From 3a1b08b4d6e41d39790b5c36c712ec188cd679a4 Mon Sep 17 00:00:00 2001 From: Brutus5000 Date: Sat, 9 Nov 2024 16:28:09 +0100 Subject: [PATCH 01/10] Transition to Ory Hydra 2 (in parallel) --- .../templates/config-hydra2.yaml | 26 +++++++++ .../templates/deployment-hydra2.yaml | 56 +++++++++++++++++++ apps/faf-user-service/templates/ingress.yaml | 6 ++ .../templates/service-hydra2.yaml | 13 +++++ apps/ory-hydra2/Chart.yaml | 3 + apps/ory-hydra2/templates/config.yaml | 16 ++++++ apps/ory-hydra2/templates/deployment.yaml | 35 ++++++++++++ apps/ory-hydra2/templates/ingress.yaml | 13 +++++ .../templates/migration-cronjob.yaml | 35 ++++++++++++ apps/ory-hydra2/templates/secret.yaml | 19 +++++++ apps/ory-hydra2/templates/service.yaml | 17 ++++++ scripts/init-postgres.sh | 1 + 12 files changed, 240 insertions(+) create mode 100644 apps/faf-user-service/templates/config-hydra2.yaml create mode 100644 apps/faf-user-service/templates/deployment-hydra2.yaml create mode 100644 apps/faf-user-service/templates/service-hydra2.yaml create mode 100644 apps/ory-hydra2/Chart.yaml create mode 100644 apps/ory-hydra2/templates/config.yaml create mode 100644 apps/ory-hydra2/templates/deployment.yaml create mode 100644 apps/ory-hydra2/templates/ingress.yaml create mode 100644 apps/ory-hydra2/templates/migration-cronjob.yaml create mode 100644 apps/ory-hydra2/templates/secret.yaml create mode 100644 apps/ory-hydra2/templates/service.yaml diff --git a/apps/faf-user-service/templates/config-hydra2.yaml b/apps/faf-user-service/templates/config-hydra2.yaml new file mode 100644 index 00000000..a92d5cec --- /dev/null +++ b/apps/faf-user-service/templates/config-hydra2.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: faf-user-service-hydra2 + labels: + app: faf-user-service-hydra2 +data: + # Only for testing environments + FAF_ENVIRONMENT: {{ eq .Values.environment "prod" | ternary "" .Values.environment }} + REAL_IP_HEADER: "Cf-Connecting-Ip" + PASSWORD_RESET_URL: "https://www.{{.Values.baseDomain}}/account/password/reset" + REGISTER_ACCOUNT_URL: "https://www.{{.Values.baseDomain}}/account/register" + ACTIVATION_URL_FORMAT: "https://user.{{.Values.baseDomain}}/register/activate?token=%s" + FAILED_LOGIN_ACCOUNT_THRESHOLD: "5" + FAILED_LOGIN_ATTEMPT_THRESHOLD: "10" + FAILED_LOGIN_THROTTLING_MINUTES: "5" + FAILED_LOGIN_DAYS_TO_CHECK: "1" + HYDRA_TOKEN_ISSUER: "https://login.{{.Values.baseDomain}}" + HYDRA_JWKS_URL: "https://login.{{.Values.baseDomain}}/.well-known/jwks.json" + HYDRA_BASE_ADMIN_URL: "http://ory-hydra2:4445" + DB_URL: "jdbc:mariadb://mariadb:3306/faf_lobby?ssl=false" + DB_USERNAME: "faf-user-service" + DB_DATABASE: "faf_lobby" # for mariadb init script + LOBBY_URL: "wss://ws.{{.Values.baseDomain}}" + IRC_TOKEN_TTL: "300" + JAVA_OPTS: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005" \ No newline at end of file diff --git a/apps/faf-user-service/templates/deployment-hydra2.yaml b/apps/faf-user-service/templates/deployment-hydra2.yaml new file mode 100644 index 00000000..0128bd8c --- /dev/null +++ b/apps/faf-user-service/templates/deployment-hydra2.yaml 
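Review bot: `JAVA_OPTS: "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=5005"` at the end of this ConfigMap turns on the JDWP debug agent unconditionally, yet the ConfigMap feeds a login/consent service that the same patch routes from the internet (the `user-nx` host in ingress.yaml); JDWP gives anyone who can reach the port arbitrary code execution inside the JVM. Whether `address=5005` binds only to localhost or to all interfaces depends on the JDK version, so other pods on the cluster network may reach it even though the Service only publishes 8080. Remove the line, or gate it on the environment: `{{- if ne .Values.environment "prod" }}` / `JAVA_OPTS: "-agentlib:jdwp=..."` / `{{- end }}`. The `# Only for testing environments` comment sits on `FAF_ENVIRONMENT`, whose templated value renders empty for prod; quote it (`FAF_ENVIRONMENT: "{{ eq .Values.environment "prod" | ternary "" .Values.environment }}"`) so the value stays a string instead of a YAML null.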
@@ -0,0 +1,56 @@ +# This is for temporary running Ory Hydra 1.10 and 2.x in parallel. +apiVersion: apps/v1 +kind: Deployment +metadata: + name: faf-user-service-hydra2 + labels: + app: faf-user-service-hydra2 + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: faf-user-service-hydra2 + template: + metadata: + labels: + app: faf-user-service-hydra2 + annotations: + prometheus.io/scrape: 'true' + prometheus.io/port: '8081' + prometheus.io/path: '/actuator/prometheus' + spec: + containers: + - image: faforever/faf-user-service:3.2.0-RC2 + imagePullPolicy: Always + name: faf-user-service + envFrom: + - configMapRef: + name: faf-user-service-hydra2 + - secretRef: + name: faf-user-service + volumeMounts: + - name: mail-templates + mountPath: /config/mail/ + readOnly: true + ports: + - containerPort: 8080 + startupProbe: + httpGet: + port: 8080 + path: /q/health + failureThreshold: 10 + periodSeconds: 3 + livenessProbe: + httpGet: + port: 8080 + path: /q/health + failureThreshold: 3 + periodSeconds: 10 + restartPolicy: Always + volumes: + - name: mail-templates + configMap: + name: faf-user-service-mail-templates diff --git a/apps/faf-user-service/templates/ingress.yaml b/apps/faf-user-service/templates/ingress.yaml index eb6236b5..afb9fae6 100644 --- a/apps/faf-user-service/templates/ingress.yaml +++ b/apps/faf-user-service/templates/ingress.yaml @@ -11,3 +11,9 @@ spec: services: - name: faf-user-service port: 8080 + # This is for temporary running Ory Hydra 1.10 and 2.x in parallel. + - match: Host(`user-nx.{{.Values.baseDomain}}`) + kind: Rule + services: + - name: faf-user-service-hydra2 + port: 8080 diff --git a/apps/faf-user-service/templates/service-hydra2.yaml b/apps/faf-user-service/templates/service-hydra2.yaml new file mode 100644 index 00000000..2af5d455 --- /dev/null +++ b/apps/faf-user-service/templates/service-hydra2.yaml 
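Review bot: The `faf-user-service` container in this Deployment has no `securityContext` and no `resources`, while it is the internet-facing login/consent provider for the new Hydra instance; a compromised JVM would run with whatever the image's default user and capabilities allow, and a single request flood can starve the node. The image also tracks a release-candidate tag with `imagePullPolicy: Always`, so each restart may pull a different build; a digest pin (or at least a release tag) would make what is running reproducible. Add a restrictive container securityContext and requests/limits (numbers below are placeholders — size them from the existing faf-user-service deployment); if `readOnlyRootFilesystem` breaks the JVM's temp directory, mount an `emptyDir` at `/tmp`.
```yaml
        - image: faforever/faf-user-service:3.2.0-RC2
          # … unchanged: imagePullPolicy, name, envFrom, volumeMounts, ports, probes …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 100m
              memory: 512Mi
            limits:
              memory: 1Gi
```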
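Review bot: The new `Host(`user-nx.{{.Values.baseDomain}}`)` rule routes straight to `faf-user-service-hydra2:8080` with no middlewares, while the service's ConfigMap trusts `REAL_IP_HEADER: "Cf-Connecting-Ip"` for its failed-login throttling; if this Traefik entrypoint is reachable from anything other than Cloudflare, a client can set that header itself and bypass the per-IP thresholds. The enclosing IngressRoute (entryPoints, any middlewares on the existing `faf-user-service` rule) starts outside the hunk, so I cannot see whether the first rule is protected; if it is, mirror the same `middlewares:` list on this rule, and if neither is, consider an IP allowlist for Cloudflare's ranges or a Traefik rate-limit middleware. A comment such as `# Temporary host for the Hydra 2 migration; remove together with deployment-hydra2.yaml` would also make the cleanup path explicit.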
@@ -0,0 +1,13 @@ +# This is for temporary running Ory Hydra 1.10 and 2.x in parallel. +apiVersion: v1 +kind: Service +metadata: + name: faf-user-service-hydra2 + labels: + app: faf-user-service-hydra2 +spec: + selector: + app: faf-user-service-hydra2 + ports: + - port: 8080 + targetPort: 8080 diff --git a/apps/ory-hydra2/Chart.yaml b/apps/ory-hydra2/Chart.yaml new file mode 100644 index 00000000..48025b92 --- /dev/null +++ b/apps/ory-hydra2/Chart.yaml @@ -0,0 +1,3 @@ +apiVersion: v2 +name: ory-hydra2 +version: 1.0.0 diff --git a/apps/ory-hydra2/templates/config.yaml b/apps/ory-hydra2/templates/config.yaml new file mode 100644 index 00000000..a9034af4 --- /dev/null +++ b/apps/ory-hydra2/templates/config.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: ory-hydra2 + namespace: faf-apps + labels: + app: ory-hydra2 +data: + URLS_SELF_ISSUER: "https://login.{{.Values.baseDomain}}" + URLS_LOGIN: "https://user-nx.{{.Values.baseDomain}}/oauth2/login" + URLS_CONSENT: "https://user-nx.{{.Values.baseDomain}}/oauth2/consent" + STRATEGIES_ACCESS_TOKEN: "jwt" + OAUTH2_CLIENT_CREDENTIALS_DEFAULT_GRANT_ALLOWED_SCOPE: "true" + # These are only used for postgres init script, it is redundant in the DSN secret! Don't forget to also create a secret for DB_PASSWORD + DB_USER: "hydra" + DB_NAME: "ory-hydra" diff --git a/apps/ory-hydra2/templates/deployment.yaml b/apps/ory-hydra2/templates/deployment.yaml new file mode 100644 index 00000000..97809c29 --- /dev/null +++ b/apps/ory-hydra2/templates/deployment.yaml 
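Review bot: `OAUTH2_CLIENT_CREDENTIALS_DEFAULT_GRANT_ALLOWED_SCOPE: "true"` in the `ory-hydra2` ConfigMap makes Hydra grant a client-credentials token every scope registered on the client whenever the request omits `scope`; that widens what machine clients receive by default compared with Hydra's default of requiring scopes to be requested explicitly. Keep it only if every service client is intended to always hold its full scope set, and document that decision next to the key, e.g. `# Intentional: legacy clients do not send scope= on client_credentials requests`. Separately, `URLS_SELF_ISSUER: "https://login.{{.Values.baseDomain}}"` is the same issuer the user-service ConfigMap already expects from Hydra 1.10 (`HYDRA_TOKEN_ISSUER`, `HYDRA_JWKS_URL`); while both instances run, tokens from the two signers carry an identical `iss`, and verifiers resolving the JWKS URL will only see the key set of whichever instance that host routes to — worth a comment stating that the issuer is shared on purpose and that the cutover must swap the `login.` route and the JWKS in one step.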
@@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ory-hydra2 + namespace: faf-apps + labels: + app: ory-hydra2 + annotations: + reloader.stakater.com/auto: "true" +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + app: ory-hydra2 + template: + metadata: + labels: + app: ory-hydra2 + annotations: + prometheus.io/scrape: 'false' + spec: + containers: + - image: oryd/hydra:v2.2.0 + imagePullPolicy: Always + name: ory-hydra2 + envFrom: + - configMapRef: + name: ory-hydra2 + - secretRef: + name: ory-hydra2 + ports: + - containerPort: 4444 + - containerPort: 4445 + restartPolicy: Always \ No newline at end of file diff --git a/apps/ory-hydra2/templates/ingress.yaml b/apps/ory-hydra2/templates/ingress.yaml new file mode 100644 index 00000000..b0b2343d --- /dev/null +++ b/apps/ory-hydra2/templates/ingress.yaml @@ -0,0 +1,13 @@ +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: ory-hydra2 +spec: + entryPoints: + - websecure + routes: + - match: Host(`login.{{.Values.baseDomain}}`) + kind: Rule + services: + - name: ory-hydra2 + port: 4444 diff --git a/apps/ory-hydra2/templates/migration-cronjob.yaml b/apps/ory-hydra2/templates/migration-cronjob.yaml new file mode 100644 index 00000000..253226d9 --- /dev/null +++ b/apps/ory-hydra2/templates/migration-cronjob.yaml 
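Review bot: The `ory-hydra2` container runs as the authorization server for the whole platform but carries no `securityContext`, no `resources`, and no readiness or liveness probe, so a pod that cannot reach Postgres still receives traffic from the `login.` route and a crash-looping process is never restarted by kubelet on health grounds. Hydra 2 also has no TLS configuration here and sits behind Traefik's TLS termination; unless the Infisical secret supplies the TLS-termination allowance (`SERVE_TLS_ALLOW_TERMINATION_FROM`) the public port will refuse plain-HTTP requests — I cannot see the secret, so please confirm. The probes below use Hydra's health endpoints on the admin port; the securityContext mirrors what the upstream Hydra image supports (it runs as a non-root user).
```yaml
        - image: oryd/hydra:v2.2.0
          # … unchanged: imagePullPolicy, name, envFrom, ports …
          readinessProbe:
            httpGet:
              path: /health/ready
              port: 4445
          livenessProbe:
            httpGet:
              path: /health/alive
              port: 4445
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
```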
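Review bot: The IngressRoute matches `Host(`login.{{.Values.baseDomain}}`)`, which is the issuer host the existing user-service configuration already attributes to Hydra 1.10; if the current Hydra chart has an IngressRoute for the same host (not visible here), Traefik will pick one of the two by rule priority and the "in parallel" rollout silently becomes a cutover for whichever instance loses. For a genuine parallel run, give Hydra 2 its own host (the user-service side already uses `user-nx.`), or keep this file but leave it out of the release until the switch, with a comment recording that intent: `# Takes over login.<domain> from Hydra 1.10 — apply only at cutover`. Routing only `port: 4444` and not the admin port is correct.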
@@ -0,0 +1,35 @@ +kind: CronJob +apiVersion: batch/v1 +metadata: + name: ory-hydra2-migration + namespace: faf-apps + labels: + app: ory-hydra-migration +spec: + # Disabled because triggered manually + schedule: "0 0 31 2 *" + suspend: true + concurrencyPolicy: Forbid + jobTemplate: + metadata: + labels: + app: ory-hydra2-migration + annotations: + prometheus.io/scrape: 'false' + spec: + template: + spec: + containers: + - image: oryd/hydra:v2.2.0 + imagePullPolicy: Always + name: ory-hydra + envFrom: + - configMapRef: + name: ory-hydra2 + - secretRef: + name: ory-hydra2 + ports: + - containerPort: 4444 + - containerPort: 4445 + args: [ "migrate", "sql", "--read-from-env", "--yes"] + restartPolicy: Never diff --git a/apps/ory-hydra2/templates/secret.yaml b/apps/ory-hydra2/templates/secret.yaml new file mode 100644 index 00000000..83c53349 --- /dev/null +++ b/apps/ory-hydra2/templates/secret.yaml @@ -0,0 +1,19 @@ +apiVersion: secrets.infisical.com/v1alpha1 +kind: InfisicalSecret +metadata: + name: ory-hydra2 + namespace: faf-apps +spec: + authentication: + universalAuth: + credentialsRef: + secretName: infisical-machine-identity + secretNamespace: faf-ops + secretsScope: + projectSlug: {{.Values.infisical.projectSlug}} + envSlug: {{.Values.infisical.envSlug}} + secretsPath: "/ory-hydra2" + managedSecretReference: + secretName: ory-hydra2 + secretNamespace: faf-apps + creationPolicy: "Owner" diff --git a/apps/ory-hydra2/templates/service.yaml b/apps/ory-hydra2/templates/service.yaml new file mode 100644 index 00000000..55f65f0d --- /dev/null +++ b/apps/ory-hydra2/templates/service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + name: ory-hydra2 + namespace: faf-apps + labels: + app: ory-hydra2 +spec: + selector: + app: ory-hydra2 + ports: + - name: public-port + port: 4444 + targetPort: 4444 + - name: admin-port + port: 4445 + targetPort: 4445 diff --git a/scripts/init-postgres.sh b/scripts/init-postgres.sh index 30de1d9e..55ef788d 100755 
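Review bot: The migration Job mounts the entire `ory-hydra2` Secret via `secretRef` although `hydra migrate sql --read-from-env` only needs the DSN; the system/cookie secrets that the same Secret presumably holds for the server are exposed to a job that never uses them, and the `ports:` block on a one-shot container serves no purpose. Select the single key instead and drop the ports; the `app` label also differs between the CronJob metadata (`ory-hydra-migration`) and its jobTemplate (`ory-hydra2-migration`), which makes selecting its pods by label unreliable. The never-occurring schedule `0 0 31 2 *` plus `suspend: true` is a reasonable manual-trigger pattern but deserves a note on how it is run, e.g. `# Trigger with: kubectl create job --from=cronjob/ory-hydra2-migration <name>`.
```yaml
          envFrom:
            - configMapRef:
                name: ory-hydra2
          env:
            - name: DSN
              valueFrom:
                secretKeyRef:
                  name: ory-hydra2
                  key: DSN
          # … unchanged: args …
```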
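Review bot: The Service publishes `admin-port` 4445 alongside the public port, so every workload in the cluster can reach Hydra's admin API — which can create and modify OAuth2 clients, accept login and consent requests, and introspect or revoke tokens — while only `faf-user-service-hydra2` (via `HYDRA_BASE_ADMIN_URL: "http://ory-hydra2:4445"`) legitimately needs it. Either move 4445 into a separate Service and restrict it with a NetworkPolicy that allows ingress to port 4445 only from pods labelled `app: faf-user-service-hydra2`, or add such a policy to this chart; I cannot see whether the namespace already has a default-deny policy. At minimum, annotate the port: `# Admin API — unauthenticated; must stay cluster-internal and NetworkPolicy-restricted`.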
--- a/scripts/init-postgres.sh +++ b/scripts/init-postgres.sh @@ -50,5 +50,6 @@ create_user_and_db() { } create_user_and_db faf-apps wikijs DB_USER DB_PASS DB_NAME +create_user_and_db faf-apps ory-hydra2 DB_USER DB_PASSWORD DB_NAME echo "All users and databases have been processed." From 764b7409cec1ea34c3a7d520637ec9cfa01872ba Mon Sep 17 00:00:00 2001 From: Brutus5000 Date: Sat, 9 Nov 2024 19:44:39 +0100 Subject: [PATCH 02/10] Add telepresence --- cluster/telepresence/Chart.yaml | 7 +++++++ cluster/telepresence/values.yaml | 3 +++ 2 files changed, 10 insertions(+) create mode 100644 cluster/telepresence/Chart.yaml create mode 100644 cluster/telepresence/values.yaml diff --git a/cluster/telepresence/Chart.yaml b/cluster/telepresence/Chart.yaml new file mode 100644 index 00000000..2596ffc2 --- /dev/null +++ b/cluster/telepresence/Chart.yaml @@ -0,0 +1,7 @@ +apiVersion: v2 +name: telepresence +version: 1.0.0 +dependencies: + - name: telepresence-oss + version: 2.21.3 + repository: oci://ghcr.io/telepresenceio \ No newline at end of file diff --git a/cluster/telepresence/values.yaml b/cluster/telepresence/values.yaml new file mode 100644 index 00000000..72fa2a8d --- /dev/null +++ b/cluster/telepresence/values.yaml @@ -0,0 +1,3 @@ +namespace: telepresence +telepresence: + releaseName: traffic-manager \ No newline at end of file From 059eafe228fe32e34236e8e1b8a9cac9786f024a Mon Sep 17 00:00:00 2001 From: Sheikah45 <66929319+Sheikah45@users.noreply.github.com> Date: Sun, 23 Mar 2025 15:18:33 -0400 Subject: [PATCH 03/10] Add replays old to content (#204) * Update values.yaml * Update deployment.yaml --- apps/faf-content/templates/deployment.yaml | 7 +++++++ cluster/storage/values.yaml | 6 ++++++ 2 files changed, 13 insertions(+) diff --git a/apps/faf-content/templates/deployment.yaml b/apps/faf-content/templates/deployment.yaml index a00667d3..7e3438ab 100644 --- a/apps/faf-content/templates/deployment.yaml +++ b/apps/faf-content/templates/deployment.yaml 
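Review bot: The new call `create_user_and_db faf-apps ory-hydra2 DB_USER DB_PASSWORD DB_NAME` passes a different password key name than the wikijs call above it (`DB_PASS`), which is consistent with the `ory-hydra2` ConfigMap comment but easy to get wrong silently; the body of `create_user_and_db` starts before this hunk, so I cannot see whether it aborts or creates a role with an empty password when the key is absent from the Secret. Please confirm the function refuses an empty password, and add a comment at the call site: `# Hydra 2 chart exposes the password as DB_PASSWORD (not DB_PASS) — see apps/ory-hydra2/templates/config.yaml`.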
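Review bot: Adding the `telepresence-oss` dependency installs a traffic-manager that, by design, lets anyone allowed to create intercepts redirect traffic destined for an in-cluster Service — including the login and consent service introduced earlier in this series — to a developer's machine; nothing in this chart or its values limits which namespaces it may manage or who may use it. If this is the production cluster, restrict the manager to a development namespace using the chart's namespaced-RBAC options (check what 2.21.3 offers) and bind intercept permissions to a small group; if it is not, a comment saying so would spare the next reviewer the question: `# Developer-only tooling; not to be enabled on the production cluster`. Pinning the OCI chart by digest rather than version alone is also cheap here.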
@@ -30,6 +30,9 @@ spec: - name: faf-replays-pvc mountPath: /data/replays readOnly: true + - name: faf-replays-old-pvc + mountPath: /data/replays-old + readOnly: true - name: faf-maps-pvc mountPath: /data/maps readOnly: true @@ -66,6 +69,10 @@ spec: persistentVolumeClaim: claimName: faf-replays-pvc readOnly: true + - name: faf-replays-old-pvc + persistentVolumeClaim: + claimName: faf-replays-old-pvc + readOnly: true - name: faf-maps-pvc persistentVolumeClaim: claimName: faf-maps-pvc diff --git a/cluster/storage/values.yaml b/cluster/storage/values.yaml index 374e8dd4..5abc8e17 100644 --- a/cluster/storage/values.yaml +++ b/cluster/storage/values.yaml @@ -24,6 +24,12 @@ managedStorages: size: 500Gi pvc: namespace: faf-apps + - pv: + name: faf-replays-old + folderName: replays-old + size: 500Gi + pvc: + namespace: faf-apps - pv: name: faf-maps folderName: maps From f191d0c7f6422090d6e0760d8868c953085915dd Mon Sep 17 00:00:00 2001 From: Sheikah45 <66929319+Sheikah45@users.noreply.github.com> Date: Sun, 23 Mar 2025 15:30:29 -0400 Subject: [PATCH 04/10] take faf-content to 0 --- apps/faf-content/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/apps/faf-content/templates/deployment.yaml b/apps/faf-content/templates/deployment.yaml index 7e3438ab..d6e4b1cd 100644 --- a/apps/faf-content/templates/deployment.yaml +++ b/apps/faf-content/templates/deployment.yaml @@ -7,7 +7,7 @@ metadata: annotations: reloader.stakater.com/auto: "true" spec: - replicas: 1 + replicas: 0 revisionHistoryLimit: 10 selector: matchLabels: From 618b38f0a4beed688cae306d4a1433c494d6156a Mon Sep 17 00:00:00 2001 From: Sheikah45 <66929319+Sheikah45@users.noreply.github.com> Date: Sun, 23 Mar 2025 15:30:52 -0400 Subject: [PATCH 05/10] back to 1 --- apps/faf-content/templates/deployment.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/apps/faf-content/templates/deployment.yaml b/apps/faf-content/templates/deployment.yaml index d6e4b1cd..7e3438ab 100644 --- a/apps/faf-content/templates/deployment.yaml +++ b/apps/faf-content/templates/deployment.yaml @@ -7,7 +7,7 @@ metadata: annotations: reloader.stakater.com/auto: "true" spec: - replicas: 0 + replicas: 1 revisionHistoryLimit: 10 selector: matchLabels: From 4f45145dfac90f6f53fc18cabd5935158c56f151 Mon Sep 17 00:00:00 2001 From: Sheikah45 <66929319+Sheikah45@users.noreply.github.com> Date: Sun, 23 Mar 2025 15:32:58 -0400 Subject: [PATCH 06/10] not read only attempy --- apps/faf-content/templates/deployment.yaml | 2 -- 1 file changed, 2 deletions(-) diff --git a/apps/faf-content/templates/deployment.yaml b/apps/faf-content/templates/deployment.yaml index 7e3438ab..db9a2aa8 100644 --- a/apps/faf-content/templates/deployment.yaml +++ b/apps/faf-content/templates/deployment.yaml @@ -32,7 +32,6 @@ spec: readOnly: true - name: faf-replays-old-pvc mountPath: /data/replays-old - readOnly: true - name: faf-maps-pvc mountPath: /data/maps readOnly: true @@ -72,7 +71,6 @@ spec: - name: faf-replays-old-pvc persistentVolumeClaim: claimName: faf-replays-old-pvc - readOnly: true - name: faf-maps-pvc persistentVolumeClaim: claimName: faf-maps-pvc From 3bc27a89302ec359bd40738bbfdfa5d71ae4baf6 Mon Sep 17 00:00:00 2001 From: Sheikah45 <66929319+Sheikah45@users.noreply.github.com> Date: Sun, 23 Mar 2025 15:33:46 -0400 Subject: [PATCH 07/10] remove replays-old mount to nginx --- apps/faf-content/templates/deployment.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/apps/faf-content/templates/deployment.yaml b/apps/faf-content/templates/deployment.yaml index db9a2aa8..a00667d3 100644 --- a/apps/faf-content/templates/deployment.yaml +++ b/apps/faf-content/templates/deployment.yaml 
@@ -30,8 +30,6 @@ spec: - name: faf-replays-pvc mountPath: /data/replays readOnly: true - - name: faf-replays-old-pvc - mountPath: /data/replays-old - name: faf-maps-pvc mountPath: /data/maps readOnly: true @@ -68,9 +66,6 @@ spec: persistentVolumeClaim: claimName: faf-replays-pvc readOnly: true - - name: faf-replays-old-pvc - persistentVolumeClaim: - claimName: faf-replays-old-pvc - name: faf-maps-pvc persistentVolumeClaim: claimName: faf-maps-pvc From 85a88d86948c8781a5f510366fa90577fc807e4a Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 6 Apr 2025 23:30:32 +0200 Subject: [PATCH 08/10] Update Helm release argo-cd to v7.8.23 (#201) Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- cluster/argocd/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster/argocd/Chart.yaml b/cluster/argocd/Chart.yaml index eeb26ea4..8ed055e2 100644 --- a/cluster/argocd/Chart.yaml +++ b/cluster/argocd/Chart.yaml @@ -3,5 +3,5 @@ name: argocd version: 1.0.0 dependencies: - name: argo-cd - version: 7.8.7 + version: 7.8.23 repository: https://argoproj.github.io/argo-helm From 26c1fb5b1ea5f57d8c0a527c182988e78db9dd26 Mon Sep 17 00:00:00 2001 
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 6 Apr 2025 23:30:40 +0200 Subject: [PATCH 09/10] Update Helm release traefik to v34.5.0 (#197) * Transition to Ory Hydra 2 (in parallel) * Add telepresence * Update faforever/faf-icebreaker Docker tag to v1.1.0 * Add replays old to content (#204) * Update values.yaml * Update deployment.yaml * take faf-content to 0 * back to 1 * not read only attempy * remove replays-old mount to nginx * Update icebreaker to 1.1.2 * Update Helm release traefik to v34.5.0 --------- Co-authored-by: Brutus5000 Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: Sheikah45 <66929319+Sheikah45@users.noreply.github.com> --- cluster/traefik/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster/traefik/Chart.yaml b/cluster/traefik/Chart.yaml index 54db93e8..99d51580 100644 --- a/cluster/traefik/Chart.yaml +++ b/cluster/traefik/Chart.yaml @@ -3,5 +3,5 @@ name: traefik version: 1.0.0 dependencies: - name: traefik - version: 34.3.0 + version: 34.5.0 repository: https://traefik.github.io/charts From 856f8c68e83d467c308b5b9245f40d1d9357427e Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 6 Apr 2025 21:40:28 +0000 Subject: [PATCH 10/10] Update postgres Docker tag to v17.4 --- infra/postgres/templates/statefulset.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/infra/postgres/templates/statefulset.yaml b/infra/postgres/templates/statefulset.yaml index 0548d82f..eac26aa0 100644 --- a/infra/postgres/templates/statefulset.yaml +++ b/infra/postgres/templates/statefulset.yaml @@ -33,7 +33,7 @@ spec: restartPolicy: Always containers: - - image: postgres:17.2-alpine3.20 + - image: postgres:17.4-alpine3.20 imagePullPolicy: Always name: postgres ports: