Merge remote-tracking branch 'upstream/master' into development

ConductionNL · Dec 10, 2019 · 395e932 · 395e932
2 parents 047d072 + 4e1bffa
commit 395e932
Show file tree

Hide file tree

Showing 13 changed files with 159 additions and 14 deletions.
diff --git a/.env b/.env
@@ -27,6 +27,19 @@ APP_DESCRIPTION='Naast deze JSON rest API is er ook een [graphql](/graphql) inte
 TRUSTED_PROXIES=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
 TRUSTED_HOSTS=^(.+\.)?conduction\.nl$|^(.+\.)?huwelijksplanner\.online$|^(.+\.)?larping\.eu$|^(.+\.)?common-ground\.nl$|^(.+\.)?trouwplanner\.online$|^(.+\.)?zaakonline\.nl$|localhost
 
+##################################################
+# Orgization details
+##################################################
+
+# The following details describe your organisations and are used for both certificate creation and common-ground.dev
+
+ORGANIZATION_NAME=Conduction
+ORGANIZATION_EMAIL_ADDRESS=[email protected]
+ORGANIZATION_COUNTRY_NAME=Netherlands
+ORGANIZATION_STATE=Noord-Holland
+ORGANIZATION_LOCALITY=Amsterdam
+ORGANIZATION_UNIT_NAME=Common-Ground
+
 ##################################################
 # Documentation settings
 ##################################################

diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
@@ -63,6 +63,10 @@ jobs:
         run: docker-compose logs
       - name: Security Checks
         run: docker-compose exec -T php composer req sensiolabs/security-checker
+      - name: Database Update
+        run: docker-compose exec -T php bin/console doctrine:schema:update --force
+      - name: Database Check
+        run: docker-compose exec -T php bin/console doctrine:schema:validate
       - name: Chores
         run: docker-compose down
       - name: Login to DockerHub Registry

diff --git a/INSTALLATION.md b/INSTALLATION.md
@@ -35,10 +35,19 @@ Now that we've installed both Helm components, we're ready to use helm to instal
 ## Setting up ingress
 We need at least one nginx controller per kubernetes kluster, doh optionally we could set on up on a per namebase basis
 
-helm install stable/nginx-ingress --name loadbalancer --kubeconfig="kubeconfig.yaml"
+```CLI
+$ helm install stable/nginx-ingress --name loadbalancer --kubeconfig="kubeconfig.yaml"
+```
+
+We can check that out with 
+
+```CLI
+$ kubectl describe ingress pc-dev-ingress -n=kube-system --kubeconfig="kubeconfig.yaml"
+```
 
 ## Setting up Kubernetes Dashboard
 After we installed helm and tiller we can easily use both to install kubernetes dashboard
+
 ```CLI
 $ helm install stable/kubernetes-dashboard --name dashboard --kubeconfig="kubeconfig.yaml" --namespace="kube-system"
 ```
@@ -57,14 +66,37 @@ $ kubectl -n kube-system describe secrets tiller-token-xxxxx  --kubeconfig="kube
 This should return the token, copy it to somewhere save (just the token not the other returned information) and start up a dashboard connection
 
 ```CLI
-$kubectl proxy --kubeconfig="kubeconfig.yaml"
+$ kubectl proxy --kubeconfig="kubeconfig.yaml"
 ```
 
 This should proxy our dashboard to helm making it available trough our favorite browser and a simple link
 ```CLI
 http://localhost:8001/api/v1/namespaces/kube-system/services/https:dashboard-kubernetes-dashboard:https/proxy/#!/login
 ```
 
