Helm chart (#71)

* DATABASE_URL instead of PG_URL * helm charts for deploying rustlemania * Deployed to kubernetes cluster successfully * cargo fmt * Deployed ssl * Update audio encoder * Adding some docs for helm deploy * use wss * do not install clippy * whatever * add default * override * remove default config * trying with lower quality audio to try reduce latency --------- Co-authored-by: Griffin Obeid <[email protected]>
security-union · Jun 19, 2023 · 5c07def · 5c07def
1 parent f6ff054
commit 5c07def
Show file tree

Hide file tree

Showing 42 changed files with 760 additions and 37 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,2 @@
+**/target
+**/dist
diff --git a/.github/workflows/cargo-lint.yaml b/.github/workflows/cargo-lint.yaml
@@ -12,7 +12,7 @@ env:
   OAUTH_CLIENT_SECRET: blah
   OAUTH_REDIRECT_URL: http://localhost:8080/login/callback
   RUST_LOG: info
-  PG_URL: postgres://postgres:docker@postgres:5432/actix-api-db?sslmode=disable
+  DATABASE_URL: postgres://postgres:docker@postgres:5432/actix-api-db?sslmode=disable
 
 jobs:
   fmt:
@@ -26,7 +26,7 @@ jobs:
           toolchain: stable
           override: true
           components: rustfmt
-      - uses: actions-rs/cargo@v1        
+      - uses: actions-rs/cargo@v1
         with:
           command: fmt
-          args: --manifest-path ./actix-api/Cargo.toml --all -- --check 
+          args: --manifest-path ./actix-api/Cargo.toml --all -- --check
diff --git a/.github/workflows/cargo-test.yaml b/.github/workflows/cargo-test.yaml
@@ -6,15 +6,14 @@ name: cargo test
 
 env:
   ACTIX_PORT: 8080
-  TRUNK_SERVE_PORT: 80
-  TRUNK_SERVE_HOST: localhost
+  UI_ENDPOINT: localhost:80
   OAUTH_CLIENT_ID: blah
   OAUTH_AUTH_URL: blah
   OAUTH_TOKEN_URL: blah
   OAUTH_CLIENT_SECRET: blah
   OAUTH_REDIRECT_URL: http://localhost:8080/login/callback
   RUST_LOG: info
-  PG_URL: postgres://postgres:docker@postgres:5432/actix-api-db?sslmode=disable
+  DATABASE_URL: postgres://postgres:docker@postgres:5432/actix-api-db?sslmode=disable
 
 jobs:
 
