From 34b48308ff1f9402f2a541d7051d4029084ea1ff Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lauri=20V=C3=B5sandi?= Date: Sun, 18 Dec 2022 16:28:45 +0200 Subject: [PATCH] camtiler: Split up manifests --- camtiler/README.md | 17 +- camtiler/application.yml | 450 +--------------------------------- camtiler/camera-tiler.yml | 97 ++++++++ camtiler/ingress.yml | 40 +++ camtiler/logmower.yml | 137 +++++++++++ camtiler/minio.yml | 199 +++++++++++++++ camtiler/mongodb.yml | 107 ++++++++ camtiler/network-policies.yml | 192 +++++++++++++++ camtiler/persistence.yml | 294 ---------------------- 9 files changed, 797 insertions(+), 736 deletions(-) create mode 100644 camtiler/camera-tiler.yml create mode 100644 camtiler/ingress.yml create mode 100644 camtiler/logmower.yml create mode 100644 camtiler/minio.yml create mode 100644 camtiler/mongodb.yml create mode 100644 camtiler/network-policies.yml delete mode 100644 camtiler/persistence.yml diff --git a/camtiler/README.md b/camtiler/README.md index d99c6ed..56b677e 100644 --- a/camtiler/README.md +++ b/camtiler/README.md @@ -1,7 +1,16 @@ To apply changes: ``` -kubectl apply -n camtiler -f application.yml -f persistence.yml -f mongoexpress.yml -f mongodb-support.yml -f networkpolicy-base.yml +kubectl apply -n camtiler \ + -f application.yml \ + -f persistence.yml \ + -f mongoexpress.yml \ + -f mongodb-support.yml \ + -f camera-tiler.yml \ + -f logmower.yml \ + -f ingress.yml \ + -f network-policies.yml \ + -f networkpolicy-base.yml ``` To deploy changes: @@ -22,3 +31,9 @@ kubectl -n camtiler create secret generic camera-secrets \ --from-literal=username=... \ --from-literal=password=... ``` + +To restart all deployments: + +``` +for j in $(kubectl get deployments -n camtiler -o name); do kubectl rollout restart -n camtiler $j; done +``` diff --git a/camtiler/application.yml b/camtiler/application.yml index de296e7..7605fb8 100644 --- a/camtiler/application.yml +++ b/camtiler/application.yml 
@@ -1,432 +1,4 @@ --- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: camera-tiler - annotations: - keel.sh/policy: force - keel.sh/trigger: poll -spec: - revisionHistoryLimit: 0 - replicas: 2 - selector: - matchLabels: &selectorLabels - app.kubernetes.io/name: camtiler - component: camera-tiler - template: - metadata: - labels: *selectorLabels - spec: - serviceAccountName: camera-tiler - containers: - - name: camera-tiler - image: harbor.k-space.ee/k-space/camera-tiler:latest - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - ports: - - containerPort: 5001 - name: "http" - resources: - requests: - memory: "200Mi" - cpu: "100m" - limits: - memory: "500Mi" - cpu: "1" ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: logmower-frontend -spec: - revisionHistoryLimit: 0 - replicas: 2 - selector: - matchLabels: &selectorLabels - app.kubernetes.io/name: camtiler - component: logmower-frontend - template: - metadata: - labels: *selectorLabels - spec: - containers: - - name: logmower-frontend - image: harbor.k-space.ee/k-space/logmower-frontend - ports: - - containerPort: 8080 - name: http ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: logmower-eventsource -spec: - revisionHistoryLimit: 0 - replicas: 2 - selector: - matchLabels: &selectorLabels - app.kubernetes.io/name: camtiler - component: logmower-eventsource - template: - metadata: - labels: *selectorLabels - spec: - containers: - - name: logmower-eventsource - image: harbor.k-space.ee/k-space/logmower-eventsource - ports: - - containerPort: 3002 - name: nodejs - env: - - name: MONGO_COLLECTION - value: eventlog - - name: MONGODB_HOST - valueFrom: - secretKeyRef: - name: mongodb-application-readonly - key: connectionString.standard - - name: BACKEND - value: 'camtiler' - - name: BACKEND_BROKER_URL - value: 'http://logmower-event-broker' ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: logmower-event-broker -spec: - 
revisionHistoryLimit: 0 - replicas: 5 - selector: - matchLabels: &selectorLabels - app.kubernetes.io/name: camtiler - component: logmower-event-broker - template: - metadata: - labels: *selectorLabels - spec: - containers: - - name: logmower-event-broker - image: harbor.k-space.ee/k-space/camera-event-broker - ports: - - containerPort: 3000 - env: - - name: AWS_SECRET_ACCESS_KEY - valueFrom: - secretKeyRef: - name: minio-secrets - key: MINIO_ROOT_PASSWORD - - name: AWS_ACCESS_KEY_ID - valueFrom: - secretKeyRef: - name: minio-secrets - key: MINIO_ROOT_USER - - name: MINIO_BUCKET - value: 'application' - - name: MINIO_HOSTNAME - value: 'cams-s3.k-space.ee' - - name: MINIO_PORT - value: '443' - - name: MINIO_SCHEMA - value: 'https' ---- -apiVersion: v1 -kind: Service -metadata: - name: logmower-frontend -spec: - type: ClusterIP - selector: - app.kubernetes.io/name: camtiler - component: logmower-frontend - ports: - - protocol: TCP - port: 8080 ---- -apiVersion: v1 -kind: Service -metadata: - name: logmower-eventsource -spec: - type: ClusterIP - selector: - app.kubernetes.io/name: camtiler - component: logmower-eventsource - ports: - - protocol: TCP - port: 3002 ---- -apiVersion: v1 -kind: Service -metadata: - name: logmower-event-broker -spec: - type: ClusterIP - selector: - app.kubernetes.io/name: camtiler - component: logmower-event-broker - ports: - - protocol: TCP - port: 80 - targetPort: 3000 ---- -apiVersion: v1 -kind: Service -metadata: - name: camera-tiler - labels: - app.kubernetes.io/name: camtiler - component: camera-tiler -spec: - type: ClusterIP - selector: - app.kubernetes.io/name: camtiler - component: camera-tiler - ports: - - protocol: TCP - port: 5001 ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: camera-tiler ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: camera-tiler -rules: - - apiGroups: - - "" - resources: - - services - verbs: - - list ---- -kind: RoleBinding -apiVersion: 
rbac.authorization.k8s.io/v1 -metadata: - name: camera-tiler -subjects: - - kind: ServiceAccount - name: camera-tiler - apiGroup: "" -roleRef: - kind: Role - name: camera-tiler - apiGroup: "" ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: camtiler - annotations: - kubernetes.io/ingress.class: traefik - - # This tells Traefik this Ingress object is associated with the - # https:// entrypoint - # Global http:// to https:// redirect is enabled in - # ../traefik/values.yml using `globalArguments` - traefik.ingress.kubernetes.io/router.entrypoints: websecure - - # Following enables Authelia intercepting middleware - # which makes sure user is authenticated and then - # proceeds to inject Remote-User header for the application - traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd - - traefik.ingress.kubernetes.io/router.tls: "true" - - # Following tells external-dns to add CNAME entry which makes - # cams.k-space.ee point to same IP address as traefik.k-space.ee - # The A record for traefik.k-space.ee is created via annotation - # added in ../traefik/ingress.yml - external-dns.alpha.kubernetes.io/target: traefik.k-space.ee -spec: - rules: - - host: cams.k-space.ee - http: - paths: - - pathType: Prefix - path: "/tiled" - backend: - service: - name: camera-tiler - port: - number: 5001 - - pathType: Prefix - path: "/events" - backend: - service: - name: logmower-eventsource - port: - number: 3002 - - pathType: Prefix - path: "/" - backend: - service: - name: logmower-frontend - port: - number: 8080 - tls: - - hosts: - - "*.k-space.ee" ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: camera-motion-detect -spec: - podSelector: - matchLabels: - component: camera-motion-detect - policyTypes: - - Ingress - - Egress - ingress: - - from: - - podSelector: - matchLabels: - app.kubernetes.io/name: camtiler - component: camera-tiler - - from: - - namespaceSelector: - matchLabels: - 
kubernetes.io/metadata.name: prometheus-operator - podSelector: - matchLabels: - app.kubernetes.io/name: prometheus - egress: - - to: - - ipBlock: - # Permit access to cameras outside the cluster - cidr: 100.102.0.0/16 - - to: - - podSelector: - matchLabels: - app: mongodb-svc - ports: - - port: 27017 - - to: - - podSelector: - matchLabels: - app.kubernetes.io/name: minio - ports: - - port: 9000 ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: camera-tiler -spec: - podSelector: - matchLabels: - app.kubernetes.io/name: camtiler - component: camera-tiler - policyTypes: - - Ingress - - Egress - egress: - - to: - - podSelector: - matchLabels: - component: camera-motion-detect - ports: - - port: 5000 - ingress: - - from: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: prometheus-operator - podSelector: - matchLabels: - app.kubernetes.io/name: prometheus - - from: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: traefik - podSelector: - matchLabels: - app.kubernetes.io/name: traefik ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: logmower-eventsource -spec: - podSelector: - matchLabels: - app.kubernetes.io/name: camtiler - component: logmower-eventsource - policyTypes: - - Ingress - - Egress - egress: - - to: - - podSelector: - matchLabels: - app: mongodb-svc - - podSelector: - matchLabels: - component: logmower-event-broker - ingress: - - from: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: traefik - podSelector: - matchLabels: - app.kubernetes.io/name: traefik ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: logmower-event-broker -spec: - podSelector: - matchLabels: - app.kubernetes.io/name: camtiler - component: logmower-event-broker - policyTypes: - - Ingress - - Egress - egress: - - to: - # Minio access via Traefik's public endpoint - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: traefik - 
podSelector: - matchLabels: - app.kubernetes.io/name: traefik - ingress: - - from: - - podSelector: - matchLabels: - component: logmower-eventsource ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: logmower-frontend -spec: - podSelector: - matchLabels: - app.kubernetes.io/name: camtiler - component: logmower-frontend - policyTypes: - - Ingress - - Egress - ingress: - - from: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: traefik - podSelector: - matchLabels: - app.kubernetes.io/name: traefik ---- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: @@ -538,6 +110,7 @@ spec: keel.sh/policy: force keel.sh/trigger: poll spec: + revisionHistoryLimit: 0 replicas: 1 # Make sure we do not congest the network during rollout @@ -581,7 +154,7 @@ spec: cpu: "200m" limits: memory: "256Mi" - cpu: "1" + cpu: "4000m" securityContext: readOnlyRootFilesystem: true runAsNonRoot: true @@ -640,18 +213,6 @@ spec: component: camera-motion-detect --- apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: camtiler -spec: - selector: {} - podMetricsEndpoints: - - port: http - podTargetLabels: - - app.kubernetes.io/name - - component ---- -apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: name: cameras @@ -689,6 +250,13 @@ spec: annotations: summary: Motion detection processing pipeline is not keeping up with incoming frames + - alert: CameraResourcesThrottled + expr: sum by (pod) (rate(container_cpu_cfs_throttled_periods_total{namespace="camtiler"}[1m])) > 0 + for: 5m + labels: + severity: warning + annotations: + summary: CPU limits are bottleneck --- apiVersion: k-space.ee/v1alpha1 kind: Camera diff --git a/camtiler/camera-tiler.yml b/camtiler/camera-tiler.yml new file mode 100644 index 0000000..7f6d275 --- /dev/null +++ b/camtiler/camera-tiler.yml 
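Review bot: The new `CameraResourcesThrottled` rule in the `@@ -689,6 +250,13 @@` hunk fires on any non-zero throttling (`rate(container_cpu_cfs_throttled_periods_total{namespace="camtiler"}[1m]) > 0` held for 5m), which with CPU limits set on every pod in this namespace will be true under ordinary load and makes the alert noisy rather than actionable. The conventional form compares throttled periods with all periods and alerts on a fraction, e.g. `expr: sum by (pod) (rate(container_cpu_cfs_throttled_periods_total{namespace="camtiler"}[5m])) / sum by (pod) (rate(container_cpu_cfs_periods_total{namespace="camtiler"}[5m])) > 0.25`, and the summary should name the pod, e.g. `summary: CPU limits are a bottleneck for {{ $labels.pod }}`. The `@@ -1,432 +1,4 @@` hunk and the PodMonitor removal in `@@ -640,18 +213,6 @@` are pure moves into the new files; the `cpu: "1"` to `cpu: "4000m"` change in `@@ -581,7 +154,7 @@` is the same quantity written differently, which is fine for consistency with the other files but worth a word in the commit message so nobody reads it as a limit increase. The enclosing Deployment and PrometheusRule documents extend beyond these hunks.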
@@ -0,0 +1,97 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: camera-tiler + annotations: + keel.sh/policy: force + keel.sh/trigger: poll +spec: + revisionHistoryLimit: 0 + replicas: 2 + selector: + matchLabels: &selectorLabels + app.kubernetes.io/name: camtiler + component: camera-tiler + template: + metadata: + labels: *selectorLabels + spec: + serviceAccountName: camera-tiler + containers: + - name: camera-tiler + image: harbor.k-space.ee/k-space/camera-tiler:latest + securityContext: + readOnlyRootFilesystem: true + runAsNonRoot: true + runAsUser: 1000 + ports: + - containerPort: 5001 + name: "http" + resources: + requests: + memory: "200Mi" + cpu: "100m" + limits: + memory: "500Mi" + cpu: "4000m" +--- +apiVersion: v1 +kind: Service +metadata: + name: camera-tiler + labels: + app.kubernetes.io/name: camtiler + component: camera-tiler +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: camtiler + component: camera-tiler + ports: + - protocol: TCP + port: 5001 +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: camera-tiler +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: camera-tiler +rules: + - apiGroups: + - "" + resources: + - services + verbs: + - list +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: camera-tiler +subjects: + - kind: ServiceAccount + name: camera-tiler + apiGroup: "" +roleRef: + kind: Role + name: camera-tiler + apiGroup: "" +--- +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: camtiler +spec: + selector: + matchLabels: + app.kubernetes.io/name: camtiler + podMetricsEndpoints: + - port: http + podTargetLabels: + - app.kubernetes.io/name + - component diff --git a/camtiler/ingress.yml b/camtiler/ingress.yml new file mode 100644 index 0000000..573e547 --- /dev/null +++ b/camtiler/ingress.yml 
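Review bot: The `camera-tiler` Deployment pulls `harbor.k-space.ee/k-space/camera-tiler:latest` and carries `keel.sh/policy: force` with `keel.sh/trigger: poll`, so, as far as I understand keel, whatever image is pushed under that mutable tag is rolled out without any review step; this commit already pins MinIO to `minio/minio:RELEASE.2022-12-12T19-27-27Z`, and the same should be done here with an immutable tag or digest. The container `securityContext` sets `readOnlyRootFilesystem`, `runAsNonRoot` and `runAsUser` but not `allowPrivilegeEscalation: false` or `capabilities: {drop: [ALL]}`, which are the two remaining fields needed for a restricted profile and cost nothing for an HTTP tiler. The PodMonitor now selecting `app.kubernetes.io/name: camtiler` instead of `selector: {}` is a good tightening; note that only pods exposing a port named `http` (camera-tiler, logmower-frontend) will be scraped, which seems intended but is worth a comment on the PodMonitor, e.g. `# Scrapes every camtiler pod that exposes a port named "http"`.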
@@ -0,0 +1,40 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: camtiler + annotations: + kubernetes.io/ingress.class: traefik + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns.alpha.kubernetes.io/target: traefik.k-space.ee +spec: + rules: + - host: cams.k-space.ee + http: + paths: + - pathType: Prefix + path: "/tiled" + backend: + service: + name: camera-tiler + port: + number: 5001 + - pathType: Prefix + path: "/events" + backend: + service: + name: logmower-eventsource + port: + number: 3002 + - pathType: Prefix + path: "/" + backend: + service: + name: logmower-frontend + port: + number: 8080 + tls: + - hosts: + - "*.k-space.ee" diff --git a/camtiler/logmower.yml b/camtiler/logmower.yml new file mode 100644 index 0000000..e21a146 --- /dev/null +++ b/camtiler/logmower.yml 
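Review bot: The explanatory comments that sat on the Ingress annotations in the old application.yml were dropped in the move, and the one on `traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd` matters most: it is the line that puts cams.k-space.ee behind Authelia and injects the Remote-User header, and without the comment a future edit can remove it without realizing it removes authentication for `/`, `/events` and `/tiled`. Restore the four removed comment blocks above the respective annotations (the websecure entrypoint and where the global http-to-https redirect lives, the SSO middleware's purpose, and the external-dns target pointing at traefik.k-space.ee and where that A record is created). Separately, `kubernetes.io/ingress.class: traefik` is the deprecated annotation form; if the Traefik version in this cluster supports it, `spec.ingressClassName: traefik` is the current equivalent, but that is a style point and can be a follow-up.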
@@ -0,0 +1,137 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: logmower-eventsource +spec: + revisionHistoryLimit: 0 + replicas: 2 + selector: + matchLabels: &selectorLabels + app.kubernetes.io/name: camtiler + component: logmower-eventsource + template: + metadata: + labels: *selectorLabels + spec: + containers: + - name: logmower-eventsource + image: harbor.k-space.ee/k-space/logmower-eventsource + ports: + - containerPort: 3002 + name: nodejs + env: + - name: MONGO_COLLECTION + value: eventlog + - name: MONGODB_HOST + valueFrom: + secretKeyRef: + name: mongodb-application-readonly + key: connectionString.standard + - name: BACKEND + value: 'camtiler' + - name: BACKEND_BROKER_URL + value: 'http://logmower-event-broker' +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: logmower-event-broker +spec: + revisionHistoryLimit: 0 + replicas: 5 + selector: + matchLabels: &selectorLabels + app.kubernetes.io/name: camtiler + component: logmower-event-broker + template: + metadata: + labels: *selectorLabels + spec: + containers: + - name: logmower-event-broker + image: harbor.k-space.ee/k-space/camera-event-broker + ports: + - containerPort: 3000 + env: + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: minio-secrets + key: MINIO_ROOT_PASSWORD + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: minio-secrets + key: MINIO_ROOT_USER + - name: MINIO_BUCKET + value: 'application' + - name: MINIO_HOSTNAME + value: 'cams-s3.k-space.ee' + - name: MINIO_PORT + value: '443' + - name: MINIO_SCHEMA + value: 'https' +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: logmower-frontend +spec: + revisionHistoryLimit: 0 + replicas: 2 + selector: + matchLabels: &selectorLabels + app.kubernetes.io/name: camtiler + component: logmower-frontend + template: + metadata: + labels: *selectorLabels + spec: + containers: + - name: logmower-frontend + image: harbor.k-space.ee/k-space/logmower-frontend + ports: + - containerPort: 
8080 + name: http + +--- +apiVersion: v1 +kind: Service +metadata: + name: logmower-frontend +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: camtiler + component: logmower-frontend + ports: + - protocol: TCP + port: 8080 +--- +apiVersion: v1 +kind: Service +metadata: + name: logmower-eventsource +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: camtiler + component: logmower-eventsource + ports: + - protocol: TCP + port: 3002 +--- +apiVersion: v1 +kind: Service +metadata: + name: logmower-event-broker +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: camtiler + component: logmower-event-broker + ports: + - protocol: TCP + port: 80 + targetPort: 3000 diff --git a/camtiler/minio.yml b/camtiler/minio.yml new file mode 100644 index 0000000..fdaa647 --- /dev/null +++ b/camtiler/minio.yml 
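Review bot: The `logmower-event-broker` Deployment hands MinIO's root credentials to an application pod: `AWS_SECRET_ACCESS_KEY` and `AWS_ACCESS_KEY_ID` come from `minio-secrets` keys `MINIO_ROOT_PASSWORD` and `MINIO_ROOT_USER`, so all five broker replicas hold full-admin access to the object store even though the broker only needs the `application` bucket. Create a dedicated MinIO user with a policy scoped to that bucket and a separate Secret for it, and reference that Secret here. None of the three Deployments in this file set a container `securityContext`, unlike `camera-tiler` in camera-tiler.yml, and all three images (`logmower-eventsource`, `camera-event-broker`, `logmower-frontend`) are referenced without a tag, which resolves to `latest`; both should be brought in line with camera-tiler.yml. Minor style point: there is a stray blank line between the `logmower-frontend` Deployment and the following `---`.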
@@ -0,0 +1,199 @@ +--- +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: minio + labels: + app.kubernetes.io/name: minio +spec: + selector: + matchLabels: + app.kubernetes.io/name: minio + serviceName: minio-svc + replicas: 4 + podManagementPolicy: Parallel + template: + metadata: + labels: + app.kubernetes.io/name: minio + spec: + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - minio + topologyKey: kubernetes.io/hostname + nodeSelector: + dedicated: storage + tolerations: + - key: dedicated + operator: Equal + value: storage + effect: NoSchedule + containers: + - name: minio + env: + - name: MINIO_PROMETHEUS_AUTH_TYPE + value: public + envFrom: + - secretRef: + name: minio-secrets + image: minio/minio:RELEASE.2022-12-12T19-27-27Z + args: + - server + - http://minio-{0...3}.minio-svc.camtiler.svc.cluster.local/data + - --address + - 0.0.0.0:9000 + - --console-address + - 0.0.0.0:9001 + ports: + - containerPort: 9000 + name: http + - containerPort: 9001 + name: console + readinessProbe: + httpGet: + path: /minio/health/ready + port: 9000 + initialDelaySeconds: 2 + periodSeconds: 5 + resources: + requests: + cpu: 300m + memory: 1Gi + limits: + cpu: 4000m + memory: 2Gi + volumeMounts: + - name: minio-data + mountPath: /data + volumeClaimTemplates: + - metadata: + name: minio-data + spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: '30Gi' + storageClassName: minio +--- +apiVersion: v1 +kind: Service +metadata: + name: minio +spec: + sessionAffinity: ClientIP + type: ClusterIP + ports: + - port: 80 + targetPort: 9000 + protocol: TCP + name: http + selector: + app.kubernetes.io/name: minio +--- +kind: Service +apiVersion: v1 +metadata: + name: minio-svc +spec: + selector: + app.kubernetes.io/name: minio + clusterIP: None + publishNotReadyAddresses: true + ports: + - name: http + port: 9000 + - name: console + port: 9001 +--- 
+apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: minio +spec: + selector: + matchLabels: + app.kubernetes.io/name: minio + podMetricsEndpoints: + - port: http + path: /minio/v2/metrics/node + podTargetLabels: + - app.kubernetes.io/name +--- +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: minio +spec: + endpoints: + - bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token + honorLabels: true + port: minio + path: /minio/v2/metrics/cluster + selector: + matchLabels: + app.kubernetes.io/name: minio +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: minio + annotations: + kubernetes.io/ingress.class: traefik + traefik.ingress.kubernetes.io/router.entrypoints: websecure + traefik.ingress.kubernetes.io/router.tls: "true" + external-dns.alpha.kubernetes.io/target: traefik.k-space.ee +spec: + rules: + - host: cams-s3.k-space.ee + http: + paths: + - pathType: Prefix + path: "/" + backend: + service: + name: minio-svc + port: + name: http + tls: + - hosts: + - "*.k-space.ee" +--- +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: minio +spec: + groups: + - name: minio + rules: + - alert: MinioClusterDiskOffline + expr: minio_cluster_disk_offline_total > 0 + for: 0m + labels: + severity: critical + annotations: + summary: Minio cluster disk offline (instance {{ $labels.instance }}) + description: "Minio cluster disk is offline" + - alert: MinioNodeDiskOffline + expr: minio_cluster_nodes_offline_total > 0 + for: 0m + labels: + severity: critical + annotations: + summary: Minio node disk offline (instance {{ $labels.instance }}) + description: "Minio cluster node disk is offline" + - alert: MinioDiskSpaceUsage + expr: disk_storage_available / disk_storage_total * 100 < 10 + for: 0m + labels: + severity: warning + annotations: + summary: Minio disk space usage (instance {{ $labels.instance }}) + description: "Minio available free space is low (< 10%)" 
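Review bot: The new `ServiceMonitor` `minio` will not scrape anything as written: its `selector.matchLabels` is `app.kubernetes.io/name: minio`, but neither the `minio` nor the `minio-svc` Service in this file carries any labels (only the StatefulSet and its pod template do), and as far as I recall prometheus-operator matches ServiceMonitor selectors against Service labels; in addition `port: minio` names a Service port that does not exist, the ports are `http` and `console`. Add `labels: {app.kubernetes.io/name: minio}` under `minio-svc`'s metadata and change the endpoint to `port: http`. With `MINIO_PROMETHEUS_AUTH_TYPE: public` set on the container, `bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token` is unnecessary and sends Prometheus's own ServiceAccount token to the MinIO endpoint on every scrape, so drop it unless the auth type is changed. The StatefulSet's `podAntiAffinity` matches on `key: app` with value `minio`, but the pod template only sets `app.kubernetes.io/name: minio`, so the anti-affinity matches no pods and the four replicas may land on one storage node; use `key: app.kubernetes.io/name`. The image pin to `RELEASE.2022-12-12T19-27-27Z` replacing `latest` is a welcome change.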
diff --git a/camtiler/mongodb.yml b/camtiler/mongodb.yml new file mode 100644 index 0000000..73959f2 --- /dev/null +++ b/camtiler/mongodb.yml 
@@ -0,0 +1,107 @@ +--- +apiVersion: mongodbcommunity.mongodb.com/v1 +kind: MongoDBCommunity +metadata: + name: mongodb +spec: + additionalMongodConfig: + systemLog: + quiet: true + members: 2 + arbiters: 1 + type: ReplicaSet + version: "6.0.3" + security: + authentication: + modes: ["SCRAM"] + users: + - name: readwrite + db: application + passwordSecretRef: + name: mongodb-application-readwrite-password + roles: + - name: readWrite + db: application + scramCredentialsSecretName: mongodb-application-readwrite + - name: readonly + db: application + passwordSecretRef: + name: mongodb-application-readonly-password + roles: + - name: read + db: application + scramCredentialsSecretName: mongodb-application-readonly + statefulSet: + spec: + logLevel: WARN + template: + spec: + containers: + - name: mongod + resources: + requests: + cpu: 100m + memory: 512Mi + limits: + cpu: 500m + memory: 1Gi + volumeMounts: + - name: journal-volume + mountPath: /data/journal + - name: mongodb-agent + resources: + requests: + cpu: 1m + memory: 100Mi + limits: {} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - mongodb-svc + topologyKey: kubernetes.io/hostname + nodeSelector: + dedicated: storage + tolerations: + - key: dedicated + operator: Equal + value: storage + effect: NoSchedule + volumeClaimTemplates: + - metadata: + name: logs-volume + labels: + usecase: logs + spec: + storageClassName: mongo + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 100Mi + - metadata: + name: journal-volume + labels: + usecase: journal + spec: + storageClassName: mongo + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 512Mi + - metadata: + name: data-volume + labels: + usecase: data + spec: + storageClassName: mongo + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 2Gi 
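Review bot: This file is not reachable from the documented apply command: the README hunk in this commit adds camera-tiler.yml, logmower.yml, ingress.yml and network-policies.yml to the `kubectl apply` list but not mongodb.yml or minio.yml, and it still lists `persistence.yml`, which this commit deletes, so the command as written errors out and the MongoDB and MinIO manifests would not be applied. Under `spec.security` only `authentication.modes: ["SCRAM"]` is configured and there is no `tls` block, so, unless the operator defaults differ from what I recall, replica-set traffic and the SCRAM handshakes travel in cleartext inside the cluster; the NetworkPolicies limit who can reach port 27017, but enabling TLS with a cluster-issued certificate would be the defense-in-depth step here. The per-database `readwrite`/`readonly` users with roles scoped to `application` are a good least-privilege split and worth keeping as-is.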
diff --git a/camtiler/network-policies.yml b/camtiler/network-policies.yml new file mode 100644 index 0000000..e182b6a --- /dev/null +++ b/camtiler/network-policies.yml 
@@ -0,0 +1,192 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: camera-motion-detect +spec: + podSelector: + matchLabels: + component: camera-motion-detect + policyTypes: + - Ingress + - Egress + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: camtiler + component: camera-tiler + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: prometheus-operator + podSelector: + matchLabels: + app.kubernetes.io/name: prometheus + egress: + - to: + - ipBlock: + # Permit access to cameras outside the cluster + cidr: 100.102.0.0/16 + - to: + - podSelector: + matchLabels: + app: mongodb-svc + ports: + - port: 27017 + - to: + - podSelector: + matchLabels: + app.kubernetes.io/name: minio + ports: + - port: 9000 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: camera-tiler +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: camtiler + component: camera-tiler + policyTypes: + - Ingress + - Egress + egress: + - to: + - podSelector: + matchLabels: + component: camera-motion-detect + ports: + - port: 5000 + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: prometheus-operator + podSelector: + matchLabels: + app.kubernetes.io/name: prometheus + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: traefik + podSelector: + matchLabels: + app.kubernetes.io/name: traefik +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: logmower-eventsource +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: camtiler + component: logmower-eventsource + policyTypes: + - Ingress + - Egress + egress: + - to: + - podSelector: + matchLabels: + app: mongodb-svc + - podSelector: + matchLabels: + component: logmower-event-broker + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: traefik + podSelector: + matchLabels: + app.kubernetes.io/name: traefik 
+--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: logmower-event-broker +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: camtiler + component: logmower-event-broker + policyTypes: + - Ingress + - Egress + egress: + - to: + # Minio access via Traefik's public endpoint + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: traefik + podSelector: + matchLabels: + app.kubernetes.io/name: traefik + ingress: + - from: + - podSelector: + matchLabels: + component: logmower-eventsource +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: logmower-frontend +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: camtiler + component: logmower-frontend + policyTypes: + - Ingress + - Egress + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: traefik + podSelector: + matchLabels: + app.kubernetes.io/name: traefik +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: minio +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: minio + policyTypes: + - Ingress + - Egress + egress: + - ports: + - port: http + to: + - podSelector: + matchLabels: + app.kubernetes.io/name: minio + ingress: + - ports: + - port: http + from: + - podSelector: {} + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: traefik + podSelector: + matchLabels: + app.kubernetes.io/name: traefik + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: prometheus-operator + podSelector: + matchLabels: + app.kubernetes.io/name: prometheus diff --git a/camtiler/persistence.yml b/camtiler/persistence.yml deleted file mode 100644 index 95d6af4..0000000 --- a/camtiler/persistence.yml +++ /dev/null 
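Review bot: The `logmower-eventsource` policy's egress to `app: mongodb-svc` carries no `ports` restriction, while the `camera-motion-detect` policy in the same file limits the same destination to `- port: 27017`; the eventsource rule should get the same `ports:` / `- port: 27017` clause so the two policies agree. The `camera-tiler` policy declares `Egress` but only allows traffic to `camera-motion-detect` on port 5000, yet camera-tiler.yml gives that pod a Role to `list` Services, which requires reaching the API server; presumably the API-server (and DNS) allowance lives in the separately applied networkpolicy-base.yml, and a one-line comment saying so on this policy, e.g. `# API server and DNS egress are granted by networkpolicy-base.yml`, would save the next reader the same question. The `camera-motion-detect` policy selects pods by `component` alone whereas every other policy here also matches `app.kubernetes.io/name: camtiler`; adding that label keeps the selectors uniform and avoids catching an unrelated pod that reuses the `component` value. The `logmower-event-broker` document starts at the top of this physical line.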
@@ -1,294 +0,0 @@ ---- -apiVersion: mongodbcommunity.mongodb.com/v1 -kind: MongoDBCommunity -metadata: - name: mongodb -spec: - additionalMongodConfig: - systemLog: - quiet: true - members: 2 - arbiters: 1 - type: ReplicaSet - version: "6.0.3" - security: - authentication: - modes: ["SCRAM"] - users: - - name: readwrite - db: application - passwordSecretRef: - name: mongodb-application-readwrite-password - roles: - - name: readWrite - db: application - scramCredentialsSecretName: mongodb-application-readwrite - - name: readonly - db: application - passwordSecretRef: - name: mongodb-application-readonly-password - roles: - - name: read - db: application - scramCredentialsSecretName: mongodb-application-readonly - statefulSet: - spec: - logLevel: WARN - template: - spec: - containers: - - name: mongod - resources: - requests: - cpu: 100m - memory: 512Mi - limits: - cpu: 500m - memory: 1Gi - volumeMounts: - - name: journal-volume - mountPath: /data/journal - - name: mongodb-agent - resources: - requests: - cpu: 1m - memory: 100Mi - limits: {} - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - mongodb-svc - topologyKey: kubernetes.io/hostname - nodeSelector: - dedicated: storage - tolerations: - - key: dedicated - operator: Equal - value: storage - effect: NoSchedule - volumeClaimTemplates: - - metadata: - name: logs-volume - labels: - usecase: logs - spec: - storageClassName: mongo - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 100Mi - - metadata: - name: journal-volume - labels: - usecase: journal - spec: - storageClassName: mongo - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 512Mi - - metadata: - name: data-volume - labels: - usecase: data - spec: - storageClassName: mongo - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 2Gi ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: minio 
- labels: - app.kubernetes.io/name: minio -spec: - selector: - matchLabels: - app.kubernetes.io/name: minio - serviceName: minio-svc - replicas: 4 - podManagementPolicy: Parallel - template: - metadata: - labels: - app.kubernetes.io/name: minio - spec: - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app - operator: In - values: - - minio - topologyKey: kubernetes.io/hostname - nodeSelector: - dedicated: storage - tolerations: - - key: dedicated - operator: Equal - value: storage - effect: NoSchedule - containers: - - name: minio - env: - - name: MINIO_PROMETHEUS_AUTH_TYPE - value: public - envFrom: - - secretRef: - name: minio-secrets - image: minio/minio:latest - args: - - server - - http://minio-{0...3}.minio-svc.camtiler.svc.cluster.local/data - - --address - - 0.0.0.0:9000 - - --console-address - - 0.0.0.0:9001 - ports: - - containerPort: 9000 - name: http - - containerPort: 9001 - name: console - livenessProbe: - httpGet: - path: /minio/health/live - port: 9000 - initialDelaySeconds: 10 - periodSeconds: 20 - resources: - requests: - cpu: 1m - memory: 512Mi - limits: - cpu: 1000m - memory: 1Gi - volumeMounts: - - name: minio-data - mountPath: /data - volumeClaimTemplates: - - metadata: - name: minio-data - spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: '30Gi' - storageClassName: minio ---- -apiVersion: v1 -kind: Service -metadata: - name: minio -spec: - type: ClusterIP - ports: - - port: 80 - targetPort: 9000 - protocol: TCP - name: http - selector: - app.kubernetes.io/name: minio ---- -kind: Service -apiVersion: v1 -metadata: - name: minio-svc -spec: - selector: - app.kubernetes.io/name: minio - clusterIP: None - publishNotReadyAddresses: true - ports: - - name: http - port: 9000 ---- -apiVersion: monitoring.coreos.com/v1 -kind: PodMonitor -metadata: - name: minio -spec: - selector: - matchLabels: - app.kubernetes.io/name: minio - podMetricsEndpoints: - 
- port: http - path: /minio/v2/metrics/node - podTargetLabels: - - app.kubernetes.io/name ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: minio -spec: - podSelector: - matchLabels: - app.kubernetes.io/name: minio - policyTypes: - - Ingress - - Egress - egress: - - ports: - - port: http - to: - - podSelector: - matchLabels: - app.kubernetes.io/name: minio - ingress: - - ports: - - port: http - from: - - podSelector: {} - - from: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: traefik - podSelector: - matchLabels: - app.kubernetes.io/name: traefik - - from: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: prometheus-operator - podSelector: - matchLabels: - app.kubernetes.io/name: prometheus ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: minio - annotations: - kubernetes.io/ingress.class: traefik - traefik.ingress.kubernetes.io/router.entrypoints: websecure - traefik.ingress.kubernetes.io/router.tls: "true" - external-dns.alpha.kubernetes.io/target: traefik.k-space.ee -spec: - rules: - - host: cams-s3.k-space.ee - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: minio-svc - port: - number: 9000 - tls: - - hosts: - - "*.k-space.ee"