Use Kittyhawk for Deployment Config (#128)

* 🎉 Set-up

* 🐛 Rename DOMAIN -> DOMAINS

* ⬆️ Bump

* 🔥 Bye Jest

.github/cdk/package.json

@@ -13,13 +13,13 @@
     "upgrade-cdk": "yarn upgrade cdkactions@latest cdkactions-cli@latest"
   },
   "dependencies": {
-    "@pennlabs/kraken": "^0.6.3",
+    "@pennlabs/kraken": "^0.8.6",
     "cdkactions": "^0.2.3",
-    "constructs": "^3.3.147"
+    "constructs": "^3.2.109"
   },
   "devDependencies": {
-    "@types/node": "^16.9.2",
+    "@types/node": "^17.0.23",
     "cdkactions-cli": "^0.2.3",
-    "typescript": "^4.4.3"
+    "typescript": "^4.6.3"
   }
 }

.github/cdk/yarn.lock

@@ -2,19 +2,19 @@
 # yarn lockfile v1
 
 
-"@pennlabs/kraken@^0.6.3":
-  version "0.6.3"
-  resolved "https://registry.yarnpkg.com/@pennlabs/kraken/-/kraken-0.6.3.tgz#d346daa36146ee969544939175352e7f7e8a630b"
-  integrity sha512-7xPn5hIPVsyCQO0DjAMAkotrz9+m6qIBoto/zs7zzuWCj/UlirPn2OphG2GNUnqiDEbQMIXoIPEt1wASUSvSgg==
+"@pennlabs/kraken@^0.8.6":
+  version "0.8.6"
+  resolved "https://registry.yarnpkg.com/@pennlabs/kraken/-/kraken-0.8.6.tgz#79a9d10bed36b699c526556cd69b6d81341847d1"
+  integrity sha512-aBblQa/661DJ2GP3Dq1KEzCZ72ZV/Jw7z4HNZoWPxGWn+tSPwvaPkSNDpK7tT+nJmu427giGU8DLyciU79hKbA==
   dependencies:
-    cdkactions "^0.2.0"
+    cdkactions "^0.2.3"
     constructs "^3.2.80"
-    dedent-js "^1.0.1"
+    ts-dedent "^2.2.0"
 
-"@types/node@^16.9.2":
-  version "16.9.2"
-  resolved "https://registry.yarnpkg.com/@types/node/-/node-16.9.2.tgz#81f5a039d6ed1941f8cc57506c74e7c2b8fc64b9"
-  integrity sha512-ZHty/hKoOLZvSz6BtP1g7tc7nUeJhoCf3flLjh8ZEv1vFKBWHXcnMbJMyN/pftSljNyy0kNW/UqI3DccnBnZ8w==
+"@types/node@^17.0.23":
+  version "17.0.23"
+  resolved "https://registry.yarnpkg.com/@types/node/-/node-17.0.23.tgz#3b41a6e643589ac6442bdbd7a4a3ded62f33f7da"
+  integrity sha512-UxDxWn7dl97rKVeVS61vErvw086aCYhDLyvRQZ5Rk65rZKepaFdm53GeqXaKBuOhED4e9uWq34IC3TdSdJJ2Gw==
 
 ansi-regex@^5.0.0:
   version "5.0.1"
@@ -45,7 +45,7 @@ cdkactions-cli@^0.2.3:
     yaml "^1.10.0"
     yargs "^16.2.0"
 
-cdkactions@^0.2.0, cdkactions@^0.2.3:
+cdkactions@^0.2.3:
   version "0.2.3"
   resolved "https://registry.yarnpkg.com/cdkactions/-/cdkactions-0.2.3.tgz#aa27bf720962376d54f8ef95cdfb0ab46458b966"
   integrity sha512-/DYQ2qsT6fzgZB+cmQjtPqR4aAWCqAytWbFpJK+iJLQ4jQrl6l4uMf01TLiWY3mAILS0YGlwPcoBbGvq9Jnz5g==
@@ -74,16 +74,11 @@ color-name@~1.1.4:
   resolved "https://registry.yarnpkg.com/color-name/-/color-name-1.1.4.tgz#c2a09a87acbde69543de6f63fa3995c826c536a2"
   integrity sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==
 