@@ -39,4 +38,4 @@ jobs:
         continue-on-error: false  # WARNING: only for this example, remove it!
         with:
           command: test
-          args: --manifest-path ./actix-api/Cargo.toml
+          args: --manifest-path ./actix-api/Cargo.toml
diff --git a/Dockerfile.actix b/Dockerfile.actix
@@ -0,0 +1,24 @@
+FROM rust:1.70-slim-bullseye as development
+
+RUN apt-get --yes update && apt-get --yes install curl git pkg-config libssl-dev
+RUN curl https://github.com/amacneil/dbmate/releases/download/v2.4.0/dbmate-linux-amd64 -L -o /usr/bin/dbmate && chmod +x /usr/bin/dbmate
+RUN cargo install cargo-watch
+RUN rustup component add clippy-preview
+RUN rustup component add rustfmt
+
+FROM development as build
+
+COPY . /app
+WORKDIR /app/actix-api
+RUN cargo build --release
+
+FROM debian:bullseye-slim as production
+
+COPY --from=build /usr/bin/dbmate /usr/bin/dbmate
+COPY --from=build /app/actix-api/target/release/actix-api /usr/bin/actix-api
+COPY --from=build /app/actix-api/startup.sh /usr/bin/startup.sh
+COPY --from=build /app/dbmate /app/dbmate
+
+STOPSIGNAL SIGINT
+
+CMD [ "startup.sh" ]
diff --git a/Dockerfile.yew b/Dockerfile.yew
@@ -0,0 +1,25 @@
+FROM --platform=linux/amd64  rust:1.65-slim-bullseye as development
+
+RUN rustup default nightly-2022-10-21
+RUN apt-get --yes update && apt-get --yes install git pkg-config libssl-dev
+RUN cargo install wasm-bindgen-cli --version 0.2.78
+RUN cargo install trunk --version 0.16.0
+RUN rustup target add wasm32-unknown-unknown
+
+FROM --platform=linux/amd64  development as build
+
+# TODO - this is a hack to get around the fact that the yew-ui crate is not bundled with the backend
+ENV ENABLE_OAUTH=false
+ENV LOGIN_URL=""
+ENV ACTIX_UI_BACKEND_URL="wss://api.rustlemania.com"
+WORKDIR /app
+COPY . .
+WORKDIR /app/yew-ui
+
+RUN trunk build --release
+
+FROM --platform=linux/amd64 nginx:1.21.5-alpine as production
+
+COPY nginx.conf /etc/nginx/nginx.conf
+
+COPY --from=build /app/yew-ui/dist /usr/share/nginx/html
diff --git a/actix-api/src/db/mod.rs b/actix-api/src/db/mod.rs
@@ -8,7 +8,7 @@ pub type PostgresPool = Pool<PostgresConnectionManager<NoTls>>;
 pub type PostgresConnection = PooledConnection<PostgresConnectionManager<NoTls>>;
 
 pub fn get_database_url() -> String {
-    env::var("PG_URL").unwrap()
+    env::var("DATABASE_URL").unwrap()
 }
 
 pub fn get_pool() -> PostgresPool {

diff --git a/actix-api/src/main.rs b/actix-api/src/main.rs
@@ -20,6 +20,7 @@ use actix_web::{
 };
 use actix_web_actors::ws::{handshake, WebsocketContext};
 use log::{debug, info};
+use models::AppConfig;
 
 use crate::{
     actors::{chat_server::ChatServer, chat_session::WsChatSession},
@@ -32,18 +33,10 @@ use crate::{
 };
 use reqwest::header::LOCATION;
 
-const OAUTH_CLIENT_ID: &str = std::env!("OAUTH_CLIENT_ID");
-const OAUTH_AUTH_URL: &str = std::env!("OAUTH_AUTH_URL");
-const OAUTH_TOKEN_URL: &str = std::env!("OAUTH_TOKEN_URL");
-const OAUTH_SECRET: &str = std::env!("OAUTH_CLIENT_SECRET");
-const OAUTH_REDIRECT_URL: &str = std::env!("OAUTH_REDIRECT_URL");
-const SCOPE: &str = "email%20profile%20openid";
-const ACTIX_PORT: &str = std::env!("ACTIX_PORT");
-const AFTER_LOGIN_URL: &str = concat!("http://localhost:", std::env!("TRUNK_SERVE_PORT"));
-
 pub mod auth;
 pub mod db;
 
+const SCOPE: &str = "email%20profile%20openid";
 /**
  * Function used by the Web Application to initiate OAuth.
  *
@@ -52,7 +45,10 @@ pub mod db;
  * The server implements PKCE (Proof Key for Code Exchange) to protect itself and the users.
  */
 #[get("/login")]
-async fn login(pool: web::Data<PostgresPool>) -> Result<HttpResponse, Error> {
+async fn login(
+    pool: web::Data<PostgresPool>,
+    cfg: web::Data<AppConfig>,
+) -> Result<HttpResponse, Error> {
     // TODO: verify if user exists in the db by looking at the session cookie, (if the client provides one.)
     let pool2 = pool.clone();
 
@@ -68,9 +64,9 @@ async fn login(pool: web::Data<PostgresPool>) -> Result<HttpResponse, Error> {
 
