Make changes to support tilt.dev local development (#264)

* add readiness probes to infra

* use rabbitmq ping over is_running

* add threshold to rabbitmq readiness probe

* use startupProbe over readinessProbe

* fix rabbitm startup

* add password to postgres autoupdate

* Escape slash in vhost

* Fix hydra secret length

* Clean up local secrets and mariadb init

* Remove null tlsStoreSecret

* Remove geoip license key

* Add values-local for traefik

* Fix init mariadb jobs and remove script

* Add postgres init job

* Add rabbitmq init jobs

* Add empty traefik object

* Fix typo

* Fix website oauth client ids

* Add mongodb init jobs and clean up init jobs and add nodebb local config

* Use postgres variables in init script

* Escape passwords and stop on errors in init jobs

* Remove $ from .Values access outside of range

* Fix postgres startup probing

---------

Co-authored-by: Brutus5000 <[email protected]>

Author: Sheikah45

apps/faf-api/templates/local-secret.yaml

@@ -12,14 +12,37 @@ stringData:
   GITHUB_WEBHOOK_SECRET: "banana"
   LEAGUE_DATABASE_PASSWORD: "banana"
   NODEBB_MASTER_TOKEN: "banana"
-  PUBLIC.KEY: "banana"
   RABBIT_PASSWORD: "banana"
   RECAPTCHA_SECRET: "banana"
-  S3_ACCESS_KEY: "banana"
-  S3_ENDPOINT: "banana"
-  S3_SECRET_KEY: "banana"
-  S3_USER_UPLOAD_BUCKET: "banana"
-  SECRET.KEY: "banana"
   STEAM_API_KEY: "banana"
   TESTING_EXE_UPLOAD_KEY: "banana"
+  PUBLIC.KEY: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNOkn/K0G7d2KHjVsSpGdyE1+TIKKAhYMetsFr7RLPDznc57AsnVnB7nCH0vyfFYPt/6lUODl0ApcAlpubHq+5eEmN6QjGsdMhF3F5s7aeiuEAr9A645ng0qKdKGlbDIuCY9wlloqrVM21Wbs2j/cJArle6AMnk0bZzVE0QB2TemTYSQGWGE5slba9Rj4qYn7id3Bkp7IkPgJOviwkrtxZF/Ye3ZFarqiYWWydCI8bI739VihhDPd9VOJd1/j7GDq2gFpW+6W3Rg9Ln+ObrXVGuwzAszhmlaRSXK3FH83z+gtv2sOc7345BkOkiwp813dkCqD/BlMchxvjvhQeNROJ [email protected]
