
Commit c90afd8

committed
chore: use vault for secrets
1 parent 7c6e07f commit c90afd8


4 files changed

+226
-5
lines changed


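--- a/Dockerfile
+++ b/Dockerfile
@@ -30,5 +30,5 @@ ARG COMMIT_HASH
 RUN test -n "$COMMIT_HASH" && \
 echo $COMMIT_HASH > COMMIT_HASH.txt
 
-ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+ENTRYPOINT ["/usr/bin/dumb-init", "./scripts/load_secrets_and_run.sh"]
 CMD ["yarn", "start"]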
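Review bot: The new ENTRYPOINT now hands `CMD ["yarn", "start"]` to `./scripts/load_secrets_and_run.sh` rather than running it directly, so that script has to finish with `exec "$@"` for yarn to become dumb-init's direct child and receive the signals it forwards; the script is presumably one of the two changed files not shown here, so confirm that. The path is relative, so it resolves against the WORKDIR set earlier in the Dockerfile (outside this hunk), and the file must already be copied into the image with execute permission at this point. Dropping the `--` separator is harmless here since the script name does not begin with a dash.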

hokusai/production.yml

Lines changed: 106 additions & 2 deletions
@@ -28,14 +28,36 @@ spec:
2828
app.kubernetes.io/version: production
2929
name: positron-web
3030
spec:
31+
initContainers:
32+
- name: setenv
33+
image: 585031190124.dkr.ecr.us-east-1.amazonaws.com/fortress:production
34+
imagePullPolicy: Always
35+
command:
36+
- python
37+
- src/load/load.py
38+
- kubernetes
39+
- production
40+
- positron
41+
envFrom:
42+
- configMapRef:
43+
name: secrets-config
44+
volumeMounts:
45+
- name: secrets
46+
mountPath: /secrets
3147
containers:
3248
- name: positron-web
3349
args:
3450
- yarn
3551
- production
3652
envFrom:
53+
- configMapRef:
54+
name: secrets-config
3755
- configMapRef:
3856
name: positron-environment
57+
volumeMounts:
58+
- name: secrets
59+
mountPath: /secrets
60+
readOnly: true
3961
env:
4062
- name: PORT
4163
value: '8080'
@@ -82,6 +104,7 @@ spec:
82104
options:
83105
- name: ndots
84106
value: '1'
107+
serviceAccountName: positron
85108
affinity:
86109
nodeAffinity:
87110
requiredDuringSchedulingIgnoredDuringExecution:
@@ -91,6 +114,9 @@ spec:
91114
operator: In
92115
values:
93116
- foreground
117+
volumes:
118+
- name: secrets
119+
emptyDir: {}
94120
---
95121
apiVersion: autoscaling/v1
96122
kind: HorizontalPodAutoscaler
@@ -121,18 +147,41 @@ spec:
121147
annotations:
122148
cluster-autoscaler.kubernetes.io/safe-to-evict: 'false'
123149
spec:
150+
initContainers:
151+
- name: setenv
152+
image: 585031190124.dkr.ecr.us-east-1.amazonaws.com/fortress:production
153+
imagePullPolicy: Always
154+
command:
155+
- python
156+
- src/load/load.py
157+
- kubernetes
158+
- production
159+
- positron
160+
envFrom:
161+
- configMapRef:
162+
name: secrets-config
163+
volumeMounts:
164+
- name: secrets
165+
mountPath: /secrets
124166
containers:
125167
- name: positron-scheduled-posts-cron
126168
image: 585031190124.dkr.ecr.us-east-1.amazonaws.com/positron:production
127-
command:
169+
args:
128170
- yarn
129171
- task
130172
- scripts/scheduled_posts.js
131173
imagePullPolicy: Always
132174
envFrom:
133175
- configMapRef:
134176
name: positron-environment
177+
- configMapRef:
178+
name: secrets-config
179+
volumeMounts:
180+
- name: secrets
181+
mountPath: /secrets
182+
readOnly: true
135183
restartPolicy: Never
184+
serviceAccountName: positron
136185
affinity:
137186
nodeAffinity:
138187
requiredDuringSchedulingIgnoredDuringExecution:
@@ -142,6 +191,9 @@ spec:
142191
operator: In
143192
values:
144193
- background
194+
volumes:
195+
- name: secrets
196+
emptyDir: {}
145197
---
146198
apiVersion: batch/v1
147199
kind: CronJob
@@ -158,18 +210,41 @@ spec:
158210
annotations:
159211
cluster-autoscaler.kubernetes.io/safe-to-evict: 'false'
160212
spec:
213+
initContainers:
214+
- name: setenv
215+
image: 585031190124.dkr.ecr.us-east-1.amazonaws.com/fortress:production
216+
imagePullPolicy: Always
217+
command:
218+
- python
219+
- src/load/load.py
220+
- kubernetes
221+
- production
222+
- positron
223+
envFrom:
224+
- configMapRef:
225+
name: secrets-config
226+
volumeMounts:
227+
- name: secrets
228+
mountPath: /secrets
161229
containers:
162230
- name: positron-unqueue-cron
163231
image: 585031190124.dkr.ecr.us-east-1.amazonaws.com/positron:production
164-
command:
232+
args:
165233
- yarn
166234
- task
167235
- scripts/unqueue.js
168236
imagePullPolicy: Always
169237
envFrom:
170238
- configMapRef:
171239
name: positron-environment
240+
- configMapRef:
241+
name: secrets-config
242+
volumeMounts:
243+
- name: secrets
244+
mountPath: /secrets
245+
readOnly: true
172246
restartPolicy: Never
247+
serviceAccountName: positron
173248
affinity:
174249
nodeAffinity:
175250
requiredDuringSchedulingIgnoredDuringExecution:
@@ -179,6 +254,9 @@ spec:
179254
operator: In
180255
values:
181256
- background
257+
volumes:
258+
- name: secrets
259+
emptyDir: {}
182260
---
183261
apiVersion: batch/v1
184262
kind: CronJob
@@ -195,6 +273,22 @@ spec:
195273
annotations:
196274
cluster-autoscaler.kubernetes.io/safe-to-evict: 'false'
197275
spec:
276+
initContainers:
277+
- name: setenv
278+
image: 585031190124.dkr.ecr.us-east-1.amazonaws.com/fortress:production
279+
imagePullPolicy: Always
280+
command:
281+
- python
282+
- src/load/load.py
283+
- kubernetes
284+
- production
285+
- positron
286+
envFrom:
287+
- configMapRef:
288+
name: secrets-config
289+
volumeMounts:
290+
- name: secrets
291+
mountPath: /secrets
198292
containers:
199293
- name: positron-data-export-cron
200294
image: artsy/mongo-data-sync
@@ -205,11 +299,18 @@ spec:
205299
envFrom:
206300
- configMapRef:
207301
name: positron-environment
302+
- configMapRef:
303+
name: secrets-config
304+
volumeMounts:
305+
- name: secrets
306+
mountPath: /secrets
307+
readOnly: true
208308
args:
209309
- sh
210310
- ./export-db.sh
211311
- production
212312
restartPolicy: Never
313+
serviceAccountName: positron
213314
affinity:
214315
nodeAffinity:
215316
requiredDuringSchedulingIgnoredDuringExecution:
@@ -219,6 +320,9 @@ spec:
219320
operator: In
220321
values:
221322
- background
323+
volumes:
324+
- name: secrets
325+
emptyDir: {}
222326
---
223327
apiVersion: v1
224328
kind: Service
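Review bot: The `secrets` volume added in the `@@ -91,6 +114,9 @@` hunk is a plain `emptyDir: {}`, so whatever the `setenv` init container writes to /secrets goes to the node's disk rather than memory; the same applies to the `volumes:` hunks of the three CronJobs. Backing it with tmpfs keeps the material off disk: `emptyDir:` / `  medium: Memory` (the `readOnly: true` on the application containers and the writable mount on the init container are correct as written). Two further points are worth confirming: `fortress:production` is a mutable tag pulled with `imagePullPolicy: Always`, so the image that fetches production secrets is not pinned, and a digest reference would make it immutable; and the `positron-data-export-cron` container runs `artsy/mongo-data-sync` with `sh ./export-db.sh`, which does not go through `load_secrets_and_run.sh`, so check that `export-db.sh` actually reads /secrets, otherwise the mount and the `secrets-config` envFrom on that container are dead configuration.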
