canonical / konf Goto Github PK

View Code? Open in Web Editor NEW

8.0 11.0 7.0 65 KB

Repository for the Konf snap - https://snapcraft.io/konf

License: GNU Lesser General Public License v2.1

Python 65.88% Shell 34.12%

web-and-design

konf's Introduction

Kubernetes configs for canonical websites

This repository contains the configuration files the Kubernetes deployments for some of our websites.

We are using jinja2 as a template system for our configurations. All the template values for our projects can be found under the sites folder.

Structure

We deploy our services into one of two namespaces:

staging: Services for our staging servers (there's usually one per production website)
production: Services for our production servers

Template system

All configurations for our projects can be found under the sites folder. Using the konf.py script, we generate the following Kubernetes objects:

service
deployment
ingress

E.g.:

./konf.py staging sites/canonical.com.yaml

Deploying

Using create-project

When creating a new project, you can either copy an existing projects values file and modify the file as you want. Here is a document explaining all the possibles values:

Values file manual

Or use ./create-project. To auto-generate the files for a new project. Run ./create-project project.name and the tool will create the config files for you.

For example: ./create-project new-site.com

Will create:

/sites/new-site.com.yaml

To deploy a new service

E.g. to deploy the snapcraft.io service to staging from scratch:

# E.g. To deploy the snapcraft.io services to staging
./konf.py staging sites/snapcraft.io.yaml | kubectl apply --filename -

E.g. to deploy a specific docker image

# E.g. To deploy the snapcraft.io services to staging
./konf.py staging sites/snapcraft.io.yaml --tag a264efb326485 | kubectl apply --filename -

To update an existing service

Or to update an existing snapcraft.io service without changing the deployed image:

# E.g. for snapcraft.io
TAG_TO_DEPLOY=$(kubectl get deployment snapcraft-io --namespace staging -o jsonpath="{.spec.template.spec.containers[*].image}" | grep -P -o '(?<=:)[^:]*$')

./konf.py staging sites/snapcraft.io.yaml --tag $TAG_TO_DEPLOY | kubectl apply --filename -

konf's People

Contributors

Stargazers

Watchers

Forkers

jkfran jpmartinspt tbille goulinkh albertkol nottrobin

konf's Issues

Add extra metadata to container spec

We need to add extra metadata to a container spec, is there a way to easily do this with konf.

In our case for a reason when pods get generated they don't use the only docker creds available, I had to add an extra parameter:

          imagePullSecrets:
          - name: regcred

Overridden ENVs getting filtered out incorrectly

Some override envs are missing, here is an example that illustrates the problem:

# Override demo
demo:
  env:
    - name: WORKPLACE_ENGINEERING_DATABASE_URL
      secretKeyRef:
        key: workplace_engineering_database_url
        name: hiring-com

This is getting filtered out because it container the keyword DATABASE_URL in the name.

Not working for new versions of Microk8s

Investigate issue with demos

sudo snap install konf --edge is causing a redirection with demos so we can't release to stable

Add a namespace for cronjobs

In our team we have a custom namespace: automation. Currently konf limits the namespaces to we can deploy to (staging, production and demo)

Could we add the possibility to add custom namespaces to konf so we can use konf to deploy to our cool namespaces :)

Support for Ubuntu security API

We need to add new Ingress rule for ubuntu.com for a service that will be using an external Docker image. Currently this is not supported.

I think the best approach will be to add new property for routes, like independent: true.

In the konf file for ubuntu.com it will be something like:

  routes:
    - paths: [/security-api]
      name: security-api
      independent: true

Konf modifications:

We add a condition to skip the Service and Deployment objects for routes with independent: true. That should be done here between line 4 and 5 with {% if not independent %}:
https://github.com/canonical-web-and-design/konf/blob/849f537cf69dfa5219e5611e97c72ab3c97fe6a8/templates/site.yaml#L4-L8
And
https://github.com/canonical-web-and-design/konf/blob/849f537cf69dfa5219e5611e97c72ab3c97fe6a8/templates/site.yaml#L14-L18
We add a --no-ingress argument for konf.py that will be used for another if statement here:
https://github.com/canonical-web-and-design/konf/blob/849f537cf69dfa5219e5611e97c72ab3c97fe6a8/templates/site.yaml#L21

I think this way is a good aproach to continue using the konf snap for both services.

Build snap broken

Build the snap locally and run any command.

python3: /lib/x86_64-linux-gnu/libm.so.6: version `GLIBC_2.29' not found (required by python3)
python3: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.28' not found (required by python3)

Ingress version "networking.k8s.io/v1beta1" is broken on k8s version v1.20+

PS5 and WPE k8s clusters have more up to date versions so konf output isn't accepted anymore by k8s.
I had to replace this part from the output manually:

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: undefined

Domain sharing same TLS cert should use same K8s secret

Origin: https://chat.canonical.com/canonical/pl/qkepzrxcw3rk98dj3q19dw1j4r

font.ubuntu.com
www.font.ubuntu.com

Those 2 domains share the same TLS certificate but use different secrets. This involved an issue because when expired, one secret was updated but not the other.

We should find a way to share the same k8s secret between domains that share the same TLS cert. This will help renewing certificates in only one place.