nycmeshnet · james-otten · Apr 27, 2024 · Apr 28, 2024 · Apr 28, 2024 · Apr 28, 2024
diff --git a/.github/workflows/checkov.yaml b/.github/workflows/checkov.yaml
@@ -3,6 +3,8 @@ name: Checkov
 on:
   push:
     branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
   workflow_dispatch:
 
 permissions: read-all
@@ -24,14 +26,14 @@ jobs:
         id: checkov
         uses: bridgecrewio/checkov-action@0549dc60bddd4c55cb85c6c3a07072e3cf2ca48e
         with:
-          skip_check: CKV_DOCKER_2,CKV_DOCKER_3
+          skip_check: CKV_DOCKER_2,CKV_DOCKER_3,CKV_SECRET_6
           quiet: true
           output_format: cli,sarif
           output_file_path: console,results.sarif
           download_external_modules: true
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@d39d31e687223d841ef683f52467bd88e9b21c14 # v3
         if: success() || failure()
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/helm_lint.yaml b/.github/workflows/helm_lint.yaml
@@ -0,0 +1,47 @@
+name: Lint and Test Chart
+
+on: pull_request
+
+permissions: read-all
+
+jobs:
+  lint-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Set up Helm
+        uses: azure/setup-helm@20d2b4f98d41febe2bbca46408499dbb535b6258 # v3
+        with:
+          version: v3.14.0
+
+      - uses: actions/setup-python@v4
+        with:
+          python-version: '3.12'
+          check-latest: true
+
+      - name: Set up chart-testing
+        uses: helm/chart-testing-action@e6669bcd63d7cb57cb4380c33043eebe5d111992 # v2.6.1
+
+      - name: Run chart-testing (list-changed)
+        id: list-changed
+        run: |
+          changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
+          if [[ -n "$changed" ]]; then
+            echo "changed=true" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Run chart-testing (lint)
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct lint --target-branch ${{ github.event.repository.default_branch }}
+
+      - name: Create kind cluster
+        if: steps.list-changed.outputs.changed == 'true'
+        uses: helm/[email protected]
+
+      - name: Run chart-testing (install)
+        if: steps.list-changed.outputs.changed == 'true'
+        run: ct install --target-branch ${{ github.event.repository.default_branch }}
diff --git a/.github/workflows/publish-and-deploy.yaml b/.github/workflows/publish-and-deploy.yaml
@@ -51,3 +51,19 @@ jobs:
         if_key_exists: fail # replace / ignore / fail; optional (defaults to fail)
     - name: Pull new Docker image
       run: ssh ${{ secrets.GRANDSVC_SSH_TARGET }} "cd ${{ secrets.GRANDSVC_PROJECT_PATH }} && git pull && docker compose pull && docker compose up -d"
+
+  deploy_to_dev0:
+    name: Deploy to dev0
+    needs: push_to_registry
+    runs-on: ubuntu-latest
+    steps:
+    - name: Install SSH key
+      uses: shimataro/ssh-key-action@d4fffb50872869abe2d9a9098a6d9c5aa7d16be4 # v2
+      with:
+        key: ${{ secrets.DEV0_KEY }}
+        name: id_ed25519 # optional
+        known_hosts: ${{ secrets.DEV0_KNOWN_HOSTS }}
+        #config: ${{ secrets.CONFIG }} # ssh_config; optional
+        if_key_exists: fail # replace / ignore / fail; optional (defaults to fail)
+    - name: Pull new Docker image
+      run: ssh ${{ secrets.DEV0_SSH_TARGET }} "cd ${{ secrets.DEV0_PROJECT_PATH }} && git pull && cd infra/helm/meshdb && helm template . -f ../../../../values.yaml -f  ../../../../secret.values.yaml | kubectl apply -f -"
diff --git a/infra/.gitignore b/infra/.gitignore
@@ -0,0 +1,36 @@
+# Local .terraform directories
+**/.terraform/*
+
+# .tfstate files
+*.tfstate
+*.tfstate.*
+
+# Crash log files
+crash.log
+crash.*.log
+
+# Exclude all .tfvars files, which are likely to contain sensitive data, such as
+# password, private keys, and other secrets. These should not be part of version 
+# control as they are data points which are potentially sensitive and subject 
+# to change depending on the environment.
