diff --git a/configuration/environments/br_k8s_dev.yaml b/configuration/environments/br_k8s_dev.yaml deleted file mode 100644 index 7fba1dbb..00000000 --- a/configuration/environments/br_k8s_dev.yaml +++ /dev/null @@ -1,572 +0,0 @@ ---- -target: - app: 'br' - env: 'dev' - metadata: - azure: - default: - subscription: &defaultAzureSubscription 'c5f809dc-aa76-428e-a859-9e54a5510fb7' # Acuity Brands, Inc. Bedrock-Dev - location: &defaultAzureLocation 'centralus' - dns_subscription: &subscription_dns 'c5f809dc-aa76-428e-a859-9e54a5510fb7' # Acuity Brands, Inc. Bedrock-Dev - service_deployment: - tenant: &brDefaultTenant 'caadbe96-024e-4f67-82ec-fb28ff53d16d' # sponsored by Acuity Brands, Inc. - authn_tenant: &environmentTenant 'common' # allow all AD tenants to authenticate - app_registration: - bedrock_application_id: &bedrockApplicationID '24b765b5-8108-4374-8141-1a65c0fc42ab' # Acuity Brands, Inc. sponsored demo application - k8s_namespace: &brNamespace 'brk8s' - tags: &labels 'env=##app-env## role=##app-env##' - iaas: - location: *defaultAzureLocation - resource_groups: - # for naming conventions, see: https://docs.acuitynext.net/wiki/azure-naming-conventions/ - # ##app-env## resource groups - - name: &brWafRG 'Waf-##appenv##' - action: 'create' - - name: &brDbRG 'Data-##appenv##' - action: 'create' - - name: &brKeysRG 'Kv-##appenv##' - action: 'create' - - name: &brAcrRG 'Acr-##appenv##' - action: 'create' - - name: &brK8sRG 'K8S-##appenv##' - action: 'create' - - name: &brAuditLogEhRG 'AuditLog-Eh-##appenv##' - action: 'create' - networking: - public_ip: - - name: &waf_zone_redundant_IPV4 '##app-env##-waf-k8s-zrpipv4' - resource_group: *brWafRG - subscription: *defaultAzureSubscription - arm_type: 'Microsoft.Network/publicIPAddresses' - sku: 'Standard' - version: 'Ipv4' - # zone: '1' - allocation_method: 'Static' - action: 'create' - - name: &waf_zone_redundant_IPV6 '##app-env##-waf-k8s-zrpipv6' - resource_group: *brWafRG - subscription: *defaultAzureSubscription - arm_type: 'Microsoft.Network/publicIPAddresses' - sku: 'Standard' - version: 'Ipv6' - # zone: '1' - allocation_method: 'Static' - action: 'create' - dns_zones: - - name: 'bedrock.gneiss-tech.net' - resource_group: *brWafRG - subscription: *subscription_dns - action: 'create' - dns_a_records: - - zone: &dnsZone 'bedrock.gneiss-tech.net' - host: &dnsHost '##app-env##' - fqdn: &wafFqdn '##app-env##.bedrock.gneiss-tech.net.' - resource_group: *brWafRG - subscription: *subscription_dns - a_record_ttl: 3600 - a_record_public_ip: *waf_zone_redundant_IPV4 - action: 'create' - paas: - location: *defaultAzureLocation - keyvaults: - # ##app-env## Key Vault - - name: &kvName '##app-env##-master-kv' - resource_group: *brKeysRG - arm_type: 'Microsoft.KeyVault/vaults' - purge: 'false' - action: 'create' - service_principals: - # for K8S to call Azure APIs - - name: &spK8S '##app-env##-k8s-sp' - key_vault: - vault: *kvName - resource_group: *brKeysRG - secret_name: *spK8S - role: 'Contributor' - scopes: - - '/subscriptions/' - - *defaultAzureSubscription - - '/resourceGroups/' - - *brK8sRG - - ' ' - - '/subscriptions/' - - *defaultAzureSubscription - - '/resourceGroups/' - - *brWafRG - action: 'create' - databases: - servers: - - name: &brDefaultDbServer '##app-env##-sqls' - arm_type: 'Microsoft.Sql/servers' - subscription: *defaultAzureSubscription - resource_group: *brDbRG - admin_name: &brDefaultDBAdminName '##app-env##-sqls-admin-user' - admin_password_kv: - vault: *kvName - resource_group: *brKeysRG - secret_name: &brDefaultDBSecretName '##app-env##-sqls-admin-pw' - default_firewall_rule: - name: 'AllowAllWindowsAzureIps' - arm_type: 'Microsoft.Sql/servers/firewallRules' - start_ip_address: '0.0.0.0' - end_ip_address: '0.0.0.0' - action: 