From 0fd0094ba0754aaacdfb801aec194e645dc4acc5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lauri=20V=C3=B5sandi?=
Date: Fri, 14 Oct 2022 00:14:35 +0300
Subject: [PATCH] playground: Initial commit
---
playground/README.md | 10 ++
playground/logging.yml | 263 ++++++++++++++++++++++++++++++
playground/mongodb-support.yml | 1 +
playground/mongoexpress.yml | 1 +
playground/networkpolicy-base.yml | 1 +
5 files changed, 276 insertions(+)
create mode 100644 playground/README.md
create mode 100644 playground/logging.yml
create mode 120000 playground/mongodb-support.yml
create mode 120000 playground/mongoexpress.yml
create mode 120000 playground/networkpolicy-base.yml
diff --git a/playground/README.md b/playground/README.md
new file mode 100644
index 0000000..55b2760
--- /dev/null
+++ b/playground/README.md
@@ -0,0 +1,10 @@
+# Playground
+
+Playground namespace is accessible to `Developers` AD group.
+
+Novel log aggregator is being developer in this namespace:
+
+```
+kubectl create secret generic -n playground mongodb-application-readwrite-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
+kubectl create secret generic -n playground mongodb-application-readonly-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
+kubectl apply -n playground -f logging.yml -f mongodb-support.yml -f mongoexpress.yml -f networkpolicy-base.yml
diff --git a/playground/logging.yml b/playground/logging.yml
new file mode 100644
index 0000000..3b789a8
--- /dev/null
+++ b/playground/logging.yml
@@ -0,0 +1,263 @@ +--- +apiVersion: mongodbcommunity.mongodb.com/v1 +kind: MongoDBCommunity +metadata: + name: mongodb +spec: + additionalMongodConfig: + systemLog: + quiet: true + members: 3 + type: ReplicaSet + version: "5.0.13" + security: + authentication: + modes: ["SCRAM"] + users: + - name: readwrite + db: application + passwordSecretRef: + name: mongodb-application-readwrite-password + roles: + - name: readWrite + db: application + scramCredentialsSecretName: mongodb-application-readwrite + - name: readonly + db: application + passwordSecretRef: + name: mongodb-application-readonly-password + roles: + - name: readOnly + db: application + scramCredentialsSecretName: mongodb-application-readonly + statefulSet: + spec: + logLevel: WARN + template: + spec: + containers: + - name: mongod + resources: + requests: + cpu: 100m + memory: 2Gi + limits: + cpu: 2000m + memory: 2Gi + - name: mongodb-agent + resources: + requests: + cpu: 1m + memory: 100Mi + limits: {} + affinity: + podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchExpressions: + - key: app + operator: In + values: + - mongodb-svc + topologyKey: kubernetes.io/hostname + nodeSelector: + dedicated: monitoring + tolerations: + - key: dedicated + operator: Equal + value: monitoring + effect: NoSchedule + volumeClaimTemplates: + - metadata: + name: logs-volume + spec: + storageClassName: local-path + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 512Mi + - metadata: + name: data-volume + spec: + storageClassName: local-path + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 2Gi +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: log-shipper +spec: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 50% + selector: + matchLabels: + app: log-shipper + template: + metadata: + labels: + app: log-shipper + spec: + serviceAccountName: log-shipper + containers: + - name: log-shipper + image: 
harbor.k-space.ee/k-space/log-shipper + securityContext: + runAsUser: 0 + env: + - name: MY_POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: MONGODB_HOST + valueFrom: + secretKeyRef: + name: mongodb-application-readwrite + key: connectionString.standard + ports: + - containerPort: 8000 + name: metrics + resources: + limits: + memory: 200Mi + requests: + cpu: 100m + memory: 100Mi + volumeMounts: + - name: etcmachineid + mountPath: /etc/machine-id + readOnly: true + - name: varlibdockercontainers + mountPath: /var/lib/docker/containers + readOnly: true + - name: varlog + mountPath: /var/log + readOnly: true + volumes: + - name: etcmachineid + hostPath: + path: /etc/machine-id + - name: varlibdockercontainers + hostPath: + path: /var/lib/docker/containers + - name: varlog + hostPath: + path: /var/log + tolerations: + - operator: "Exists" + effect: "NoExecute" + - operator: "Exists" + effect: "NoSchedule" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: logging-log-shipper +subjects: + - kind: ServiceAccount + name: log-shipper + namespace: playground +roleRef: + kind: ClusterRole + name: filebeat + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: log-shipper + labels: + app: log-shipper +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: log-shipper +spec: + podSelector: + matchLabels: + app: log-shipper + policyTypes: + - Ingress + - Egress + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: prometheus-operator + podSelector: + matchLabels: + app.kubernetes.io/name: prometheus + egress: + - to: + - podSelector: + matchLabels: + app: mongodb-svc + ports: + - port: 27017 +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: log-viewer-backend +spec: + podSelector: + matchLabels: + app: 
log-viewer-backend + policyTypes: + - Ingress + - Egress + egress: + - to: + - podSelector: + matchLabels: + app: mongodb-svc + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: traefik + podSelector: + matchLabels: + app.kubernetes.io/name: traefik +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: log-viewer-frontend +spec: + podSelector: + matchLabels: + app: log-viewer-frontend + policyTypes: + - Ingress + - Egress + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: traefik + podSelector: + matchLabels: + app.kubernetes.io/name: traefik +--- +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: log-shipper +spec: + selector: + matchLabels: + app: log-shipper + podMetricsEndpoints: + - port: metrics diff --git a/playground/mongodb-support.yml b/playground/mongodb-support.yml new file mode 120000 index 0000000..e834dd2 --- /dev/null +++ b/playground/mongodb-support.yml @@ -0,0 +1 @@ +../mongodb-operator/mongodb-support.yml \ No newline at end of file diff --git a/playground/mongoexpress.yml b/playground/mongoexpress.yml new file mode 120000 index 0000000..ebf5773 --- /dev/null +++ b/playground/mongoexpress.yml @@ -0,0 +1 @@ +../shared/mongoexpress.yml \ No newline at end of file diff --git a/playground/networkpolicy-base.yml b/playground/networkpolicy-base.yml new file mode 120000 index 0000000..e84a698 --- /dev/null +++ b/playground/networkpolicy-base.yml @@ -0,0 +1 @@ +../shared/networkpolicy-base.yml \ No newline at end of file
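Review bot: The `readonly` user in the MongoDBCommunity spec is given role `readOnly` on db `application`, which is not a MongoDB built-in role (the built-in read-only database role is `read`), so unless a custom role of that name is created elsewhere the operator's user reconciliation will fail and the read-only credential meant for the log viewer never gets its least-privilege access; the roles entry should read `- name: read`. The log-shipper container in the DaemonSet also runs with `runAsUser: 0` over hostPath mounts of /var/log and /var/lib/docker/containers; the mounts are `readOnly: true`, which is good, but the securityContext should additionally set `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities: {drop: ["ALL"]}` so root is confined to reading the host log files. The log-shipper NetworkPolicy permits egress only to `app: mongodb-svc` on port 27017, so resolving the hostname in the `connectionString.standard` secret depends on DNS egress being granted by the separately applied networkpolicy-base.yml (a symlink in this commit, contents not shown); a comment on that egress rule naming the dependency would prevent a later "why can't the shipper resolve mongodb" hunt. The ClusterRoleBinding references ClusterRole `filebeat`, which this commit does not create, and the log-viewer-backend egress rule to mongodb-svc carries no `ports` restriction unlike the log-shipper one — presumably both are deliberate, but a comment naming where `filebeat` is defined and adding `ports: [{port: 27017}]` to the backend rule would make the intent explicit.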