+*.tfvars
+*.tfvars.json
+
+# Ignore override files as they are usually used to override resources locally and so
+# are not checked in
+override.tf
+override.tf.json
+*_override.tf
+*_override.tf.json
+
+# Include override files you do wish to add to version control using negated pattern
+# !example_override.tf
+
+# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan
+# example: *tfplan*
+
+# Ignore CLI configuration files
+.terraformrc
+terraform.rc
+
+.terraform.lock.hcl
diff --git a/infra/README.md b/infra/README.md
@@ -0,0 +1,72 @@
+# Meshdb Environment Setup
+
+These instructions will set up a 4 node k3s cluster on proxmox.
+- 1 "manager" node for control plane and to be used for deployments.
+- 3 "agent" nodes to run services.
+
+1. Clone this repository
+
+2. Set up tfvars. See [proxmox provider](https://registry.terraform.io/providers/Telmate/proxmox/latest/docs). Create an API key in Proxmox, and disable Privilege Separation.
+```
+cd meshdb/infra/tf/
+cp example.tfvars your_env.tfvars
+# Modify your_env.tfvars to meet your needs
+bash gen_ssh_key.sh dev0
+```
+
+3. Create the k3s cluster
+```
+terraform init -var-file=your_env.tfvars
+terraform plan -var-file=your_env.tfvars
+terraform apply -var-file=your_env.tfvars
+```
+
+4. Setup ansible, build the inventory, run the playbook using the keyfile generated in 2.
+```
+cd meshdb/infra/ansible
+ansible-galaxy collection install cloud.terraform
+ansible-playbook -i inventory.yaml install_packages.yaml -v --key-file ../tf/meshdbdev0
+ansible-playbook -i inventory.yaml k8s_lb.yaml -v --key-file ../tf/meshdbdev0
+```
+
+<!-- 5. Install the `meshdb-cluster` chart.
+
+```
+cd meshdb/infra/helm/meshdb-cluster
+# Modify values.yaml to meet your needs
+helm template . -f values.yaml > meshdb-cluster.yaml
+kubectl apply -f meshdb-cluster.yaml
+``` -->
+
+5. Create and update values + secrets in `values.yaml` and `secret.values.yaml`
+
+
+```
+cd meshdb/infra/helm/meshdb/
+cp example.secret.values.yaml secret.values.yaml
+cp example.values.yaml values.yaml
+nano secret.values.yaml
+nano values.yaml
+```
+
+6. Render the helm chart
+
+<!--TODO: Use helm install for everything-->
+<!-- helm install --kubeconfig='../../tf/k3s.yaml' -f values.yaml -f secret.values.yaml meshdb ./ -->
+
+```
+cd meshdb/infra/helm/meshdb
+helm template . -f values.yaml -f secret.values.yaml > meshdb.yaml
+```
+
+<!--TODO: Have helm create NS and update instns to kubectl apply file-->
+
+7. Deploy MeshDB!
