refactor: add beat + celery deployments

k8s/beat.yaml

@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: beat
+spec:
+  replicas: 1
+  revisionHistoryLimit: 2
+  selector:
+    matchLabels:
+      app: beat
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: beat
+    spec:
+      securityContext:
+        runAsNonRoot: true
+      containers:
+        - name: beat
+          image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG"
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8000
+              name: http
+              protocol: TCP
+          volumeMounts:
+            - name: dt-vol
+              mountPath: /a
+            - name: dt-tmp
+              mountPath: /tmp
+            - name: dt-cfg
+              mountPath: /workspace/ietf/settings_local.py
+              subPath: settings_local.py
+          env:
+            - name: "CONTAINER_ROLE"
+              value: "beat"
+          envFrom:
+            - configMapRef:
+                name: django-config
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+            runAsUser: 1000
+            runAsGroup: 1000
+      volumes:
+        # To be overriden with the actual shared volume
+        - name: dt-vol
+        - name: dt-tmp
+          emptyDir:
+            sizeLimit: "2Gi"
+        - name: dt-cfg
+          configMap:
+            name: files-cfgmap
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30

k8s/celery.yaml

@@ -0,0 +1,80 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: celery
+spec:
+  replicas: 1
+  revisionHistoryLimit: 2
+  selector:
+    matchLabels:
+      app: celery
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: celery
+    spec:
+      securityContext:
+        runAsNonRoot: true
+      containers:
+        # -----------------------------------------------------
+        # ScoutAPM Container
+        # -----------------------------------------------------
+        - name: scoutapm
+          image: "scoutapp/scoutapm:version-1.4.0"
+          imagePullPolicy: IfNotPresent
+          livenessProbe:
+            exec:
+              command:
+                - "sh"
+                - "-c"
+                - "./core-agent probe --tcp 0.0.0.0:6590 | grep -q 'Agent found'"
+          securityContext:
+            readOnlyRootFilesystem: true
+            runAsUser: 65534 # "nobody" user by default
+            runAsGroup: 65534  # "nogroup" group by default
+        # -----------------------------------------------------
+        # Celery Container
+        # -----------------------------------------------------
+        - name: celery
+          image: "ghcr.io/ietf-tools/datatracker:$APP_IMAGE_TAG"
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8000
+              name: http
+              protocol: TCP
+          volumeMounts:
+            - name: dt-vol
+              mountPath: /a
+            - name: dt-tmp
+              mountPath: /tmp
+            - name: dt-cfg
+              mountPath: /workspace/ietf/settings_local.py
+              subPath: settings_local.py
+          env:
+            - name: "CONTAINER_ROLE"
+              value: "celery"
+          envFrom:
+            - configMapRef:
+                name: django-config
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+              - ALL
+            readOnlyRootFilesystem: true
+            runAsUser: 1000
+            runAsGroup: 1000
+      volumes:
+        # To be overriden with the actual shared volume
+        - name: dt-vol
+        - name: dt-tmp
+          emptyDir:
+            sizeLimit: "2Gi"
+        - name: dt-cfg
+          configMap:
+            name: files-cfgmap
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30

