Merge pull request #50 from nautible/release/2022.3

Release/2022.3

README.md

@@ -20,7 +20,7 @@ Kubernetesへエコシステムやアプリケーションを導入するため
 |metrics-server|メトリクスサーバーの導入||AWSのみ必要|
 |observation|Grafana,Prometheusによる監視|metrics-server（AWSのみ）||
 |pod-autoscaler|KEDAの導入|||
-|secrets|kubernetes-external-secretsの導入|||
+|secrets|external-secrets-operatorの導入|||
 |service-mesh|Istioの導入|albc（AWSのみ）||
 
 ※依存関係のあるものは、依存先のプラグインを先に導入しておく必要があります。

app-ms/README.md

@@ -1,4 +1,3 @@
-
 # app-ms
 
 ## 1. 概要
@@ -27,22 +26,43 @@ overlays
 
 ## 2. 導入
 
-aws
+### クラウドサービスへシークレットを登録する
 
-```
-$ kubectl apply -f app-ms/overlays/aws/application.yaml
-```
+app-msの稼働に必要なシークレットを登録する。AWSの場合はSecretsManager、Azureの場合はAzureKeyvaultに登録する。
+
+| name | value | aws/azure | 備考 |
+| ---- | ---- | ---- | ---- |
+| nautible-app-ms-product-db-user | 商品サービスDBのユーザー | aws/azure | |
+| nautible-app-ms-product-db-password | 商品サービスDBのパスワード | aws/azure | |
+| nautible-app-ms-order-dapr-statestore-password | 注文サービスelasticacheのパスワード（Token） | aws/azure | |
+| nautible-app-ms-cosmosdb-user | Cosmosdbのアクセスユーザー | azure | |
+| nautible-app-ms-cosmosdb-password | Cosmosdbのパスワード | azure | |
+| nautible-app-ms-servicebus-connectionstring| Azure Servicebus 接続文字列  | azure | Azureの管理コンソール＞Service Bus＞共有アクセスポリシー＞RootManageSharedAccessKey 参照 |
+
+※AzureのKeyvaultのシークレット編集方法については[こちら](../docs/azure/keyvault/README.md)を参照してください
+### SecretStoreの導入
 
-azure
+手順は[secretsのドキュメント](../secrets/README.md)を参照
 
+### アプリケーションの導入
+
+AWS
+
+```bash
+kubectl apply -f app-ms/overlays/aws/application.yaml
 ```
-$ kubectl apply -f app-ms/overlays/azure/application.yaml
+
+Azure
+
+```bash
+kubectl apply -f app-ms/overlays/azure/application.yaml
 ```
 
 ## 3. 確認
 
-```
-$ kubectl get deploy -n nautible-app-ms
+```bash
+kubectl get deploy -n nautible-app-ms
+
 NAME                               READY   UP-TO-DATE   AVAILABLE   AGE
 nautible-app-ms-customer              2/2     2            2           18d
 nautible-app-ms-order                 2/2     2            2           18d
@@ -56,14 +76,14 @@ nautible-app-ms-stock                 2/2     2            2           18d
 
 ## 4. 削除
 
-aws
+### アプリケーションの削除
 
-```
-$ kubectl delete -f app-ms/overlays/aws/application.yaml
-```
+ArgoCDのコンソールより各アプリケーションおよびapplication-rootを削除
 
-azure
+### ExternalSecretsおよびSecretの削除
 
-```
-$ kubectl delete -f app-ms/overlays/azure/application.yaml
-```
+ArgoCDのコンソールよりsecret-app-msを削除
+
+### SecretStoreの削除
+
+手順は[secretsのドキュメント](../secrets/README.md)を参照

app-ms/base/kustomization.yaml

@@ -7,5 +7,4 @@ resources:
   - product/application.yaml
   - stock/application.yaml
   - order/application.yaml
-  - payment/payment/application.yaml
-  - payment/credit/application.yaml
+  - payment/application.yaml

app-ms/overlays/aws/kustomization.yaml

@@ -2,6 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 bases:
   - ../../base
+
+resources:
+- ./secret-parameter/application.yaml
+
 patches:
 - path: patch.json
   target:

secrets/secret-parameter/aws/application.yaml → app-ms/overlays/aws/secret-parameter/application.yaml

