Add helm chart

.gitlab-ci.yml

@@ -50,14 +50,8 @@ kubernetes:
   variables:
     KUBERNETES_SERVICE_ACCOUNT_OVERWRITE: gitlab-deploy
   script:
-    - curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
+    - setup-kubectl
-    - chmod +x kubectl
+    - krane render -f kubernetes --current-sha "$CI_COMMIT_SHA" | krane deploy turniere-backend-dev local -f kubernetes/secrets.ejson -
-    - mv kubectl /usr/bin/kubectl 
-    - kubectl config set-cluster k8s --server="https://kubernetes.default.svc" --certificate-authority=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
-    - kubectl config set-credentials sa --token="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
-    - kubectl config set-context local --cluster=k8s --user=sa --namespace=turniere-backend
-    - gem install krane
-    - krane render -f kubernetes --current-sha "$CI_COMMIT_SHA" | krane deploy turniere-backend local -f kubernetes/secrets.ejson -
 
 deploy_watchtower:
   stage: deploy
@@ -74,3 +68,4 @@ deploy_watchtower:
     - docker pull $CI_REGISTRY_IMAGE/production/commits:$CI_COMMIT_SHA
     - docker tag $CI_REGISTRY_IMAGE/production/commits:$CI_COMMIT_SHA $CI_REGISTRY_IMAGE/production:deploy
     - docker push $CI_REGISTRY_IMAGE/production:deploy
+

chart/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

chart/Chart.yaml

@@ -0,0 +1,6 @@
+apiVersion: v2
+name: turniere-backend
+description: turnie.re backend
+type: application
+version: 0.1.0
+appVersion: "latest"

chart/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "chart.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "chart.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "chart.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "chart.labels" -}}
+helm.sh/chart: {{ include "chart.chart" . }}
+{{ include "chart.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "chart.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "chart.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "chart.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "chart.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

chart/templates/deployment.yaml

@@ -0,0 +1,58 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "chart.fullname" . }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+spec:
+  replicas: {{ .Values.replicaCount }}
+  selector:
+    matchLabels:
+      {{- include "chart.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "chart.selectorLabels" . | nindent 8 }}
+    spec:
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+          env:
+            - name: RAILS_MASTER_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: rails-master-key
+                  key: master.key
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

chart/templates/ingress.yaml

@@ -0,0 +1,17 @@
+{{- $fullName := include "chart.fullname" . -}}
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ $fullName }}
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`{{ .Values.ingress.host }}`)
+      kind: Rule
+      services:
+        - name: {{ $fullName }}
+          port: {{ .Values.service.port }}
+  tls:
+    certResolver: leresolver

chart/templates/secret.yaml

@@ -0,0 +1,17 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  annotations:
+    sealedsecrets.bitnami.com/cluster-wide: "true"
+  creationTimestamp: null
+  name: rails-master-key
+spec:
+  encryptedData:
+    master.key: AgBzhjABvgqp0gRdbY6JS2I5s0ir/p9xp8/KSGRZY6Gcl+saGjF6ZIFP9Tm84WwkDOujn6qW8h2Me5vxA943b8lOHXwrPXCjuM7FRt5pGlXjS08zLB08fD1mZ6btrs50AUih0YeB92pDJ7yup3eE7jJA+n1vTnNTNh62iCzLOdqHpr3IgJKvJueWcgQLjB5Lwden649QKCdpwd82el+xYLRuuS/teUANKCbLxypzp4A+Wmgcw1KmO9F29/XjiYCOJ0b1oFyI9oMhF+dyh0c3XUqNOA4TtD6a2nFtfDlVN57DmrcwAnzuXAWVDZ/RDEm5c2LVGCxAe463XDA4a+ruNYoAlbpUz2Zaqi+nISN98y2nTpWQOYICN+etps0k/o8qx8xTfPQMUG6T1D207LvzNl0Df/S2mOIWDvlEmAUZTr0PY+5e4n3cLvsemDo0/ea1+edK4eW+qbHDUTb9QswsYxysQuvHHhVv0G45887YGR/zEZLQ0yRHPyk6LwOXQ7MQc7YU/ZF3bms+93E7bgDVJVS/WneM3EEa0iTAIWre14VvOS3F4nMS5+2fcz5Nh+l1XER4F4+NllJRpINGF0wdBQDEDoyw25/6sPS/R7zheGNH32kpJx/7eEMh5LJzjA/ZseYo4t2TpD1U/OpGnfyzrQ+D/dM6p5C+WG7GD4P2M8Oqarl2YxbBf3rM0YDn0aMGc/PWN+M/TvsR5WAabQV9VRspEfoHcKEvHLqtbeeIflVd7w==
+  template:
+    data: null
+    metadata:
+      annotations:
+        sealedsecrets.bitnami.com/cluster-wide: "true"
+      creationTimestamp: null
+      name: rails-master-key