-constructs@^3.2.109, constructs@^3.2.80, constructs@^3.3.147:
+constructs@^3.2.109, constructs@^3.2.80:
   version "3.3.147"
   resolved "https://registry.yarnpkg.com/constructs/-/constructs-3.3.147.tgz#0616cb1aeb7a916665a74ceae0a1b34b38386937"
   integrity sha512-xTSA87W5hscsHdFC2NcbJWALeMt8QWoCvVXRHPIuoBDDXdvBuNoqL2a5kY1yEWSMLQvBPnrDyinfz3twTX6dAw==
 
-dedent-js@^1.0.1:
-  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/dedent-js/-/dedent-js-1.0.1.tgz#bee5fb7c9e727d85dffa24590d10ec1ab1255305"
-  integrity sha1-vuX7fJ5yfYXf+iRZDRDsGrElUwU=
-
 emoji-regex@^8.0.0:
   version "8.0.0"
   resolved "https://registry.yarnpkg.com/emoji-regex/-/emoji-regex-8.0.0.tgz#e818fd69ce5ccfcb404594f842963bf53164cc37"
@@ -158,15 +153,15 @@ strip-ansi@^6.0.0:
   dependencies:
     ansi-regex "^5.0.0"
 
-ts-dedent@^2.0.0:
+ts-dedent@^2.0.0, ts-dedent@^2.2.0:
   version "2.2.0"
   resolved "https://registry.yarnpkg.com/ts-dedent/-/ts-dedent-2.2.0.tgz#39e4bd297cd036292ae2394eb3412be63f563bb5"
   integrity sha512-q5W7tVM71e2xjHZTlgfTDoPF/SmqKG5hddq9SzR49CH2hayqRKJtQ4mtRlSxKaJlR/+9rEM+mnBHf7I2/BQcpQ==
 
-typescript@^4.4.3:
-  version "4.4.3"
-  resolved "https://registry.yarnpkg.com/typescript/-/typescript-4.4.3.tgz#bdc5407caa2b109efd4f82fe130656f977a29324"
-  integrity sha512-4xfscpisVgqqDfPaJo5vkd+Qd/ItkoagnHpufr+i2QCHBsNYp+G7UAoyFl8aPtx879u38wPV65rZ8qbGZijalA==
+typescript@^4.6.3:
+  version "4.6.3"
+  resolved "https://registry.yarnpkg.com/typescript/-/typescript-4.6.3.tgz#eefeafa6afdd31d725584c67a0eaba80f6fc6c6c"
+  integrity sha512-yNIatDa5iaofVozS/uQJEl3JRWLKKGJKh6Yaiv0GLGSuhpFJe7P3SbHZ8/yjAHRQwKRoA6YZqlfjXWmVzoVSMw==
 
 universalify@^0.1.0:
   version "0.1.2"

.github/workflows/cdkactions_build-and-deploy.yaml

@@ -157,46 +157,40 @@ jobs:
     needs: react-check
   deploy:
     runs-on: ubuntu-latest
-    container:
-      image: pennlabs/helm-tools:39b60af248944898fcbc58d1fe5b0f1995420aef
     if: github.ref == 'refs/heads/master'
     steps:
       - uses: actions/checkout@v2
-      - name: Deploy
+      - id: synth
+        name: Synth cdk8s manifests
         run: |-
-          aws eks --region us-east-1 update-kubeconfig --name production --role-arn arn:aws:iam::${AWS_ACCOUNT_ID}:role/kubectl
+          cd k8s
+          yarn install --frozen-lockfile
 
           # get repo name (by removing owner/organization)
-          RELEASE_NAME=${REPOSITORY#*/}
+          export RELEASE_NAME=${REPOSITORY#*/}
+
+          # Export RELEASE_NAME as an output
+          echo "::set-output name=RELEASE_NAME::$RELEASE_NAME"
 
