secret management done

deployement/.gitignore

@@ -1,2 +1,3 @@
 .terraform*
-k8s/credentials.yaml
+.env
+body.json

deployement/README.md

@@ -1,137 +1,193 @@
-RUN  
+# JOB IMAGE REQUIREMENT
+az  
+terraform  
+python3 => pip install pynacl  
+kubectl  
+jq  
+
+# LOCAL ENV VARIABLES
+- export $(grep -v '^#' .env | xargs)
+
+# ENABLE AN AZURE STORAGE TFSTATE 
+
+
+# FOR DEPLOYING DATASTORE
+Already actions secret:
+  - ACCESS_TOKEN
+  - ORG_NAME
+  - REPO_NAME
 
-FOR DEPLOYING DATASTORE (once)
 - az login
 - terraform init
-- terraform plan -out main.tfplan
-- terraform apply main.tfplan
-- az acr show --name rtwcr1 --query "id" --output tsv                       # ACR id to link to AKS to change
-- echo "$(terraform output connection_string)" > ./outputs/cosmos.txt
-- echo "$(terraform output posgresql_fqdn)" > ./outputs/posgresql_fqdn.txt
-- deploy images to azure container registry from GitHub (change username and password)
-
-FOR DEPLOYING AKS
+- terraform plan -out datastore.tfplan
+- terraform apply datastore.tfplan
+- MONGODB_URI=$(terraform output -raw cosmos_connection_string)
+- POSTGRESQL_FQDN=$(terraform output -raw posgresql_fqdn)
+- POSTGRESQL_ROOT_USERNAME=$(terraform output -raw posgresql_admin_username)
+- POSTGRESQL_ROOT_PASSWORD=$(terraform output -raw posgresql_admin_password)
+- REPOSITORY_TOKEN=$(terraform output -raw acr_token)
+- ACR_ID=$(terraform output -raw acr_id)
+
+## create github actions secrets  
+// change folder
+- cd ..
+// get the public key of the repo
+- public_key_info=$(curl -H "Authorization: token $ACCESS_TOKEN" -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/$ORG_NAME/$REPO_NAME/actions/secrets/public-key)
+- public_key_value=$(echo "$public_key_info" | jq -r '.key')
+- public_key_id=$(echo "$public_key_info" | jq -r '.key_id')
+// encrypt and upload all credentials
+- MONGODB_URI=$(python3 encrypt-secret.py $MONGODB_URI $public_key_value)
+- echo '{"encrypted_value":"'$MONGODB_URI'","key_id":"'$public_key_id'"}' > body.json
+- curl -L -X PUT -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $ACCESS_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/$ORG_NAME/$REPO_NAME/actions/secrets/MONGODB_URI -d @body.json
+
+- POSTGRESQL_FQDN=$(python3 encrypt-secret.py $POSTGRESQL_FQDN $public_key_value)
+- echo '{"encrypted_value":"'$POSTGRESQL_FQDN'","key_id":"'$public_key_id'"}' > body.json
+- curl -L -X PUT -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $ACCESS_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/$ORG_NAME/$REPO_NAME/actions/secrets/POSTGRESQL_FQDN -d @body.json
+
+- POSTGRESQL_ROOT_USERNAME=$(python3 encrypt-secret.py $POSTGRESQL_ROOT_USERNAME $public_key_value)
+- echo '{"encrypted_value":"'$POSTGRESQL_ROOT_USERNAME'","key_id":"'$public_key_id'"}' > body.json
+- curl -L -X PUT -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $ACCESS_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/$ORG_NAME/$REPO_NAME/actions/secrets/POSTGRESQL_ROOT_USERNAME -d @body.json
+
+- POSTGRESQL_ROOT_PASSWORD=$(python3 encrypt-secret.py $POSTGRESQL_ROOT_PASSWORD $public_key_value)
+- echo '{"encrypted_value":"'$POSTGRESQL_ROOT_PASSWORD'","key_id":"'$public_key_id'"}' > body.json
+- curl -L -X PUT -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $ACCESS_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/$ORG_NAME/$REPO_NAME/actions/secrets/POSTGRESQL_ROOT_PASSWORD -d @body.json
+
+- REPOSITORY_TOKEN=$(python3 encrypt-secret.py $REPOSITORY_TOKEN $public_key_value)
+- echo '{"encrypted_value":"'$REPOSITORY_TOKEN'","key_id":"'$public_key_id'"}' > body.json
+- curl -L -X PUT -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $ACCESS_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/$ORG_NAME/$REPO_NAME/actions/secrets/REPOSITORY_TOKEN -d @body.json
+
+- ACR_ID=$(python3 encrypt-secret.py $ACR_ID $public_key_value)