     // 3. Craft OAuth Login URL
     let oauth_login_url = format!("{oauth_url}?client_id={client_id}&redirect_uri={redirect_url}&response_type=code&scope={scope}&prompt=select_account&pkce_challenge={pkce_challenge}&state={state}&access_type=offline",
-                                    oauth_url=OAUTH_AUTH_URL,
-                                    redirect_url=OAUTH_REDIRECT_URL,
-                                    client_id=OAUTH_CLIENT_ID,
+                                    oauth_url=cfg.oauth_auth_url,
+                                    redirect_url=cfg.oauth_redirect_url,
+                                    client_id=cfg.oauth_client_id,
                                     scope=SCOPE,
                                     pkce_challenge=pkce_challenge.as_str(),
                                     state=&csrf_token.secret()
@@ -94,6 +90,7 @@ async fn login(pool: web::Data<PostgresPool>) -> Result<HttpResponse, Error> {
 async fn handle_google_oauth_callback(
     pool: web::Data<PostgresPool>,
     info: web::Query<AuthRequest>,
+    cfg: web::Data<AppConfig>,
 ) -> Result<HttpResponse, Error> {
     let state = info.state.clone();
 
@@ -109,11 +106,11 @@ async fn handle_google_oauth_callback(
 
     // 2. Request token from OAuth provider.
     let (oauth_response, claims) = request_token(
-        OAUTH_REDIRECT_URL,
-        OAUTH_CLIENT_ID,
-        OAUTH_SECRET,
+        &cfg.oauth_auth_url,
+        &cfg.oauth_client_id,
+        &cfg.oauth_secret,
         &oauth_request.pkce_verifier,
-        OAUTH_TOKEN_URL,
+        &cfg.oauth_token_url,
         &info.code,
     )
     .await
@@ -142,7 +139,7 @@ async fn handle_google_oauth_callback(
 
     // 5. Send cookie and redirect browser to AFTER_LOGIN_URL
     let mut response = HttpResponse::Found();
-    response.append_header((LOCATION, AFTER_LOGIN_URL));
+    response.append_header((LOCATION, cfg.after_login_url.clone()));
     response.cookie(cookie);
     Ok(response.finish())
 }
@@ -181,6 +178,13 @@ async fn main() -> std::io::Result<()> {
     env_logger::init();
     info!("start");
     let chat = ChatServer::new().start();
+    let oauth_client_id: String = std::env::var("OAUTH_CLIENT_ID").unwrap_or(String::from(""));
+    let oauth_auth_url: String = std::env::var("OAUTH_AUTH_URL").unwrap_or(String::from(""));
+    let oauth_token_url: String = std::env::var("OAUTH_TOKEN_URL").unwrap_or(String::from(""));
+    let oauth_secret: String = std::env::var("OAUTH_CLIENT_SECRET").unwrap_or(String::from(""));
+    let oauth_redirect_url: String =
+        std::env::var("OAUTH_REDIRECT_URL").unwrap_or(String::from(""));
+    let after_login_url: String = std::env::var("UI_ENDPOINT").unwrap_or(String::from(""));
 