+
+## Cert Manager
+https://cert-manager.io/docs/installation/kubernetes/
+
+```CLI
+$ kubectl apply --validate=false -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml --kubeconfig="kubeconfig.yaml"
+$ kubectl create namespace cert-manager --kubeconfig="kubeconfig.yaml"
+```
+
+ The we need tp deploy the cert manager to our cluster
+
+```CLI
+$ helm repo add jetstack https://charts.jetstack.io
+$ helm install --name cert-manager --namespace cert-manager --version v0.12.0 \ jetstack/cert-manager --kubeconfig="kubeconfig.yaml"
+```
+
+lets check if everything is working
+
+```CLI
+$ kubectl get pods --namespace cert-manager --kubeconfig="kubeconfig.yaml"
+$ kubectl describe certificate -n dev --kubeconfig="kubeconfig.yaml"
+```
+
 ## Deploying trough helm
 First we always need to update our dependencies
 ```CLI

diff --git a/api/config/packages/twig.yaml b/api/config/packages/twig.yaml
@@ -8,6 +8,13 @@ twig:
 
         container_registry_base: '%env(CONTAINER_REGISTRY_BASE)%'   
         container_project_name: '%env(CONTAINER_PROJECT_NAME)%'
+
+        organization_name: '%env(ORGANIZATION_NAME)%'
+        organization_email: '%env(ORGANIZATION_EMAIL_ADDRESS)%'
+        organization_country: '%env(ORGANIZATION_COUNTRY_NAME)%'
+        organization_state: '%env(ORGANIZATION_STATE)%'
+        organization_locality: '%env(ORGANIZATION_LOCALITY)%'
+        organization_unit: '%env(ORGANIZATION_UNIT_NAME)%'
 
         app_name: '%env(APP_NAME)%'
         app_title: '%env(APP_TITLE)%'

diff --git a/api/helm/templates/cert-issuer.yaml b/api/helm/templates/cert-issuer.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+  name: {{ include "name" . }}-{{ .Values.settings.env }}-letsencrypt
+spec:
+  acme:
+    email: {{ .Values.settings.email }}
+    http01: {}
+    privateKeySecretRef:
+      name: letsencrypt-private-key
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+    - selector: {}
+      http01:
+        ingress:
+          class: nginx
diff --git a/api/helm/templates/certificate.yaml b/api/helm/templates/certificate.yaml
@@ -0,0 +1,22 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: {{ include "name" . }}-acme-cert
+spec:
+  secretName: {{ include "name" . }}-tls-cert
+  duration: 24h
+  renewBefore: 12h
+  {{- if eq .Values.settings.env "prod" }}
+  commonName: {{ .Values.settings.name }}.{{ .Values.settings.domain }}    
+  {{- else }}      
+  commonName: {{ .Values.settings.name }}.{{ .Values.settings.env }}.{{ .Values.settings.domain }}    
+  {{- end }}
+  dnsNames:
+  {{- if eq .Values.settings.env "prod" }}
+  - {{ .Values.settings.name }}.{{ .Values.settings.domain }}    
+  {{- else }}      
+  - {{ .Values.settings.name }}.{{ .Values.settings.env }}.{{ .Values.settings.domain }}    
+  {{- end }}
+  issuerRef:
+    name: {{ include "name" . }}-{{ .Values.settings.env }}-letsencrypt
+    kind: ClusterIssuer
diff --git a/api/helm/templates/configmap.yaml b/api/helm/templates/configmap.yaml
@@ -25,6 +25,13 @@ data:
   app-health: {{ .Values.settings.healthEnabled | quote }}
   app-archive: {{ .Values.settings.archiveEnabled | quote }}
 
+  organization-name: {{ .Values.settings.organisationMame | quote }}
+  organization-email: {{ .Values.settings.email | quote }}
+  organization-country: {{ .Values.settings.country | quote }}
+  organization-state: {{ .Values.settings.state | quote }}
+  organization-locality: {{ .Values.settings.locality | quote }}
+  organization-unit: {{ .Values.settings.unit | quote }}
+
   env: {{ .Values.settings.env | quote }}
   debug: {{ .Values.settings.debug | quote }}
   cors-allow-origin: {{ .Values.settings.corsAllowOrigin | quote }}

diff --git a/api/helm/templates/ingress.yaml b/api/helm/templates/ingress.yaml
@@ -1,6 +1,10 @@
 apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
+  annotations:
+    # add an annotation indicating the issuer to use.
+    cert-manager.io/acme-challenge-type: http01
+    cert-manager.io/cluster-issuer: {{ include "name" . }}-{{ .Values.settings.env }}-letsencrypt
   name: {{ include "name" . }}-{{ .Values.settings.env }}-ingress
   labels:
     app.kubernetes.io/name: {{ include "name" . }}-ingress
@@ -13,14 +17,10 @@ metadata:
     {{- toYaml . | nindent 4 }}
   {{- end }}
 spec:
-  tls:
+  tls: 
   - hosts:
-    {{- if eq .Values.settings.env "prod" }}
     - {{ .Values.settings.domain }}
-    {{- else }}      
-    - {{ .Values.settings.env }}.{{ .Values.settings.domain }}     
