diff --git a/README.md b/README.md
index 7dcfc9b..4c3a65e 100644
--- a/README.md
+++ b/README.md
@@ -32,6 +32,11 @@ All nodes are in Infra VLAN 21. Routing is implemented with BGP, all nodes and t See the [Calico installation](tigera-operator/application.yml) for Kube side and Routing / BGP in the router. Static routes for 193.40.103.36/30 have been added in pve nodes to make them communicating with Passmower via Traefik more stable - otherwise packets coming back to the PVE are routed directly via VLAN 21 internal IPs by the worker nodes, breaking TCP. +#### Regenerate networkpolicy-base.yml +It's quite odd there is no better way to generate these. + +[regenerate-networkpolicy-base.sh](regenerate-networkpolicy-base.sh) + ### Databases / -stores: - Dragonfly: `kind: Dragonfly` (replaces Redis[^redisdead])
diff --git a/_disabled/playground/mongoexpress.yml b/_disabled/playground/mongoexpress.yml
deleted file mode 120000
index ebf5773..0000000
--- a/_disabled/playground/mongoexpress.yml
+++ /dev/null
@@ -1 +0,0 @@
-../shared/mongoexpress.yml
\ No newline at end of file
diff --git a/_disabled/playground/mongoexpress.yml b/_disabled/playground/mongoexpress.yml
new file mode 100644
index 0000000..1f3c969
--- /dev/null
+++ b/_disabled/playground/mongoexpress.yml
@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mongoexpress
+spec:
+ revisionHistoryLimit: 0
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mongoexpress
+ template:
+ metadata:
+ labels:
+ app: mongoexpress
+ spec:
+ containers:
+ - name: mongoexpress
+ image: mirror.gcr.io/library/mongo-express
+ ports:
+ - name: mongoexpress
+ containerPort: 8081
+ env:
+ - name: ME_CONFIG_MONGODB_URL
+ valueFrom:
+ secretKeyRef:
+ name: mongodb-application-readwrite
+ key: connectionString.standard
+ - name: ME_CONFIG_MONGODB_ENABLE_ADMIN
+ value: 'false'
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: mongoexpress
+spec:
+ podSelector:
+ matchLabels:
+ app: mongoexpress
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app: mongodb-svc
+ ports:
+ - port: 27017
diff --git a/shared/README.md b/regenerate-networkpolicy-base.sh
old mode 100644
new mode 100755
similarity index 91%
rename from shared/README.md
rename to regenerate-networkpolicy-base.sh
index e7adb1e..2a7664e
--- a/shared/README.md
+++ b/regenerate-networkpolicy-base.sh
@@ -1,8 +1,4 @@ -# To regenerate base network policies -It's quite odd there is no better way to generate these. - -```sh cat << EOF > networkpolicy-base.yml --- apiVersion: networking.k8s.io/v1
@@ -63,4 +59,4 @@ EOF done cp networkpolicy-base.yml ../traefik/ -``` +cp networkpolicy-base.yml ../rosdump/
diff --git a/rosdump/networkpolicy-base.yml b/rosdump/networkpolicy-base.yml
deleted file mode 120000
index e84a698..0000000
--- a/rosdump/networkpolicy-base.yml
+++ /dev/null
@@ -1 +0,0 @@
-../shared/networkpolicy-base.yml
\ No newline at end of file
diff --git a/rosdump/networkpolicy-base.yml b/rosdump/networkpolicy-base.yml
new file mode 100644
index 0000000..e58af61
--- /dev/null
+++ b/rosdump/networkpolicy-base.yml
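Review bot: The mongo-express container at `image: mirror.gcr.io/library/mongo-express` carries no tag and the pod sets no securityContext, unlike the memcached and mongo manifests this commit removes from shared/, which pin a tag and set `runAsNonRoot: true` and `readOnlyRootFilesystem: true`. Pinning the image (`image: mirror.gcr.io/library/mongo-express:<tag>` with a chosen tag) and adding those two fields would make the unit reproducible and consistent with the rest of the repo. The NetworkPolicy in the same hunk permits egress only to mongodb-svc on 27017, so resolving the host in the connection string presumably relies on the kubedns base policy also being applied in this namespace; a comment such as `# DNS egress is granted separately by networkpolicy-base.yml` would record that dependency. As the file sits under _disabled/, none of this is live until it is moved.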
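Review bot: The script is renamed from shared/README.md to the repository root, yet both copy targets are still written relative to the old shared/ directory, `cp networkpolicy-base.yml ../traefik/` and the added `cp networkpolicy-base.yml ../rosdump/`, which from the root resolve outside the repository; if it is meant to run from the root they should read `cp networkpolicy-base.yml traefik/` and `cp networkpolicy-base.yml rosdump/`. The file is also made executable (mode 100755) but its first line is now `cat << EOF > networkpolicy-base.yml`, so a `#!/bin/sh` line followed by `set -eu` would make the mode meaningful and stop a failed write from still being copied. Since the generated policies are now committed as per-directory copies rather than symlinks, emitting `# generated by regenerate-networkpolicy-base.sh - do not edit by hand` as the first line of the heredoc would flag drift to the next editor. The loop body between the two hunks is outside the diff.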
@@ -0,0 +1,90 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: kubedns
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ ports:
+ - protocol: UDP
+ port: 53
+ - protocol: TCP
+ port: 53
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: kubeprobe
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 10.244.0.1/32
+ - from:
+ - ipBlock:
+ cidr: 10.244.1.1/32
+ - from:
+ - ipBlock:
+ cidr: 10.244.2.1/32
+ - from:
+ - ipBlock:
+ cidr: 10.244.9.1/32
+ - from:
+ - ipBlock:
+ cidr: 10.244.4.1/32
+ - from:
+ - ipBlock:
+ cidr: 10.244.3.1/32
+ - from:
+ - ipBlock:
+ cidr: 10.244.5.1/32
+ - from:
+ - ipBlock:
+ cidr: 10.244.7.1/32
+ - from:
+ - ipBlock:
+ cidr: 10.244.11.1/32
+ - from:
+ - ipBlock:
+ cidr: 10.244.12.1/32
+ - from:
+ - ipBlock:
+ cidr: 10.244.6.1/32
+ - from:
+ - ipBlock:
+ cidr: 10.244.10.1/32
+ - from:
+ - ipBlock:
+ cidr: 10.244.8.1/32
+ - from:
+ - ipBlock:
+ cidr: 10.244.13.1/32
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: kubeapi
+spec:
+ podSelector: {}
+ policyTypes:
+ - Egress
+ egress:
+ - ports:
+ - port: 6443
+ to:
+ - ipBlock:
+ cidr: 172.21.3.51/32
+ - ipBlock:
+ cidr: 172.21.3.52/32
+ - ipBlock:
+ cidr: 172.21.3.53/32
diff --git a/shared/backup-service.yml b/shared/backup-service.yml
deleted file mode 100644
index 9de3262..0000000
--- a/shared/backup-service.yml
+++ /dev/null
@@ -1,77 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: backup-service -spec: - replicas: 1 - selector: - matchLabels: - app: backup-service - template: - metadata: - labels: - app: backup-service - spec: - serviceAccount: backup-service - containers: - - name: backup-service - image: harbor.k-space.ee/k-space/backup-service - ports: - - name: backup-service - containerPort: 5000 - env: - - name: TOKEN - value: CYdCDFIvGX ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: backup-service ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: backup-service -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - list -- apiGroups: - - "" - resources: - - secrets - verbs: - - get -- apiGroups: - - mongodbcommunity.mongodb.com - resources: - - mongodbcommunity - verbs: - - get - - list - - watch -- apiGroups: - - mysql.oracle.com - resources: - - innodbclusters - verbs: - - get - - list - - watch ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: backup-service - namespace: shared -subjects: -- kind: ServiceAccount - name: backup-service - namespace: shared -roleRef: - kind: ClusterRole - name: backup-service - apiGroup: rbac.authorization.k8s.io diff --git a/shared/mariadb.yml b/shared/mariadb.yml deleted file mode 100644 index 54b5cbb..0000000 --- a/shared/mariadb.yml +++ /dev/null 
@@ -1,104 +0,0 @@ -# MariaDB 10.5 is supported until 2025 -# Note that MariaDB 10.6 breaks with Nextcloud -# https://help.nextcloud.com/t/update-to-next-cloud-21-0-2-has-get-an-error/117028/7 ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: mariadb - annotations: - keel.sh/policy: patch - keel.sh/trigger: poll - keel.sh/pollSchedule: "@midnight" -spec: - revisionHistoryLimit: 0 - serviceName: mariadb - selector: - matchLabels: - app: mariadb - replicas: 1 - template: - metadata: - labels: - app: mariadb - annotations: - prometheus.io/port: '9104' - prometheus.io/scrape: 'true' - spec: - containers: - - name: exporter - image: mirror.gcr.io/prom/mysqld-exporter:latest - env: - - name: DATA_SOURCE_NAME - value: exporter@tcp(127.0.0.1)/ - - name: mariadb - image: mirror.gcr.io/library/mariadb:10.5 - imagePullPolicy: Always - env: - - name: MYSQL_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: mariadb-secrets - key: MYSQL_ROOT_PASSWORD - - name: MYSQL_USER - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MYSQL_DATABASE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: MYSQL_PASSWORD - valueFrom: - secretKeyRef: - name: mariadb-secrets - key: MYSQL_PASSWORD - volumeMounts: - - name: mariadb-data - mountPath: /var/lib/mysql - - name: mariadb-init - mountPath: /docker-entrypoint-initdb.d - volumes: - - name: mariadb-init - configMap: - name: mariadb-init-config - - # Make sure MariaDB instances run on storage{1..3} nodes, as close - # as possible to Longhorn instances - tolerations: - - key: dedicated - operator: Equal - value: storage - effect: NoSchedule - nodeSelector: - dedicated: storage - volumeClaimTemplates: - - metadata: - name: mariadb-data - spec: - storageClassName: longhorn - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 2Gi ---- -apiVersion: v1 -kind: Service -metadata: - name: mariadb -spec: - ports: - - protocol: TCP - port: 3306 - selector: - app: mariadb ---- -apiVersion: v1 -kind: 
ConfigMap -metadata: - name: mariadb-init-config -data: - initdb.sql: | - CREATE USER 'exporter'@'127.0.0.1' WITH MAX_USER_CONNECTIONS 3; - GRANT PROCESS, REPLICATION CLIENT, SLAVE MONITOR, SELECT ON *.* TO 'exporter'@'127.0.0.1'; diff --git a/shared/memcached.yml b/shared/memcached.yml deleted file mode 100644 index 2cb2b00..0000000 --- a/shared/memcached.yml +++ /dev/null @@ -1,81 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -automountServiceAccountToken: false -metadata: - name: memcached ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: memcached - labels: - app: memcached -spec: - revisionHistoryLimit: 0 - serviceName: memcached - selector: - matchLabels: - app: memcached - replicas: 1 - template: - metadata: - labels: - app: memcached - spec: - securityContext: - fsGroup: 1001 - affinity: - podAffinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - podAffinityTerm: - labelSelector: - matchLabels: - app: memcached - topologyKey: kubernetes.io/hostname - weight: 1 - serviceAccountName: memcached - containers: - - name: memcached - image: mirror.gcr.io/library/memcached:1-alpine - securityContext: - runAsUser: 1001 - readOnlyRootFilesystem: true - runAsNonRoot: true - livenessProbe: - tcpSocket: - port: 11211 - initialDelaySeconds: 30 - timeoutSeconds: 5 - failureThreshold: 6 - readinessProbe: - tcpSocket: - port: 11211 - initialDelaySeconds: 5 - timeoutSeconds: 3 - periodSeconds: 5 - resources: - limits: {} - requests: - cpu: 250m - memory: 256Mi - volumeMounts: - - name: tmp - mountPath: /tmp - volumes: - - name: tmp - emptyDir: {} ---- -apiVersion: v1 -kind: Service -metadata: - name: memcached - labels: - app: memcached -spec: - type: ClusterIP - ports: - - name: memcache - port: 11211 - selector: - app: memcached diff --git a/shared/mongo.yml b/shared/mongo.yml deleted file mode 100644 index 237e782..0000000 --- a/shared/mongo.yml +++ /dev/null 
@@ -1,108 +0,0 @@ ---- -apiVersion: apps/v1 -kind: StatefulSet -metadata: - name: mongo - annotations: - keel.sh/policy: force - keel.sh/trigger: poll - keel.sh/pollSchedule: "@midnight" -spec: - revisionHistoryLimit: 0 - serviceName: mongo - selector: - matchLabels: - app: mongo - replicas: 1 - template: - metadata: - labels: - app: mongo - spec: - securityContext: - fsGroup: 999 - containers: - - name: mongo - image: mirror.gcr.io/library/mongo:5 - command: - - mongod - - --quiet - - --replSet - - rs0 - - --bind_ip_all - ports: - - name: mongo - containerPort: 27017 - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 999 - volumeMounts: - - name: tmp - mountPath: /tmp - - name: mongo-data - mountPath: /data/db - - name: exporter - image: mirror.gcr.io/percona/mongodb_exporter:0.44 - args: - - --compatible-mode - - --mongodb.direct-connect=false - ports: - - name: mongo-exporter - containerPort: 9216 - securityContext: - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 65535 - env: - - name: MONGODB_URI - value: mongodb://mongo - # Make sure MongoDB instances run on storage{1..3} nodes, as close - # as possible to Longhorn instances - tolerations: - - key: dedicated - operator: Equal - value: storage - effect: NoSchedule - nodeSelector: - dedicated: storage - volumes: - - name: tmp - emptyDir: {} - volumeClaimTemplates: - - metadata: - name: mongo-data - spec: - storageClassName: longhorn - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 10Gi ---- -apiVersion: v1 -kind: Service -metadata: - name: mongo-exporter - annotations: - prometheus.io/scrape: 'true' -spec: - ports: - - protocol: TCP - port: 9216 - selector: - app: mongo ---- -apiVersion: batch/v1 -kind: Job -metadata: - name: mongo-rs0-init -spec: - template: - spec: - containers: - - name: mongo-rs0-init - image: mirror.gcr.io/library/mongo - command: ["mongo", "--eval", "rs.initiate();", "mongodb://mongo-0.mongo"] - restartPolicy: OnFailure 
- backoffLimit: 4 diff --git a/shared/mongoexpress.yml b/shared/mongoexpress.yml deleted file mode 100644 index 1f3c969..0000000 --- a/shared/mongoexpress.yml +++ /dev/null @@ -1,47 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: mongoexpress -spec: - revisionHistoryLimit: 0 - replicas: 1 - selector: - matchLabels: - app: mongoexpress - template: - metadata: - labels: - app: mongoexpress - spec: - containers: - - name: mongoexpress - image: mirror.gcr.io/library/mongo-express - ports: - - name: mongoexpress - containerPort: 8081 - env: - - name: ME_CONFIG_MONGODB_URL - valueFrom: - secretKeyRef: - name: mongodb-application-readwrite - key: connectionString.standard - - name: ME_CONFIG_MONGODB_ENABLE_ADMIN - value: 'false' ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: mongoexpress -spec: - podSelector: - matchLabels: - app: mongoexpress - policyTypes: - - Egress - egress: - - to: - - podSelector: - matchLabels: - app: mongodb-svc - ports: - - port: 27017 diff --git a/shared/networkpolicy-base.yml b/shared/networkpolicy-base.yml deleted file mode 100644 index e58af61..0000000 --- a/shared/networkpolicy-base.yml +++ /dev/null 
@@ -1,90 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: kubedns -spec: - podSelector: {} - policyTypes: - - Egress - egress: - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: kube-system - ports: - - protocol: UDP - port: 53 - - protocol: TCP - port: 53 ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: kubeprobe -spec: - podSelector: {} - policyTypes: - - Ingress - ingress: - - from: - - ipBlock: - cidr: 10.244.0.1/32 - - from: - - ipBlock: - cidr: 10.244.1.1/32 - - from: - - ipBlock: - cidr: 10.244.2.1/32 - - from: - - ipBlock: - cidr: 10.244.9.1/32 - - from: - - ipBlock: - cidr: 10.244.4.1/32 - - from: - - ipBlock: - cidr: 10.244.3.1/32 - - from: - - ipBlock: - cidr: 10.244.5.1/32 - - from: - - ipBlock: - cidr: 10.244.7.1/32 - - from: - - ipBlock: - cidr: 10.244.11.1/32 - - from: - - ipBlock: - cidr: 10.244.12.1/32 - - from: - - ipBlock: - cidr: 10.244.6.1/32 - - from: - - ipBlock: - cidr: 10.244.10.1/32 - - from: - - ipBlock: - cidr: 10.244.8.1/32 - - from: - - ipBlock: - cidr: 10.244.13.1/32 ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: kubeapi -spec: - podSelector: {} - policyTypes: - - Egress - egress: - - ports: - - port: 6443 - to: - - ipBlock: - cidr: 172.21.3.51/32 - - ipBlock: - cidr: 172.21.3.52/32 - - ipBlock: - cidr: 172.21.3.53/32