-resource-definition) -- [[PA-HUM] Deploy the Staging Environment](#pa-hum-deploy-the-staging-environment) +- [[PE-GCP] Create the GKE cluster](#pe-gcp-create-the-gke-cluster) +- [[PE-GCP] Deploy the Nginx Ingress controller](#pe-gcp-deploy-the-nginx-ingress-controller) +- [[PE-GCP] Create the Google Service Account to access the GKE cluster](#pe-gcp-create-the-google-service-account-to-access-the-gke-cluster) +- [[PE-HUM] Create the GKE access resource definition](#pe-hum-create-the-gke-access-resource-definition) +- [[PE-HUM] Create the Staging Environment](#pe-hum-create-the-staging-environment) +- [[PE-GCP] Create a Memorystore (Redis) database](#pe-gcp-create-a-memorystore-redis-database) +- [[PE-HUM] Create the Memorystore (Redis) access resource definition](#pe-hum-create-the-memorystore-redis-access-resource-definition) +- [[PE-HUM] Deploy the Staging Environment](#pe-hum-deploy-the-staging-environment) - [Test the Online Boutique website](#test-the-online-boutique-website) ```mermaid 
@@ -68,9 +68,9 @@ export HUMANITEC_TOKEN=FIXME ENVIRONMENT=${STAGING_ENV} ``` -## [PA-GCP] Create the GKE cluster +## [PE-GCP] Create the GKE cluster -As Platform Admin, in Google Cloud. +As Platform Engineer, in Google Cloud. ```bash gcloud services enable container.googleapis.com @@ -91,9 +91,9 @@ gcloud container clusters get-credentials ${CLUSTER_NAME} \ --zone ${ZONE} ``` -## [PA-GCP] Deploy the Nginx Ingress controller +## [PE-GCP] Deploy the Nginx Ingress controller -As Platform Admin, in Google Cloud. +As Platform Engineer, in Google Cloud. Deploy the Nginx Ingress Controller: ```bash @@ -113,9 +113,9 @@ echo ${INGRESS_IP} ``` _Note: re-run the above command until you get a value._ -## [PA-GCP] Create the Google Service Account to access the GKE cluster +## [PE-GCP] Create the Google Service Account to access the GKE cluster -As Platform Admin, in Google Cloud. +As Platform Engineer, in Google Cloud. Create the Google Service Account (GSA) with the appropriate role: ```bash @@ -134,9 +134,9 @@ gcloud iam service-accounts keys create ${GKE_ADMIN_SA_NAME}.json \ --iam-account ${GKE_ADMIN_SA_ID} ``` -## [PA-HUM] Create the GKE access resource definition +## [PE-HUM] Create the GKE access resource definition -As Platform Admin, in Humanitec. +As Platform Engineer, in Humanitec. Create the GKE access resource definition: ```bash @@ -199,9 +199,9 @@ rm ${CLUSTER_NAME}.yaml rm ${CLUSTER_NAME}.json ``` -## [PA-HUM] Create the Staging Environment +## [PE-HUM] Create the Staging Environment -As Platform Admin, in Humanitec. +As Platform Engineer, in Humanitec. Create the new Environment by cloning the existing Environment from its latest Deployment: ```bash 
@@ -250,9 +250,9 @@ humctl deploy env ${CLONED_ENVIRONMENT} ${ENVIRONMENT} \ At this stage, you can already [test the Online Boutique website](#test-the-online-boutique-website) in its existing state. -## [PA-GCP] Create a Memorystore (Redis) database +## [PE-GCP] Create a Memorystore (Redis) database -As Platform Admin, in Google Cloud. +As Platform Engineer, in Google Cloud. Create the Memorystore (Redis) database with a password in same region and network as the GKE cluster: ```bash @@ -284,9 +284,9 @@ echo ${REDIS_AUTH} ``` _Note: re-run the above commands until you get the 3 values._ -## [PA-HUM] Create the Memorystore (Redis) access resource definition +## [PE-HUM] Create the Memorystore (Redis) access resource definition -As Platform Admin, in Humanitec. +As Platform Engineer, in Humanitec. ```bash cat < ${REDIS_NAME}.yaml @@ -342,9 +342,9 @@ Clean sensitive information locally: rm ${REDIS_NAME}.yaml ``` -## [PA-HUM] Deploy the Staging Environment +## [PE-HUM] Deploy the Staging Environment -As Platform admin, in Humanitec. +As Platform Engineer, in Humanitec. Deploy the new Environment to take into account all the new resource definitions: ```bash diff --git a/docs/humanitec-default.md b/docs/humanitec-default.md index 38754fe..551fc96 100644 --- a/docs/humanitec-default.md +++ b/docs/humanitec-default.md 
@@ -2,8 +2,8 @@ ## Humanitec default setup in Development -- [[PA-HUM] Create the Online Boutique App](#pa-hum-create-the-online-boutique-app) -- [[PA-HUM] Create the in-cluster Redis resource definition](#pa-hum-create-the-in-cluster-redis-resource-definition) +- [[PE-HUM] Create the Online Boutique App](#pe-hum-create-the-online-boutique-app) +- [[PE-HUM] Create the in-cluster Redis resource definition](#pe-hum-create-the-in-cluster-redis-resource-definition) - [[DE-HUM] Deploy the Online Boutique Workloads in Development Environment](#de-hum-deploy-the-online-boutique-workloads-in-development-environment) - [Test the Online Boutique website](#test-the-online-boutique-website) @@ -48,9 +48,9 @@ git clone https://github.com/mathieu-benoit/hello-humanitec cd hello-humanitec/ ``` -## [PA-HUM] Create the Online Boutique App +## [PE-HUM] Create the Online Boutique App -As Platform Admin, in Humanitec. +As Platform Engineer, in Humanitec. ```bash ONLINEBOUTIQUE_APP=onlineboutique @@ -76,26 +76,27 @@ humctl create app ${ONLINEBOUTIQUE_APP} \ ``` -## [PA-HUM] Create the in-cluster Redis resource definition +## [PE-HUM] Create the in-cluster Redis resource definition -As Platform Admin, in Humanitec. +As Platform Engineer, in Humanitec. Create the in-cluster Redis resource definition: ```bash -REDIS_NAME=redis-cart -REDIS_PORT=6379 -cat < ${REDIS_NAME}-in-cluster.yaml +cat < redis-in-cluster.yaml apiVersion: core.api.humanitec.io/v1 kind: Definition metadata: - id: ${REDIS_NAME}-in-cluster + id: redis-in-cluster object: - name: ${REDIS_NAME}-in-cluster + name: redis-in-cluster type: redis driver_type: humanitec/template driver_inputs: values: templates: + init: |- + name: redis + port: 6379 manifests: |- deployment.yaml: location: namespace 
@@ -103,15 +104,15 @@ object: apiVersion: apps/v1 kind: Deployment metadata: - name: ${REDIS_NAME} + name: {{ .init.name }} spec: selector: matchLabels: - app: ${REDIS_NAME} + app: {{ .init.name }} template: metadata: labels: - app: ${REDIS_NAME} + app: {{ .init.name }} spec: securityContext: fsGroup: 1000 @@ -121,7 +122,7 @@ object: seccompProfile: type: RuntimeDefault containers: - - name: redis + - name: {{ .init.name }} securityContext: allowPrivilegeEscalation: false capabilities: @@ -131,7 +132,7 @@ object: readOnlyRootFilesystem: true image: redis:alpine ports: - - containerPort: ${REDIS_PORT} + - containerPort: {{ .init.port }} volumeMounts: - mountPath: /data name: redis-data @@ -144,23 +145,23 @@ object: apiVersion: v1 kind: Service metadata: - name: ${REDIS_NAME} + name: {{ .init.name }} spec: type: ClusterIP selector: - app: ${REDIS_NAME} + app: {{ .init.name }} ports: - name: tcp-redis - port: ${REDIS_PORT} - targetPort: ${REDIS_PORT} + port: {{ .init.port }} + targetPort: {{ .init.port }} outputs: | - host: ${REDIS_NAME} - port: ${REDIS_PORT} + host: {{ .init.name }} + port: {{ .init.port }} criteria: - {} EOF humctl create \ - -f ${REDIS_NAME}-in-cluster.yaml + -f redis-in-cluster.yaml ``` ## [DE-HUM] Deploy the Online Boutique Workloads in Development Environment diff --git a/images/personas.png b/images/personas.png index cdcc3fe..369c117 100644 Binary files a/images/personas.png and b/images/personas.png differ diff --git a/samples/nginx/nginx-secured/humanitec.score.yaml b/samples/nginx/nginx-secured/humanitec.score.yaml index 453cd00..2e3efa9 100644 --- a/samples/nginx/nginx-secured/humanitec.score.yaml +++ b/samples/nginx/nginx-secured/humanitec.score.yaml @@ -1,12 +1,6 @@ apiVersion: humanitec.org/v1b1 profile: humanitec/default-module spec: - containers: - nginx-secured: - volume_mounts: - /tmp: - id: volumes.tmp - read_only: false ingress: rules: "${resources.dns}": 
diff --git a/samples/nginx/nginx-secured/score-not-supported.yaml b/samples/nginx/nginx-secured/score-not-supported.yaml
deleted file mode 100644
index 7f93e13..0000000
--- a/samples/nginx/nginx-secured/score-not-supported.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: score.dev/v1b1
-metadata:
- name: nginx-secured
-containers:
- nginx-secured:
- image: nginxinc/nginx-unprivileged:latest
- volumes:
- - source: ${resources.tmp}
- target: /tmp
-resources:
- dns:
- type: dns
- tmp:
- type: emptyDir
-service:
- ports:
- tcp:
- port: 80
- targetPort: 8080
diff --git a/samples/nginx/nginx-secured/score.yaml b/samples/nginx/nginx-secured/score.yaml
index 04b0a21..418194c 100644
--- a/samples/nginx/nginx-secured/score.yaml
+++ b/samples/nginx/nginx-secured/score.yaml
@@ -3,7 +3,11 @@ metadata:
 name: nginx-secured
 containers:
 nginx-secured:
- image: nginxinc/nginx-unprivileged:latest
+ image: nginxinc/nginx-unprivileged:alpine-slim
+ volumes:
+ - source: volumes.tmp
+ target: /tmp
+ read_only: false
 resources:
 dns:
 type: dns
diff --git a/samples/nginx/nginx-unprivileged/score.yaml b/samples/nginx/nginx-unprivileged/score.yaml
index 2f8e7bd..322e2d7 100644
--- a/samples/nginx/nginx-unprivileged/score.yaml
+++ b/samples/nginx/nginx-unprivileged/score.yaml
@@ -3,7 +3,7 @@ metadata:
 name: nginx-unprivileged
 containers:
 nginx-unprivileged:
- image: nginxinc/nginx-unprivileged:latest
+ image: nginxinc/nginx-unprivileged:alpine-slim
 resources:
 dns:
 type: dns
diff --git a/samples/nginx/nginx/score.yaml b/samples/nginx/nginx/score.yaml
index 6dc8673..0b1e6b4 100644
--- a/samples/nginx/nginx/score.yaml
+++ b/samples/nginx/nginx/score.yaml
@@ -3,7 +3,7 @@ metadata:
 name: nginx
 containers:
 nginx:
- image: nginx:latest
+ image: nginx:alpine-slim
 resources:
 dns:
 type: dns
diff --git a/samples/onlineboutique/adservice/humanitec.score.yaml b/samples/onlineboutique/adservice/humanitec.score.yaml
index 1f09c7e..e14817b 100644
--- a/samples/onlineboutique/adservice/humanitec.score.yaml
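Review bot: `image: nginxinc/nginx-unprivileged:alpine-slim` replaces one floating tag with another, so the bytes deployed from this manifest can change at the registry without any diff here and a retagged upstream image is pulled silently; the nginx-unprivileged and nginx hunks further down make the same change. Pinning by digest, `image: nginxinc/nginx-unprivileged:alpine-slim@sha256:<DIGEST_PLACEHOLDER>`, makes the pull reproducible and lets a bump show up in review. Separately, the new `source: volumes.tmp` no longer points at a declared resource the way the deleted score-not-supported.yaml did with `${resources.tmp}` of type emptyDir, and only `dns` is visible under `resources` in this hunk's context, so it is worth confirming the Humanitec extension still resolves `volumes.tmp` now that the `volume_mounts` block was removed from humanitec.score.yaml.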
+++ b/samples/onlineboutique/adservice/humanitec.score.yaml
@@ -4,12 +4,10 @@ spec:
 containers:
 adservice:
 liveness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:9555'
- type: command
+ grpc:
+ port: 9555
+ type: grpc
 readiness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:9555'
- type: command
\ No newline at end of file
+ grpc:
+ port: 9555
+ type: grpc
\ No newline at end of file
diff --git a/samples/onlineboutique/adservice/score.yaml b/samples/onlineboutique/adservice/score.yaml
index 3c2ec04..0fe1a1a 100644
--- a/samples/onlineboutique/adservice/score.yaml
+++ b/samples/onlineboutique/adservice/score.yaml
@@ -3,7 +3,7 @@ metadata:
 name: adservice
 containers:
 adservice:
- image: gcr.io/google-samples/microservices-demo/adservice:v0.7.0
+ image: gcr.io/google-samples/microservices-demo/adservice:v0.8.0
 variables:
 PORT: "9555"
 service:
diff --git a/samples/onlineboutique/cartservice/humanitec.score.yaml b/samples/onlineboutique/cartservice/humanitec.score.yaml
index 303b7a9..065d8ad 100644
--- a/samples/onlineboutique/cartservice/humanitec.score.yaml
+++ b/samples/onlineboutique/cartservice/humanitec.score.yaml
@@ -4,12 +4,10 @@ spec:
 containers:
 cartservice:
 liveness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:7070'
- type: command
+ grpc:
+ port: 7070
+ type: grpc
 readiness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:7070'
- type: command
\ No newline at end of file
+ grpc:
+ port: 7070
+ type: grpc
\ No newline at end of file
diff --git a/samples/onlineboutique/cartservice/score.yaml b/samples/onlineboutique/cartservice/score.yaml
index f8f8069..997aa0a 100644
--- a/samples/onlineboutique/cartservice/score.yaml
+++ b/samples/onlineboutique/cartservice/score.yaml
@@ -3,19 +3,14 @@ metadata:
 name: cartservice
 containers:
 cartservice:
- image: gcr.io/google-samples/microservices-demo/cartservice:v0.7.0
+ image: gcr.io/google-samples/microservices-demo/cartservice:v0.8.0
 variables:
 REDIS_ADDR: "${resources.redis-cart.host}:${resources.redis-cart.port},user=${resources.redis-cart.user},password=${resources.redis-cart.password}"
 resources:
 redis-cart:
 type: redis
- properties:
- host:
- port:
- user:
- password:
 service:
 ports:
 grpc:
 port: 7070
- targetPort: 7070
\ No newline at end of file
+ targetPort: 7070
diff --git a/samples/onlineboutique/checkoutservice/humanitec.score.yaml b/samples/onlineboutique/checkoutservice/humanitec.score.yaml
index 9ae1d3b..f790b6d 100644
--- a/samples/onlineboutique/checkoutservice/humanitec.score.yaml
+++ b/samples/onlineboutique/checkoutservice/humanitec.score.yaml
@@ -4,12 +4,10 @@ spec:
 containers:
 checkoutservice:
 liveness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:5050'
- type: command
+ grpc:
+ port: 5050
+ type: grpc
 readiness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:5050'
- type: command
\ No newline at end of file
+ grpc:
+ port: 5050
+ type: grpc
\ No newline at end of file
diff --git a/samples/onlineboutique/checkoutservice/score.yaml b/samples/onlineboutique/checkoutservice/score.yaml
index 64d23b1..d71a9d6 100644
--- a/samples/onlineboutique/checkoutservice/score.yaml
+++ b/samples/onlineboutique/checkoutservice/score.yaml
@@ -3,7 +3,7 @@ metadata:
 name: checkoutservice
 containers:
 checkoutservice:
- image: gcr.io/google-samples/microservices-demo/checkoutservice:v0.7.0
+ image: gcr.io/google-samples/microservices-demo/checkoutservice:v0.8.0
 variables:
 CART_SERVICE_ADDR: "${resources.cartservice.name}:7070"
 CURRENCY_SERVICE_ADDR: "${resources.currencyservice.name}:7000"
diff --git a/samples/onlineboutique/currencyservice/humanitec.score.yaml b/samples/onlineboutique/currencyservice/humanitec.score.yaml
index a1a4ac0..726b445 100644
--- a/samples/onlineboutique/currencyservice/humanitec.score.yaml
+++ b/samples/onlineboutique/currencyservice/humanitec.score.yaml
@@ -4,12 +4,10 @@ spec:
 containers:
 currencyservice:
 liveness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:7000'
- type: command
+ grpc:
+ port: 7000
+ type: grpc
 readiness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:7000'
- type: command
\ No newline at end of file
+ grpc:
+ port: 7000
+ type: grpc
\ No newline at end of file
diff --git a/samples/onlineboutique/currencyservice/score.yaml b/samples/onlineboutique/currencyservice/score.yaml
index 5d64d0c..6b2a4a1 100644
--- a/samples/onlineboutique/currencyservice/score.yaml
+++ b/samples/onlineboutique/currencyservice/score.yaml
@@ -3,7 +3,7 @@ metadata:
 name: currencyservice
 containers:
 currencyservice:
- image: gcr.io/google-samples/microservices-demo/currencyservice:v0.7.0
+ image: gcr.io/google-samples/microservices-demo/currencyservice:v0.8.0
 variables:
 DISABLE_PROFILER: "1"
 PORT: "7000"
diff --git a/samples/onlineboutique/emailservice/humanitec.score.yaml b/samples/onlineboutique/emailservice/humanitec.score.yaml
index 13e8e8e..34df6e8 100644
--- a/samples/onlineboutique/emailservice/humanitec.score.yaml
+++ b/samples/onlineboutique/emailservice/humanitec.score.yaml
@@ -4,12 +4,10 @@ spec:
 containers:
 emailservice:
 liveness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:8080'
- type: command
+ grpc:
+ port: 8080
+ type: grpc
 readiness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:8080'
- type: command
\ No newline at end of file
+ grpc:
+ port: 8080
+ type: grpc
\ No newline at end of file
diff --git a/samples/onlineboutique/emailservice/score.yaml b/samples/onlineboutique/emailservice/score.yaml
index 7eb3ba1..3e7adfd 100644
--- a/samples/onlineboutique/emailservice/score.yaml
+++ b/samples/onlineboutique/emailservice/score.yaml
@@ -3,7 +3,7 @@ metadata:
 name: emailservice
 containers:
 emailservice:
- image: gcr.io/google-samples/microservices-demo/emailservice:v0.7.0
+ image: gcr.io/google-samples/microservices-demo/emailservice:v0.8.0
 variables:
 DISABLE_PROFILER: "1"
 PORT: "8080"
diff --git a/samples/onlineboutique/frontend/score.yaml b/samples/onlineboutique/frontend/score.yaml
index 2c1e2ec..8232009 100644
--- a/samples/onlineboutique/frontend/score.yaml
+++ b/samples/onlineboutique/frontend/score.yaml
@@ -3,7 +3,7 @@ metadata:
 name: frontend
 containers:
 frontend:
- image: gcr.io/google-samples/microservices-demo/frontend:v0.7.0
+ image: gcr.io/google-samples/microservices-demo/frontend:v0.8.0
 livenessProbe:
 httpGet:
 path: /_healthz
@@ -29,6 +29,8 @@ containers:
 PRODUCT_CATALOG_SERVICE_ADDR: "${resources.productcatalogservice.name}:3550"
 RECOMMENDATION_SERVICE_ADDR: "${resources.recommendationservice.name}:8080"
 SHIPPING_SERVICE_ADDR: "${resources.shippingservice.name}:50051"
+ CYMBAL_BRANDING: "false"
+ FRONTEND_MESSAGE: ""
 resources:
 adservice:
 type: service
@@ -68,4 +70,4 @@ service:
 ports:
 grpc:
 port: 80
- targetPort: 8080
\ No newline at end of file
+ targetPort: 8080
diff --git a/samples/onlineboutique/loadgenerator/score.yaml b/samples/onlineboutique/loadgenerator/score.yaml
index d60da85..ad4b1c3 100644
--- a/samples/onlineboutique/loadgenerator/score.yaml
+++ b/samples/onlineboutique/loadgenerator/score.yaml
@@ -3,7 +3,7 @@ metadata:
 name: loadgenerator
 containers:
 loadgenerator:
- image: gcr.io/google-samples/microservices-demo/loadgenerator:v0.7.0
+ image: gcr.io/google-samples/microservices-demo/loadgenerator:v0.8.0
 variables:
 FRONTEND_ADDR: "${resources.frontend.name}:80"
 USERS: "10"
diff --git a/samples/onlineboutique/paymentservice/humanitec.score.yaml b/samples/onlineboutique/paymentservice/humanitec.score.yaml
index d08672f..dda003e 100644
--- a/samples/onlineboutique/paymentservice/humanitec.score.yaml
+++ b/samples/onlineboutique/paymentservice/humanitec.score.yaml
@@ -4,12 +4,10 @@ spec:
 containers:
 paymentservice:
 liveness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:50051'
- type: command
+ grpc:
+ port: 50051
+ type: grpc
 readiness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:50051'
- type: command
\ No newline at end of file
+ grpc:
+ port: 50051
+ type: grpc
\ No newline at end of file
diff --git a/samples/onlineboutique/paymentservice/score.yaml b/samples/onlineboutique/paymentservice/score.yaml
index 84a0807..22269fa 100644
--- a/samples/onlineboutique/paymentservice/score.yaml
+++ b/samples/onlineboutique/paymentservice/score.yaml
@@ -3,7 +3,7 @@ metadata:
 name: paymentservice
 containers:
 paymentservice:
- image: gcr.io/google-samples/microservices-demo/paymentservice:v0.7.0
+ image: gcr.io/google-samples/microservices-demo/paymentservice:v0.8.0
 variables:
 DISABLE_PROFILER: "1"
 PORT: "50051"
diff --git a/samples/onlineboutique/productcatalogservice/humanitec.score.yaml b/samples/onlineboutique/productcatalogservice/humanitec.score.yaml
index b400a4e..d44c5fe 100644
--- a/samples/onlineboutique/productcatalogservice/humanitec.score.yaml
+++ b/samples/onlineboutique/productcatalogservice/humanitec.score.yaml
@@ -4,12 +4,10 @@ spec:
 containers:
 productcatalogservice:
 liveness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:3550'
- type: command
+ grpc:
+ port: 3550
+ type: grpc
 readiness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:3550'
- type: command
\ No newline at end of file
+ grpc:
+ port: 3550
+ type: grpc
\ No newline at end of file
diff --git a/samples/onlineboutique/productcatalogservice/score.yaml b/samples/onlineboutique/productcatalogservice/score.yaml
index 04a7777..98ff31a 100644
--- a/samples/onlineboutique/productcatalogservice/score.yaml
+++ b/samples/onlineboutique/productcatalogservice/score.yaml
@@ -3,7 +3,7 @@ metadata:
 name: productcatalogservice
 containers:
 productcatalogservice:
- image: gcr.io/google-samples/microservices-demo/productcatalogservice:v0.7.0
+ image: gcr.io/google-samples/microservices-demo/productcatalogservice:v0.8.0
 variables:
 DISABLE_PROFILER: "1"
 PORT: "3550"
diff --git a/samples/onlineboutique/recommendationservice/humanitec.score.yaml b/samples/onlineboutique/recommendationservice/humanitec.score.yaml
index c220a3f..ea03e59 100644
--- a/samples/onlineboutique/recommendationservice/humanitec.score.yaml
+++ b/samples/onlineboutique/recommendationservice/humanitec.score.yaml
@@ -4,12 +4,10 @@ spec:
 containers:
 recommendationservice:
 liveness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:8080'
- type: command
+ grpc:
+ port: 8080
+ type: grpc
 readiness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:8080'
- type: command
\ No newline at end of file
+ grpc:
+ port: 8080
+ type: grpc
\ No newline at end of file
diff --git a/samples/onlineboutique/recommendationservice/score.yaml b/samples/onlineboutique/recommendationservice/score.yaml
index b6f164c..4b60bba 100644
--- a/samples/onlineboutique/recommendationservice/score.yaml
+++ b/samples/onlineboutique/recommendationservice/score.yaml
@@ -3,7 +3,7 @@ metadata:
 name: recommendationservice
 containers:
 recommendationservice:
- image: gcr.io/google-samples/microservices-demo/recommendationservice:v0.7.0
+ image: gcr.io/google-samples/microservices-demo/recommendationservice:v0.8.0
 variables:
 DISABLE_PROFILER: "1"
 PORT: "8080"
diff --git a/samples/onlineboutique/shippingservice/humanitec.score.yaml b/samples/onlineboutique/shippingservice/humanitec.score.yaml
index df99802..bb116cb 100644
--- a/samples/onlineboutique/shippingservice/humanitec.score.yaml
+++ b/samples/onlineboutique/shippingservice/humanitec.score.yaml
@@ -4,12 +4,10 @@ spec:
 containers:
 shippingservice:
 liveness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:50051'
- type: command
+ grpc:
+ port: 50051
+ type: grpc
 readiness_probe:
- command:
- - /bin/grpc_health_probe
- - '-addr=:50051'
- type: command
\ No newline at end of file
+ grpc:
+ port: 50051
+ type: grpc
\ No newline at end of file
diff --git a/samples/onlineboutique/shippingservice/score.yaml b/samples/onlineboutique/shippingservice/score.yaml
index 43a3670..e8fd12d 100644
--- a/samples/onlineboutique/shippingservice/score.yaml
+++ b/samples/onlineboutique/shippingservice/score.yaml
@@ -3,7 +3,7 @@ metadata:
 name: shippingservice
 containers:
 shippingservice:
- image: gcr.io/google-samples/microservices-demo/shippingservice:v0.7.0
+ image: gcr.io/google-samples/microservices-demo/shippingservice:v0.8.0
 variables:
 DISABLE_PROFILER: "1"
 PORT: "50051"
diff --git a/terraform/azure-blob/README.md b/terraform/azure-blob/README.md
new file mode 100644
index 0000000..5f6e698
--- /dev/null
+++ b/terraform/azure-blob/README.md
@@ -0,0 +1,50 @@
+## Test the Azure Blob Storage Terraform locally
+
+```bash
+terraform init
+terraform plan -var-file terraform.tfvars.example
+```
+
+## Deploy the Azure Blob Storage Terraform Resource Definition
+
+```bash
+HUMANITEC_ORG=
+LOCATION=
+RESOURCE_GROUP=
+AZURE_SUBCRIPTION_ID=
+AZURE_SUBCRIPTION_TENANT_ID=
+AZURE_SERVICE_PRINCIPAL_ID=
+AZURE_SERVICE_PRINCIPAL_SECRET=
+
+cat < azure-blob-terraform.yaml
+apiVersion: core.api.humanitec.io/v1
+kind: Definition
+metadata:
+ id: azure-blob-terraform
+object:
+ name: azure-blob-terraform
+ type: azure-blob
+ driver_type: ${HUMANITEC_ORG}/terraform
+ driver_inputs:
+ values:
+ source:
+ path: terraform/azure-blob/
+ rev: refs/heads/main
+ url: https://github.com/mathieu-benoit/hello-humanitec.git
+ variables:
+ storage_account_location: ${LOCATION}
+ resource_group_name: ${RESOURCE_GROUP}
+ secrets:
+ variables:
+ credentials:
+ azure_subscription_id: ${AZURE_SUBCRIPTION_ID}
+ azure_subscription_tenant_id: ${AZURE_SUBCRIPTION_TENANT_ID}
+ service_principal_id: ${AZURE_SERVICE_PRINCIPAL_ID}
+ service_principal_password: ${AZURE_SERVICE_PRINCIPAL_SECRET}
+ criteria:
+ - {}
+EOF
+
+humctl create \
+ -f azure-blob-terraform.yaml
+```
diff --git a/terraform/azure-blob/main.tf b/terraform/azure-blob/main.tf
new file mode 100644
index 0000000..18dd025
--- /dev/null
+++ b/terraform/azure-blob/main.tf
@@ -0,0 +1,29 @@
+resource "random_string" "storage_account_name_sufix" {
+ length = 16
+ special = false
+ lower = true
+ upper = false
+}
+
+resource "random_string" "storage_container_name_sufix" {
+ length = 16
+ special = false
+ lower = true
+ upper = false
+}
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account
+resource "azurerm_storage_account" "storage_account" {
+ name = "storage${random_string.storage_account_name_sufix.result}"
+ resource_group_name = var.resource_group_name
+ location = var.storage_account_location
+ account_tier = "Standard"
+ account_replication_type = "LRS"
+}
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container
+resource "azurerm_storage_container" "storage_container" {
+ name = "storage${random_string.storage_container_name_sufix.result}"
+ storage_account_name = azurerm_storage_account.storage_account.name
+ container_access_type = "private"
+}
\ No newline at end of file
diff --git a/terraform/azure-blob/outputs.tf b/terraform/azure-blob/outputs.tf
new file mode 100644
index 0000000..ca8177a
--- /dev/null
+++ b/terraform/azure-blob/outputs.tf
@@ -0,0 +1,7 @@
+output "container" {
+ value = azurerm_storage_container.storage_container.name
+}
+
+output "account" {
+ value = azurerm_storage_account.storage_account.name
+}
diff --git a/terraform/azure-blob/providers.tf b/terraform/azure-blob/providers.tf
new file mode 100644
index 0000000..a9d84bf
--- /dev/null
+++ b/terraform/azure-blob/providers.tf
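Review bot: The `azurerm_storage_account` block sets only `account_tier` and `account_replication_type`, so every account-level exposure control is left to provider defaults; the container is `private`, but nothing at the account level stops a later container from being made public or an old TLS client from connecting. Writing the intent down, `allow_nested_items_to_be_public = false` and `min_tls_version = "TLS1_2"` (plus `public_network_access_enabled = false` if consumers reach the account privately), avoids depending on defaults that have shifted between azurerm major versions. As a style point, the two `random_string` names spell `sufix` for `suffix`; renaming before the first apply avoids a state move later.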
@@ -0,0 +1,23 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~>3.0"
+ }
+
+ random = {
+ source = "hashicorp/random"
+ version = "~>3.0"
+ }
+ }
+
+ required_version = ">= 1.1.0"
+}
+
+provider "azurerm" {
+ features {}
+ subscription_id = var.credentials.azure_subscription_id
+ tenant_id = var.credentials.azure_subscription_tenant_id
+ client_id = var.credentials.service_principal_id
+ client_secret = var.credentials.service_principal_password
+}
\ No newline at end of file
diff --git a/terraform/azure-blob/terraform.tfvars.example b/terraform/azure-blob/terraform.tfvars.example
new file mode 100644
index 0000000..3fee5b6
--- /dev/null
+++ b/terraform/azure-blob/terraform.tfvars.example
@@ -0,0 +1,8 @@
+resource_group_name = "test"
+storage_account_location = "eastus"
+credentials = {
+ azure_subscription_id = " "
+ azure_subscription_tenant_id = " "
+ service_principal_id = " "
+ service_principal_password = " "
+}
\ No newline at end of file
diff --git a/terraform/azure-blob/variables.tf b/terraform/azure-blob/variables.tf
new file mode 100644
index 0000000..d83bcb5
--- /dev/null
+++ b/terraform/azure-blob/variables.tf
@@ -0,0 +1,21 @@
+variable "credentials" {
+ description = "The credentials for connecting to Azure."
+ type = object({
+ azure_subscription_id = string
+ azure_subscription_tenant_id = string
+ service_principal_id = string
+ service_principal_password = string
+ })
+ sensitive = true
+}
+
+variable "resource_group_name" {
+ description = "Name of the Azure Resource Group to use"
+ type = string
+}
+
+variable "storage_account_location" {
+ description = "Location of the Azure Storage Account"
+ type = string
+ default = "eastus"
+}
\ No newline at end of file
diff --git a/terraform/azure-mysql/README.md b/terraform/azure-mysql/README.md
new file mode 100644
index 0000000..f111fbe
--- /dev/null
+++ b/terraform/azure-mysql/README.md
@@ -0,0 +1,50 @@
+## Test the Azure MySQL Terraform locally
+
+```bash
+terraform init
+terraform plan -var-file terraform.tfvars.example
+```
+
+## Deploy the Azure MySQL Terraform Resource Definition
+
+```bash
+HUMANITEC_ORG=
+LOCATION=
+RESOURCE_GROUP=
+AZURE_SUBCRIPTION_ID=
+AZURE_SUBCRIPTION_TENANT_ID=
+AZURE_SERVICE_PRINCIPAL_ID=
+AZURE_SERVICE_PRINCIPAL_SECRET=
+
+cat < azure-mysql-terraform.yaml
+apiVersion: core.api.humanitec.io/v1
+kind: Definition
+metadata:
+ id: azure-mysql-terraform
+object:
+ name: azure-mysql-terraform
+ type: mysql
+ driver_type: ${HUMANITEC_ORG}/terraform
+ driver_inputs:
+ values:
+ source:
+ path: terraform/azure-mysql/
+ rev: refs/heads/main
+ url: https://github.com/mathieu-benoit/hello-humanitec.git
+ variables:
+ mysql_server_location: ${LOCATION}
+ resource_group_name: ${RESOURCE_GROUP}
+ secrets:
+ variables:
+ credentials:
+ azure_subscription_id: ${AZURE_SUBCRIPTION_ID}
+ azure_subscription_tenant_id: ${AZURE_SUBCRIPTION_TENANT_ID}
+ service_principal_id: ${AZURE_SERVICE_PRINCIPAL_ID}
+ service_principal_password: ${AZURE_SERVICE_PRINCIPAL_SECRET}
+ criteria:
+ - {}
+EOF
+
+humctl create \
+ -f azure-mysql-terraform.yaml
+```
diff --git a/terraform/azure-mysql/main.tf b/terraform/azure-mysql/main.tf
new file mode 100644
index 0000000..eb9f493
--- /dev/null
+++ b/terraform/azure-mysql/main.tf
@@ -0,0 +1,74 @@
+resource "random_string" "server_name" {
+ length = 16
+ lower = true
+ numeric = false
+ special = false
+ upper = false
+}
+
+resource "random_string" "database_name" {
+ length = 8
+ lower = true
+ numeric = false
+ special = false
+ upper = false
+}
+
+resource "random_string" "login" {
+ length = 8
+ lower = true
+ numeric = false
+ special = false
+ upper = false
+}
+
+resource "random_password" "password" {
+ length = 8
+ lower = true
+ min_lower = 1
+ min_numeric = 1
+ min_special = 1
+ min_upper = 1
+ numeric = true
+ override_special = "_"
+ special = true
+ upper = true
+}
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_flexible_server
+resource "azurerm_mysql_flexible_server" "server" {
+ location = var.mysql_server_location
+ name = "mysqlserver${random_string.server_name.result}"
+ resource_group_name = var.resource_group_name
+ administrator_login = random_string.login.result
+ administrator_password = random_password.password.result
+ sku_name = "B_Standard_B1ms"
+ version = "8.0.21"
+ zone = "2"
+}
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_flexible_server_configuration
+resource "azurerm_mysql_flexible_server_configuration" "require_secure_transport" {
+ name = "require_secure_transport"
+ resource_group_name = var.resource_group_name
+ server_name = azurerm_mysql_flexible_server.server.name
+ value = "OFF"
+}
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_flexible_server_firewall_rule
+resource "azurerm_mysql_flexible_server_firewall_rule" "azure_services" {
+ name = "azure_services"
+ resource_group_name = var.resource_group_name
+ server_name = azurerm_mysql_flexible_server.server.name
+ start_ip_address = "0.0.0.0"
+ end_ip_address = "0.0.0.0"
+}
+
+# https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mysql_flexible_database
+resource "azurerm_mysql_flexible_database" "database" {
+ charset = "utf8mb4"
+ collation = "utf8mb4_unicode_ci"
+ name = "mysqldatabase${random_string.database_name.result}"
+ resource_group_name = var.resource_group_name
+ server_name = azurerm_mysql_flexible_server.server.name
+}
\ No newline at end of file
diff --git a/terraform/azure-mysql/outputs.tf b/terraform/azure-mysql/outputs.tf
new file mode 100644
index 0000000..878b7e5
--- /dev/null
+++ b/terraform/azure-mysql/outputs.tf
@@ -0,0 +1,21 @@
+output "host" {
+ value = azurerm_mysql_flexible_server.server.fqdn
+}
+
+output "name" {
+ value = azurerm_mysql_flexible_database.database.name
+}
+
+output "port" {
+ value = 3306
+}
+
+output "password" {
+ value = azurerm_mysql_flexible_server.server.administrator_password
+ sensitive = true
+}
+
+output "username" {
+ value = azurerm_mysql_flexible_server.server.administrator_login
+ sensitive = true
+}
\ No newline at end of file
diff --git a/terraform/azure-mysql/providers.tf b/terraform/azure-mysql/providers.tf
new file mode 100644
index 0000000..a9d84bf
--- /dev/null
+++ b/terraform/azure-mysql/providers.tf
@@ -0,0 +1,23 @@
+terraform {
+ required_providers {
+ azurerm = {
+ source = "hashicorp/azurerm"
+ version = "~>3.0"
+ }
+
+ random = {
+ source = "hashicorp/random"
+ version = "~>3.0"
+ }
+ }
+
+ required_version = ">= 1.1.0"
+}
+
+provider "azurerm" {
+ features {}
+ subscription_id = var.credentials.azure_subscription_id
+ tenant_id = var.credentials.azure_subscription_tenant_id
+ client_id = var.credentials.service_principal_id
+ client_secret = var.credentials.service_principal_password
+}
\ No newline at end of file
diff --git a/terraform/azure-mysql/terraform.tfvars.example b/terraform/azure-mysql/terraform.tfvars.example
new file mode 100644
index 0000000..9dcb712
--- /dev/null
+++ b/terraform/azure-mysql/terraform.tfvars.example
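Review bot: `value = "OFF"` on the `require_secure_transport` configuration disables TLS enforcement on the new MySQL flexible server, so clients may connect in clear text and the generated administrator password (also surfaced through the `password` output) can cross the network unencrypted; the sample should ship with `value = "ON"` and fix any client that cannot negotiate TLS rather than relax the server. The `azure_services` firewall rule with `start_ip_address = "0.0.0.0"` and `end_ip_address = "0.0.0.0"` is Azure's allow-all-Azure-services rule, which admits traffic from any Azure-hosted source rather than just this cluster, so the credential becomes the only barrier; scope the rule to the cluster's egress addresses or move the server to private, VNet-delegated access. `random_password` with `length = 8` is short for an administrator credential that lives in state and outputs; `length = 24` or more costs nothing here.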
@@ -0,0 +1,8 @@
+resource_group_name = "test"
+mysql_server_location = "eastus"
+credentials = {
+ azure_subscription_id = " "
+ azure_subscription_tenant_id = " "
+ service_principal_id = " "
+ service_principal_password = " "
+}
\ No newline at end of file
diff --git a/terraform/azure-mysql/variables.tf b/terraform/azure-mysql/variables.tf
new file mode 100644
index 0000000..a21fb67
--- /dev/null
+++ b/terraform/azure-mysql/variables.tf
@@ -0,0 +1,21 @@
+variable "credentials" {
+ description = "The credentials for connecting to Azure."
+ type = object({
+ azure_subscription_id = string
+ azure_subscription_tenant_id = string
+ service_principal_id = string
+ service_principal_password = string
+ })
+ sensitive = true
+}
+
+variable "resource_group_name" {
+ description = "Name of the Azure Resource Group to use"
+ type = string
+}
+
+variable "mysql_server_location" {
+ description = "Location of Azure MySQL Server"
+ type = string
+ default = "eastus"
+}
\ No newline at end of file