wildduck: migrate to dragonfly, disable network policies, upgrade wildduck-operator

2024-07-28 16:56:15 +03:00 · 2024-07-28 16:56:15 +03:00 · 2d25377090
commit 2d25377090
parent 73d185b2ee
7 changed files with 102 additions and 58 deletions
--- a/wildduck/haraka.yaml
+++ b/wildduck/haraka.yaml
@ -175,8 +175,8 @@ spec:
            - name: REDIS_URI
              valueFrom:
                secretKeyRef:
-                  name: redis-wildduck-owner-secrets
-                  key: REDIS_MASTER_0_URI
+                  name: dragonfly-auth
+                  key: REDIS_URI
            - name: MONGO_URI
              valueFrom:
                secretKeyRef:
--- a/wildduck/webmail.yaml
+++ b/wildduck/webmail.yaml
@ -96,8 +96,8 @@ spec:
            - name: APPCONF_dbs_redis
              valueFrom:
                secretKeyRef:
-                  name: redis-wildduck-owner-secrets
-                  key: REDIS_MASTER_1_URI
+                  name: dragonfly-auth
+                  key: REDIS_URI
      volumes:
        - name: webmail-config
          projected:
@ -155,23 +155,23 @@ spec:
    replacement: https://webmail.k-space.ee/webmail/
    permanent: false
 ---
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: webmail
-spec:
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: webmail
-  policyTypes:
-    - Ingress
-  ingress:
-    - ports:
-        - port: 3000
-      from:
-        - namespaceSelector:
-            matchLabels:
-              kubernetes.io/metadata.name: traefik
-          podSelector:
-            matchLabels:
-              app.kubernetes.io/name: traefik
+# apiVersion: networking.k8s.io/v1
+# kind: NetworkPolicy
+# metadata:
+#   name: webmail
+# spec:
+#   podSelector:
+#     matchLabels:
+#       app.kubernetes.io/name: webmail
+#   policyTypes:
+#     - Ingress
+#   ingress:
+#     - ports:
+#         - port: 3000
+#       from:
+#         - namespaceSelector:
+#             matchLabels:
+#               kubernetes.io/metadata.name: traefik
+#           podSelector:
+#             matchLabels:
+#               app.kubernetes.io/name: traefik
--- a/wildduck/wildduck-operator-rbac.yaml
+++ b/wildduck/wildduck-operator-rbac.yaml
@ -2,20 +2,20 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: codemowers-io-wildduck-operator
+  name: codemowers-cloud-wildduck-operator
 rules:
  - apiGroups:
-      - codemowers.io
+      - codemowers.cloud
    resources:
-      - oidcgatewayusers
+      - oidcusers
    verbs:
      - get
      - list
      - watch
  - apiGroups:
-      - codemowers.io
+      - codemowers.cloud
    resources:
-      - oidcgatewayusers/status
+      - oidcusers/status
    verbs:
      - patch
      - update
@ -23,18 +23,18 @@ rules:
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: codemowers-io-wildduck-operator
+  name: codemowers-cloud-wildduck-operator
  namespace: wildduck
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: codemowers-io-wildduck-operator
+  name: codemowers-cloud-wildduck-operator
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
-  name: codemowers-io-wildduck-operator
+  name: codemowers-cloud-wildduck-operator
 subjects:
  - kind: ServiceAccount
-    name: codemowers-io-wildduck-operator
+    name: codemowers-cloud-wildduck-operator
    namespace: wildduck
--- a/wildduck/wildduck-operator.yaml
+++ b/wildduck/wildduck-operator.yaml
@ -34,7 +34,7 @@ spec:
            - containerPort: 8000
              name: metrics
      enableServiceLinks: false
-      serviceAccountName: codemowers-io-wildduck-operator
+      serviceAccountName: codemowers-cloud-wildduck-operator
 ---
 apiVersion: v1
 kind: Service
--- a/wildduck/wildduck.yaml
+++ b/wildduck/wildduck.yaml
@ -1,11 +1,29 @@
 ---
 apiVersion: codemowers.cloud/v1beta1
-kind: RedisClaim
+kind: SecretClaim
 metadata:
-  name: wildduck
+  name: dragonfly-auth
 spec:
-  class: ephemeral
-  capacity: 100Mi
+  size: 32
+  mapping:
+    - key: password
+      value: "%(plaintext)s"
+    - key: REDIS_URI
+      value: "redis://:%(plaintext)s@dragonfly"
+---
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
+metadata:
+  name: dragonfly
+spec:
+  authentication:
+    passwordFromSecret:
+      key: password
+      name: dragonfly-auth
+  replicas: 3
+  resources:
+    limits:
+      memory: 5Gi
 ---
 apiVersion: v1
 kind: Service
@ -98,8 +116,8 @@ spec:
            - name: APPCONF_dbs_redis
              valueFrom:
                secretKeyRef:
-                  name: redis-wildduck-owner-secrets
-                  key: REDIS_MASTER_0_URI
+                  name: dragonfly-auth
+                  key: REDIS_URI
          volumeMounts:
            - mountPath: /cert
              name: cert
--- a/wildduck/wildflock.yaml
+++ b/wildduck/wildflock.yaml
@ -96,8 +96,8 @@ spec:
            - name: REDIS_URL
              valueFrom:
                secretKeyRef:
-                  name: redis-webmail-owner-secrets
-                  key: REDIS_MASTER_1_URI
+                  name: dragonfly-wildflock-auth
+                  key: REDIS_URI
            - name: CLIENT_URL
              value: https://wildflock.k-space.ee
            - name: WILDDUCK_DOMAIN
@ -139,3 +139,29 @@ spec:
          envFrom:
            - secretRef:
                name: oidc-client-wildflock-owner-secrets
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+  name: dragonfly-wildflock-auth
+spec:
+  size: 32
+  mapping:
+    - key: password
+      value: "%(plaintext)s"
+    - key: REDIS_URI
+      value: "redis://:%(plaintext)s@dragonfly-wildflock"
+---
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
+metadata:
+  name: dragonfly-wildflock
+spec:
+  authentication:
+    passwordFromSecret:
+      key: password
+      name: dragonfly-wildflock-auth
+  replicas: 3
+  resources:
+    limits:
+      memory: 5Gi
--- a/wildduck/zonemta.yaml
+++ b/wildduck/zonemta.yaml
@ -123,8 +123,8 @@ spec:
            - name: APPCONF_dbs_redis
              valueFrom:
                secretKeyRef:
-                  name: redis-wildduck-owner-secrets
-                  key: REDIS_MASTER_0_URI
+                  name: dragonfly-auth
+                  key: REDIS_URI
          volumeMounts:
            - name: cert
              mountPath: /cert
@ -141,17 +141,17 @@ spec:
          secret:
            secretName: wildduck-tls
 ---
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: zonemta
-spec:
-  podSelector:
-    matchLabels:
-      app.kubernetes.io/name: wildduck
-      app.kubernetes.io/component: zonemta
-  policyTypes:
-    - Ingress
-  ingress:
-    - ports:
-      - port: 9465
+# apiVersion: networking.k8s.io/v1
+# kind: NetworkPolicy
+# metadata:
+#   name: zonemta
+# spec:
+#   podSelector:
+#     matchLabels:
+#       app.kubernetes.io/name: wildduck
+#       app.kubernetes.io/component: zonemta
+#   policyTypes:
+#     - Ingress
+#   ingress:
+#     - ports:
+#       - port: 9465