     HttpServer::new(move || {
         let cors = Cors::permissive();
@@ -190,12 +194,26 @@ async fn main() -> std::io::Result<()> {
         App::new()
             .app_data(web::Data::new(pool))
             .app_data(web::Data::new(AppState { chat: chat.clone() }))
+            .app_data(web::Data::new(AppConfig {
+                oauth_client_id: oauth_client_id.clone(),
+                oauth_auth_url: oauth_auth_url.clone(),
+                oauth_token_url: oauth_token_url.clone(),
+                oauth_secret: oauth_secret.clone(),
+                oauth_redirect_url: oauth_redirect_url.clone(),
+                after_login_url: after_login_url.clone(),
+            }))
             .wrap(cors)
             .service(handle_google_oauth_callback)
             .service(login)
             .service(ws_connect)
     })
-    .bind(("0.0.0.0", ACTIX_PORT.parse::<u16>().unwrap()))?
+    .bind((
+        "0.0.0.0",
+        std::env::var("ACTIX_PORT")
+            .unwrap_or(String::from("8080"))
+            .parse::<u16>()
+            .unwrap(),
+    ))?
     .run()
     .await
 }
diff --git a/actix-api/src/models/mod.rs b/actix-api/src/models/mod.rs
@@ -5,3 +5,12 @@ use crate::actors::chat_server::ChatServer;
 pub struct AppState {
     pub chat: Addr<ChatServer>,
 }
+
+pub struct AppConfig {
+    pub oauth_client_id: String,
+    pub oauth_secret: String,
+    pub oauth_redirect_url: String,
+    pub oauth_auth_url: String,
+    pub oauth_token_url: String,
+    pub after_login_url: String,
+}
diff --git a/actix-api/startup.sh b/actix-api/startup.sh
@@ -0,0 +1,3 @@
+#!/bin/bash -e
+/app/dbmate/startup.sh
+actix-api
diff --git a/dbmate/startup.sh b/dbmate/startup.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -e
 pushd /app/dbmate
 dbmate wait
 dbmate up

diff --git a/docker/StateFile.yml b/docker/StateFile.yml
@@ -35,7 +35,6 @@ Cargoes:
           - ${{ Envs.HOME }}/.cargo/registry:/usr/local/cargo/registry
       Env:
       - ACTIX_HOST=api.zoom.rs
-      - ACTIX_PORT=8080
       - ACTIX_UI_BACKEND_URL=ws://api.zoom.rs
       - TRUNK_SERVE_PORT=8081
       - ENABLE_OAUTH=false
@@ -72,7 +71,6 @@ Cargoes:
         - OAUTH_CLIENT_SECRET=${{Envs.OAUTH_CLIENT_SECRET}}
         - OAUTH_REDIRECT_URL=http://api.zoom.rs/login/callback
         - RUST_LOG=debug
-        - PG_URL=postgres://postgres:[email protected]:5432/actix-api-db?sslmode=disable
         - NATS_URL=nats.zoom.rs
         - DATABASE_URL=postgres://postgres:[email protected]:5432/actix-api-db?sslmode=disable
 

diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml
@@ -12,8 +12,6 @@ services:
     working_dir: /app/yew-ui
     command: bash -c "trunk serve --address 0.0.0.0 --port ${TRUNK_SERVE_PORT:-80}"
     environment:
-      - ACTIX_HOST=${ACTIX_HOST:-localhost}
-      - ACTIX_PORT=${ACTIX_PORT:-8080}
       - ACTIX_UI_BACKEND_URL=${ACTIX_UI_BACKEND_URL:-ws://localhost:8080}
       - TRUNK_SERVE_PORT=${TRUNK_SERVE_PORT:-80}
       - ENABLE_OAUTH=false
@@ -30,16 +28,14 @@ services:
     command: bash -c "/app/dbmate/startup.sh && cargo watch -x \"run -r\""
     environment:
       - ACTIX_PORT=${ACTIX_PORT:-8080}
-      - TRUNK_SERVE_PORT=${TRUNK_SERVE_PORT:-80}
-      - TRUNK_SERVE_HOST=localhost
+      - UI_ENDPOINT=${UI_ENDPOINT:-http://localhost:80}
       - OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID}
       - OAUTH_AUTH_URL=${OAUTH_AUTH_URL}
       - OAUTH_TOKEN_URL=${OAUTH_TOKEN_URL}
       - OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET}
       - OAUTH_REDIRECT_URL=http://localhost:${ACTIX_PORT:-8080}/login/callback
       - RUST_LOG=info
       - DATABASE_URL=postgres://postgres:docker@postgres:5432/actix-api-db?sslmode=disable
-      - PG_URL=postgres://postgres:docker@postgres:5432/actix-api-db?sslmode=disable
       - NATS_URL=nats:4222
     ports:
       - "${ACTIX_PORT:-8080}:${ACTIX_PORT:-8080}"