+- echo '{"encrypted_value":"'$ACR_ID'","key_id":"'$public_key_id'"}' > body.json
+- curl -L -X PUT -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $ACCESS_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/$ORG_NAME/$REPO_NAME/actions/secrets/ACR_ID -d @body.json
+
+
+
+# deploy images to azure container registry from GitHub
+
+
+# FOR DEPLOYING AKS
 - az login
+
+- echo -n $ACR_ID > ./acr_id.txt 
 - terraform init
-- terraform plan -out main.tfplan
-- terraform apply main.tfplan  
-// echo "$(terraform output kube_config)" > ./outputs/azurek8s.yaml
-// remove EOT in ./outputs/azurek8s.yaml
-// export KUBECONFIG=./outputs/azurek8s.yaml
-
-Move to k8s
-- $kubernetes_cluster_name=$(terraform output kubernetes_cluster_name)
-- $resource_group_name=$(terraform output resource_group_name)
-- az aks get-credentials --resource-group $resource_group_name --name $kubernetes_cluster_name
+- terraform plan -out aks.tfplan
+- terraform apply aks.tfplan  
+- KUBERNETES_CLUSTER_NAME=$(terraform output -raw kubernetes_cluster_name)
+- AKS_RESOURCE_GROUP_NAME=$(terraform output -raw resource_group_name)
+- AKS_RESOURCE_GROUP_LOCATION=$(terraform output -raw resource_group_location)
+- public_ip_resource_group_name=MC_${AKS_RESOURCE_GROUP_NAME}_${KUBERNETES_CLUSTER_NAME}_${AKS_RESOURCE_GROUP_LOCATION}
+- APP_IP=$(az network public-ip list --resource-group $public_ip_resource_group_name --query '[0].ipAddress' --output tsv)
+- az aks get-credentials --resource-group $AKS_RESOURCE_GROUP_NAME --name $KUBERNETES_CLUSTER_NAME
+- kubectl get nodes
+
+## create github actions secrets  
+// change folder
+- cd ..
+// get the public key of the repo
+- public_key_info=$(curl -H "Authorization: token $ACCESS_TOKEN" -H "Accept: application/vnd.github.v3+json" https://api.github.com/repos/$ORG_NAME/$REPO_NAME/actions/secrets/public-key)
+- public_key_value=$(echo "$public_key_info" | jq -r '.key')
+- public_key_id=$(echo "$public_key_info" | jq -r '.key_id')
+// encrypt and upload all credentials
+- KUBERNETES_CLUSTER_NAME=$(python3 encrypt-secret.py $KUBERNETES_CLUSTER_NAME $public_key_value)
+- echo '{"encrypted_value":"'$KUBERNETES_CLUSTER_NAME'","key_id":"'$public_key_id'"}' > body.json
+- curl -L -X PUT -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $ACCESS_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/$ORG_NAME/$REPO_NAME/actions/secrets/KUBERNETES_CLUSTER_NAME -d @body.json
+
+- AKS_RESOURCE_GROUP_NAME=$(python3 encrypt-secret.py $AKS_RESOURCE_GROUP_NAME $public_key_value)
+- echo '{"encrypted_value":"'$AKS_RESOURCE_GROUP_NAME'","key_id":"'$public_key_id'"}' > body.json
+- curl -L -X PUT -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $ACCESS_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/$ORG_NAME/$REPO_NAME/actions/secrets/AKS_RESOURCE_GROUP_NAME -d @body.json
+
+- AKS_RESOURCE_GROUP_LOCATION=$(python3 encrypt-secret.py $AKS_RESOURCE_GROUP_LOCATION $public_key_value)
+- echo '{"encrypted_value":"'$AKS_RESOURCE_GROUP_LOCATION'","key_id":"'$public_key_id'"}' > body.json
+- curl -L -X PUT -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $ACCESS_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/$ORG_NAME/$REPO_NAME/actions/secrets/AKS_RESOURCE_GROUP_LOCATION -d @body.json
+
+- APP_IP=$(python3 encrypt-secret.py $APP_IP $public_key_value)
+- echo '{"encrypted_value":"'$APP_IP'","key_id":"'$public_key_id'"}' > body.json
+- curl -L -X PUT -H "Accept: application/vnd.github+json" -H "Authorization: Bearer $ACCESS_TOKEN" -H "X-GitHub-Api-Version: 2022-11-28" https://api.github.com/repos/$ORG_NAME/$REPO_NAME/actions/secrets/APP_IP -d @body.json
+
+# K8S fusionauth (deploy from scratch)
+Already actions secret:
+  - FUSIONAUTH_DATABASE_USERNAME
+  - FUSIONAUTH_DATABASE_PASSWORD
+
+- az aks get-credentials --resource-group $AKS_RESOURCE_GROUP_NAME --name $KUBERNETES_CLUSTER_NAME
 - kubectl get nodes