-          # this specifies what tag of icarus to pull down
-          DEPLOY_TAG=$(yq r k8s/values.yaml deploy_version)
-          if [ "$DEPLOY_TAG" = "null" ]; then
-              echo "Could not find deploy tag"
-              exit 1
-          fi
+          yarn build
+        env:
+          GIT_SHA: ${{ github.sha }}
+          REPOSITORY: ${{ github.repository }}
+          AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
+      - name: Deploy
+        run: |-
+          aws eks --region us-east-1 update-kubeconfig --name production --role-arn arn:aws:iam::${AWS_ACCOUNT_ID}:role/kubectl
 
-          helm repo add pennlabs https://helm.pennlabs.org/
-          for i in {1..10}; do
-            # This is bash soup, but it'll do.
-            # 1. Attempt to install with helm
-            # 2. If this succeeds, exit with a success status code
-            # 3. If it fails, mark the command as succeeded so that '-e' doesn't kick us out
-            # 4. Wait 10s and try again
-            helm upgrade --install --atomic --set=image_tag=$IMAGE_TAG -f k8s/values.yaml --version "${DEPLOY_TAG}" $RELEASE_NAME pennlabs/icarus && exit 0 || true
-            sleep 10s
-            echo "Retrying deploy for $i times"
-          done
+          # get repo name from synth step
+          RELEASE_NAME=${{ steps.synth.outputs.RELEASE_NAME }}
 
-          # If we get here, all helm installs failed so our command should fail
-          exit 1
+          # Deploy
+          kubectl apply -f k8s/dist/ -l app.kubernetes.io/component=certificate
+          kubectl apply -f k8s/dist/ --prune -l app.kubernetes.io/part-of=$RELEASE_NAME
         env:
-          IMAGE_TAG: ${{ github.sha }}
           AWS_ACCOUNT_ID: ${{ secrets.AWS_ACCOUNT_ID }}
           AWS_ACCESS_KEY_ID: ${{ secrets.GH_AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.GH_AWS_SECRET_ACCESS_KEY }}
-          DO_AUTH_TOKEN: ${{ secrets.DO_AUTH_TOKEN }}
-          REPOSITORY: ${{ github.repository }}
     needs:
       - publish-backend
       - publish-frontend

backend/Platform/settings/base.py

@@ -15,7 +15,7 @@
 import dj_database_url
 
 
-DOMAIN = os.environ.get("DOMAIN", "example.com")
+DOMAINS = os.environ.get("DOMAINS", "example.com").split(",")
 
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))

backend/Platform/settings/production.py

@@ -5,7 +5,7 @@
 from sentry_sdk.integrations.django import DjangoIntegration
 
 from Platform.settings.base import *  # noqa
-from Platform.settings.base import DOMAIN
+from Platform.settings.base import DOMAINS
 
 
 DEBUG = False
@@ -14,7 +14,7 @@
 SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")
 