+  SECRET.KEY: |-
+    -----BEGIN RSA PRIVATE KEY-----
+    MIIEpgIBAAKCAQEAzTpJ/ytBu3dih41bEqRnchNfkyCigIWDHrbBa+0Szw853Oew
+    LJ1Zwe5wh9L8nxWD7f+pVDg5dAKXAJabmx6vuXhJjekIxrHTIRdxebO2norhAK/Q
+    OuOZ4NKinShpWwyLgmPcJZaKq1TNtVm7No/3CQK5XugDJ5NG2c1RNEAdk3pk2EkB
+    lhhObJW2vUY+KmJ+4ndwZKeyJD4CTr4sJK7cWRf2Ht2RWq6omFlsnQiPGyO9/VYo
+    YQz3fVTiXdf4+xg6toBaVvult0YPS5/jm611RrsMwLM4ZpWkUlytxR/N8/oLb9rD
+    nO9+OQZDpIsKfNd3ZAqg/wZTHIcb474UHjUTiQIDAQABAoIBAQCMuO1IZNbbvs72
+    97x9GfI8zH/6mKQU0HfKNbKHWLZO+LfKe6vXy8ViLydGWywRwWUHawkm0K7El4oH
+    Qz5LrUz9NjfpcOMtq32D8VlEBDCyobQLDoMP/kTjXktWzAECB6YZsHOh6ooHVU0A
+    jxjKHwlbSlzlcN3I4znv2tNVqqkdF9Gbg7wUmN9n0qpj+7kDtkixJy3jm9YLxKCS
+    pNZ1UUjGKtVgl/1871slNUtANHj/xCnkYrOncrIXf472pEeSxBU5JlI4fILcyTtG
+    B9btuYBk7Z239TWDEZTqIyst0QGteNRsjE+gkB9WV1ra9JPPWDiBYye4qqaIs3al
+    jd3lkMApAoGBAP+i1aJ/c8XV18eTMYLmQZRnkjrkxyQMhJ/x+6tow6p6A16lDwHh
+    tRoyQk0XdTpQegu+YtdBXSRk6zNzE2njWEVOMK4/Zqt5a1yMSE/8MMQVler1ChdF
+    PWhZCPb+CfKm1RHXpFMsmBZx+7MumLQwjCtZfQl8YMt34gfVcXRSZ50DAoGBAM2F
+    FVrTTUVaGv6zjdO7K+5eUj0VRR2nGId5nIWqouQryJaizeBZfWatjDYVbl0qHFy2
+    QnHA+3UEsVWOkJG90rZcP4UWcDy86e5T/3FR2Xfy3kW10Gfe6hrjjbjYflleD5Qg
+    uZ9ovk/TZjTjvMWisNBSW1FILz9SMLWHoCFPGOmDAoGBANKRb4X1lAiOt7n13d+k
+    CLrUgVgvoHVqNkiFi7dKiXnAHUx1i6ISKBoW8hQMUYyiQ5Wu0j3a4n0a/74WeRRM
+    pyYXXPP613hBgJTwHJR9+DFcUmwCQbifWRC93iuNX+ZXU8Tpqrq0TeaXJywWIsSy
+    BJOkl+EbaaPP8Qhg4Z5eTmi/AoGBAMzSDyA/acjuLe0cwQH8jaG3+rnJkuIkf3u0
+    pVtJXaGMSRJnGkq2pRVJbG0SGrVanH2BXuLDc1eB38HmnQnCZlc7xEo8vIqrs2/D
+    4tXqvpKeRwquUg7Sx/kYQ0uu5uzloxz7KENIPjKL+lZHiQBmTVSwXzW4fO3cWZLw
+    oZPQooFFAoGBAMVvhsOmlpwyyS9s/CVIMirvLQEuEIIS5fMcnmCmu8P49ZZ7YSVf
+    2OJOSGj+lWkEMf2qOW7kYl303GrESeJ36KmLbDthnH+p6RSq5NzN5CAucffA0tsa
+    keX0a6YHVu9doUPhUFJdbgg8FIL1FVEJROQckMAiDcYg2mFXmtaVTjqX
+    -----END RSA PRIVATE KEY-----
 {{- end}}

