From 2d25377090b14a339a54dfeb49b1f736c3d9c131 Mon Sep 17 00:00:00 2001
From: Erki Aas
Date: Sun, 28 Jul 2024 16:56:15 +0300
Subject: [PATCH] wildduck: migrate to dragonfly, disable network policies, upgrade wildduck-operator
---
wildduck/haraka.yaml | 4 +-
wildduck/webmail.yaml | 44 ++++++++++++++--------------
wildduck/wildduck-operator-rbac.yaml | 18 ++++++------
wildduck/wildduck-operator.yaml | 2 +-
wildduck/wildduck.yaml | 30 +++++++++++++++----
wildduck/wildflock.yaml | 30 +++++++++++++++++--
wildduck/zonemta.yaml | 32 ++++++++++----------
7 files changed, 102 insertions(+), 58 deletions(-)
diff --git a/wildduck/haraka.yaml b/wildduck/haraka.yaml
index 02c406d..e9852f4 100644
--- a/wildduck/haraka.yaml
+++ b/wildduck/haraka.yaml
@@ -175,8 +175,8 @@ spec:
- name: REDIS_URI
valueFrom:
secretKeyRef:
- name: redis-wildduck-owner-secrets
- key: REDIS_MASTER_0_URI
+ name: dragonfly-auth
+ key: REDIS_URI
- name: MONGO_URI
valueFrom:
secretKeyRef:
diff --git a/wildduck/webmail.yaml b/wildduck/webmail.yaml
index dc544db..49fa9a5 100644
--- a/wildduck/webmail.yaml
+++ b/wildduck/webmail.yaml
@@ -96,8 +96,8 @@ spec:
- name: APPCONF_dbs_redis
valueFrom:
secretKeyRef:
- name: redis-wildduck-owner-secrets
- key: REDIS_MASTER_1_URI
+ name: dragonfly-auth
+ key: REDIS_URI
volumes:
- name: webmail-config
projected:
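Review bot: Webmail's `APPCONF_dbs_redis` previously came from `REDIS_MASTER_1_URI` while haraka (first hunk), wildduck and zonemta read `REDIS_MASTER_0_URI`, which suggests webmail was deliberately kept on a separate Redis instance; after this change all four resolve the same `REDIS_URI` from `dragonfly-auth`, so they now share one keyspace with no database index selected in the URI. If that separation mattered, add a second mapping entry to the `dragonfly-auth` SecretClaim whose URI carries a db index in its path and point webmail's secretKeyRef at that key. If the shared keyspace is intended, a one-line comment next to the secretKeyRef such as `# shared with wildduck/haraka/zonemta on purpose` would stop the next reader from re-separating them. The containing env list starts and ends outside the hunk.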
@@ -155,23 +155,23 @@ spec:
replacement: https://webmail.k-space.ee/webmail/
permanent: false
---
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: webmail
-spec:
- podSelector:
- matchLabels:
- app.kubernetes.io/name: webmail
- policyTypes:
- - Ingress
- ingress:
- - ports:
- - port: 3000
- from:
- - namespaceSelector:
- matchLabels:
- kubernetes.io/metadata.name: traefik
- podSelector:
- matchLabels:
- app.kubernetes.io/name: traefik
+# apiVersion: networking.k8s.io/v1
+# kind: NetworkPolicy
+# metadata:
+# name: webmail
+# spec:
+# podSelector:
+# matchLabels:
+# app.kubernetes.io/name: webmail
+# policyTypes:
+# - Ingress
+# ingress:
+# - ports:
+# - port: 3000
+# from:
+# - namespaceSelector:
+# matchLabels:
+# kubernetes.io/metadata.name: traefik
+# podSelector:
+# matchLabels:
+# app.kubernetes.io/name: traefik
diff --git a/wildduck/wildduck-operator-rbac.yaml b/wildduck/wildduck-operator-rbac.yaml
index 83fd57c..80bf36c 100644
--- a/wildduck/wildduck-operator-rbac.yaml
+++ b/wildduck/wildduck-operator-rbac.yaml
@@ -2,20 +2,20 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
- name: codemowers-io-wildduck-operator
+ name: codemowers-cloud-wildduck-operator
rules:
- apiGroups:
- codemowers.io
+ codemowers.cloud
resources:
- oidcgatewayusers
+ oidcusers
verbs:
- get
- list
- watch
- apiGroups:
- codemowers.io
+ codemowers.cloud
resources:
- oidcgatewayusers/status
+ oidcusers/status
verbs:
- patch
- update
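Review bot: The webmail NetworkPolicy is commented out rather than deleted, leaving twenty lines of dead YAML with no note on why it is disabled or what would allow it back; the zonemta hunk at the end of the patch does the same. Until a policy is restored, port 3000 on the webmail pod is reachable from any pod in the cluster instead of only from traefik, which removes a layer of defence in depth in front of a service that handles user sessions. Either delete the block outright (git history keeps it) or replace it with one comment above the document separator, e.g. `# NetworkPolicy disabled <date> — <reason>; restore when <condition>`, and consider keeping a reduced policy that still limits ingress to the namespaces that need it.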
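Review bot: Renaming the ClusterRole to `codemowers-cloud-wildduck-operator` (and, in the next hunk, the ServiceAccount and ClusterRoleBinding) creates new objects rather than mutating the old ones, so unless the apply is run with pruning or the old `codemowers-io-wildduck-operator` ClusterRole, ClusterRoleBinding and ServiceAccount are deleted explicitly, a stale binding keeps granting `codemowers.io` permissions to a ServiceAccount that no pod uses but whose tokens can still be issued. A cleanup step in the rollout, or a sentence in the commit description saying the old objects were removed, is worth adding so the orphaned RBAC does not linger. The ClusterRole document ends just past this hunk.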
@@ -23,18 +23,18 @@ rules:
apiVersion: v1
kind: ServiceAccount
metadata:
- name: codemowers-io-wildduck-operator
+ name: codemowers-cloud-wildduck-operator
namespace: wildduck
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- name: codemowers-io-wildduck-operator
+ name: codemowers-cloud-wildduck-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: codemowers-io-wildduck-operator
+ name: codemowers-cloud-wildduck-operator
subjects:
- kind: ServiceAccount
- name: codemowers-io-wildduck-operator
+ name: codemowers-cloud-wildduck-operator
namespace: wildduck
diff --git a/wildduck/wildduck-operator.yaml b/wildduck/wildduck-operator.yaml
index bb60e2c..c98ae58 100644
--- a/wildduck/wildduck-operator.yaml
+++ b/wildduck/wildduck-operator.yaml
@@ -34,7 +34,7 @@ spec:
- containerPort: 8000
name: metrics
enableServiceLinks: false
- serviceAccountName: codemowers-io-wildduck-operator
+ serviceAccountName: codemowers-cloud-wildduck-operator
---
apiVersion: v1
kind: Service
diff --git a/wildduck/wildduck.yaml b/wildduck/wildduck.yaml
index 03b428c..b10e1ae 100644
--- a/wildduck/wildduck.yaml
+++ b/wildduck/wildduck.yaml
@@ -1,11 +1,29 @@
---
apiVersion: codemowers.cloud/v1beta1
-kind: RedisClaim
+kind: SecretClaim
metadata:
- name: wildduck
+ name: dragonfly-auth
spec:
- class: ephemeral
- capacity: 100Mi
+ size: 32
+ mapping:
+ - key: password
+ value: "%(plaintext)s"
+ - key: REDIS_URI
+ value: "redis://:%(plaintext)s@dragonfly"
+---
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
+metadata:
+ name: dragonfly
+spec:
+ authentication:
+ passwordFromSecret:
+ key: password
+ name: dragonfly-auth
+ replicas: 3
+ resources:
+ limits:
+ memory: 5Gi
---
apiVersion: v1
kind: Service
@@ -98,8 +116,8 @@ spec:
- name: APPCONF_dbs_redis
valueFrom:
secretKeyRef:
- name: redis-wildduck-owner-secrets
- key: REDIS_MASTER_0_URI
+ name: dragonfly-auth
+ key: REDIS_URI
volumeMounts:
- mountPath: /cert
name: cert
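Review bot: The `REDIS_URI` mapping splices `%(plaintext)s` directly into the userinfo part of `redis://:%(plaintext)s@dragonfly`; if the generated secret can contain characters reserved in that position (`@`, `/`, `:`, `#`, `?`), clients will mis-parse the URI or fail to authenticate, so confirm the SecretClaim generator's alphabet is URL-safe or constrain it if the resource allows that. The identical construction is repeated for `dragonfly-wildflock-auth` in the wildflock.yaml hunk, so whichever fix is chosen applies there too. Note also that the scheme is plain `redis://`, and with the NetworkPolicies disabled in this same commit the only control on the `dragonfly` service is this single shared password, reachable from every pod in the cluster; a comment on the Dragonfly resource recording that assumption, e.g. `# no TLS; access is password-only and cluster-wide — scope with a NetworkPolicy before exposing further`, would keep the trade-off visible.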
diff --git a/wildduck/wildflock.yaml b/wildduck/wildflock.yaml
index 37da612..9ff34b8 100644
--- a/wildduck/wildflock.yaml
+++ b/wildduck/wildflock.yaml
@@ -96,8 +96,8 @@ spec:
- name: REDIS_URL
valueFrom:
secretKeyRef:
- name: redis-webmail-owner-secrets
- key: REDIS_MASTER_1_URI
+ name: dragonfly-wildflock-auth
+ key: REDIS_URI
- name: CLIENT_URL
value: https://wildflock.k-space.ee
- name: WILDDUCK_DOMAIN
@@ -139,3 +139,29 @@ spec:
envFrom:
- secretRef:
name: oidc-client-wildflock-owner-secrets
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+ name: dragonfly-wildflock-auth
+spec:
+ size: 32
+ mapping:
+ - key: password
+ value: "%(plaintext)s"
+ - key: REDIS_URI
+ value: "redis://:%(plaintext)s@dragonfly-wildflock"
+---
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
+metadata:
+ name: dragonfly-wildflock
+spec:
+ authentication:
+ passwordFromSecret:
+ key: password
+ name: dragonfly-wildflock-auth
+ replicas: 3
+ resources:
+ limits:
+ memory: 5Gi
diff --git a/wildduck/zonemta.yaml b/wildduck/zonemta.yaml
index c2fd2f1..63631d1 100644
--- a/wildduck/zonemta.yaml
+++ b/wildduck/zonemta.yaml
@@ -123,8 +123,8 @@ spec:
- name: APPCONF_dbs_redis
valueFrom:
secretKeyRef:
- name: redis-wildduck-owner-secrets
- key: REDIS_MASTER_0_URI
+ name: dragonfly-auth
+ key: REDIS_URI
volumeMounts:
- name: cert
mountPath: /cert
@@ -141,17 +141,17 @@ spec:
secret:
secretName: wildduck-tls
---
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- name: zonemta
-spec:
- podSelector:
- matchLabels:
- app.kubernetes.io/name: wildduck
- app.kubernetes.io/component: zonemta
- policyTypes:
- - Ingress
- ingress:
- - ports:
- - port: 9465
+# apiVersion: networking.k8s.io/v1
+# kind: NetworkPolicy
+# metadata:
+# name: zonemta
+# spec:
+# podSelector:
+# matchLabels:
+# app.kubernetes.io/name: wildduck
+# app.kubernetes.io/component: zonemta
+# policyTypes:
+# - Ingress
+# ingress:
+# - ports:
+# - port: 9465