Merge branch 'master' into feature/imagepullsecret
Rade333 authored Oct 16, 2024
2 parents f348eaa + 396dfc3 commit 6ff5412
Showing 13 changed files with 408 additions and 46 deletions.
4 changes: 2 additions & 2 deletions docs/anatomy_of_a_silta_project.md
Expand Up @@ -16,7 +16,7 @@ This file is located in the project root at `.circleci/config.yml` and uses the
version: 2.1

orbs:
silta: silta/silta@0.1
silta: silta/silta@1

workflows:
version: 2
Expand Down Expand Up @@ -58,7 +58,7 @@ We use version 2.1 of the CircleCI API. If your project configured to use an old
```yaml
orbs:
silta: silta/silta@0.1
silta: silta/silta@1
```
CircleCI has a packaging system called [orbs](https://circleci.com/docs/2.0/orb-intro/#section=configuration).
We have published our own orb called `silta/silta`, which enables you to use predefined jobs and commands.
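Review bot: the pin moves from `silta/silta@0.1` to `silta/silta@1`, which CircleCI resolves to the newest 1.x.y release of the orb at build time rather than to a fixed version; the paragraph should say so, and say whether projects that want reproducible builds may pin a full `1.x.y` instead. Style: the context sentence "If your project configured to use an old" is missing "is".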
23 changes: 23 additions & 0 deletions docs/compatibility_matrix.md
@@ -0,0 +1,23 @@
Component \\ Vendor |GKE (Google) |AKS (Azure) |EKS (Amazon) |UKS (UpCloud) |microk8s (self-hosted) |minikube (local)
------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------|----------------------------------------------------------------|----------------------------------------------------------------
Container Image Registry |[Artifact Registry](https://cloud.google.com/artifact-registry) |[Azure Container Registry](https://azure.microsoft.com/en-us/products/container-registry/) |[Elastic Container Registry](https://aws.amazon.com/ecr/) |Missing** |[docker-registry](https://github.com/twuni/docker-registry.helm)*|[docker-registry](https://github.com/twuni/docker-registry.helm)*
Read-write many storage |[Filestore](https://cloud.google.com/filestore) |[Azure Files](https://azure.microsoft.com/en-us/products/storage/files) (azurefile-csi) |[Amazon S3 File Gateway (untested)](https://docs.aws.amazon.com/filegateway/latest/files3/what-is-file-s3.html)*** |Missing** |nfs-server* |nfs-server*
Silta-shared storage backend (rwx) |[Google Cloud Storage](https://cloud.google.com/storage/docs/buckets) |[Blob Storage](https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blobs-introduction) |[Amazon S3](https://aws.amazon.com/s3/) |Missing** |[MinIO](https://github.com/minio/minio)* |[MinIO](https://github.com/minio/minio)*
Load Balancer |[GKE Ingress](https://cloud.google.com/kubernetes-engine/docs/concepts/ingress) |[Standard Load Balancer](https://learn.microsoft.com/en-us/azure/aks/load-balancer-standard) |[ELB\* & ALB](https://aws.amazon.com/elasticloadbalancing/features/) |[CCM](https://github.com/UpCloudLtd/uks-instructions/tree/main/ccm)|metallb* |metallb*
Static, reserved Ingress IP |Yes |Yes |Untested*** | |Yes |Yes
Static, reserved Egress IP |[CloudNAT](https://cloud.google.com/nat/docs/overview) (private clusters only), silta-proxy\* |Yes |Yes | |Yes |Yes
Network Policy |[Calico](https://cloud.google.com/kubernetes-engine/docs/how-to/network-policy#enabling_network_policy_enforcement)|[Calico or Network Policy Manager](https://learn.microsoft.com/en-us/azure/aks/use-network-policies) |Have to install* |[Cilium](https://cilium.io/) |Have to install* / Untested*** |Have to install* / Untested***
Managed DBs |[CloudSQL](https://cloud.google.com/sql?hl=en) |[Azure Database for MySQL](https://azure.microsoft.com/en-us/products/mysql) |RDS*** |[Managed Databases](https://upcloud.com/products/managed-databases)| |
K8s versions |Multiple |Multiple |Multiple |1.26 |Multiple |Multiple
Web Application Firewall\* |[Cloud Armor (only for GKE ingress)](https://cloud.google.com/armor/) |[Application Gateway](https://azure.microsoft.com/en-us/products/application-gateway) (only for azure/application-gateway ingress) |AWS WAF*** | | |

___
Notes:
- Load Balancing - all vendors support installing own ingress controller (Ingress-Nginx, Traefik)
- Web Application Firewall - all vendors support [Signal Sciences WAF](https://www.signalsciences.com/) (in cluster agent)
- ELB provides client ip via PROXY protocol
- silta-proxy - requires separate nodepool and taints, does not work with all applications
___
*Have to install
**Missing
***Untested
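Review bot: the footnote markers are inconsistent and some will not survive Markdown rendering: `ELB\*`, `silta-proxy\*` and `Web Application Firewall\*` escape the asterisk, while `Missing**`, `nfs-server*` and `Have to install* / Untested***` do not, so a renderer may pair the unescaped `*` and `**` within a cell as emphasis and drop the markers; escape every marker (`\*`, `\*\*`, `\*\*\*`) in the cells and in the legend lines. Empty cells (UKS ingress IP, the WAF column for UKS/microk8s/minikube, managed DBs for microk8s/minikube) should carry an explicit `Missing\*\*` or `Untested\*\*\*` so a blank is not read as "supported". `Component \\ Vendor` renders as a single backslash, which is presumably intended.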
2 changes: 1 addition & 1 deletion docs/creating_a_new_project.md
Expand Up @@ -16,5 +16,5 @@ title: Creating a new project
## Frontend project guidelines

- Make a copy of Wunder's [frontend-project](https://github.com/wunderio/frontend-project), and push it as a new repository within the wunderio Github organisation.
- Log in to CircleCI with your Github credentials, select "wunderio" and [enable your project](https://circleci.com/add-projects/gh/wunderio).
- Log in to CircleCI with your Github credentials and [enable your project](https://circleci.com/docs/getting-started/).
- Watch your project build, the CircleCI output has a link to your deployed environment.
2 changes: 1 addition & 1 deletion docs/gcp_filestore_migration.md
Expand Up @@ -87,7 +87,7 @@ If you run out of free space on volume, contact cluster administrator for its ex
```
Dockerfile example of a project
```dockerfile
FROM wunderio/silta-php-fpm:8.0-fpm-v0.1
FROM wunderio/silta-php-fpm:8.0-fpm-v1
COPY --chown=www-data:www-data . /app
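Review bot: the image tag is bumped to `8.0-fpm-v1` but the example still pins PHP 8.0, which has been out of security support since November 2023; since the snippet only needs to show the `COPY --chown=www-data:www-data . /app` line, pick a PHP release that still receives security fixes so readers do not copy an unsupported base image into new projects.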
6 changes: 0 additions & 6 deletions docs/migrating_existing_project.md
Expand Up @@ -2,12 +2,6 @@
id: migrating-an-existing-drupal-project
title: Migrating an existing Drupal project
---
## General tips

- We automate as much as possible, but many projects have project-specific differences.
- When in doubt, ask for advice.
- Ask any questions in our #dev-silta slack channel.

## Step by step instructions

1. Make sure you have a clean, up-to-date checkout of your repository.
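Review bot: deleting "General tips" removes the only pointer to where to ask for help (the #dev-silta channel); if the channel has been retired or the advice moved to another page, link the replacement, otherwise the document now starts at step 1 with no escalation path for the "project-specific differences" the removed text warned about.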
60 changes: 34 additions & 26 deletions docs/silta-examples.md
Expand Up @@ -31,6 +31,25 @@ Note that storage can only be increased, not decreased.
Note 2: If you change it for existing deployment, You'll need to run special comands in cluster to expand the storage or deployment will fail (see [Mariadb or Elasticsearch running out of disk space](troubleshooting.md#mariadb-or-elasticsearch-running-out-of-disk-space) in troubleshooting page).
## Using different version of MariaDB than provided in chart defaults.
While it's normally not advised, it's possible to adjust MariaDB image version -
_Drupal chart and Frontend chart_:
```yaml
mariadb:
image:
# Available image tags listed at https://hub.docker.com/r/bitnami/mariadb/tags. Use debian images.
# tag: 10.10.6-debian-11-r25
# tag: 10.11.5-debian-11-r24
tag: 11.0.3-debian-11-r25
```
It's highly suggested to create mysql data backup before image change.
Note: Do not change image to an earlier version, it may break the data.
## Mount Drupal public files to a different location
_Drupal chart_:
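Review bot: the new section should state that overriding `mariadb.image.tag` opts the project out of the chart's tested default and of the image updates that ship with chart upgrades, so the pinned `-debian-11-rNN` build has to be tracked and bumped manually for security fixes; and "it may break the data" understates the downgrade case, since downgrading MariaDB between major versions is not a supported operation, so phrase it as a hard rule. Style: "mysql data backup" should read "MariaDB data backup", the heading should not end with a period, and the context line has "comands".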
Expand Down Expand Up @@ -465,15 +484,12 @@ If the `smtp` is configured and enabled, but it does not appear to send anything

## Domain names and SSL certificates

All environments are given a hostname by default. It is possible to attach a custom domain name to environment by configuring `exposeDomains` configuration parameter. All hostnames attached to environment are printed in release notes.

Note: You can also use `letsencrypt-staging` issuer to avoid hitting `letsencrypt` [rate limits](https://letsencrypt.org/docs/rate-limits/).
All environments are given a hostname by default. It is possible to attach a custom domain name to environment by configuring `exposeDomains` configuration parameter. All hostnames attached to environment are printed in release notes.
You can also use `letsencrypt-staging` issuer to avoid hitting `letsencrypt` [rate limits](https://letsencrypt.org/docs/rate-limits/).

Note 2: For custom certificates it's advised to add CA root certificate to `exposeDomains[].ssl.crt` value. Having it under `exposeDomains[].ssl.ca` is not enough.
!NB Deploy `exposeDomains` entries only when DNS entries are changed or are soon to be changed. Otherwise, Letsencrypt validation might eventually get stuck due to retries.

Note 3: Deploy `exposeDomains` entries only when DNS entries are changed or are soon to be changed. Otherwise, Letsencrypt validation might eventually get stuck due to retries.

Note 4: Put `exposeDomains` in a dedicated configuration yaml file, so only one environment (branch) would be assigned this hostname. Having multiple environments with the same domain will act as a round robin load balancer for all environments and unexpected responses might be returned.
!NB Put `exposeDomains` in a dedicated configuration yaml file, so only one environment (branch) would be assigned this hostname. Having multiple environments with the same domain will act as a round robin load balancer for all environments and unexpected responses might be returned.

_Drupal chart and Frontend chart_:

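Review bot: the `letsencrypt-staging` sentence needs the caveat that staging certificates are issued by a CA that browsers do not trust, so the issuer must be switched back to `letsencrypt` before the hostname goes live; and the removed "Note 2" (add the CA root to `exposeDomains[].ssl.crt`) has no replacement in this hunk, so a reader of this section alone no longer learns what `crt` must contain. Style: `!NB` is not a Markdown construct and renders as literal text, a blockquote or bold "Note:" would match the rest of the docs, and "Letsencrypt" should be "Let's Encrypt".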
Expand All @@ -491,43 +507,35 @@ exposeDomains:
enabled: true
issuer: custom
# Encrypt key and certificate. See: docs/encrypting_sensitive_configuration.md
ca: |
-----BEGIN CERTIFICATE-----
< CA CHAIN ROOT >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< CA CHAIN RCA >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< CA CERTIFICATE >
-----END CERTIFICATE-----
key: |
-----BEGIN RSA PRIVATE KEY-----
<KEY>
-----END RSA PRIVATE KEY-----
crt: |
-----BEGIN CERTIFICATE-----
< CERTIFICATE >
< DOMAIN CERTIFICATE >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< CA CHAIN ROOT >
< INTERMEDIATE CERTIFICATE >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< CA CHAIN RCA >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< CA CERTIFICATE >
< ROOT CA CERTIFICATE >
-----END CERTIFICATE-----
```
`key` value is certificates private key.
`crt` value is full chain of certificate.
`ca` value is not required anymore for exposed domains.
[See more information on how to convert and prepare SSL certificate for exposed domains](ssl_certificates.md)

If you have same SSL certificate for multiple domains You can reuse `ssl` block.
```yaml
exposeDomains:
example-customcert: &shared-ssl
example-domain1: &shared-ssl
ssl:
[....]
example-anothercert:
example-domain2:
<<: *shared-ssl
example-domain3:
<<: *shared-ssl
```

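Review bot: the `ca` block is dropped and the text says the value "is not required anymore", but not whether a `ca` key left in an existing configuration is ignored or fails the release; say which, since current projects will have it. The new chain ordering (domain, intermediate, root) is correct; it is worth adding that the root may be omitted from the served chain because clients must already hold it in their trust store (RFC 8446 section 4.4.2), which keeps the handshake smaller. The anchor example works, but `&shared-ssl` is placed on the whole `example-domain1` mapping, so any `hostname` set there would be merged into `example-domain2` and `example-domain3` as well unless each overrides it; anchoring the `ssl:` mapping itself avoids that. Style: "certificates private key" should be "the certificate's private key" and "You can reuse" should be lowercase "you".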
78 changes: 78 additions & 0 deletions docs/ssl_certificates.md
@@ -0,0 +1,78 @@
## Basics

Full chain consists of 3 parts.
`End-Entity (Server) Certificate:` This is your server's SSL/TLS certificate, also known as the end-entity certificate. It is the certificate that identifies your server's domain.
`Intermediate Certificates:` These are the certificates of intermediate Certificate Authorities (CAs) that form the chain between your end-entity certificate and the root CA certificate. Intermediate certificates help build the trust chain between your certificate and a root CA. They are necessary because root CA certificates are typically not distributed widely due to security reasons.
`Root CA Certificate:` This is the certificate of the root Certificate Authority. This certificate is the ultimate trust anchor in the chain. The root CA certificate establishes trust in the entire chain.

You can have multiple Intermediate Certificates in chain.
```yaml
exposeDomains:
example-customcert:
hostname: ssl-custom.example.com
ssl:
enabled: true
issuer: custom
key: |
-----BEGIN RSA PRIVATE KEY-----
<KEY>
-----END RSA PRIVATE KEY-----
crt: |
-----BEGIN CERTIFICATE-----
< DOMAIN CERTIFICATE >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< INTERMEDIATE CERTIFICATE 1 >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< INTERMEDIATE CERTIFICATE 2 >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< INTERMEDIATE CERTIFICATE N >
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
< ROOT CA CERTIFICATE >
-----END CERTIFICATE-----
```
## PFX to PEM
Extraction (legacy flag is required if older version of PKCS#12 was used to create PFX file):
`openssl pkcs12 -legacy -in custom_cert.pfx -nocerts -nodes | sed -ne '/-BEGIN PRIVATE KEY-/,/-END PRIVATE KEY-/p' > private.key`
`openssl pkcs12 -legacy -in custom_cert.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ca.crt`
`openssl pkcs12 -legacy -in custom_cert.pfx -clcerts -nokeys | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > domain.crt`

Creating full chain:
`cat domain.crt ca.crt > fullchain.crt`

You can also use [this script](../scripts/pfx-ready.sh).

## SSL certificate verification

You can verify full chain part:
`openssl verify -CAfile fullchain.crt domain.crt`
And then matching with private key
`openssl x509 -noout -modulus -in fullchain.crt | openssl md5`
`openssl rsa -noout -modulus -in private.key | openssl md5`
Output values should match.

Testing certificate on live server can be done only on different cluster/environment.
*!NB Do not try to test it on Production cluster/environment where production hostname is in use already.*
#### Steps to test SSL certificate on Development cluster
* Make a new Git branch
* Add SSL certificates domain to Exposed domains in `stila.yml`
* Create secrets file, put relevant structure and encrypt it with cluster's secret key
* Modify `.circleci/config.yml` to decrypt secret and use it in `silta_config` part
* Push branch to trigger deployment
* Verify SSL certificate with `openssl s_client -connect [IP]:443 -servername [hostname]`. Expected result
`SSL handshake has read 7583 bytes and written 408 bytes Verification: OK`. If something is wrong You'll get
`Verification error: unable to verify the first certificate` and/or `Verify return code: 21 (unable to verify the first certificate)`
* You can also change `/etc/hosts` to resolve hostname and verify SSL certificate via browser
* When everything looks good delete the testing branch and proceed with production release.


## Tips

PEM strings can be encoded in different formats. Both cases are valid
`-----BEGIN RSA PRIVATE KEY-----`
`-----BEGIN PRIVATE KEY-----`
`openssl` will take care of correct decoding. [List of all supported formats](https://git.openssl.org/?p=openssl.git;a=blob;f=include/openssl/pem.h;hb=HEAD#l35).
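Review bot: the key/certificate match check in "SSL certificate verification" (`openssl x509 -modulus` against `openssl rsa -modulus`) only works for RSA keys and fails outright on an ECDSA certificate; comparing the public keys works for any key type: `openssl x509 -in domain.crt -noout -pubkey | openssl md5` against `openssl pkey -in private.key -pubout | openssl md5`. Further points: the "Basics" paragraph says root CA certificates "are typically not distributed widely", but it is the root private key that is kept offline while the root certificate ships in every trust store, which is exactly why leaves are signed by intermediates; the extraction step writes the unencrypted key to `private.key` under the default umask, so prefix the commands with `umask 077` and say the file must be removed once it has been encrypted into the secrets file; `openssl verify -CAfile fullchain.crt domain.crt` treats the intermediates as trust anchors, so it only proves the chain links up, not that public clients would trust it (the stricter form is `-CAfile` with the root only plus `-untrusted ca.crt`); the byte counts in the `s_client` expected output differ per server, so tell readers to look only for `Verification: OK` (adding `-verify_return_error` makes the command exit non-zero otherwise); and `stila.yml` looks like a typo for `silta.yml`.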