Luca
468d4562c7
Toolkit per deployare/aggiornare un tenant LoginMaster su qualsiasi Kubernetes (EKS/AKS/DOKS/Scaleway/vSphere/...). Contiene: - deploy.sh: bootstrap di un nuovo tenant (idempotente, re-run protection, storage class auto-rilevata, prompt separati api/admin tag, generazione segreti crittografici via openssl rand). - update.sh: rolling update zero-downtime con tag api/admin separati, rollback hint via 'kubectl rollout undo', riapplicazione opzionale del ConfigMap. - templates/: 8 manifest parametrici (envsubst): namespace, cert-manager TLS Mongo, NetworkPolicy intra-namespace, ConfigMap, MongoDB StatefulSet 3 repliche con TLS interno + initContainer per keyfile/PEM, tenant-api Deployment 2 repliche con CA validation, tenant-admin, ingress nginx + Let's Encrypt. Sicurezza: TLS interno Mongo (cert-manager CA self-signed 10y), keyFile per auth replica set, password client mai in argv, NetworkPolicy che isola il tenant, pod Mongo non-root (uid 999) con initContainer come root per i file runtime in tmpfs.
112 lines
2.7 KiB
YAML
112 lines
2.7 KiB
YAML
apiVersion: v1
|
|
kind: Service
|
|
metadata:
|
|
name: tenant-api
|
|
namespace: ${NAMESPACE}
|
|
spec:
|
|
selector:
|
|
app: tenant-api
|
|
ports:
|
|
- port: 3000
|
|
targetPort: 3000
|
|
---
|
|
apiVersion: apps/v1
|
|
kind: Deployment
|
|
metadata:
|
|
name: tenant-api
|
|
namespace: ${NAMESPACE}
|
|
spec:
|
|
replicas: 2
|
|
strategy:
|
|
type: RollingUpdate
|
|
rollingUpdate:
|
|
maxSurge: 1
|
|
maxUnavailable: 0
|
|
selector:
|
|
matchLabels:
|
|
app: tenant-api
|
|
template:
|
|
metadata:
|
|
labels:
|
|
app: tenant-api
|
|
spec:
|
|
imagePullSecrets:
|
|
- name: registry-codebaker
|
|
containers:
|
|
- name: tenant-api
|
|
image: hub.codebaker.it/loginmaster-tenant/api-tenant:${IMAGE_TAG_API}
|
|
ports:
|
|
- containerPort: 3000
|
|
envFrom:
|
|
- configMapRef:
|
|
name: tenant-api-config
|
|
env:
|
|
- name: MONGODB_URI
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: mongodb-tenant-auth
|
|
key: MONGODB_URI
|
|
- name: MASTER_ENCRYPTION_KEY
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: tenant-api-secrets
|
|
key: MASTER_ENCRYPTION_KEY
|
|
- name: SMTP_PASSWORD
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: tenant-api-secrets
|
|
key: SMTP_PASSWORD
|
|
volumeMounts:
|
|
- name: mongo-ca
|
|
mountPath: /etc/mongo-tls
|
|
readOnly: true
|
|
resources:
|
|
requests:
|
|
cpu: 100m
|
|
memory: 256Mi
|
|
limits:
|
|
cpu: 500m
|
|
memory: 512Mi
|
|
startupProbe:
|
|
httpGet:
|
|
path: /health
|
|
port: 3000
|
|
initialDelaySeconds: 5
|
|
periodSeconds: 5
|
|
failureThreshold: 30
|
|
readinessProbe:
|
|
httpGet:
|
|
path: /health
|
|
port: 3000
|
|
periodSeconds: 10
|
|
timeoutSeconds: 3
|
|
failureThreshold: 3
|
|
livenessProbe:
|
|
httpGet:
|
|
path: /health
|
|
port: 3000
|
|
periodSeconds: 20
|
|
timeoutSeconds: 5
|
|
failureThreshold: 3
|
|
volumes:
|
|
- name: mongo-ca
|
|
secret:
|
|
# Solo la ca.crt dal Secret cert-manager; il cert di servizio non serve
|
|
# all'API (non fa mTLS, valida solo il server).
|
|
secretName: mongodb-tenant-tls
|
|
items:
|
|
- key: ca.crt
|
|
path: ca.crt
|
|
defaultMode: 0444
|
|
---
|
|
apiVersion: policy/v1
|
|
kind: PodDisruptionBudget
|
|
metadata:
|
|
name: tenant-api-pdb
|
|
namespace: ${NAMESPACE}
|
|
spec:
|
|
minAvailable: 1
|
|
selector:
|
|
matchLabels:
|
|
app: tenant-api
|