fix: move secrets to a k8s secret

Signed-off-by: Ameya Shenoy <shenoy.ameya@gmail.com>

README.md

@@ -90,12 +90,19 @@ The recommended way for deploy is on Kubernetes. You can find the related files
 
 in `k8s` directory.
 
+Before deploy create a `secret.yaml` file in `k8s/app`, with base 64 encoded
+secrets. A sample file named `sample-secret.yaml` has been committed listing all
+the required variables. Change the secrets preset in the file before using it.
+
 - One time deploy
 
 ```sh
 # Deploy ingress
 kubectl apply -f k8s/ingress/ingress-https.yaml
 
+# Deploy secrets
+kubectl apply -f k8s/app/secret.yaml
+
 # Deploy Postgres and Redis DB
 kubectl apply -f k8s/app/redis.yaml
 kubectl apply -f k8s/app/postgres.yaml
@@ -109,7 +116,7 @@ kubectl apply -f k8s/app/rqscheduler.yaml
 kubectl apply -f k8s/app/frontend.yaml
 ```
 
-- Subsequent deploys can be done by rolloing out a restart since all pods have a `imagePullPolicy` set to Always
+- Subsequent deploys can be done by rolloing out a restart since all pods have a `imagePullPolicy` set to `Always`
 
 ```sh
 # Push containers to Docker Hub and Deploy to K8s

k8s/app/.gitignore

@@ -0,0 +1 @@
+secret.yaml

k8s/app/backend.yaml

@@ -22,39 +22,9 @@ spec:
       containers:
         - name: bullish-backend
           image: codingcoffee/bullish-backend
-          env:
-            - name: POSTGRES_USER
-              value: bullish
-            - name: POSTGRES_PASSWORD
-              value: password
-            - name: POSTGRES_DB
-              value: bullish
-            - name: PGDATA
-              value: /var/lib/postgresql/data/pgdata
-            - name: SECRET_KEY
-              value: sample
-            - name: ALLOWED_HOSTS
-              value: api.bullish.codingcoffee.me
-            - name: CORS_ALLOWED_ORIGINS
-              value: https://bullish.codingcoffee.me
-            - name: REDIS_HOST
-              value: bullish-redis
-            - name: REDIS_PORT
-              value: "6379"
-            - name: REDIS_CACHE_DB
-              value: "1"
-            - name: REDIS_QUEUE_DB
-              value: "0"
-            - name: POSTGRES_SERVER
-              value: bullish-database
-            - name: POSTGRES_USER
-              value: bullish
-            - name: POSTGRES_PASSWORD
-              value: password
-            - name: POSTGRES_DB
-              value: bullish
-            - name: POSTGRES_PORT
-              value: "5432"
+          envFrom:
+            - secretRef:
+                name: bullish-secret
 
 ---
 

k8s/app/postgres.yaml

@@ -28,15 +28,9 @@ spec:
       containers:
         - name: postgres
           image: postgres:13.1-alpine
-          env:
-            - name: POSTGRES_USER
-              value: bullish
-            - name: POSTGRES_PASSWORD
-              value: password
-            - name: POSTGRES_DB
-              value: bullish
-            - name: PGDATA
-              value: /var/lib/postgresql/data/pgdata
+          envFrom:
+            - secretRef:
+                name: bullish-secret
           volumeMounts:
             - name: postgres-data
               mountPath: /var/lib/postgresql/data/pgdata

k8s/app/rqscheduler.yaml

@@ -26,38 +26,8 @@ spec:
             - "/bin/sh"
             - "-c"
             - "python manage.py rqscheduler"
-          env:
-            - name: POSTGRES_USER
-              value: bullish
-            - name: POSTGRES_PASSWORD
-              value: password
-            - name: POSTGRES_DB
-              value: bullish
-            - name: PGDATA
-              value: /var/lib/postgresql/data/pgdata
-            - name: SECRET_KEY
-              value: sample
-            - name: ALLOWED_HOSTS
-              value: api.bullish.codingcoffee.me
-            - name: CORS_ALLOWED_ORIGINS
-              value: https://bullish.codingcoffee.me
-            - name: REDIS_HOST
-              value: bullish-redis
-            - name: REDIS_PORT
-              value: "6379"
-            - name: REDIS_CACHE_DB
-              value: "1"
-            - name: REDIS_QUEUE_DB
-              value: "0"
-            - name: POSTGRES_SERVER
-              value: bullish-database
-            - name: POSTGRES_USER
-              value: bullish
-            - name: POSTGRES_PASSWORD
-              value: password
-            - name: POSTGRES_DB
-              value: bullish
-            - name: POSTGRES_PORT
-              value: "5432"
+          envFrom:
+            - secretRef:
+                name: bullish-secret
 
 ...

k8s/app/rqworker.yaml

@@ -26,38 +26,8 @@ spec:
             - "/bin/sh"
             - "-c"
             - "python manage.py rqworker default"
-          env:
-            - name: POSTGRES_USER
-              value: bullish
-            - name: POSTGRES_PASSWORD
-              value: password
-            - name: POSTGRES_DB
-              value: bullish
-            - name: PGDATA
-              value: /var/lib/postgresql/data/pgdata
-            - name: SECRET_KEY
-              value: sample
-            - name: ALLOWED_HOSTS
-              value: api.bullish.codingcoffee.me
-            - name: CORS_ALLOWED_ORIGINS
-              value: https://bullish.codingcoffee.me
-            - name: REDIS_HOST
-              value: bullish-redis
-            - name: REDIS_PORT
-              value: "6379"
-            - name: REDIS_CACHE_DB
-              value: "1"
-            - name: REDIS_QUEUE_DB
-              value: "0"
-            - name: POSTGRES_SERVER
-              value: bullish-database
-            - name: POSTGRES_USER
-              value: bullish
-            - name: POSTGRES_PASSWORD
-              value: password
-            - name: POSTGRES_DB
-              value: bullish
-            - name: POSTGRES_PORT
-              value: "5432"
+          envFrom:
+            - secretRef:
+                name: bullish-secret
 
 ...

k8s/app/sample-secret.yaml

@@ -0,0 +1,24 @@
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: bullish-secret
+type: Opaque
+data:
+  # You can include additional key value pairs as you do with Opaque Secrets
+  POSTGRES_USER: YnVsbGlzaA==
+  POSTGRES_PASSWORD: cGFzc3dvcmQ=
+  POSTGRES_DB: YnVsbGlzaA==
+  PGDATA: L3Zhci9saWIvcG9zdGdyZXNxbC9kYXRhL3BnZGF0YQ==
+  SECRET_KEY: c2FtcGxl
+  ALLOWED_HOSTS: YXBpLmJ1bGxpc2guY29kaW5nY29mZmVlLm1l
+  CORS_ALLOWED_ORIGINS: aHR0cHM6Ly9idWxsaXNoLmNvZGluZ2NvZmZlZS5tZQ==
+  REDIS_HOST: YnVsbGlzaC1yZWRpcw==
+  REDIS_PORT: NjM3OQ==
+  REDIS_CACHE_DB: MQ==
+  REDIS_QUEUE_DB: MA==
+  POSTGRES_SERVER: YnVsbGlzaC1kYXRhYmFzZQ==
+  POSTGRES_PORT: NTQzMg==
+
+...