chart/templates/service.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "chart.fullname" . }}
+  labels:
+    {{- include "chart.labels" . | nindent 4 }}
+spec:
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "chart.selectorLabels" . | nindent 4 }}

chart/values.yaml

@@ -0,0 +1,20 @@
+replicaCount: 1
+
+image:
+  repository: registry.gitlab.com/turniere/turniere-backend/production/commits
+  pullPolicy: IfNotPresent
+  tag: ""
+
+podAnnotations: {}
+
+securityContext: {}
+#  runAsNonRoot: true
+#  runAsUser: 1000
+
+service:
+  port: 8080
+
+ingress:
+  host: ""
+
+resources: {}

kubernetes/deployment.yml.erb

@@ -1,28 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: backend-deployment
-  namespace: turniere-backend
-  labels:
-    app: turniere-backend
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: turniere-backend
-  template:
-    metadata:
-      labels:
-        app: turniere-backend
-    spec:
-      containers:
-      - name: backend-container
-        image: registry.gitlab.com/turniere/turniere-backend/production/commits:<%= current_sha %>
-        ports:
-        - containerPort: 3000
-        env:
-        - name: RAILS_MASTER_KEY
-          valueFrom:
-            secretKeyRef:
-              name: turniere-secret
-              key: master.key

kubernetes/rolebinding.yml

@@ -1,13 +0,0 @@
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: gitlab-deploy-rb
-  namespace: turniere-backend
-subjects:
-  - kind: ServiceAccount
-    name: gitlab-deploy
-    namespace: gitlab
-roleRef:
-  kind: ClusterRole
-  name: gitlab-deploy-role
-  apiGroup: rbac.authorization.k8s.io

kubernetes/secrets.ejson

@@ -1,11 +0,0 @@
-{
-  "_public_key": "c837fba31b5cd2adb6809c23818e9ee1bc7a85f585f8bf9bca767f6e6e71db39",
-  "kubernetes_secrets": {
-    "turniere-secret": {
-      "_type": "Opaque",
-      "data": {
-        "master.key": "EJ[1:QEauT9a+p+4WLCIpVRIVafEN6KemhM544B3bx67Gyg4=:/2xjJ3RseqBy6JORX9vkaFv3pnhWYELB:KQvFX2W4aLBquluKJikYeO/sp2TOUROxGU8qj941EMk0vxapeGEh9CdQ9Rit1B+e]"
-      }
-    }
-  }
-}

kubernetes/service.yml

@@ -1,46 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: backend-service
-  namespace: turniere-backend
-spec:
-  selector:
-    app: turniere-backend
-  ports:
-    - name: http
-      port: 3000
-      targetPort: 3000
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: backend-ingress-http
-  namespace: turniere-backend
-spec:
-  entryPoints:
-    - http
-  routes:
-    - match: Host(`api01.turnie.re`)
-      kind: Rule
-      services:
-        - name: backend-service
-          port: 3000
-      middlewares:
-        - name: redirect
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: backend-ingress-https
-  namespace: turniere-backend
-spec:
-  entryPoints:
-    - https
-  routes:
-    - match: Host(`api01.turnie.re`)
-      kind: Rule
-      services:
-        - name: backend-service
-          port: 3000
-  tls:
-    certResolver: default