k-space/kube
12
1
Fork 3
Code Issues 63 Pull Requests Wiki Activity

clean up shared/

Browse Source 
most of it replaced or unused
This commit is contained in:
Rasmus Kallas
2026-01-03 05:34:13 +02:00
parent fe1e7f015f
commit 8fe0356599
10 changed files with 143 additions and 514 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
README.md
View File

@@ -32,6 +32,11 @@ All nodes are in Infra VLAN 21. Routing is implemented with BGP, all nodes and t
See the [Calico installation](tigera-operator/application.yml) for Kube side and Routing / BGP in the router.
Static routes for 193.40.103.36/30 have been added in pve nodes to make them communicating with Passmower via Traefik more stable - otherwise packets coming back to the PVE are routed directly via VLAN 21 internal IPs by the worker nodes, breaking TCP.
#### Regenerate networkpolicy-base.yml
It's quite odd there is no better way to generate these.
[regenerate-networkpolicy-base.sh](regenerate-networkpolicy-base.sh)
<!-- Linked to by https://wiki.k-space.ee/e/en/hosting/storage -->
### Databases / -stores:
- Dragonfly: `kind: Dragonfly` (replaces Redis[^redisdead])

1
_disabled/playground/mongoexpress.yml
View File

@@ -1 +0,0 @@
../shared/mongoexpress.yml

47
_disabled/playground/mongoexpress.yml Normal file
View File

@@ -0,0 +1,47 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: mongoexpress
spec:
revisionHistoryLimit: 0
replicas: 1
selector:
matchLabels:
app: mongoexpress
template:
metadata:
labels:
app: mongoexpress
spec:
containers:
- name: mongoexpress
image: mirror.gcr.io/library/mongo-express
ports:
- name: mongoexpress
containerPort: 8081
env:
- name: ME_CONFIG_MONGODB_URL
valueFrom:
secretKeyRef:
name: mongodb-application-readwrite
key: connectionString.standard
- name: ME_CONFIG_MONGODB_ENABLE_ADMIN
value: 'false'
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: mongoexpress
spec:
podSelector:
matchLabels:
app: mongoexpress
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
app: mongodb-svc
ports:
- port: 27017

6
shared/README.md → regenerate-networkpolicy-base.sh Normal file → Executable file
View File

@@ -1,8 +1,4 @@
# To regenerate base network policies
It's quite odd there is no better way to generate these.
```sh
cat << EOF > networkpolicy-base.yml
---
apiVersion: networking.k8s.io/v1
@@ -63,4 +59,4 @@ EOF
done
cp networkpolicy-base.yml ../traefik/
```
cp networkpolicy-base.yml ../rosdump/

1
rosdump/networkpolicy-base.yml
View File

@@ -1 +0,0 @@
../shared/networkpolicy-base.yml

90
rosdump/networkpolicy-base.yml Normal file
View File

@@ -0,0 +1,90 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubedns
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubeprobe
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 10.244.0.1/32
- from:
- ipBlock:
cidr: 10.244.1.1/32
- from:
- ipBlock:
cidr: 10.244.2.1/32
- from:
- ipBlock:
cidr: 10.244.9.1/32
- from:
- ipBlock:
cidr: 10.244.4.1/32
- from:
- ipBlock:
cidr: 10.244.3.1/32
- from:
- ipBlock:
cidr: 10.244.5.1/32
- from:
- ipBlock:
cidr: 10.244.7.1/32
- from:
- ipBlock:
cidr: 10.244.11.1/32
- from:
- ipBlock:
cidr: 10.244.12.1/32
- from:
- ipBlock:
cidr: 10.244.6.1/32
- from:
- ipBlock:
cidr: 10.244.10.1/32
- from:
- ipBlock:
cidr: 10.244.8.1/32
- from:
- ipBlock:
cidr: 10.244.13.1/32
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubeapi
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- ports:
- port: 6443
to:
- ipBlock:
cidr: 172.21.3.51/32
- ipBlock:
cidr: 172.21.3.52/32
- ipBlock:
cidr: 172.21.3.53/32