k8s/datatracker.yaml

@@ -52,6 +52,9 @@ spec:
             - name: dt-cfg
               mountPath: /workspace/ietf/settings_local.py
               subPath: settings_local.py
+          env:
+            - name: "CONTAINER_ROLE"
+              value: "datatracker"
           envFrom:
             - configMapRef:
                 name: django-config
@@ -77,84 +80,6 @@ spec:
       terminationGracePeriodSeconds: 30
 ---
 apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: django-config
-data:
-    # n.b., these are debug values / non-secret secrets
-  DATATRACKER_SERVER_MODE: "development"  # development for staging, production for production
-  DATATRACKER_ADMINS: |-
-    Robert Sparks <rjsparks@nostrum.com>
-    Ryan Cross <rcross@amsl.com>
-    Kesara Rathnayake <kesara@staff.ietf.org>
-    Jennifer Richards <jennifer@staff.ietf.org>
-    Nicolas Giard <nick@staff.ietf.org>
-  DATATRACKER_ALLOWED_HOSTS: ".ietf.org"  # newline-separated list also allowed
-  # DATATRACKER_DATATRACKER_DEBUG: "false"
-
-  # DB access details - needs to be filled in
-  # DATATRACKER_DBHOST: "db"
-  # DATATRACKER_DBPORT: "5432"
-  # DATATRACKER_DBNAME: "datatracker"
-  # DATATRACKER_DBUSER: "django"  # secret
-  # DATATRACKER_DBPASS: "RkTkDPFnKpko"  # secret
-
-  DATATRACKER_DJANGO_SECRET_KEY: "PDwXboUq!=hPjnrtG2=ge#N$Dwy+wn@uivrugwpic8mxyPfHk"  # secret
-
-  # Set this to point testing / staging at the production statics server until we
-  # sort that out
-  # DATATRACKER_STATIC_URL: "https://static.ietf.org/dt/12.10.0/"
-
-  # DATATRACKER_EMAIL_DEBUG: "true"
-
-  # Outgoing email details
-  # DATATRACKER_EMAIL_HOST: "localhost"  # defaults to localhost
-  # DATATRACKER_EMAIL_PORT: "2025"  # defaults to 2025
-
-  # The value here is the default from settings.py (i.e., not actually secret)
-  DATATRACKER_NOMCOM_APP_SECRET_B64: "m9pzMezVoFNJfsvU9XSZxGnXnwup6P5ZgCQeEnROOoQ="  # secret
-
-  DATATRACKER_IANA_SYNC_PASSWORD: "this-is-the-iana-sync-password"  # secret
-  DATATRACKER_RFC_EDITOR_SYNC_PASSWORD: "this-is-the-rfc-editor-sync-password"  # secret
-  DATATRACKER_YOUTUBE_API_KEY: "this-is-the-youtube-api-key"  # secret
-  DATATRACKER_GITHUB_BACKUP_API_KEY: "this-is-the-github-backup-api-key"  # secret
-
-  # API key configuration
-  DATATRACKER_API_KEY_TYPE: "ES265"
-  # secret - value here is the default from settings.py (i.e., not actually secret)
-  DATATRACKER_API_PUBLIC_KEY_PEM_B64: |-
-    Ci0tLS0tQkVHSU4gUFVCTElDIEtFWS0tLS0tCk1Ga3dFd1lIS29aSXpqMENBUVlJS
-    29aSXpqMERBUWNEUWdBRXFWb2pzYW9mREpTY3VNSk4rdHNodW15Tk01TUUKZ2Fyel
-    ZQcWtWb3ZtRjZ5RTdJSi9kdjRGY1YrUUtDdEovck9TOGUzNlk4WkFFVll1dWtoZXM
-    weVoxdz09Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=
-  # secret - value here is the default from settings.py (i.e., not actually secret)
-  DATATRACKER_API_PRIVATE_KEY_PEM_B64: |- 
-    Ci0tLS0tQkVHSU4gUFJJVkFURSBLRVktLS0tLQpNSUdIQWdFQU1CTUdCeXFHU000O
-    UFnRUdDQ3FHU000OUF3RUhCRzB3YXdJQkFRUWdvSTZMSmtvcEtxOFhySGk5ClFxR1
-    F2RTRBODNURllqcUx6KzhnVUxZZWNzcWhSQU5DQUFTcFdpT3hxaDhNbEp5NHdrMzY
-    yeUc2Ykkwemt3U0IKcXZOVStxUldpK1lYcklUc2duOTIvZ1Z4WDVBb0swbitzNUx4
-    N2ZwanhrQVJWaTY2U0Y2elRKblgKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
-
-  # DATATRACKER_MEETECHO_API_BASE: "https://meetings.conf.meetecho.com/api/v1/"
-  DATATRACKER_MEETECHO_CLIENT_ID: "this-is-the-meetecho-client-id"  # secret
-  DATATRACKER_MEETECHO_CLIENT_SECRET: "this-is-the-meetecho-client-secret"  # secret
-
-  # DATATRACKER_MATOMO_SITE_ID: "7"  # must be present to enable Matomo
-  # DATATRACKER_MATOMO_DOMAIN_PATH: "analytics.ietf.org"
-
-  CELERY_PASSWORD: "this-is-a-secret"  # secret
-
-  DATATRACKER_APP_API_TOKENS_JSON: "{}"  # secret 
-
-  # use this to override default - one entry per line
-  # DATATRACKER_CSRF_TRUSTED_ORIGINS: |-
-  #   https://datatracker.staging.ietf.org
-
-  # Scout configuration
-  DATATRACKER_SCOUT_KEY: "this-is-the-scout-key"
-  DATATRACKER_SCOUT_NAME: "StagingDatatracker"
----
-apiVersion: v1
 kind: Service
 metadata:
   name: datatracker