apps/faf-icebreaker/templates/local-secret.yaml

@@ -10,9 +10,46 @@ stringData:
   DB_PASSWORD: "banana"
   GEOIPUPDATE_ACCOUNT_ID: "banana"
   GEOIPUPDATE_LICENSE_KEY: "banana"
-  JWT_PRIVATE_KEY_PATH: "banana"
-  JWT_PUBLIC_KEY_PATH: "banana"
   RABBITMQ_PASSWORD: "banana"
   XIRSYS_IDENT: "banana"
   XIRSYS_SECRET: "banana"
+  JWT_PRIVATE_KEY_PATH: |-
+    -----BEGIN PRIVATE KEY-----
+    MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDXsCsl9W0vnW2k
+    5GaNOVoZ6LPFYu60Y1Cd4ERRXvt8KzKTm2HHZeLKd77OLeIHR4RvJ2Q76SFwfDBM
+    35F5eEx1mjPua2ljxbObsgz/bA9yBwO1RugpNOe+GoGUhPyZvmmZwqRnnQsT/SHV
+    ZvRq7ej6k+KkJf09IIOxfWrGUj8SajW3iEpkuKdNpjp1dRnJdZAZ8mV1LgnwHCAf
+    osL3t3+PElBSxnRQNW9iYVwB9wQAWK+aivx5warhuCeyKVtDaR0x96bOUTaKL4i/
+    Uihn0CElGt5ZA907wHa6/N4Z8ssXjY+/vizYB2VYxuAG/MVkkbwWUUTGjzEEX6Ww
+    h5icvVm1AgMBAAECggEAAZYYGyVc8ja0MbxETNGZKgueFtuNaeI5G5AksHyEWPtw
+    WcmQxIipTFfpHVcVDHyoKrEdeZtTVaJ0MHyMc1pBJbRGoYBEvCkeEw0SL2a6Dlqi
+    2lh1KKhs8+b6AP+hY/gUir71upVbGYCJGSqyrX6mcgFYb2CgJizxCwMjH+ZG9Hm0
+    CkGeh4g0VDOWmx4uCChXSyoaPzD4yTJts/EOpSD61KqS+cNcnRD8PVUxwwSH+4DY
+    ZSuaAUC/kFvD4qQq2lY/eia2CQi2R1Ff2TCxcbNZ34yW8IR1UBdrOPo3orQK5vSf
+    iT5++MYJmTZJ8/QxY5M1nZqiyJEjTvaBQNGv8abKWQKBgQDxd/5lJkc13x8jPFJm
+    EnmPvxrJaYk3MLW3dtxz1HtjHDQAvCmjXy7Ss13WhLJv9nHJDtQlSRr+l+7eNPTP
+    QtiwDsqv9COfbPbvH2qcNJuNoINQ2YSKYvR0j+QlMz2dHroWEyXL4oyOfXAJ3ZrU
+    lyWn/a2BD3uiJAj4p8YzJgfgnwKBgQDkqwGC6AMLPbVmhCMnUd+cxFMkYymdi8R4
+    ZXMkjJiMLAOt8tkp8T0nqxC/zMfD0jnPKw1R9MP7XlM/tonLeAM/P8GUMwJnTCTc
+    PvP1JxkvMG3do+7y9AbLyJsNZDkbYj1wLzvZYUrXQV/HKU4balDj3QVI6yr+W6ha
+    idlsMDYBKwKBgBeuF9GdlmAvGGOhN8dwymERcbQM2HsEGN38FxR44vzOOD9WNJMj
+    83iQRISUENewCGqaPK3HZJFRHwjFkrh8qrlhSflFbPTmf7TllNPqyNJzykz0d+4G
+    VEjWD56iTsmIyOD/UbaT6grTPFiLVfLBO90koI5GkW5OMF8KPQKpGR6rAoGAU5NQ
+    1RiZbDVcpKBs/MUG1pRG0wjPP/7Ci0KBB/2/D5RSr/QPfS3nrSTv1ToyVRbz/Az/
+    LFIqgyghgyrjSBOQFEDoLpNKMJj66+iyX4qvwLiRny14eyHHjhm+2fEkkiagz+zj
+    kfrmULBbIj6thoWgFPhGIzWYnCjB6n1xkwI36ssCgYACiZNHvqld4Om2IChCjIV6
+    UPNLUDOvr7V1qsEy+y0dp2RQH9Es121n/v30GYfsUUYmH35CQYR0aOEqU17Qm2V7
+    1auC1ZD9UeE9dy2LpW635uYf16D5FejAcmxyf/MRSBBnvFauGdS2vZ7Pf05u9Zpw
+    i8UgZE7+lTYKv7+4ujmgHw==
+    -----END PRIVATE KEY-----
+  JWT_PUBLIC_KEY_PATH: |-
+    -----BEGIN PUBLIC KEY-----
+    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA17ArJfVtL51tpORmjTla
+    GeizxWLutGNQneBEUV77fCsyk5thx2Xiyne+zi3iB0eEbydkO+khcHwwTN+ReXhM
+    dZoz7mtpY8Wzm7IM/2wPcgcDtUboKTTnvhqBlIT8mb5pmcKkZ50LE/0h1Wb0au3o
+    +pPipCX9PSCDsX1qxlI/Emo1t4hKZLinTaY6dXUZyXWQGfJldS4J8BwgH6LC97d/
+    jxJQUsZ0UDVvYmFcAfcEAFivmor8ecGq4bgnsilbQ2kdMfemzlE2ii+Iv1IoZ9Ah
+    JRreWQPdO8B2uvzeGfLLF42Pv74s2AdlWMbgBvzFZJG8FlFExo8xBF+lsIeYnL1Z
+    tQIDAQAB
+    -----END PUBLIC KEY-----
 {{- end}}