+
+```
+cd meshdb/infra/meshdb
+terraform init
+terraform apply
+```
+
+8. If you need a superuser: `kubectl exec -it -n meshdbdev0 service/meshdb-meshweb bash` and `python manage.py createsuperuser`
diff --git a/infra/ansible/ansible.cfg b/infra/ansible/ansible.cfg
@@ -0,0 +1,5 @@
+[defaults]
+host_key_checking = False
+
+[ssh_connection]
+ssh_args = '-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o CheckHostIP=no'
diff --git a/infra/ansible/create_inventory.yaml b/infra/ansible/create_inventory.yaml
@@ -0,0 +1,3 @@
+- name: Create inventory
+  plugin: cloud.terraform.terraform_provider
+  project_path: ../tf
diff --git a/infra/ansible/install_packages.yaml b/infra/ansible/install_packages.yaml
@@ -0,0 +1,10 @@
+- name: Install packages on each node 
+  hosts: mgrs:workers 
+  tasks:
+    - name: Install packages on each node
+      ansible.builtin.apt:
+        pkg:
+          - open-iscsi
+          - nfs-common
+        update_cache: true
+      become: true
diff --git a/infra/ansible/inventory.yaml b/infra/ansible/inventory.yaml
@@ -0,0 +1,4 @@
+---
+plugin: cloud.terraform.terraform_provider
+project_path: "../tf"
+
diff --git a/infra/ansible/k8s_lb.yaml b/infra/ansible/k8s_lb.yaml
@@ -0,0 +1,104 @@
+- name: Setup k8s-lb
+  hosts: lb
+  tasks:
+    - name: Install deps
+      ansible.builtin.apt:
+        update_cache: true
+        pkg:
+          - iptables-persistent
+      become: true
+
+    - name: dummy0 interface
+      ansible.builtin.template:
+        src: ./lb_config/netplan_dummy0.yaml.j2
+        dest: /etc/netplan/dummy0.yaml
+        mode: "600"
+      become: true
+
+    - name: eth0 interface
+      ansible.builtin.template:
+        src: ./lb_config/netplan_50_cloud_init.yaml.j2
+        dest: /etc/netplan/50-cloud-init.yaml
+        mode: "600"
+      become: true
+
+    - name: Install frr
+      ansible.builtin.apt:
+        update_cache: true
+        pkg:
+          - frr
+      become: true
+
+    - name: Enable ospfd
+      ansible.builtin.lineinfile:
+        path: /etc/frr/daemons
+        search_string: ospfd=no
+        line: "ospfd=yes"
+      become: true
+
+    - name: Config template frr
+      ansible.builtin.template:
+        src: ./lb_config/frr.conf.j2
+        dest: /etc/frr/frr.conf
+      become: true
+
+    - name: Install haproxy
+      ansible.builtin.apt:
+        update_cache: true
+        pkg:
+          - haproxy
+      become: true
+
+    - name: Config template haproxy
+      ansible.builtin.template:
+        src: ./lb_config/haproxy.cfg
+        dest: /etc/haproxy/haproxy.cfg
+      become: true
+
+    - name: Iptables rules
+      ansible.builtin.template:
+        src: ./lb_config/iptables.j2
+        dest: /etc/iptables/rules.v4
+      become: true
+
+    - name: Restore iptables rules
+      ansible.builtin.command:
+        cmd: "bash -c '/sbin/iptables-restore < /etc/iptables/rules.v4 && touch /tmp/firewall_set'"
+        creates: /tmp/firewall_set
+      become: true
+
+    - name: Netplan apply
+      ansible.builtin.command:
+        cmd: "bash -c 'netplan apply && touch /tmp/netplan_applied'"
+        creates: /tmp/netplan_applied
+      become: true
+
+    - name: Restart and enable iptables service
+      ansible.builtin.service:
+        name: netfilter-persistent
+        state: restarted
+        enabled: true
+      become: true
+
+    - name: Restart and enable frr service
+      ansible.builtin.service:
+        name: frr
+        state: restarted
+        enabled: true
+      become: true
+
+    - name: Restart and enable haproxy service
+      ansible.builtin.service:
+        name: haproxy
+        state: restarted
+        enabled: true
+      become: true
+
+    - name: net.ipv4.ip_forward
+      ansible.posix.sysctl:
+        name: net.ipv4.ip_forward
+        value: '1'
+        sysctl_set: true
+        state: present
+        reload: true
+      become: true
diff --git a/infra/ansible/k8s_lb_config.yaml b/infra/ansible/k8s_lb_config.yaml
@@ -0,0 +1,4 @@
+LB_HOSTNAME: k8s-lb
+EXTERNAL_LISTEN_IP: "something"
+INTERNAL_NETWORK_RANGE: 24
+INTERNAL_NETWORK_MAC_ADDRESS: "something"
diff --git a/infra/ansible/lb_config/frr.conf.j2 b/infra/ansible/lb_config/frr.conf.j2
@@ -0,0 +1,17 @@
+frr version 8.4.4
+frr defaults traditional
+hostname {{ LB_HOSTNAME }}
+log syslog informational
+no ip forwarding
+no ipv6 forwarding
+service integrated-vtysh-config
+!
+interface eth0
+ ip ospf cost 10
+exit
+!
+router ospf
+ network {{ INTERNAL_NETWORK_BLOCK }} area 0
+ network {{ EXTERNAL_LISTEN_IP }}/32 area 0
+exit
+!