
9ef252c8ec hackerspace kustomize
+ move static env to dockerfile
+ doorboy-direct refactor
2025-08-14 01:19:43 +03:00
49 changed files with 746 additions and 1335 deletions


@@ -5,8 +5,8 @@ metadata:
namespace: freeswitch namespace: freeswitch
annotations: annotations:
external-dns.alpha.kubernetes.io/hostname: freeswitch.k-space.ee external-dns.alpha.kubernetes.io/hostname: freeswitch.k-space.ee
metallb.io/address-pool: eenet metallb.universe.tf/address-pool: eenet
metallb.io/ip-allocated-from-pool: eenet metallb.universe.tf/ip-allocated-from-pool: eenet
spec: spec:
ports: ports:
- name: sip-internal-udp - name: sip-internal-udp
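Review bot: The two MetalLB annotations move from the `metallb.io/` prefix back to `metallb.universe.tf/`, the older prefix that current MetalLB releases keep only for backward compatibility. Taken together with the same reversion on both filebeat-syslog Services, the gitea image going from `1.25.0-rootless` to `1.24.3-rootless`, and the kube-system resource names returning to `.yml`, this looks like the branch is behind its base rather than an intentional change. If so, rebasing should make these hunks disappear; if the reversion is deliberate, a comment naming the MetalLB version the cluster runs would save the next reader the same question.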


@@ -1,20 +0,0 @@
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: rotmower
namespace: argocd
spec:
project: k-space.ee
source:
repoURL: 'git@git.k-space.ee:k-space/kube.git'
path: rotmower
targetRevision: HEAD
destination:
server: 'https://kubernetes.default.svc'
namespace: rotmower
syncPolicy:
automated:
prune: true
syncOptions:
- CreateNamespace=true


@@ -1,20 +0,0 @@
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: unifi
namespace: argocd
spec:
project: k-space.ee
source:
repoURL: 'git@git.k-space.ee:k-space/kube.git'
path: unifi
targetRevision: HEAD
destination:
server: 'https://kubernetes.default.svc'
namespace: unifi
syncPolicy:
automated:
prune: true
syncOptions:
- CreateNamespace=true


@@ -146,7 +146,7 @@ metadata:
name: filebeat-syslog-udp name: filebeat-syslog-udp
annotations: annotations:
external-dns.alpha.kubernetes.io/hostname: syslog.k-space.ee external-dns.alpha.kubernetes.io/hostname: syslog.k-space.ee
metallb.io/allow-shared-ip: syslog.k-space.ee metallb.universe.tf/allow-shared-ip: syslog.k-space.ee
spec: spec:
type: LoadBalancer type: LoadBalancer
externalTrafficPolicy: Local externalTrafficPolicy: Local
@@ -165,7 +165,7 @@ metadata:
name: filebeat-syslog-tcp name: filebeat-syslog-tcp
annotations: annotations:
external-dns.alpha.kubernetes.io/hostname: syslog.k-space.ee external-dns.alpha.kubernetes.io/hostname: syslog.k-space.ee
metallb.io/allow-shared-ip: syslog.k-space.ee metallb.universe.tf/allow-shared-ip: syslog.k-space.ee
spec: spec:
type: LoadBalancer type: LoadBalancer
externalTrafficPolicy: Local externalTrafficPolicy: Local


@@ -25,7 +25,6 @@ spec:
uri: https://freescout.k-space.ee uri: https://freescout.k-space.ee
redirectUris: redirectUris:
- https://freescout.k-space.ee/oauth_callback - https://freescout.k-space.ee/oauth_callback
- https://freescout.k-space.ee/oauth-login/callback/mlz500opr
allowedGroups: allowedGroups:
- k-space:floor - k-space:floor
grantTypes: grantTypes:
@@ -86,14 +85,14 @@ spec:
- /bin/bash - /bin/bash
- '-c' - '-c'
- >- - >-
mysql -u freescout freescout -h mariadb mysql -u kspace_freescout kspace_freescout -h mariadb.infra.k-space.ee
-p${MYSQL_PWD} < /tmp/update.sql -p${MYSQL_PWD} < /tmp/update.sql
env: env:
- name: MYSQL_PWD - name: MYSQL_PWD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: mariadb-secrets name: freescout-secrets
key: MYSQL_PASSWORD key: DB_PASS
resources: {} resources: {}
volumeMounts: volumeMounts:
- name: tmp - name: tmp
@@ -141,7 +140,7 @@ spec:
ports: ports:
- protocol: TCP - protocol: TCP
port: 80 port: 80
targetPort: 80 targetPort: 8080
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
@@ -163,57 +162,118 @@ spec:
spec: spec:
containers: containers:
- name: freescout - name: freescout
image: ghcr.io/tiredofit/docker-freescout:php8.3-1.17.135 image: harbor.k-space.ee/k-space/freescout
ports: ports:
- containerPort: 80 - containerPort: 8080
env: env:
- name: DISPLAY_ERRORS - name: DISPLAY_ERRORS
value: 'false' value: 'true'
- name: APP_DEBUG
value: 'false'
- name: SITE_URL - name: SITE_URL
value: 'https://freescout.k-space.ee' value: 'https://freescout.k-space.ee'
- name: APP_URL - name: APP_URL
value: 'https://freescout.k-space.ee' value: 'https://freescout.k-space.ee'
- name: DB_HOST - name: DB_HOST
value: mariadb value: mariadb.infra.k-space.ee
- name: DB_PORT - name: DB_PORT
value: "3306" value: "3306"
- name: DB_NAME - name: DB_DATABASE
value: freescout value: kspace_freescout
- name: DB_USER - name: DB_USERNAME
value: freescout value: kspace_freescout
- name: ADMIN_EMAIL
value: lauri@k-space.ee
- name: ADMIN_PASS
value: Salakala1!
- name: TIMEZONE - name: TIMEZONE
value: Europe/Tallinn value: Europe/Tallinn
- name: DB_PASS - name: FREESCOUT_ATTACHMENTS_DRIVER
value: s3
- name: DB_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: mariadb-secrets name: freescout-secrets
key: MYSQL_PASSWORD key: DB_PASS
volumeMounts: - name: AWS_USE_PATH_STYLE_ENDPOINT
- name: freescout-attachments value: "true"
mountPath: /www/html/storage/app/attachment - name: AWS_BUCKET
subPath: attachment valueFrom:
- name: freescout-attachments secretKeyRef:
mountPath: /www/html/Modules name: miniobucket-attachments-owner-secrets
subPath: Modules key: BUCKET_NAME
volumes: - name: APP_KEY
- name: freescout-attachments valueFrom:
persistentVolumeClaim: secretKeyRef:
claimName: freescout-attachments name: freescout-app
key: APP_KEY
envFrom:
- secretRef:
name: miniobucket-attachments-owner-secrets
--- ---
apiVersion: v1 apiVersion: batch/v1
kind: PersistentVolumeClaim kind: CronJob
metadata: metadata:
name: freescout-attachments name: freescout-cron
namespace: freescout namespace: freescout
spec: spec:
storageClassName: ceph-rbd schedule: "0,30 * * * *" # Should be every minute in theory, keeps hanging
accessModes: jobTemplate:
- ReadWriteOnce spec:
resources: activeDeadlineSeconds: 1800 # this is unholy https://github.com/freescout-helpdesk/freescout/blob/dist/app/Console/Kernel.php
requests: ttlSecondsAfterFinished: 100
storage: 10Gi template:
spec:
containers:
- name: freescout-cron
image: harbor.k-space.ee/k-space/freescout
imagePullPolicy: Always
command:
- php
- artisan
- schedule:run
env:
- name: DISPLAY_ERRORS
value: 'true'
- name: SITE_URL
value: 'https://freescout.k-space.ee'
- name: APP_URL
value: 'https://freescout.k-space.ee'
- name: DB_HOST
value: mariadb.infra.k-space.ee
- name: DB_PORT
value: "3306"
- name: DB_DATABASE
value: kspace_freescout
- name: DB_USERNAME
value: kspace_freescout
- name: ADMIN_EMAIL
value: lauri@k-space.ee
- name: ADMIN_PASS
value: Salakala1!
- name: TIMEZONE
value: Europe/Tallinn
- name: FREESCOUT_ATTACHMENTS_DRIVER
value: s3
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: freescout-secrets
key: DB_PASS
- name: AWS_USE_PATH_STYLE_ENDPOINT
value: "true"
- name: AWS_BUCKET
valueFrom:
secretKeyRef:
name: miniobucket-attachments-owner-secrets
key: BUCKET_NAME
- name: APP_KEY
valueFrom:
secretKeyRef:
name: freescout-app
key: APP_KEY
envFrom:
- secretRef:
name: miniobucket-attachments-owner-secrets
restartPolicy: Never
--- ---
apiVersion: codemowers.cloud/v1beta1 apiVersion: codemowers.cloud/v1beta1
kind: MinioBucketClaim kind: MinioBucketClaim
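Review bot: `ADMIN_PASS` is set to a literal password in both the Deployment env list and the new CronJob env list, so the admin credential is now committed to git history in clear text; it should come from `freescout-secrets` the way `DB_PASSWORD` does, e.g. `valueFrom: {secretKeyRef: {name: freescout-secrets, key: ADMIN_PASS}}`, and the value already in the history should be rotated. `DISPLAY_ERRORS` also flips from `'false'` to `'true'`, which surfaces PHP errors with paths and stack traces to anyone hitting the site; if that is a debugging aid it should not ship in the production Deployment. The update Job's `-p${MYSQL_PWD}` is redundant because `MYSQL_PWD` is already exported in the container env and the mysql client reads it, and the `-p` form puts the password in the process table — the gitea update Job has the same pattern. The CronJob repeats the Deployment's whole env block; moving the shared entries into a ConfigMap consumed via `envFrom` would keep the two from drifting.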


@@ -1,99 +0,0 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mariadb
spec:
revisionHistoryLimit: 0
serviceName: mariadb
selector:
matchLabels:
app: mariadb
replicas: 1
template:
metadata:
labels:
app: mariadb
annotations:
prometheus.io/port: '9104'
prometheus.io/scrape: 'true'
spec:
containers:
- name: exporter
image: mirror.gcr.io/prom/mysqld-exporter:latest
args:
- --mysqld.username
- exporter
- name: mariadb
image: mirror.gcr.io/library/mariadb:12.1
imagePullPolicy: Always
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-secrets
key: MYSQL_ROOT_PASSWORD
- name: MYSQL_USER
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MYSQL_DATABASE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-secrets
key: MYSQL_PASSWORD
volumeMounts:
- name: mariadb-data
mountPath: /var/lib/mysql
- name: mariadb-init
mountPath: /docker-entrypoint-initdb.d
volumes:
- name: mariadb-init
configMap:
name: mariadb-init-config
volumeClaimTemplates:
- metadata:
name: mariadb-data
spec:
storageClassName: ceph-rbd
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
---
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
name: mariadb-secrets
spec:
size: 32
mapping:
- key: MYSQL_ROOT_PASSWORD
value: "%(plaintext)s"
- key: MYSQL_PASSWORD
value: "%(plaintext)s"
---
apiVersion: v1
kind: Service
metadata:
name: mariadb
spec:
ports:
- protocol: TCP
port: 3306
selector:
app: mariadb
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mariadb-init-config
data:
initdb.sql: |
CREATE USER 'exporter'@'127.0.0.1' WITH MAX_USER_CONNECTIONS 3;
GRANT PROCESS, REPLICATION CLIENT, SLAVE MONITOR, SELECT ON *.* TO 'exporter'@'127.0.0.1';


@@ -14,7 +14,3 @@ kustomize build . --enable-helm
- Amcrest 5MP Turret PoE Outdoor IP Camera with Mic/Audio, 98ft NightVision, 132° FOV, MicroSD (256GB) IP5M-T1179EW-AI-V3 white - Amcrest 5MP Turret PoE Outdoor IP Camera with Mic/Audio, 98ft NightVision, 132° FOV, MicroSD (256GB) IP5M-T1179EW-AI-V3 white
Cameras are enumerated (with credentials) in secretspace. Cameras are enumerated (with credentials) in secretspace.
## Coral setup
1. Map USB to VM (#TODO: blog post coming up for exact steps)
2. `k label no worker91.kube.k-space.ee coral.ai/tpu=Exists`


@@ -16,4 +16,5 @@ resources:
- ssh://git@git.k-space.ee/secretspace/kube/frigate # secrets (.env): go2rtc-config, frigate-mqtt-secret, frigate-rtsp-secret - ssh://git@git.k-space.ee/secretspace/kube/frigate # secrets (.env): go2rtc-config, frigate-mqtt-secret, frigate-rtsp-secret
- ./auth.yml - ./auth.yml
- ./rabbitmq.yml - ./rabbitmq.yml
- ./storage.yml
- ./transcode.yml - ./transcode.yml

32
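--- a/frigate/storage.yml
+++ b/frigate/storage.yml
@@ -0,0 +1,32 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+name: frigate-storage
+spec:
+persistentVolumeReclaimPolicy: Retain
+capacity:
+storage: 1Ti
+accessModes:
+- ReadWriteMany
+storageClassName: ""
+nfs:
+server: 172.21.0.7
+path: /nas/k6/frigate
+mountOptions:
+- vers=4
+- minorversion=1
+- noac
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: frigate-storage
+spec:
+volumeName: frigate-storage
+storageClassName: ""
+accessModes:
+- ReadWriteMany
+resources:
+requests:
+storage: 1Ti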
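Review bot: The PersistentVolume carries no `claimRef`, so the reservation is one-sided: the PVC pins itself via `volumeName`, but any other PVC with `storageClassName: ""`, `ReadWriteMany` and a request of 1Ti or less could be bound to this NFS export first. Adding `claimRef: {name: frigate-storage, namespace: <frigate namespace>}` under the PV spec makes the pairing explicit in both directions. The mount options `vers=4` plus `minorversion=1` can be written as the single option `vers=4.1`, and `noac` disables client-side attribute caching, which is a heavy cost for a recording workload — if it is there on purpose, a one-line comment saying why would help.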


@@ -29,6 +29,13 @@ spec:
values: values:
- go2rtc - go2rtc
topologyKey: "kubernetes.io/hostname" topologyKey: "kubernetes.io/hostname"
nodeSelector:
dedicated: nvr
tolerations:
- key: dedicated
operator: Equal
value: nvr
effect: NoSchedule
containers: containers:
- name: go2rtc - name: go2rtc
image: alexxit/go2rtc image: alexxit/go2rtc
@@ -43,9 +50,9 @@ spec:
- mountPath: /config/go2rtc.yaml - mountPath: /config/go2rtc.yaml
subPath: config.yml subPath: config.yml
name: config name: config
# resources: resources:
# limits: limits:
# nvidia.com/gpu: 1 nvidia.com/gpu: 1
volumes: volumes:
- name: config - name: config
secret: secret:


@@ -125,16 +125,24 @@ ingress:
- "*.k-space.ee" - "*.k-space.ee"
persistence: persistence:
config:
# WIP :)
enabled: false
storageClass: "null"
accessMode: ReadWriteOnce
size: 1000Mi
skipuninstall: false
media: media:
enabled: true enabled: true
storageClass: "hdd-ceph" existingClaim: "frigate-storage"
size: 1Ti skipuninstall: true
# Force application to run on nvr node # Force application to run on nvr node
nodeSelector: nodeSelector:
coral.ai/tpu: Exists dedicated: nvr
tolerations: tolerations:
- key: coral.ai/tpu - key: dedicated
operator: Equal operator: Equal
value: Exists value: nvr
effect: NoSchedule effect: NoSchedule
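Review bot: In the new `persistence.config` stanza, `storageClass: "null"` is the four-character string `null`, not an absent value; the stanza is inert today because `enabled: false`, but the moment someone flips it on the chart will request a StorageClass literally named `null`. Write `storageClass: ""` for the default class, or drop the WIP block until it is ready.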


@@ -92,12 +92,12 @@ spec:
- name: MYSQL_PWD - name: MYSQL_PWD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: mariadb-secrets name: gitea-secrets
key: MYSQL_PASSWORD key: GITEA__DATABASE__PASSWD
command: command:
- /bin/bash - /bin/bash
- -c - -c
- mysql -u gitea gitea -h mariadb -p${MYSQL_PWD} < /tmp/update.sql - mysql -u kspace_git kspace_git -h mariadb.infra.k-space.ee -p${MYSQL_PWD} < /tmp/update.sql
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
@@ -125,8 +125,7 @@ spec:
runAsNonRoot: true runAsNonRoot: true
containers: containers:
- name: gitea - name: gitea
# https://github.com/go-gitea/gitea/releases image: docker.gitea.com/gitea:1.24.3-rootless
image: docker.gitea.com/gitea:1.25.0-rootless
imagePullPolicy: IfNotPresent imagePullPolicy: IfNotPresent
securityContext: securityContext:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
@@ -164,11 +163,11 @@ spec:
- name: GITEA__DATABASE__DB_TYPE - name: GITEA__DATABASE__DB_TYPE
value: mysql value: mysql
- name: GITEA__DATABASE__HOST - name: GITEA__DATABASE__HOST
value: mariadb:3306 value: mariadb.infra.k-space.ee:3306
- name: GITEA__DATABASE__NAME - name: GITEA__DATABASE__NAME
value: gitea value: kspace_git
- name: GITEA__DATABASE__USER - name: GITEA__DATABASE__USER
value: gitea value: kspace_git
- name: GITEA__DATABASE__SSL_MODE - name: GITEA__DATABASE__SSL_MODE
value: disable value: disable
- name: GITEA__DATABASE__LOG_SQL - name: GITEA__DATABASE__LOG_SQL
@@ -209,8 +208,8 @@ spec:
- name: GITEA__DATABASE__PASSWD - name: GITEA__DATABASE__PASSWD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: mariadb-secrets name: gitea-secrets
key: MYSQL_PASSWORD key: GITEA__DATABASE__PASSWD
- name: GITEA__MAILER__PASSWD - name: GITEA__MAILER__PASSWD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
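Review bot: With `GITEA__DATABASE__HOST` now pointing at `mariadb.infra.k-space.ee:3306` instead of the in-namespace `mariadb` Service, the unchanged `GITEA__DATABASE__SSL_MODE: disable` a few lines below means the database password and all query traffic leave the cluster in clear text. If that hop crosses anything other than a trusted segment, an SSL mode that enforces TLS is the right setting now that the database is remote; if the network is trusted, a comment on that line saying so would stop the question from coming up again.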


@@ -1,99 +0,0 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mariadb
spec:
revisionHistoryLimit: 0
serviceName: mariadb
selector:
matchLabels:
app: mariadb
replicas: 1
template:
metadata:
labels:
app: mariadb
annotations:
prometheus.io/port: '9104'
prometheus.io/scrape: 'true'
spec:
containers:
- name: exporter
image: mirror.gcr.io/prom/mysqld-exporter:latest
args:
- --mysqld.username
- exporter
- name: mariadb
image: mirror.gcr.io/library/mariadb:12.1
imagePullPolicy: Always
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-secrets
key: MYSQL_ROOT_PASSWORD
- name: MYSQL_USER
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MYSQL_DATABASE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-secrets
key: MYSQL_PASSWORD
volumeMounts:
- name: mariadb-data
mountPath: /var/lib/mysql
- name: mariadb-init
mountPath: /docker-entrypoint-initdb.d
volumes:
- name: mariadb-init
configMap:
name: mariadb-init-config
volumeClaimTemplates:
- metadata:
name: mariadb-data
spec:
storageClassName: ceph-rbd
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
---
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
name: mariadb-secrets
spec:
size: 32
mapping:
- key: MYSQL_ROOT_PASSWORD
value: "%(plaintext)s"
- key: MYSQL_PASSWORD
value: "%(plaintext)s"
---
apiVersion: v1
kind: Service
metadata:
name: mariadb
spec:
ports:
- protocol: TCP
port: 3306
selector:
app: mariadb
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mariadb-init-config
data:
initdb.sql: |
CREATE USER 'exporter'@'127.0.0.1' WITH MAX_USER_CONNECTIONS 3;
GRANT PROCESS, REPLICATION CLIENT, SLAVE MONITOR, SELECT ON *.* TO 'exporter'@'127.0.0.1';


@@ -1,8 +1,20 @@
## inventory.k-space.ee ## hackerspace / inventory
Reads-writes to mongo.
<!-- Referenced/linked by https://wiki.k-space.ee/en/hosting/doors --> <!-- Referenced/linked by https://wiki.k-space.ee/en/hosting/doors -->
A component of inventory is 'doorboy' (https://wiki.k-space.ee/en/hosting/doors)
## k6.ee ## [doorboy-proxy](https://github.com/k-space/doorboy-proxy)
- Dispatches open events (from mongodb) to door controllers.
- Handles Slack open events (to mongodb).
- Forwards logs from door controllers to mongodb.
- Broadcasts mongodb logs to Slack.
See also:
- inventory-app door components
- https://wiki.k-space.ee/en/hosting/doors
## [inventory-app](https://github.com/k-space/inventory-app) (inventory.k-space.ee)
- Inventory
- Manages door keycards.
- Forwards door opens from website to mongodb (what are picked up by doorboy-proxy).
## [goredirect](https://github.com/k-space/goredirect) (k6.ee)
Reads from mongo, HTTP redirect to //inventory.k-space.ee/m/inventory/{uuid}/view Reads from mongo, HTTP redirect to //inventory.k-space.ee/m/inventory/{uuid}/view


@@ -26,6 +26,7 @@ spec:
- doorboy-proxy - doorboy-proxy
topologyKey: topology.kubernetes.io/zone topologyKey: topology.kubernetes.io/zone
weight: 100 weight: 100
serviceAccountName: inventory-svcacc
containers: containers:
- name: doorboy-proxy - name: doorboy-proxy
image: harbor.k-space.ee/k-space/doorboy-proxy:latest image: harbor.k-space.ee/k-space/doorboy-proxy:latest
@@ -33,21 +34,14 @@ spec:
- secretRef: - secretRef:
name: inventory-mongodb name: inventory-mongodb
- secretRef: - secretRef:
name: doorboy-api name: doorboy-godoor
- secretRef:
name: doorboy-slack
env: env:
- name: FLOOR_ACCESS_GROUP - name: OIDC_USERS_NAMESPACE
value: 'k-space:floor' value: passmower
- name: WORKSHOP_ACCESS_GROUP - name: SLACK_CHANNEL_ID
value: 'k-space:workshop' value: CDL9H8Q9W
- name: CARD_URI
value: 'https://inventory.k-space.ee/cards'
- name: SWIPE_URI
value: 'https://inventory.k-space.ee/m/doorboy/swipe'
- name: INVENTORY_API_KEY
valueFrom:
secretKeyRef:
name: inventory-api-key
key: INVENTORY_API_KEY
securityContext: securityContext:
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsNonRoot: true runAsNonRoot: true
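Review bot: `serviceAccountName: inventory-svcacc` gives doorboy-proxy the same ClusterRole as inventory-app (cluster-wide get/list/watch on `oidcusers`), so both workloads now act as one identity in RBAC and in the audit log. If doorboy-proxy only needs to read `OIDCUser` objects in the `passmower` namespace named by `OIDC_USERS_NAMESPACE`, a dedicated ServiceAccount with a namespaced Role/RoleBinding there is the smaller grant. `SLACK_CHANNEL_ID` is fine as a plain value, but a one-line comment stating what the channel is used for would document it alongside the other env entries.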


@@ -1,37 +1,24 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: members-inventory-redirect
spec:
redirectRegex:
regex: ^https://members.k-space.ee/(.*)
replacement: https://inventory.k-space.ee/${1}
permanent: false
--- ---
# Creates a dummy/stub in auth.k-space.ee user-facing service listing (otherwise only inventory.k-space.ee is listed).
apiVersion: codemowers.cloud/v1beta1 apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient kind: OIDCClient
metadata: metadata:
name: doorboy name: inventory-app
spec: spec:
displayName: Doorboy uri: 'https://inventory.k-space.ee'
uri: 'https://inventory.k-space.ee/m/doorboy' redirectUris:
--- - 'https://inventory.k-space.ee/login-callback'
apiVersion: traefik.io/v1alpha1 grantTypes:
kind: IngressRoute - 'authorization_code'
metadata: - 'refresh_token'
name: members-inventory responseTypes:
spec: - 'code'
entryPoints: availableScopes:
- websecure - 'openid'
routes: - 'profile'
- match: Host(`members.k-space.ee`) - 'groups'
kind: Rule - 'offline_access'
middlewares: tokenEndpointAuthMethod: 'client_secret_basic'
- name: members-inventory-redirect pkce: false
services:
- kind: TraefikService
name: api@internal
--- ---
apiVersion: codemowers.cloud/v1beta1 apiVersion: codemowers.cloud/v1beta1
kind: MinioBucketClaim kind: MinioBucketClaim


@@ -0,0 +1,35 @@
---
# Creates a dummy/stub in auth.k-space.ee user-facing service listing (otherwise only inventory.k-space.ee is listed).
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: doorboy
spec:
displayName: Doorboy
uri: 'https://inventory.k-space.ee/m/doorboy'
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: members-inventory-redirect
spec:
redirectRegex:
regex: ^https://members.k-space.ee/(.*)
replacement: https://inventory.k-space.ee/${1}
permanent: false
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: members-inventory
spec:
entryPoints:
- websecure
routes:
- match: Host(`members.k-space.ee`)
kind: Rule
middlewares:
- name: members-inventory-redirect
services:
- kind: TraefikService
name: api@internal
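Review bot: The `members-inventory` route uses `api@internal` purely as a placeholder backend; the redirect middleware is the only thing between `members.k-space.ee` and Traefik's own API. Since the file was moved without comments, a line such as `# api@internal is a dummy backend: the redirectRegex middleware answers before it is reached` above the `services:` block would make the coupling obvious to whoever edits the middleware list next.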


@@ -20,36 +20,12 @@ spec:
- image: harbor.k-space.ee/k-space/inventory-app:latest - image: harbor.k-space.ee/k-space/inventory-app:latest
imagePullPolicy: Always imagePullPolicy: Always
env: env:
- name: ENVIRONMENT_TYPE
value: PROD
- name: PYTHONUNBUFFERED
value: "1"
- name: INVENTORY_ASSETS_BASE_URL - name: INVENTORY_ASSETS_BASE_URL
value: https://external.minio-clusters.k-space.ee/hackerspace-701d9303-0f27-4829-a2be-b1084021ad91/ value: https://external.minio-clusters.k-space.ee/hackerspace-701d9303-0f27-4829-a2be-b1084021ad91/
- name: MACADDRESS_OUTLINK_BASEURL - name: MACADDRESS_OUTLINK_BASEURL
value: https://grafana.k-space.ee/d/ddwyidbtbc16oa/ip-usage?orgId=1&from=now-2y&to=now&timezone=browser&var-Filters=mac%7C%3D%7C value: https://grafana.k-space.ee/d/ddwyidbtbc16oa/ip-usage?orgId=1&from=now-2y&to=now&timezone=browser&var-Filters=mac%7C%3D%7C
- name: OIDC_USERS_NAMESPACE - name: OIDC_USERS_NAMESPACE
value: passmower value: passmower
- name: SECRET_KEY
valueFrom:
secretKeyRef:
key: SECRET_KEY
name: inventory-secrets
- name: INVENTORY_API_KEY
valueFrom:
secretKeyRef:
key: INVENTORY_API_KEY
name: inventory-api-key
- name: SLACK_DOORLOG_CALLBACK
valueFrom:
secretKeyRef:
key: SLACK_DOORLOG_CALLBACK
name: slack-secrets
- name: SLACK_VERIFICATION_TOKEN
valueFrom:
secretKeyRef:
key: SLACK_VERIFICATION_TOKEN
name: slack-secrets
envFrom: envFrom:
- secretRef: - secretRef:
name: miniobucket-inventory-external-owner-secrets name: miniobucket-inventory-external-owner-secrets
@@ -122,59 +98,3 @@ spec:
tls: tls:
- hosts: - hosts:
- "*.k-space.ee" - "*.k-space.ee"
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCClient
metadata:
name: inventory-app
spec:
uri: 'https://inventory.k-space.ee'
redirectUris:
- 'https://inventory.k-space.ee/login-callback'
grantTypes:
- 'authorization_code'
- 'refresh_token'
responseTypes:
- 'code'
availableScopes:
- 'openid'
- 'profile'
- 'groups'
- 'offline_access'
tokenEndpointAuthMethod: 'client_secret_basic'
pkce: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: inventory-role
namespace: hackerspace
rules:
- verbs:
- get
- list
- watch
apiGroups:
- codemowers.cloud
resources:
- oidcusers
- oidcusers/status
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: inventory-roles
namespace: hackerspace
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: inventory-role
subjects:
- kind: ServiceAccount
name: inventory-svcacc
namespace: hackerspace
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: inventory-svcacc
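Review bot: `SECRET_KEY`, `INVENTORY_API_KEY` and the two Slack secrets are removed from the container env, and the commit message says static env moved into the Dockerfile; `SECRET_KEY` is presumably a signing secret rather than static configuration, so if it now lives in the image it is readable by anyone who can pull from harbor and cannot be rotated without a rebuild. If it instead arrives through the secretspace resources listed in the new kustomization, a comment naming that source at the `env:` block would spare the next reader the same question. As written, the manifest no longer shows where the key comes from.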


@@ -0,0 +1,13 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: hackerspace
resources:
- ssh://git@git.k-space.ee/secretspace/kube/hackerspace # secrets: inventory-mongodb, inventory-s3, doorboy-godoor, doorboy-slack
- ./doorboy.yaml
- ./svcacc.yaml
- ./inventory.yaml
- ./inventory-extras.yaml
- ./inventory-redirects.yaml
- ./goredirect.yaml

35
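--- a/hackerspace/svcacc.yaml
+++ b/hackerspace/svcacc.yaml
@@ -0,0 +1,35 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: inventory-role
+namespace: hackerspace
+rules:
+- verbs:
+- get
+- list
+- watch
+apiGroups:
+- codemowers.cloud
+resources:
+- oidcusers
+- oidcusers/status
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: inventory-roles
+namespace: hackerspace
+roleRef:
+apiGroup: rbac.authorization.k8s.io
+kind: ClusterRole
+name: inventory-role
+subjects:
+- kind: ServiceAccount
+name: inventory-svcacc
+namespace: hackerspace
+---
+# used by inventory and doorboy
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: inventory-svcacc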
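Review bot: `ClusterRole` and `ClusterRoleBinding` are cluster-scoped, so the `namespace: hackerspace` in their metadata has no effect and, depending on tooling, is either dropped silently or flagged; remove it from both. More substantively, the role grants get/list/watch on `oidcusers` in every namespace, while both consumers set `OIDC_USERS_NAMESPACE: passmower`; a `Role` plus `RoleBinding` in the `passmower` namespace bound to `hackerspace/inventory-svcacc` is the least-privilege equivalent. The `# used by inventory and doorboy` comment is useful — consider extending it to say why the two workloads share one identity.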


@@ -34,7 +34,7 @@ persistence:
jobservice: jobservice:
jobLog: jobLog:
existingClaim: "" existingClaim: ""
storageClass: "cephfs" storageClass: "longhorn"
subPath: "" subPath: ""
accessMode: ReadWriteMany accessMode: ReadWriteMany
size: 5Gi size: 5Gi
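Review bot: `jobLog` moves to `storageClass: "longhorn"` while keeping `accessMode: ReadWriteMany`; Longhorn serves RWX volumes through its share-manager NFS path, and the README added in this same change recommends a purpose-made class over the built-in `longhorn` one. Confirm RWX is enabled on the Longhorn install and consider pointing this at the project's own storage class rather than the default.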


@@ -4,7 +4,7 @@ kind: Kustomization
namespace: kube-system namespace: kube-system
resources: resources:
- ./descheduler.yaml - ./descheduler.yml
- ./kube-state-metrics.yaml - ./kube-state-metrics.yml
- ./metrics-server.yaml - ./metrics-server.yml
# - ./nvidia-device-plugin.yml - ./nvidia-device-plugin.yml

1
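--- a/longhorn-system/.gitignore
+++ b/longhorn-system/.gitignore
@@ -0,0 +1 @@
+longhorn.yaml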

41
longhorn-system/README.md Normal file

@@ -0,0 +1,41 @@
# Longhorn distributed block storage system
## For users
You should really avoid using Longhorn as it has over time
[proven to be unreliable system](https://www.reddit.com/r/kubernetes/comments/1cbggo8/longhorn_is_unreliable/).
Prefer using remote databases in your application via
the Kubernetes operator pattern.
Use Longhorn for applications that need persistent storage, but are unable
to provide replication in the application layer:
* Applications that insist writing into filesystem
* Applications that serve Git repositories (eg Gitea)
* Applications that check out Git repositories (eg Woodpecker, Drone and CI systems)
* Applications that need to use SQLite
Instead of using built-in `longhorn` storage class, please add new storage class
with suitable replication, data locality parameters and reclaim policy
[here](https://git.k-space.ee/k-space/kube/src/branch/master/storage-class.yaml)
Longhorn backups are made once per day and it's configured to be uploaded to
the Minio S3 bucket hosted at nas.k-space.ee
## For administrators
Longhorn was last upgraded with following snippet:
```
wget https://raw.githubusercontent.com/longhorn/longhorn/v1.8.2/deploy/longhorn.yaml
patch -p0 < changes.diff
kubectl -n longhorn-system apply -f longhorn.yaml -f application-extras.yml -f backup.yaml
```
After initial deployment `dedicated=storage:NoSchedule` was specified
for `Kubernetes Taint Toleration` under `Setting -> General` on
[Longhorn Dashboard](https://longhorn.k-space.ee/).
Suitable nodes were tagged with `storage` and Longhorn scheduling was disabled on others.
This is to prevent scheduling Longhorn data on arbitrary Kubernetes nodes as
`storage[1-4].kube.k-space.ee` nodes are the ones which have additional 200G volume mounted at `/mnt/persistent/`


@@ -0,0 +1,138 @@
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: ui
spec:
displayName: Longhorn
uri: 'https://longhorn.k-space.ee'
allowedGroups:
- k-space:kubernetes:admins
headerMapping:
email: Remote-Email
groups: Remote-Groups
name: Remote-Name
user: Remote-Username
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: longhorn-dashboard
namespace: longhorn-system
annotations:
kubernetes.io/ingress.class: traefik
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-ui@kubernetescrd
spec:
rules:
- host: longhorn.k-space.ee
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: longhorn-frontend
port:
number: 80
tls:
- hosts:
- "*.k-space.ee"
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: manager
spec:
selector: {}
podMetricsEndpoints:
- port: manager
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: longhorn
spec:
# Copied from https://longhorn.io/docs/1.2.4/monitoring/alert-rules-example/
groups:
- name: longhorn
rules:
- alert: LonghornVolumeActualSpaceUsedWarning
annotations:
description: The accumulated snapshots for volume use up more space than the volume's capacity
summary: The actual used space of Longhorn volume is twice the size of the volume capacity.
expr: longhorn_volume_actual_size_bytes > longhorn_volume_capacity_bytes * 2
for: 5m
labels:
issue: The actual used space of Longhorn volume {{$labels.volume}} on {{$labels.node}} is high.
severity: warning
- alert: LonghornVolumeStatusCritical
annotations:
description: Longhorn volume {{$labels.volume}} on {{$labels.node}} is Fault for
more than 2 minutes.
summary: Longhorn volume {{$labels.volume}} is Fault
expr: longhorn_volume_robustness == 3
for: 5m
labels:
issue: Longhorn volume {{$labels.volume}} is Fault.
severity: critical
- alert: LonghornVolumeStatusWarning
annotations:
description: Longhorn volume {{$labels.volume}} on {{$labels.node}} is Degraded for
more than 5 minutes.
summary: Longhorn volume {{$labels.volume}} is Degraded
expr: longhorn_volume_robustness == 2
for: 5m
labels:
issue: Longhorn volume {{$labels.volume}} is Degraded.
severity: warning
- alert: LonghornNodeStorageWarning
annotations:
description: The used storage of node {{$labels.node}} is at {{$value}}% capacity for
more than 5 minutes.
summary: The used storage of node is over 70% of the capacity.
expr: (longhorn_node_storage_usage_bytes / longhorn_node_storage_capacity_bytes) * 100 > 70
for: 5m
labels:
issue: The used storage of node {{$labels.node}} is high.
severity: warning
- alert: LonghornDiskStorageWarning
annotations:
description: The used storage of disk {{$labels.disk}} on node {{$labels.node}} is at {{$value}}% capacity for
more than 5 minutes.
summary: The used storage of disk is over 70% of the capacity.
expr: (longhorn_disk_usage_bytes / longhorn_disk_capacity_bytes) * 100 > 70
for: 5m
labels:
issue: The used storage of disk {{$labels.disk}} on node {{$labels.node}} is high.
severity: warning
- alert: LonghornNodeDown
annotations:
description: There are {{$value}} Longhorn nodes which have been offline for more than 5 minutes.
summary: Longhorn nodes is offline
expr: (avg(longhorn_node_count_total) or on() vector(0)) - (count(longhorn_node_status{condition="ready"} == 1) or on() vector(0)) > 0
for: 5m
labels:
issue: There are {{$value}} Longhorn nodes are offline
severity: critical
- alert: LonghornIntanceManagerCPUUsageWarning
annotations:
description: Longhorn instance manager {{$labels.instance_manager}} on {{$labels.node}} has CPU Usage / CPU request is {{$value}}% for
more than 5 minutes.
summary: Longhorn instance manager {{$labels.instance_manager}} on {{$labels.node}} has CPU Usage / CPU request is over 300%.
expr: (longhorn_instance_manager_cpu_usage_millicpu/longhorn_instance_manager_cpu_requests_millicpu) * 100 > 300
for: 5m
labels:
issue: Longhorn instance manager {{$labels.instance_manager}} on {{$labels.node}} consumes 3 times the CPU request.
severity: warning
- alert: LonghornNodeCPUUsageWarning
annotations:
description: Longhorn node {{$labels.node}} has CPU Usage / CPU capacity is {{$value}}% for
more than 5 minutes.
summary: Longhorn node {{$labels.node}} experiences high CPU pressure for more than 5m.
expr: (longhorn_node_cpu_usage_millicpu / longhorn_node_cpu_capacity_millicpu) * 100 > 90
for: 5m
labels:
issue: Longhorn node {{$labels.node}} experiences high CPU pressure.
severity: warning
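Review bot: The Ingress relies on `traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-ui@kubernetescrd`, which resolves to the Middleware produced from the `OIDCMiddlewareClient` named `ui` above; that middleware is the only access control in front of the Longhorn dashboard, which has none of its own. A comment above the annotation, e.g. `# must track the OIDCMiddlewareClient name above; removing it leaves the dashboard unauthenticated`, documents the coupling for whoever renames either side. `kubernetes.io/ingress.class: traefik` is the deprecated annotation form; `spec.ingressClassName: traefik` is the current equivalent.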


@@ -0,0 +1,46 @@
---
apiVersion: codemowers.cloud/v1beta1
kind: MinioBucketClaim
metadata:
name: backup
spec:
capacity: 1Ti
class: external
---
apiVersion: longhorn.io/v1beta2
kind: Setting
metadata:
name: backup-target
namespace: longhorn-system
value: 's3://longhorn-system-a4b235c5-7919-4cb0-9949-259e60c579f1@us-east1/'
---
apiVersion: longhorn.io/v1beta2
kind: Setting
metadata:
name: backup-target-credential-secret
namespace: longhorn-system
value: 'miniobucket-backup-owner-secrets'
---
apiVersion: longhorn.io/v1beta1
kind: RecurringJob
metadata:
name: backup
namespace: longhorn-system
spec:
cron: "0 2 * * *"
task: backup
groups:
- default
retain: 1
concurrency: 4
---
apiVersion: longhorn.io/v1beta1
kind: RecurringJob
metadata:
name: trim
namespace: longhorn-system
spec:
cron: "0 * * * *"
task: trim
groups:
- default
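Review bot: The `backup` RecurringJob keeps `retain: 1`, so each nightly run replaces the only restore point; a volume that is corrupted or encrypted and then backed up once leaves nothing older to fall back to. Raising `retain` to cover at least a week matches the README in this change, which describes daily backups without mentioning that only the latest survives. The two RecurringJobs use `longhorn.io/v1beta1` while the Settings use `v1beta2`; aligning them on `v1beta2` avoids depending on the older served version.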


@@ -0,0 +1,53 @@
--- longhorn.yaml 2024-07-07 14:16:47.953593433 +0300
+++ longhorn.modded 2024-07-07 14:18:51.103452617 +0300
@@ -86,14 +86,14 @@
storageclass.kubernetes.io/is-default-class: "true"
provisioner: driver.longhorn.io
allowVolumeExpansion: true
- reclaimPolicy: "Delete"
+ reclaimPolicy: "Retain"
volumeBindingMode: Immediate
parameters:
- numberOfReplicas: "3"
+ numberOfReplicas: "2"
staleReplicaTimeout: "30"
fromBackup: ""
- fsType: "ext4"
- dataLocality: "disabled"
+ fsType: "xfs"
+ dataLocality: "best-effort"
unmapMarkSnapChainRemoved: "ignored"
---
# Source: longhorn/templates/crds.yaml
@@ -4379,6 +4379,15 @@
app.kubernetes.io/version: v1.6.2
app: longhorn-manager
spec:
+ tolerations:
+ - key: dedicated
+ operator: Equal
+ value: nvr
+ effect: NoSchedule
+ - key: arch
+ operator: Equal
+ value: arm64
+ effect: NoSchedule
containers:
- name: longhorn-manager
image: longhornio/longhorn-manager:v1.6.2
@@ -4484,6 +4493,15 @@
app.kubernetes.io/version: v1.6.2
app: longhorn-driver-deployer
spec:
+ tolerations:
+ - key: dedicated
+ operator: Equal
+ value: nvr
+ effect: NoSchedule
+ - key: arch
+ operator: Equal
+ value: arm64
+ effect: NoSchedule
initContainers:
- name: wait-longhorn-manager
image: longhornio/longhorn-manager:v1.6.2
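Review bot: The patch is anchored to line numbers of the rendered v1.6.2 manifest (`@@ -86,14 +86,14 @@`, `@@ -4379,6 +4379,15 @@`, `@@ -4484,6 +4493,15 @@`) and its file headers carry July 2024 timestamps, so it will stop applying on the next Longhorn bump with no signal beyond a failed patch; since the commit moves to kustomize, expressing the same edits as a strategic-merge or JSON6902 patch that targets the StorageClass and the two workload specs by name would survive upgrades. `numberOfReplicas: "2"` on the default StorageClass leaves volumes with one healthy replica after a single node failure, which is a deliberate trade-off that deserves a comment next to the value, e.g. `# 2 replicas: survives one node loss; raise to 3 for data that must tolerate two`. The tolerations block is duplicated verbatim for the longhorn-manager and longhorn-driver-deployer specs, which is inherent to a text patch, but a one-line comment stating that both workloads must be schedulable on the nvr and arm64 nodes would record why.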


@@ -40,15 +40,6 @@ spec:
--- ---
apiVersion: metallb.io/v1beta1 apiVersion: metallb.io/v1beta1
kind: IPAddressPool kind: IPAddressPool
metadata:
name: unifi
namespace: metallb-system
spec:
addresses:
- 172.21.102.0/24
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata: metadata:
name: bind-secondary-external name: bind-secondary-external
namespace: metallb-system namespace: metallb-system


@@ -1,18 +0,0 @@
---
apiVersion: monitoring.coreos.com/v1alpha1
kind: ScrapeConfig
metadata:
name: nodes-ceph
namespace: monitoring
spec:
metricsPath: /metrics
scheme: HTTP
scrapeInterval: 3s
staticConfigs:
- labels:
job: ceph-exporter
targets:
- pve90.proxmox.infra.k-space.ee:9283
- pve91.proxmox.infra.k-space.ee:9283
- pve92.proxmox.infra.k-space.ee:9283
- pve93.proxmox.infra.k-space.ee:9283


@@ -8,11 +8,11 @@ spec:
targets: targets:
staticConfig: staticConfig:
static: static:
- pve90.proxmox.infra.k-space.ee:9100 - nas.mgmt.k-space.ee:9100
- pve91.proxmox.infra.k-space.ee:9100 - pve1.proxmox.infra.k-space.ee:9100
- pve92.proxmox.infra.k-space.ee:9100 - pve2.proxmox.infra.k-space.ee:9100
- pve93.proxmox.infra.k-space.ee:9100 - pve8.proxmox.infra.k-space.ee:9100
- pbs.infra.k-space.ee:9100 - pve9.proxmox.infra.k-space.ee:9100
relabelingConfigs: relabelingConfigs:
- sourceLabels: [__param_target] - sourceLabels: [__param_target]
targetLabel: instance targetLabel: instance


@@ -1,22 +0,0 @@
---
apiVersion: monitoring.coreos.com/v1
kind: Probe
metadata:
name: pbs-proxmox
spec:
scrapeTimeout: 30s
targets:
staticConfig:
static:
- pbs.infra.k-space.ee:10019
relabelingConfigs:
- sourceLabels: [__param_target]
targetLabel: instance
- sourceLabels: [__param_target]
targetLabel: __address__
prober:
url: localhost
path: /metrics
metricRelabelings:
- sourceLabels: [__address__]
targetLabel: target


@@ -58,9 +58,10 @@ spec:
retentionSize: 8GB retentionSize: 8GB
resources: resources:
limits: limits:
memory: 4Gi cpu: 500m
memory: 2Gi
requests: requests:
cpu: 1000m cpu: 100m
memory: 700Mi memory: 700Mi
storage: storage:
volumeClaimTemplate: volumeClaimTemplate:
@@ -71,8 +72,6 @@ spec:
requests: requests:
storage: 10Gi storage: 10Gi
storageClassName: prometheus storageClassName: prometheus
scrapeConfigSelector: {}
scrapeConfigNamespaceSelector: {}
--- ---
apiVersion: v1 apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
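Review bot: Dropping `scrapeConfigSelector: {}` and `scrapeConfigNamespaceSelector: {}` in the second hunk returns the operator to its default of selecting no ScrapeConfig objects, so any ScrapeConfig still present in the cluster silently stops being scraped; the nodes-ceph ScrapeConfig is deleted in this commit, but if others exist they need the same treatment or the selectors should stay. The memory limit also falls from 4Gi to 2Gi while `retentionSize: 8GB` is unchanged; Prometheus memory tracks active series rather than on-disk retention, so this may well be fine, but a comment recording the observed working set that justified 2Gi would make a future OOM easier to diagnose. The Prometheus spec continues outside these hunks.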


@@ -45,8 +45,7 @@ spec:
displayName: Nextcloud displayName: Nextcloud
uri: https://nextcloud.k-space.ee uri: https://nextcloud.k-space.ee
redirectUris: redirectUris:
- https://nextcloud.k-space.ee/apps/user_oidc/code - https://nextcloud.k-space.ee/apps/oidc_login/oidc
- https://nextcloud.k-space.ee/apps/user_oidc
allowedGroups: allowedGroups:
- k-space:floor - k-space:floor
grantTypes: grantTypes:
@@ -79,33 +78,16 @@ spec:
spec: spec:
enableServiceLinks: false enableServiceLinks: false
initContainers: initContainers:
- name: fix-permissions
image: busybox
command: ["sh", "-c", "chown -R 1000:1000 /var/www/html/"]
securityContext:
runAsUser: 0
volumeMounts:
- mountPath: /var/www/html/
name: data
- name: setup-php-config - name: setup-php-config
image: mirror.gcr.io/library/nextcloud:32.0.2@sha256:8cb1dc8c26944115469dd22f4965d2ed35bab9cf8c48d2bb052c8e9f83821ded image: mirror.gcr.io/library/nextcloud:31.0.2@sha256:c418eb78924b446c744eee30587564a8d5ef625ad64369c81936bd1491f589e3
command: [ "/bin/sh","-c" ] command: [ "/bin/sh","-c" ]
args: ["cp -r /usr/local/etc/php/conf.d/. /config/"] args: ["cp -r /usr/local/etc/php/conf.d/. /config/"]
volumeMounts: volumeMounts:
- mountPath: /config - mountPath: /config
name: php-config name: php-config
- name: setup-nextcloud-config
image: busybox
command: [ "/bin/sh","-c" ]
args: ["cp -r /config/. /var/www/html/config/"]
volumeMounts:
- mountPath: /config
name: config
- name: data
mountPath: /var/www/html
containers: containers:
- name: nextcloud - name: nextcloud
image: mirror.gcr.io/library/nextcloud:32.0.2@sha256:8cb1dc8c26944115469dd22f4965d2ed35bab9cf8c48d2bb052c8e9f83821ded image: mirror.gcr.io/library/nextcloud:31.0.2@sha256:c418eb78924b446c744eee30587564a8d5ef625ad64369c81936bd1491f589e3
resources: resources:
limits: limits:
cpu: 4000m cpu: 4000m
@@ -113,14 +95,14 @@ spec:
requests: requests:
cpu: 400m cpu: 400m
memory: 500Mi memory: 500Mi
livenessProbe: readinessProbe:
exec: exec:
command: command:
- /usr/local/bin/php - /usr/local/bin/php
- /var/www/html/cron.php - /var/www/html/cron.php
initialDelaySeconds: 300 initialDelaySeconds: 1
periodSeconds: 300 periodSeconds: 300
timeoutSeconds: 300 timeoutSeconds: 30
env: env:
- name: OIDC_CLIENT_ID - name: OIDC_CLIENT_ID
valueFrom: valueFrom:
@@ -145,13 +127,13 @@ spec:
- name: UPLOAD_LIMIT - name: UPLOAD_LIMIT
value: 10G value: 10G
- name: MYSQL_USER - name: MYSQL_USER
value: nextcloud value: kspace_nextcloud
- name: MYSQL_DATABASE - name: MYSQL_DATABASE
value: nextcloud value: kspace_nextcloud
- name: MYSQL_HOST - name: MYSQL_HOST
value: mariadb value: mariadb.infra.k-space.ee
- name: NEXTCLOUD_ADMIN_USER - name: NEXTCLOUD_ADMIN_USER
value: k6_admin value: admin
- name: NEXTCLOUD_TRUSTED_DOMAINS - name: NEXTCLOUD_TRUSTED_DOMAINS
value: nextcloud.k-space.ee nextcloud # This is for reference - these values are not actually changed by env after installation. value: nextcloud.k-space.ee nextcloud # This is for reference - these values are not actually changed by env after installation.
- name: OBJECTSTORE_S3_HOST - name: OBJECTSTORE_S3_HOST
@@ -191,7 +173,7 @@ spec:
- name: MYSQL_PASSWORD - name: MYSQL_PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: mariadb-secrets name: nextcloud-imported-secrets
key: MYSQL_PASSWORD key: MYSQL_PASSWORD
- name: OBJECTSTORE_S3_SECRET - name: OBJECTSTORE_S3_SECRET
valueFrom: valueFrom:
@@ -204,6 +186,12 @@ spec:
volumeMounts: volumeMounts:
- mountPath: /var/www/html - mountPath: /var/www/html
name: data name: data
- mountPath: /var/www/html/config/oidc.config.php
name: config
subPath: oidc.config.php
- mountPath: /var/www/html/config/override.config.php
name: config
subPath: override.config.php
- name: php-config - name: php-config
mountPath: /usr/local/etc/php/conf.d/ mountPath: /usr/local/etc/php/conf.d/
securityContext: securityContext:
@@ -291,6 +279,12 @@ kind: ConfigMap
metadata: metadata:
name: nextcloud-config name: nextcloud-config
data: data:
override.config.php: |-
<?php
$CONFIG = array (
'skeletondirectory' => '',
'default_phone_region' => 'EE',
);
oidc.config.php: |- oidc.config.php: |-
<?php <?php
$CONFIG = array ( $CONFIG = array (
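Review bot: The `readinessProbe` on the nextcloud container now executes `/usr/local/bin/php /var/www/html/cron.php` every 300s with `timeoutSeconds: 30`; using a probe to run background jobs means a slow cron pass marks the pod unready and pulls it out of the Service, and with `initialDelaySeconds: 1` the first run fires before the instance is installed or its config is in place. A dedicated CronJob or sidecar for cron.php, with readiness reduced to an HTTP check on `/status.php`, separates job execution from traffic gating. The new `subPath` mounts for `oidc.config.php` and `override.config.php` come from the `config` volume, presumably backed by the `nextcloud-config` ConfigMap, and Kubernetes does not propagate ConfigMap updates into subPath mounts, so a config edit needs a pod roll; a comment such as `# subPath mounts are not updated live - restart the pod after editing nextcloud-config` would save a confused debugging session. `NEXTCLOUD_ADMIN_USER` becomes `admin`; the inline comment on `NEXTCLOUD_TRUSTED_DOMAINS` says these values only apply at install time, so this is likely cosmetic on the existing instance, but a less guessable admin name is preferable for any fresh install. The Deployment spec continues outside these hunks.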


@@ -1,99 +0,0 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mariadb
spec:
revisionHistoryLimit: 0
serviceName: mariadb
selector:
matchLabels:
app: mariadb
replicas: 1
template:
metadata:
labels:
app: mariadb
annotations:
prometheus.io/port: '9104'
prometheus.io/scrape: 'true'
spec:
containers:
- name: exporter
image: mirror.gcr.io/prom/mysqld-exporter:latest
args:
- --mysqld.username
- exporter
- name: mariadb
image: mirror.gcr.io/library/mariadb:12.1
imagePullPolicy: Always
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-secrets
key: MYSQL_ROOT_PASSWORD
- name: MYSQL_USER
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MYSQL_DATABASE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-secrets
key: MYSQL_PASSWORD
volumeMounts:
- name: mariadb-data
mountPath: /var/lib/mysql
- name: mariadb-init
mountPath: /docker-entrypoint-initdb.d
volumes:
- name: mariadb-init
configMap:
name: mariadb-init-config
volumeClaimTemplates:
- metadata:
name: mariadb-data
spec:
storageClassName: ceph-rbd
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
---
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
name: mariadb-secrets
spec:
size: 32
mapping:
- key: MYSQL_ROOT_PASSWORD
value: "%(plaintext)s"
- key: MYSQL_PASSWORD
value: "%(plaintext)s"
---
apiVersion: v1
kind: Service
metadata:
name: mariadb
spec:
ports:
- protocol: TCP
port: 3306
selector:
app: mariadb
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mariadb-init-config
data:
initdb.sql: |
CREATE USER 'exporter'@'127.0.0.1' WITH MAX_USER_CONNECTIONS 3;
GRANT PROCESS, REPLICATION CLIENT, SLAVE MONITOR, SELECT ON *.* TO 'exporter'@'127.0.0.1';


@@ -36,7 +36,7 @@ metadata:
name: nyancat name: nyancat
namespace: nyancat namespace: nyancat
annotations: annotations:
metallb.io/address-pool: zoo metallb.universe.tf/address-pool: zoo
external-dns.alpha.kubernetes.io/hostname: nyancat.k-space.ee external-dns.alpha.kubernetes.io/hostname: nyancat.k-space.ee
spec: spec:
type: LoadBalancer type: LoadBalancer
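Review bot: The annotation key on the new side is `metallb.universe.tf/address-pool`, the legacy spelling; recent MetalLB releases document `metallb.io/` as the current prefix and treat `metallb.universe.tf/` as deprecated, so unless the cluster's MetalLB is pinned to an older version this reads as a step backwards. The same switch appears on the wildduck Service further down this page, and the same pair of keys is touched in other files of this commit; whichever prefix is chosen should be applied consistently across the repository, and a short comment naming the MetalLB version that fixes the choice would stop it flip-flopping in future merges.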


@@ -188,13 +188,12 @@ spec:
service: service:
name: pve92 name: pve92
port: {number: 8006} port: {number: 8006}
#TODO: hw failure, disabled for now - pathType: Prefix
# - pathType: Prefix path: "/"
# path: "/" backend:
# backend: service:
# service: name: pve93
# name: pve93 port: {number: 8006}
# port: {number: 8006}
tls: tls:
- hosts: - hosts:
- "*.k-space.ee" - "*.k-space.ee"
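Review bot: The new side re-enables the pve93 backend that the old side had commented out under `#TODO: hw failure, disabled for now`, and the hunk carries nothing saying the hardware problem is resolved; if it is not, the Ingress will now hand a share of requests to an unreachable backend. If pve93 is back in service, a one-line comment above the entry such as `# pve93 re-enabled after hardware repair` keeps the history the removed TODO carried; if not, the entry should remain commented out. The rules list continues outside the hunk.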


@@ -1,236 +0,0 @@
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: mongo
annotations:
kubernetes.io/description: |
Storage class for Mongo and similar applications that
implement high availability in application layer.
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-nvme
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: prometheus
annotations:
kubernetes.io/description: |
Storage class for Prometheus and similar applications that
implement high availability in application layer.
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-nvme
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: woodpecker
annotations:
kubernetes.io/description: |
Storage class for Drone, Woodpecker and similar application
pipeline runs where Git repos are checked out to.
This storage class uses XFS, has no block level redundancy and it's
deleted as soon as the pod exits.
reclaimPolicy: Delete
volumeBindingMode: Immediate
allowVolumeExpansion: true
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-nvme
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: gitea
annotations:
kubernetes.io/description: |
Storage class for Gitea and similar applications needing
block device level replication with 3 replicas using XFS filesystem and
best effort data locality.
provisioner: rook-ceph.rbd.csi.ceph.com
reclaimPolicy: Retain
volumeBindingMode: Immediate
allowVolumeExpansion: true
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-nvme
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: nextcloud
annotations:
kubernetes.io/description: |
Storage class for Nextcloud needing
block device level replication with 3 replicas using XFS filesystem and
best effort data locality.
provisioner: rook-ceph.rbd.csi.ceph.com
reclaimPolicy: Retain
volumeBindingMode: Immediate
allowVolumeExpansion: true
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-nvme
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: rabbitmq
annotations:
kubernetes.io/description: |
Storage class for RabbitMQ and similar applications
deployed in highly available fashion utilizing application level
replication needing persistent volume.
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-nvme
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: unifi
annotations:
kubernetes.io/description: |
Storage class for Unifi and similar applications
deployed in highly available fashion utilizing application level
replication needing persistent volume.
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-nvme
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: hdd-ceph
annotations:
kubernetes.io/description: |
Generic HDD storage on CEPH.
provisioner: rook-ceph.rbd.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/fstype: xfs
csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
imageFeatures: layering
imageFormat: '2'
pool: ks-hdd
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: "null"
annotations:
kubernetes.io/description: |
Storage class for applications insisting on having a PV, but actually do
not and for data that can be discarded immediately
provisioner: rancher.io/local-path
reclaimPolicy: Delete
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: cephfs
provisioner: rook-ceph.cephfs.csi.ceph.com
parameters:
clusterID: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
fsName: ks-fs
pool: ks-fs_data
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: Immediate


@@ -1,124 +0,0 @@
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: rotmower
spec:
displayName: rotmower
uri: 'https://rotmower.k-space.ee'
headerMapping:
email: Remote-Email
groups: Remote-Groups
name: Remote-Name
user: Remote-Username
allowedGroups:
- k-space:kubernetes:admins
- github.com:codemowers:admins
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: rotmower
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
traefik.ingress.kubernetes.io/router.middlewares: rotmower-rotmower@kubernetescrd
spec:
rules:
- host: rotmower.k-space.ee
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: rotmower
port:
number: 8080
tls:
- hosts:
- "*.k-space.ee"
---
apiVersion: v1
kind: Service
metadata:
name: rotmower
spec:
type: ClusterIP
selector:
app: rotmower
ports:
- protocol: TCP
port: 8080
targetPort: 8080
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: rotmower
namespace: rotmower
labels:
app: rotmower
spec:
replicas: 1
selector:
matchLabels:
app: rotmower
template:
metadata:
labels:
app: rotmower
spec:
serviceAccountName: rotmower
containers:
- name: rotmower
image: docker.io/codemowers/rotmower:latest
args:
- web
- --host
- 0.0.0.0
ports:
- containerPort: 8080
name: http
resources:
requests:
memory: "128Mi"
cpu: "100m"
limits:
memory: "512Mi"
cpu: "500m"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: rotmower
namespace: rotmower
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: rotmower
rules:
- apiGroups: [""]
resources: ["pods", "secrets"]
verbs: ["get", "list"]
- apiGroups: ["apps"]
resources: ["deployments", "replicasets", "daemonsets", "statefulsets"]
verbs: ["get", "list"]
- apiGroups: ["batch"]
resources: ["jobs", "cronjobs"]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: rotmower
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: rotmower
subjects:
- kind: ServiceAccount
name: rotmower
namespace: rotmower

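--- /dev/null
+++ b/storage-class.yaml
@@ -0,0 +1,125 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+name: mongo
+annotations:
+kubernetes.io/description: |
+Storage class for Mongo and similar applications that
+implement high availability in application layer.
+provisioner: rook-ceph.rbd.csi.ceph.com
+parameters:
+clusterID: rook-ceph
+csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
+csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
+csi.storage.k8s.io/fstype: xfs
+csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
+csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
+csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
+csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
+imageFeatures: layering
+imageFormat: '2'
+pool: ks-nvme
+reclaimPolicy: Retain
+allowVolumeExpansion: true
+volumeBindingMode: WaitForFirstConsumer
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+name: prometheus
+annotations:
+kubernetes.io/description: |
+Storage class for Prometheus and similar applications that
+implement high availability in application layer.
+provisioner: rook-ceph.rbd.csi.ceph.com
+parameters:
+clusterID: rook-ceph
+csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
+csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
+csi.storage.k8s.io/fstype: xfs
+csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
+csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
+csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
+csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
+imageFeatures: layering
+imageFormat: '2'
+pool: ks-nvme
+reclaimPolicy: Retain
+allowVolumeExpansion: true
+volumeBindingMode: WaitForFirstConsumer
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+name: woodpecker
+annotations:
+kubernetes.io/description: |
+Storage class for Drone, Woodpecker and similar application
+pipeline runs where Git repos are checked out to.
+This storage class uses XFS, has no block level redundancy and it's
+deleted as soon as the pod exits.
+provisioner: driver.longhorn.io
+reclaimPolicy: Delete
+volumeBindingMode: Immediate
+allowVolumeExpansion: true
+parameters:
+dataLocality: best-effort
+numberOfReplicas: "1"
+fsType: "xfs"
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+name: gitea
+annotations:
+kubernetes.io/description: |
+Storage class for Gitea and similar applications needing
+block device level replication with 3 replicas using XFS filesystem and
+best effort data locality.
+provisioner: driver.longhorn.io
+reclaimPolicy: Retain
+volumeBindingMode: Immediate
+allowVolumeExpansion: true
+parameters:
+dataLocality: best-effort
+numberOfReplicas: "3"
+fsType: "xfs"
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+name: rabbitmq
+annotations:
+kubernetes.io/description: |
+Storage class for RabbitMQ and similar applications
+deployed in highly available fashion utilizing application level
+replication needing persistent volume.
+provisioner: rook-ceph.rbd.csi.ceph.com
+parameters:
+clusterID: rook-ceph
+csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
+csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
+csi.storage.k8s.io/fstype: xfs
+csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
+csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
+csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
+csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
+imageFeatures: layering
+imageFormat: '2'
+pool: ks-nvme
+reclaimPolicy: Retain
+allowVolumeExpansion: true
+volumeBindingMode: WaitForFirstConsumer
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+name: "null"
+annotations:
+kubernetes.io/description: |
+Storage class for applications insisting on having a PV, but actually do
+not and for data that can be discarded immediately
+provisioner: rancher.io/local-path
+reclaimPolicy: Delete
+volumeBindingMode: WaitForFirstConsumer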
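Review bot: This file omits the `nextcloud`, `unifi`, `hdd-ceph` and `cephfs` StorageClasses that the storage-class file deleted earlier in this commit defined, while keeping `mongo`, `prometheus` and `rabbitmq` on rook-ceph; removing a StorageClass leaves already-bound PVs intact, but any PVC that still names one of the dropped classes will sit Pending, so the repository should be searched for `storageClassName:` references to those names before this merges. The `woodpecker` description still says the volume is "deleted as soon as the pod exits", whereas `reclaimPolicy: Delete` releases the volume when its PVC is deleted, not on pod exit; rewording it to "deleted together with its PVC" avoids misleading users about data lifetime. `numberOfReplicas` is correctly quoted as a string for the Longhorn driver and `name: "null"` is correctly quoted so it is not parsed as a YAML null.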


@@ -199,7 +199,6 @@ spec:
- cidr: 172.21.53.1/32 - cidr: 172.21.53.1/32
- cidr: 172.21.53.2/32 - cidr: 172.21.53.2/32
- cidr: 172.21.53.3/32 - cidr: 172.21.53.3/32
- cidr: 172.21.102.1/32
- cidr: 193.40.103.36/32 - cidr: 193.40.103.36/32
- cidr: 193.40.103.37/32 - cidr: 193.40.103.37/32
- cidr: 193.40.103.38/32 - cidr: 193.40.103.38/32


@@ -1,9 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: &ns unifi
resources:
- ssh://git@git.k-space.ee/secretspace/kube/unifi # secrets: unifi, unifi-mongo
- unifi-mongo.yaml
- unifi.yaml


@@ -1,53 +0,0 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: unifi-db
namespace: unifi
spec:
selector:
matchLabels:
app: unifi-db
replicas: 1
minReadySeconds: 10
template:
metadata:
labels:
app: unifi-db
spec:
terminationGracePeriodSeconds: 10
containers:
- name: mongodb
image: mongo:8
ports:
- containerPort: 27017
name: mongo
envFrom:
- secretRef:
name: unifi-mongo
volumeMounts:
- name: data
mountPath: /data/db
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes: [ "ReadWriteOnce" ]
storageClassName: unifi
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: Service
metadata:
name: unifi-db
namespace: unifi
spec:
ports:
- port: 27017
name: mongo
targetPort: 27017
selector:
app: unifi-db
type: ClusterIP


@@ -1,176 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: unifi-app
namespace: unifi
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: unifi
---
kind: StatefulSet
apiVersion: apps/v1
metadata:
name: unifi
namespace: unifi
spec:
serviceName: "unifi"
replicas: 1
selector:
matchLabels:
name: unifi
template:
metadata:
name: unifi
labels:
name: unifi
spec:
containers:
- name: unifi
image: lscr.io/linuxserver/unifi-network-application:latest
env:
- name: PUID
value: '1000'
- name: GUID
value: '1000'
- name: TZ
value: Etc/UTC
envFrom:
- secretRef:
name: unifi
ports:
- containerPort: 3478
protocol: UDP
- containerPort: 10001
protocol: UDP
- containerPort: 8080
protocol: TCP
- containerPort: 8443
protocol: TCP
- containerPort: 1900
protocol: UDP
- containerPort: 8843
protocol: TCP
- containerPort: 8880
protocol: TCP
- containerPort: 6789
protocol: TCP
- containerPort: 5514
protocol: UDP
volumeMounts:
- name: unifi-persistent-storage
mountPath: /config
volumes:
- name: unifi-persistent-storage
persistentVolumeClaim:
claimName: unifi-app
---
kind: Service
apiVersion: v1
metadata:
name: lb-unifi
namespace: unifi
annotations:
metallb.io/allow-shared-ip: 'true'
traefik.ingress.kubernetes.io/service.serverstransport: unifi-unifi@kubernetescrd
spec:
type: LoadBalancer
externalTrafficPolicy: Local
loadBalancerIP: 172.21.102.1
selector:
name: unifi
ports:
- name: '8080'
protocol: TCP
port: 8080
targetPort: 8080
- name: '8443'
protocol: TCP
port: 8443
targetPort: 8443
- name: '1900'
protocol: TCP
port: 1900
targetPort: 1900
- name: '8843'
protocol: TCP
port: 8843
targetPort: 8843
- name: '8880'
protocol: TCP
port: 8880
targetPort: 8880
- name: '6789'
protocol: TCP
port: 6789
targetPort: 6789
---
kind: Service
apiVersion: v1
metadata:
name: lb-unifi-udp
namespace: unifi
annotations:
metallb.io/allow-shared-ip: 'true'
spec:
type: LoadBalancer
externalTrafficPolicy: Local
loadBalancerIP: 172.21.102.1
selector:
name: unifi
ports:
- name: '3478'
protocol: UDP
port: 3478
targetPort: 3478
- name: '10001'
protocol: UDP
port: 10001
targetPort: 10001
- name: '5514'
protocol: UDP
port: 5514
targetPort: 5514
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
name: unifi
namespace: unifi
spec:
insecureSkipVerify: true
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: unifi
namespace: unifi
annotations:
traefik.ingress.kubernetes.io/router.tls: "true"
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
rules:
- host: "unifi.k-space.ee"
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: lb-unifi
port:
number: 8443
---
apiVersion: codemowers.cloud/v1beta1
kind: OIDCMiddlewareClient
metadata:
name: unifi
namespace: unifi
spec:
uri: 'https://unifi.k-space.ee/'


@@ -85,18 +85,18 @@ spec:
- name: DB_TYPE - name: DB_TYPE
value: mysql value: mysql
- name: DB_HOST - name: DB_HOST
value: mariadb value: mariadb.infra.k-space.ee
- name: DB_PORT - name: DB_PORT
value: "3306" value: "3306"
- name: DB_USER - name: DB_USER
value: wiki value: kspace_wiki
- name: DB_NAME - name: DB_NAME
value: wiki value: kspace_wiki
- name: DB_PASS - name: DB_PASS
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: mariadb-secrets name: wikijs-secrets
key: MYSQL_PASSWORD key: DB_PASS
ports: ports:
- containerPort: 3000 - containerPort: 3000
name: http name: http
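Review bot: `DB_HOST` moves to `mariadb.infra.k-space.ee`, a database outside the cluster, and nothing in the hunk enables TLS for that connection; Wiki.js reads `DB_SSL` (and `DB_SSL_CA` for a private CA) for this, so unless the path to that host is a trusted network the credential in `wikijs-secrets` travels in clear text on every connection. Adding `- name: DB_SSL` / `value: "true"` alongside a CA reference, or a comment confirming the route is private, would settle that. The same host move is made for nextcloud's `MYSQL_HOST` in this commit and the same question applies there. The container spec continues outside the hunk.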


@@ -1,99 +0,0 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mariadb
spec:
revisionHistoryLimit: 0
serviceName: mariadb
selector:
matchLabels:
app: mariadb
replicas: 1
template:
metadata:
labels:
app: mariadb
annotations:
prometheus.io/port: '9104'
prometheus.io/scrape: 'true'
spec:
containers:
- name: exporter
image: mirror.gcr.io/prom/mysqld-exporter:latest
args:
- --mysqld.username
- exporter
- name: mariadb
image: mirror.gcr.io/library/mariadb:12.1
imagePullPolicy: Always
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-secrets
key: MYSQL_ROOT_PASSWORD
- name: MYSQL_USER
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MYSQL_DATABASE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-secrets
key: MYSQL_PASSWORD
volumeMounts:
- name: mariadb-data
mountPath: /var/lib/mysql
- name: mariadb-init
mountPath: /docker-entrypoint-initdb.d
volumes:
- name: mariadb-init
configMap:
name: mariadb-init-config
volumeClaimTemplates:
- metadata:
name: mariadb-data
spec:
storageClassName: ceph-rbd
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
---
apiVersion: codemowers.cloud/v1beta1
kind: SecretClaim
metadata:
name: mariadb-secrets
spec:
size: 32
mapping:
- key: MYSQL_ROOT_PASSWORD
value: "%(plaintext)s"
- key: MYSQL_PASSWORD
value: "%(plaintext)s"
---
apiVersion: v1
kind: Service
metadata:
name: mariadb
spec:
ports:
- protocol: TCP
port: 3306
selector:
app: mariadb
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mariadb-init-config
data:
initdb.sql: |
CREATE USER 'exporter'@'127.0.0.1' WITH MAX_USER_CONNECTIONS 3;
GRANT PROCESS, REPLICATION CLIENT, SLAVE MONITOR, SELECT ON *.* TO 'exporter'@'127.0.0.1';


@@ -5,7 +5,7 @@ metadata:
name: wildduck name: wildduck
annotations: annotations:
external-dns.alpha.kubernetes.io/hostname: mail.k-space.ee external-dns.alpha.kubernetes.io/hostname: mail.k-space.ee
metallb.io/address-pool: wildduck metallb.universe.tf/address-pool: wildduck
spec: spec:
loadBalancerIP: 193.40.103.25 loadBalancerIP: 193.40.103.25
type: LoadBalancer type: LoadBalancer