apps/faf-lobby-server/templates/local-secret.yaml

@@ -6,6 +6,5 @@ metadata:
 type: Opaque
 stringData:
   DB_PASSWORD: "banana"
-  GEO_IP_LICENSE_KEY: "banana"
   MQ_PASSWORD: "banana"
 {{- end}}

apps/faf-website/templates/local-secret.yaml

@@ -5,9 +5,9 @@ metadata:
   name: {{ .Chart.Name }}
 type: Opaque
 stringData:
-  OAUTH_CLIENT_ID: "banana"
+  OAUTH_CLIENT_ID: "c5613672-0ee5-4956-8b03-c7951ef25640"
   OAUTH_CLIENT_SECRET: "banana"
-  OAUTH_M2M_CLIENT_ID: "banana"
+  OAUTH_M2M_CLIENT_ID: "b9f62a18-faae-43cc-a9b7-e15613e00273"
   OAUTH_M2M_CLIENT_SECRET: "banana"
   RECAPTCHA_SITE_KEY: "banana"
   SESSION_SECRET_KEY: "banana"

apps/nodebb/templates/local-secret.yaml

@@ -7,5 +7,26 @@ type: Opaque
 stringData:
   MONGO_NODEBB_PASSWORD: "banana"
   OAUTH_SECRET: "banana"
-  config.json: "banana" # TODO: Fix this
+  "config.json": |
+    {
+      "url": "https://forum.localhost",
+      "secret": "banana",
+      "database": "mongo",
+      "port": 4567,
+      "mongo": {
+          "host": "mongodb.faf-infra.svc",
+          "port": "27017",
+          "username": "nodebb",
+          "password": "banana",
+          "database": "nodebb"
+      },
+      "oauth": {
+        "authorizationURL": "http://ory-hydra:4444/oauth2/auth",
+        "tokenURL": "http://ory-hydra:4444/oauth2/token",
+        "fafApiProfileURL": "http://faf-api:8010/me",
+        "id": "97853a31-d7fc-424b-a4c2-f8cd053d10d2",
+        "secret": "banana",
+        "scope": "public_profile lobby"
+      }
+    }
 {{- end}}

apps/ory-hydra/templates/local-secret.yaml

@@ -9,5 +9,5 @@ stringData:
   DB_PASSWORD: "banana"
   DSN: "postgres://hydra:banana@postgres:5432/ory-hydra"
   FAF_QAI_SECRET: "banana"
-  SECRETS_SYSTEM: "banana"
+  SECRETS_SYSTEM: "bananabananabananabanana"
 {{- end}}

apps/rabbitmq/templates/config.yaml

@@ -7,3 +7,6 @@ metadata:
 data:
   ADMIN_USER: "faf-admin"
   "enabled_plugins": "[rabbitmq_management,rabbitmq_prometheus]."
+  "rabbitmq_conf": |-
+    default_user = $(ADMIN_USER)
+    default_pass = $(ADMIN_PASSWORD)

