Initial commit

etherpad/README.md

@@ -0,0 +1,12 @@
+To apply changes:
+
+```
+kubectl apply -n etherpad -f application.yml -f networkpolicy-base.yml
+```
+
+Initialize MySQL secrets:
+
+```
+kubectl create secret generic -n etherpad mariadb-secrets \
+     --from-literal=MYSQL_ROOT_PASSWORD=$(cat /dev/urandom | base64 | head -c 30) \
+     --from-literal=MYSQL_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)

etherpad/application.yml

@@ -0,0 +1,206 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: etherpad
+  namespace: etherpad
+  annotations:
+    keel.sh/policy: minor
+    keel.sh/trigger: poll
+    keel.sh/pollSchedule: "@midnight"
+spec:
+  # Etherpad does NOT support running multiple replicas due to
+  # in-application caching https://github.com/ether/etherpad-lite/issues/3680
+  replicas: 1
+  serviceName: etherpad
+  selector:
+    matchLabels:
+      app: etherpad
+  template:
+    metadata:
+      labels:
+        app: etherpad
+    spec:
+      containers:
+        - name: etherpad
+          image: etherpad/etherpad:1
+          securityContext:
+            # Etherpad writes session key during start
+            readOnlyRootFilesystem: false
+            runAsNonRoot: true
+            runAsUser: 5001
+          ports:
+            - containerPort: 9001
+          env:
+            - name: DB_TYPE
+              value: mysql
+            - name: DB_HOST
+              value: 172.20.36.1
+            - name: DB_NAME
+              value: kspace_etherpad
+            - name: DB_USER
+              value: kspace_etherpad
+            - name: PAD_OPTIONS_NO_COLORS
+              value: "true"
+            - name: PAD_OPTIONS_USE_MONOSPACE_FONT
+              value: "true"
+            - name: PAD_OPTIONS_SHOW_CHAT
+              value: "false"
+            - name: TRUST_PROXY
+              value: "true"
+            - name: ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: application-secrets
+                  key: ADMIN_PASSWORD
+            - name: DB_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: mariadb-secrets
+                  key: MYSQL_PASSWORD
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: etherpad
+  namespace: etherpad
+spec:
+  type: ClusterIP
+  selector:
+    app: etherpad
+  ports:
+  - protocol: TCP
+    port: 9001
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: etherpad
+  namespace: etherpad
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    cert-manager.io/cluster-issuer: default
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+spec:
+  rules:
+  - host: pad.k-space.ee
+    http:
+      paths:
+      - pathType: Prefix
+        path: "/"
+        backend:
+          service:
+            name: etherpad
+            port:
+              number: 9001
+  tls:
+  - hosts:
+    - pad.k-space.ee
+    secretName: pad-tls
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: etherpad
+  namespace: etherpad
+spec:
+  podSelector:
+    matchLabels:
+      app: etherpad
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+      ports:
+        - protocol: TCP
+          port: 9001
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 172.20.36.1/32
+      ports:
+        - protocol: TCP
+          port: 3306
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: mysql-operator
+spec:
+  podSelector:
+    matchLabels:
+      app: etherpad
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+    - # TODO: Not sure why mysql-operator needs to be able to connect
+      from:
+        - namespaceSelector:
+           matchExpressions:
+             - key: kubernetes.io/metadata.name
+               operator: In
+               values:
+                 - mysql-operator
+      ports:
+        - protocol: TCP
+          port: 3306
+    - # Allow connecting from other MySQL pods in same namespace
+      from:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/managed-by: mysql-operator
+      ports:
+        - protocol: TCP
+          port: 3306
+  egress:
+    - # Allow connecting to other MySQL pods in same namespace
+      to:
+        - podSelector:
+            matchLabels:
+              app.kubernetes.io/managed-by: mysql-operator
+      ports:
+        - protocol: TCP
+          port: 3306
+---
+apiVersion: mysql.oracle.com/v2
+kind: InnoDBCluster
+metadata:
+  name: mysql-cluster
+spec:
+  secretName: mysql-secrets
+  instances: 3
+  router:
+    instances: 1
+  tlsUseSelfSigned: true
+  datadirVolumeClaimTemplate:
+    storageClassName: local-path
+    accessModes:
+      - ReadWriteOnce
+    resources:
+      requests:
+        storage: "10Gi"
+  podSpec:
+    affinity:
+      podAntiAffinity:
+        requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+                - key: app.kubernetes.io/managed-by
+                  operator: In
+                  values:
+                    - mysql-operator
+            topologyKey: kubernetes.io/hostname
+    nodeSelector:
+      dedicated: storage
+    tolerations:
+      - key: dedicated
+        operator: Equal
+        value: storage
+        effect: NoSchedule

etherpad/networkpolicy-base.yml

@@ -0,0 +1 @@
+../shared/networkpolicy-base.yml