version 1.0.6

Should remove one step from the instructions for developing plugins.
It's a step I consistently miss in my haste to get on with the hacking
and don't notice myself skip.

Dockerfile

@@ -5,12 +5,15 @@ RUN apk add --update --no-cache \
   git \
   jq
 WORKDIR "/home/node"
-ARG WIKI_PACKAGE=wiki@0.20.0
+ARG WIKI_PACKAGE=wiki@0.21.2
 RUN su node -c "npm install -g --prefix . $WIKI_PACKAGE"
 RUN su node -c "mkdir -p .wiki"
 VOLUME "/home/node/.wiki"
 EXPOSE 3000
 USER node
 ENV PATH="${PATH}:/home/node/bin"
+# Adding this line to make local plugin development easier
+# see https://local-farm.wiki.dbbs.co/make-a-new-plugin.html
+ENV NPM_CONFIG_PREFIX="${HOME}"
 ENTRYPOINT ["dumb-init"]
 CMD ["wiki", "--farm", "--security_type=friends"]

README.md

@@ -35,24 +35,26 @@ The last non-breaking revision is 0.52.0 https://github.com/dobbs/farm/tree/0.52
 
 # Development
 
-This image's tag does not match the version of the included wiki software.
+This image's tag does not match the version of the included wiki
+software. Our version indicates the scale of changes in this tiny
+devops pipeline. For example, when we changed the `USER` directive and
+removed the wiki config generation scripts, we bumped the major
+version from 0.50.x to 1.0.x.
 
 Notes to self:
 
 ``` bash
-docker build --tag dobbs/farm:0.51.0 .
-git tag -am "" '0.51.0'
-git push --tags
+docker build --tag dobbs/farm:1.0.2 .
+git tag -am "" '1.0.2'
+git push origin '1.0.2'
 ```
 
 The repos in Dockerhub and GitHub are configured to automatically build new tags.
 
 # Publish experimental plugins
 
+Invoke Dockerhub and GitHub integration.
 ``` bash
-docker build \
-  --tag dobbs/farm:0.14.0-frame \
-  --build-arg WIKI_PACKAGE='dobbs/wiki#frame' \
-  .
-docker push dobbs/farm:0.14.0-frame
+git tag -am "" '1.0.2-pre-0217'
+git push --atomic origin master '1.0.2-pre-0217'
 ```

examples/k8s/README.md

@@ -3,11 +3,46 @@
 There are easier ways to get started with federated wiki. Here we are
 using wiki to drive some learning about kubernetes.
 
-# We're using MacOS, Docker Desktop, and kind
+# We're using MacOS, Docker Desktop, and k3d
 
     brew cask install docker
-    brew install kind
-    kind create cluster --name wiki
+    brew install k3d
+
+    mkdir -p ~/.wiki-k8s ~/workspace/fedwiki
+    k3d create \
+      --server-arg --tls-san="127.0.0.1" \
+      --publish 80:80 \
+      -v "$HOME/.wiki-k8s:/macos/.wiki-k8s" \
+      -v "$HOME/workspace/fedwiki:/macos/fedwiki" \
+      --name wiki
+
+# example ~/.wiki-k8s/config.json
+
+    {
+      "admin": "any memorable password",
+      "autoseed": true,
+      "farm": true,
+      "cookieSecret": "any random string",
+      "secure_cookie": false,
+      "security_type": "friends",
+      "wikiDomains": {
+        "simple.localtest.me": {
+          "id": "/home/node/.wiki/config.owner.json"
+        }
+      }
+    }
+
+# example ~/.wiki-k8s/config.owner.json
+
+`.friend.secret` must match the `.admin` field from `config.json`
+
+    {
+      "name": "The Owner",
+      "friend": {
+        "secret": "any memorable password"
+      }
+    }
+
 
 # Deploy Wiki
 
@@ -15,13 +50,4 @@ using wiki to drive some learning about kubernetes.
 
