Staging redis/resque stood up

jkctl

@@ -70,6 +70,13 @@ class Jkctl
     ns_file = File.join(manifest_dir, "namespace.yaml")
     execute("kubectl apply -f #{ns_file}")
 
+    # Special handling for external-dns (Kustomize)
+    if scope == 'infra'
+      env_dir = @options[:env] == 'stg' ? 'staging' : 'production'
+      ext_dns_dir = File.join(@repo_root, 'video-iac', 'k8s', 'external-dns', 'overlays', env_dir)
+      execute("kubectl apply -k #{ext_dns_dir}")
+    end
+
     # Apply all yaml files in the directory (except namespace which we just did)
     Dir.glob(File.join(manifest_dir, "*.yaml")).each do |file|
       next if file.end_index?("namespace.yaml")

k8s/external-dns/overlays/staging/configuration.yaml

@@ -12,6 +12,7 @@
     - --provider=aws
     - --registry=txt
     - --source=ingress
+    - --source=service
     - --txt-prefix=staging_ # Random string for hardener TXT entries
 - op: replace
   path: /spec/template/spec/containers/0/env

k8s/external-dns/overlays/staging/kustomization.yaml

@@ -3,21 +3,44 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: external-dns
 
-bases:
+resources:
-- ../../base
+  - ../../base
 
-patchesJson6902:
+patches:
-  - path: configuration.yaml
+  - target:
-    target:
       group: apps
       version: v1
       kind: Deployment
       name: external-dns
-
-patches:
-  - target:
-      kind: Deployment
     patch: |-
+      - op: replace
+        path: /spec/template/spec/containers/0/args
+        value:
+          - --aws-api-retries=3
+          - --domain-filter=jamkazam.com
+          - --interval=1m
+          - --log-format=text
+          - --log-level=warning
+          - --no-aws-evaluate-target-health
+          - --policy=sync
+          - --provider=aws
+          - --registry=txt
+          - --source=ingress
+          - --source=service
+          - --txt-prefix=staging_
+      - op: replace
+        path: /spec/template/spec/containers/0/env
+        value:
+          - name: AWS_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: aws-user-external-dns
+                key: username
+          - name: AWS_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: aws-user-external-dns
+                key: password
       - op: add
         path: /spec/template/spec/nodeSelector
         value:

k8s/jam-cloud-infra/network-policy.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-infra-from-authorized-ips
+  namespace: jam-cloud-infra
+spec:
+  podSelector: {} # apply to all pods in jam-cloud-infra
+  policyTypes:
+  - Ingress
+  ingress:
+  - from:
+    - ipBlock:
+        cidr: 72.14.184.26/32
+    - ipBlock:
+        cidr: 173.255.192.5/32
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: jam-cloud # allow apps in jam-cloud to talk to infra
+    - namespaceSelector:
+        matchLabels:
+          kubernetes.io/metadata.name: ingress-nginx # allow ingress controller to reach infra
+  - ports: # Optional: Keep management UI reachable from everywhere? Or also restrict? 
+    - protocol: TCP
+      port: 15672

k8s/jam-cloud-infra/postgres.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: db
+  namespace: jam-cloud-infra
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: db.staging.video.jamkazam.com
+spec:
+  ports:
+    - protocol: TCP
+      port: 5432
+      targetPort: 5432
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: db
+  namespace: jam-cloud-infra
+subsets:
+  - addresses:
+      - ip: 72.14.176.182
+    ports:
+      - port: 5432

k8s/jam-cloud-infra/rabbitmq.yaml

@@ -41,8 +41,11 @@ metadata:
   namespace: jam-cloud-infra
   annotations:
     external-dns.alpha.kubernetes.io/hostname: rabbitmq.staging.video.jamkazam.com
+    external-dns.alpha.kubernetes.io/target: 45.79.62.230
+    service.beta.kubernetes.io/linode-loadbalancer-throttle: "4"
 spec:
   type: LoadBalancer
+  externalTrafficPolicy: Cluster
   loadBalancerSourceRanges:
   - 72.14.184.26/32
   - 173.255.192.5/32

k8s/jam-cloud-infra/redis.yaml

@@ -33,8 +33,11 @@ metadata:
   namespace: jam-cloud-infra
   annotations:
     external-dns.alpha.kubernetes.io/hostname: redis.staging.video.jamkazam.com
+    external-dns.alpha.kubernetes.io/target: 45.79.63.240
+    service.beta.kubernetes.io/linode-loadbalancer-throttle: "4"
 spec:
   type: LoadBalancer
+  externalTrafficPolicy: Cluster
   loadBalancerSourceRanges:
   - 72.14.184.26/32
   - 173.255.192.5/32