Update: Removed docker/k8s-first-steps (#3280)

JohnKagunda 2024-07-22 11:35:28 +03:00 коммит произвёл GitHub
Родитель 185a7e0b05
Коммит d310eab4b2
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
4 изменённых файлов: 0 добавлений и 402 удалений


@ -1,226 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: pontoon-prod
---
kind: Secret
apiVersion: v1
metadata:
name: sec-dockerhub
namespace: pontoon-prod
type: kubernetes.io/dockerconfigjson
data:
.dockerconfigjson: <docker auth config json, for private repo>
---
kind: Secret
apiVersion: v1
metadata:
name: sec-cert
namespace: pontoon-prod
data:
crt: <ssl cert for nginx>
key: <ssl cert key>
dhparam: <ssl cer dhparam>
---
kind: ConfigMap
apiVersion: v1
metadata:
name: cfg-nginx
namespace: pontoon-prod
data:
nginx.conf: |
worker_processes 3;
error_log /var/log/nginx/error.log warn;
pid /tmp/nginx.pid;
events {
worker_connections 1024;
}
http {
server {
listen 8080 ssl http2 default_server;
client_max_body_size 100M;
ssl_certificate /etc/nginx/cert/crt;
ssl_certificate_key /etc/nginx/cert/key;
ssl_dhparam /etc/nginx/cert/dhparam;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options sameorigin;
add_header X-Content-Type-Options nosniff;
location / {
proxy_redirect off;
proxy_buffering off;
proxy_http_version 1.1;
proxy_set_header Connection 'Keep-Alive';
proxy_set_header Proxy-Connection 'Keep-Alive';
proxy_pass http://svc-pontoon:8000/;
}
}
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '{ "http": { '
' "version": "$server_protocol", '
' "request": { "method": "$request_method", "referrer": "$http_referer" }, '
' "response": { "bytes": $bytes_sent , "body": { "bytes": $body_bytes_sent }, "status_code": "$status" } '
' },'
' "user_agent": { "original": "$http_user_agent" },'
' "url": { "original": "$request_uri", "scheme": "$scheme", "query": "$query_string" } }';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: dep-nginx
namespace: pontoon-prod
spec:
selector:
matchLabels:
app: nginx
replicas: 1
template:
metadata:
labels:
app: nginx
version: v1
smef-logging: enabled
spec:
containers:
- name: con-nginx
image: reg-dhc.app.corpintra.net/i3-mirror/docker.io_nginxinc_nginx-unprivileged:1.17.8-alpine
ports:
- containerPort: 8080
resources:
limits:
memory: 1Gi
cpu: 0.3
volumeMounts:
- name: vol-nginx
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
readOnly: true
- name: vol-cert
mountPath: /etc/nginx/cert
readOnly: true
volumes:
- name: vol-nginx
configMap:
name: cfg-nginx
- name: vol-cert
secret:
secretName: sec-cert
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: dep-pontoon
namespace: pontoon-prod
spec:
replicas: 1
selector:
matchLabels:
app: pontoon
template:
metadata:
labels:
app: pontoon
spec:
containers:
- name: con-pontoon
imagePullPolicy: Always
image: <pontoon-prod image>
ports:
- protocol: TCP
containerPort: 3000
- protocol: TCP
containerPort: 8000
resources:
limits:
memory: 3Gi
cpu: 0.5
env:
- name: SECRET_KEY
value: '<the pontoon secret key>'
- name: DJANGO_LOGIN
value: 'true'
- name: DJANGO_DEV
value: 'false'
- name: DJANGO_DEBUG
value: 'true'
- name: CI
value: 'true'
- name: DATABASE_URL
value: '<pontoon database URL>'
- name: ALLOWED_HOSTS
value: '<comma seperated list of allowd hosts>'
- name: SITE_URL
value: 'http://127.0.0.10'
- name: SYNC_INTERVAL
value: '30'
- name: KNOWN_HOSTS
value: '<base64 encoded file content of .ssh/known_hosts>'
- name: SSH_KEY
value: '<base64 encoded ssh private key from .ssh/id_rsa>'
imagePullSecrets:
- name: sec-dockerhub
---
kind: Service
apiVersion: v1
metadata:
name: svc-nginx-ingress
namespace: 050-zna-dev
spec:
selector:
app: nginx
type: NodePort
ports:
- name: https-web
protocol: TCP
#the port is not really used but mandatory
port: 2049
targetPort: 8080
nodePort: <your assigned node port!>
---
kind: Service
apiVersion: v1
metadata:
name: svc-pontoon
namespace: pontoon-prod
spec:
selector:
app: pontoon
ports:
- name: http-deprecated
protocol: TCP
port: 3000
targetPort: 3000
- name: http-ui
protocol: TCP
port: 8000
targetPort: 8000


@ -1,119 +0,0 @@
# Pontoon
##### (Guide for building and deploying pontoon in a dev environment)
### Build the container under windows:
###### get code and prepare the build
- git checkout: C:\Projekte\pontoon\latest: https://github.com/mozilla/pontoon.git
- three files need to be replaced by those in this folder
###### build
- open a powershell in checkout folder and switch to wsl using the `wsl` command
- in WSL: connect windows local docker: `export DOCKER_HOST="tcp://localhost:2375"`
- run the build: `make build`
### The database setup:
For a first time setup we recommend starting the container, or at least the database migration script (python manage.py migrate) with a higher privilege user such as the "postgres" superuser. Then for all consecutive runs use the dedicated pontoon user which creation is described below.
- create a dedicated database
```
-- meant to be executed on the mandatory postgress database "postgres"
CREATE DATABASE pontoon;
```
- create a poonton database user and roll. Assign the user to its roll
```
-- meant to be executed on the mandatory postgress database "postgres"
CREATE USER "pontoon" WITH PASSWORD "h29xlKIN4nrTGyFLsKf1";
CREATE ROLE "pontoon-all";
GRANT "pontoon-all" TO "pontoon";
```
- additionally: add the database "postgres" superuser to this roll so he can see the tables easily in SQL-Clients such as pgAdmin.
```
-- meant to be executed on the mandatory postgress database "postgres"
GRANT "pontoon-all" TO "postgres";
```
- in case the "postgres" superuser or another higher privilege user was used to initially execute the migration script as mentioned above make sure to change the owner of each table within the poonton database:
```
-- meant to be executed on the postgress database "pontoon"
DO $$
DECLARE
tables CURSOR FOR
SELECT tablename
FROM pg_tables
WHERE tablename NOT LIKE 'pg_%' AND tablename NOT LIKE 'sql_%'
ORDER BY tablename;
BEGIN
FOR table_record IN tables LOOP
EXECUTE format('ALTER TABLE %s OWNER TO "pontoon-all"', table_record.tablename);
-- RAISE NOTICE 'Tablename: %', table_record.tablename;
END LOOP;
END$$;
```
### The container:
###### Test the container locally and init the database
- tag the container for easier usage:
- for testing run the container like this:
```
docker run -d -p 8000:8000 -p 3000:3000 -e DJANGO_LOGIN=true -e DJANGO_DEBUG=false -e DJANGO_DEV=false -e ALLOWED_HOSTS=127.0.0.1 -e CI=true -e DATABASE_URL=postgres://<postgres-user>:<password>@<db-ip-or-hostname>:5432/<pontoon-db-name> -e SECRET_KEY=a3cafccbafe39db54f2723f8a6f804c34753679a0f197b5b33050d784129d570 -e SITE_URL=http://127.0.0.1:8000 --name pontoon corp/imagename:pontoon-prod-31.01.20
```
The SSH_KEY and KNOWN_HOSTS environment variables are both base64 encoded, but may be omitted here and set/created manually (without base64 encoding) inside the running container. But for the prod environment they need to be passed to guarantee unattended deployment.
If the environment variable SYNC_INTERVAL is defined a shell script will call sync_projects using this interval in minutes.
- get a bash into the container: `docker exec -it pontoon bash`
useful commands:
- check open ports (8000 and 3000 should be open): `ss -lntu`
- check running processes: `ps -A`
- show simple startup log of server_run.sh: `cat /app/server_run.log`
##### first time only, with newly created database:
create an admin user: `python ./manage.py createsuperuser --user=<username> --email=<yourEmail@address>`
##### for each project:
- create project using the web ui, see: https://mozilla-l10n.github.io/documentation/tools/pontoon/adding_new_project.html
- further **administration** via Django: http://127.0.0.1:8000/__a/__
#### NOTES:
- don't try to run pontoon in a subfolder domain, like apigee does. (e.g. https://mydomain.com/pontoon/). It seems only to support running on domain level: **https://mydomain.com/~~pontoon/~~**
you may use subdomains --> https://pontoon.mydomain.com/
### deployment on k8s:
For a k8s deplyoment example yaml see the k8s-pontoon-example.yaml in this folder
#### TODO:
- "_Pontoon sends email when users request projects to be enabled for teams, or teams to be added to projects_"
**e-mails are not yet tested in the image**
---
### Useful commands
- for git access you need to create the _SSH_KEY_: `ssh-keygen -t rsa -b 4096 -C "<yourEmail@address>"`
- find the public key to be entered in guthub: `cat /root/.ssh/id_rsa.pub`
- the private key to be base64 encoded as _SSH_KEY_: `cat /root/.ssh/id_rsa`
- after the first git sync you also geht the _known_hosts_ file:
- to be base64 encoded as _KNOWN_HOSTS_: `cat /root/.ssh/known_hosts`
* first manually sync a single project by reading locales from git source code only: `python manage.py sync_projects --projects=<projectname> --no-commit`
* syncing all projects with writing changes to the soruce code `python manage.py sync_projects`.
This is done by shell script every 30 minutes (evn var SYNC_INTERVAL)
* to see if the sync works look at: http://127.0.0.1:8000/__sync/log/__
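Review bot: Deleting this README does not revoke the credentials it carried — the `pontoon` database password in the `CREATE USER` statement and the 64-hex `SECRET_KEY` in the `docker run` example stay readable in git history. If either value was ever used outside a throwaway dev setup it should be treated as compromised and rotated, and the same applies to any SSH deploy key that was base64-encoded into `SSH_KEY` following the "Useful commands" steps. It would also be worth a secret-scanning pass on the remaining tree to confirm nothing else still references these values.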


@ -1,34 +0,0 @@
#!/bin/bash
echo "out/logs is going into '/app/server_run.log'"
#user pontoon stuff --> get enc vars
(echo ">>> running as user: " && whoami) >> /app/server_run.log
if [ ! -z "$SSH_KEY" ]; then
echo ">>> loading ssh key and kown_hosts for default user pontoon..." >> /app/server_run.log
mkdir /home/pontoon/.ssh
chmod 700 /home/pontoon/.ssh
# To preserve newlines, the env var is base64 encoded. Flip it back.
echo $SSH_KEY | base64 -d > /home/pontoon/.ssh/id_rsa
chmod 400 /home/pontoon/.ssh/id_rsa
# do the same to known_hosts
echo $KNOWN_HOSTS | base64 -d > /home/pontoon/.ssh/known_hosts
chmod 400 /home/pontoon/.ssh/known_hosts
chown -R pontoon:pontoon /home/pontoon/.ssh/
echo "...done." >> /app/server_run.log
fi
echo ">>> Setting up the db for Django" >> /app/server_run.log
python manage.py migrate >> /app/server_run.log
echo ">>> Starting translate & tag-admin builds in the background" >> /app/server_run.log
npm start -w translate &
npm start -w tag-admin &
# syncing projects if env SYNC_INTERVAL is set, if it is set and you need to "work" on the bash, kill the process syncprojects.sh
echo ">>> starting continuos syncing projects" >> /app/server_run.log
/app/docker/syncprojects.sh &
echo ">>> Starting local server as user pontoon" >> /app/server_run.log
python manage.py runserver 0.0.0.0:8000


@ -1,23 +0,0 @@
#!/bin/bash
# a recommended value for SYNC_INTERVAL is 30 --> 30 minutes
if [ ! -z "$SYNC_INTERVAL" ]; then
syncInterval=$SYNC_INTERVAL
echo "syncInterval=$SYNC_INTERVAL"
echo "SYNC_INTERVAL=$SYNC_INTERVAL for syncing projects" >> /app/server_run.log
if((syncInterval > 5)); then
echo "doing startup delay of 60 seconds..."
sleep 60
echo "running loop"
while true
do
echo "calling sync_projects for user pontoon"
python /app/manage.py sync_projects > /app/lastSync.log
# multiply by 60 to have minutes in the env var
sleep $((syncInterval*60))
done
fi
fi
echo "SYNC_INTERVAL is not defined or <5, doing nothing."
echo "SYNC_INTERVAL is not defined or <5, doing nothing." >> /app/server_run.log