Update demo deploy - in line with development

ministryofjustice · Jul 12, 2024 · f380199 · f380199
1 parent a9ac52f
commit f380199
Show file tree

Hide file tree

Showing 5 changed files with 70 additions and 7 deletions.
diff --git a/.github/README.md b/.github/README.md
@@ -313,6 +313,7 @@ To verify that S3 & CloudFront are working correctly.
 - [Ministry of Justice | Overview](https://portal.azure.com/#view/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/~/Overview)
 - App [MOJ-Local-Intranet-v2](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Overview/appId/73ed65a5-e879-4027-beab-f5e64de803b7/isMSAApp~/false)
 - App [MOJ-Dev-Intranet-V2](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Overview/quickStartType~/null/sourceType/Microsoft_AAD_IAM/appId/1dac3cbf-91d2-4c0e-9c80-0bf3f8fabd75)
+- App [MOJ-Demo-Intranet-V2](https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationMenuBlade/~/Overview/quickStartType~/null/sourceType/Microsoft_AAD_IAM/appId/8d928bcf-c45e-41ec-aedf-059828aa6e3f)
 
 ### Register an application
 

diff --git a/deploy/demo/config.yml b/deploy/demo/config.yml
@@ -9,3 +9,13 @@ data:
   WP_SITEURL: 'https://demo.intranet.justice.gov.uk/wp'
   AWS_CLOUDFRONT_HOST: 'cdn.demo.intranet.justice.gov.uk'
   SENTRY_DEV_ID: '-demo'
+  # See Azure Setup for more information on how to get these values.
+  OAUTH_CLIENT_ID: "8d928bcf-c45e-41ec-aedf-059828aa6e3f"
+  OAUTH_TENANT_ID: "c6874728-71e6-41fe-a9e1-2e8c36776ad8"
+  # IP addresses, with optional CIDR notation. Separated by newlines and using # for comments.
+  ALLOWED_IPS: |
+    # Global Protect
+    18.169.147.172
+    35.176.93.186
+    18.130.148.126
+    35.176.148.126
diff --git a/deploy/demo/deployment.tpl b/deploy/demo/deployment.tpl
@@ -6,7 +6,7 @@ metadata:
   labels:
     app: ${KUBE_NAMESPACE}
 spec:
-  replicas: 2
+  replicas: 1
   strategy:
     type: RollingUpdate
     rollingUpdate:
@@ -23,28 +23,46 @@ spec:
       volumes:
         - name: uploads
           emptyDir: { }
+        - name: php-socket
+          emptyDir: { }
       terminationGracePeriodSeconds: 35
       serviceAccountName: ${KUBE_NAMESPACE}-service
       containers:
         - name: nginx
           image: ${ECR_URL}:${IMAGE_TAG_NGINX}
           ports:
             - containerPort: 8080
+          volumeMounts:
+            - name: uploads
+              mountPath: /var/www/html/public/app/uploads
+            - name: php-socket
+              mountPath: /sock
+
+        - name: cron
+          image: ${ECR_URL}:${IMAGE_TAG_CRON}
+          securityContext:
+            runAsUser: 3001
+
         - name: fpm
           image: ${ECR_URL}:${IMAGE_TAG_FPM}
-          ports:
-            - containerPort: 9000
           volumeMounts:
             - name: uploads
               mountPath: /var/www/html/public/app/uploads
+            - name: php-socket
+              mountPath: /sock
           securityContext:
-              runAsUser: 82
+            runAsUser: 101
           env:
             - name: AWS_S3_BUCKET
               valueFrom:
                 secretKeyRef:
                   name: s3-bucket-output
                   key: bucket_name
+            - name: AWS_CLOUDFRONT_PUBLIC_KEYS_OBJECT
+              valueFrom:
+                secretKeyRef:
+                  name: cloudfront-output
+                  key: cloudfront_public_keys
             - name: DB_HOST
               valueFrom:
                 secretKeyRef:
@@ -65,8 +83,20 @@ spec:
                 secretKeyRef:
                   name: rds-output
                   key: database_password
+            - name: OPENSEARCH_URL
+              valueFrom:
+                secretKeyRef:
+                  name: opensearch-output
+                  key: proxy_url
+            - name: BASIC_AUTH
+              valueFrom:
+                secretKeyRef:
+                  name: intranet-basic-auth
+                  key: auth          
           envFrom:
             - configMapRef:
                 name: ${KUBE_NAMESPACE}
             - secretRef:
                 name: ${KUBE_NAMESPACE}-secrets
+            - secretRef:
+                name: ${KUBE_NAMESPACE}-base64-secrets
diff --git a/deploy/demo/ingress.yml b/deploy/demo/ingress.yml
@@ -7,7 +7,7 @@ metadata:
     external-dns.alpha.kubernetes.io/set-identifier: intranet-demo-ingress-intranet-demo-green
     external-dns.alpha.kubernetes.io/aws-weight: "100"
     nginx.ingress.kubernetes.io/auth-type: basic
-    nginx.ingress.kubernetes.io/auth-secret: basic-auth-secret
+    nginx.ingress.kubernetes.io/auth-secret: intranet-basic-auth
     nginx.ingress.kubernetes.io/auth-realm: 'Demo User | Authentication Required'
     nginx.ingress.kubernetes.io/server-snippet: |
       location = /health {
@@ -25,9 +25,10 @@ spec:
   ingressClassName: default
   tls:
   - hosts:
-    - demo-intranet.apps.live.cloud-platform.service.justice.gov.uk
+    - demo.intranet.justice.gov.uk
+    secretName: intranet-demo-cert-secret
   rules:
-  - host: demo-intranet.apps.live.cloud-platform.service.justice.gov.uk
+  - host: demo.intranet.justice.gov.uk
     http:
       paths:
       - path: /

diff --git a/deploy/demo/secret.tpl b/deploy/demo/secret.tpl
@@ -15,3 +15,24 @@ stringData:
   NONCE_SALT: "${NONCE_SALT}"
   SECURE_AUTH_KEY: "${SECURE_AUTH_KEY}"
   SECURE_AUTH_SALT: "${SECURE_AUTH_SALT}"
+  JWT_SECRET: "${JWT_SECRET}"
+  OAUTH_CLIENT_SECRET: "${OAUTH_CLIENT_SECRET}"
+  BASIC_AUTH_USER: "${BASIC_AUTH_USER}"
+  BASIC_AUTH_PASS: "${BASIC_AUTH_PASS}"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: intranet-dev-base64-secrets
+type: Opaque
+data:
+  AWS_CLOUDFRONT_PRIVATE_KEY: "${AWS_CLOUDFRONT_PRIVATE_KEY_BASE64}"
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudfront-input
+type: Opaque
+data:
+  AWS_CLOUDFRONT_PUBLIC_KEY: "${AWS_CLOUDFRONT_PUBLIC_KEY_BASE64}"
+  # AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING: "${AWS_CLOUDFRONT_PUBLIC_KEY_EXPIRING_BASE64}"