-- kubectl create secret generic cosmos --from-file=MONGODB_URI=../datastore-deployment/outputs/cosmos.txt
+- DATABASE_URL=jdbc:postgresql://${POSTGRESQL_FQDN}:5432/fusionauth
+- kubectl create secret generic posgresqlurl --from-literal=DATABASE_URL=$DATABASE_URL
+- kubectl create secret generic posgresqlrootusername --from-literal=DATABASE_ROOT_USERNAME=$POSTGRESQL_ROOT_USERNAME
+- kubectl create secret generic posgresqlrootpassword --from-literal=DATABASE_ROOT_PASSWORD=$POSTGRESQL_ROOT_PASSWORD
+- kubectl create secret generic fusionauthdatabaseusername --from-literal=DATABASE_USERNAME=$FUSIONAUTH_DATABASE_USERNAME
+- kubectl create secret generic fusionauthdatabasepassword --from-literal=DATABASE_PASSWORD=$FUSIONAUTH_DATABASE_PASSWORD
 - kubectl apply -f fusionauth.yaml
-- kubectl get service fusionauth --output jsonpath='{.status.loadBalancer.ingress[0].ip}' > some file.txt
-- create secret with the public ip
-- kubectl apply allfiles.yaml (except ingress)
+- FUSION_AUTH_PUBLIC_IP=$(kubectl get service fusionauth --output jsonpath='{.status.loadBalancer.ingress[0].ip}')
+- create github actions secrets
+- apply kicktstart
+
+# K8S services (deploy from scratch)
+Already actions secret:
+  - default_clientSecret
+
+- az aks get-credentials --resource-group $AKS_RESOURCE_GROUP_NAME --name $KUBERNETES_CLUSTER_NAME
+- kubectl get nodes
+
+- fusionAuthURL=http://${FUSION_AUTH_PUBLIC_IP}:9011
+- internalFusionAuthURL=http://${FUSION_AUTH_PUBLIC_IP}:9011
+- appURL=http://${APP_IP}
+- VITE_BACKEND_URL=http://${APP_IP}/api
+
+- kubectl create secret generic mongodburi --from-literal=MONGODB_URI=$MONGODB_URI
+- kubectl create secret generic fusionauthurl --from-literal=fusionAuthURL=$fusionAuthURL
+- kubectl create secret generic internalfusionauthurl --from-literal=internalFusionAuthURL=$internalFusionAuthURL
+- kubectl create secret generic appurl --from-literal=appURL=$appURL
+- kubectl create secret generic vitebackendurl --from-literal=VITE_BACKEND_URL=$VITE_BACKEND_URL
+- kubectl create secret generic defaultclientsecret --from-literal=default_clientSecret=$default_clientSecret
+
+- kubectl apply -f analytics.yaml
+- kubectl apply -f auth.yaml
+- kubectl apply -f frontend.yaml
+- kubectl apply -f heatmap.yaml
+- kubectl apply -f pin.yaml
+- kubectl apply -f update.yaml
+
 - helm install ingress-nginx ingress-nginx/ingress-nginx \
     --set controller.replicaCount=1 \
     --set controller.nodeSelector."kubernetes\.io/os"=linux \
     --set defaultBackend.nodeSelector."kubernetes\.io/os"=linux \
     --set controller.service.externalTrafficPolicy=Local \
-    --set controller.service.loadBalancerIP="20.118.177.37"
-- kubectl get service --namespace default ingress-nginx-controller --output wide --watch
-- kubectl apply ingress.yaml
-
-
-====================================  
-Send image to container registry (sudo)
-- az acr login --name rtwcr1
-- docker tag <local-image-name> rtwcr1.azurecr.io/<remote image name>:<version>
-- docker push rtwcr1.azurecr.io/<remote image name>:<version>
-
-List image container registy
-- az acr repository list --name rtwcr1 --output table
-
-====================================  
-If needed
-- terraform plan -destroy -out main.destroy.tfplan 
-- terraform plan main.destroy.tfplan
-- docker rm -f $(docker ps -a -q)
-- docker rmi -f $(docker images -q)
-
-
-- Step by step explained -
-### 1. Create a Docker image:
-
-```Dockerfile
-FROM nginx:alpine
-COPY ./path/to/your/site /usr/share/nginx/html
-EXPOSE 80
-CMD ["nginx", "-g", "daemon off;"]
-```
-
-Build the image:
-```bash
-docker build -t your_image_name:tag .
-```
-
-### 2. Deploy the Docker image to Azure Container Registry (ACR):
-
-1. Log in to Azure using the command:
-   ```bash
-   az login
-   ```
-
-2. Authenticate to your ACR:
-   ```bash
-   az acr login --name your_acr_name
-   ```
-
-3. Tag your Docker image with your ACR registry URL:
-   ```bash