 # Play with the wiki
 
-    # pbcopy & open are MacOS commands
-    kubectl port-forward svc/wiki-service 3000:80 \
-      > port-forward.log \
-      2> port-forward.err &
-    # get admin password on the clipboard
-    kubectl exec svc/wiki-service -- \
-      jq -r .admin .wiki/config.json \
-      | pbcopy
-    open http://localhost:3000
-    # login with the password on the clipboard
+    open http://simple.localtest.me

examples/k8s/vault/README.md

@@ -0,0 +1,29 @@
+# HashiCorp Vault in kubernetes
+
+HashiCorp recomend installing vault via helm. Your author prefers
+plain old kubernetes configs.
+
+So we generated the yaml via helm's template command.
+
+    helm template incubator/vault \
+      --name-template=vault \
+      --replicaCount=1 \
+      --set vault.dev=false \
+      --set vault.config.storage.file.path=/macos/.wiki-k8s/vault \
+    | egrep -v 'heritage: "?Helm"?' \
+    > vault.html
+
+    kubectl apply -k .
+    kubectl port-forward svc/vault 8200:8200 &> /dev/null &
+
+    export VAULT_ADDR=http://127.0.0.1:8200
+    vault status
+    vault operator init
+    vault operator unseal
+    # paste key-fragment 1
+    vault operator unseal
+    # paste key-fragment 2
+    vault operator unseal
+    # paste key-fragment 3
+    vault login
+    # paste root token

examples/k8s/vault/deployment-volumes.yaml

@@ -0,0 +1,16 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vault
+spec:
+  template:
+    spec:
+      containers:
+      - name: vault
+        volumeMounts:
+        - name: vault-data
+          mountPath: /macos/.wiki-k8s/vault
+      volumes:
+      - name: vault-data
+        hostPath:
+          path: /macos/.wiki-k8s/vault

examples/k8s/vault/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+images:
+- name: vault
+  newName: vault
+  newTag: 1.3.1
+resources:
+- vault.yaml
+patchesStrategicMerge:
+- deployment-volumes.yaml

examples/k8s/vault/vault.yaml

@@ -0,0 +1,181 @@
+---
+# Source: vault/templates/clusterrolebinding.yaml
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: vault
+  labels:
+    app: vault
+    release: "vault"
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: vault
+  namespace: default
+---
+# Source: vault/templates/configmap.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "vault-config"
+  labels:
+    app: "vault"
+    release: "vault"
+data:
+  config.json: |
+    {"listener":{"tcp":{"address":"[::]:8200","cluster_address":"[::]:8201","tls_disable":true}},"storage":{"file":{"path":"/macos/.wiki-k8s/vault"}}}
+---
+# Source: vault/templates/deployment.yaml
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vault
+  labels:
+    app: vault
+    release: vault
+  annotations:
+    {}
+spec:
+  selector:
+    matchLabels:
+      app: vault
+      release: vault
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
+  template:
+    metadata:
+      labels:
+        app: vault
+        release: vault
+      annotations:
+        checksum/config: 6868eb00aa48ca9485c365c3523ae431e7031233a1c046817a32c61e24ea817d
+    spec:
+      containers:
+      - name: vault
+        image: "vault:1.2.3"
+        imagePullPolicy: IfNotPresent
+        command: ["vault", "server", "-config", "/vault/config/config.json"]
+        ports:
+        - containerPort: 8200
+          name: api
+        - containerPort: 8201
+          name: cluster-address
+        livenessProbe:
+          # Alive if Vault is successfully responding to requests
+          httpGet:
+            path: /v1/sys/health?standbyok=true&uninitcode=204&sealedcode=204&
+            port: 8200
+            scheme: HTTP
+          initialDelaySeconds: 30
+          periodSeconds: 10
+        readinessProbe:
+          # Ready depends on preference
+          httpGet:
+            path: /v1/sys/health?standbycode=204&uninitcode=204&
+            port: 8200
+            scheme: HTTP
+          initialDelaySeconds: 10
+          periodSeconds: 10
+        securityContext:
+          readOnlyRootFilesystem: true
+          capabilities:
+            add:
+            - IPC_LOCK
+        env:
+          - name: POD_IP
+            valueFrom:
+              fieldRef:
+                fieldPath: status.podIP
+          - name: VAULT_API_ADDR
+            value: "http://$(POD_IP):8200"
+          - name: VAULT_CLUSTER_ADDR
+            value: "https://$(POD_IP):8201"
+          - name: VAULT_LOG_LEVEL
+            value: "info"
+        resources:
+          {}
+        volumeMounts:
+        - name: vault-config
+          mountPath: /vault/config/
+        - name: vault-root
+          mountPath: /root/
+      affinity:
+        podAntiAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - podAffinityTerm:
+              labelSelector:
+                matchLabels:
+                  app: 'vault'
+                  release: 'vault'
+              topologyKey: kubernetes.io/hostname
+            weight: 100
+      serviceAccountName: vault
+      volumes:
+        - name: vault-config
+          configMap:
+            name: "vault-config"
+        - name: vault-root
+          emptyDir: {}
+---
+# Source: vault/templates/pdb.yaml
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: vault
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      app: vault
+      release: vault
+---
+# Source: vault/templates/service.yaml
+apiVersion: v1
+kind: Service
+metadata:
+  name: vault
+  labels:
+    app: vault
+    release: vault
+spec:
+  type: ClusterIP
+  ports:
+  - port: 8200
+    protocol: TCP
+    targetPort: 8200
+    name: api
+  selector:
+    app: vault
+    release: vault
+---
+# Source: vault/templates/serviceaccount.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+  labels:
+    app: vault
+    release: "vault"
+---
+# Source: vault/templates/tests/test-vault-status.yaml
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "vault-vault-status-test"
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  containers:
+  - name: vault-vault-status-test
+    image: "vault:1.2.3"
+    env:
+      - name: VAULT_ADDR
+        value: http://vault.default:8200
+    command: ["sh", "-c", "vault status"]
+  restartPolicy: Never

