起動時にbleveのインデックスを貼るように変更 #32

merged 8 commits into from
Apr 27, 2024
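--- a/kubernetes/mattermost/external-secret.yml
+++ b/kubernetes/mattermost/external-secret.yml
@@ -0,0 +1,34 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: gcp-secret-mattermost-config
+namespace: mattermost
+spec:
+refreshInterval: 1h
+secretStoreRef:
+kind: ClusterSecretStore
+name: gcp-secret-store
+target:
+name: gcp-secret-config
+creationPolicy: Owner
+data:
+- secretKey: config.json
+remoteRef:
+key: mattermost-config
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: gcp-secret-mattermost-env
+namespace: mattermost
+spec:
+refreshInterval: 1h
+secretStoreRef:
+kind: ClusterSecretStore
+name: gcp-secret-store
+target:
+name: gcp-secret-env
+creationPolicy: Owner
+dataFrom:
+- extract:
+key: mattermost-env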
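Review bot: Neither `remoteRef` (`key: mattermost-config` on the `data` item, `key: mattermost-env` under `dataFrom`) names a `version`, so with `refreshInterval: 1h` the operator follows whichever enabled Secret Manager version is newest and rolls it into the cluster within an hour of someone adding a version, with no trace in this repository. If that is the intent, a comment above `refreshInterval` should say so, e.g. `# follows the latest Secret Manager version; rotate by adding a version, the Secret is refreshed within 1h`; otherwise pin `version: "<version-id>"` under each `remoteRef` and change it through review. Note that `config.json` is projected whole, so the config Secret carries the entire Mattermost configuration file, not only the credentials in it.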
11,953 changes: 11,953 additions & 0 deletions kubernetes/mattermost/external-secrets-operator.yml

Large diffs are not rendered by default.

26 changes: 21 additions & 5 deletions kubernetes/mattermost/mattermost.yml
Expand Up @@ -23,6 +23,8 @@ spec:
securityContext:
fsGroup: 2000
serviceAccountName: mattermost-primary
readinessGates:
- conditionType: bleve-ready
initContainers:
- name: secret-placer
image: gcr.io/google.com/cloudsdktool/cloud-sdk:latest
Expand All @@ -39,6 +41,12 @@ spec:
- name: mattermost
image: mattermost/mattermost-team-edition:release-9.1
imagePullPolicy: Always
env:
- name: MATTERMOST_TOKEN
valueFrom:
secretKeyRef:
name: gcp-secret-env
key: MATTERMOST_TOKEN
ports:
- name: http
containerPort: 8000
Expand All @@ -50,6 +58,14 @@ spec:
requests:
cpu: 500m
memory: 2Gi
lifecycle:
postStart:
exec:
command: [
"/usr/bin/bash",
"-c",
'(max_retries=60; retry_delay=10; retries=0; result=1; while [[ $retries -lt $max_retries && $result -ne 0 ]]; do ((retries++)); echo "retry $retries/$max_retries..."; curl http://localhost:8000/api/v4/system/ping -s; result=$?; if [[ $result -ne 0 ]]; then echo "retry"; sleep $retry_delay; fi; done; if [[ $result -ne 0 ]]; then echo "startup timeout";exit 1;fi;echo "ping success"; response=$(curl -s -i -H "Authorization: Bearer $MATTERMOST_TOKEN" http://localhost:8000/api/v4/jobs -X POST -d ''{"type":"bleve_post_indexing"}'' | grep bleve_post_indexing);if [[ "$response" == "" ]]; then echo "failed to create job";echo "$response" exit 1;fi;echo "job created"; max_retries=864; retry_delay=10; retries=0; result=""; while [[ $retries -lt $max_retries && "$result" == "" ]]; do ((retries++)); echo "wait for index $retries/$max_retries..."; response=$(curl -s "http://localhost:8000/api/v4/jobs/type/bleve_post_indexing?page=0&per_page=1" -H "Authorization: Bearer $MATTERMOST_TOKEN" | grep success); result=$response; if [[ "$result" == "" ]]; then echo "index not completed"; sleep $retry_delay; fi; done; if [[ "$result" == "" ]]; then echo "index timeout"; exit 1;else echo "index success"; fi; curl -s https://kubernetes.default.svc/api/v1/namespaces/$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)/pods/$(hostname)/status -X PATCH -H "Content-Type: application/json-patch+json" -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" -d ''[{"op": "add", "path": "/status/conditions/-", "value": {"type": "bleve-ready", "status": "True", "lastTransitionTime": "2018-10-16T06:59:45Z", "lastProbeTime": null}}]'' -k) > /var/tmp/post-start.log 2>&1'
]
readinessProbe:
timeoutSeconds: 5
periodSeconds: 5
Expand All @@ -74,14 +90,14 @@ spec:
volumeMounts:
- name: config
mountPath: /mattermost/config/
- name: bleve-cache
- name: bleve
mountPath: /mattermost/bleve/
volumes:
- name: config
emptyDir: {}
- name: bleve
emptyDir:
sizeLimit: 2Gi
- name: secret
secret:
secretName: secret-configs
- name: bleve-cache
persistentVolumeClaim:
claimName: mattermost-bleve-pvc
secretName: gcp-secret-config
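Review bot: The apiserver PATCH at the end of the `postStart` command under `lifecycle` disables TLS verification with `-k` although the cluster CA is mounted next to the token it already reads; use `--cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt` instead of `-k`. In the same command `echo "$response" exit 1;` is missing a `;` before `exit 1`, so when job creation fails the hook prints `exit 1` and continues into the 864×10 s wait loop instead of failing; write `echo "$response"; exit 1;`. The ping loop runs `curl -s` without `-f`, so any HTTP reply, including an error status, ends the wait, which looks unintended given the retry logic — `curl -sf` matches it. The status patch also requires the `mattermost-primary` ServiceAccount to hold `patch` on `pods/status` via a Role/RoleBinding scoped to the `mattermost` namespace; nothing in this PR adds that, so confirm it exists elsewhere, and the hard-coded `lastTransitionTime` of 2018 will mislead anyone reading the pod's conditions. As a point of style, a ~1.5 kB single-quoted one-liner inside a flow list is very hard to review; the same script as a `|-` block-scalar item of `command` would give each step its own line (the containers section continues outside the hunk).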
12 changes: 0 additions & 12 deletions kubernetes/mattermost/pvc.yml

This file was deleted.

8 changes: 8 additions & 0 deletions kubernetes/mattermost/sa.yaml
Expand Up @@ -5,3 +5,11 @@ metadata:
name: mattermost-primary
annotations:
iam.gke.io/gcp-service-account: "[email protected]"
---
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: mattermost
name: secret-mattermost-primary
annotations:
iam.gke.io/gcp-service-account: "[email protected]"
8 changes: 0 additions & 8 deletions kubernetes/mattermost/secret-configs.yml

This file was deleted.

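--- a/kubernetes/mattermost/secret-store.yml
+++ b/kubernetes/mattermost/secret-store.yml
@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+name: gcp-secret-store
+namespace: mattermost
+spec:
+provider:
+gcpsm:
+projectID: mitou-jr
+auth:
+workloadIdentity:
+clusterLocation: asia-northeast1
+clusterName: primary-cluster
+clusterProjectID: primary-cluster
+serviceAccountRef:
+name: secret-mattermost-primary
+namespace: mattermost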
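Review bot: `clusterProjectID: primary-cluster` repeats the cluster name, while the project everywhere else in this PR is `mitou-jr` (`projectID` a few lines above and `project_id` in terraform/basic/uptime-check.tf); if the cluster lives in that project the line should read `clusterProjectID: mitou-jr`, otherwise the Workload Identity token exchange cannot succeed. `ClusterSecretStore` is cluster-scoped, so `namespace: mattermost` under `metadata` is ignored by the API server and can be dropped. Without `spec.conditions`, an ExternalSecret in any namespace of the cluster may reference this store and read through the same GSA; limiting it to the one namespace that needs it is a three-line addition under `spec`: `conditions:` / `- namespaces:` / `- mattermost`.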
8 changes: 4 additions & 4 deletions terraform/basic/uptime-check.tf
@@ -1,5 +1,5 @@
resource "google_monitoring_uptime_check_config" "https_check" {
provider = google-beta
provider = google-beta
display_name = "Health check for Mattermost server"
timeout = "10s"
period = "60s"
Expand All @@ -23,7 +23,7 @@ resource "google_monitoring_uptime_check_config" "https_check" {
type = "uptime_url"
labels = {
project_id = "mitou-jr"
host = "mattermost.jr.mitou.org" # 監視対象のホスト名またはIPアドレスを記載します
host = "mattermost.jr.mitou.org" # 監視対象のホスト名またはIPアドレスを記載します
}
}

Expand All @@ -45,7 +45,7 @@ resource "google_monitoring_alert_policy" "https_check_alert" {
# filter に 稼働時間チェックの指標を指定して、関連づけています。
filter = "resource.type = \"uptime_url\" AND metric.type = \"monitoring.googleapis.com/uptime_check/check_passed\" AND metric.labels.check_id = \"${google_monitoring_uptime_check_config.https_check.uptime_check_id}\""
duration = "0s"
threshold_value = 1 # 失敗が1回より多くなったときにアラートを通知
threshold_value = 1 # 失敗が1回より多くなったときにアラートを通知
comparison = "COMPARISON_GT"
aggregations {
alignment_period = "1200s"
Expand All @@ -63,7 +63,7 @@ resource "google_monitoring_alert_policy" "https_check_alert" {
google_monitoring_notification_channel.default.id,
google_monitoring_notification_channel.email.id
]
enabled = true
enabled = true

depends_on = [
google_monitoring_uptime_check_config.https_check
23 changes: 18 additions & 5 deletions terraform/iam/iam.tf
Expand Up @@ -30,6 +30,11 @@ locals {
gsa = "${google_service_account.wi-mattermost-primary.name}",
ksa_namespace = "mattermost",
ksa_name = "mattermost-primary"
},
{
gsa = "${google_service_account.wi-secret-mattermost-primary.name}",
ksa_namespace = "mattermost",
ksa_name = "secret-mattermost-primary"
}
]
}
Expand Down Expand Up @@ -64,9 +69,9 @@ resource "google_project_iam_binding" "iam-binding-iam-applier" {
}

resource "google_project_iam_binding" "iam-binding-k8s-operation" {
role = "roles/container.developer"
project = "mitou-jr"
members = local.admin-access
role = "roles/container.developer"
project = "mitou-jr"
members = local.admin-access
}

variable "basic-sa-iam-roles" {
Expand Down Expand Up @@ -103,9 +108,17 @@ resource "google_service_account_iam_binding" "wi-bindings" {
}

resource "google_project_iam_binding" "monitoring-pubsub" {
role = "roles/pubsub.publisher"
project = "mitou-jr"
role = "roles/pubsub.publisher"
project = "mitou-jr"
members = [
"serviceAccount:service-233207969476@gcp-sa-monitoring-notification.iam.gserviceaccount.com"
]
}

resource "google_service_account_iam_binding" "secret-manager" {
service_account_id = google_service_account.wi-secret-mattermost-primary.id
role = "roles/secretmanager.secretAccessor"
members = [
"serviceAccount:mitou-jr.svc.id.goog[mattermost/mattermost-primary]"
]
}
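Review bot: The new `secret-manager` binding attaches `roles/secretmanager.secretAccessor` to the `wi-secret-mattermost-primary` service account resource, which does not grant that account access to any secret — Secret Manager roles take effect on a secret or the project — and its member is the `mattermost-primary` KSA identity rather than the GSA that kubernetes/mattermost/secret-store.yml authenticates as through `secret-mattermost-primary` (whose Workload Identity user binding presumably already comes from the `locals` entry added at the top of this file, if `wi-bindings` iterates that list; its body is outside this hunk). A resource like the one below instead grants the GSA read access to exactly the two secrets the ExternalSecrets reference, which is the least-privilege shape. `google_service_account_iam_binding` and `google_project_iam_binding` are authoritative for their role and remove any other member, so `_iam_member` is the safer form for a single grant.
```hcl
resource "google_secret_manager_secret_iam_member" "secret-manager" {
  for_each  = toset(["mattermost-config", "mattermost-env"])
  project   = "mitou-jr"
  secret_id = each.value
  role      = "roles/secretmanager.secretAccessor"
  member    = "serviceAccount:${google_service_account.wi-secret-mattermost-primary.email}"
}
```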
7 changes: 6 additions & 1 deletion terraform/iam/sa.tf
Expand Up @@ -17,4 +17,9 @@ resource "google_service_account" "sa-ga-planner" {
resource "google_service_account" "wi-mattermost-primary" {
account_id = "wi-mattermost-primary"
display_name = "Mattermostのワークロードで使うWorkload Identity"
}
}

resource "google_service_account" "wi-secret-mattermost-primary" {
account_id = "wi-secret-mattermost-primary"
display_name = "MattermostのExternalSecretOperatorで使うWorkload Identity"
}