77
shared/backup-service.yml
View File

@@ -1,77 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: backup-service
spec:
replicas: 1
selector:
matchLabels:
app: backup-service
template:
metadata:
labels:
app: backup-service
spec:
serviceAccount: backup-service
containers:
- name: backup-service
image: harbor.k-space.ee/k-space/backup-service
ports:
- name: backup-service
containerPort: 5000
env:
- name: TOKEN
value: CYdCDFIvGX
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: backup-service
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: backup-service
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- apiGroups:
- mongodbcommunity.mongodb.com
resources:
- mongodbcommunity
verbs:
- get
- list
- watch
- apiGroups:
- mysql.oracle.com
resources:
- innodbclusters
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: backup-service
namespace: shared
subjects:
- kind: ServiceAccount
name: backup-service
namespace: shared
roleRef:
kind: ClusterRole
name: backup-service
apiGroup: rbac.authorization.k8s.io

104
shared/mariadb.yml
View File

@@ -1,104 +0,0 @@
# MariaDB 10.5 is supported until 2025
# Note that MariaDB 10.6 breaks with Nextcloud
# https://help.nextcloud.com/t/update-to-next-cloud-21-0-2-has-get-an-error/117028/7
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mariadb
annotations:
keel.sh/policy: patch
keel.sh/trigger: poll
keel.sh/pollSchedule: "@midnight"
spec:
revisionHistoryLimit: 0
serviceName: mariadb
selector:
matchLabels:
app: mariadb
replicas: 1
template:
metadata:
labels:
app: mariadb
annotations:
prometheus.io/port: '9104'
prometheus.io/scrape: 'true'
spec:
containers:
- name: exporter
image: mirror.gcr.io/prom/mysqld-exporter:latest
env:
- name: DATA_SOURCE_NAME
value: exporter@tcp(127.0.0.1)/
- name: mariadb
image: mirror.gcr.io/library/mariadb:10.5
imagePullPolicy: Always
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-secrets
key: MYSQL_ROOT_PASSWORD
- name: MYSQL_USER
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MYSQL_DATABASE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-secrets
key: MYSQL_PASSWORD
volumeMounts:
- name: mariadb-data
mountPath: /var/lib/mysql
- name: mariadb-init
mountPath: /docker-entrypoint-initdb.d
volumes:
- name: mariadb-init
configMap:
name: mariadb-init-config
# Make sure MariaDB instances run on storage{1..3} nodes, as close
# as possible to Longhorn instances
tolerations:
- key: dedicated
operator: Equal
value: storage
effect: NoSchedule
nodeSelector:
dedicated: storage
volumeClaimTemplates:
- metadata:
name: mariadb-data
spec:
storageClassName: longhorn
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
---
apiVersion: v1
kind: Service
metadata:
name: mariadb
spec:
ports:
- protocol: TCP
port: 3306
selector:
app: mariadb
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mariadb-init-config
data:
initdb.sql: |
CREATE USER 'exporter'@'127.0.0.1' WITH MAX_USER_CONNECTIONS 3;
GRANT PROCESS, REPLICATION CLIENT, SLAVE MONITOR, SELECT ON *.* TO 'exporter'@'127.0.0.1';

81
shared/memcached.yml
View File

@@ -1,81 +0,0 @@
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: false
metadata:
name: memcached
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: memcached
labels:
app: memcached
spec:
revisionHistoryLimit: 0
serviceName: memcached
selector:
matchLabels:
app: memcached
replicas: 1
template:
metadata:
labels:
app: memcached
spec:
securityContext:
fsGroup: 1001
affinity:
podAffinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app: memcached
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: memcached
containers:
- name: memcached
image: mirror.gcr.io/library/memcached:1-alpine
securityContext:
runAsUser: 1001
readOnlyRootFilesystem: true
runAsNonRoot: true
livenessProbe:
tcpSocket:
port: 11211
initialDelaySeconds: 30
timeoutSeconds: 5
failureThreshold: 6
readinessProbe:
tcpSocket:
port: 11211
initialDelaySeconds: 5
timeoutSeconds: 3
periodSeconds: 5
resources:
limits: {}
requests:
cpu: 250m
memory: 256Mi
volumeMounts:
- name: tmp
mountPath: /tmp
volumes:
- name: tmp
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: memcached
labels:
app: memcached
spec:
type: ClusterIP
ports:
- name: memcache
port: 11211
selector:
app: memcached

108
shared/mongo.yml
View File

@@ -1,108 +0,0 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mongo
annotations:
keel.sh/policy: force
keel.sh/trigger: poll
keel.sh/pollSchedule: "@midnight"
spec:
revisionHistoryLimit: 0
serviceName: mongo
selector:
matchLabels:
app: mongo
replicas: 1
template:
metadata:
labels:
app: mongo
spec:
securityContext:
fsGroup: 999
containers:
- name: mongo
image: mirror.gcr.io/library/mongo:5
command:
- mongod
- --quiet
- --replSet
- rs0
- --bind_ip_all
ports:
- name: mongo
containerPort: 27017
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- name: tmp
mountPath: /tmp
- name: mongo-data
mountPath: /data/db
- name: exporter
image: mirror.gcr.io/percona/mongodb_exporter:0.44
args:
- --compatible-mode
- --mongodb.direct-connect=false
ports:
- name: mongo-exporter
containerPort: 9216
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65535
env:
- name: MONGODB_URI
value: mongodb://mongo
# Make sure MongoDB instances run on storage{1..3} nodes, as close
# as possible to Longhorn instances
tolerations:
- key: dedicated
operator: Equal
value: storage
effect: NoSchedule
nodeSelector:
dedicated: storage
volumes:
- name: tmp
emptyDir: {}
volumeClaimTemplates:
- metadata:
name: mongo-data
spec:
storageClassName: longhorn
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: Service
metadata:
name: mongo-exporter
annotations:
prometheus.io/scrape: 'true'
spec:
ports:
- protocol: TCP
port: 9216
selector:
app: mongo
---
apiVersion: batch/v1
kind: Job
metadata:
name: mongo-rs0-init
spec:
template:
spec:
containers:
- name: mongo-rs0-init
image: mirror.gcr.io/library/mongo
command: ["mongo", "--eval", "rs.initiate();", "mongodb://mongo-0.mongo"]
restartPolicy: OnFailure
backoffLimit: 4

47
shared/mongoexpress.yml
View File

@@ -1,47 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: mongoexpress
spec:
revisionHistoryLimit: 0
replicas: 1
selector:
matchLabels:
app: mongoexpress
template:
metadata:
labels:
app: mongoexpress
spec:
containers:
- name: mongoexpress
image: mirror.gcr.io/library/mongo-express
ports:
- name: mongoexpress
containerPort: 8081
env:
- name: ME_CONFIG_MONGODB_URL
valueFrom:
secretKeyRef:
name: mongodb-application-readwrite
key: connectionString.standard
- name: ME_CONFIG_MONGODB_ENABLE_ADMIN
value: 'false'
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: mongoexpress
spec:
podSelector:
matchLabels:
app: mongoexpress
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
app: mongodb-svc
ports:
- port: 27017

90
shared/networkpolicy-base.yml
View File

@@ -1,90 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubedns
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubeprobe
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 10.244.0.1/32
- from:
- ipBlock:
cidr: 10.244.1.1/32
- from:
- ipBlock:
cidr: 10.244.2.1/32
- from:
- ipBlock:
cidr: 10.244.9.1/32
- from:
- ipBlock:
cidr: 10.244.4.1/32
- from:
- ipBlock:
cidr: 10.244.3.1/32
- from:
- ipBlock:
cidr: 10.244.5.1/32
- from:
- ipBlock:
cidr: 10.244.7.1/32
- from:
- ipBlock:
cidr: 10.244.11.1/32
- from:
- ipBlock:
cidr: 10.244.12.1/32
- from:
- ipBlock:
cidr: 10.244.6.1/32
- from:
- ipBlock:
cidr: 10.244.10.1/32
- from:
- ipBlock:
cidr: 10.244.8.1/32
- from:
- ipBlock:
cidr: 10.244.13.1/32
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubeapi
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- ports:
- port: 6443
to:
- ipBlock:
cidr: 172.21.3.51/32
- ipBlock:
cidr: 172.21.3.52/32
- ipBlock:
cidr: 172.21.3.53/32