'preserve' - db_template: &dbTemplate - arm_type: 'Microsoft.Sql/servers/databases' - resource_group: *brDbRG - server: *brDefaultDbServer - license_type: 'LicenseIncluded' - max_size: '250GB' - auto_pause_delay: -1 - zone_redundant: false - catalog_collation: 'SQL_Latin1_General_CP1_CI_AS' - collation: 'SQL_Latin1_General_CP1_CI_AS' - capacity: 2 - min_capacity: 0.5 - tier: 'GeneralPurpose' - family: 'Gen5' - service_objective: 'GP_S_Gen5' - action: 'preserve' - instances: - # https://docs.microsoft.com/en-us/azure/azure-sql/database/resource-limits-vcore-single-databases - - name: &brDefault '##app-env##-br-default' - <<: *dbTemplate - container_registries: - - name: &primaryACR '##appenv##registry' - arm_type: 'Microsoft.ContainerRegistry/registries' - resource_group: *brAcrRG - uri: &uriPrimaryACR 'https://##appenv##registry.azurecr.io' - sku: 'Premium' - admin_enabled: true - action: 'create' - # storage accounts - for data that must persist longer than a cluster lifetime (survives cluster rebuild) - storage: - accounts: - - name: &sa001name '##appenv##cmsa001abl' - resource_group: *brDbRG - location: *defaultAzureLocation - encryption_services: 'file' - https_only: true - kind: 'StorageV2' - sku: 'Standard_ZRS' - tags: *labels - arm_type: 'Microsoft.Storage/storageAccounts' - action: 'create' - - name: &auditsa001name '##appenv##auditsa001abl' - resource_group: *brAuditLogEhRG - location: *defaultAzureLocation - encryption_services: 'file' - https_only: true - kind: 'StorageV2' - sku: 'Standard_GRS' - tags: *labels - arm_type: 'Microsoft.Storage/storageAccounts' - action: 'create' - # azure files - for data that must persist longer than a cluster lifetime (survives cluster rebuild) - azure_files: - - name: &certbotState 'certbot-state' - quota: '10' - storage_account_name: *sa001name - metadata: 'env=##appenv## role=##appenv##' - pv: - create: "true" - pvc: - create: "false" - action: 'create' - # blob store - for data that must persist longer than a cluster lifetime (survives cluster rebuild) - blob_store: - - name: &auditLogBlobContainerName 'audit-log-history' - storage_account_name: *auditsa001name - metadata: 'env=##appenv## role=##appenv##' - action: 'create' - # event hub namespaces - data that must persist longer than a cluster lifetime (survives cluster rebuild) - event_hub_namespaces: - eh_namespace_template: &eh_namespace_template - name: &eh_ns_template_namespace 'fixme-eh-name-placeholder' - resource_group: &eh_ns_template_resource_group 'fixme-eh-resource-group-placeholder' - capacity: 'fixme-eh-capacity-placeholder' - auto_inflate: 'true' - enable_kafka: 'true' - location: *defaultAzureLocation - maximum_throughput_units: '0' # 0 when auto_inflate is 'false' - sku: 'Standard' - tags: *labels - network_rules_default_action: 'Allow' - subscription: *defaultAzureSubscription - arm_type: 'Microsoft.EventHub/Namespaces' - action: 'Preserve' - topics: - - name: &eh_topic_name 'fixme-eventub-topic-name' - namespace: *eh_ns_template_namespace - resource_group: *eh_ns_template_resource_group - enable_capture: 'false' - message_retention: 7 - partition_count: 32 - status: 'Active' - arm_type: 'Microsoft.EventHub/Namespaces/EventHubs' - action: 'Preserve' - capture: - skip_empty_archives: 'true' - capture_interval: 60 - capture_size_limit: 524288000 - archive_name_format: '{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}' - blob_container: 'fixme-eh-topic-blob-container-name' # Blob container Name - destination_name: 'fixme-eh-topic-destination-name' # Name for capture destination. - storage_account: 'fixme-eh-topic-storage-account' # name or ARM resource id - consumer_groups: - - name: &eh_consumer_group_template - topic_name: *eh_topic_name - namespace: *eh_ns_template_namespace - resource_group: *eh_ns_template_resource_group - user_metadata: 'fixme-user-meta-data-1024-bytes' - authorization_rules: - - name: &eh_authorization_rule_template 'fixme-eventhub-authorization-rule-name' - topic_name: *eh_topic_name - namespace: *eh_ns_template_namespace - resource_group: *eh_ns_template_resource_group - rights: 'Send' # Space-separated list of Authorization rule rights. Allowed values: Listen, Manage, Send. - key_store: - vault: *kvName - secret_name_001: '' - secret_name_002: '' - authorized_managed_identities: - - id: 'fixme-authorized-managed-identity-001' - roles: - - 'fixme-role-writer' - - id: 'fixme-authorized-managed-identity-002' - roles: - - 'fixme-role-writer' - instances: - - <<: *eh_namespace_template - name: &brAuditEhNamespace '##app-env##-audit-log-eh-namespace' - resource_group: *brAuditLogEhRG - capacity: '1' - auto_inflate: 'true' - enable_kafka: 'true' - location: *defaultAzureLocation - maximum_throughput_units: '20' - sku: 'Standard' - tags: *labels - network_rules_default_action: 'Allow' - subscription: *defaultAzureSubscription - arm_type: 'Microsoft.EventHub/Namespaces' - action: 'create' - topics: - - name: &brAuditEhTopic '##app-env##-audit-log-eh-topic' - namespace: *brAuditEhNamespace - resource_group: *brAuditLogEhRG - enable_capture: 'true' - message_retention: 7 - partition_count: 32 - status: 'Active' - arm_type: 'Microsoft.EventHub/Namespaces/EventHubs' - action: 'create' - capture: - skip_empty_archives: 'true' - capture_interval: 60 - capture_size_limit: 524288000 - archive_name_format: '{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}' - blob_container: *auditLogBlobContainerName # Blob container Name - destination_name: 'EventHubArchive.AzureBlockBlob' # Name for capture destination. - storage_account: *auditsa001name # name or ARM resource id - consumer_groups: - - name: &audit_log_eh_assets_consumer_group '##app-env##-audit-log-eventhub-audit-logs-cg' - topic_name: *brAuditEhTopic - namespace: *brAuditEhNamespace - resource_group: *brAuditLogEhRG - user_metadata: 'Bedrock -- sample message stream in canonical format for assets tag consumers' - authorization_rules: - - name: &br_audit_log_eh_producer_rule '##app-env##-audit-log-eventhub-producer' - topic_name: *brAuditEhTopic - namespace: *brAuditEhNamespace - resource_group: *brAuditLogEhRG - rights: 'Send' - key_store: - vault: *kvName - secret_name_001: &br_audit_log_eh_producer_key_001 '##app-env##-audit-log-eventhub-producer-key-001' - secret_name_002: &br_audit_log_eh_producer_key_002 '##app-env##-audit-log-eventhub-producer-key-002' - authorized_managed_identities: - - id: 'fixme-authorized-managed-identity-001' - roles: - - 'fixme-role-writer' - - id: 'fixme-authorized-managed-identity-002' - roles: - - 'fixme-role-reader' - k8s: - clusters: - - name: '##app-env##-k8s-001' - resource_group: *brK8sRG - location: *defaultAzureLocation - aad_tenant_id: *environmentTenant - admin_username: 'br-admin-user' - attach_acr: *primaryACR - client_secret: - - '##secure_secret={"vault":"' - - *kvName - - '","secret_name":"' - - *spK8S - - '-secret' - - '"}' - - '##' - enable_cluster_autoscaler: 'true' - enable_managed_identity: 'false' - enable_private_cluster: 'false' - generate_ssh_keys: 'true' - kubernetes_version: '1.19.6' - load_balancer_sku: 'standard' - max_count: 100 - max_pods: 30 - min_count: 3 - network_plugin: 'azure' - network_policy: 'calico' - node_count: 3 - node_osdisk_size: '60' - node_vm_size: 'Standard_DS2_v2' - nodepool_labels: *labels - nodepool_name: 'brnp001' - nodepool_tags: *labels - service_principal: - - '##secure_secret={"vault":"' - - *kvName - - '","secret_name":"' - - *spK8S - - '-app-id' - - '"}' - - '##' - ssh_key_value: '~/.ssh/id_##app_env##_k8s.pub' - tags: *labels - vm_set_type: 'VirtualMachineScaleSets' - zones: '1 2 3' - subscription: *defaultAzureSubscription - action: 'create' - secrets: - names: - - &dataDogApiKeySecretName '##app-env##-datadog-api-key' - - &neuvectorLicenseKeyName '##app-env##-neuvector-license-key' - values: - datadog_api_key: &datadogApiKey - - '##secure_secret={"vault":"' - - *kvName - - '","secret_name":"' - - *dataDogApiKeySecretName - - '"}' - - '##' - neuvector_license_key: &neuvectorLicenseKey - - '##secure_secret={"vault":"' - - *kvName - - '","secret_name":"' - - *neuvectorLicenseKeyName - - '"}' - - '##' - datadog: - agents: - rbac: - create: true - containers: - agent: - env: - - name: 'DD_KUBELET_TLS_VERIFY' - value: 'false' - systemProbe: - env: - - name: 'DD_KUBELET_TLS_VERIFY' - value: 'false' - traceAgent: - env: - - name: 'DD_KUBELET_TLS_VERIFY' - value: 'false' - processAgent: - env: - - name: 'DD_KUBELET_TLS_VERIFY' - value: 'false' - clusterChecksRunner: - env: - - name: 'DD_KUBELET_TLS_VERIFY' - value: 'false' - rbac: - create: true - datadog: - apiKey: *datadogApiKey - leaderElection: true - collectEvents: true - clusterAgent: - enabled: true - clusterAgent: - metricsProvider: - enabled: true - clusterChecks: - enabled: false - dogstatsd: - port: 8125 - useHostPort: true - nonLocalTraffic: true - kubeStateMetricsEnabled: true - logs: - enabled: true - containerCollectAll: true - containerCollectUsingFiles: false - env: - - name: 'DD_KUBELET_TLS_VERIFY' - value: 'false' - clusterAgent: - rbac: - create: true - kube-state-metrics: - rbac: - create: true - collectors: - verticalpodautoscalers: null - saas: - helm: - default_values: - jwt: - issuers: &trustedIdProviders - - 'https://sts.windows.net/caadbe96-024e-4f67-82ec-fb28ff53d16d/' - - '=' - - 'https://management.core.windows.net/' - secrets: - names: - - &oauth2ProxyClientSecretName '##app-env##-oauth2-proxy-client-secret' - - &oauth2ProxyCookieSecretName '##app-env##-oauth2-proxy-cookie-secret' - - &wafTLSSecret 'waf-tls-secret' - values: - oauth2_proxy_client_secret: &oauth2ProxyClientSecret - - '##secure_secret={"vault":"' - - *kvName - - '","secret_name":"' - - *oauth2ProxyClientSecretName - - '"}' - - '##' - oauth2_proxy_cookie_secret: &oauth2ProxyCookieSecret - - '##secure_secret={"vault":"' - - *kvName - - '","secret_name":"' - - *oauth2ProxyCookieSecretName - - '"}' - - '##' - seed_values: - - source: - secret_name: '##app-env##-datadog-api-key' - vault_name: *kvName - subscription: *defaultAzureSubscription - dest: *dataDogApiKeySecretName - - source: - secret_name: '##app-env##-neuvector-license-key' - vault_name: *kvName - subscription: *defaultAzureSubscription - dest: *neuvectorLicenseKeyName - service_principals: - service_values: - br-http-https-echo: - replicaCount: 1 - br-tls-certificate-manager-svc-docker: - enabled: true - replicaCount: 1 - yaml_values: - - &leCertificateDir '/etc/letsencrypt' - config: - environment: - ACTIVE_TLS_PUBLISH: 'true' - CERTIFICATE_CREATED_FLAG: - - *leCertificateDir - - "/" - - *dnsHost - - '.' - - *dnsZone - - '.' - - "certificate_created.flag" - DEV_CERTIFICATE_DIR: - - *leCertificateDir - - "/" - - *dnsHost - - '.' - - *dnsZone - - '.' - - "dev-cert" - DEVELOPER_CERTIFICATE_REQUIRED_FLAG: - - *leCertificateDir - - "/" - - *dnsHost - - '.' - - *dnsZone - - '.' - - "developer_certificate_required.flag" - HOST_DOMAIN: - - *dnsHost - - '.' - - *dnsZone - IS_PRODUCTION: 'production' - PRIVATE_TLS: 'false' - RENEWAL_FAILED_FLAG: - - *leCertificateDir - - "/" - - *dnsHost - - '.' - - *dnsZone - - '.' - - "renewal_failed.flag" - TLS_SECRET_NAME: *wafTLSSecret - secrets: - TLS_PEM: '' - br-oauth-proxy-docker: - enabled: true - replicaCount: 1 - config: - environment: - OAUTH2_PROXY_AZURE_TENANT: 'common' - OAUTH2_PROXY_CLIENT_ID: *bedrockApplicationID - OAUTH2_PROXY_COOKIE_EXPIRE: '4320h' - OAUTH2_PROXY_COOKIE_NAME: 'Bedrock_AUTHN_##app_env##_v2__utm' - OAUTH2_PROXY_COOKIE_PATH: '/' - OAUTH2_PROXY_COOKIE_REFRESH: '1h' - OAUTH2_PROXY_EMAIL_DOMAINS: '*' - OAUTH2_PROXY_EXTRA_JWT_ISSUERS: *trustedIdProviders - OAUTH2_PROXY_HTTP_ADDRESS: '0.0.0.0:4180' - OAUTH2_PROXY_PASS_ACCESS_TOKEN: 'true' - OAUTH2_PROXY_PASS_AUTHORIZATION_HEADER: 'true' - OAUTH2_PROXY_PING_PATH: '/' - OAUTH2_PROXY_PROVIDER: 'azure' - OAUTH2_PROXY_REDIRECT_URL: - - 'https://' - - *dnsHost - - '.' - - *dnsZone - - '/oauth2/callback' - OAUTH2_PROXY_RESOURCE: *bedrockApplicationID - OAUTH2_PROXY_SET_AUTHORIZATION_HEADER: 'true' - OAUTH2_PROXY_SET_XAUTHREQUEST: 'true' - OAUTH2_PROXY_SILENCE_PING_LOGGING: 'true' - OAUTH2_PROXY_SKIP_AUTH_REGEX: '^/br-self-healing-api/api/v1/process,^/br-lights-map/distech-eclypse' - OAUTH2_PROXY_SKIP_JWT_BEARER_TOKENS: 'true' - OAUTH2_PROXY_SKIP_PROVIDER_BUTTON: 'true' - secrets: - OAUTH2_PROXY_CLIENT_SECRET: *oauth2ProxyClientSecret - OAUTH2_PROXY_COOKIE_SECRET: *oauth2ProxyCookieSecret - br-waf-ingress-default-backend: - replicaCount: 1 - enabled: true - br-waf-ingress: - enabled: true - controller: - replicaCount: 1 - extraArgs: - 'default-ssl-certificate': - - *brNamespace - - '/' - - *wafTLSSecret - service: - loadBalancerIP: - - '##ip_address={"ip_resource_id":"' - - '/subscriptions/' - - *defaultAzureSubscription - - '/resourceGroups/' - - *brWafRG - - '/providers/Microsoft.Network/publicIPAddresses/' - - *waf_zone_redundant_IPV4 - - '"}' - - '##' - annotations: - 'service.beta.kubernetes.io/azure-load-balancer-resource-group': *brWafRG - # 'service.beta.kubernetes.io/azure-dns-label-name': 'FIXME-DNS' - defaultBackend: - replicaCount: 1 diff --git a/configuration/environments/br_k8s_ci.yaml b/configuration/environments/template.yaml similarity index 100% rename from configuration/environments/br_k8s_ci.yaml rename to configuration/environments/template.yaml diff --git a/configuration/environments/yaml_filler.py b/configuration/environments/yaml_filler.py new file mode 100755 index 00000000..e84061e2 --- /dev/null +++ b/configuration/environments/yaml_filler.py @@ -0,0 +1,45 @@ +#!/usr/bin/python3 +import sys +import yaml + +#Grab the first argument +template_option = sys.argv[1] if len(sys.argv) == 2 else '' +if template_option not in ['ci', 'dev']: + print("""Invalid option or number of arguments. + +Usage: yaml_filler.py [OPTION] +Fill in the template.yaml with values depending on deployment option. + +Options: + ci fill out the template using the ci values + dev fill out the template using the dev values + """) + +template = yaml.safe_load(open('template.yaml')) + +env = 'dev' +resource_group = {'name': "&brWafRG 'Waf-brdev'", 'action': 'read'} +paas_purge = 'true' +keyvault = {'name': "&persistentKVName '##app##-dev-master-kv'", + 'action': 'read'} +seed_value = '*persistentKVName' + +if template_option == 'ci': + env = 'ci' + resource_group = {'name': "&brWafRG 'Waf-##appenv##'", 'action': 'create'} + paas_purge = 'false' + keyvault = None + seed_value = '*kvName' + + +template['target']['env'] = env +template['target']['iaas']['resource_groups'].insert(0, resource_group) +template['target']['paas']['keyvaults'][0]['purge'] = paas_purge +if keyvault: template['target']['paas']['keyvaults'].append(keyvault) +seed_values = template['target']['saas']['helm']['default_values']['secrets']['seed_values'] +for seed_val in seed_values: + seed_val['source']['vault_name'] = seed_value + +filename = 'br_k8s_ci.yaml' if template_option == 'ci' else 'br_k8s_dev.yaml' +with open(filename, 'w') as out_file: + out_file.write(yaml.dump(template))