From 9be8fc3a95407e1020814ee95f9e9f4eb6f70897 Mon Sep 17 00:00:00 2001
From: rasmus
Date: Fri, 8 Aug 2025 03:03:49 +0300
Subject: [PATCH] mongodb is all external
---
 hackerspace/mongodb-support.yml | 1 -
 mongodb-operator/README.md | 29 ++----
 mongodb-operator/mongodb-netpol.yml | 25 ++++++
 mongodb-operator/mongodb-support.yml | 126 ---------------------------
 wildduck/mongodb-support.yml | 1 -
 wildduck/mongodb.yaml | 83 ------------------
 6 files changed, 32 insertions(+), 233 deletions(-)
 delete mode 120000 hackerspace/mongodb-support.yml
 create mode 100644 mongodb-operator/mongodb-netpol.yml
 delete mode 100644 mongodb-operator/mongodb-support.yml
 delete mode 120000 wildduck/mongodb-support.yml
 delete mode 100644 wildduck/mongodb.yaml
diff --git a/hackerspace/mongodb-support.yml b/hackerspace/mongodb-support.yml
deleted file mode 120000
index e834dd2..0000000
--- a/hackerspace/mongodb-support.yml
+++ /dev/null
@@ -1 +0,0 @@
-../mongodb-operator/mongodb-support.yml
\ No newline at end of file
diff --git a/mongodb-operator/README.md b/mongodb-operator/README.md
index 8bfa4fd..afa598f 100644
--- a/mongodb-operator/README.md
+++ b/mongodb-operator/README.md
@@ -8,29 +8,14 @@ With ArgoCD. Render it locally:
 kustomize build . --enable-helm
 ```
-
-To update RBAC rules:
-
-```
-curl https://raw.githubusercontent.com/mongodb/mongodb-kubernetes-operator/master/config/rbac/role.yaml > mongodb-support.yml
-echo "---" >> mongodb-support.yml
-curl https://raw.githubusercontent.com/mongodb/mongodb-kubernetes-operator/master/config/rbac/role_binding.yaml >> mongodb-support.yml
-echo "---" >> mongodb-support.yml
-curl https://raw.githubusercontent.com/mongodb/mongodb-kubernetes-operator/master/config/rbac/role_binding_database.yaml >> mongodb-support.yml
-echo "---" >> mongodb-support.yml
-curl https://raw.githubusercontent.com/mongodb/mongodb-kubernetes-operator/master/config/rbac/role_database.yaml >> mongodb-support.yml
-echo "---" >> mongodb-support.yml
-curl https://raw.githubusercontent.com/mongodb/mongodb-kubernetes-operator/master/config/rbac/service_account.yaml >> mongodb-support.yml
-echo "---" >> mongodb-support.yml
-curl https://raw.githubusercontent.com/mongodb/mongodb-kubernetes-operator/master/config/rbac/service_account_database.yaml >> mongodb-support.yml
-```
-
 # Instantiating databases
-
-For each application:
+For each application include mongodb-netpol.yaml and kustomization in resources:
+```yaml
+resources:
+ - https://git.k-space.ee/k-space/kube//mongodb-operator/mongodb-netpol.yaml
+ - https://github.com/mongodb/mongodb-kubernetes-operator//config/rbac/?ref=v0.13.0
+```
 ```
-ln -s ../mongodb/mongo-support.yml
-kubectl apply -f mongo-support.yml
-kubectl create secret generic -n default mongodb-application-user-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
+kubectl create secret generic -n mongodb-application-user-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
 ```
diff --git a/mongodb-operator/mongodb-netpol.yml b/mongodb-operator/mongodb-netpol.yml
new file mode 100644
index 0000000..bb8d131
--- /dev/null
+++ b/mongodb-operator/mongodb-netpol.yml
@@ -0,0 +1,25 @@
+# Allow any pod in this namespace to connect to MongoDB and
+# allow cluster members to talk to eachother
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: mongodb-operator
+spec:
+ podSelector:
+ matchLabels:
+ app: mongodb-svc
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - podSelector: {}
+ ports:
+ - port: 27017
+ egress:
+ - to:
+ - podSelector:
+ matchLabels:
+ app: mongodb-svc
+ ports:
+ - port: 27017
diff --git a/mongodb-operator/mongodb-support.yml b/mongodb-operator/mongodb-support.yml
deleted file mode 100644
index bc7526b..0000000
--- a/mongodb-operator/mongodb-support.yml
+++ /dev/null
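Review bot: The egress block at the end of the new NetworkPolicy only permits traffic to `app: mongodb-svc` pods on 27017, and because `Egress` is listed in `policyTypes` the selected pods lose DNS resolution unless another policy in the namespace grants it; replica set members address each other by service hostname, so the set is unlikely to converge. A second egress rule towards the cluster DNS pods (sketched below) keeps the stated intent of the header comment while letting members resolve one another. The `podSelector` label is also worth confirming: the deleted `wildduck/mongodb.yaml` selected its members with `app: wildduck-mongodb-svc`, which suggests the operator derives the label from the resource name, so a policy hard-coded to `app: mongodb-svc` would match nothing (and therefore restrict nothing) for any database not named `mongodb`. Finally, the file is created as `mongodb-netpol.yml` while the README in this commit references `mongodb-netpol.yaml` in the kustomize resources URL, so that reference will not resolve as written (the same README's `kubectl create secret generic -n mongodb-application-user-password …` line also lost its secret name to the `-n` flag).
```yaml
# … unchanged: apiVersion, kind, metadata, podSelector, policyTypes, ingress …
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: mongodb-svc
      ports:
        - port: 27017
    # cluster DNS; adjust the namespace/label selector to where CoreDNS runs in this cluster
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```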
@@ -1,126 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: mongodb-kubernetes-operator -rules: -- apiGroups: - - "" - resources: - - pods - - services - - configmaps - - secrets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - apps - resources: - - statefulsets - verbs: - - create - - delete - - get - - list - - patch - - update - - watch -- apiGroups: - - mongodbcommunity.mongodb.com - resources: - - mongodbcommunity - - mongodbcommunity/status - - mongodbcommunity/spec - - mongodbcommunity/finalizers - verbs: - - get - - patch - - list - - update - - watch ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mongodb-kubernetes-operator -subjects: -- kind: ServiceAccount - name: mongodb-kubernetes-operator -roleRef: - kind: Role - name: mongodb-kubernetes-operator - apiGroup: rbac.authorization.k8s.io ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mongodb-database -subjects: -- kind: ServiceAccount - name: mongodb-database -roleRef: - kind: Role - name: mongodb-database - apiGroup: rbac.authorization.k8s.io ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: mongodb-database -rules: - - apiGroups: - - "" - resources: - - secrets - verbs: - - get - - apiGroups: - - "" - resources: - - pods - verbs: - - patch - - delete - - get ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: mongodb-kubernetes-operator ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: mongodb-database ---- -# Allow any pod in this namespace to connect to MongoDB and -# allow cluster members to talk to eachother -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: mongodb-operator -spec: - podSelector: - matchLabels: - app: mongodb-svc - policyTypes: - - Ingress - - Egress - ingress: - - from: - - podSelector: {} - ports: - - port: 27017 - egress: - - to: - - podSelector: - 
matchLabels: - app: mongodb-svc - ports: - - port: 27017 diff --git a/wildduck/mongodb-support.yml b/wildduck/mongodb-support.yml deleted file mode 120000 index e834dd2..0000000 --- a/wildduck/mongodb-support.yml +++ /dev/null @@ -1 +0,0 @@ -../mongodb-operator/mongodb-support.yml \ No newline at end of file diff --git a/wildduck/mongodb.yaml b/wildduck/mongodb.yaml deleted file mode 100644 index 44a0fa3..0000000 --- a/wildduck/mongodb.yaml +++ /dev/null @@ -1,83 +0,0 @@ ---- -apiVersion: codemowers.cloud/v1beta1 -kind: SecretClaim -metadata: - name: wildduck-readwrite-password - namespace: wildduck -spec: - mapping: - - key: password - value: "%(plaintext)s" ---- -apiVersion: mongodbcommunity.mongodb.com/v1 -kind: MongoDBCommunity -metadata: - name: wildduck-mongodb - namespace: wildduck -spec: - agent: - logFile: /dev/stdout - members: 2 - arbiters: 1 - type: ReplicaSet - version: "7.0.12" - security: - authentication: - modes: - - SCRAM - users: - - name: readwrite - db: wildduck - passwordSecretRef: - name: wildduck-readwrite-password - roles: - - name: readWrite - db: wildduck - scramCredentialsSecretName: wildduck-readwrite - statefulSet: - spec: - template: - spec: - containers: - - name: mongod - resources: - requests: - cpu: 100m - memory: 1Gi - limits: - cpu: 4000m - memory: 1Gi - - name: mongodb-agent - resources: - requests: - cpu: 1m - memory: 100Mi - limits: - cpu: 1000m - memory: 1Gi - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - app: wildduck-mongodb-svc - volumeClaimTemplates: - - metadata: - name: data-volume - spec: - storageClassName: mongo - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 5Gi - - metadata: - name: logs-volume - spec: - storageClassName: "null" - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 1000Mi