infra needed for bot

JacobCoffee · JacobCoffee · commit a9f6fc2af050 · 2026-02-09T18:21:37.000-06:00
diff --git a/infra/k8s/README.md b/infra/k8s/README.md
@@ -0,0 +1,45 @@
+# miss-islington k8s infra
+
+Kubernetes manifests for running miss-islington on cabotage instead of Heroku.
+
+## What's here
+
+`redis.yaml` and `cert.yaml` provision a standalone Redis instance in the `redis` namespace using the OpsTree Redis Operator (already running cluster-wide).
+The cert is issued by the internal `operators-ca-issuer` ClusterIssuer, ECDSA P-256, 90-day rotation.
+
+`ingress.yaml` goes in the `python` namespace where cabotage deploys the app. It's a standard nginx ingress with backend-protocol 
+HTTPS because cabotage serves on 8443/TLS behind a Service on port 443.
+
+`generate-secrets.sh` creates the Redis password Secret and prints the full connection URI you need to set as `REDIS_URL` in cabotage.
+
+## Setup
+
+Generate the Redis password (once per cluster):
+
+```
+./infra/k8s/generate-secrets.sh
+```
+
+Apply the Redis CR and TLS cert:
+
+```
+kubectl apply -k infra/k8s -n redis
+```
+
+After cabotage has deployed the app and the Service exists, apply the ingress:
+
+```
+kubectl apply -f infra/k8s/ingress.yaml
+```
+
+## Cabotage env vars
+
+Set these in the cabotage UI for the miss-islington application:
+
+- `GH_SECRET` - GitHub webhook secret
+- `GH_APP_ID` - GitHub App ID
+- `GH_PRIVATE_KEY` - GitHub App private key
+- `GH_AUTH` - GitHub auth token (used by the celery worker to clone cpython)
+- `SENTRY_DSN` - Sentry DSN for error tracking
+- `REDIS_URL` - printed by `generate-secrets.sh`, looks 
+ like `rediss://:<password>@miss-islington.redis.svc.cluster.local:6379/0?ssl_ca_certs=/var/run/secrets/cabotage.io/ca.crt&ssl_cert_reqs=required`
diff --git a/infra/k8s/cert.yaml b/infra/k8s/cert.yaml
@@ -0,0 +1,40 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: miss-islington-certmanager
+spec:
+  secretName: miss-islington-tls
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  subject:
+    organizations:
+    - miss-islington-org
+  commonName: miss-islington
+  isCA: false
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  usages:
+    - digital signature
+    - key encipherment
+  dnsNames:
+  - miss-islington
+  - miss-islington.redis
+  - miss-islington.redis.svc
+  - miss-islington.redis.svc.cluster.local
+  - miss-islington-0
+  - miss-islington-0.redis
+  - miss-islington-0.redis.svc
+  - miss-islington-0.redis.svc.cluster.local
+  - miss-islington-1
+  - miss-islington-1.redis
+  - miss-islington-1.redis.svc
+  - miss-islington-1.redis.svc.cluster.local
+  - miss-islington-2
+  - miss-islington-2.redis
+  - miss-islington-2.redis.svc
+  - miss-islington-2.redis.svc.cluster.local
+  issuerRef:
+    name: operators-ca-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
diff --git a/infra/k8s/generate-secrets.sh b/infra/k8s/generate-secrets.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+# Generate Redis password secret for miss-islington
+# Run once per cluster setup
+set -e
+
+NAMESPACE="redis"
+SECRET_NAME="miss-islington-password"
+
+echo "=== Miss Islington Redis Secret ==="
+
+if kubectl get secret -n "$NAMESPACE" "$SECRET_NAME" &>/dev/null; then
+    echo "Secret '$SECRET_NAME' already exists in namespace '$NAMESPACE'."
+    echo "Delete it first if you want to regenerate: kubectl delete secret -n $NAMESPACE $SECRET_NAME"
+    exit 1
+fi
+
+PASSWORD=$(openssl rand -hex 24)
+
+kubectl create secret -n "$NAMESPACE" generic "$SECRET_NAME" --from-literal=password="$PASSWORD"
+
+echo ""
+echo "Secret '$SECRET_NAME' created in namespace '$NAMESPACE'."
+echo ""
+echo "Redis connection URI (set as REDIS_URL in cabotage):"
+echo "rediss://:${PASSWORD}@miss-islington.redis.svc.cluster.local:6379/0?ssl_ca_certs=/var/run/secrets/cabotage.io/ca.crt&ssl_cert_reqs=required"
+echo ""
+echo "=== Done ==="
diff --git a/infra/k8s/ingress.yaml b/infra/k8s/ingress.yaml
@@ -0,0 +1,42 @@
+# Miss Islington - Cabotage Ingress
+# Apply manually: kubectl apply -f infra/k8s/ingress.yaml
+#
+# Exposes the Cabotage-deployed app via nginx-ingress
+# with Let's Encrypt TLS certificates via cert-manager.
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: python-miss-islington-miss-islington-web
+  namespace: python
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-connect-timeout: 10s
+    nginx.ingress.kubernetes.io/proxy-next-upstream: error
+    nginx.ingress.kubernetes.io/proxy-read-timeout: 60s
+    nginx.ingress.kubernetes.io/proxy-request-buffering: "on"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: 60s
+    nginx.ingress.kubernetes.io/service-upstream: "true"
+  labels:
+    app: python-miss-islington-miss-islington
+    process: web
+    resident-service.cabotage.io: "true"
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: python-miss-islington-miss-islington-web.ingress.us-east-2.psfhosted.computer
+    http:
+      paths:
+      - backend:
+          service:
+            name: python-miss-islington-miss-islington-web
+            port:
+              number: 443
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - python-miss-islington-miss-islington-web.ingress.us-east-2.psfhosted.computer
+    secretName: ingress-python-miss-islington-miss-islington-web
diff --git a/infra/k8s/kustomization.yaml b/infra/k8s/kustomization.yaml
@@ -0,0 +1,5 @@
+namespace: redis
+
+resources:
+- cert.yaml
+- redis.yaml
diff --git a/infra/k8s/redis.yaml b/infra/k8s/redis.yaml
@@ -0,0 +1,44 @@
+---
+apiVersion: redis.redis.opstreelabs.in/v1beta1
+kind: Redis
+metadata:
+  name: miss-islington
+spec:
+  TLS:
+    secret:
+      secretName: miss-islington-tls
+      optional: false
+  securityContext:
+    runAsUser: 1000
+    fsGroup: 1000
+  kubernetesConfig:
+    image: quay.io/opstree/redis:v7.0.15
+    imagePullPolicy: IfNotPresent
+    redisSecret:
+      name: miss-islington-password
+      key: password
+    resources:
+      requests:
+        cpu: 100m
+        memory: 128Mi
+      limits:
+        cpu: 100m
+        memory: 128Mi
+  redisExporter:
+    enabled: false
+    image: quay.io/opstree/redis-exporter:v1.44.0
+    imagePullPolicy: Always
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        cpu: 100m
+        memory: 256Mi
+  storage:
+    volumeClaimTemplate:
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        resources:
+          requests:
+            storage: 1Gi