examples/k8s/wiki.yaml

@@ -1,74 +1,3 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: dot-wiki
-spec:
-  accessModes:
-    - ReadWriteOnce
-  volumeMode: Filesystem
-  resources:
-    requests:
-      storage: 4Gi
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: wiki-config
-data:
-  config.json: |
-    {
-      "admin": "ADMIN",
-      "farm": true,
-      "cookieSecret": "RANDOM",
-      "security_type": "friends",
-      "secure_cookie": false,
-      "wikiDomains": {
-        "local": {
-          "id": "/home/node/.wiki/local.owner.json"
-        },
-        "localhost": {
-          "id": "/home/node/.wiki/local.owner.json"
-        },
-        "localtest.me": {
-          "id": "/home/node/.wiki/local.owner.json"
-        },
-        "local.dbbs.co": {
-          "id": "/home/node/.wiki/local.owner.json"
-        }
-      }
-    }
-  local.owner.json: |
-    {
-      "name": "The Owner",
-      "friend": {
-        "secret": "ADMIN"
-      }
-    }
-  install-config: |
-    #!/bin/sh
-    randomstring() {
-        node -e 'console.log(require("crypto").randomBytes(64).toString("hex"))'
-    }
-    readonly ADMIN=$(randomstring)
-    readonly COOKIE=$(randomstring)
-
-    readonly CONFIG=/home/node/.wiki/config.json
-    readonly OWNER=/home/node/.wiki/local.owner.json
-    [ -f $CONFIG ] || {
-      jq --arg admin $ADMIN  \
-         --arg cookie $COOKIE \
-         '.admin = $admin | .cookieSecret = $cookie' \
-         /etc/config/config.json \
-         > $CONFIG
-    }
-    [ -f $OWNER ] || {
-      jq --arg admin $ADMIN  \
-         '.friend.secret = $admin' \
-         /etc/config/local.owner.json \
-         > $OWNER
-    }
-    chown -R 1000:1000 /home/node/.wiki
----
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -87,35 +16,24 @@ spec:
         runAsUser: 1000
         runAsGroup: 1000
         fsGroup: 1000
-      initContainers:
-      - name: wiki-config
-        image: dobbs/farm:1.0.0
-        securityContext:
-          runAsUser: 0
-          runAsGroup: 0
-          allowPrivilegeEscalation: false
-        volumeMounts:
-          - name: dot-wiki
-            mountPath: /home/node/.wiki
-          - name: config-templates
-            mountPath: /etc/config
-        command: ["sh", "/etc/config/install-config"]
       containers:
       - name: farm
-        image: dobbs/farm:1.0.0
-        command: ["wiki", "--config", "/home/node/.wiki/config.json"]
+        image: dobbs/farm:1.0.6
+        command: ["wiki"]
         ports:
         - containerPort: 3000
         volumeMounts:
           - name: dot-wiki
             mountPath: /home/node/.wiki
+          - name: fedwiki
+            mountPath: /home/node/fedwiki
       volumes:
       - name: dot-wiki
-        persistentVolumeClaim:
-          claimName: dot-wiki
-      - name: config-templates
-        configMap:
-          name: wiki-config
+        hostPath:
+          path: /macos/.wiki-k8s
+      - name: fedwiki
+        hostPath:
+          path: /macos/fedwiki
 ---
 apiVersion: v1
 kind: Service
@@ -128,3 +46,26 @@ spec:
     port: 80
   selector:
     app: wiki
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: simple-wiki
+  annotations:
+    kubernetes.io/ingress.class: traefik
+spec:
+  rules:
+  - host: simple.localtest.me
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: wiki-service
+          servicePort: http
+  - host: "*.simple.localtest.me"
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: wiki-service
+          servicePort: http