clean up shared/

most of it was replaced or is unused
2026-01-03 05:34:13 +02:00
parent fe1e7f015f
commit 8fe0356599
10 changed files with 143 additions and 514 deletions


@@ -32,6 +32,11 @@ All nodes are in Infra VLAN 21. Routing is implemented with BGP, all nodes and t
See the [Calico installation](tigera-operator/application.yml) for Kube side and Routing / BGP in the router. See the [Calico installation](tigera-operator/application.yml) for Kube side and Routing / BGP in the router.
Static routes for 193.40.103.36/30 have been added in pve nodes to make them communicating with Passmower via Traefik more stable - otherwise packets coming back to the PVE are routed directly via VLAN 21 internal IPs by the worker nodes, breaking TCP. Static routes for 193.40.103.36/30 have been added in pve nodes to make them communicating with Passmower via Traefik more stable - otherwise packets coming back to the PVE are routed directly via VLAN 21 internal IPs by the worker nodes, breaking TCP.
#### Regenerate networkpolicy-base.yml
It's quite odd there is no better way to generate these.
[regenerate-networkpolicy-base.sh](regenerate-networkpolicy-base.sh)
<!-- Linked to by https://wiki.k-space.ee/e/en/hosting/storage --> <!-- Linked to by https://wiki.k-space.ee/e/en/hosting/storage -->
### Databases / -stores: ### Databases / -stores:
- Dragonfly: `kind: Dragonfly` (replaces Redis[^redisdead]) - Dragonfly: `kind: Dragonfly` (replaces Redis[^redisdead])


@@ -1 +0,0 @@
../shared/mongoexpress.yml


@@ -0,0 +1,47 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: mongoexpress
spec:
revisionHistoryLimit: 0
replicas: 1
selector:
matchLabels:
app: mongoexpress
template:
metadata:
labels:
app: mongoexpress
spec:
containers:
- name: mongoexpress
image: mirror.gcr.io/library/mongo-express
ports:
- name: mongoexpress
containerPort: 8081
env:
- name: ME_CONFIG_MONGODB_URL
valueFrom:
secretKeyRef:
name: mongodb-application-readwrite
key: connectionString.standard
- name: ME_CONFIG_MONGODB_ENABLE_ADMIN
value: 'false'
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: mongoexpress
spec:
podSelector:
matchLabels:
app: mongoexpress
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
app: mongodb-svc
ports:
- port: 27017
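Review bot: The mongoexpress container (the `containers:` entry beginning `- name: mongoexpress`) runs with no securityContext and an unpinned image, which is a step back from the removed memcached/mongo manifests in this same commit that carried `runAsNonRoot`, `readOnlyRootFilesystem` and an explicit `runAsUser`. `image: mirror.gcr.io/library/mongo-express` floats to whatever the registry currently tags as latest, so a routine rollout can pull a different build unnoticed; pin a tag or digest. The NetworkPolicy below declares only `Egress`, so it says nothing about who may reach the 8081 UI, and no authentication-related configuration is visible in this hunk; how the UI is exposed is outside this file, so confirm access is gated elsewhere (ingress or auth proxy) before merging. A container-level hardening block is sketched below; `readOnlyRootFilesystem` may require a writable `/tmp` emptyDir and `runAsNonRoot` needs the image to declare a non-root USER or an explicit `runAsUser`, so verify both against the image before applying.
```yaml
      containers:
        - name: mongoexpress
          image: mirror.gcr.io/library/mongo-express:<PINNED_TAG_OR_DIGEST>  # placeholder: pin to a reviewed tag or digest
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # … unchanged: ports, env …
```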

shared/README.md → regenerate-networkpolicy-base.sh Normal file → Executable file

@@ -1,8 +1,4 @@
# To regenerate base network policies
It's quite odd there is no better way to generate these.
```sh
cat << EOF > networkpolicy-base.yml cat << EOF > networkpolicy-base.yml
--- ---
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
@@ -63,4 +59,4 @@ EOF
done done
cp networkpolicy-base.yml ../traefik/ cp networkpolicy-base.yml ../traefik/
``` cp networkpolicy-base.yml ../rosdump/
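Review bot: The file becomes an executable script (`Normal file → Executable file`) but the new side's first line is `cat << EOF > networkpolicy-base.yml`, with no interpreter line and no error handling visible in the hunk, so a failed heredoc, loop or `cp` would go unnoticed and the copied policy files could be left stale or partial. Since this hunk starts at line 1, prefix the script with `#!/bin/sh` (or bash if the loop body relies on bash features) and `set -eu`. The second hunk copies the generated file into `../traefik/` and `../rosdump/`, so the base policies now live as three copies that can drift; a comment such as `# Generated output: re-run this script rather than editing the copies` above the cp lines would make that explicit. The loop body between the two hunks is outside this view.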


@@ -1 +0,0 @@
../shared/networkpolicy-base.yml


@@ -0,0 +1,90 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubedns
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubeprobe
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 10.244.0.1/32
- from:
- ipBlock:
cidr: 10.244.1.1/32
- from:
- ipBlock:
cidr: 10.244.2.1/32
- from:
- ipBlock:
cidr: 10.244.9.1/32
- from:
- ipBlock:
cidr: 10.244.4.1/32
- from:
- ipBlock:
cidr: 10.244.3.1/32
- from:
- ipBlock:
cidr: 10.244.5.1/32
- from:
- ipBlock:
cidr: 10.244.7.1/32
- from:
- ipBlock:
cidr: 10.244.11.1/32
- from:
- ipBlock:
cidr: 10.244.12.1/32
- from:
- ipBlock:
cidr: 10.244.6.1/32
- from:
- ipBlock:
cidr: 10.244.10.1/32
- from:
- ipBlock:
cidr: 10.244.8.1/32
- from:
- ipBlock:
cidr: 10.244.13.1/32
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubeapi
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- ports:
- port: 6443
to:
- ipBlock:
cidr: 172.21.3.51/32
- ipBlock:
cidr: 172.21.3.52/32
- ipBlock:
cidr: 172.21.3.53/32
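Review bot: The `kubedns` policy's egress rule selects every pod in `kube-system` (a `namespaceSelector` with no `podSelector`), so any workload in the namespace this file is applied to may open 53/UDP and 53/TCP to anything running in that namespace, not only the DNS pods. If the DNS pods carry the usual `k8s-app: kube-dns` label, adding `podSelector: {matchLabels: {k8s-app: kube-dns}}` to the same `to` entry next to `namespaceSelector` narrows the rule without changing resolver behaviour; verify the label on the cluster first. The `kubeprobe` policy lists fourteen hard-coded node IPs, each as its own `from` rule with no port restriction; the missing port limit reads as intended for kubelet probes, but since this file is meant to be regenerated by `regenerate-networkpolicy-base.sh`, a header comment such as `# GENERATED by regenerate-networkpolicy-base.sh - edit the script, not this file` would stop hand edits from being lost, and the fourteen rules could be folded into one `from` list of `ipBlock`s with identical effect.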


@@ -1,77 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: backup-service
spec:
replicas: 1
selector:
matchLabels:
app: backup-service
template:
metadata:
labels:
app: backup-service
spec:
serviceAccount: backup-service
containers:
- name: backup-service
image: harbor.k-space.ee/k-space/backup-service
ports:
- name: backup-service
containerPort: 5000
env:
- name: TOKEN
value: CYdCDFIvGX
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: backup-service
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: backup-service
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- apiGroups:
- mongodbcommunity.mongodb.com
resources:
- mongodbcommunity
verbs:
- get
- list
- watch
- apiGroups:
- mysql.oracle.com
resources:
- innodbclusters
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: backup-service
namespace: shared
subjects:
- kind: ServiceAccount
name: backup-service
namespace: shared
roleRef:
kind: ClusterRole
name: backup-service
apiGroup: rbac.authorization.k8s.io


@@ -1,104 +0,0 @@
# MariaDB 10.5 is supported until 2025
# Note that MariaDB 10.6 breaks with Nextcloud
# https://help.nextcloud.com/t/update-to-next-cloud-21-0-2-has-get-an-error/117028/7
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mariadb
annotations:
keel.sh/policy: patch
keel.sh/trigger: poll
keel.sh/pollSchedule: "@midnight"
spec:
revisionHistoryLimit: 0
serviceName: mariadb
selector:
matchLabels:
app: mariadb
replicas: 1
template:
metadata:
labels:
app: mariadb
annotations:
prometheus.io/port: '9104'
prometheus.io/scrape: 'true'
spec:
containers:
- name: exporter
image: mirror.gcr.io/prom/mysqld-exporter:latest
env:
- name: DATA_SOURCE_NAME
value: exporter@tcp(127.0.0.1)/
- name: mariadb
image: mirror.gcr.io/library/mariadb:10.5
imagePullPolicy: Always
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-secrets
key: MYSQL_ROOT_PASSWORD
- name: MYSQL_USER
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MYSQL_DATABASE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-secrets
key: MYSQL_PASSWORD
volumeMounts:
- name: mariadb-data
mountPath: /var/lib/mysql
- name: mariadb-init
mountPath: /docker-entrypoint-initdb.d
volumes:
- name: mariadb-init
configMap:
name: mariadb-init-config
# Make sure MariaDB instances run on storage{1..3} nodes, as close
# as possible to Longhorn instances
tolerations:
- key: dedicated
operator: Equal
value: storage
effect: NoSchedule
nodeSelector:
dedicated: storage
volumeClaimTemplates:
- metadata:
name: mariadb-data
spec:
storageClassName: longhorn
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
---
apiVersion: v1
kind: Service
metadata:
name: mariadb
spec:
ports:
- protocol: TCP
port: 3306
selector:
app: mariadb
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mariadb-init-config
data:
initdb.sql: |
CREATE USER 'exporter'@'127.0.0.1' WITH MAX_USER_CONNECTIONS 3;
GRANT PROCESS, REPLICATION CLIENT, SLAVE MONITOR, SELECT ON *.* TO 'exporter'@'127.0.0.1';


@@ -1,81 +0,0 @@
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: false
metadata:
name: memcached
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: memcached
labels:
app: memcached
spec:
revisionHistoryLimit: 0
serviceName: memcached
selector:
matchLabels:
app: memcached
replicas: 1
template:
metadata:
labels:
app: memcached
spec:
securityContext:
fsGroup: 1001
affinity:
podAffinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app: memcached
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: memcached
containers:
- name: memcached
image: mirror.gcr.io/library/memcached:1-alpine
securityContext:
runAsUser: 1001
readOnlyRootFilesystem: true
runAsNonRoot: true
livenessProbe:
tcpSocket:
port: 11211
initialDelaySeconds: 30
timeoutSeconds: 5
failureThreshold: 6
readinessProbe:
tcpSocket:
port: 11211
initialDelaySeconds: 5
timeoutSeconds: 3
periodSeconds: 5
resources:
limits: {}
requests:
cpu: 250m
memory: 256Mi
volumeMounts:
- name: tmp
mountPath: /tmp
volumes:
- name: tmp
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: memcached
labels:
app: memcached
spec:
type: ClusterIP
ports:
- name: memcache
port: 11211
selector:
app: memcached


@@ -1,108 +0,0 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mongo
annotations:
keel.sh/policy: force
keel.sh/trigger: poll
keel.sh/pollSchedule: "@midnight"
spec:
revisionHistoryLimit: 0
serviceName: mongo
selector:
matchLabels:
app: mongo
replicas: 1
template:
metadata:
labels:
app: mongo
spec:
securityContext:
fsGroup: 999
containers:
- name: mongo
image: mirror.gcr.io/library/mongo:5
command:
- mongod
- --quiet
- --replSet
- rs0
- --bind_ip_all
ports:
- name: mongo
containerPort: 27017
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- name: tmp
mountPath: /tmp
- name: mongo-data
mountPath: /data/db
- name: exporter
image: mirror.gcr.io/percona/mongodb_exporter:0.44
args:
- --compatible-mode
- --mongodb.direct-connect=false
ports:
- name: mongo-exporter
containerPort: 9216
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65535
env:
- name: MONGODB_URI
value: mongodb://mongo
# Make sure MongoDB instances run on storage{1..3} nodes, as close
# as possible to Longhorn instances
tolerations:
- key: dedicated
operator: Equal
value: storage
effect: NoSchedule
nodeSelector:
dedicated: storage
volumes:
- name: tmp
emptyDir: {}
volumeClaimTemplates:
- metadata:
name: mongo-data
spec:
storageClassName: longhorn
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: Service
metadata:
name: mongo-exporter
annotations:
prometheus.io/scrape: 'true'
spec:
ports:
- protocol: TCP
port: 9216
selector:
app: mongo
---
apiVersion: batch/v1
kind: Job
metadata:
name: mongo-rs0-init
spec:
template:
spec:
containers:
- name: mongo-rs0-init
image: mirror.gcr.io/library/mongo
command: ["mongo", "--eval", "rs.initiate();", "mongodb://mongo-0.mongo"]
restartPolicy: OnFailure
backoffLimit: 4


@@ -1,47 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: mongoexpress
spec:
revisionHistoryLimit: 0
replicas: 1
selector:
matchLabels:
app: mongoexpress
template:
metadata:
labels:
app: mongoexpress
spec:
containers:
- name: mongoexpress
image: mirror.gcr.io/library/mongo-express
ports:
- name: mongoexpress
containerPort: 8081
env:
- name: ME_CONFIG_MONGODB_URL
valueFrom:
secretKeyRef:
name: mongodb-application-readwrite
key: connectionString.standard
- name: ME_CONFIG_MONGODB_ENABLE_ADMIN
value: 'false'
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: mongoexpress
spec:
podSelector:
matchLabels:
app: mongoexpress
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
app: mongodb-svc
ports:
- port: 27017


@@ -1,90 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubedns
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubeprobe
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 10.244.0.1/32
- from:
- ipBlock:
cidr: 10.244.1.1/32
- from:
- ipBlock:
cidr: 10.244.2.1/32
- from:
- ipBlock:
cidr: 10.244.9.1/32
- from:
- ipBlock:
cidr: 10.244.4.1/32
- from:
- ipBlock:
cidr: 10.244.3.1/32
- from:
- ipBlock:
cidr: 10.244.5.1/32
- from:
- ipBlock:
cidr: 10.244.7.1/32
- from:
- ipBlock:
cidr: 10.244.11.1/32
- from:
- ipBlock:
cidr: 10.244.12.1/32
- from:
- ipBlock:
cidr: 10.244.6.1/32
- from:
- ipBlock:
cidr: 10.244.10.1/32
- from:
- ipBlock:
cidr: 10.244.8.1/32
- from:
- ipBlock:
cidr: 10.244.13.1/32
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubeapi
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- ports:
- port: 6443
to:
- ipBlock:
cidr: 172.21.3.51/32
- ipBlock:
cidr: 172.21.3.52/32
- ipBlock:
cidr: 172.21.3.53/32