
K8s setup for reNgine #1457

Open: wants to merge 10 commits into master

Conversation

0xtejas (Contributor) commented Oct 21, 2024

This pull request introduces several Kubernetes configurations for deploying various services, including Celery, Nginx, PostgreSQL, Redis, and a web application. The changes include deployment configurations, persistent volume claims, services, and secrets.

Deployment Configurations:

  • k8s/celery-beat/deployment.yml: Added deployment configuration for celery-beat with environment variables and volume mounts.
  • k8s/celery/deployment.yml: Added deployment configuration for celery with environment variables, resource requests, and volume mounts.
  • k8s/nginx/deployment.yml: Added deployment configuration for nginx with volume mounts for configuration, certificates, and static files.
  • k8s/ollama/deployment.yml: Added deployment configuration for ollama with volume mounts.
  • k8s/web/deployment.yml: Added deployment configuration for web with environment variables, ports, and init containers for database migration and static file collection.

Persistent Volume Claims:

  • k8s/celery-beat/pvc.yml: Added persistent volume claims for celery-beat including github-repos-pvc, wordlist-pvc, scan-results-pvc, gf-patterns-pvc, nuclei-templates-pvc, and tool-config-pvc.
  • k8s/pvc.yml: Added persistent volume claims for shared storage and static files with nfs-rwx-storage.
  • k8s/ollama/pvc.yml: Added persistent volume claim for ollama data storage.

Services:

Secrets:

ConfigMaps:

StatefulSets:

These changes collectively set up the necessary infrastructure for deploying and managing the services in a Kubernetes environment.

…a, and Nginx

This commit adds the Kubernetes service configurations for Redis, Postgres, Web, Ollama, and Nginx. These services are essential for the application's functionality and communication within the Kubernetes cluster. Each service is defined with its respective port and targetPort, and is associated with the corresponding app label. The services are created with the necessary metadata and specifications to ensure proper networking and connectivity.

The added service configurations include:
- Redis service: Exposes port 6379 for Redis communication.
- Postgres service: Exposes port 5432 for Postgres communication.
- Web service: Exposes port 8000 for the web application.
- Ollama service: Exposes port 11434 for the Ollama application.
- Nginx service: Exposes ports 80 and 443 for HTTP and HTTPS traffic.

These service configurations are crucial for enabling communication between different components of the application and facilitating external access to the services when needed.
Contributor commented:

Woohoo @0xtejas! 🎉 You've just dropped some hot new code! 🔥

Hang tight while we review this! You rock! 🤘

0xtejas (Contributor, Author) commented Oct 21, 2024

I need additional hands on this to improvise a few more things:

  • Add Ingress
  • Support SSL from LetsEncrypt or Cert Manager services provided by Cloud
  • Current setup works for Digital Ocean. Native block storage provided by the PVCs doesn't support ReadWriteMany. Will have to test if the current configuration works on other cloud providers that use OpenEBS NFS Provisioner. I had to install OpenEBS NFS Provisioner on the Digital Ocean's k8s marketplace.
  • Fix the issue when routing with a domain name, I assume this will be resolved by solving the first two issues. Currently, I can view reNgine using https://IP, not the domain name.
  • Additionally, make some changes such that the DB works in master-slave or another concept to make use of the replicas that can be created using stateful sets.
  • Support user account creation upon web pod deployment.

0xtejas (Contributor, Author) commented Oct 21, 2024

The boot order for the services is: postgres, redis, web, celery and celery-beat.

0xtejas (Contributor, Author) commented Oct 21, 2024

@yogeshojha you'll also have to release packages (docker images) for celery and celery-beat. In the current setup, it is using the ones that I built and pushed to GHCR.

yogeshojha (Owner) commented:

@0xtejas I am reviewing this, is this ready?

0xtejas (Contributor, Author) commented Oct 28, 2024

No @yogeshojha I need some more help on the other points that I have listed out above. I'll try accomplishing if possible and update the checkboxes.

0xtejas (Contributor, Author) commented Oct 28, 2024

There seems to be an issue with the current PR, the celery pod gets evicted after an hour or so. Also, the current resource requests and limits will get the pod killed with OOM. If we remove it, the issue should be resolved. However, the former issue is not yet addressed.

…with fallback with custom certs

- Changed the service type from LoadBalancer to ClusterIP in the nginx service configuration.
- Updated the containerPort in the nginx deployment configuration from 8082 to 80.
- Added new files for cert-manager configuration: certificate.yaml and cluster-issuer.yml.
- Created an ingress configuration for nginx with SSL redirection and rewrite rules.
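As an added illustration of the cert-manager plus ingress setup this commit describes (these are not the PR's own certificate.yaml, cluster-issuer.yml or ingress files, whose contents are not shown on this page), the two manifests below wire a Let's Encrypt ClusterIssuer to an NGINX ingress that terminates TLS and forces HTTP to HTTPS, which is what resolves the "reachable by https://IP but not by domain name" item listed earlier. The backend port 80 follows the commit's change to the nginx Service; the Service name `nginx`, the namespace `rengine`, the hostname `rengine.example.com`, the contact e-mail and the ingress class name `nginx` are assumptions.

```yaml
# Added example, not the PR's own manifests.
# Assumptions: ingress-nginx is installed with ingressClassName "nginx",
# cert-manager is installed, and the reNgine nginx Service is named "nginx"
# in namespace "rengine" and listens on port 80 (ClusterIP, per the commit).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com              # placeholder: receives ACME/expiry notices
    privateKeySecretRef:
      name: letsencrypt-prod-account-key  # ACME account key; created by cert-manager
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx       # older cert-manager releases use "class: nginx"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rengine
  namespace: rengine
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod        # ingress-shim creates the Certificate
    nginx.ingress.kubernetes.io/ssl-redirect: "true"        # 308 plain HTTP to HTTPS
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"  # also when TLS is offloaded upstream
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - rengine.example.com
      secretName: rengine-tls    # issued certificate and private key land in this Secret
  rules:
    - host: rengine.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx
                port:
                  number: 80
```

With the `cert-manager.io/cluster-issuer` annotation present, cert-manager's ingress-shim generates the `Certificate` object itself, so a separate certificate.yaml is only needed when the issued certificate should differ from what the ingress `tls` block implies. `kubectl describe certificate -n rengine rengine-tls` shows whether the HTTP-01 challenge succeeded; the challenge requires port 80 on the ingress to be reachable from the internet for the hostname. Note that the private key ends up in the `rengine-tls` Secret, so RBAC read access to Secrets in that namespace should be limited to the ingress controller and cert-manager.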
@0xtejas 0xtejas closed this Oct 29, 2024
Contributor commented:

Hey, thanks for your contribution! 🙏

We appreciate the time and effort you put into this PR. Sadly this is not the right fit for reNgine at the moment.

While we couldn't merge it this time, we value your interest in improving reNgine.

Feel free to reach out if you have any questions. Thanks again!

@0xtejas 0xtejas reopened this Oct 29, 2024
0xtejas (Contributor, Author) commented Oct 29, 2024

Sorry, I closed the PR by mistake. I have a few more changes left and an investigation to conduct into why the celery pod gets evicted once it reaches the end.

0xtejas (Contributor, Author) commented Oct 29, 2024

Almost everything is done. I still cannot figure out why the celery pod gets OOMKilled. I'd appreciate it if you could check. Overall, it works. I did not implement a replication method for DBs. This means if a user has more than 1 replica, they'll have to figure out how to set up data replication. We can revisit this advanced stuff in later issues/PRs.

@0xtejas 0xtejas changed the title [DEV] WIP K8s setup for reNgine K8s setup for reNgine Oct 29, 2024
0xtejas (Contributor, Author) commented Oct 30, 2024

I've confirmed that the celery pod used to get killed because of insufficient resources on the node. We will have to figure out proper resource requests and limits for it to work in the 2-node, 4 GB / 2 vCPU environment. I confirmed that it is working without eviction/termination on memory-optimized nodes (m-4vcpu-32gb x 2).
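Two items in this thread, the ReadWriteMany storage problem on block-storage providers and the celery pod being evicted or OOMKilled, are both settled in the manifests. The following is an added example, not the PR's k8s/celery/deployment.yml or k8s/pvc.yml: a PVC on an NFS-backed ReadWriteMany storage class, mounted by a celery Deployment that sets explicit requests and limits. The storage class `nfs-rwx-storage` and the claim name `scan-results-pvc` are names the PR description mentions; the namespace, the `rengine-env` Secret, the image reference, the mount path and the resource numbers are placeholders (the thread shows 4 GB / 2 vCPU nodes were not enough, but gives no sized values).

```yaml
# Added example, not the PR's own manifests.
# Assumptions: namespace "rengine", a Secret "rengine-env" carrying the .env
# values, and an NFS-backed StorageClass "nfs-rwx-storage" (e.g. from the
# OpenEBS NFS provisioner) so several pods can mount the same volume.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: scan-results-pvc
  namespace: rengine
spec:
  accessModes:
    - ReadWriteMany                 # cloud block volumes only offer ReadWriteOnce
  storageClassName: nfs-rwx-storage
  resources:
    requests:
      storage: 20Gi                 # placeholder size
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: celery
  namespace: rengine
spec:
  replicas: 1
  selector:
    matchLabels:
      app: celery
  template:
    metadata:
      labels:
        app: celery
    spec:
      containers:
        - name: celery
          image: ghcr.io/ORG/rengine-celery:TAG   # placeholder image reference
          envFrom:
            - secretRef:
                name: rengine-env
          resources:
            # requests == limits gives the pod Guaranteed QoS, so under node
            # memory pressure the kubelet evicts BestEffort/Burstable pods first.
            # Values are placeholders: size them from observed usage, and keep
            # the sum of requests below the node's allocatable memory.
            requests:
              cpu: "1"
              memory: 3Gi
            limits:
              cpu: "1"
              memory: 3Gi
          volumeMounts:
            - name: scan-results
              mountPath: /usr/src/scan_results   # placeholder; use the image's real path
      volumes:
        - name: scan-results
          persistentVolumeClaim:
            claimName: scan-results-pvc
```

The check that separates the two failure modes discussed above: a container killed by its own limit shows `Last State: Terminated` with `Reason: OOMKilled` in `kubectl describe pod`, while a node-pressure eviction shows the pod with `Status: Failed` and `Reason: Evicted` plus a `MemoryPressure` event on the node. The first means the limit is too low for the workload; the second means the node is too small for the sum of requests, which matches the observation that the same pod ran fine on the 32 GB nodes.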

0xtejas (Contributor, Author) commented Nov 6, 2024

@yogeshojha, can you please take a look when you get time? I've added all the manifests required. Some say the correct way to distribute K8s is using a Helm chart, but I'm not very familiar with doing it.

ajutamangdev commented:

Hi @0xtejas, yes, you are right: the correct way to distribute in the K8s environment for the public one is via the Helm chart. Helm is the current industry standard and would have the most community support, making it hard to refuse. Let me know any thoughts on this, @yogeshojha.

0xtejas (Contributor, Author) commented Nov 23, 2024

You are right, @ajutamangdev. I did further research following my last comment. This is the case. However, I'm not familiar with the Helm Chart. Until then, this could be a stepping stone towards K8s deployments.