k8s/django-config.yaml

@@ -0,0 +1,77 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: django-config
+data:
+    # n.b., these are debug values / non-secret secrets
+  DATATRACKER_SERVER_MODE: "development"  # development for staging, production for production
+  DATATRACKER_ADMINS: |-
+    Robert Sparks <rjsparks@nostrum.com>
+    Ryan Cross <rcross@amsl.com>
+    Kesara Rathnayake <kesara@staff.ietf.org>
+    Jennifer Richards <jennifer@staff.ietf.org>
+    Nicolas Giard <nick@staff.ietf.org>
+  DATATRACKER_ALLOWED_HOSTS: ".ietf.org"  # newline-separated list also allowed
+  # DATATRACKER_DATATRACKER_DEBUG: "false"
+
+  # DB access details - needs to be filled in
+  # DATATRACKER_DBHOST: "db"
+  # DATATRACKER_DBPORT: "5432"
+  # DATATRACKER_DBNAME: "datatracker"
+  # DATATRACKER_DBUSER: "django"  # secret
+  # DATATRACKER_DBPASS: "RkTkDPFnKpko"  # secret
+
+  DATATRACKER_DJANGO_SECRET_KEY: "PDwXboUq!=hPjnrtG2=ge#N$Dwy+wn@uivrugwpic8mxyPfHk"  # secret
+
+  # Set this to point testing / staging at the production statics server until we
+  # sort that out
+  # DATATRACKER_STATIC_URL: "https://static.ietf.org/dt/12.10.0/"
+
+  # DATATRACKER_EMAIL_DEBUG: "true"
+
+  # Outgoing email details
+  # DATATRACKER_EMAIL_HOST: "localhost"  # defaults to localhost
+  # DATATRACKER_EMAIL_PORT: "2025"  # defaults to 2025
+
+  # The value here is the default from settings.py (i.e., not actually secret)
+  DATATRACKER_NOMCOM_APP_SECRET_B64: "m9pzMezVoFNJfsvU9XSZxGnXnwup6P5ZgCQeEnROOoQ="  # secret
+
+  DATATRACKER_IANA_SYNC_PASSWORD: "this-is-the-iana-sync-password"  # secret
+  DATATRACKER_RFC_EDITOR_SYNC_PASSWORD: "this-is-the-rfc-editor-sync-password"  # secret
+  DATATRACKER_YOUTUBE_API_KEY: "this-is-the-youtube-api-key"  # secret
+  DATATRACKER_GITHUB_BACKUP_API_KEY: "this-is-the-github-backup-api-key"  # secret
+
+  # API key configuration
+  DATATRACKER_API_KEY_TYPE: "ES265"
+  # secret - value here is the default from settings.py (i.e., not actually secret)
+  DATATRACKER_API_PUBLIC_KEY_PEM_B64: |-
+    Ci0tLS0tQkVHSU4gUFVCTElDIEtFWS0tLS0tCk1Ga3dFd1lIS29aSXpqMENBUVlJS
+    29aSXpqMERBUWNEUWdBRXFWb2pzYW9mREpTY3VNSk4rdHNodW15Tk01TUUKZ2Fyel
+    ZQcWtWb3ZtRjZ5RTdJSi9kdjRGY1YrUUtDdEovck9TOGUzNlk4WkFFVll1dWtoZXM
+    weVoxdz09Ci0tLS0tRU5EIFBVQkxJQyBLRVktLS0tLQo=
+  # secret - value here is the default from settings.py (i.e., not actually secret)
