diff --git a/AUTHORS b/AUTHORS deleted file mode 100644 index 01047f4f..00000000 --- a/AUTHORS +++ /dev/null @@ -1,4 +0,0 @@ -# This file lists all individuals having contributed content to the repository. -# For how it is generated, see `make AUTHORS`. - -Adam Shannon diff --git a/README.md b/README.md index 2db09299..5f31e5a6 100644 --- a/README.md +++ b/README.md 
@@ -1,78 +1,20 @@ ## moov-io/infra -This repository holds the configurion for [moov.io](https://github.com/moov-io)'s infrastructure. If you believe you have identified a security vulnerability please responsibly report the issue as via email to security@moov.io. Please do not post it to a public issue tracker. +This repository holds a few tools used by Moov. + +If you believe you have identified a security vulnerability please responsibly report the issue as via email to security@moov.io. Please do not post it to a public issue tracker. [![GoDoc](https://godoc.org/github.com/moov-io/infra?status.svg)](https://godoc.org/github.com/moov-io/infra) [![Build Status](https://github.com/moov-io/infra/workflows/Go/badge.svg)](https://github.com/moov-io/infra/actions) [![Apache 2 licensed](https://img.shields.io/badge/license-Apache2-blue.svg)](https://raw.githubusercontent.com/moov-io/infra/master/LICENSE) -Links: [Graphs](https://infra-oss.moov.io/grafana/) | [Logs](https://infra-oss.moov.io/grafana/explore) | [Metrics](https://infra-oss.moov.io/prometheus/) | [Alerts](https://infra-oss.moov.io/alertmanager/#/alerts) - -### Project Goals - -This project aims to be the structure and runtime for a fully automated hosting of moov.io services. - -### Getting started - -To get started working on this project, pull down (`git clone git@github.com:moov-io/infra`) the source code and setup some tools: Golang, Terraform, kubectl, etc. The following list consists of all tools used and expected by the infra repository. 
- -- [Golang](https://golang.org/dl) -- Terraform 0.12+ | [Download](https://www.terraform.io/downloads.html) | [Intro](https://www.terraform.io/intro/index.html) -- kubectl | [Download](https://kubernetes.io/docs/tasks/tools/install-kubectl/) | [Intro](https://www.digitalocean.com/community/tutorials/an-introduction-to-kubernetes) -- [Blackbox](https://github.com/StackExchange/blackbox#blackbox-) (Installed at `./lib/blackbox/bin`, add this to `PATH`) -- [gcloud CLI](docs/google-cloud.md) -- Docker for either [Linux](https://docs.docker.com/install/linux/docker-ce/ubuntu/) or [macOS](https://docs.docker.com/docker-for-mac/install/). - -On macOS these tools can be installed with the following homebrew command: - -``` -$ brew install gpg2 jq make terraform go -``` - -The project has the following directories: - -- [`cmd/`](https://github.com/moov-io/infra/tree/master/cmd) - Various command line utilities used in this project and as tests -- [`docs/`](https://github.com/moov-io/infra/tree/master/docs) - Human readable documentation. -- `envs/` - - [`envs/oss`](https://github.com/moov-io/infra/tree/master/envs/oss) - Our Open Source environment -- [`images/`](https://github.com/moov-io/infra/tree/master/images) - Docker images we create and manage -- [`lib/`](https://github.com/moov-io/infra/tree/master/lib) - Shared (Kubernetes) resources across environments - -### Local Development - -We support a local development environment to allow anyone the ability to run Moov's application stack locally on a machine. 
This currently requires a few tools to be installed, such as: - -- Docker - - [Docker for Mac](https://docs.docker.com/docker-for-mac/) - [Install Guide](https://docs.docker.com/docker-for-mac/install/) - - [Docker on Linux](https://docs.docker.com/install/) - - [Docker for Windows](https://docs.docker.com/docker-for-windows/) - [Install Guide](https://docs.docker.com/docker-for-windows/install/) - -### Testing - -We run several kinds of tests against this repository. Linters/validators (over Kubernetes, Terraform, Prometheus configs) as well as Docker image builds. To run all these: - -``` -$ make test -``` - -Note: To run these tests you need Docker installed. - -### Runbooks - -- [Alerting](docs/alerts.md) -- [Google Cloud (GKE)](docs/google-cloud.md) -- [In-repo Secrets (Blackbox)](docs/secrets.md) -- [Kubernetes](docs/kubernetes.md) -- [Load balancing / Routing (Traefik)](docs/traefik.md) -- [Downloading fuzz data](docs/fuzzing.md) - ### Getting Help channel | info ------- | ------- Twitter [@moov](https://twitter.com/moov) | You can follow Moov.io's Twitter feed to get updates on our project(s). You can also tweet us questions or just share blogs or stories. [GitHub Issue](https://github.com/moov-io) | If you are able to reproduce a problem please open a GitHub Issue under the specific project that caused the error. -[moov-io slack](https://slack.moov.io/) | Join our slack channel to have an interactive discussion about the development of the project. +[moov-io slack](https://slack.moov.io/) | Join our slack channel (`#infra`) to have an interactive discussion about the development of the project. ### Contributing diff --git a/TODO b/TODO deleted file mode 100644 index caaab64c..00000000 --- a/TODO +++ /dev/null 
@@ -1,17 +0,0 @@ -- somehow require git-secrets hook (or something similar) - -- document deployments/ naming - -- PoC k8s deployment (via terraform on GKE) - -- PoC ach-* deployment (what's all involved) - -- PoC infra deployment - - grafana - - monitoring - -- PoC mysql-ach deployment - -- status.moov.io - - can we terraform statuspage.io ? - - needs to be quick, i.e. slackbox diff --git a/cmd/cpfuzz/1-download.sh b/cmd/cpfuzz/1-download.sh deleted file mode 100755 index 5264fc08..00000000 --- a/cmd/cpfuzz/1-download.sh +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/bash -set -e - -context=$(kubectl config get-contexts --output name | grep moov-oss) - -dir="fuzz-"$(date +"%Y-%m-%d") -containers=($(kubectl --context "$context" get pods -n apps | grep fuzz | cut -d' ' -f1)) -echo "found ${#containers[@]} fuzz containers" - -subdir="" -if [[ "$1" != "" ]]; -then - subdir="$1" -else - subdir="crashers" -fi - -for container in "${containers[@]}" -do - name=$(echo "$container" | grep -E -o -o '(.*)fuzz' | tr -d ' ' | rev | cut -c5- | rev) - echo "downloading $name fuzz data from $container" - mkdir -p "$dir"/"$name"/"$subdir" - - files=($(kubectl --context "$context" exec -n apps "$container" -- ls -1 /go/src/github.com/moov-io/"$name"/test/fuzz-reader/crashers/)) - echo "downloading ${#files[@]} files from $container" - for file in "${files[@]}" - do - kubectl --context "$context" cp apps/"$container":/go/src/github.com/moov-io/"$name"/test/fuzz-reader/crashers/"$file" "$dir"/"$name"/"$subdir"/"$file" - done -done - -echo "Saved files in $dir" diff --git a/cmd/cpfuzz/2-copy-crashers-to-projects.sh b/cmd/cpfuzz/2-copy-crashers-to-projects.sh deleted file mode 100755 index f20e06ae..00000000 --- a/cmd/cpfuzz/2-copy-crashers-to-projects.sh +++ /dev/null 
@@ -1,17 +0,0 @@ -#!/bin/bash -set -e - -# assume this is ran from the root of moov-io/infra - -last=$(ls -1 | grep fuzz | tail -n1) -if [ -n "$last" ]; -then - echo "Using fuzz findings from $last" - for dir in $(ls -1 "$last"); - do - # Copy input files over to wire project - find "$last"/"$dir"/crashers -not -name '*.output' -not -name '*.quoted' -mindepth 1 -type f | xargs -n1 -I '{}' cp {} ../"$dir"/test/testdata/crashers/ - done -else - echo "No fuzz-* directories found in moov-io/infra" -fi diff --git a/cmd/cpfuzz/3-package-crashers.sh b/cmd/cpfuzz/3-package-crashers.sh deleted file mode 100755 index 185c9dee..00000000 --- a/cmd/cpfuzz/3-package-crashers.sh +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash -set -e - -# assume this is ran from the root of moov-io/infra - -last=$(ls -1 | grep fuzz | tail -n1) -if [ -n "$last" ]; -then - echo "Using fuzz findings from $last" - for dir in $(ls -1 "$last"); - do - # Create a .tar file of the crashing inputs and outputs - tar cf "$last"/"$dir".tar "$last"/"$dir"/crashers/* - done -else - echo "No fuzz-* directories found in moov-io/infra" -fi diff --git a/cmd/cpfuzz/5-roll-fuzz-pods.sh b/cmd/cpfuzz/5-roll-fuzz-pods.sh deleted file mode 100755 index 91ffac35..00000000 --- a/cmd/cpfuzz/5-roll-fuzz-pods.sh +++ /dev/null @@ -1,20 +0,0 @@ -#!/bin/bash -set -e - -context=$(kubectl config get-contexts --output name | grep automated-clearing-house) - -# assume this is ran from the root of moov-io/infra - -files=( - envs/oss/apps/10-achfuzz.yml - envs/oss/apps/17-imagecashletterfuzz.yml - envs/oss/apps/18-wirefuzz.yml - envs/oss/apps/19-metro2fuzz.yml - envs/oss/apps/20-iso8583fuzz.yml -) - -for file in "${files[@]}" -do - kubectl --context "$context" delete -f "$file" - kubectl --context "$context" apply -f "$file" -done diff --git a/cmd/cpfuzz/README.md b/cmd/cpfuzz/README.md deleted file mode 100644 index c3a72ce6..00000000 --- a/cmd/cpfuzz/README.md +++ /dev/null 
@@ -1,125 +0,0 @@ -## OSS Fuzzers Setup - -Fuzzing is a technique for sending arbitrary input into functions to see what happens. Typically this is done to weed out crashers/panics from software, or to detect bugs. In some cases all possible inputs are ran into the program (i.e. if a function accepts 16-bit integers it's trivial to try them all). - -We run fuzzers with [dvyukov/go-fuzz](https://github.com/dvyukov/go-fuzz) inside Docker containers so they can be deployed like any other long running service. - -### Context - -Each of our OSS projects has fuzzers that try and cause panics inside of the main `Read(..)` functions of the libraries. These functions consume arbitrary input and must not have vulnerabilities as our users depend on them to be very well hardened code paths. - -Each project has a Go test function which attempts to read a directory of files that have caused crashes before fixing underlying issues. These are kept around as regression tests to ensure hardened parsers going forward. - -- [ach](https://github.com/moov-io/ach/tree/master/test/fuzz-reader) -- [imagecashletter](https://github.com/moov-io/imagecashletter/tree/master/test/fuzz-reader) -- [iso8583](https://github.com/moov-io/iso8583/tree/master/test/fuzz-reader) -- [metro2](https://github.com/moov-io/metro2/tree/master/test/fuzz-reader) -- [wire](https://github.com/moov-io/wire/tree/master/test/fuzz-reader) - -### Deployment - -These fuzzer images are deployed with `kubectl` in the `envs/oss/` directory of this repository. It's assumed `kubectl` has a context for this GCP project. - -**Note**: This setup assumes the projects and this repository live in the same parent directory. Some scripts copy files outside of this repository based on relative paths. - -### Private Crasher Files - -This repository has a `.gitignore` entry for `fuzz-*` which will keep the crasher files out of the git tree. 
This is done because a crash in our libraries represents a possible security vulnerability and should be fixed following our security release guidelines. - -The fuzzer logic and setup is open source so the collection of results is also made open. - -### Data Collection and Analysis - -Crasher files are collected inside a `crashers/` directory from where the fuzz binary runs from. Files with the input that caused the crash are written alongside the stacktrace. - -#### Download Crashers - -The first step for our fuzzers is to collect the "crashers" files that are produced. Those are typically created as a result of timeouts when evaluating functions. Our fuzz containers have CPU limits so they often are throttled and I believe that's the cause of timeouts. - -``` -$ ./cmd/cpfuzz/1-download.sh -found 5 fuzz containers -downloading ach fuzz data from achfuzz-686d549866-xrlgq -downloading 3 files from achfuzz-686d549866-xrlgq -... -downloading imagecashletter fuzz data from imagecashletterfuzz-65767469f8-lv6rr -downloading 2 files from imagecashletterfuzz-65767469f8-lv6rr -... -downloading iso8583 fuzz data from iso8583fuzz-7c567d8855-z76l5 -downloading 3 files from iso8583fuzz-7c567d8855-z76l5 -... -downloading metro2 fuzz data from metro2fuzz-7dcd79bfc7-sktz4 -downloading 4 files from metro2fuzz-7dcd79bfc7-sktz4 -... -downloading wire fuzz data from wirefuzz-656c5d4d6b-2mpkh -downloading 1 files from wirefuzz-656c5d4d6b-2mpkh -... -Saved files in fuzz-2021-02-12 -``` - -This warning is outputted a lot when downloading the files. It's harmless. -``` -tar: Removing leading `/' from member names -``` - -#### Copy Crashers to Projects - -Each project (e.g. ACH, ICL, Wire) have a Go test function that attempts to parse these crashing files. - -``` -$ ./cmd/cpfuzz/2-copy-crashers-to-projects.sh -Using fuzz findings from fuzz-2021-02-12 -``` - -A folder named `fuzz-YYYY-MM-DD` should be created in the root directory of this repository. 
- -#### Prepare Packages - -Each project's crasher files can be packaged into `.tar` files for easier distribution to teams. - -``` -$ ./cmd/cpfuzz/3-package-crashers.sh -Using fuzz findings from fuzz-2021-02-12 -``` - -There will be `*.tar` files (e.g. `ach.tar`) created under the latest `fuzz-YYYY-MM-DD` directory. - -#### Roll Fuzz Pods - -After we've downloaded the crasher files deleting the existing pods so new instances are created helps to keep those directories clean. We should look at maintaining the additional corpus files across restarts. - -``` -$ ./cmd/cpfuzz/5-roll-fuzz-pods.sh -persistentvolumeclaim "achfuzz-data" deleted -deployment.apps "achfuzz" deleted -persistentvolumeclaim/achfuzz-data created -deployment.apps/achfuzz created -persistentvolumeclaim "imagecashletterfuzz-data" deleted -deployment.apps "imagecashletterfuzz" deleted -persistentvolumeclaim/imagecashletterfuzz-data created -deployment.apps/imagecashletterfuzz created -persistentvolumeclaim "wirefuzz-data" deleted -deployment.apps "wirefuzz" deleted -persistentvolumeclaim/wirefuzz-data created -deployment.apps/wirefuzz created -persistentvolumeclaim "metro2fuzz-data" deleted -deployment.apps "metro2fuzz" deleted -persistentvolumeclaim/metro2fuzz-data created -deployment.apps/metro2fuzz created -persistentvolumeclaim "iso8583fuzz-data" deleted -deployment.apps "iso8583fuzz" deleted -persistentvolumeclaim/iso8583fuzz-data created -deployment.apps/iso8583fuzz created -``` - -### Metrics - -We deploy [adamdecaf/gofuzz_exporter](https://github.com/adamdecaf/gofuzz_exporter) to scrape and parse the go-fuzz output which lets us generate graphs. - -![](../../docs/images/fuzz-stats.png) - -Source: [infra-oss.moov.io/grafana](https://infra-oss.moov.io/grafana/d/6I4G4jGGz/fuzz-statistics?orgId=1&refresh=1m) - -### Security Disclosures - -If you believe you have identified a security vulnerability please responsibly report the issue as via email to security@moov.io. 
Please do not post it to a public issue tracker. diff --git a/doc.go b/doc.go index 3f59a6ea..07b67c28 100644 --- a/doc.go +++ b/doc.go @@ -3,5 +3,5 @@ // license that can be found in the LICENSE file. // Package infra is a collection of libraries and CLI tools used to automate -// Moov.io's deployment and infrastructure services. +// Moov's deployment and infrastructure services. package infra diff --git a/docs/README.md b/docs/README.md deleted file mode 100644 index ead36d81..00000000 --- a/docs/README.md +++ /dev/null @@ -1,32 +0,0 @@ -## Infrastructure Documentation - -### Customers - -- [Hosting Onboarding](hosting-checklist.md) - -### Services - -- [Production Alerting](alerts.md) -- [Metrics with Prometheus](prometheus.md) -- [Load Balancing with Traefik](traefik.md) -- [Input Fuzzing](fuzzing.md) -- [MySQL](mysql.md) - -### Workstation Setup - -- [Go](golang.md) -- [Docker Tips](docker.md) -- [Google Cloud Authentication](google-cloud.md) -- [Secret Management](secrets.md) -- [Debugging Kubernetes](kubernetes.md) - -### Other Resources - -- [Legal Tasks](legal.md) - -## Getting Help - - channel | info - ------- | ------- -[GitHub Issue](https://github.com/moov-io) | If you are able to reproduce a problem please open a GitHub Issue under the specific project that caused the error. -[moov-io slack](https://slack.moov.io/) | Join our slack channel (`#infra`) to have an interactive discussion about the development of the project. diff --git a/docs/alerts.md b/docs/alerts.md deleted file mode 100644 index fb1a2479..00000000 --- a/docs/alerts.md +++ /dev/null 
@@ -1,17 +0,0 @@ -## Prometheus Alerts - -Prometheus support declaring conditions which, when met trigger "Alerts". These alerts can be used to notify humans in slack, PagerDuty, or even automated processes. Alerts are based off metric data and sliding time windows of observations. Refer to the [Prometheus docs for complete details](https://prometheus.io/docs/prometheus/latest/configuration/alerting_rules/). - -```yaml -# Example alert -groups: - - name: ./watchman.rules - rules: - - alert: StaleData - expr: (time() - last_watchman_data_refresh_success) > 60*60*24 - for: 1h - labels: - severity: warning - annotations: - description: "Data was last refreshed {{ humanizeTimestamp $value }} ago" -``` diff --git a/docs/docker.md b/docs/docker.md deleted file mode 100644 index 58867684..00000000 --- a/docs/docker.md +++ /dev/null @@ -1,7 +0,0 @@ -## Docker - -### Image building - -**References** - -- [Advanced Docker Image Build Patterns](https://speakerdeck.com/garethr/advanced-docker-image-build-patterns) by Gareth Rushgrove diff --git a/docs/fuzzing.md b/docs/fuzzing.md deleted file mode 100644 index d1917cd0..00000000 --- a/docs/fuzzing.md +++ /dev/null 
@@ -1,57 +0,0 @@ -## Fuzzing - -Fuzzing is a technique for sending arbitrary input into functions to see what happens. Typically this is done to weed out crashes/panics from software, or to detect bugs. In some cases all possible inputs are ran into the program (i.e. if a function accepts 16-bit integers it's trivial to try them all). - -Moov runs Docker containers of several applications which execute [go-fuzz](https://github.com/dvyukov/go-fuzz) inside of them. This is designed to automate fuzzing and ensure higher quality software. Right now analysis of fuzz results is manual. - -For example, if we're running fuzzing for `ach` the `Deployment` would be called `achfuzz`. We also run these fuzz containers as a low `PriorityClass` called `fuzz-low-priority` which pushes fuzzing cpu time down if production requests need more cpu or memory. - -After you [setup `kubectl`](kubernetes.md) and authenticate [with Google's Cloud](google-cloud.md) you can download the fuzz data. You'll need to run `1-download.sh` located at [`cmd/cpfuzz/1-download.sh`](../cmd/cpfuzz/1-download.sh) from the root of the infra repository. 
- -``` -$ ./cmd/cpfuzz/1-download.sh -downloading ach fuzz data from achfuzz-6b79569674-zbf67 -downloading imagecashletter fuzz data from imagecashletterfuzz-76d76f654f-gmczz -downloading wire fuzz data from wirefuzz-665478856d-8gpnr -Saves files in fuzz-2019-06-20 - -# List any files we downloaded from the Kubernetes cluster -$ ls -lR fuzz-2019-06-20 -total 0 -drwxr-xr-x 2 adam staff 64 Jun 20 13:13 ach -drwxr-xr-x 44 adam staff 1408 Jun 20 13:15 imagecashletter -drwxr-xr-x 5 adam staff 160 Jun 20 13:15 wire - -fuzz-2019-06-20/ach: - -fuzz-2019-06-20/imagecashletter: -total 336 --rw-r--r-- 1 adam staff 80 Jun 20 13:19 133c10731f259a744004b73de062f708f083a1ea --rw-r--r-- 1 adam staff 1215 Jun 20 13:19 133c10731f259a744004b73de062f708f083a1ea.output --rw-r--r-- 1 adam staff 102 Jun 20 13:19 133c10731f259a744004b73de062f708f083a1ea.quoted - -fuzz-2019-06-20/wire: -total 24 --rw-r--r-- 1 adam staff 6 Jun 20 13:21 57ae8dc36e862a59c605060bb6fc2ff14d9b6fa6 --rw-r--r-- 1 adam staff 1015 Jun 20 13:21 57ae8dc36e862a59c605060bb6fc2ff14d9b6fa6.output --rw-r--r-- 1 adam staff 10 Jun 20 13:21 57ae8dc36e862a59c605060bb6fc2ff14d9b6fa6.quoted -``` - -After downloading each `*.output` file contains the panic's trace and the other two files contain the input. Each crash should be verified correct with a test that passes in the respective project. - -### Copying crasher files - -We have a script (`./cmd/cpfuzz/2-copy-crashers-to-projects.sh`) that grabs the latest downloaded fuzz crashers and copies them to locally cloned moov-io projects. This script assumes a lot: that it is ran from moov-io/infra's root and that moov-io projects are on the same filesystem level as infra. - -``` -$ ./cmd/cpfuzz/2-copy-crashers-to-projects.sh -Using fuzz findings from fuzz-2019-08-28 -``` - -### Resetting fuzz pods - -Often it's useful to reset the fuzz pods (delete any data) after copying down any crasher files. 
To do this run `./cmd/cpfuzz/3-roll-fuzz-pods.sh` which will delete the fuzz Kubernetes manifests and reapply them. - -### Copying corpus files - -You can download the corpus files (go-fuzz creates additional files as it runs) with `./cmd/cpfuzz/1-download.sh corpus`. diff --git a/docs/golang.md b/docs/golang.md deleted file mode 100644 index dab470a6..00000000 --- a/docs/golang.md +++ /dev/null 
@@ -1,73 +0,0 @@ -## Go debugging - -### Code Coverage Thresholds - -When running tests (via `make check`) using our linting script you can specify a threshold for "code coverage" which is the percent of statements executed during testing. A higher value means more of your program/system is tested. Typically +80-85% is a good starting point. Very well tested codebases have +90-95% coverage. - -```yaml - - name: Check - env: - COVER_THRESHOLD: 85.0 - run: make check -``` - -### Linting - -We run a series of linters over all Go code in CI. This is done with the `./go/lint-project.sh` which runs linters such as: `go fmt`, misspell, staticcheck, nancy, golangci-lint, gocyclo, gitleaks (experimental), and exhaustive (experimental). Lastly `go test` is ran. - -The following variables can be used to configure the linters: - -- `GITLEAKS_DEPTH=10` -- `GOCYCLO_LIMIT=15` -- `IGNORED_CVES=CVE-XXXX-YYYY,CVE-ZZZZ-XXX` -- `MISSPELL_IGNORE="palestiniens,palestinians"` - -Experimental linters can be enabled: - -- `EXPERIMENTAL=gitleaks,exhaustive` - -### Production Debugging - -- [Profiling Go Programs](https://blog.golang.org/profiling-go-programs) -- [SRE: Debugging: Simple Memory Leaks in Go](https://medium.com/dm03514-tech-blog/sre-debugging-simple-memory-leaks-in-go-e0a9e6d63d4d) -- [Useful features of Go in Production Deployments](https://rakyll.org/go-cloud/) - -### Connect to remote pprof endpoint - -We use Go's support for `pprof` profiles to analyze running applications. This allows us insight into memory, cpu, and other metrics around a running application. Moov's [admin http.Handler](https://godoc.org/github.com/moov-io/base/admin#Handler) registers the standard Go pprof handles on the admin HTTP server. 
([code](https://github.com/moov-io/base/blob/master/admin/admin.go#L121)) - -You can inspect the pprof endpoints of a running Kubernetes Pod like so: - -``` -$ kubectl get pods -n apps | grep paygate -paygate-78df74d69c-9pplb 1/1 Running 0 16h -``` - -Grab the unique Pod ID and use it to `port-forward` the admin port (`9090` on all deployed Pods) through `localhost:9090`. - -``` -$ kubectl port-forward -n apps paygate-78df74d69c-9pplb 9090 -Forwarding from [::1]:9090 -> 9090 -Forwarding from 127.0.0.1:9090 -> 9090 -``` - -Note: You can load a debug webpage to view all options: http://localhost:9090/debug/pprof/ - -Once you have the local port setup it's one more command to grab a profile. The `go tool pprof` will download and inspect a pprof sample on your machine. - -``` -$ go tool pprof http://localhost:9090/debug/pprof/profile -Fetching profile over HTTP from http://localhost:9090/debug/pprof/profile -Saved profile in /Users/adam/pprof/pprof.paygate.samples.cpu.001.pb.gz -File: paygate -Build ID: c11c257bc3201e469fdf0d33d136624265555959 -Type: cpu -Time: Aug 21, 2019 at 8:58am (PDT) -Duration: 30.01s, Total samples = 100ms ( 0.33%) -Entering interactive mode (type "help" for commands, "o" for options) -(pprof) web # type 'web' to open a SVG diagram in your browser -``` - -Running `web` in the interactive shell will create a SVG image much like this one (darker red used more CPU). - -![](images/profile.png) diff --git a/docs/google-cloud.md b/docs/google-cloud.md deleted file mode 100644 index e3af2d20..00000000 --- a/docs/google-cloud.md +++ /dev/null 
@@ -1,41 +0,0 @@ -## Google Cloud setup - -We currently deploy moov.io services on [Google Cloud Kubernetes Engine](https://console.cloud.google.com/apis/credentials/serviceaccountkey?project=automated-clearing-house) (GKE) which allows us to deploy on Kubernetes. - -**Links**: [GKE Dashboard](https://console.cloud.google.com/kubernetes/list) | [Google Cloud Status](https://status.cloud.google.com/) - -### Credentials - -1. Download your [Google Cloud credentials file](https://console.cloud.google.com/apis/credentials/serviceaccountkey) (JSON format) -1. Save this file in `~/.google/credentials.json` according to [Terraform's Google Cloud guide](https://www.terraform.io/docs/providers/google/index.html#configuration-reference) - 1. Prevent other users reading this file: `chmod 400 ~/.google/credentials.json` -1. [Optional] Install gcloud cli - - Quick start: [Linux](https://cloud.google.com/sdk/docs/quickstart-linux) | [macOS](https://cloud.google.com/sdk/docs/quickstart-macos) - - Requires Python 2.7 - - Install the *kubectl module* `gcloud components install kubectl` - - Note: You should update the gcloud tools: `gcloud components update` - - Login `gcloud auth login` - - Set the default project `gcloud config set project automated-clearing-house` -1. Download your [`kubectl` config](https://console.cloud.google.com/kubernetes/list) - - Run `gcloud container clusters get-credentials sbx --zone us-central1-a` - - You can also have terraform setup the credentials for you. - - You also need the following files `.google/credentials.json`, `envs/sbx/ca.crt`, and `envs/sbx/client.*`, which you can get from Adam. 
- - Then `terraform taint null_resource.kubectl_setup` and `terraform apply` (verifying only that resource changes) - -### Troubleshooting - -#### "cannot construct google default token source" - -Sometimes after a homebrew update `kubectl` breaks with the following error: - -``` -$ kubectl get pods -n infra | grep alertm -error: cannot construct google default token source: google: could not find default credentials. See https://developers.google.com/accounts/docs/application-default-credentials for more information. -``` - -**Solution** - -1. Update the gcloud components `gcloud components update` -1. Login `gcloud auth login` -1. Set the project (i.e. `gcloud config set project automated-clearing-house`) -1. Fetch the credentials again (i.e. `gcloud container clusters get-credentials sbx --zone us-central1-a`) diff --git a/docs/hosting-checklist.md b/docs/hosting-checklist.md deleted file mode 100644 index c42374f8..00000000 --- a/docs/hosting-checklist.md +++ /dev/null 
@@ -1,53 +0,0 @@ -## Hosting Checklist - -### Contract - -- [ ] SOC2 handoff, accepted -- [ ] SLA's, signed and accepted -- [ ] Hosting Agreement, signed - - [ ] Backups - - Credentials needed if external storage system - - [ ] Failover - - Credentials needed if external site used - -### Support - -- [ ] Emails, phone numbers, private slack room? - -### Infrastructure - -- [ ] DNS endpoint (e.g. api.bank.com) -- [ ] Private code storage of their configuration -- [ ] Isolated virtual environment - - [ ] Kubernetes (GKE), Hosted MySQL? -- [ ] Debugging and Monitoring - - [ ] OAuth2 Proxy - - [ ] infra-idx - - [ ] Prometheus - - [ ] Grafana - - [ ] kube-state-metrics - - [ ] CAdvisor - - [ ] node_exporter - - [ ] Loki - - [ ] promtail - - [ ] domain-exporter - - [ ] alertmanager - - [ ] polaris? - -### Load Balacing - -- [ ] Traefik - - [ ] SSL Certificates (skip if automated) - -### Applications - -- [ ] api (api.bank.com website and docs) -- [ ] ACH -- [ ] Accounts -- [ ] Auth -- [ ] Customers -- [ ] FED - -- [ ] PayGate -- [ ] Watchman - diff --git a/docs/images/fuzz-stats.png b/docs/images/fuzz-stats.png deleted file mode 100644 index 6d934126..00000000 Binary files a/docs/images/fuzz-stats.png and /dev/null differ diff --git a/docs/images/popular-metrics.png b/docs/images/popular-metrics.png deleted file mode 100644 index 61423667..00000000 Binary files a/docs/images/popular-metrics.png and /dev/null differ diff --git a/docs/images/profile.png b/docs/images/profile.png deleted file mode 100644 index d1b973a8..00000000 Binary files a/docs/images/profile.png and /dev/null differ diff --git a/docs/images/tilt.png b/docs/images/tilt.png deleted file mode 100644 index b76ce72a..00000000 Binary files a/docs/images/tilt.png and /dev/null differ diff --git a/docs/images/watchman-routes.png b/docs/images/watchman-routes.png deleted file mode 100644 index 7b18f7c2..00000000 Binary files a/docs/images/watchman-routes.png and /dev/null differ 
diff --git a/docs/kubernetes.md b/docs/kubernetes.md deleted file mode 100644 index e09a5013..00000000 --- a/docs/kubernetes.md +++ /dev/null 
@@ -1,67 +0,0 @@ -## Kubernetes Runbooks - -You should be [familiar with Kubernetes](https://kubernetes.io/docs/tutorials/kubernetes-basics/) (k8s). We use lots of `Service`, `Deployment`, `Ingress` and `PersistentVolumeClaim` objects along with a few others where needed. Our clusters run with [RBAC](https://kubernetes.io/docs/reference/access-authn-authz/rbac/) on Google's Kubernetes Engine (GKE). - -**Links**: [infra-oss.moov.io](https://infra-oss.moov.io) | [Google Cloud Status](https://status.cloud.google.com/) | [GKE Dashboard](https://console.cloud.google.com/kubernetes/list) - -There are also several community guides for troubleshooting Kubernetes problems: - -- [Kubernetes.io Guide](https://kubernetes.io/docs/tasks/debug-application-cluster/debug-cluster/) -- [Cloud.gov Guide](https://cloud.gov/docs/ops/runbook/troubleshooting-kubernetes/) -- [Codefresh.io Guide](https://codefresh.io/Kubernetes-Tutorial/recover-broken-kubernetes-cluster/) -- [Kubernetes Basics](https://www.youtube.com/playlist?list=PLLasX02E8BPCrIhFrc_ZiINhbRkYMKdPT) (Videos) - -**Useful Tools** - -- `kubespy`: Tool for observing Kubernetes resources in real time - [GitHub](https://github.com/pulumi/kubespy) - - [kubespy trace: a real-time view into the heart of a Kubernetes Service](https://blog.pulumi.com/kubespy-trace-a-real-time-view-into-the-heart-of-a-kubernetes-service) - -### Viewing Pod/Container logs - -``` -$ kubectl get pods -n infra | grep kube-ingress -kube-ingress-index-5cb86955ff-md64n 1/1 Running 0 18m -kube-ingress-index-5cb86955ff-xdb5m 1/1 Running 0 18m - -# --tail only shows the last N logs -# -f keeps tailing the pod/container stdout -$ kubectl logs -n infra [--tail 10] [-f] kube-ingress-index-5cb86955ff-xdb5m -... 
-``` - -See also: [Viewing logs in Kubernetes](https://medium.com/devopslinks/viewing-logs-in-kubernetes-e055f936e187) - -### Viewing Logs with Loki / Grafana - -[Loki](https://github.com/grafana/loki) is a new log aggregation platform which attempts to transform logs into metric streams (with log information as labels). This project is new, but Grafana allows exploring, building dashboards, and alerts. Checkout the [explore page showing paygate logs](https://infra-oss.moov.io/grafana/explore?left=%5B"now%2Fd","now%2Fd","Loki",%7B"expr":"%7Bapp%3D%5C"paygate%5C"%7D"%7D,%7B"ui":%5Btrue,true,true,"none"%5D%7D%5D) and the [basic usage guide](https://github.com/grafana/loki/blob/master/docs/usage.md#searching-with-labels-and-distributed-grep). - -- [Loki Troubleshooting Guide](https://github.com/grafana/loki/blob/master/docs/troubleshooting.md) -- [An early preview of Loki](https://itnext.io/grafana-logging-using-loki-45665916aec9) -- [Loki Metrics](https://github.com/grafana/loki/blob/master/docs/operations/observability.md#observing-loki) - -### Rolling Pods / Containers - -If you need to restart a Pod/Container simply list out the pods and issue `kubectl delete`: - -``` -$ kubectl get pods -n infra | grep kube-ingress -kube-ingress-index-5cb86955ff-md64n 1/1 Running 0 18m -kube-ingress-index-5cb86955ff-xdb5m 1/1 Running 0 18m - -$ kubectl delete pod -n infra kube-ingress-index-5cb86955ff-rtdms -pod "kube-ingress-index-5cb86955ff-rtdms" deleted -``` - -### Node Sizing / Availability - -Currently our Kubernetes cluster runs on preemptible instances which can terminate themselves in under 60s. We largely do this for cost savings before having a product, but will likely run a combination of permanent and preemptible nodes going forward. It's important to remember several guidelines: ([Source](https://learnk8s.io/blog/kubernetes-spot-instances)) - -- Have a backup plan (permanent node pool) -- Find unpopular instance sizes - - If a new family comes out (i.e. 
m5) m4's might become cheaper and less requested. -- Set a maximum bid price -- Run multi-zone setups to avoid shortages in a single GCP zone - -### Emacs - -[chrisbarrett/kubernetes-el](https://github.com/chrisbarrett/kubernetes-el) works with our setup. Talk to @adamdecaf for help. diff --git a/docs/legal.md b/docs/legal.md deleted file mode 100644 index 5ae951a9..00000000 --- a/docs/legal.md +++ /dev/null @@ -1,11 +0,0 @@ -# Legal - -## Update Copyright Headers - -Each source file needs to have a header mentioning the associated Apache 2 license in it. Some projects include the Copyright year as part of this header. - -To update this run the following command to move Copyright years ahead one. - -``` -$ set -x; find . -type f -name '*.go' | xargs -n1 sed -i '' "s/Copyright $(($(date +%Y)-1)) The Moov Authors/Copyright $(date +%Y) The Moov Authors/g" -``` diff --git a/docs/mysql.md b/docs/mysql.md deleted file mode 100644 index a803d90c..00000000 --- a/docs/mysql.md +++ /dev/null 
@@ -1,40 +0,0 @@ -## MySQL - -### Viewing Logs - -To view logs in [Grafana / Loki](https://infra-oss.moov.io/grafana/explore) you can run a query like the following: - -``` -{app="paygate-mysql"} -``` - -Also, if you have a unique ID (example: `e404c20a-e74a-4360-8ed3-7381d76b7b6a`) you can filter results with the following query. - -``` -{app="paygate"} |= "e404c20a-e74a-4360-8ed3-7381d76b7b6a" -``` - -Note: We have a more comprehensive guide to [viewing logs](https://github.com/moov-io/infra/blob/master/docs/kubernetes.md#viewing-logs-with-loki--grafana). - -### Dashboards - -We host several dashboards to monitor MySQL statistics on our Grafana instance. - -- [MySQL Overview](https://infra-oss.moov.io/grafana/d/MQWgroiiz/mysql-overview) - -### Backups - -To view the backups if you have `gsutil` setup and authorized to view Google Storage buckets for Moov you can run the following command. - -``` -$ gsutil ls -r gs://moov-production-mysql-backups/apps/ - -gs://moov-production-mysql-backups/apps/customers/: -gs://moov-production-mysql-backups/apps/customers/customers_2020_01_15.sql - -gs://moov-production-mysql-backups/apps/paygate/: -gs://moov-production-mysql-backups/apps/paygate/paygate_2020_01_15.sql - -gs://moov-production-mysql-backups/apps/watchman/: -gs://moov-production-mysql-backups/apps/watchman/watchman_2020_01_15.sql -``` diff --git a/docs/prometheus.md b/docs/prometheus.md deleted file mode 100644 index d7ffc930..00000000 --- a/docs/prometheus.md +++ /dev/null 
@@ -1,33 +0,0 @@ -## Prometheus - -### Finding most popular metric series - -Prometheus can run out of memory if there are too many series for it to track and the memory given is too low for initialization in memory. To inspect the most popular series run the following: - -``` -topk(10, count by (__name__, job)({__name__=~".+"})) - -kube_pod_container_status_waiting_reason{job="kubernetes-pods"} 595 -container_tasks_state{job="kubernetes-pods"} 525 -kube_pod_container_status_last_terminated_reason{job="kubernetes-pods"} 425 -``` - -![](images/popular-metrics.png) - -Source: https://www.robustperception.io/which-are-my-biggest-metrics - -### Response Durations - -We recommend showing the [Apdex Score](https://prometheus.io/docs/practices/histograms/#apdex-score) for any HTTP server to show the service's performance relative to your SLA. For a Moov application this Grafana query gives a graph broken down by HTTP route: - -``` - sum(rate(http_response_duration_seconds_bucket{app="watchman", le="0.25"}[5m])) by (route) -/ - sum(rate(http_response_duration_seconds_count{app="watchman"}[5m])) by (route) -``` - -![](images/watchman-routes.png) - -### Links - -- [Prometheus for Beginners](https://itnext.io/prometheus-for-beginners-5f20c2e89b6c) diff --git a/docs/secrets.md b/docs/secrets.md deleted file mode 100644 index 76cf93b3..00000000 --- a/docs/secrets.md +++ /dev/null 
@@ -1,67 +0,0 @@ -## secrets - -> "I know that's a secret, for it's whispered everywhere." -- William Congreve - -We store secrets a couple of ways inside this repository. For kubernetes resources we're just [using StackExchange/blackbox](https://github.com/StackExchange/blackbox) to encrypt the files and for terraform state we're storing that inside google cloud storage. - -### Need to access secrets? - -Generate a GPG keypair and send it to Adam (or someone on the Infra team). - -``` -# Create a passphrase protected 4096bit key -$ gpg --gen-key - -# Send this file to Adam / Infra team -$ gpg --export > ${USER}-moov.pub -``` - -### Export / Backup - -You'll need a GPG key specific for Moov to use with blackbox. Add a passphrase and make it 4096bit. - -Once created you can export it somewhere safe (Lastpass), but this key needs to be physically and/or digitally secure. (Flash drive inside a safe, LastPass) - -``` -# Create a passphrase protected 4096bit key -$ gpg --gen-key - -# (Optional) Export key material (lastpass, offline storage) -$ gpg --export > ${USER}-moov.pub -$ gpg --export-secret-key > ${USER}-moov.pem -``` - -### Adding a new blackbox admin - -The following steps can be used to add a new blackbox admin. 
- -``` -# Import the new public key into your system's keyring -$ gpg --import person-moov.pub -gpg: key 95206224ACC92821: public key "Jane Doe " imported -gpg: Total number processed: 1 -gpg: imported: 1 - -$ gpg --list-keys -/home/adam/.gnupg/pubring.gpg ------------------------------ -pub 4096R/700D183B 2018-09-26 -uid Adam Shannon (moov.io) -sub 4096R/CBA93839 2018-09-26 - -$ ./blackbox/bin/blackbox_addadmin 700D183B -gpg: keyring `/home/adam/code/src/github.com/moov-io/infra/keyrings/live/secring.gpg' created -gpg: keyring `/home/adam/code/src/github.com/moov-io/infra/keyrings/live/pubring.gpg' created -gpg: /home/adam/code/src/github.com/moov-io/infra/keyrings/live/trustdb.gpg: trustdb created -gpg: key 700D183B: public key "Adam Shannon (moov.io) " imported -gpg: Total number processed: 1 -gpg: imported: 1 (RSA: 1) - - -NEXT STEP: You need to manually check these in: - git commit -m'NEW ADMIN: 700D183B' keyrings/live/pubring.gpg keyrings/live/trustdb.gpg keyrings/live/blackbox-admins.txt - -$ git commit -m'NEW ADMIN: 700D183B' keyrings/live/pubring.gpg keyrings/live/trustdb.gpg keyrings/live/blackbox-admins.txt - -$ git push origin master -``` diff --git a/docs/traefik.md b/docs/traefik.md deleted file mode 100644 index c9aa5b50..00000000 --- a/docs/traefik.md +++ /dev/null 
@@ -1,24 +0,0 @@ -## traefik - -[Traefik](https://docs.traefik.io/) is a "cloud native" load balancer. We chose this project because it has Kubernetes and Let's Encrypt integration. Traefik can watch `Ingress` objects and reload routing rules. Make sure to [understand the Traefik basics](https://docs.traefik.io/basics/) and the Kubernetes [configuration](https://docs.traefik.io/configuration/backends/kubernetes/) and [user guide](https://docs.traefik.io/user-guide/kubernetes/). - -Note: We deploy traefik as two deployments, "alpha" and "beta" (along with their `PersistentVolumeClaim`) such that: - -1. The traefik `ConfigMap` can be reloaded per-side first (and not accidently drop all traffic) -1. We can help isolate failure. - - We've been having our preemptible nodes die and taking traefik with. (Issue: [#20](https://github.com/moov-io/infra/issues/20)) - - The PVC has to (maybe) move, re-mount, and then traefik can start... - -### Authentication - -#### Infra auth proxy - -We run the [pusher/oauth2_proxy](https://github.com/pusher/oauth2_proxy) to handle auth infront of our infra-oss.moov.io resources. You just need to authorize our Github OAuth2 application (oauth creds are in `11-secrets.yml`) to be granted access. This [blog post](https://www.digitalocean.com/community/tutorials/how-to-protect-private-kubernetes-services-behind-a-github-login-with-oauth2_proxy) from DigitalOcean covers a similar setup to how we've deployed oauth2_proxy. - -### Certificates - -We use [Let's Encrypt](https://letsencrypt.org/) integration in Traefik to [dynamically generate certificates](https://docs.traefik.io/configuration/acme/) according to hostnames specified in `Ingress` objects. Each certificate is stored in a `PersistentVolume` and rotated automatically by Traefik. For configuration parameters checkout the `ConfigMap` called `traefik-config` in the `lb` namespace. 
- -Also, we monitor the [Certificate Transparency](https://www.certificate-transparency.org/) logs for `moov.io` (and any future domains) [with CertSpotter](https://sslmate.com/certspotter/). - -Read over the [https.dev ACME Operations](https://docs.https.dev/acme-ops#introduction) tips and tricks for in-depth technical knowledge of certificate gathering. diff --git a/envs/oss/README.md b/envs/oss/README.md deleted file mode 100644 index 5e15a0ec..00000000 --- a/envs/oss/README.md +++ /dev/null 
@@ -1,36 +0,0 @@ -## envs/oss - -`oss` is our only environment currently. It's organized with terraform to setup a Kubernetes cluster and then `kubectl` object files laid out in the directories (by each namespace). - -- `gcp.tf`: Our Google Cloud project setup. Contains enabled APIs, cluster admins, and zone setup. -- `kubernetes.tf`: Kubernetes cluster setup - - Contains node counts, memory, cpu, storage, and kubernetes version -- `moov.io.tf`: DNS records for `moov.io` and `*.moov.io`. -- `terraform.tf`: Terraform (Google Cloud Storage) GCS backend config (for [Terraform remote state](https://www.terraform.io/docs/state/remote.html)) - -Terraform state is stored in a Google Storage Bucket, which gives us: - -1. State Locking (so only one `terraform apply` at a time, only allow newer versions) -1. Encryption of terraform state (and keeping secrets out of this git repo) - -Make sure your [Google Cloud credentials.json is setup](../../docs/google-cloud.md) - -### Decrypting secrets - -You'll need to [decrypt the files with blackbox](../../docs/secrets.md). Run `blackbox_decrypt_all_files` at the root of this repository. - -Note: The `oss` environment is a testing ground. Never put production secrets into this repository. - -### Kubernetes Namespaces - -- `apps/`: Kubernetes Service, Deployment, and Ingress for each application -- `infra/`: `infra-oss.moov.io` setup, contains Grafana, prometheus, and oauth2_proxy (for infra resources) -- `lb/`: Load Balancer (Traefik) setup and configuration - -### infra-oss.moov.io - -[`infra-oss.moov.io`](https://infra-oss.moov.io/) is our VPN-less portal for Grafana, Prometheus and other infra services. It requires being part of the [`moov-io` Github organization](https://github.com/moov-io) and uses OAuth2 auth via Github. - -The index page is generated with [Banno/kube-ingress-index](https://github.com/Banno/kube-ingress-index), which scans Ingress objects and generates a dynamic table of contents. 
- -Note: The traefik link currently doesn't work, use the [infra README's link](https://github.com/moov-io/infra#moovio-infra). diff --git a/envs/oss/apps/00-namespace.yml b/envs/oss/apps/00-namespace.yml deleted file mode 120000 index d68e100d..00000000 --- a/envs/oss/apps/00-namespace.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/apps/00-namespace.yml \ No newline at end of file diff --git a/envs/oss/apps/00-priorities.yml b/envs/oss/apps/00-priorities.yml deleted file mode 120000 index 1e739cf3..00000000 --- a/envs/oss/apps/00-priorities.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/apps/00-priorities.yml \ No newline at end of file diff --git a/envs/oss/apps/10-achwebui.yml b/envs/oss/apps/10-achwebui.yml deleted file mode 120000 index 033b1312..00000000 --- a/envs/oss/apps/10-achwebui.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/apps/10-achwebui.yml \ No newline at end of file diff --git a/envs/oss/apps/12-paygate-mysql.yml b/envs/oss/apps/12-paygate-mysql.yml deleted file mode 120000 index 4fb20ba2..00000000 --- a/envs/oss/apps/12-paygate-mysql.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/apps/12-paygate-mysql.yml \ No newline at end of file diff --git a/envs/oss/apps/13-watchman-example.yml b/envs/oss/apps/13-watchman-example.yml deleted file mode 120000 index 78b447d4..00000000 --- a/envs/oss/apps/13-watchman-example.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/apps/13-watchman-example.yml \ No newline at end of file diff --git a/envs/oss/apps/13-watchman-mysql.yml b/envs/oss/apps/13-watchman-mysql.yml deleted file mode 120000 index cb678909..00000000 --- a/envs/oss/apps/13-watchman-mysql.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/apps/13-watchman-mysql.yml \ No newline at end of file diff --git a/envs/oss/apps/13-watchman-secrets.yml.gpg b/envs/oss/apps/13-watchman-secrets.yml.gpg deleted file mode 100644 index 0bcd4ec8..00000000 Binary files a/envs/oss/apps/13-watchman-secrets.yml.gpg and /dev/null differ 
diff --git a/envs/oss/apps/13-watchman.yml b/envs/oss/apps/13-watchman.yml deleted file mode 120000 index efc482a7..00000000 --- a/envs/oss/apps/13-watchman.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/apps/13-watchman.yml \ No newline at end of file diff --git a/envs/oss/apps/13-watchmantest.yml b/envs/oss/apps/13-watchmantest.yml deleted file mode 120000 index 9f9668a5..00000000 --- a/envs/oss/apps/13-watchmantest.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/apps/13-watchmantest.yml \ No newline at end of file diff --git a/envs/oss/apps/17-imagecashletterfuzz.yml b/envs/oss/apps/17-imagecashletterfuzz.yml deleted file mode 120000 index d736a9fc..00000000 --- a/envs/oss/apps/17-imagecashletterfuzz.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/apps/17-imagecashletterfuzz.yml \ No newline at end of file diff --git a/envs/oss/apps/17-imagecashletterwebui.yml b/envs/oss/apps/17-imagecashletterwebui.yml deleted file mode 120000 index 49b10012..00000000 --- a/envs/oss/apps/17-imagecashletterwebui.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/apps/17-imagecashletterwebui.yml \ No newline at end of file diff --git a/envs/oss/apps/18-wirefuzz.yml b/envs/oss/apps/18-wirefuzz.yml deleted file mode 120000 index 9c0693b8..00000000 --- a/envs/oss/apps/18-wirefuzz.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/apps/18-wirefuzz.yml \ No newline at end of file diff --git a/envs/oss/apps/18-wirewebui.yml b/envs/oss/apps/18-wirewebui.yml deleted file mode 120000 index 21dca50c..00000000 --- a/envs/oss/apps/18-wirewebui.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/apps/18-wirewebui.yml \ No newline at end of file diff --git a/envs/oss/apps/19-metro2fuzz.yml b/envs/oss/apps/19-metro2fuzz.yml deleted file mode 120000 index 99ab6384..00000000 --- a/envs/oss/apps/19-metro2fuzz.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/apps/19-metro2fuzz.yml \ No newline at end of file 
diff --git a/envs/oss/apps/20-iso8583fuzz.yml b/envs/oss/apps/20-iso8583fuzz.yml deleted file mode 120000 index 72f66c77..00000000 --- a/envs/oss/apps/20-iso8583fuzz.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/apps/20-iso8583fuzz.yml \ No newline at end of file diff --git a/envs/oss/apps/21-fincen-webui.yml b/envs/oss/apps/21-fincen-webui.yml deleted file mode 120000 index 36d25e6c..00000000 --- a/envs/oss/apps/21-fincen-webui.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/apps/21-fincen-webui.yml \ No newline at end of file diff --git a/envs/oss/apps/database-backups.yml.gpg b/envs/oss/apps/database-backups.yml.gpg deleted file mode 100644 index 6c4de1d6..00000000 Binary files a/envs/oss/apps/database-backups.yml.gpg and /dev/null differ diff --git a/envs/oss/apps/slack-secrets.yml.gpg b/envs/oss/apps/slack-secrets.yml.gpg deleted file mode 100644 index 162eef8d..00000000 Binary files a/envs/oss/apps/slack-secrets.yml.gpg and /dev/null differ diff --git a/envs/oss/ca.crt.gpg b/envs/oss/ca.crt.gpg deleted file mode 100644 index 3263983a..00000000 Binary files a/envs/oss/ca.crt.gpg and /dev/null differ diff --git a/envs/oss/client.crt.gpg b/envs/oss/client.crt.gpg deleted file mode 100644 index 52353dab..00000000 Binary files a/envs/oss/client.crt.gpg and /dev/null differ diff --git a/envs/oss/client.key.gpg b/envs/oss/client.key.gpg deleted file mode 100644 index ead2ba41..00000000 Binary files a/envs/oss/client.key.gpg and /dev/null differ diff --git a/envs/oss/gcp.tf b/envs/oss/gcp.tf deleted file mode 100644 index 272c4ee2..00000000 --- a/envs/oss/gcp.tf +++ /dev/null 
@@ -1,130 +0,0 @@ -// Configure the Google Cloud provider -provider "google" { - credentials = file(var.gcp_creds_filepath) - project = var.gcp_project - region = var.gcp_region - version = "~> 2.20" -} - -resource "google_project" "ach" { - name = "automated clearing house" - project_id = var.gcp_project - org_id = "513355466794" - - lifecycle { - prevent_destroy = true - } -} - -# Enable all our needed Google API's -resource "google_project_service" "ach" { - for_each = toset([ - "bigquery.googleapis.com", - "bigquerystorage.googleapis.com", - "cloudkms.googleapis.com", - "cloudresourcemanager.googleapis.com", - "compute.googleapis.com", - "container.googleapis.com", - "containerregistry.googleapis.com", - "dns.googleapis.com", - "iam.googleapis.com", - "iamcredentials.googleapis.com", - "iap.googleapis.com", - "maps-android-backend.googleapis.com", - "maps-backend.googleapis.com", - "maps-embed-backend.googleapis.com", - "maps-ios-backend.googleapis.com", - "oslogin.googleapis.com", - "pubsub.googleapis.com", - "serviceusage.googleapis.com", - "static-maps-backend.googleapis.com", - "storage-api.googleapis.com", - "street-view-image-backend.googleapis.com", - "streetviewpublish.googleapis.com", - ]) - - service = each.key - - project = var.gcp_project - disable_on_destroy = true -} - -variable "gcp_creds_filepath" { - default = "~/.google/credentials.json" - description = "Local filepath for Google Cloud credentials" -} - -variable "gcp_project" { - default = "automated-clearing-house" - description = "Google Cloud project name" -} - -variable "gcp_region" { - default = "us-central1" -} - -variable "gcp_zones" { - type = list(string) - - default = [ - "us-central1-a", - "us-central1-b", - "us-central1-c", - ] -} - -// All projects have this (default storage service account) -// We need to add a policy to the bucket created. 
-data "google_storage_project_service_account" "gcs_account" { -} - -locals { - project_service_account_email = "serviceAccount:${data.google_storage_project_service_account.gcs_account.email_address}" - project_service_account_emails = [local.project_service_account_email] -} - -resource "random_shuffle" "zones" { - input = var.gcp_zones - - lifecycle { - prevent_destroy = true - } -} - -locals { - # random_shuffle.zones returns with one of the original zones removed, - # which becomes our primary zone. - primary_gcp_zone = element(random_shuffle.zones.result, 0) -} - -// ClusterRole on GKE/K8S 1.6+ (with RBAC) won't let you create roles right away. -// See the following links: -// -// https://github.com/terraform-providers/terraform-provider-kubernetes/pull/1#issuecomment-307940033 -// https://github.com/terraform-providers/terraform-provider-kubernetes/pull/73 -// -// https://cloud.google.com/container-engine/docs/role-based-access-control -// https://github.com/coreos/prometheus-operator/blob/master/Documentation/troubleshooting.md -// -// To work around this, let's just shell out and create the CRB's ourself. -resource "null_resource" "rbac_setup" { - count = 0 - - # kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=myname@example.org - # kubectl create clusterrolebinding myname-cluster-admin-binding --clusterrole=cluster-admin --user=myname@example.org - provisioner "local-exec" { - command = "kubectl create clusterrolebinding ${var.cluster_name}-admin-binding --clusterrole=cluster-admin --user=${element(var.cluster_admins, count.index)}" - } -} - -variable "cluster_admins" { - default = [ - "adam@moov.io", - "brandon@moov.io", - ] - # "wade@moov.io", -} - -locals { - gcp_cluster_admin_emails = formatlist("user:%s", var.cluster_admins) -} 
diff --git a/envs/oss/infra/11-secrets.yml.gpg b/envs/oss/infra/11-secrets.yml.gpg deleted file mode 100644 index 7f2d60fe..00000000 Binary files a/envs/oss/infra/11-secrets.yml.gpg and /dev/null differ diff --git a/envs/oss/infra/22-alertmanager-config.yml.gpg b/envs/oss/infra/22-alertmanager-config.yml.gpg deleted file mode 100644 index 013adc54..00000000 Binary files a/envs/oss/infra/22-alertmanager-config.yml.gpg and /dev/null differ diff --git a/envs/oss/kubernetes.tf b/envs/oss/kubernetes.tf deleted file mode 100644 index f5d22a7e..00000000 --- a/envs/oss/kubernetes.tf +++ /dev/null 
@@ -1,164 +0,0 @@ -provider "kubernetes" { - host = google_container_cluster.primary.endpoint - - username = var.username - password = var.password - # client_certificate = base64decode(file("client.crt")) - # client_key = base64decode(file("client.key")) - cluster_ca_certificate = base64decode(file("ca.crt")) -} - -variable "cluster_name" { - default = "sbx" -} - -variable "username" { -} - -variable "password" { -} - -variable "permanent_pool_node_count" { - default = 3 -} - -variable "permanent_node_disk_size_gb" { - default = 25 -} - -variable "permanent_node_disk_type" { - default = "pd-standard" -} - -variable "permanent_node_machine_type" { - default = "n1-standard-2" -} - -variable "preemptible_pool_node_count" { - default = 0 -} - -variable "preemptible_node_disk_size_gb" { - default = 25 -} - -variable "preemptible_node_disk_type" { - default = "pd-standard" -} - -variable "preemptible_node_machine_type" { - default = "n1-standard-1" -} - -variable "min_master_version" { - # Note: Update the root makefile kubeval Kubernetes version when this changes - default = "1.15.11-gke.5" -} - -# Setup for a GCP kubernetes cluster. 
-resource "google_container_cluster" "primary" { - name = var.cluster_name - location = local.primary_gcp_zone - initial_node_count = 1 - - min_master_version = var.min_master_version - - lifecycle { - create_before_destroy = true - prevent_destroy = true - } - - maintenance_policy { - daily_maintenance_window { - start_time = "03:00" - } - } - - master_auth { - username = var.username - password = var.password - } - - node_config { - disk_size_gb = 25 - disk_type = "pd-standard" - machine_type = "g1-small" - preemptible = true - - oauth_scopes = [ - "compute-rw", - "storage-ro", - "logging-write", - "monitoring", - ] - } -} - -resource "google_container_node_pool" "permanent" { - name = "${var.cluster_name}-permanent-nodes" - location = local.primary_gcp_zone - cluster = google_container_cluster.primary.name - - lifecycle { - prevent_destroy = true - } - - node_count = var.permanent_pool_node_count - node_config { - disk_size_gb = var.permanent_node_disk_size_gb - disk_type = var.permanent_node_disk_type - machine_type = var.permanent_node_machine_type - preemptible = false - - oauth_scopes = [ - "compute-rw", - "storage-ro", - "logging-write", - "monitoring", - ] - } -} - -resource "google_container_node_pool" "preemptible" { - name = "${var.cluster_name}-preemptible-nodes" - location = local.primary_gcp_zone - cluster = google_container_cluster.primary.name - - lifecycle { - prevent_destroy = true - } - - node_count = var.preemptible_pool_node_count - node_config { - disk_size_gb = var.preemptible_node_disk_size_gb - disk_type = var.preemptible_node_disk_type - machine_type = var.preemptible_node_machine_type - preemptible = true - - oauth_scopes = [ - "compute-rw", - "storage-ro", - "logging-write", - "monitoring", - ] - } -} - -resource "null_resource" "kubectl_setup" { - # Call out to gcloud, which writes kubectl configs - provisioner "local-exec" { - command = "gcloud container clusters get-credentials ${google_container_cluster.primary.name} --zone 
${google_container_cluster.primary.zone} --project ${var.gcp_project}" - } -} - -resource "null_resource" "kubernetes_config_save" { - provisioner "local-exec" { - command = "echo '${google_container_cluster.primary.master_auth[0].client_certificate}' > client.crt" - } - provisioner "local-exec" { - command = "echo '${google_container_cluster.primary.master_auth[0].client_key}' > client.key" - } - provisioner "local-exec" { - command = "echo '${google_container_cluster.primary.master_auth[0].cluster_ca_certificate}' > ca.crt" - } -} diff --git a/envs/oss/lb/00-namespace.yaml b/envs/oss/lb/00-namespace.yaml deleted file mode 120000 index 3a2becf2..00000000 --- a/envs/oss/lb/00-namespace.yaml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/lb/00-namespace.yaml \ No newline at end of file diff --git a/envs/oss/lb/10-traefik-alpha.yml b/envs/oss/lb/10-traefik-alpha.yml deleted file mode 120000 index 2f3fb702..00000000 --- a/envs/oss/lb/10-traefik-alpha.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/lb/10-traefik-alpha.yml \ No newline at end of file diff --git a/envs/oss/lb/10-traefik-beta.yml b/envs/oss/lb/10-traefik-beta.yml deleted file mode 120000 index 32f87fdb..00000000 --- a/envs/oss/lb/10-traefik-beta.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/lb/10-traefik-beta.yml \ No newline at end of file diff --git a/envs/oss/lb/10-traefik-config.yml b/envs/oss/lb/10-traefik-config.yml deleted file mode 120000 index e01b1ee3..00000000 --- a/envs/oss/lb/10-traefik-config.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/lb/10-traefik-config.yml \ No newline at end of file diff --git a/envs/oss/lb/10-traefik-rbac.yml b/envs/oss/lb/10-traefik-rbac.yml deleted file mode 120000 index 5b54be85..00000000 --- a/envs/oss/lb/10-traefik-rbac.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/lb/10-traefik-rbac.yml \ No newline at end of file diff --git a/envs/oss/lb/10-traefik-service.yml b/envs/oss/lb/10-traefik-service.yml deleted file mode 120000 index 86f22c27..00000000 
--- a/envs/oss/lb/10-traefik-service.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/lb/10-traefik-service.yml \ No newline at end of file diff --git a/envs/oss/moov.io.tf b/envs/oss/moov.io.tf deleted file mode 100644 index 3e655f4b..00000000 --- a/envs/oss/moov.io.tf +++ /dev/null 
@@ -1,130 +0,0 @@ -resource "google_dns_managed_zone" "moov-io" { - name = "moov-io" - dns_name = "moov.io." - description = "moov.io root zone" - - lifecycle { - prevent_destroy = true - } -} - -// pro tip: 'host -a moov.io' lists all records - -// moov.io -resource "google_dns_record_set" "moov-A" { - name = google_dns_managed_zone.moov-io.dns_name - managed_zone = google_dns_managed_zone.moov-io.name - type = "A" - ttl = 60 - - # rrdatas = ["104.198.14.52"] # Netlify - rrdatas = ["75.2.60.5"] # Netlify fix 2021-03-25 outage - -} - -resource "google_dns_record_set" "moov-TXT" { - name = google_dns_managed_zone.moov-io.dns_name - managed_zone = google_dns_managed_zone.moov-io.name - type = "TXT" - ttl = 60 - - rrdatas = [ - "\"v=spf1 include:_spf.google.com ip4:35.225.30.173/32 ~all\"", - "google-site-verification=U9kk8AwHytRgjkIfMp_6WYZP5f4IlMqlYuqF5MmUxPk" - ] -} - -resource "google_dns_record_set" "moov-MX" { - name = google_dns_managed_zone.moov-io.dns_name - managed_zone = google_dns_managed_zone.moov-io.name - type = "MX" - ttl = 60 - - rrdatas = [ - "5 alt2.aspmx.l.google.com.", - "10 alt4.aspmx.l.google.com.", - "5 alt1.aspmx.l.google.com.", - "1 aspmx.l.google.com.", - "10 alt3.aspmx.l.google.com.", - ] -} - -resource "google_dns_record_set" "moov-CAA" { - name = google_dns_managed_zone.moov-io.dns_name - managed_zone = google_dns_managed_zone.moov-io.name - type = "CAA" - ttl = 60 - - rrdatas = [ - // Cloudflare - // https://support.cloudflare.com/hc/en-us/articles/115000310832-Certification-Authority-Authorization-CAA-FAQ - "0 issue \"comodoca.com\"", - "0 issuewild \"comodoca.com\"", - "0 issue \"digicert.com\"", - "0 issuewild \"digicert.com\"", - "0 issue \"globalsign.com\"", - "0 issuewild \"globalsign.com\"", - - // future google ca - "0 issue \"google.com\"", - "0 issuewild \"google.com\"", - - // Let's Encrypt - "0 issue \"letsencrypt.org\"", - "0 issuewild \"letsencrypt.org\"", - - // notify us - "0 iodef \"mailto:security@moov.io\"", - ] -} - 
-data "kubernetes_service" "traefik" { - metadata { - name = "traefik" - namespace = "lb" - } -} - -resource "google_dns_record_set" "infra-oss" { - name = "infra-oss.${google_dns_managed_zone.moov-io.dns_name}" - managed_zone = google_dns_managed_zone.moov-io.name - type = "A" - ttl = 60 - - rrdatas = [data.kubernetes_service.traefik.load_balancer_ingress[0].ip] -} - -resource "google_dns_record_set" "local" { - name = "local.${google_dns_managed_zone.moov-io.dns_name}" - managed_zone = google_dns_managed_zone.moov-io.name - type = "A" - ttl = 60 - - rrdatas = ["127.0.0.1"] -} - -resource "google_dns_record_set" "oss" { - name = "oss.${google_dns_managed_zone.moov-io.dns_name}" - managed_zone = google_dns_managed_zone.moov-io.name - type = "A" - ttl = 60 - - rrdatas = [data.kubernetes_service.traefik.load_balancer_ingress[0].ip] -} - -resource "google_dns_record_set" "slack" { - name = "slack.${google_dns_managed_zone.moov-io.dns_name}" - managed_zone = google_dns_managed_zone.moov-io.name - type = "A" - ttl = 60 - - rrdatas = [data.kubernetes_service.traefik.load_balancer_ingress[0].ip] -} - -resource "google_dns_record_set" "www" { - name = "www.${google_dns_managed_zone.moov-io.dns_name}" - managed_zone = google_dns_managed_zone.moov-io.name - type = "CNAME" - ttl = 60 - rrdatas = ["moov-io.netlify.app."] -} diff --git a/envs/oss/mysql-backup.tf b/envs/oss/mysql-backup.tf deleted file mode 100644 index 7ec3c519..00000000 --- a/envs/oss/mysql-backup.tf +++ /dev/null 
@@ -1,84 +0,0 @@ -resource "google_service_account" "mysql_backup" { - account_id = "mysql-production-backups" - display_name = "mysql production backups" -} - -resource "google_kms_key_ring" "mysql_backup" { - name = "moov-mysql-backup-key" - project = var.gcp_project - location = var.gcp_region - - depends_on = [google_project_service.ach] -} - -resource "google_kms_key_ring_iam_binding" "mysql_backup_key_ring" { - key_ring_id = google_kms_key_ring.mysql_backup.self_link - role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = sort( - flatten( - [ - local.project_service_account_emails, - local.gcp_cluster_admin_emails, - ], - ), - ) -} - -resource "google_kms_crypto_key" "mysql_backup" { - name = "moov-mysql-backup" - key_ring = google_kms_key_ring.mysql_backup.self_link - rotation_period = "100000s" - - lifecycle { - prevent_destroy = true - } -} - -# Attach the key to our IAM users -# Docs: https://cloud.google.com/kms/docs/iam#granting_permissions_to_use_keys -resource "google_kms_crypto_key_iam_binding" "mysql_backup_crypto_key" { - crypto_key_id = google_kms_crypto_key.mysql_backup.self_link - role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = sort( - flatten( - [ - local.project_service_account_emails, - local.gcp_cluster_admin_emails, - ], - ), - ) -} - -resource "google_storage_bucket" "mysql_backups" { - name = "moov-production-mysql-backups" - location = var.gcp_region - - force_destroy = false - project = var.gcp_project - storage_class = "REGIONAL" - - versioning { - enabled = true - } - - encryption { - default_kms_key_name = google_kms_crypto_key.mysql_backup.self_link - } - - lifecycle { - prevent_destroy = true - } -} - -resource "google_storage_bucket_iam_binding" "mysql_backup" { - bucket = google_storage_bucket.tf-state-storage.name - role = "roles/storage.objectAdmin" - members = sort( - flatten( - [ - local.project_service_account_emails, - local.gcp_cluster_admin_emails, - ], - ), - ) -} 
diff --git a/envs/oss/sales/00-namespace.yml b/envs/oss/sales/00-namespace.yml deleted file mode 120000 index 10c450e2..00000000 --- a/envs/oss/sales/00-namespace.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/sales/00-namespace.yml \ No newline at end of file diff --git a/envs/oss/sales/20-stargazers-secrets.yml.gpg b/envs/oss/sales/20-stargazers-secrets.yml.gpg deleted file mode 100644 index 029b219a..00000000 Binary files a/envs/oss/sales/20-stargazers-secrets.yml.gpg and /dev/null differ diff --git a/envs/oss/sales/20-stargazers.yml b/envs/oss/sales/20-stargazers.yml deleted file mode 120000 index 26b7f832..00000000 --- a/envs/oss/sales/20-stargazers.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/sales/20-stargazers.yml \ No newline at end of file diff --git a/envs/oss/sales/30-slackin-extended.yml b/envs/oss/sales/30-slackin-extended.yml deleted file mode 120000 index 72f96a67..00000000 --- a/envs/oss/sales/30-slackin-extended.yml +++ /dev/null @@ -1 +0,0 @@ -../../../lib/sales/30-slackin-extended.yml \ No newline at end of file diff --git a/envs/oss/sales/30-slackin-secrets.yml.gpg b/envs/oss/sales/30-slackin-secrets.yml.gpg deleted file mode 100644 index ccfd9097..00000000 Binary files a/envs/oss/sales/30-slackin-secrets.yml.gpg and /dev/null differ diff --git a/envs/oss/terraform.tf b/envs/oss/terraform.tf deleted file mode 100644 index 740527c5..00000000 --- a/envs/oss/terraform.tf +++ /dev/null 
@@ -1,101 +0,0 @@ -# Create a KMS key -resource "google_kms_key_ring" "moov-terraform-state" { - name = "moov-terraform-state-keys" - project = var.gcp_project - location = var.gcp_region - - depends_on = [google_project_service.ach] -} - -resource "google_kms_key_ring_iam_binding" "key_ring" { - key_ring_id = google_kms_key_ring.moov-terraform-state.self_link - role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = sort( - flatten( - [ - local.project_service_account_emails, - local.gcp_cluster_admin_emails, - ], - ), - ) -} - -resource "google_kms_crypto_key" "moov-terraform-state" { - name = "moov-terraform-state" - key_ring = google_kms_key_ring.moov-terraform-state.self_link - rotation_period = "100000s" - - lifecycle { - prevent_destroy = true - } -} - -# Attach the key to our IAM users -# Docs: https://cloud.google.com/kms/docs/iam#granting_permissions_to_use_keys -resource "google_kms_crypto_key_iam_binding" "crypto_key" { - crypto_key_id = google_kms_crypto_key.moov-terraform-state.self_link - role = "roles/cloudkms.cryptoKeyEncrypterDecrypter" - members = sort( - flatten( - [ - local.project_service_account_emails, - local.gcp_cluster_admin_emails, - ], - ), - ) -} - -# Create our bucket -resource "google_storage_bucket" "tf-state-storage" { - name = "moov-terraform-state" - location = var.gcp_region - - force_destroy = false - project = var.gcp_project - storage_class = "REGIONAL" - - versioning { - enabled = true - } - - encryption { - default_kms_key_name = google_kms_crypto_key.moov-terraform-state.self_link - } - - lifecycle { - prevent_destroy = true - } -} - -# Add bucket to IAM -resource "google_storage_bucket_iam_binding" "tf-state-storage" { - bucket = google_storage_bucket.tf-state-storage.name - role = "roles/storage.objectAdmin" - members = sort( - flatten( - [ - local.project_service_account_emails, - local.gcp_cluster_admin_emails, - ], - ), - ) -} - -# Setup GCS backend -# TODO(adam): module out to break cyclic dep (if we 
re-created from scratch) -terraform { - backend "gcs" { - bucket = "moov-terraform-state" - prefix = "sbx/terraform/state" - credentials = "~/.google/credentials.json" - # encryption_key = "" - } - required_providers { - aws = ">= 2.13" - google = "~> 2.7" - kubernetes = ">= 1.7, < 2.0.0" - random = "> 2.1" - null = "> 2.1" - } - required_version = ">= 0.12" -} diff --git a/envs/oss/terraform.tfvars.gpg b/envs/oss/terraform.tfvars.gpg deleted file mode 100644 index b2576971..00000000 Binary files a/envs/oss/terraform.tfvars.gpg and /dev/null differ diff --git a/images/infra-idx/Dockerfile b/images/infra-idx/Dockerfile deleted file mode 100644 index f31b1045..00000000 --- a/images/infra-idx/Dockerfile +++ /dev/null @@ -1,13 +0,0 @@ -FROM nginx:1.25 -LABEL maintainer="Moov " -USER nginx - -COPY nginx/nginx.conf /opt/nginx/nginx.conf -COPY nginx/default.conf /opt/nginx/conf.d/default.conf -COPY nginx/metrics /opt/nginx/www/metrics - -COPY index.html /opt/nginx/www/index.html - -EXPOSE 8080 -ENTRYPOINT ["nginx"] -CMD ["-c", "/opt/nginx/nginx.conf"] diff --git a/images/infra-idx/index.html b/images/infra-idx/index.html deleted file mode 100644 index fbc1ce61..00000000 --- a/images/infra-idx/index.html +++ /dev/null @@ -1,54 +0,0 @@ - - - - Moov Infra -- Index - - - - -
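Review bot: `envs/oss/terraform.tf` is the only record of where this environment's state lives (`backend "gcs"`, bucket `moov-terraform-state`, prefix `sbx/terraform/state`), and that state object holds the decrypted values of `envs/oss/terraform.tfvars.gpg`, which is deleted in the same change. The `prevent_destroy` guards on `google_kms_crypto_key.moov-terraform-state` and `google_storage_bucket.tf-state-storage` go away with the file, so whether the state bucket, its key and the state object are kept or destroyed has to be decided and done explicitly (`terraform state rm`, then a deliberate deletion if that is the intent) rather than left to whatever the next `apply` does; the commit message should say which. For whoever re-creates this elsewhere: `encryption_key` in the backend block was left commented out, so the secrets in the state file were readable by anyone holding `roles/storage.objectAdmin` on the bucket, which the binding above grants to every member of `local.project_service_account_emails` and `local.gcp_cluster_admin_emails`; and `credentials = "~/.google/credentials.json"` hard-codes a per-user path into shared config where an environment variable belongs. Also, the `prefix` says `sbx/` for a file under `envs/oss/`, which is either a leftover from copying another environment's config or means two environments shared one state prefix; worth confirming before the bucket is touched.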

Moov Infra

- -

Services / Endpoints

- - -

Sales / Marketing

- - -

Application Ping Routes

- - - -

Infra Services

- - - - diff --git a/images/infra-idx/makefile b/images/infra-idx/makefile deleted file mode 100644 index 3cf72a89..00000000 --- a/images/infra-idx/makefile +++ /dev/null @@ -1,15 +0,0 @@ -VERSION := v0.3.1 - -.PHONY: docker release - -docker: - docker build --pull -t moov/infra-idx:$(VERSION) . - docker tag moov/infra-idx:$(VERSION) moov/infra-idx:latest - -.PHONY: run -run: - mkdir -p ./nginx/cache/ ./nginx/run/ - docker run --read-only -p 8080:8080 -v $(shell pwd)/nginx/cache/:/var/cache/nginx -v $(shell pwd)/nginx/run/:/var/run moov/infra-idx:$(VERSION) - -release: - docker push moov/infra-idx:$(VERSION) diff --git a/images/infra-idx/nginx/default.conf b/images/infra-idx/nginx/default.conf deleted file mode 100644 index ec63000d..00000000 --- a/images/infra-idx/nginx/default.conf +++ /dev/null @@ -1,28 +0,0 @@ -server { - listen 8080; - server_tokens off; - - root /opt/nginx/www/; - index index.html; - - location / { - root /opt/nginx/www/; - index index.html; - } - - location ~ \.css { - add_header Content-Type text/css; - root /opt/nginx/www/; - } - - location ~ \.js { - add_header Content-Type application/javascript; - root /opt/nginx/www/; - } - - location = /stub_status { - stub_status; - allow 127.0.0.0/24; - deny all; - } -} diff --git a/images/infra-idx/nginx/metrics b/images/infra-idx/nginx/metrics deleted file mode 100644 index c64faa83..00000000 --- a/images/infra-idx/nginx/metrics +++ /dev/null @@ -1 +0,0 @@ -# empty prometheus metrics response \ No newline at end of file diff --git a/images/infra-idx/nginx/nginx.conf b/images/infra-idx/nginx/nginx.conf deleted file mode 100644 index 0b8a8869..00000000 --- a/images/infra-idx/nginx/nginx.conf +++ /dev/null 
@@ -1,27 +0,0 @@ -daemon off; -worker_processes 1; -# error_log /var/log/nginx/error.log warn; -error_log /dev/stdout warn; - -pid /var/run/nginx.pid; - -events { - worker_connections 1024; -} - -http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - # access_log /var/log/nginx/access.log main; - access_log /dev/stdout main; - sendfile on; - #tcp_nopush on; - keepalive_timeout 65; - gzip on; - include /opt/nginx/conf.d/*.conf; - server_tokens off; -} diff --git a/keyrings/live/.gitattributes b/keyrings/live/.gitattributes deleted file mode 100644 index 96029590..00000000 --- a/keyrings/live/.gitattributes +++ /dev/null @@ -1,2 +0,0 @@ -blackbox-admins.txt text eol=lf -blackbox-files.txt text eol=lf diff --git a/keyrings/live/blackbox-admins.txt b/keyrings/live/blackbox-admins.txt deleted file mode 100644 index e24c03bd..00000000 --- a/keyrings/live/blackbox-admins.txt +++ /dev/null @@ -1,5 +0,0 @@ -700D183B -75771E136D76239CAE25117649E49246DA417066 -A284797C37CC04A14681125995206224ACC92821 -A460A5C1FEA1A605256095A91667330123254DF4 -FD0AA536DCF6973FE782AC13615F265AB4B5AC2B diff --git a/keyrings/live/blackbox-files.txt b/keyrings/live/blackbox-files.txt deleted file mode 100644 index f6df790c..00000000 --- a/keyrings/live/blackbox-files.txt +++ /dev/null @@ -1,11 +0,0 @@ -envs/oss/apps/13-watchman-secrets.yml -envs/oss/apps/database-backups.yml -envs/oss/apps/slack-secrets.yml -envs/oss/ca.crt -envs/oss/client.crt -envs/oss/client.key -envs/oss/infra/11-secrets.yml -envs/oss/infra/22-alertmanager-config.yml -envs/oss/sales/20-stargazers-secrets.yml -envs/oss/sales/30-slackin-secrets.yml -envs/oss/terraform.tfvars 
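Review bot: deleting `keyrings/live/` and the `.gpg` blobs only removes them from the tip of the tree; every path listed in `blackbox-files.txt` (`envs/oss/client.key`, `envs/oss/terraform.tfvars`, the `*-secrets.yml` files, `22-alertmanager-config.yml`) remains in history as ciphertext decryptable by the five keys in `blackbox-admins.txt`. If this is the final retirement of the OSS environment, the PR should state that the MySQL credentials, the `database-backups` credential, the Slack webhook and the `client.key`/`client.crt` pair were revoked rather than merely unmanaged; if the environment lives on elsewhere, rotate them before the old ciphertext is treated as harmless. Minor: `700D183B` in `blackbox-admins.txt` is a 32-bit short key ID where the other four entries are full fingerprints; short IDs are trivially collidable and should not be how an admin key is identified.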
diff --git a/keyrings/live/pubring.gpg b/keyrings/live/pubring.gpg deleted file mode 100644 index aa9ffa3b..00000000 Binary files a/keyrings/live/pubring.gpg and /dev/null differ diff --git a/keyrings/live/trustdb.gpg b/keyrings/live/trustdb.gpg deleted file mode 100644 index e188de89..00000000 Binary files a/keyrings/live/trustdb.gpg and /dev/null differ diff --git a/lib/apps/00-namespace.yml b/lib/apps/00-namespace.yml deleted file mode 100644 index 4af5362a..00000000 --- a/lib/apps/00-namespace.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: apps ---- diff --git a/lib/apps/00-priorities.yml b/lib/apps/00-priorities.yml deleted file mode 100644 index 091d6253..00000000 --- a/lib/apps/00-priorities.yml +++ /dev/null @@ -1,23 +0,0 @@ ---- -apiVersion: -apiVersion: scheduling.k8s.io/v1beta1 -kind: PriorityClass -metadata: - name: high-priority -value: 100 -globalDefault: false ---- -apiVersion: scheduling.k8s.io/v1beta1 -kind: PriorityClass -metadata: - name: normal-priority -value: 10 -globalDefault: true ---- -apiVersion: scheduling.k8s.io/v1beta1 -kind: PriorityClass -metadata: - name: fuzz-low-priority -value: -1000 -globalDefault: false ---- diff --git a/lib/apps/10-achwebui.yml b/lib/apps/10-achwebui.yml deleted file mode 100644 index 3e7733b1..00000000 --- a/lib/apps/10-achwebui.yml +++ /dev/null 
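Review bot: the first document in `lib/apps/00-priorities.yml` has `apiVersion` twice in the same mapping (an empty `apiVersion:` line directly followed by `apiVersion: scheduling.k8s.io/v1beta1`), which the YAML parser behind `kubectl apply` rejects as a duplicate mapping key, so `high-priority` could never have been created from this file as written; `scheduling.k8s.io/v1beta1` for PriorityClass has also not been served since Kubernetes 1.17 (`scheduling.k8s.io/v1` replaces it). Fix both if these classes are recreated anywhere. Worth stating in the commit message: `normal-priority` is `globalDefault: true`, so removing it changes the priority every pod in the cluster gets when it names no class.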
@@ -1,82 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: ach-webui - namespace: apps -spec: - type: ClusterIP - selector: - app: ach-webui - ports: - - name: http - protocol: TCP - port: 8080 - targetPort: 8080 - - name: metrics - protocol: TCP - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: ach-webui - namespace: apps - labels: - app: ach-webui -spec: - replicas: 1 - selector: - matchLabels: - app: ach-webui - template: - metadata: - labels: - app: ach-webui - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - topologyKey: "kubernetes.io/hostname" - weight: 1 - containers: - - image: moov/ach-webui:v1.33.3 - imagePullPolicy: Always - name: ach-webui - args: - - -http.addr=:8080 - - -base-path=/ach - ports: - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 9090 - name: metrics - protocol: TCP - resources: - limits: - cpu: 200m - memory: 400Mi - requests: - cpu: 100m - memory: 200Mi - readinessProbe: - httpGet: - path: /ach/wasm_exec.js - port: 8080 - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 5 - livenessProbe: - httpGet: - path: /ach/wasm_exec.js - port: 8080 - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 5 - restartPolicy: Always ---- diff --git a/lib/apps/12-paygate-mysql.yml b/lib/apps/12-paygate-mysql.yml deleted file mode 100644 index 03071e3a..00000000 --- a/lib/apps/12-paygate-mysql.yml +++ /dev/null 
@@ -1,224 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: paygate-mysql - namespace: apps -spec: - type: ClusterIP - selector: - app: paygate-mysql - ports: - - name: mysql - protocol: TCP - port: 3306 - targetPort: 3306 - - name: metrics - protocol: TCP - port: 9090 - targetPort: 9090 ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: paygate-mysql-data - namespace: apps -spec: - accessModes: - - ReadWriteOnce # mountable only to a single node - resources: - requests: - storage: 10Gi ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: paygate-mysql - namespace: apps - labels: - app: paygate-mysql -spec: - replicas: 1 - selector: - matchLabels: - app: paygate-mysql - template: - metadata: - labels: - app: paygate-mysql - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - topologyKey: "kubernetes.io/hostname" - weight: 1 - volumes: - - name: paygate-mysql-data - persistentVolumeClaim: - claimName: paygate-mysql-data - containers: - - image: mysql:8.0 - name: mysql - args: - - --default-authentication-plugin=mysql_native_password - env: - - name: MYSQL_DATABASE - valueFrom: - secretKeyRef: - name: paygate-mysql-secrets - key: database - - name: MYSQL_USER - valueFrom: - secretKeyRef: - name: paygate-mysql-secrets - key: username - - name: MYSQL_PASSWORD - valueFrom: - secretKeyRef: - name: paygate-mysql-secrets - key: password - - name: MYSQL_RANDOM_ROOT_PASSWORD - value: "yes" - ports: - - containerPort: 3306 - name: mysql - readinessProbe: - tcpSocket: - port: 3306 - initialDelaySeconds: 5 - periodSeconds: 10 - livenessProbe: - tcpSocket: - port: 3306 - initialDelaySeconds: 5 - periodSeconds: 10 - volumeMounts: - - name: paygate-mysql-data - mountPath: /var/lib/mysql - - image: prom/mysqld-exporter:v0.12.1 - name: exporter - env: - - name: DATA_SOURCE_NAME - valueFrom: - secretKeyRef: - name: paygate-mysql-secrets - key: exporter_dsn - args: - - 
--collect.auto_increment.columns - - --collect.binlog_size - - --collect.engine_innodb_status - # - --collect.engine_tokudb_status - - --collect.global_status - # - --collect.global_variables - # - --collect.heartbeat - # - --collect.heartbeat.database="heartbeat" - # - --collect.heartbeat.table="heartbeat" - - --collect.info_schema.clientstats - # - --collect.info_schema.innodb_cmp - # - --collect.info_schema.innodb_cmpmem - # - --collect.info_schema.innodb_metrics - # - --collect.info_schema.innodb_tablespaces - # - --collect.info_schema.processlist - # - --collect.info_schema.processlist.min_time=0 - # - --collect.info_schema.processlist.processes_by_host - # - --collect.info_schema.processlist.processes_by_user - - --collect.info_schema.query_response_time - # - --collect.info_schema.schemastats - - --collect.info_schema.tables - - --collect.info_schema.tables.databases=* - - --collect.info_schema.tablestats - - --collect.info_schema.userstats - # - --collect.mysql.user - # - --collect.mysql.user.privileges - # - --collect.perf_schema.eventsstatements - # - --collect.perf_schema.eventsstatements.digest_text_limit=120 - # - --collect.perf_schema.eventsstatements.limit=250 - # - --collect.perf_schema.eventsstatements.timelimit=86400 - # - --collect.perf_schema.eventsstatementssum - # - --collect.perf_schema.eventswaits - # - --collect.perf_schema.file_events - # - --collect.perf_schema.file_instances - # - --collect.perf_schema.file_instances.filter=".*" - # - --collect.perf_schema.file_instances.remove_prefix="/var/lib/mysql/" - # - --collect.perf_schema.indexiowaits - # - --collect.perf_schema.replication_applier_status_by_worker - # - --collect.perf_schema.replication_group_member_stats - # - --collect.perf_schema.tableiowaits - # - --collect.perf_schema.tablelocks - # - --collect.slave_hosts - # - --collect.slave_status - - --config.my-cnf=/dev/null - - --exporter.lock_wait_timeout=2 - # - --exporter.log_slow_filter - - --log.format=logger:stderr - - 
--log.level=debug - - --timeout-offset=0.25 - - --web.listen-address=:9090 - - --web.telemetry-path=/metrics - ports: - - containerPort: 9090 - name: metrics - restartPolicy: Always ---- -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: paygate-mysql-backup - namespace: apps - labels: - app: paygate-mysql-backup -spec: - schedule: "@daily" - jobTemplate: - spec: - template: - spec: - containers: - - image: ghcr.io/benjamin-maynard/kubernetes-cloud-mysql-backup:v2.5.0 - name: backup - imagePullPolicy: Always - env: - - name: GCP_GCLOUD_AUTH - valueFrom: - secretKeyRef: - name: database-backups - key: gcp_auth_string - - name: BACKUP_PROVIDER - value: "gcp" - - name: GCP_BUCKET_NAME - value: "moov-production-mysql-backups" - - name: GCP_BUCKET_BACKUP_PATH - value: "/apps/paygate" - - name: TARGET_DATABASE_HOST - value: "paygate-mysql.apps.svc.cluster.local" - - name: TARGET_DATABASE_PORT - value: "3306" - - name: TARGET_DATABASE_NAMES - valueFrom: - secretKeyRef: - name: paygate-mysql-secrets - key: database - - name: TARGET_DATABASE_USER - valueFrom: - secretKeyRef: - name: paygate-mysql-secrets - key: username - - name: TARGET_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: paygate-mysql-secrets - key: password - - name: BACKUP_TIMESTAMP - value: "_%Y_%m_%d" - - name: SLACK_ENABLED - value: "true" - - name: SLACK_CHANNEL - value: "#auto-backups" - - name: SLACK_WEBHOOK_URL - valueFrom: - secretKeyRef: - name: slack-secrets - key: webhook_url - restartPolicy: OnFailure ---- diff --git a/lib/apps/13-watchman-example.yml b/lib/apps/13-watchman-example.yml deleted file mode 100644 index 04a4ce26..00000000 --- a/lib/apps/13-watchman-example.yml +++ /dev/null 
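Review bot: removing the `paygate-mysql-backup` CronJob from the manifests does not retire the credential it ran with: `GCP_GCLOUD_AUTH` is a static credential held in the `database-backups` Secret (`gcp_auth_string`), and the `mysql_backup` service account and its Terraform are deleted in the same change with no key-deletion or revocation step; revoke it in GCP as part of this retirement. Two things to carry forward if the job is recreated elsewhere: the backup image is a personal-namespace image (`ghcr.io/benjamin-maynard/kubernetes-cloud-mysql-backup:v2.5.0`) referenced by mutable tag with `imagePullPolicy: Always`, so a retagged upstream image would run with the database password on the next daily execution, and should be pinned by digest; and this job, unlike the watchman one below, sets no `AGE_PUBLIC_KEY`, so paygate dumps landed in `moov-production-mysql-backups` protected only by the bucket's server-side KMS key.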
@@ -1,49 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: watchman-webhook-example - namespace: apps - labels: - app: watchman-webhook-example -spec: - replicas: 1 - selector: - matchLabels: - app: watchman-webhook-example - template: - metadata: - labels: - app: watchman-webhook-example - spec: - containers: - - image: moov/watchman-webhook-example:v0.24.0-m4 - imagePullPolicy: Always - name: watchman-webhook-example - args: - - -http.addr=:8080 - ports: - - containerPort: 8080 - name: http - protocol: TCP - resources: - limits: - cpu: 100m - memory: 50Mi - requests: - cpu: 25m - memory: 10Mi - readinessProbe: - httpGet: - path: /ping - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 10 - livenessProbe: - httpGet: - path: /ping - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 10 - restartPolicy: Always ---- diff --git a/lib/apps/13-watchman-mysql.yml b/lib/apps/13-watchman-mysql.yml deleted file mode 100644 index e631e4c7..00000000 --- a/lib/apps/13-watchman-mysql.yml +++ /dev/null 
@@ -1,232 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: watchman-mysql - namespace: apps -spec: - type: ClusterIP - selector: - app: watchman-mysql - ports: - - name: mysql - protocol: TCP - port: 3306 - targetPort: 3306 - - name: metrics - protocol: TCP - port: 9090 - targetPort: 9090 ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: watchman-mysql-data - namespace: apps -spec: - accessModes: - - ReadWriteOnce # mountable only to a single node - resources: - requests: - storage: 10Gi ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: watchman-mysql - namespace: apps - labels: - app: watchman-mysql -spec: - replicas: 1 - selector: - matchLabels: - app: watchman-mysql - template: - metadata: - labels: - app: watchman-mysql - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - topologyKey: "kubernetes.io/hostname" - weight: 1 - volumes: - - name: watchman-mysql-data - persistentVolumeClaim: - claimName: watchman-mysql-data - containers: - - image: mysql:8.0 - name: mysql - args: - - --default-authentication-plugin=mysql_native_password - env: - - name: MYSQL_DATABASE - valueFrom: - secretKeyRef: - name: watchman-mysql-secrets - key: database - - name: MYSQL_USER - valueFrom: - secretKeyRef: - name: watchman-mysql-secrets - key: username - - name: MYSQL_PASSWORD - valueFrom: - secretKeyRef: - name: watchman-mysql-secrets - key: password - - name: MYSQL_RANDOM_ROOT_PASSWORD - value: "yes" - ports: - - containerPort: 3306 - name: mysql - readinessProbe: - tcpSocket: - port: 3306 - initialDelaySeconds: 5 - periodSeconds: 10 - livenessProbe: - tcpSocket: - port: 3306 - initialDelaySeconds: 5 - periodSeconds: 10 - volumeMounts: - - name: watchman-mysql-data - mountPath: /var/lib/mysql - - image: prom/mysqld-exporter:v0.12.1 - name: exporter - env: - - name: DATA_SOURCE_NAME - valueFrom: - secretKeyRef: - name: watchman-mysql-secrets - key: exporter_dsn - args: - - 
--collect.auto_increment.columns - - --collect.binlog_size - - --collect.engine_innodb_status - # - --collect.engine_tokudb_status - - --collect.global_status - # - --collect.global_variables - # - --collect.heartbeat - # - --collect.heartbeat.database="heartbeat" - # - --collect.heartbeat.table="heartbeat" - - --collect.info_schema.clientstats - # - --collect.info_schema.innodb_cmp - # - --collect.info_schema.innodb_cmpmem - # - --collect.info_schema.innodb_metrics - # - --collect.info_schema.innodb_tablespaces - # - --collect.info_schema.processlist - # - --collect.info_schema.processlist.min_time=0 - # - --collect.info_schema.processlist.processes_by_host - # - --collect.info_schema.processlist.processes_by_user - - --collect.info_schema.query_response_time - # - --collect.info_schema.schemastats - - --collect.info_schema.tables - - --collect.info_schema.tables.databases=* - - --collect.info_schema.tablestats - - --collect.info_schema.userstats - # - --collect.mysql.user - # - --collect.mysql.user.privileges - # - --collect.perf_schema.eventsstatements - # - --collect.perf_schema.eventsstatements.digest_text_limit=120 - # - --collect.perf_schema.eventsstatements.limit=250 - # - --collect.perf_schema.eventsstatements.timelimit=86400 - # - --collect.perf_schema.eventsstatementssum - # - --collect.perf_schema.eventswaits - # - --collect.perf_schema.file_events - # - --collect.perf_schema.file_instances - # - --collect.perf_schema.file_instances.filter=".*" - # - --collect.perf_schema.file_instances.remove_prefix="/var/lib/mysql/" - # - --collect.perf_schema.indexiowaits - # - --collect.perf_schema.replication_applier_status_by_worker - # - --collect.perf_schema.replication_group_member_stats - # - --collect.perf_schema.tableiowaits - # - --collect.perf_schema.tablelocks - # - --collect.slave_hosts - # - --collect.slave_status - - --config.my-cnf=/dev/null - - --exporter.lock_wait_timeout=2 - # - --exporter.log_slow_filter - - --log.format=logger:stderr - - 
--log.level=debug - - --timeout-offset=0.25 - - --web.listen-address=:9090 - - --web.telemetry-path=/metrics - ports: - - containerPort: 9090 - name: metrics - restartPolicy: Always ---- -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: watchman-mysql-backup - namespace: apps - labels: - app: watchman-mysql-backup -spec: - suspend: true - schedule: "@daily" - jobTemplate: - spec: - template: - spec: - containers: - - image: ghcr.io/benjamin-maynard/kubernetes-cloud-mysql-backup:v2.5.0 - imagePullPolicy: Always - name: backup - env: - - name: AGE_PUBLIC_KEY - valueFrom: - secretKeyRef: - name: watchman-mysql-secrets - key: public_key - - name: GCP_GCLOUD_AUTH - valueFrom: - secretKeyRef: - name: database-backups - key: gcp_auth_string - - name: BACKUP_PROVIDER - value: "gcp" - - name: GCP_BUCKET_NAME - value: "moov-production-mysql-backups" - - name: GCP_BUCKET_BACKUP_PATH - value: "/oss/watchman" - - name: TARGET_DATABASE_HOST - value: "watchman-mysql.apps.svc.cluster.local" - - name: TARGET_DATABASE_PORT - value: "3306" - - name: TARGET_DATABASE_NAMES - valueFrom: - secretKeyRef: - name: watchman-mysql-secrets - key: database - - name: TARGET_DATABASE_USER - valueFrom: - secretKeyRef: - name: watchman-mysql-secrets - key: username - - name: TARGET_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: watchman-mysql-secrets - key: password - - name: BACKUP_TIMESTAMP - value: "_%Y_%m_%d" - - name: SLACK_ENABLED - value: "true" - - name: SLACK_USERNAME - value: "oss-watchman-mysql-backup" - - name: SLACK_CHANNEL - value: "#auto-backups" - - name: SLACK_WEBHOOK_URL - valueFrom: - secretKeyRef: - name: slack-secrets - key: webhook_url - restartPolicy: OnFailure ---- diff --git a/lib/apps/13-watchman.yml b/lib/apps/13-watchman.yml deleted file mode 100644 index 63629030..00000000 --- a/lib/apps/13-watchman.yml +++ /dev/null 
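Review bot: `watchman-mysql-backup` is the only one of the three MySQL backup CronJobs that encrypts client-side (`AGE_PUBLIC_KEY` from `watchman-mysql-secrets`/`public_key`), and it is also the only one with `spec.suspend: true`, so the one backup job that was set up correctly never ran while the two plaintext-to-bucket jobs did; if any of these is recreated, copy the age configuration from this job and leave `suspend` off. Same digest-pinning point as for the paygate job applies to the `ghcr.io/benjamin-maynard/...:v2.5.0` reference here.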
@@ -1,106 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: watchman - namespace: apps -spec: - type: ClusterIP - selector: - app: watchman - ports: - - name: http - protocol: TCP - port: 8080 - targetPort: 8080 - - name: metrics - protocol: TCP - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: watchman - namespace: apps - labels: - app: watchman -spec: - replicas: 2 - selector: - matchLabels: - app: watchman - template: - metadata: - labels: - app: watchman - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - topologyKey: "kubernetes.io/hostname" - weight: 1 - containers: - - image: moov/watchman:v0.24.2 - imagePullPolicy: Always - name: watchman - args: - - -workers=2048 - - -http.addr=:8080 - - -admin.addr=:9090 - env: - - name: LOG_FORMAT - value: plain - - name: DATABASE_TYPE - value: mysql - - name: MYSQL_ADDRESS - value: 'tcp(watchman-mysql.apps.svc.cluster.local:3306)' - - name: MYSQL_DATABASE - valueFrom: - secretKeyRef: - name: watchman-mysql-secrets - key: database - - name: MYSQL_USER - valueFrom: - secretKeyRef: - name: watchman-mysql-secrets - key: username - - name: MYSQL_PASSWORD - valueFrom: - secretKeyRef: - name: watchman-mysql-secrets - key: password - ports: - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 9090 - name: metrics - protocol: TCP - resources: - limits: - cpu: 200m - memory: 400Mi - requests: - cpu: 100m - memory: 200Mi - readinessProbe: - httpGet: - path: /ping - port: 8080 - initialDelaySeconds: 60 - periodSeconds: 30 - timeoutSeconds: 10 - failureThreshold: 10 - livenessProbe: - httpGet: - path: /ping - port: 8080 - initialDelaySeconds: 60 - periodSeconds: 30 - timeoutSeconds: 10 - failureThreshold: 10 - restartPolicy: Always - terminationGracePeriodSeconds: 60 ---- diff --git a/lib/apps/13-watchmantest.yml b/lib/apps/13-watchmantest.yml deleted file mode 100644 index e8ad4b3b..00000000 
--- a/lib/apps/13-watchmantest.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: watchmantest - namespace: apps -spec: - suspend: false - concurrencyPolicy: Forbid - schedule: "*/2 * * * *" - jobTemplate: - spec: - template: - spec: - containers: - - name: watchmantest - image: moov/watchmantest:v0.24.0-m4 - args: - # Stay internal to avoid auth requirement - # There isn't a great way to create an OAuth token for this test binary right now. - - -address=http://watchman.apps.svc.cluster.local:8080 - env: - - name: OAUTH_TOKEN - value: moov # dummy value since we're hitting an internal k8s address without auth - restartPolicy: OnFailure ---- diff --git a/lib/apps/16-customers-mysql.yml b/lib/apps/16-customers-mysql.yml deleted file mode 100644 index 2985a659..00000000 --- a/lib/apps/16-customers-mysql.yml +++ /dev/null 
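Review bot: the comments in `13-watchmantest.yml` ("Stay internal to avoid auth requirement", `OAUTH_TOKEN: moov # dummy value since we're hitting an internal k8s address without auth`) record that `watchman.apps.svc.cluster.local:8080` answered requests with no authentication from anywhere in the cluster, and none of the `lib/apps` manifests in this diff carry a NetworkPolicy for the `apps` namespace. Retiring it is fine, but if watchman is redeployed the same way elsewhere, treat the in-cluster exposure as a known gap rather than a test convenience: restrict the `watchman` Service to its callers with a NetworkPolicy or put authentication on the service itself. Smaller: `moov/watchmantest:v0.24.0-m4` ran every two minutes against `moov/watchman:v0.24.2`, so the probe and the service drifted apart; pin them together.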
@@ -1,224 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: customers-mysql - namespace: apps -spec: - type: ClusterIP - selector: - app: customers-mysql - ports: - - name: mysql - protocol: TCP - port: 3306 - targetPort: 3306 - - name: metrics - protocol: TCP - port: 9090 - targetPort: 9090 ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: customers-mysql-data - namespace: apps -spec: - accessModes: - - ReadWriteOnce # mountable only to a single node - resources: - requests: - storage: 10Gi ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: customers-mysql - namespace: apps - labels: - app: customers-mysql -spec: - replicas: 1 - selector: - matchLabels: - app: customers-mysql - template: - metadata: - labels: - app: customers-mysql - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - topologyKey: "kubernetes.io/hostname" - weight: 1 - volumes: - - name: customers-mysql-data - persistentVolumeClaim: - claimName: customers-mysql-data - containers: - - image: mysql:8.0 - name: mysql - args: - - --default-authentication-plugin=mysql_native_password - env: - - name: MYSQL_DATABASE - valueFrom: - secretKeyRef: - name: customers-mysql-secrets - key: database - - name: MYSQL_USER - valueFrom: - secretKeyRef: - name: customers-mysql-secrets - key: username - - name: MYSQL_PASSWORD - valueFrom: - secretKeyRef: - name: customers-mysql-secrets - key: password - - name: MYSQL_RANDOM_ROOT_PASSWORD - value: "yes" - ports: - - containerPort: 3306 - name: mysql - readinessProbe: - tcpSocket: - port: 3306 - initialDelaySeconds: 5 - periodSeconds: 10 - livenessProbe: - tcpSocket: - port: 3306 - initialDelaySeconds: 5 - periodSeconds: 10 - volumeMounts: - - name: customers-mysql-data - mountPath: /var/lib/mysql - - image: prom/mysqld-exporter:v0.12.1 - name: exporter - env: - - name: DATA_SOURCE_NAME - valueFrom: - secretKeyRef: - name: customers-mysql-secrets - key: exporter_dsn - 
args: - - --collect.auto_increment.columns - - --collect.binlog_size - - --collect.engine_innodb_status - # - --collect.engine_tokudb_status - - --collect.global_status - # - --collect.global_variables - # - --collect.heartbeat - # - --collect.heartbeat.database="heartbeat" - # - --collect.heartbeat.table="heartbeat" - - --collect.info_schema.clientstats - # - --collect.info_schema.innodb_cmp - # - --collect.info_schema.innodb_cmpmem - # - --collect.info_schema.innodb_metrics - # - --collect.info_schema.innodb_tablespaces - # - --collect.info_schema.processlist - # - --collect.info_schema.processlist.min_time=0 - # - --collect.info_schema.processlist.processes_by_host - # - --collect.info_schema.processlist.processes_by_user - - --collect.info_schema.query_response_time - # - --collect.info_schema.schemastats - - --collect.info_schema.tables - - --collect.info_schema.tables.databases=* - - --collect.info_schema.tablestats - - --collect.info_schema.userstats - # - --collect.mysql.user - # - --collect.mysql.user.privileges - # - --collect.perf_schema.eventsstatements - # - --collect.perf_schema.eventsstatements.digest_text_limit=120 - # - --collect.perf_schema.eventsstatements.limit=250 - # - --collect.perf_schema.eventsstatements.timelimit=86400 - # - --collect.perf_schema.eventsstatementssum - # - --collect.perf_schema.eventswaits - # - --collect.perf_schema.file_events - # - --collect.perf_schema.file_instances - # - --collect.perf_schema.file_instances.filter=".*" - # - --collect.perf_schema.file_instances.remove_prefix="/var/lib/mysql/" - # - --collect.perf_schema.indexiowaits - # - --collect.perf_schema.replication_applier_status_by_worker - # - --collect.perf_schema.replication_group_member_stats - # - --collect.perf_schema.tableiowaits - # - --collect.perf_schema.tablelocks - # - --collect.slave_hosts - # - --collect.slave_status - - --config.my-cnf=/dev/null - - --exporter.lock_wait_timeout=2 - # - --exporter.log_slow_filter - - --log.format=logger:stderr - 
- --log.level=debug - - --timeout-offset=0.25 - - --web.listen-address=:9090 - - --web.telemetry-path=/metrics - ports: - - containerPort: 9090 - name: metrics - restartPolicy: Always - ---- -apiVersion: batch/v1beta1 -kind: CronJob -metadata: - name: customers-mysql-backup - namespace: apps - labels: - app: customers-mysql-backup -spec: - schedule: "@daily" - jobTemplate: - spec: - template: - spec: - containers: - - image: ghcr.io/benjamin-maynard/kubernetes-cloud-mysql-backup:v2.5.0 - name: backup - env: - - name: GCP_GCLOUD_AUTH - valueFrom: - secretKeyRef: - name: database-backups - key: gcp_auth_string - - name: BACKUP_PROVIDER - value: "gcp" - - name: GCP_BUCKET_NAME - value: "moov-production-mysql-backups" - - name: GCP_BUCKET_BACKUP_PATH - value: "/apps/customers" - - name: TARGET_DATABASE_HOST - value: "customers-mysql.apps.svc.cluster.local" - - name: TARGET_DATABASE_PORT - value: "3306" - - name: TARGET_DATABASE_NAMES - valueFrom: - secretKeyRef: - name: customers-mysql-secrets - key: database - - name: TARGET_DATABASE_USER - valueFrom: - secretKeyRef: - name: customers-mysql-secrets - key: username - - name: TARGET_DATABASE_PASSWORD - valueFrom: - secretKeyRef: - name: customers-mysql-secrets - key: password - - name: BACKUP_TIMESTAMP - value: "_%Y_%m_%d" - - name: SLACK_ENABLED - value: "true" - - name: SLACK_CHANNEL - value: "#auto-backups" - - name: SLACK_WEBHOOK_URL - valueFrom: - secretKeyRef: - name: slack-secrets - key: webhook_url - restartPolicy: OnFailure ---- diff --git a/lib/apps/17-imagecashletterfuzz.yml b/lib/apps/17-imagecashletterfuzz.yml deleted file mode 100644 index 7cd6990d..00000000 --- a/lib/apps/17-imagecashletterfuzz.yml +++ /dev/null 
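Review bot: all three MySQL Deployments (this one, `12-paygate-mysql.yml`, `13-watchman-mysql.yml`) set `MYSQL_RANDOM_ROOT_PASSWORD: "yes"`, which makes the `mysql:8.0` image print the generated root password to stdout on first initialisation, so it sits in the pod log for anyone with `pods/log` on the `apps` namespace; take `MYSQL_ROOT_PASSWORD` from the same Secret instead. `--default-authentication-plugin=mysql_native_password` also downgrades MySQL 8's default `caching_sha2_password` to the SHA-1 based scheme for every account, presumably for the `v0.12.1` exporter; check whether that is still needed before reusing these manifests. Two smaller points for reuse: `batch/v1beta1` CronJob is not served from Kubernetes 1.25 on (`batch/v1`), and the `backup` container here omits the `imagePullPolicy: Always` the paygate job has, which with a mutable tag means different nodes can run different image bytes; pin by digest and the policy stops mattering.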
@@ -1,69 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: imagecashletterfuzz-data - namespace: apps -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: imagecashletterfuzz - namespace: apps - labels: - app: imagecashletterfuzz -spec: - replicas: 0 - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - selector: - matchLabels: - app: imagecashletterfuzz - template: - metadata: - labels: - app: imagecashletterfuzz - spec: - volumes: - - name: imagecashletterfuzz-data - persistentVolumeClaim: - claimName: imagecashletterfuzz-data - priorityClassName: fuzz-low-priority - initContainers: - - name: volume-permissions - image: busybox - command: ['sh', '-c', 'chmod -R g+rwX /go/src/github.com/moov-io/imagecashletter/test/fuzz-reader/crashers/'] - volumeMounts: - - mountPath: /go/src/github.com/moov-io/imagecashletter/test/fuzz-reader/crashers/ - name: imagecashletterfuzz-data - containers: - - image: moov/imagecashletterfuzz:v0.9.2 - imagePullPolicy: Always - name: imagecashletterfuzz - volumeMounts: - - name: imagecashletterfuzz-data - mountPath: /go/src/github.com/moov-io/imagecashletter/test/fuzz-reader/crashers/ - resources: - limits: - cpu: 400m - memory: 300Mi - requests: - cpu: 200m - memory: 50Mi - securityContext: - allowPrivilegeEscalation: false - # readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - restartPolicy: Always - ---- diff --git a/lib/apps/17-imagecashletterwebui.yml b/lib/apps/17-imagecashletterwebui.yml deleted file mode 100644 index ca900ade..00000000 --- a/lib/apps/17-imagecashletterwebui.yml +++ /dev/null 
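Review bot: the `volume-permissions` initContainer in `17-imagecashletterfuzz.yml` (and its twin in `18-wirefuzz.yml`) runs an untagged `busybox` (so `latest`, pulled as root) to `chmod -R g+rwX` the PVC so the fuzzer, running as `runAsUser: 1000` with `allowPrivilegeEscalation: false`, can write crashers. Group-write only helps if the fuzzer's gid matches the directory's group, and nothing in the pod sets `fsGroup` or `runAsGroup`, so this works only by the accident of the image's default gid. A pod-level `securityContext.fsGroup` gives the volume the right group ownership without a root container or a floating image tag, and would let the commented-out `readOnlyRootFilesystem: true` be revisited. Both fuzz Deployments were already at `replicas: 0`, so this deletion changes nothing at runtime.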
@@ -1,86 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: imagecashletter-webui - namespace: apps -spec: - type: ClusterIP - selector: - app: imagecashletter-webui - ports: - - name: http - protocol: TCP - port: 8080 - targetPort: 8080 - - name: metrics - protocol: TCP - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: imagecashletter-webui - namespace: apps - labels: - app: imagecashletter-webui -spec: - replicas: 1 - selector: - matchLabels: - app: imagecashletter-webui - template: - metadata: - labels: - app: imagecashletter-webui - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - topologyKey: "kubernetes.io/hostname" - weight: 1 - containers: - - image: moov/imagecashletter-webui:v0.9.2 - imagePullPolicy: Always - name: imagecashletter-webui - args: - - -http.addr=:8080 - - -admin.addr=:9090 - - -base-path=/x9 - env: - - name: READER_BUFFER_SIZE - value: "15728640" # 15MB to support image data - ports: - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 9090 - name: metrics - protocol: TCP - resources: - limits: - cpu: 200m - memory: 400Mi - requests: - cpu: 100m - memory: 200Mi - readinessProbe: - httpGet: - path: /x9/wasm_exec.js - port: 8080 - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 5 - livenessProbe: - httpGet: - path: /x9/wasm_exec.js - port: 8080 - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 5 - restartPolicy: Always ---- diff --git a/lib/apps/18-wirefuzz.yml b/lib/apps/18-wirefuzz.yml deleted file mode 100644 index 543b3544..00000000 --- a/lib/apps/18-wirefuzz.yml +++ /dev/null 
@@ -1,70 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: wirefuzz-data - namespace: apps -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - ---- - -apiVersion: apps/v1 -kind: Deployment -metadata: - name: wirefuzz - namespace: apps - labels: - app: wirefuzz -spec: - replicas: 0 - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - selector: - matchLabels: - app: wirefuzz - template: - metadata: - labels: - app: wirefuzz - spec: - volumes: - - name: wirefuzz-data - persistentVolumeClaim: - claimName: wirefuzz-data - priorityClassName: fuzz-low-priority - initContainers: - - name: volume-permissions - image: busybox - command: ['sh', '-c', 'chmod -R g+rwX /go/src/github.com/moov-io/wire/test/fuzz-reader/crashers/'] - volumeMounts: - - mountPath: /go/src/github.com/moov-io/wire/test/fuzz-reader/crashers/ - name: wirefuzz-data - containers: - - image: moov/wirefuzz:v0.13.3 - imagePullPolicy: Always - name: wirefuzz - volumeMounts: - - name: wirefuzz-data - mountPath: /go/src/github.com/moov-io/wire/test/fuzz-reader/crashers/ - resources: - limits: - cpu: 400m - memory: 300Mi - requests: - cpu: 200m - memory: 50Mi - securityContext: - allowPrivilegeEscalation: false - # readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - restartPolicy: Always - ---- diff --git a/lib/apps/18-wirewebui.yml b/lib/apps/18-wirewebui.yml deleted file mode 100644 index 35f0f2a2..00000000 --- a/lib/apps/18-wirewebui.yml +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: wire-webui - namespace: apps -spec: - type: ClusterIP - selector: - app: wire-webui - ports: - - name: http - protocol: TCP - port: 8080 - targetPort: 8080 - - name: metrics - protocol: TCP - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: wire-webui - namespace: apps - labels: - app: wire-webui -spec: - replicas: 1 - selector: - matchLabels: - app: wire-webui - template: - metadata: - labels: - app: wire-webui - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - topologyKey: "kubernetes.io/hostname" - weight: 1 - containers: - - image: moov/wire-webui:v0.13.3 - imagePullPolicy: Always - name: wire-webui - args: - - -http.addr=:8080 - - -admin.addr=:9090 - - -base-path=/wire - ports: - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 9090 - name: metrics - protocol: TCP - resources: - limits: - cpu: 200m - memory: 400Mi - requests: - cpu: 100m - memory: 200Mi - readinessProbe: - httpGet: - path: /wire/wasm_exec.js - port: 8080 - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 5 - livenessProbe: - httpGet: - path: /wire/wasm_exec.js - port: 8080 - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 5 - restartPolicy: Always ---- diff --git a/lib/apps/19-metro2fuzz.yml b/lib/apps/19-metro2fuzz.yml deleted file mode 100644 index c0a09754..00000000 --- a/lib/apps/19-metro2fuzz.yml +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: metro2fuzz-data - namespace: apps -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: metro2fuzz - namespace: apps - labels: - app: metro2fuzz -spec: - replicas: 0 - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - selector: - matchLabels: - app: metro2fuzz - template: - metadata: - labels: - app: metro2fuzz - spec: - volumes: - - name: metro2fuzz-data - persistentVolumeClaim: - claimName: metro2fuzz-data - priorityClassName: fuzz-low-priority - initContainers: - - name: volume-permissions - image: busybox - command: ['sh', '-c', 'chmod -R g+rwX /go/src/github.com/moov-io/metro2/test/fuzz-reader/crashers/'] - volumeMounts: - - mountPath: /go/src/github.com/moov-io/metro2/test/fuzz-reader/crashers/ - name: metro2fuzz-data - containers: - - image: moov/metro2fuzz:v0.3.3 - imagePullPolicy: Always - name: metro2fuzz - volumeMounts: - - name: metro2fuzz-data - mountPath: /go/src/github.com/moov-io/metro2/test/fuzz-reader/crashers/ - resources: - limits: - cpu: 400m - memory: 300Mi - requests: - cpu: 200m - memory: 50Mi - securityContext: - allowPrivilegeEscalation: false - # readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - restartPolicy: Always ---- diff --git a/lib/apps/20-iso8583fuzz.yml b/lib/apps/20-iso8583fuzz.yml deleted file mode 100644 index 8d9ca506..00000000 --- a/lib/apps/20-iso8583fuzz.yml +++ /dev/null 
@@ -1,69 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: iso8583fuzz-data - namespace: apps -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1Gi - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: iso8583fuzz - namespace: apps - labels: - app: iso8583fuzz -spec: - replicas: 0 - strategy: - type: RollingUpdate - rollingUpdate: - maxUnavailable: 1 - selector: - matchLabels: - app: iso8583fuzz - template: - metadata: - labels: - app: iso8583fuzz - spec: - volumes: - - name: iso8583fuzz-data - persistentVolumeClaim: - claimName: iso8583fuzz-data - priorityClassName: fuzz-low-priority - initContainers: - - name: volume-permissions - image: busybox - command: ['sh', '-c', 'chmod -R g+rwX /go/src/github.com/moov-io/iso8583/test/fuzz-reader/crashers/'] - volumeMounts: - - mountPath: /go/src/github.com/moov-io/iso8583/test/fuzz-reader/crashers/ - name: iso8583fuzz-data - containers: - - image: moov/iso8583fuzz:v0.6.0 - imagePullPolicy: Always - name: iso8583fuzz - volumeMounts: - - name: iso8583fuzz-data - mountPath: /go/src/github.com/moov-io/iso8583/test/fuzz-reader/crashers/ - resources: - limits: - cpu: 400m - memory: 300Mi - requests: - cpu: 200m - memory: 50Mi - securityContext: - allowPrivilegeEscalation: false - # readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - restartPolicy: Always - ---- diff --git a/lib/apps/21-fincen-webui.yml b/lib/apps/21-fincen-webui.yml deleted file mode 100644 index 0df7ebf1..00000000 --- a/lib/apps/21-fincen-webui.yml +++ /dev/null 
@@ -1,83 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: fincen-webui - namespace: apps -spec: - type: ClusterIP - selector: - app: fincen-webui - ports: - - name: http - protocol: TCP - port: 8080 - targetPort: 8080 - - name: metrics - protocol: TCP - port: 9090 - targetPort: 9090 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: fincen-webui - namespace: apps - labels: - app: fincen-webui -spec: - replicas: 1 - selector: - matchLabels: - app: fincen-webui - template: - metadata: - labels: - app: fincen-webui - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - topologyKey: "kubernetes.io/hostname" - weight: 1 - containers: - - image: moov/fincen-webui:v0.3.5 - imagePullPolicy: Always - name: fincen-webui - args: - - -http.addr=:8080 - - -admin.addr=:9090 - - -base-path=/fincen - ports: - - containerPort: 8080 - name: http - protocol: TCP - - containerPort: 9090 - name: metrics - protocol: TCP - resources: - limits: - cpu: 200m - memory: 400Mi - requests: - cpu: 100m - memory: 200Mi - readinessProbe: - httpGet: - path: /fincen/wasm_exec.js - port: 8080 - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 5 - livenessProbe: - httpGet: - path: /fincen/wasm_exec.js - port: 8080 - initialDelaySeconds: 10 - periodSeconds: 20 - timeoutSeconds: 5 - failureThreshold: 5 - restartPolicy: Always ---- diff --git a/lib/blackbox b/lib/blackbox deleted file mode 160000 index dc9fa326..00000000 --- a/lib/blackbox +++ /dev/null @@ -1 +0,0 @@ -Subproject commit dc9fa326f468953d735d692dd42de74a16ee9163 diff --git a/lib/lb/00-namespace.yaml b/lib/lb/00-namespace.yaml deleted file mode 100644 index 88a78ea6..00000000 --- a/lib/lb/00-namespace.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: lb ---- diff --git a/lib/lb/10-traefik-alpha.yml b/lib/lb/10-traefik-alpha.yml deleted file mode 100644 index 6d7a9da5..00000000 
--- a/lib/lb/10-traefik-alpha.yml +++ /dev/null @@ -1,73 +0,0 @@ ---- -# Docs: https://cloud.google.com/kubernetes-engine/docs/concepts/persistent-volumes -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: traefik-acme-alpha - namespace: lb -spec: - accessModes: - - ReadWriteOnce # read-write to a single node - resources: - requests: - storage: 1Gi ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: traefik-alpha - namespace: lb - labels: - app: traefik -spec: - replicas: 1 - selector: - matchLabels: - app: traefik - template: - metadata: - labels: - app: traefik - spec: - affinity: - podAntiAffinity: - # Don't put this deployment on node where a pod already has 'app: traefik' - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - traefik - topologyKey: "kubernetes.io/hostname" - serviceAccountName: traefik - containers: - - image: traefik:v2.4 - imagePullPolicy: Always - name: traefik - args: - - --configfile=/etc/traefik/traefik.yaml - volumeMounts: - - name: traefik-config - mountPath: /etc/traefik/ - - name: traefik-acme-alpha - mountPath: /opt/traefik/ - ports: - - containerPort: 80 - name: proxy - protocol: TCP - - containerPort: 8081 - name: dashboard - protocol: TCP - volumes: - - name: traefik-config - configMap: - name: traefik-config - items: - - key: traefik.yaml - path: traefik.yaml - - name: traefik-acme-alpha - persistentVolumeClaim: - claimName: traefik-acme-alpha - restartPolicy: Always ---- diff --git a/lib/lb/10-traefik-beta.yml b/lib/lb/10-traefik-beta.yml deleted file mode 100644 index f6920159..00000000 --- a/lib/lb/10-traefik-beta.yml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -# Docs: https://cloud.google.com/kubernetes-engine/docs/concepts/persistent-volumes -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: traefik-acme-beta - namespace: lb -spec: - accessModes: - - ReadWriteOnce # read-write to a single node - resources: - requests: - storage: 1Gi ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: traefik-beta - namespace: lb - labels: - app: traefik -spec: - replicas: 1 - selector: - matchLabels: - app: traefik - template: - metadata: - labels: - app: traefik - spec: - affinity: - podAntiAffinity: - # Don't put this deployment on node where a pod already has 'app: traefik' - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - traefik - topologyKey: "kubernetes.io/hostname" - serviceAccountName: traefik - containers: - - image: traefik:v2.4 - imagePullPolicy: Always - name: traefik - args: - - --configfile=/etc/traefik/traefik.yaml - volumeMounts: - - name: traefik-config - mountPath: /etc/traefik/ - - name: traefik-acme-beta - mountPath: /opt/traefik/ - ports: - - containerPort: 80 - name: proxy - protocol: TCP - - containerPort: 8081 - name: dashboard - protocol: TCP - volumes: - - name: traefik-config - configMap: - name: traefik-config - items: - - key: traefik.yaml - path: traefik.yaml - - name: traefik-acme-beta - persistentVolumeClaim: - claimName: traefik-acme-beta - restartPolicy: Always ---- diff --git a/lib/lb/10-traefik-config.yml b/lib/lb/10-traefik-config.yml deleted file mode 100644 index adbf5df6..00000000 --- a/lib/lb/10-traefik-config.yml +++ /dev/null 
@@ -1,370 +0,0 @@ -# TODO(adam): notes from docs -# - store certs in kv? (Why not k8s Secret?) -# - https://docs.traefik.io/configuration/acme/#as-a-key-value-store-entry -# - https://docs.traefik.io/configuration/commons/#custom-error-pages -apiVersion: v1 -kind: ConfigMap -metadata: - name: traefik-config - namespace: lb -data: - traefik.yaml: | - global: - checkNewVersion: true - sendAnonymousUsage: true - entryPoints: - http: - address: ":80" - https: - address: ":443" - forwardedHeaders: - trustedIPs: - - "10.0.0.0/8" - traefik: - address: ":8081" - tls: - options: - default: - minVersion: VersionTLS12 - sniStrict: false - preferServerCipherSuites: true - providers: - providersThrottleDuration: 2s - file: - filename: "/etc/traefik/traefik.yaml" - watch: true - # kubernetesIngress: - # namespaces: [apps, infra, lb] - http: - services: - slackin: - loadBalancer: - servers: - - url: 'http://slackin.sales.svc.cluster.local:3000/' - healthCheck: - path: "/" - interval: "30s" - timeout: "5s" - scheme: http - ossmoovio: - loadBalancer: - servers: - - url: "https://example.com" - watchman: - loadBalancer: - servers: - - url: 'http://watchman.apps.svc.cluster.local:8080/' - healthCheck: - path: "/ping" - interval: "30s" - timeout: "5s" - scheme: http - achwebui: - loadBalancer: - servers: - - url: 'http://ach-webui.apps.svc.cluster.local:8080/' - healthCheck: - path: "/ach/wasm_exec.js" - interval: "30s" - timeout: "5s" - scheme: http - fincenwebui: - loadBalancer: - servers: - - url: 'http://fincen-webui.apps.svc.cluster.local:8080/' - healthCheck: - path: "/fincen/wasm_exec.js" - interval: "30s" - timeout: "5s" - scheme: http - imagecashletterwebui: - loadBalancer: - servers: - - url: 'http://imagecashletter-webui.apps.svc.cluster.local:8080/' - healthCheck: - path: "/x9/wasm_exec.js" - interval: "30s" - timeout: "5s" - scheme: http - wirewebui: - loadBalancer: - servers: - - url: 'http://wire-webui.apps.svc.cluster.local:8080/' - healthCheck: - path: 
"/wire/wasm_exec.js" - interval: "30s" - timeout: "5s" - scheme: http - oauth2-proxy: - loadBalancer: - servers: - - url: 'http://oauth2-proxy.infra.svc.cluster.local:4180/' - - middlewares: - cors: - headers: - accessControlAllowCredentials: true - accessControlAllowMethods: [GET, OPTIONS, PUT, POST, DELETE] - accessControlAllowOrigin: "*" - accessControlMaxAge: 600 - remote-addr: - headers: - hostsProxyHeaders: - - X-Forwarded-For - infra-moov-io-http: - redirectScheme: - scheme: https - permanent: true - slack-moovio-http: - redirectScheme: - scheme: https - permanent: true - oss-moovio-http: - redirectScheme: - scheme: https - permanent: true - moov-io-http: - redirectScheme: - scheme: https - permanent: true - moovio-github: - redirectRegex: - regex: "^(.*)$" - replacement: "https://github.com/moov-io" - oss-moovio-watchman: - stripPrefix: - prefixes: - - "/watchman" - watchman: - stripPrefix: - prefixes: - - "/v1/watchman" - oss-moovio-ach-redirect: - redirectRegex: - regex: "/ach$" - replacement: "/ach/" - oss-moovio-fincenwebui-redirect: - redirectRegex: - regex: "/fincen$" - replacement: "/fincen/" - oss-moovio-imagecashletterwebui-redirect: - redirectRegex: - regex: "/x9$" - replacement: "/x9/" - oss-moovio-wirewebui-redirect: - redirectRegex: - regex: "/wire$" - replacement: "/wire/" - routers: - "slack-moovio": - entryPoints: [https] - service: slackin - rule: "Host(`slack.moov.io`)" - tls: - certResolver: default - domains: - - main: "slack.moov.io" - "slack-moovio-http": - entryPoints: [http] - service: slackin - rule: "Host(`slack.moov.io`)" - middlewares: - - slack-moovio-http - "oss-moovio-http": - entryPoints: [http] - service: slackin - rule: "Host(`oss.moov.io`)" - middlewares: - - oss-moovio-http - "oss-moovio": - entryPoints: [https] - service: slackin - rule: "Host(`oss.moov.io`) && Path(`/`)" - middlewares: - - moovio-github - tls: - certResolver: default - domains: - - main: "oss.moov.io" - "oss-moovio-watchman": - entryPoints: [https] - 
service: watchman - rule: "Host(`oss.moov.io`) && PathPrefix(`/watchman`)" - middlewares: - - oss-moovio-watchman - tls: - certResolver: default - domains: - - main: "oss.moov.io" - "oss-moovio-achwebui": - entryPoints: [https] - service: achwebui - rule: "Host(`oss.moov.io`) && PathPrefix(`/ach`)" - middlewares: - - oss-moovio-ach-redirect - tls: - certResolver: default - domains: - - main: "oss.moov.io" - "oss-moovio-fincenwebui": - entryPoints: [https] - service: fincenwebui - rule: "Host(`oss.moov.io`) && PathPrefix(`/fincen`)" - middlewares: - - oss-moovio-fincenwebui-redirect - tls: - certResolver: default - domains: - - main: "oss.moov.io" - "oss-moovio-imagecashletterwebui": - entryPoints: [https] - service: imagecashletterwebui - rule: "Host(`oss.moov.io`) && PathPrefix(`/x9`)" - middlewares: - - oss-moovio-imagecashletterwebui-redirect - tls: - certResolver: default - domains: - - main: "oss.moov.io" - "oss-moovio-wirewebui": - entryPoints: [https] - service: wirewebui - rule: "Host(`oss.moov.io`) && PathPrefix(`/wire`)" - middlewares: - - oss-moovio-wirewebui-redirect - tls: - certResolver: default - domains: - - main: "oss.moov.io" - "infra-oauth2": - entryPoints: [https] - service: oauth2-proxy - rule: "Host(`infra-oss.moov.io`) && PathPrefix(`/oauth2`)" - tls: - certResolver: default - domains: - - main: "infra-oss.moov.io" - "infra-moov-io-http": - entryPoints: [http] - service: oauth2-proxy - rule: "Host(`infra-oss.moov.io`)" - middlewares: - - infra-moov-io-http - "infra-idx": - entryPoints: [https] - service: oauth2-proxy - rule: "Host(`infra-oss.moov.io`) && Path(`/`)" - tls: - certResolver: default - domains: - - main: "infra-oss.moov.io" - alertmanager: - entryPoints: [https] - service: oauth2-proxy - rule: "Host(`infra-oss.moov.io`) && PathPrefix(`/alertmanager/`)" - tls: - certResolver: default - domains: - - main: "infra-oss.moov.io" - traefik: - entryPoints: [https] - service: oauth2-proxy - rule: "Host(`infra-oss.moov.io`) && 
PathPrefix(`/traefik/`)" - tls: - certResolver: default - domains: - - main: "infra-oss.moov.io" - prometheus: - entryPoints: [https] - service: oauth2-proxy - rule: "Host(`infra-oss.moov.io`) && PathPrefix(`/prometheus/`)" - tls: - certResolver: default - domains: - - main: "infra-oss.moov.io" - grafana: - entryPoints: [https] - service: oauth2-proxy - rule: "Host(`infra-oss.moov.io`) && PathPrefix(`/grafana/`)" - tls: - certResolver: default - domains: - - main: "infra-oss.moov.io" - polaris: - entryPoints: [https] - service: oauth2-proxy - rule: "Host(`infra-oss.moov.io`) && PathPrefix(`/polaris/`)" - tls: - certResolver: default - domains: - - main: "infra-oss.moov.io" - stargazers: - entryPoints: [https] - service: oauth2-proxy - rule: "Host(`infra-oss.moov.io`) && PathPrefix(`/stargazers`)" - tls: - certResolver: default - domains: - - main: "infra-oss.moov.io" - api: - insecure: true - dashboard: true - metrics: - prometheus: {} - ping: - entryPoint: https - log: - level: DEBUG - accessLog: {} - certificatesResolvers: - default: - acme: - email: security@moov.io - caServer: "https://acme-v02.api.letsencrypt.org/directory" - storage: /opt/traefik/letsencrypt.json - keyType: EC384 - httpChallenge: - entryPoint: http - tlsChallenge: {} # Uses TLS-ALPN-01 - nginx.conf: | - daemon off; - worker_processes 1; - error_log /var/log/nginx/error.log warn; - # error_log /dev/stdout warn; - pid /var/run/nginx.pid; - events { - worker_connections 1024; - } - http { - include /etc/nginx/mime.types; - default_type application/octet-stream; - log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - '$status $body_bytes_sent "$http_referer" ' - '"$http_user_agent" "$http_x_forwarded_for"'; - - access_log /var/log/nginx/access.log main; - # access_log /dev/stdout main; - sendfile on; - #tcp_nopush on; - keepalive_timeout 65; - gzip on; - include /opt/nginx/conf.d/*.conf; - } - default.conf: | - server { - listen 8080; - root /usr/share/nginx/www; - index 
index.html index.htm; - stub_status; - location /traefik/ { - rewrite /traefik/(.*) /$1 break; - proxy_pass http://localhost:8081/; - } - } - # metrics is for prometheus metrics scraping - # (avoid error logs) - metrics: | - # no content - index.html: | - nginx - traefik ---- diff --git a/lib/lb/10-traefik-rbac.yml b/lib/lb/10-traefik-rbac.yml deleted file mode 100644 index e731231a..00000000 --- a/lib/lb/10-traefik-rbac.yml +++ /dev/null @@ -1,38 +0,0 @@ ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: traefik -rules: - - apiGroups: - - "" - resources: - - services - - endpoints - - secrets - verbs: - - get - - list - - watch - - apiGroups: - - extensions - resources: - - ingresses - verbs: - - get - - list - - watch ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1beta1 -metadata: - name: traefik -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: traefik -subjects: - - kind: ServiceAccount - name: traefik - namespace: lb ---- diff --git a/lib/lb/10-traefik-service.yml b/lib/lb/10-traefik-service.yml deleted file mode 100644 index c091539e..00000000 --- a/lib/lb/10-traefik-service.yml +++ /dev/null @@ -1,44 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: traefik - namespace: lb -spec: - type: LoadBalancer - externalTrafficPolicy: Local - selector: - app: traefik - ports: - - name: http - protocol: TCP - port: 80 - targetPort: 80 - - name: proxy - protocol: TCP - port: 443 - targetPort: 443 ---- -apiVersion: v1 -kind: Service -metadata: - name: traefik-dashboard - namespace: lb -spec: - type: ClusterIP - selector: - app: traefik - ports: - - name: http - protocol: TCP - port: 8080 - targetPort: 8080 - ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: traefik - namespace: lb - ---- diff --git a/lib/sales/00-namespace.yml b/lib/sales/00-namespace.yml deleted file mode 100644 index c5e047fc..00000000 --- a/lib/sales/00-namespace.yml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: sales ---- diff --git a/lib/sales/20-stargazers.yml b/lib/sales/20-stargazers.yml deleted file mode 100644 index 34f8cdf5..00000000 --- a/lib/sales/20-stargazers.yml +++ /dev/null 
@@ -1,126 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: stargazers - namespace: sales -spec: - type: ClusterIP - selector: - app: stargazers - ports: - - name: http - protocol: TCP - port: 8080 - targetPort: 8080 ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: stargazers-config - namespace: sales -data: - repos.txt: | - # One repository per line - moov-io/1120x - moov-io/ach - moov-io/ach-node-sdk - moov-io/base - moov-io/charts - moov-io/customers - moov-io/fed - moov-io/imagecashletter - moov-io/infra - moov-io/irs - moov-io/iso20022 - moov-io/iso8583 - moov-io/metro2 - moov-io/moov-slack-code-of-conduct - moov-io/paygate - moov-io/ruby-ach-demo - moov-io/watchman - moov-io/wire - # Community Repositories - afrunt/jach - glenselle/nACH2 - jm81/ach - mosscode/ach - openach/openach - travishathaway/python-ach ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: stargazers - namespace: sales - labels: - app: stargazers -spec: - replicas: 1 - selector: - matchLabels: - app: stargazers - template: - metadata: - labels: - app: stargazers - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - topologyKey: "kubernetes.io/hostname" - weight: 1 - containers: - - image: adamdecaf/stargazers:v0.5.5 - imagePullPolicy: Always - name: stargazers - args: - - "-http.addr=:8080" - - "-http.base-path=/stargazers/" - - "-repositories=/config/repos.txt" - env: - - name: STARGAZERS_ACCESS_TOKEN - valueFrom: - secretKeyRef: - name: stargazers-secrets - key: token - ports: - - containerPort: 8080 - name: http - protocol: TCP - volumeMounts: - - name: stargazers-config - mountPath: /config/ - resources: - limits: - cpu: 25m - memory: 25Mi - requests: - cpu: 10m - memory: 10Mi - readinessProbe: - httpGet: - path: /stargazers/ping - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 10 - livenessProbe: - httpGet: - path: /stargazers/ping - port: 8080 - initialDelaySeconds: 5 - periodSeconds: 10 
- securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - volumes: - - name: stargazers-config - configMap: - name: stargazers-config - items: - - key: repos.txt - path: repos.txt - restartPolicy: Always ---- diff --git a/lib/sales/30-slackin-extended.yml b/lib/sales/30-slackin-extended.yml deleted file mode 100644 index a19d04de..00000000 --- a/lib/sales/30-slackin-extended.yml +++ /dev/null 
@@ -1,96 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: slackin - namespace: sales -spec: - type: ClusterIP - selector: - app: slackin - ports: - - name: http - protocol: TCP - port: 3000 - targetPort: 3000 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: slackin - namespace: sales - labels: - app: slackin -spec: - replicas: 1 - selector: - matchLabels: - app: slackin - template: - metadata: - labels: - app: slackin - spec: - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - topologyKey: "kubernetes.io/hostname" - weight: 1 - containers: - - image: emedvedev/slackin-extended@sha256:8bd1c83d4c236fa0456f2e103347e0cfaead74d19e54626a0c3ee7723dc34705 - name: slackin - env: - - name: SLACK_SUBDOMAIN - value: "moov-io" - - name: SLACK_API_TOKEN - valueFrom: - secretKeyRef: - name: slackin-secrets - key: slack_api_token - - name: SLACKIN_PORT - value: "3000" - - name: SLACKIN_HOSTNAME - value: "0.0.0.0" - - name: SLACKIN_PROXY - value: "true" - - name: SLACKIN_INTERVAL - value: "60000" - - name: SLACKIN_CORS - value: "true" - - name: SLACKIN_PATH - value: "/" - - name: RECAPTCHA_SECRET - valueFrom: - secretKeyRef: - # API keys from https://www.google.com/u/1/recaptcha/admin/site/349018097 - name: slackin-secrets - key: recaptcha_secret - - name: RECAPTCHA_SITEKEY - valueFrom: - secretKeyRef: - name: slackin-secrets - key: recaptcha_sitekey - - name: RECAPTCHA_INVISIBLE - value: "true" - - name: SLACKIN_THEME - value: "light" - - name: SLACKIN_ACCENT - value: "#000000" - - name: SLACKIN_COC - value: "https://github.com/moov-io/moov-slack-code-of-conduct" - ports: - - containerPort: 3000 - name: http - readinessProbe: - tcpSocket: - port: 3000 - initialDelaySeconds: 5 - periodSeconds: 10 - livenessProbe: - tcpSocket: - port: 3000 - initialDelaySeconds: 5 - periodSeconds: 10 - restartPolicy: Always ---- diff --git a/makefile b/makefile index d6f22720..a87ab853 100644 --- a/makefile 
+++ b/makefile 
@@ -10,60 +10,15 @@ check: PROFILE_GOTEST='yes' \ ./go/lint-project.sh -.PHONY: clean -clean: - rm -f kubeval - -# From https://github.com/genuinetools/img -.PHONY: AUTHORS -AUTHORS: - @$(file >$@,# This file lists all individuals having contributed content to the repository.) - @$(file >>$@,# For how it is generated, see `make AUTHORS`.) - @echo "$(shell git log --format='\n%aN <%aE>' | LC_ALL=C.UTF-8 sort -uf)" >> $@ - -.PHONY: release -release: AUTHORS - .PHONY: docker docker: go run ./cmd/dockertest -.PHONY: install -install: - @mkdir -p ./bin/ -ifeq ($(PLATFORM),linux) - wget -O prometheus.tar.gz https://github.com/prometheus/prometheus/releases/download/v2.15.2/prometheus-2.15.2.linux-amd64.tar.gz - wget -O ./bin/promtool-configmap https://github.com/adamdecaf/promtool-configmap/releases/download/v0.3.0/promtool-configmap-linux -endif -ifeq ($(PLATFORM),darwin) - wget -O prometheus.tar.gz https://github.com/prometheus/prometheus/releases/download/v2.15.2/prometheus-2.15.2.darwin-amd64.tar.gz - wget -O ./bin/promtool-configmap https://github.com/adamdecaf/promtool-configmap/releases/download/v0.3.0/promtool-configmap-macos -endif -ifneq ($(OS),Windows_NT) - tar xf prometheus.tar.gz && cp -r ./prometheus-*/promtool ./bin/promtool - rm -rf prometheus-2.15.2.darwin-amd64/ prometheus.tar.gz - chmod +x ./bin/promtool-configmap -endif - -.PHONY: test test-docker test-kubeval test-mysql -test: check test-docker test-kubeval +.PHONY: test test-docker +test: check test-docker test-docker: @go run ./cmd/dockertest -test-kubeval: -ifneq ($(OS),Windows_NT) - wget -nc https://github.com/instrumenta/kubeval/releases/download/0.15.0/kubeval-$(PLATFORM)-amd64.tar.gz - tar -xf kubeval-$(PLATFORM)-amd64.tar.gz kubeval && chmod +x ./kubeval - find lib/* -type f -name *.yml | grep -v blackbox | grep -v '19-etcd' | grep -v '20-vault' | xargs -n1 -I {} ./kubeval $(shell pwd)/'{}' --strict -v 1.18.1 -else - @echo "Skipping kubeval tests on TravisCI" -endif - test-shell: shellcheck 
./go/lint-project.sh - -test-mysql: - @for dir in $(shell ls -1 ./tests/); do \ - cd ./tests/"$$dir" && ./test.sh && cd ../; \ - done diff --git a/tests/mysql-backups/customers-check.sql b/tests/mysql-backups/customers-check.sql deleted file mode 100644 index aa66588a..00000000 --- a/tests/mysql-backups/customers-check.sql +++ /dev/null @@ -1 +0,0 @@ --- select count(*) from customers; diff --git a/tests/mysql-backups/docker-compose.yml b/tests/mysql-backups/docker-compose.yml deleted file mode 100644 index 0474c651..00000000 --- a/tests/mysql-backups/docker-compose.yml +++ /dev/null @@ -1,11 +0,0 @@ -version: '3' -services: - mysql: - image: mysql:8 - ports: - - "3306:3306" - environment: - MYSQL_DATABASE: "$DB" - MYSQL_USER: "infra" - MYSQL_PASSWORD: "password" - MYSQL_RANDOM_ROOT_PASSWORD: "yes" diff --git a/tests/mysql-backups/paygate-check.sql b/tests/mysql-backups/paygate-check.sql deleted file mode 100644 index 92806f52..00000000 --- a/tests/mysql-backups/paygate-check.sql +++ /dev/null @@ -1 +0,0 @@ -select count(*) from depositories; diff --git a/tests/mysql-backups/test.sh b/tests/mysql-backups/test.sh deleted file mode 100755 index c57b8719..00000000 --- a/tests/mysql-backups/test.sh +++ /dev/null 
@@ -1,35 +0,0 @@ -#!/bin/bash -# set -x -set -e - -docker-compose kill && docker-compose rm -f -v - -apps=($(gsutil ls gs://moov-production-mysql-backups/apps/)) - -for app in "${apps[@]}" -do - DB=$(basename "$app") docker-compose up -d mysql - sleep 20 - - line=$(gsutil ls "$app" | tail -n1) - gsutil cp "$line" $(basename "$line") - cat $(basename "$line") | mysql -h 127.0.0.1 -u infra --password=password $(basename "$app") - - result=$(cat $(basename "$app")-check.sql | mysql -h 127.0.0.1 -u infra --password=password --silent $(basename "$app")) - - if [ "$result" == "0" ] - then - echo "no rows found" - exit 1 - fi - - result=$(echo 'select count(*) from migrations' | mysql -h 127.0.0.1 -u infra --password=password --silent $(basename "$app")) - - if [ "$result" == "0" ] - then - echo "no rows found" - exit 1 - fi - - docker-compose kill && docker-compose rm -f -v -done diff --git a/tests/mysql-backups/watchman-check.sql b/tests/mysql-backups/watchman-check.sql deleted file mode 100644 index 43d8e50b..00000000 --- a/tests/mysql-backups/watchman-check.sql +++ /dev/null @@ -1 +0,0 @@ -select count(*) from download_stats;
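Review bot: removing the `customers-mysql-backup` CronJob (first hunk, before `lib/apps/17-imagecashletterfuzz.yml`) together with `tests/mysql-backups/test.sh` at the end of the patch drops both the daily dump to `gs://moov-production-mysql-backups/apps/customers` and the only restore check that exercised those dumps; the PR description should say where the `customers` database is backed up now, or that it is decommissioned. The Secrets the job consumed (`database-backups/gcp_auth_string`, `customers-mysql-secrets`, `slack-secrets/webhook_url`) are not touched by this diff, so the GCP service-account key and the Slack webhook should be revoked or rotated once nothing else references them. The job was also written against `batch/v1beta1`, which Kubernetes removed in 1.25, so any replacement should use `batch/v1`.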
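Review bot: the four fuzzing Deployments (`17-imagecashletterfuzz.yml`, `18-wirefuzz.yml`, `19-metro2fuzz.yml`, `20-iso8583fuzz.yml`) each mount a PersistentVolumeClaim holding the `.../test/fuzz-reader/crashers/` directory; deleting the PVCs defined in the same files discards any crasher inputs that have not yet been filed as issues, so copy that directory out before the claims are removed from the cluster. The Deployments were already at `replicas: 0` with `readOnlyRootFilesystem` commented out, so the deletion itself is a cleanup, but the commit message should record whether parser fuzzing for imagecashletter, wire, metro2 and iso8583 now runs somewhere else.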
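Review bot: deleting `17-imagecashletterwebui.yml`, `18-wirewebui.yml`, `21-fincen-webui.yml` and the `lib/lb/` and `lib/sales/` manifests removes them from the repository but not from the cluster; unless the deploy step runs `kubectl apply --prune` or an explicit `kubectl delete`, these Deployments keep running with `imagePullPolicy: Always` on tag references such as `moov/wire-webui:v0.13.3` and no longer have a reviewed manifest behind them. Add the cluster-side removal to the PR, or state that the cluster itself is being torn down.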
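Review bot: `lib/lb/10-traefik-config.yml` is the hunk that needs the most careful decommissioning: the `default` ACME resolver stores the Let's Encrypt account key and every issued private key in `/opt/traefik/letsencrypt.json`, which lives on the `traefik-acme-alpha` and `traefik-acme-beta` PVCs from `10-traefik-alpha.yml` and `10-traefik-beta.yml`, so those volumes should be deleted outright when the `lb` namespace goes, and the `oss.moov.io`, `slack.moov.io` and `infra-oss.moov.io` certificates revoked or left to expire. The deleted config also carried `api.insecure: true` with `dashboard: true`, `log.level: DEBUG` and `sniStrict: false`; none of that should be copied into whatever ingress replaces it. In the same directory, `10-traefik-rbac.yml` granted a ClusterRole with cluster-wide `get/list/watch` on `secrets` through the long-removed `rbac.authorization.k8s.io/v1beta1` API, so confirm the `traefik` ClusterRoleBinding is actually gone from the cluster rather than only from the repo.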
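Review bot: `lib/sales/20-stargazers.yml` and `lib/sales/30-slackin-extended.yml` consume long-lived third-party credentials (`stargazers-secrets/token` for the GitHub API, `slackin-secrets/slack_api_token`, `recaptcha_secret` and `recaptcha_sitekey`); deleting the Deployments does not invalidate them, so the Slack token, GitHub token and reCAPTCHA keys should be revoked on the provider side as part of this change. Worth noting for any redeploy: the slackin image was pinned by `@sha256:` digest, which is the right pattern, while `adamdecaf/stargazers:v0.5.5` was referenced by tag only.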
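Review bot: in the `makefile` hunk, the new `.PHONY: test test-docker` line drops `test-kubeval` and `test-mysql` but still leaves `test-shell` (the context line just below) undeclared and outside the `test` target; since the line is being edited anyway, make it `.PHONY: test test-docker test-shell` and consider `test: check test-docker test-shell`. With `test-kubeval` gone there is no schema validation for any Kubernetes YAML that remains in the repo, which is only fine if this commit removes the last of it. Dropping `install` is a net improvement: it fetched `promtool` and `promtool-configmap` with `wget` and no checksum verification.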
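Review bot: `tests/mysql-backups/test.sh` and its compose file are deleted rather than fixed, and the reason should be recorded: the script restored real production dumps from `gs://moov-production-mysql-backups` onto a developer machine with MySQL published on `3306:3306` (every interface) and the password `password` passed on the `mysql` command line, and `customers-check.sql` had its only query commented out, so the `customers` row-count check compared an empty result against `"0"` and never failed. If restore verification is re-added, run it in CI against a sanitized dump with the check queries actually executed.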
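Review bot: removing the `lib/blackbox` submodule takes away the tool the README in this patch expected on `PATH` for GPG-encrypted files; confirm that no `*.gpg` files or a `.blackbox/` registry remain elsewhere in the tree, and if any secrets were ever encrypted into this repository, rotate them, since git history still holds the ciphertext for every key that was registered.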