@@ -1,15 +1,15 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: secret-parameter
+  name: secret-app-ms
   namespace: argocd
 spec:
   destination:
-    namespace: default
+    namespace: nautible-app-ms
     server: https://kubernetes.default.svc
   project: application
   source:
-    path: secrets/secret-parameter/aws
+    path: app-ms/overlays/aws/secret-parameter
     repoURL: https://github.com/nautible/nautible-plugin
     targetRevision: HEAD
   syncPolicy:

app-ms/overlays/aws/secret-parameter/github.yaml

@@ -0,0 +1,26 @@
+#
+#   For AWS SecretsManager
+#   Githubをプライベートリポジトリで運用している場合に利用する
+#
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: secret-github
+  namespace: nautible-app-ms
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: SecretStore
+    name: nautible-app-ms-secretstore
+  target:
+    name: secret-github            # Secret Resource
+    creationPolicy: Owner
+  data:
+    - secretKey: github-user       # SecretResource key
+      remoteRef:
+        key: nautible-infra-github # SecretsManager Name
+        property: user             # SecretsManager key
+    - secretKey: github-token      # SecretResource key
+      remoteRef:
+        key: nautible-infra-github # SecretsManager Name
+        property: token            # SecretsManager key

app-ms/overlays/aws/secret-parameter/order.yaml

@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: secret-nautible-app-ms-order
+  namespace: nautible-app-ms
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: SecretStore
+    name: secret-app-ms
+  target:
+    name: secret-nautible-app-ms-order             # Secret Resource
+    creationPolicy: Owner
+  data:
+    - secretKey: DAPR_STATESTORE_PW                # SecretResource key
+      remoteRef:
+        key: nautible-app-ms-order-dapr-statestore # SecretsManager Name
+        property: password                         # SecretsManager key

app-ms/overlays/aws/secret-parameter/product-db.yaml

@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: secret-nautible-app-ms-product-db
+  namespace: nautible-app-ms
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: SecretStore
+    name: secret-app-ms
+  target:
+    name: secret-nautible-app-ms-product-db # Secret Resource
+    creationPolicy: Owner
+  data:
+    - secretKey: DATABASE_USER              # SecretResource key
+      remoteRef:
+        key: nautible-app-ms-product-db     # SecretsManager Name
+        property: user                      # SecretsManager key
+    - secretKey: DATABASE_PW                # SecretResource key
+      remoteRef:
+        key: nautible-app-ms-product-db     # SecretsManager Name
+        property: password                  # SecretsManager key

app-ms/overlays/aws/secretstore.yaml

@@ -0,0 +1,22 @@
+ apiVersion: v1
+ kind: ServiceAccount
+ metadata:
+   annotations:
+     eks.amazonaws.com/role-arn: arn:aws:iam::${ACCOUNT_ID}:role/nautible-app-dev-app-secret-access-role
+   name: secretstore
+   namespace: nautible-app-ms
+---
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: secret-app-ms
+  namespace: nautible-app-ms
+spec:
+  provider:
+    aws:
+      service: SecretsManager
+      region: ap-northeast-1
+      auth:
+        jwt:
+          serviceAccountRef:
+            name: secretstore

app-ms/overlays/azure/kustomization.yaml

@@ -4,6 +4,9 @@ kind: Kustomization
 bases:
 - ../../base
 
+resources:
+- ./secret-parameter/application.yaml
+
 patches:
 - path: patch.json
   target:

secrets/secret-parameter/azure/application.yaml → app-ms/overlays/azure/secret-parameter/application.yaml