+  DATATRACKER_API_PRIVATE_KEY_PEM_B64: |- 
+    Ci0tLS0tQkVHSU4gUFJJVkFURSBLRVktLS0tLQpNSUdIQWdFQU1CTUdCeXFHU000O
+    UFnRUdDQ3FHU000OUF3RUhCRzB3YXdJQkFRUWdvSTZMSmtvcEtxOFhySGk5ClFxR1
+    F2RTRBODNURllqcUx6KzhnVUxZZWNzcWhSQU5DQUFTcFdpT3hxaDhNbEp5NHdrMzY
+    yeUc2Ykkwemt3U0IKcXZOVStxUldpK1lYcklUc2duOTIvZ1Z4WDVBb0swbitzNUx4
+    N2ZwanhrQVJWaTY2U0Y2elRKblgKLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=
+
+  # DATATRACKER_MEETECHO_API_BASE: "https://meetings.conf.meetecho.com/api/v1/"
+  DATATRACKER_MEETECHO_CLIENT_ID: "this-is-the-meetecho-client-id"  # secret
+  DATATRACKER_MEETECHO_CLIENT_SECRET: "this-is-the-meetecho-client-secret"  # secret
+
+  # DATATRACKER_MATOMO_SITE_ID: "7"  # must be present to enable Matomo
+  # DATATRACKER_MATOMO_DOMAIN_PATH: "analytics.ietf.org"
+
+  CELERY_PASSWORD: "this-is-a-secret"  # secret
+
+  DATATRACKER_APP_API_TOKENS_JSON: "{}"  # secret 
+
+  # use this to override default - one entry per line
+  # DATATRACKER_CSRF_TRUSTED_ORIGINS: |-
+  #   https://datatracker.staging.ietf.org
+
+  # Scout configuration
+  DATATRACKER_SCOUT_KEY: "this-is-the-scout-key"
+  DATATRACKER_SCOUT_NAME: "StagingDatatracker"

k8s/kustomization.yaml

@@ -5,6 +5,9 @@ configMapGenerator:
     files:
       - settings_local.py
 resources:
+  - beat.yaml
+  - celery.yaml
   - datatracker.yaml
+  - django-config.yaml
   - memcached.yaml
   - rabbitmq.yaml

k8s/memcached.yaml

@@ -1,3 +1,42 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: memcached
+spec:
+  replicas: 1
+  revisionHistoryLimit: 2
+  serviceName: memcached
+  selector:
+    matchLabels:
+      app: memcached
+  template:
+    metadata:
+      labels:
+        app: memcached
+    spec:
+      securityContext:
+        runAsNonRoot: true
+      containers:
+        - image: "memcached:1.6-alpine"
+          imagePullPolicy: IfNotPresent
+          args: ["-m", "1024"]
+          name: memcached
+          ports:
+            - name: memcached
+              containerPort: 11211
+              protocol: TCP
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            readOnlyRootFilesystem: true
+            # memcached image sets up uid/gid 11211
+            runAsUser: 11211
+            runAsGroup: 11211
+      dnsPolicy: ClusterFirst
+      restartPolicy: Always
+      terminationGracePeriodSeconds: 30
 ---
 apiVersion: v1
 kind: Service