-   docker tag your_image_name:tag your_acr_name.azurecr.io/your_image_name:tag
-   ```
-
-4. Push the image to your ACR:
-   ```bash
-   docker push your_acr_name.azurecr.io/your_image_name:tag
-   ```
-
-### 3. Kubernetes YAML file to deploy the static website:
-
-```yaml
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: deployment_name
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: application_name
-  template:
-    metadata:
-      labels:
-        app: application_name
-    spec:
-      containers:
-      - name: container_name
-        image: your_acr_name.azurecr.io/your_image_name:tag
-        ports:
-        - containerPort: 80
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: service_name
-spec:
-  selector:
-    app: application_name
-  ports:
-    - protocol: TCP
-      port: 80
-      targetPort: 80
-  type: LoadBalancer
-```
-
-Deploy to Kubernetes with the command:
-```bash
-kubectl apply -f deployment.yaml
-```
+    --set controller.service.loadBalancerIP=$APP_IP
+- kubectl get service --namespace default ingress-nginx-controller --output wide
+- kubectl apply -f ingress.yaml
+
+# K8S services update after image only (execpt ingress and fusionauth)
+- az aks get-credentials --resource-group $AKS_RESOURCE_GROUP_NAME --name $KUBERNETES_CLUSTER_NAME
+- kubectl get nodes
+
+- fusionAuthURL=http://${FUSION_AUTH_PUBLIC_IP}:9011
+- internalFusionAuthURL=http://${FUSION_AUTH_PUBLIC_IP}:9011
+- appURL=http://${APP_IP}
+- VITE_BACKEND_URL=http://${APP_IP}/api
+
+- kubectl create secret generic mongodburi --from-literal=MONGODB_URI=$MONGODB_URI
+- kubectl create secret generic fusionauthurl --from-literal=fusionAuthURL=$fusionAuthURL
+- kubectl create secret generic internalfusionauthurl --from-literal=internalFusionAuthURL=$internalFusionAuthURL
+- kubectl create secret generic appurl --from-literal=appURL=$appURL
+- kubectl create secret generic vitebackendurl --from-literal=VITE_BACKEND_URL=$VITE_BACKEND_URL
+
+- kubectl rollout restart deploy servicename
+
+# K8S services update after K8S yaml file update (execpt ingress and fusionauth)
+- az aks get-credentials --resource-group $AKS_RESOURCE_GROUP_NAME --name $KUBERNETES_CLUSTER_NAME
+- kubectl get nodes
+
+- fusionAuthURL=http://${FUSION_AUTH_PUBLIC_IP}:9011
+- internalFusionAuthURL=http://${FUSION_AUTH_PUBLIC_IP}:9011
+- appURL=http://${APP_IP}
+- VITE_BACKEND_URL=http://${APP_IP}/api
+
+- kubectl create secret generic mongodburi --from-literal=MONGODB_URI=$MONGODB_URI
+- kubectl create secret generic fusionauthurl --from-literal=fusionAuthURL=$fusionAuthURL
+- kubectl create secret generic internalfusionauthurl --from-literal=internalFusionAuthURL=$internalFusionAuthURL
+- kubectl create secret generic appurl --from-literal=appURL=$appURL
+- kubectl create secret generic vitebackendurl --from-literal=VITE_BACKEND_URL=$VITE_BACKEND_URL
+
+- kubectl apply -f <filename>.yaml
+

deployement/aks-deployment/.gitignore

@@ -2,4 +2,5 @@
 terraform.tfstate*
 *.tfplan
 outputs
-aks-test-app
+aks-test-app
+acr_id.txt

deployement/aks-deployment/main.tf

@@ -47,6 +47,6 @@ resource "azurerm_kubernetes_cluster" "k8s" {
 resource "azurerm_role_assignment" "link_k8s_cr1" {
   principal_id                     = azurerm_kubernetes_cluster.k8s.kubelet_identity[0].object_id
   role_definition_name             = "AcrPull"
-  scope                            = "/subscriptions/b12f2641-0be6-48bf-af5d-4c5ec041d5f8/resourceGroups/rg-rtw-data-store/providers/Microsoft.ContainerRegistry/registries/rtwcr1"
+  scope                            = file("./acr_id.txt")
   skip_service_principal_aad_check = true
 }

deployement/aks-deployment/outputs.tf

@@ -1,6 +1,9 @@
 output "resource_group_name" {
   value = azurerm_resource_group.rgaks.name
 }
+output "resource_group_location" {
+  value = azurerm_resource_group.rgaks.location
+}
 
 # K8S cluster
 output "kubernetes_cluster_name" {