@@ -1,15 +1,15 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: secret-parameter
+  name: secret-app-ms
   namespace: argocd
 spec:
   destination:
-    namespace: default
+    namespace: nautible-app-ms
     server: https://kubernetes.default.svc
   project: application
   source:
-    path: secrets/secret-parameter/azure
+    path: app-ms/overlays/azure/secret-parameter
     repoURL: https://github.com/nautible/nautible-plugin
     targetRevision: HEAD
   syncPolicy:

app-ms/overlays/azure/secret-parameter/common.yaml

@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: secret-nautible-app-ms-common
+  namespace: nautible-app-ms
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: SecretStore
+    name: secret-app-ms
+  target:
+    name: secret-nautible-app-ms-common                         # Secret Resource
+    creationPolicy: Owner
+  data:
+    - secretKey: SERVICE_BUS_CONNECTION_STRING                  # SecretResource key
+      remoteRef:
+        key: secret/nautible-app-ms-servicebus-connectionstring # KeyVault SecretName

app-ms/overlays/azure/secret-parameter/cosmosdb.yaml

@@ -0,0 +1,20 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: secret-nautible-app-ms-cosmosdb
+  namespace: nautible-app-ms
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: SecretStore
+    name: secret-app-ms
+  target:
+    name: secret-nautible-app-ms-cosmosdb             # Secret Resource
+    creationPolicy: Owner
+  data:
+    - secretKey: DATABASE_USER                        # SecretResource key
+      remoteRef:
+        key: secret/nautible-app-ms-cosmosdb-user     # KeyVault SecretName
+    - secretKey: DATABASE_PW                          # SecretResource key
+      remoteRef:
+        key: secret/nautible-app-ms-cosmosdb-password # KeyVault SecretName

app-ms/overlays/azure/secret-parameter/github.yaml

@@ -0,0 +1,24 @@
+#
+#   For Azure key Vault
+#   Githubをプライベートリポジトリで運用している場合に利用する
+#
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: secret-github
+  namespace: nautible-app-ms
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: SecretStore
+    name: secret-app-ms
+  target:
+    name: secret-github                         # Secret Resource
+    creationPolicy: Owner
+  data:
+    - secretKey: github-user                    # SecretResource key
+      remoteRef:
+        key: secret/nautible-infra-github-user  # KeyVault SecretName
+    - secretKey: github-token                   # SecretResource key
+      remoteRef:
+        key: secret/nautible-infra-github-token # KeyVault SecretName

app-ms/overlays/azure/secret-parameter/order.yaml

@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: secret-nautible-app-ms-order
+  namespace: nautible-app-ms
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: SecretStore
+    name: secret-app-ms
+  target:
+    name: secret-nautible-app-ms-order                             # Secret Resource
+    creationPolicy: Owner
+  data:
+    - secretKey: DAPR_STATESTORE_PW                                # SecretResource key
+      remoteRef:
+        key: secret/nautible-app-ms-order-dapr-statestore-password # KeyVault SecretName

app-ms/overlays/azure/secret-parameter/product-db.yaml

@@ -0,0 +1,20 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: secret-nautible-app-ms-product-db
+  namespace: nautible-app-ms
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: SecretStore
+    name: secret-app-ms
+  target:
+    name: secret-nautible-app-ms-product-db             # Secret Resource
+    creationPolicy: Owner
+  data:
+    - secretKey: DATABASE_USER                          # SecretResource key
+      remoteRef:
+        key: secret/nautible-app-ms-product-db-user     # KeyVault SecretName
+    - secretKey: DATABASE_PW                            # SecretResource key
+      remoteRef:
+        key: secret/nautible-app-ms-product-db-password # KeyVault SecretName

app-ms/overlays/azure/secretstore.yaml

@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: SecretStore
+metadata:
+  name: secret-app-ms
+  namespace: nautible-app-ms
+spec:
+  provider:
+    azurekv:
+      tenantId: ${TENANT_ID}
+      vaultUrl: ${APP_MS_VAULT_URL}
+      authSecretRef:
+        clientId:
+          name: external-secrets-azure-credentials
+          key: clientid
+        clientSecret:
+          name: external-secrets-azure-credentials
+          key: clientsecret