From 1f6ddc83b45a74e4b18e7451c6b36c7012a2b230 Mon Sep 17 00:00:00 2001
From: Bartosz Nowicki <116367402+bn-pass@users.noreply.github.com>
Date: Fri, 15 Dec 2023 17:23:49 +0100
Subject: [PATCH] BC-5942 - dedicated ConfigMap and Secret for the Admin API deployment (#4644)

* add loading Admin API server secret from 1Password
* fix incorrect comment
* add custom configmap for the Admin API server, add task that will deploy it
* switch to the custom configmap and secret for the Admin API deployment
* add ADMIN_API__PORT env to the Admin API server ConfigMap
* change invalid refs names
* modify Admin API server config map data
* move Rocket.Chat URI from the configmap to the secrets (for the Admin API server)
---
 .../roles/schulcloud-server-core/tasks/main.yml | 14 ++++++++++++++
 .../templates/admin-api-server-configmap.yml.j2 | 13 +++++++++++++
 .../templates/admin-api-server-deployment.yml.j2 | 4 ++--
 .../templates/admin-api-server-onepassword.yml.j2 | 9 +++++++++
 .../templates/admin-api-server-svc.yml.j2 | 2 +-
 5 files changed, 39 insertions(+), 3 deletions(-)
 create mode 100644 ansible/roles/schulcloud-server-core/templates/admin-api-server-configmap.yml.j2
 create mode 100644 ansible/roles/schulcloud-server-core/templates/admin-api-server-onepassword.yml.j2

diff --git a/ansible/roles/schulcloud-server-core/tasks/main.yml b/ansible/roles/schulcloud-server-core/tasks/main.yml
index 048da2580c8..6a83839a2fe 100644
--- a/ansible/roles/schulcloud-server-core/tasks/main.yml
+++ b/ansible/roles/schulcloud-server-core/tasks/main.yml
@@ -37,6 +37,20 @@
 template: onepassword.yml.j2
 when: ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
 
+ - name: Admin API server ConfigMap
+ kubernetes.core.k8s:
+ kubeconfig: ~/.kube/config
+ namespace: "{{ NAMESPACE }}"
+ template: admin-api-server-configmap.yml.j2
+ apply: yes
+
+ - name: Admin API server Secret (from 1Password)
+ kubernetes.core.k8s:
+ kubeconfig: ~/.kube/config
+ namespace: "{{ NAMESPACE }}"
+ template: admin-api-server-onepassword.yml.j2
+ when: ONEPASSWORD_OPERATOR is defined and ONEPASSWORD_OPERATOR|bool
+
 - name: Admin API client secret (from 1Password)
 kubernetes.core.k8s:
 kubeconfig: ~/.kube/config
diff --git a/ansible/roles/schulcloud-server-core/templates/admin-api-server-configmap.yml.j2 b/ansible/roles/schulcloud-server-core/templates/admin-api-server-configmap.yml.j2
new file mode 100644
index 00000000000..5726812014d
--- /dev/null
+++ b/ansible/roles/schulcloud-server-core/templates/admin-api-server-configmap.yml.j2
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: admin-api-server-configmap
+ namespace: {{ NAMESPACE }}
+ labels:
+ app: api-admin
+data:
+ NODE_OPTIONS: "--max-old-space-size=3072"
+ NEST_LOG_LEVEL: "info"
+ ADMIN_API__PORT: "4030"
+ SC_DOMAIN: "{{ DOMAIN }}"
+ FEATURE_PROMETHEUS_METRICS_ENABLED: "true"
diff --git a/ansible/roles/schulcloud-server-core/templates/admin-api-server-deployment.yml.j2 b/ansible/roles/schulcloud-server-core/templates/admin-api-server-deployment.yml.j2
index ef0076fd15e..c0d911fb4ca 100644
--- a/ansible/roles/schulcloud-server-core/templates/admin-api-server-deployment.yml.j2
+++ b/ansible/roles/schulcloud-server-core/templates/admin-api-server-deployment.yml.j2
@@ -51,9 +51,9 @@ spec:
 protocol: TCP
 envFrom:
 - configMapRef:
- name: api-configmap
+ name: admin-api-server-configmap
 - secretRef:
- name: api-secret
+ name: admin-api-server-secret
 command: ['npm', 'run', 'nest:start:admin-api-server:prod']
 resources:
 limits:
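Review bot: The new "Admin API server Secret (from 1Password)" task is gated on `ONEPASSWORD_OPERATOR`, but the deployment hunk in this same commit references `admin-api-server-secret` through an unconditional `secretRef`, so on a cluster where the operator flag is unset the admin API pods cannot start because the secret never gets created (the old `api-secret` may have had the same gating; I cannot see that from here). Either the deployment task needs the same condition or a comment should state the assumption, e.g. `# admin-api-server-secret is only created when ONEPASSWORD_OPERATOR is enabled; the deployment's secretRef is mandatory`. Separately, the ConfigMap task uses `apply: yes`, which should be the canonical boolean `apply: true` to match the `true`/`false` style recommended for Ansible. The surrounding task list continues outside this hunk.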
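Review bot: `namespace: {{ NAMESPACE }}` in the new ConfigMap is the only templated scalar in this file left unquoted, while `SC_DOMAIN: "{{ DOMAIN }}"` two keys below is quoted; an empty expansion there renders to a bare `namespace:` and parses as null, so `namespace: "{{ NAMESPACE }}"` is the safer and consistent form. The `NODE_OPTIONS: "--max-old-space-size=3072"` heap cap only makes sense if it sits below the container memory limit set in the deployment template; that `limits:` block is outside the visible hunks, so please confirm the two agree, and consider a comment such as `# heap cap must stay below resources.limits.memory in admin-api-server-deployment.yml.j2`.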
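Review bot: Switching `configMapRef` from `api-configmap` to the dedicated `admin-api-server-configmap` silently drops every environment variable the admin API server previously inherited from the shared map that is not among the five keys now defined (NODE_OPTIONS, NEST_LOG_LEVEL, ADMIN_API__PORT, SC_DOMAIN, FEATURE_PROMETHEUS_METRICS_ENABLED); the commit message says the Rocket.Chat URI moved to the secret, but nothing on the page shows the rest of the old map was audited, so that is worth confirming before merge. Both `envFrom` entries remain mandatory (no `optional: true`), which is the right default for a secret carrying credentials since a missing secret then fails loudly at pod start rather than running with empty values. The enclosing container spec starts and ends outside this hunk.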
diff --git a/ansible/roles/schulcloud-server-core/templates/admin-api-server-onepassword.yml.j2 b/ansible/roles/schulcloud-server-core/templates/admin-api-server-onepassword.yml.j2
new file mode 100644
index 00000000000..8f5583bc122
--- /dev/null
+++ b/ansible/roles/schulcloud-server-core/templates/admin-api-server-onepassword.yml.j2
@@ -0,0 +1,9 @@
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+ name: admin-api-server-secret
+ namespace: {{ NAMESPACE }}
+ labels:
+ app: api-admin
+spec:
+ itemPath: "vaults/{{ ONEPASSWORD_OPERATOR_VAULT }}/items/admin-api-server"
diff --git a/ansible/roles/schulcloud-server-core/templates/admin-api-server-svc.yml.j2 b/ansible/roles/schulcloud-server-core/templates/admin-api-server-svc.yml.j2
index cde6dcef4cd..8a1c44c14cd 100644
--- a/ansible/roles/schulcloud-server-core/templates/admin-api-server-svc.yml.j2
+++ b/ansible/roles/schulcloud-server-core/templates/admin-api-server-svc.yml.j2
@@ -8,7 +8,7 @@ metadata:
 spec:
 type: ClusterIP
 ports:
- # port for http managing drawing data
+ # Admin API server port.
 - port: 4030
 targetPort: 4030
 protocol: TCP
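Review bot: The secret materialised from this OnePasswordItem is consumed by the deployment through `envFrom`, which is read once at container start, so rotating the `admin-api-server` item in 1Password will update the Kubernetes Secret but not the running pods until they are restarted; a comment in the template stating this, e.g. `# consumed via envFrom: pods must be restarted to pick up a rotated item`, would save the next operator a confusing incident. If the operator version in use supports its auto-restart annotation on the Deployment, that is the place to enable it rather than here. The item name `admin-api-server` inside `itemPath` is a hard dependency on the vault's content and should be documented alongside `ONEPASSWORD_OPERATOR_VAULT` in the role's variable documentation.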