diff --git a/helm/.gitignore b/helm/.gitignore
@@ -0,0 +1,3 @@
+charts
+issuer.yaml
+secret.yaml
diff --git a/helm/README.md b/helm/README.md
@@ -0,0 +1,10 @@
+# Deploying with helm to kubernetes
+
+1. Create a cluster
+1. Deploy ingress-nginx
+1. Setup DNS records with the ingress-nginx external IP
+1. Deploy internal nats and postgres
+1. Deploy rustlemania without SSL
+1. Deploy cert-manager
+1. Create a cert-manager issuer
+1. Upgrade rustlemania to include SSL
diff --git a/helm/cert-manager/Chart.lock b/helm/cert-manager/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v1.12.2
+digest: sha256:e6bf98d4441b0fd59de1af1d0699137396520bfe1f50f36d092a676ce6395c26
+generated: "2023-06-16T16:31:58.732255816-04:00"
diff --git a/helm/cert-manager/Chart.yaml b/helm/cert-manager/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+name: rustlemania-cert-manager
+version: 1.0.0
+
+dependencies:
+  - name: cert-manager
+    version: 1.12.2
+    repository: https://charts.jetstack.io
diff --git a/helm/cert-manager/values.yaml b/helm/cert-manager/values.yaml
@@ -0,0 +1,2 @@
+cert-manager:
+  installCRDs: true
diff --git a/helm/ingress-nginx/Chart.lock b/helm/ingress-nginx/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: ingress-nginx
+  repository: https://kubernetes.github.io/ingress-nginx
+  version: 4.7.0
+digest: sha256:6dfa18d4071adbb07799d25c0612b2406666d72df9b7006c498ad0c6737f20e1
+generated: "2023-06-16T16:28:45.72699788-04:00"
diff --git a/helm/ingress-nginx/Chart.yaml b/helm/ingress-nginx/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+name: rustlemania-ingress-nginx
+version: 1.0.0
+
+dependencies:
+  - name: ingress-nginx
+    version: 4.7.0
+    repository: https://kubernetes.github.io/ingress-nginx
diff --git a/helm/nats/Chart.lock b/helm/nats/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: nats
+  repository: https://nats-io.github.io/k8s/helm/charts/
+  version: 0.19.15
+digest: sha256:068e4c9258b50decadb4bc245b16a7036613591d64f1138fa7715c2af09aec1b
+generated: "2023-06-16T15:39:38.310776778-04:00"
diff --git a/helm/nats/Chart.yaml b/helm/nats/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+name: rustlemania-nats
+version: 0.1.0
+
+dependencies:
+  - name: nats
+    version: 0.19.15
+    repository: https://nats-io.github.io/k8s/helm/charts/
diff --git a/helm/nats/values.yaml b/helm/nats/values.yaml
@@ -0,0 +1,8 @@
+nats:
+  nats:
+    natsbox:
+      enabled: true
+    cluster:
+      enabled: true
+      replicas: 5
+      noAdvertise: true
diff --git a/helm/postgres/Chart.lock b/helm/postgres/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: postgresql
+  repository: https://charts.bitnami.com/bitnami
+  version: 12.5.7
+digest: sha256:b81e4b8537abfe5f8a5fbbd93ee3eb9b7396eb145d52bf717e1c81f286260993
+generated: "2023-06-16T15:46:17.792158524-04:00"
diff --git a/helm/postgres/Chart.yaml b/helm/postgres/Chart.yaml
@@ -0,0 +1,8 @@
+apiVersion: v2
+name: rustlemania-postgres
+version: 1.0.0
+
+dependencies:
+  - name: postgresql
+    version: 12.5.7
+    repository: https://charts.bitnami.com/bitnami
diff --git a/helm/postgres/values.yaml b/helm/postgres/values.yaml
@@ -0,0 +1,3 @@
+postgresql:
+  auth:
+    existingSecret: rustlemania