 # Allow production host headers
-ALLOWED_HOSTS = [DOMAIN]
+ALLOWED_HOSTS = DOMAINS
 
 # Make sure SECRET_KEY is set to a secret in production
 SECRET_KEY = os.environ.get("SECRET_KEY", None)

k8s/.gitignore

@@ -0,0 +1,4 @@
+*.d.ts
+*.js
+node_modules
+dist/

k8s/cdk8s.yaml

@@ -0,0 +1,2 @@
+language: typescript
+app: node main.js

k8s/main.ts

@@ -0,0 +1,102 @@
+import { Construct } from 'constructs';
+import { App } from 'cdk8s';
+import { CronJob, DjangoApplication, PennLabsChart, ReactApplication } from '@pennlabs/kittyhawk';
+
+const cronTime = require('cron-time-generator');
+
+export class MyChart extends PennLabsChart {
+  constructor(scope: Construct) {
+    super(scope);
+
+    const domain = "platform.pennlabs.org"
+    const devDomain = "platform-dev.pennlabs.org"
+
+    const frontendImage = "pennlabs/platform-frontend"
+    const backendImage = "pennlabs/platform-backend"
+    const devImage = "pennlabs/platform-dev"
+
+    const secret = "platform"
+    const devSecret = "platform-dev"
+
+    new DjangoApplication(this, 'django', {
+      port: 443,
+      deployment: {
+        image: backendImage,
+        secret,
+        secretMounts: [
+          {
+            name: "platform",
+            subPath: "SHIBBOLETH_CERT",
+            mountPath: "/etc/shibboleth/sp-cert.pem",
+          },
+          {
+            name: "platform",
+            subPath: "SHIBBOLETH_KEY",
+            mountPath: "/etc/shibboleth/sp-key.pem",
+          }
+        ]
+      },
+      domains: [{ 
+        host: domain, 
+        paths: [
+          "/admin",
+          "/accounts",
+          "/assets",
+          "/identity",
+          "/s",
+          "/options",
+          "/openapi",
+          "/documentation",
+          "/Shibboleth.sso",
+        ],
+        isSubdomain: true,
+      }],
+      ingressProps: {
+        annotations: {
+          ["ingress.kubernetes.io/protocol"]: "http"
+        },
+      },
+      djangoSettingsModule: 'Platform.settings.production',
+    });
+
+    new ReactApplication(this, 'react', {
+      deployment: {
+        image: frontendImage,
+        replicas: 2,
+      },
+      domain: {
+        host: domain,
+        paths: ["/"]
+      },
+    })
+
+    new DjangoApplication(this, 'dev', {
+      port: 8080,
+      deployment: {
+        image: devImage,
+        secret: devSecret,
+        env: [{
+          name: "DEV_LOGIN",
+          value: "true"
+        }]
+      },
+      domains: [{ 
+        host: devDomain, 
+        paths: ["/"],
+        isSubdomain: true,
+      }],
+      djangoSettingsModule: 'Platform.settings.production',
+    });
+
+    new CronJob(this, 'clear-expired-tokens', {
+      schedule: cronTime.everySundayAt(5),
+      image: backendImage,
+      secret,
+      cmd: ["python3", "manage.py", "cleartokens"],
+    });
+  }
+}
+
+const app = new App();
+new MyChart(app);
+app.synth();

k8s/package.json

@@ -0,0 +1,29 @@
+{
+  "name": "k8s",
+  "version": "1.0.0",
+  "main": "main.js",
+  "types": "main.ts",
+  "license": "Apache-2.0",
+  "private": true,
+  "scripts": {
+    "import": "cdk8s import",
+    "synth": "cdk8s synth",
+    "compile": "tsc",
+    "watch": "tsc -w",
+    "build": "npm run compile && npm run synth",
+    "upgrade": "npm i cdk8s@latest cdk8s-cli@latest",
+    "upgrade:next": "npm i cdk8s@next cdk8s-cli@next"
+  },
+  "dependencies": {
+    "@pennlabs/kittyhawk": "^1.1.4",
+    "cdk8s": "^2.2.63",
+    "constructs": "^10.0.119"
+  },
+  "devDependencies": {
+    "@types/jest": "^26.0.24",
+    "@types/node": "^14.18.12",
+    "jest": "^26.6.3",
+    "ts-jest": "^26.5.6",
+    "typescript": "^4.6.3"
+  }
+}

k8s/tsconfig.json

@@ -0,0 +1,33 @@
+{
+  "compilerOptions": {
+    "alwaysStrict": true,
+    "charset": "utf8",
+    "declaration": true,
+    "experimentalDecorators": true,
+    "inlineSourceMap": true,
+    "inlineSources": true,
+    "lib": [
+      "es2016"
+    ],
+    "module": "CommonJS",
+    "noEmitOnError": true,
+    "noFallthroughCasesInSwitch": true,
+    "noImplicitAny": true,
+    "noImplicitReturns": true,
+    "noImplicitThis": true,
+    "noUnusedLocals": true,
+    "noUnusedParameters": true,
+    "resolveJsonModule": true,
+    "strict": true,
+    "strictNullChecks": true,
+    "strictPropertyInitialization": true,
+    "stripInternal": true,
+    "target": "ES2017"
+  },
+  "include": [
+    "**/*.ts"
+  ],
+  "exclude": [
+    "node_modules"
+  ]
+}