apps/rabbitmq/templates/init-rabbitmq-with-user.yaml

@@ -0,0 +1,99 @@
+# =======================================
+# Jesus, what the fuck is happening here?
+# =======================================
+#
+# 1. Create a service account
+# 2. Permit it to read configmaps and secrets in the faf-apps namespace
+# 3. Iterate over the databasesAndUsers list and create a job for each database
+#    a) initContainer: Load the configmap and secret into environment variables. This must happen via k8s api, as we can't directly reference cm/secrets cross-namespace.
+#    b) actual container: Load the env from file and create the database and user
+
+{{- $wave := 1 }}
+{{- range .Values.users }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: rabbitmq-sync-user-{{ $wave }}
+  labels:
+    app: rabbitmq-sync-user
+    argocd.argoproj.io/instance: rabbitmq
+  annotations:
+    argocd.argoproj.io/hook: PostSync
+    argocd.argoproj.io/hook-delete-policy: HookSucceeded
+    argocd.argoproj.io/sync-wave: '{{ $wave }}'
+spec:
+  backoffLimit: 1
+  template:
+    spec:
+      serviceAccountName: init-apps
+      volumes:
+        - name: config # We will store the apps config for database, username and password here
+          emptyDir: {}
+      initContainers:
+        - name: load-config
+          image: alpine/kubectl
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              set -e
+
+              mkdir -p /config
+
+              echo -n "SYNC_USERNAME=" >> /config/env
+              kubectl get cm {{ .configMapRef }} \
+                -n faf-apps \
+                -o jsonpath='{.data.{{ .usernameKey }}}' >> /config/env
+              echo >> /config/env
+
+              echo -n "SYNC_PASSWORD=" >> /config/env
+              kubectl get secret {{ .secretRef }} \
+                -n faf-apps \
+                -o jsonpath='{.data.{{ .passwordKey }}}' \
+                | base64 -d >> /config/env
+              echo >> /config/env
+          volumeMounts:
+            - name: config
+              mountPath: /config
+      containers:
+        - name: rabbitmq-sync-db-user
+          image: {{ $.Values.image.repository }}:{{ $.Values.image.tag }}
+          imagePullPolicy: Always
+          envFrom:
+            - secretRef:
+                name: rabbitmq
+            - configMapRef:
+                name: rabbitmq
+          command: ["/bin/sh", "-c"]
+          args: 
+            - |
+              set -a
+              . /config/env
+              set +a
+
+              vhost="/faf-core"
+
+              rabbitmq_admin_exec() {
+                rabbitmqadmin --format=bash --host=rabbitmq-0.rabbitmq.faf-apps.svc.cluster.local --username=$ADMIN_USER --password=$ADMIN_PASSWORD "$@"
+              }
+
+              if rabbitmq_admin_exec list vhosts | grep -q "$vhost"; then
+                echo "$vhost vhost already exists"
+              else
+                rabbitmq_admin_exec declare vhost name="$vhost" 
+              fi
+
+              if rabbitmq_admin_exec list users | grep -q "$SYNC_USERNAME"; then
+                echo "$SYNC_USERNAME user alerady exists"
+              else
+                rabbitmq_admin_exec declare user name="$SYNC_USERNAME" password="$SYNC_PASSWORD" tags=""
+              fi
+
+              rabbitmq_admin_exec declare permission vhost="$vhost" user="$SYNC_USERNAME" configure=".*" read=".*" write=".*"
+
+          volumeMounts:
+            - name: config
+              mountPath: /config
+      restartPolicy: Never
+{{- $wave = add $wave 1 }}
+{{- end }}

apps/rabbitmq/templates/statefulset.yaml

@@ -30,12 +30,26 @@ spec:
             - containerPort: 15692
               name: prometheus
               protocol: TCP
+          startupProbe:
+            exec:
+              command: ["rabbitmq-diagnostics", "-q", "ping"]
+            initialDelaySeconds: 15
+            timeoutSeconds: 15
+            periodSeconds: 5
+          envFrom:
+            - secretRef:
+                name: rabbitmq
+            - configMapRef:
+                name: rabbitmq
           volumeMounts:
             - name: rabbitmq-pvc
               mountPath: /var/lib/rabbitmq
             - name: config
               mountPath: /etc/rabbitmq/enabled_plugins
               subPath: enabled_plugins
+            - name: config
+              mountPath: /etc/rabbitmq/rabbitmq.conf
+              subPath: rabbitmq_conf
       restartPolicy: Always
       volumes:
         - name: config

apps/rabbitmq/values.yaml

@@ -1,2 +1,28 @@
+image:
+  repository: rabbitmq
+  tag: 3.13.7-management-alpine
+
 infisical-secret:
   name: rabbitmq
+
+users:
+  - configMapRef: faf-lobby-server
+    secretRef: faf-lobby-server
+    usernameKey: MQ_USER
+    passwordKey: MQ_PASSWORD
+  - configMapRef: faf-api
+    secretRef: faf-api
+    usernameKey: RABBIT_USERNAME
+    passwordKey: RABBIT_PASSWORD
+  - configMapRef: faf-league-service
+    secretRef: faf-league-service
+    usernameKey: MQ_USER
+    passwordKey: MQ_PASSWORD
+  - configMapRef: debezium
+    secretRef: debezium
+    usernameKey: RABBITMQ_USER
+    passwordKey: RABBITMQ_PASSWORD
+  - configMapRef: faf-icebreaker
+    secretRef: faf-icebreaker
+    usernameKey: RABBITMQ_USER
+    passwordKey: RABBITMQ_PASSWORD