-    {{- end }}    
-    secretName: {{ include "name" . }}-certs
+    secretName: {{ include "name" . }}-tls-cert
   rules:
 #    - host: {{ .Values.settings.name }}.{{ .Values.settings.env }}.{{ .Values.settings.domain }}
 #      http:

diff --git a/api/helm/templates/php-deployment.yaml b/api/helm/templates/php-deployment.yaml
@@ -9,7 +9,7 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/managed-by: {{ .Release.Service }}
 spec:
-  replicas: {{ .Values.php.replicaCount }}
+  replicas: 3
   template:
     metadata:
       labels:
@@ -82,11 +82,37 @@ spec:
                 configMapKeyRef:
                   name: {{ template "fullname" . }}
                   key: app-domain
-            - name: APP_REPRO
+            # organization
+            - name: ORGANIZATION_NAME
               valueFrom:
                 configMapKeyRef:
                   name: {{ template "fullname" . }}
-                  key: app-repro
+                  key: organization-name
+            - name: ORGANIZATION_EMAIL_ADDRESS
+              valueFrom:
+                configMapKeyRef:
+                  name: {{ template "fullname" . }}
+                  key: organization-email
+            - name: ORGANIZATION_COUNTRY_NAME
+              valueFrom:
+                configMapKeyRef:
+                  name: {{ template "fullname" . }}
+                  key: organization-country
+            - name: ORGANIZATION_STATE
+              valueFrom:
+                configMapKeyRef:
+                  name: {{ template "fullname" . }}
+                  key: organization-state
+            - name: ORGANIZATION_LOCALITY
+              valueFrom:
+                configMapKeyRef:
+                  name: {{ template "fullname" . }}
+                  key: organization-locality
+            - name: ORGANIZATION_UNIT_NAME
+              valueFrom:
+                configMapKeyRef:
+                  name: {{ template "fullname" . }}
+                  key: organization-unit
             # config
             - name: AUTH_ENABLED
               valueFrom:

diff --git a/api/helm/values.yaml b/api/helm/values.yaml
@@ -12,6 +12,12 @@ settings:
   repro: 'https://github.com/ConductionNL/Proto-component-commonground'
   domain: test.conduction.nl
   demo: test.conduction.nl
+  unit: Common-Ground  
+  locality: Amsterdam
+  state: Noord-Holland
+  email: [email protected]
+  country: Netherlands
+  organisationName: Conduction
   env: dev
   debug: 1
   replicaCount: 1

diff --git a/api/src/Repository/ExampleEntityRepository.php b/api/src/Repository/ExampleEntityRepository.php
@@ -4,7 +4,7 @@
 
 use App\Entity\ExampleEntity;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
-use Symfony\Bridge\Doctrine\RegistryInterface;
+use Doctrine\Common\Persistence\ManagerRegistry;
 
 /**
  * @method ExampleEntity|null find($id, $lockMode = null, $lockVersion = null)
@@ -14,7 +14,7 @@
  */
 class ExampleEntityRepository extends ServiceEntityRepository
 {
-    public function __construct(RegistryInterface $registry)
+    public function __construct(ManagerRegistry $registry)
     {
         parent::__construct($registry, ExampleEntity::class);
     }

diff --git a/api/templates/helm/Values.yaml.twig b/api/templates/helm/Values.yaml.twig
@@ -10,7 +10,13 @@ settings:
   version: {{ app_version }}
   description: '{{ app_description }}'
   repro: '{{ app_repro }}'
-  domain: {{ app_domain }}
+  domain: {{ app_domain }}  
+  organisationName: {{ organization_name }}
+  email: {{ organization_email }}
+  country: {{ organization_country }}
+  state: {{ organization_state }}
+  locality: {{ organization_locality }}
+  unit: {{ organization_unit }}  
   demo: {{ app_demo }}
   env: {{ app_env }}
   debug: {{ app_debug }}

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -40,6 +40,12 @@ services:
       - APP_DEMO=${APP_DEMO}
       - APP_REPRO=${APP_REPRO}
       - APP_DESCRIPTION=${APP_DESCRIPTION}
+      - ORGANIZATION_NAME=${ORGANIZATION_NAME}
+      - ORGANIZATION_EMAIL_ADDRESS=${ORGANIZATION_EMAIL_ADDRESS}
+      - ORGANIZATION_COUNTRY_NAME=${ORGANIZATION_COUNTRY_NAME}
+      - ORGANIZATION_STATE=${ORGANIZATION_STATE}
+      - ORGANIZATION_LOCALITY=${ORGANIZATION_LOCALITY}
+      - ORGANIZATION_UNIT_NAME=${ORGANIZATION_UNIT_NAME}
       - TRUSTED_PROXIES=${TRUSTED_PROXIES}
       - TRUSTED_HOSTS=${TRUSTED_HOSTS}
       - AUTH_ENABLED=${AUTH_ENABLED}