No commits in common. "master" and "master" have entirely different histories.
10
.drone.yml
@ -0,0 +1,10 @@
|
|||||||
|
---
|
||||||
|
kind: pipeline
|
||||||
|
type: kubernetes
|
||||||
|
name: gitleaks
|
||||||
|
|
||||||
|
steps:
|
||||||
|
- name: gitleaks
|
||||||
|
image: zricethezav/gitleaks
|
||||||
|
commands:
|
||||||
|
- gitleaks detect --source=/drone/src
|
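Review bot: The step image on the `image:` line, `zricethezav/gitleaks`, carries no tag or digest, so each run pulls whatever the mutable default tag currently resolves to and the scanner's behaviour is neither reproducible nor auditable; pin it, e.g. `image: zricethezav/gitleaks:<pinned-version-or-digest>` (placeholder). The command `gitleaks detect --source=/drone/src` also writes the matched secret value into the build log by default, which turns a detection into a second disclosure for anyone who can read Drone logs; use `- gitleaks detect --source=/drone/src --redact` so findings are reported without the secret itself. Since `gitleaks detect` walks git history, how much of the repository it actually inspects presumably depends on the depth of Drone's clone step, which this pipeline does not configure; worth confirming against the runner's defaults.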
5
.gitignore
@ -1,14 +1,9 @@
|
|||||||
*.keys
|
|
||||||
*secrets.yml
|
*secrets.yml
|
||||||
*secret.yml
|
*secret.yml
|
||||||
*.swp
|
*.swp
|
||||||
*.save
|
*.save
|
||||||
*.1
|
*.1
|
||||||
|
|
||||||
# Kustomize with Helm and secrets:
|
|
||||||
charts/
|
|
||||||
*.env
|
|
||||||
|
|
||||||
### IntelliJ IDEA ###
|
### IntelliJ IDEA ###
|
||||||
.idea
|
.idea
|
||||||
*.iml
|
*.iml
|
||||||
|
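Review bot: The new side of this hunk drops `*.keys` and `*.env` (and `charts/`) from the ignore list while keeping `*secrets.yml` and `*secret.yml`, which removes the guard that kept private key material and environment files out of this repository. The gitleaks pipeline added in `.drone.yml` only flags such a file after it has been pushed, so it does not replace the ignore rule. Unless those patterns were retired on purpose, keep `*.keys` and `*.env` next to `*secrets.yml`; `charts/` is worth keeping too if Helm charts are still pulled locally, so vendored chart copies are not committed.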
@ -1,4 +0,0 @@
|
|||||||
extends: default
|
|
||||||
ignore-from-file: .gitignore
|
|
||||||
rules:
|
|
||||||
line-length: disable
|
|
169
CLUSTER.md
@ -1,169 +0,0 @@
|
|||||||
# Kubernetes cluster
|
|
||||||
Kubernetes hosts run on [PVE Cluster](https://wiki.k-space.ee/en/hosting/proxmox). Hosts are listed in Ansible [inventory](ansible/inventory.yml).
|
|
||||||
|
|
||||||
## `kubectl`
|
|
||||||
- Authorization [ACLs](cluster-role-bindings.yml)
|
|
||||||
- [Troubleshooting `no such host`](#systemd-resolved-issues)
|
|
||||||
|
|
||||||
Authenticate to auth.k-space.ee:
|
|
||||||
```bash
|
|
||||||
kubectl krew install oidc-login
|
|
||||||
mkdir -p ~/.kube
|
|
||||||
|
|
||||||
cat << EOF > ~/.kube/config
|
|
||||||
apiVersion: v1
|
|
||||||
clusters:
|
|
||||||
- cluster:
|
|
||||||
certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EVXdNakEzTXpVMU1Wb1hEVE15TURReU9UQTNNelUxTVZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBS2J2CjY3UFlXVHJMc3ZCQTZuWHUvcm55SlVhNnppTnNWTVN6N2w4ekhxM2JuQnhqWVNPUDJhN1RXTnpUTmZDanZBWngKTmlNbXJya1hpb2dYQWpVVkhSUWZlYm81TFIrb0JBOTdLWlcrN01UMFVJRXBuWVVaaTdBRHlaS01vcEJFUXlMNwp1SlU5UDhnNUR1T29FRHZieGJSMXFuV1JZRXpteFNmSFpocllpMVA3bFd4emkxR243eGRETFZaMjZjNm0xR3Y1CnViRjZyaFBXK1JSVkhiQzFKakJGeTBwRXdhYlUvUTd0Z2dic0JQUjk5NVZvMktCeElBelRmbHhVanlYVkJ3MjEKU2d3ZGI1amlpemxEM0NSbVdZZ0ZrRzd0NTVZeGF3ZmpaQjh5bW4xYjhUVjkwN3dRcG8veU8zM3RaaEE3L3BFUwpBSDJYeDk5bkpMbFVGVUtSY1A4Q0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZKNnZKeVk1UlJ1aklQWGxIK2ZvU3g2QzFRT2RNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBQ04zcGtCTVM3ekkrbUhvOWdTZQp6SzdXdjl3bXlCTVE5Q3crQXBSNnRBQXg2T1VIN0d1enc5TTV2bXNkYjkrYXBKMHBlZFB4SUg3YXZ1aG9SUXNMCkxqTzRSVm9BMG9aNDBZV3J3UStBR0dvdkZuaWNleXRNcFVSNEZjRXc0ZDRmcGl6V3d0TVNlRlRIUXR6WG84V2MKNFJGWC9xUXNVR1NWa01PaUcvcVVrSFpXQVgyckdhWXZ1Tkw2eHdSRnh5ZHpsRTFSUk56TkNvQzVpTXhjaVRNagpackEvK0pqVEFWU2FuNXZnODFOSmthZEphbmNPWmEwS3JEdkZzd1JJSG5CMGpMLzh3VmZXSTV6czZURU1VZUk1ClF6dU01QXUxUFZ4VXZJUGhlMHl6UXZjWDV5RlhnMkJGU3MzKzJBajlNcENWVTZNY2dSSTl5TTRicitFTUlHL0kKY0pjPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
|
|
||||||
server: https://master.kube.k-space.ee:6443
|
|
||||||
name: kubernetes
|
|
||||||
contexts:
|
|
||||||
- context:
|
|
||||||
cluster: kubernetes
|
|
||||||
user: oidc
|
|
||||||
name: default
|
|
||||||
current-context: default
|
|
||||||
kind: Config
|
|
||||||
preferences: {}
|
|
||||||
users:
|
|
||||||
- name: oidc
|
|
||||||
user:
|
|
||||||
exec:
|
|
||||||
apiVersion: client.authentication.k8s.io/v1beta1
|
|
||||||
args:
|
|
||||||
- oidc-login
|
|
||||||
- get-token
|
|
||||||
- --oidc-issuer-url=https://auth.k-space.ee/
|
|
||||||
- --oidc-client-id=passmower.kubelogin
|
|
||||||
- --oidc-extra-scope=profile,email,groups
|
|
||||||
- --listen-address=127.0.0.1:27890
|
|
||||||
command: kubectl
|
|
||||||
env: null
|
|
||||||
provideClusterInfo: false
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Test it:
|
|
||||||
kubectl get nodes # opens browser for authentication
|
|
||||||
```
|
|
||||||
|
|
||||||
### systemd-resolved issues
|
|
||||||
```sh
|
|
||||||
Unable to connect to the server: dial tcp: lookup master.kube.k-space.ee on 127.0.0.53:53: no such host
|
|
||||||
```
|
|
||||||
```
|
|
||||||
Network → VPN → `IPv4` → Other nameservers (Muud nimeserverid): `172.21.0.1`
|
|
||||||
Network → VPN → `IPv6` → Other nameservers (Muud nimeserverid): `2001:bb8:4008:21::1`
|
|
||||||
Network → VPN → `IPv4` → Search domains (Otsingudomeenid): `kube.k-space.ee`
|
|
||||||
Network → VPN → `IPv6` → Search domains (Otsingudomeenid): `kube.k-space.ee`
|
|
||||||
```
|
|
||||||
|
|
||||||
## Cluster formation
|
|
||||||
Created Ubuntu 22.04 VM-s on Proxmox with local storage.
|
|
||||||
Added some ARM64 workers by using Ubuntu 22.04 server on Raspberry Pi.
|
|
||||||
|
|
||||||
After machines have booted up and you can reach them via SSH:
|
|
||||||
|
|
||||||
```
|
|
||||||
# Disable Ubuntu caching DNS resolver
|
|
||||||
systemctl disable systemd-resolved.service
|
|
||||||
systemctl stop systemd-resolved
|
|
||||||
rm -fv /etc/resolv.conf
|
|
||||||
cat > /etc/resolv.conf << EOF
|
|
||||||
nameserver 1.1.1.1
|
|
||||||
nameserver 8.8.8.8
|
|
||||||
EOF
|
|
||||||
|
|
||||||
# Disable multipathd as Longhorn handles that itself
|
|
||||||
systemctl mask multipathd snapd
|
|
||||||
systemctl disable --now multipathd snapd bluetooth ModemManager hciuart wpa_supplicant packagekit
|
|
||||||
|
|
||||||
# Permit root login
|
|
||||||
sed -i -e 's/PermitRootLogin no/PermitRootLogin without-password/' /etc/ssh/sshd_config
|
|
||||||
systemctl reload ssh
|
|
||||||
cat ~ubuntu/.ssh/authorized_keys > /root/.ssh/authorized_keys
|
|
||||||
userdel -f ubuntu
|
|
||||||
apt-get install -yqq linux-image-generic
|
|
||||||
apt-get remove -yq cloud-init linux-image-*-kvm
|
|
||||||
```
|
|
||||||
|
|
||||||
On master:
|
|
||||||
|
|
||||||
```
|
|
||||||
kubeadm init --token-ttl=120m --pod-network-cidr=10.244.0.0/16 --control-plane-endpoint "master.kube.k-space.ee:6443" --upload-certs --apiserver-cert-extra-sans master.kube.k-space.ee --node-name master1.kube.k-space.ee
|
|
||||||
```
|
|
||||||
|
|
||||||
For the `kubeadm join` command specify FQDN via `--node-name $(hostname -f)`.
|
|
||||||
|
|
||||||
Set AZ labels:
|
|
||||||
|
|
||||||
```
|
|
||||||
for j in $(seq 1 9); do
|
|
||||||
for t in master mon worker storage; do
|
|
||||||
kubectl label nodes ${t}${j}.kube.k-space.ee topology.kubernetes.io/zone=node${j}
|
|
||||||
done
|
|
||||||
done
|
|
||||||
```
|
|
||||||
|
|
||||||
After forming the cluster add taints:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
for j in $(seq 1 9); do
|
|
||||||
kubectl label nodes worker${j}.kube.k-space.ee node-role.kubernetes.io/worker=''
|
|
||||||
done
|
|
||||||
|
|
||||||
for j in $(seq 1 4); do
|
|
||||||
kubectl taint nodes mon${j}.kube.k-space.ee dedicated=monitoring:NoSchedule
|
|
||||||
kubectl label nodes mon${j}.kube.k-space.ee dedicated=monitoring
|
|
||||||
done
|
|
||||||
|
|
||||||
for j in $(seq 1 4); do
|
|
||||||
kubectl taint nodes storage${j}.kube.k-space.ee dedicated=storage:NoSchedule
|
|
||||||
kubectl label nodes storage${j}.kube.k-space.ee dedicated=storage
|
|
||||||
done
|
|
||||||
```
|
|
||||||
|
|
||||||
For `arm64` nodes add suitable taint to prevent scheduling non-multiarch images on them:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
kubectl taint nodes worker9.kube.k-space.ee arch=arm64:NoSchedule
|
|
||||||
```
|
|
||||||
|
|
||||||
For door controllers:
|
|
||||||
```
|
|
||||||
for j in ground front back; do
|
|
||||||
kubectl taint nodes door-${j}.kube.k-space.ee dedicated=door:NoSchedule
|
|
||||||
kubectl label nodes door-${j}.kube.k-space.ee dedicated=door
|
|
||||||
kubectl taint nodes door-${j}.kube.k-space.ee arch=arm64:NoSchedule
|
|
||||||
done
|
|
||||||
```
|
|
||||||
|
|
||||||
To reduce wear on storage:
|
|
||||||
```
|
|
||||||
echo StandardOutput=null >> /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
|
|
||||||
systemctl daemon-reload
|
|
||||||
systemctl restart kubelet
|
|
||||||
```
|
|
||||||
|
|
||||||
## Technology mapping
|
|
||||||
Our self-hosted Kubernetes stack compared to AWS based deployments:
|
|
||||||
|
|
||||||
| Hipster startup | Self-hosted hackerspace | Purpose |
|
|
||||||
|-------------------|-------------------------------------|---------------------------------------------------------------------|
|
|
||||||
| AWS ALB | Traefik | Reverse proxy also known as ingress controller in Kubernetes jargon |
|
|
||||||
| AWS AMP | Prometheus Operator | Monitoring and alerting |
|
|
||||||
| AWS CloudTrail | ECK Operator | Log aggregation |
|
|
||||||
| AWS DocumentDB | MongoDB Community Operator | Highly available NoSQL database |
|
|
||||||
| AWS EBS | Longhorn | Block storage for arbitrary applications needing persistent storage |
|
|
||||||
| AWS EC2 | Proxmox | Virtualization layer |
|
|
||||||
| AWS ECR | Harbor | Docker registry |
|
|
||||||
| AWS EKS | kubeadm | Provision Kubernetes master nodes |
|
|
||||||
| AWS NLB | MetalLB | L2/L3 level load balancing |
|
|
||||||
| AWS RDS for MySQL | MySQL Operator | Provision highly available relational databases |
|
|
||||||
| AWS Route53 | Bind and RFC2136 | DNS records and Let's Encrypt DNS validation |
|
|
||||||
| AWS S3 | Minio Operator | Highly available object storage |
|
|
||||||
| AWS VPC | Calico | Overlay network |
|
|
||||||
| Dex | Passmower | ACL mapping and OIDC provider which integrates with GitHub/Samba |
|
|
||||||
| GitHub Actions | Woodpecker | Build Docker images |
|
|
||||||
| GitHub | Gitea | Source code management, issue tracking |
|
|
||||||
| GitHub OAuth2 | Samba (Active Directory compatible) | Source of truth for authentication and authorization |
|
|
||||||
| Gmail | Wildduck | E-mail |
|
|
@ -10,4 +10,3 @@ this Git repository happen:
|
|||||||
* Song Meo <songmeo@k-space.ee>
|
* Song Meo <songmeo@k-space.ee>
|
||||||
* Rasmus Kallas <rasmus@k-space.ee>
|
* Rasmus Kallas <rasmus@k-space.ee>
|
||||||
* Kristjan Kuusk <kkuusk@k-space.ee>
|
* Kristjan Kuusk <kkuusk@k-space.ee>
|
||||||
* Erki Aas <eaas@k-space.ee>
|
|
||||||
|
255
README.md
@ -1,55 +1,230 @@
|
|||||||
# k-space.ee infrastructure
|
# Kubernetes cluster manifests
|
||||||
Kubernetes manifests, Ansible [playbooks](ansible/README.md), and documentation for K-SPACE services.
|
|
||||||
|
|
||||||
<!-- TODO: Docs for adding to ArgoCD (auto-)sync -->
|
## Introduction
|
||||||
- Repo is deployed with [ArgoCD](https://argocd.k-space.ee). For `kubectl` access, see [CLUSTER.md](CLUSTER.md#kubectl).
|
|
||||||
- Debugging Kubernetes [on Wiki](https://wiki.k-space.ee/en/hosting/debugging-kubernetes)
|
|
||||||
- Need help? → [`#kube`](https://k-space-ee.slack.com/archives/C02EYV1NTM2)
|
|
||||||
|
|
||||||
Jump to docs: [inventory-app](hackerspace/README.md) / [cameras](_disabled/camtiler/README.md) / [doors](https://wiki.k-space.ee/en/hosting/doors) / [list of apps](https://auth.k-space.ee) // [all infra](ansible/inventory.yml) / [network](https://wiki.k-space.ee/en/hosting/network/sensitive) / [retro](https://wiki.k-space.ee/en/hosting/retro) / [non-infra](https://wiki.k-space.ee)
|
This is the Kubernetes manifests of services running on k-space.ee domains.
|
||||||
|
The applications are listed on https://auth2.k-space.ee for authenticated users.
|
||||||
|
|
||||||
Tip: Search the repo for `kind: xyz` for examples.
|
|
||||||
|
|
||||||
## Supporting services
|
## Cluster access
|
||||||
- Build [Git](https://git.k-space.ee) repositories with [Woodpecker](https://woodpecker.k-space.ee)[^nodrone].
|
|
||||||
- Passmower: Authz with `kind: OIDCClient` (or `kind: OIDCMiddlewareClient`[^authz]).
|
|
||||||
- Traefik[^nonginx]: Expose services with `kind: Service` + `kind: Ingress` (TLS and DNS **included**).
|
|
||||||
|
|
||||||
[^nodrone]: Replaces Drone CI.
|
General discussion is happening in the `#kube` Slack channel.
|
||||||
|
|
||||||
### Additional
|
<details><summary>Bootstrapping access</summary>
|
||||||
- bind: Manage _additional_ DNS records with `kind: DNSEndpoint`.
|
For bootstrap access obtain `/etc/kubernetes/admin.conf` from one of the master
|
||||||
- [Prometheus](https://wiki.k-space.ee/en/hosting/monitoring): Collect metrics with `kind: PodMonitor` (alerts with `kind: PrometheusRule`).
|
nodes and place it under `~/.kube/config` on your machine.
|
||||||
- [Slack bots](SLACK.md) and Kubernetes [CLUSTER.md](CLUSTER.md) itself.
|
|
||||||
<!-- TODO: Redirects: external-dns.alpha.kubernetes.io/hostname + in -extras.yaml: IngressRoute and Middleware -->
|
|
||||||
|
|
||||||
[^nonginx]: No nginx annotations! Use `kind: Ingress` instead. `IngressRoute` is not used as it doesn't support [`external-dns`](bind/README.md) out of the box.
|
Once Passmower is working, OIDC access for others can be enabled with
|
||||||
[^authz]: Applications should use OpenID Connect (`kind: OIDCClient`) for authentication, whereever possible. If not possible, use `kind: OIDCMiddlewareClient` client, which will provide authentication via a Traefik middleware (`traefik.ingress.kubernetes.io/router.middlewares: passmower-proxmox@kubernetescrd`). Sometimes you might use both for extra security.
|
running following on Kubernetes masters:
|
||||||
|
|
||||||
### Network
|
```bash
|
||||||
|
patch /etc/kubernetes/manifests/kube-apiserver.yaml - << EOF
|
||||||
|
@@ -23,6 +23,10 @@
|
||||||
|
- --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
|
||||||
|
- --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
|
||||||
|
- --etcd-servers=https://127.0.0.1:2379
|
||||||
|
+ - --oidc-issuer-url=https://auth2.k-space.ee/
|
||||||
|
+ - --oidc-client-id=oidc-gateway.kubelogin
|
||||||
|
+ - --oidc-username-claim=sub
|
||||||
|
+ - --oidc-groups-claim=groups
|
||||||
|
- --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
|
||||||
|
- --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
|
||||||
|
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
|
||||||
|
EOF
|
||||||
|
sudo systemctl daemon-reload
|
||||||
|
systemctl restart kubelet
|
||||||
|
```
|
||||||
|
</details>
|
||||||
|
|
||||||
All nodes are in Infra VLAN 21. Routing is implemented with BGP, all nodes and the router make a full-mesh. Both Serice LB IPs and Pod IPs are advertised to the router. Router does NAT for outbound pod traffic.
|
The following can be used to talk to the Kubernetes cluster using OIDC credentials:
|
||||||
See the [Calico installation](tigera-operator/application.yml) for Kube side and Routing / BGP in the router.
|
|
||||||
Static routes for 193.40.103.36/30 have been added in pve nodes to make them communicating with Passmower via Traefik more stable - otherwise packets coming back to the PVE are routed directly via VLAN 21 internal IPs by the worker nodes, breaking TCP.
|
|
||||||
|
|
||||||
<!-- Linked to by https://wiki.k-space.ee/e/en/hosting/storage -->
|
```bash
|
||||||
### Databases / -stores:
|
kubectl krew install oidc-login
|
||||||
- Dragonfly: `kind: Dragonfly` (replaces Redis[^redisdead])
|
mkdir -p ~/.kube
|
||||||
- Longhorn: `storageClassName: longhorn` (filesystem storage)
|
cat << EOF > ~/.kube/config
|
||||||
- Mongo[^mongoproblems]: `kind: MongoDBCommunity` (NAS* `inventory-mongodb`)
|
apiVersion: v1
|
||||||
- Minio S3: `kind: MinioBucketClaim` with `class: dedicated` (NAS*: `class: external`)
|
clusters:
|
||||||
- MariaDB*: search for `mysql`, `mariadb`[^mariadb] (replaces MySQL)
|
- cluster:
|
||||||
- Postgres*: hardcoded to [harbor/application.yml](harbor/application.yml)
|
certificate-authority-data: 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
|
||||||
- Seeded secrets: `kind: SecretClaim` (generates random secret in templated format)
|
server: https://master.kube.k-space.ee:6443
|
||||||
- Secrets in git: https://git.k-space.ee/secretspace (members personal info, API credentials, see argocd/deploy_key.pub comment)
|
name: kubernetes
|
||||||
|
contexts:
|
||||||
|
- context:
|
||||||
|
cluster: kubernetes
|
||||||
|
user: oidc
|
||||||
|
name: default
|
||||||
|
current-context: default
|
||||||
|
kind: Config
|
||||||
|
preferences: {}
|
||||||
|
users:
|
||||||
|
- name: oidc
|
||||||
|
user:
|
||||||
|
exec:
|
||||||
|
apiVersion: client.authentication.k8s.io/v1beta1
|
||||||
|
args:
|
||||||
|
- oidc-login
|
||||||
|
- get-token
|
||||||
|
- --oidc-issuer-url=https://auth2.k-space.ee/
|
||||||
|
- --oidc-client-id=oidc-gateway.kubelogin
|
||||||
|
- --oidc-use-pkce
|
||||||
|
- --oidc-extra-scope=profile,email,groups
|
||||||
|
- --listen-address=127.0.0.1:27890
|
||||||
|
command: kubectl
|
||||||
|
env: null
|
||||||
|
provideClusterInfo: false
|
||||||
|
EOF
|
||||||
|
```
|
||||||
|
|
||||||
\* External, hosted directly on [nas.k-space.ee](https://wiki.k-space.ee/en/hosting/storage)
|
For access control mapping see [cluster-role-bindings.yml](cluster-role-bindings.yml)
|
||||||
|
|
||||||
[^mariadb]: As of 2024-07-30 used by auth, authelia, bitwarden, etherpad, freescout, git, grafana, nextcloud, wiki, woodpecker
|
### systemd-resolved issues on access
|
||||||
|
```sh
|
||||||
|
Unable to connect to the server: dial tcp: lookup master.kube.k-space.ee on 127.0.0.53:53: no such host
|
||||||
|
```
|
||||||
|
```
|
||||||
|
Network → VPN → `IPv4` → Other nameservers (Muud nimeserverid): `172.21.0.1`
|
||||||
|
Network → VPN → `IPv6` → Other nameservers (Muud nimeserverid): `2001:bb8:4008:21::1`
|
||||||
|
Network → VPN → `IPv4` → Search domains (Otsingudomeenid): `kube.k-space.ee`
|
||||||
|
Network → VPN → `IPv6` → Search domains (Otsingudomeenid): `kube.k-space.ee`
|
||||||
|
```
|
||||||
|
|
||||||
[^redisdead]: Redis has been replaced as redis-operatori couldn't handle itself: didn't reconcile after reboots, master URI was empty, and clients complained about missing masters. Dragonfly replaces KeyDB.
|
# Technology mapping
|
||||||
|
|
||||||
[^mongoproblems]: Mongo problems: Incompatible with rawfile csi (wiredtiger.wt corrupts), complicated resizing (PVCs from statefulset PVC template).
|
Our self-hosted Kubernetes stack compared to AWS based deployments:
|
||||||
|
|
||||||
***
|
| Hipster startup | Self-hosted hackerspace | Purpose |
|
||||||
_This page is referenced by wiki [front page](https://wiki.k-space.ee) as **the** technical documentation for infra._
|
|-------------------|-------------------------------------|---------------------------------------------------------------------|
|
||||||
|
| AWS ALB | Traefik | Reverse proxy also known as ingress controller in Kubernetes jargon |
|
||||||
|
| AWS AMP | Prometheus Operator | Monitoring and alerting |
|
||||||
|
| AWS CloudTrail | ECK Operator | Log aggregation |
|
||||||
|
| AWS DocumentDB | MongoDB Community Operator | Highly available NoSQL database |
|
||||||
|
| AWS EBS | Longhorn | Block storage for arbitrary applications needing persistent storage |
|
||||||
|
| AWS EC2 | Proxmox | Virtualization layer |
|
||||||
|
| AWS ECR | Harbor | Docker registry |
|
||||||
|
| AWS EKS | kubeadm | Provision Kubernetes master nodes |
|
||||||
|
| AWS NLB | MetalLB | L2/L3 level load balancing |
|
||||||
|
| AWS RDS for MySQL | MySQL Operator | Provision highly available relational databases |
|
||||||
|
| AWS Route53 | Bind and RFC2136 | DNS records and Let's Encrypt DNS validation |
|
||||||
|
| AWS S3 | Minio Operator | Highly available object storage |
|
||||||
|
| AWS VPC | Calico | Overlay network |
|
||||||
|
| Dex | Passmower | ACL mapping and OIDC provider which integrates with GitHub/Samba |
|
||||||
|
| GitHub Actions | Drone | Build Docker images |
|
||||||
|
| GitHub | Gitea | Source code management, issue tracking |
|
||||||
|
| GitHub OAuth2 | Samba (Active Directory compatible) | Source of truth for authentication and authorization |
|
||||||
|
| Gmail | Wildduck | E-mail |
|
||||||
|
|
||||||
|
|
||||||
|
External dependencies running as classic virtual machines:
|
||||||
|
|
||||||
|
- Bind as DNS server
|
||||||
|
|
||||||
|
|
||||||
|
## Adding applications
|
||||||
|
|
||||||
|
Deploy applications via [ArgoCD](https://argocd.k-space.ee)
|
||||||
|
|
||||||
|
We use Treafik with Passmower for Ingress.
|
||||||
|
Applications where possible and where applicable should use `Remote-User`
|
||||||
|
authentication. This prevents application exposure on public Internet.
|
||||||
|
Otherwise use OpenID Connect for authentication,
|
||||||
|
see Argo itself as an example how that is done.
|
||||||
|
|
||||||
|
See `camtiler/ingress.yml` for commented Ingress example.
|
||||||
|
|
||||||
|
Note that we do not use IngressRoute objects because they don't
|
||||||
|
support `external-dns` out of the box.
|
||||||
|
Do NOT add nginx annotations, we use Traefik.
|
||||||
|
Do NOT manually add DNS records, they are added by `external-dns`.
|
||||||
|
Do NOT manually create Certificate objects,
|
||||||
|
these should be handled by `tls:` section in Ingress.
|
||||||
|
|
||||||
|
|
||||||
|
## Cluster formation
|
||||||
|
|
||||||
|
Created Ubuntu 22.04 VM-s on Proxmox with local storage.
|
||||||
|
Added some ARM64 workers by using Ubuntu 22.04 server on Raspberry Pi.
|
||||||
|
|
||||||
|
After machines have booted up and you can reach them via SSH:
|
||||||
|
|
||||||
|
```
|
||||||
|
# Disable Ubuntu caching DNS resolver
|
||||||
|
systemctl disable systemd-resolved.service
|
||||||
|
systemctl stop systemd-resolved
|
||||||
|
rm -fv /etc/resolv.conf
|
||||||
|
cat > /etc/resolv.conf << EOF
|
||||||
|
nameserver 1.1.1.1
|
||||||
|
nameserver 8.8.8.8
|
||||||
|
EOF
|
||||||
|
|
||||||
|
# Disable multipathd as Longhorn handles that itself
|
||||||
|
systemctl mask multipathd snapd
|
||||||
|
systemctl disable --now multipathd snapd bluetooth ModemManager hciuart wpa_supplicant packagekit
|
||||||
|
|
||||||
|
# Permit root login
|
||||||
|
sed -i -e 's/PermitRootLogin no/PermitRootLogin without-password/' /etc/ssh/sshd_config
|
||||||
|
systemctl reload ssh
|
||||||
|
cat ~ubuntu/.ssh/authorized_keys > /root/.ssh/authorized_keys
|
||||||
|
userdel -f ubuntu
|
||||||
|
apt-get install -yqq linux-image-generic
|
||||||
|
apt-get remove -yq cloud-init linux-image-*-kvm
|
||||||
|
```
|
||||||
|
|
||||||
|
On master:
|
||||||
|
|
||||||
|
```
|
||||||
|
kubeadm init --token-ttl=120m --pod-network-cidr=10.244.0.0/16 --control-plane-endpoint "master.kube.k-space.ee:6443" --upload-certs --apiserver-cert-extra-sans master.kube.k-space.ee --node-name master1.kube.k-space.ee
|
||||||
|
```
|
||||||
|
|
||||||
|
For the `kubeadm join` command specify FQDN via `--node-name $(hostname -f)`.
|
||||||
|
|
||||||
|
Set AZ labels:
|
||||||
|
|
||||||
|
```
|
||||||
|
for j in $(seq 1 9); do
|
||||||
|
for t in master mon worker storage; do
|
||||||
|
kubectl label nodes ${t}${j}.kube.k-space.ee topology.kubernetes.io/zone=node${j}
|
||||||
|
done
|
||||||
|
done
|
||||||
|
```
|
||||||
|
|
||||||
|
After forming the cluster add taints:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
for j in $(seq 1 9); do
|
||||||
|
kubectl label nodes worker${j}.kube.k-space.ee node-role.kubernetes.io/worker=''
|
||||||
|
done
|
||||||
|
|
||||||
|
for j in $(seq 1 4); do
|
||||||
|
kubectl taint nodes mon${j}.kube.k-space.ee dedicated=monitoring:NoSchedule
|
||||||
|
kubectl label nodes mon${j}.kube.k-space.ee dedicated=monitoring
|
||||||
|
done
|
||||||
|
|
||||||
|
for j in $(seq 1 4); do
|
||||||
|
kubectl taint nodes storage${j}.kube.k-space.ee dedicated=storage:NoSchedule
|
||||||
|
kubectl label nodes storage${j}.kube.k-space.ee dedicated=storage
|
||||||
|
done
|
||||||
|
```
|
||||||
|
|
||||||
|
For `arm64` nodes add suitable taint to prevent scheduling non-multiarch images on them:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
kubectl taint nodes worker9.kube.k-space.ee arch=arm64:NoSchedule
|
||||||
|
```
|
||||||
|
|
||||||
|
For door controllers:
|
||||||
|
|
||||||
|
```
|
||||||
|
for j in ground front back; do
|
||||||
|
kubectl taint nodes door-${j}.kube.k-space.ee dedicated=door:NoSchedule
|
||||||
|
kubectl label nodes door-${j}.kube.k-space.ee dedicated=door
|
||||||
|
kubectl taint nodes door-${j}.kube.k-space.ee arch=arm64:NoSchedule
|
||||||
|
done
|
||||||
|
```
|
||||||
|
|
||||||
|
To reduce wear on storage:
|
||||||
|
|
||||||
|
```
|
||||||
|
echo StandardOutput=null >> /etc/systemd/system/kubelet.service.d/10-kubeadm.conf
|
||||||
|
systemctl daemon-reload
|
||||||
|
systemctl restart kubelet
|
||||||
|
```
|
||||||
|
28
SLACK.md
@ -1,28 +0,0 @@
|
|||||||
## Slack bots
|
|
||||||
### Doorboy3
|
|
||||||
https://api.slack.com/apps/A05NDB6FVJQ
|
|
||||||
Slack app author: rasmus
|
|
||||||
|
|
||||||
Managed by inventory-app:
|
|
||||||
- Incoming (open-commands) to `/api/slack/doorboy`, inventory-app authorizes based on command originating from #members or #work-shop && oidc access group (floor, workshop).
|
|
||||||
- Posts logs to a private channel. Restricted to 193.40.103.0/24.
|
|
||||||
|
|
||||||
Secrets as `SLACK_DOORLOG_CALLBACK` and `SLACK_VERIFICATION_TOKEN`.
|
|
||||||
|
|
||||||
### oidc-gateway
|
|
||||||
https://api.slack.com/apps/A05DART9PP1
|
|
||||||
Slack app author: eaas
|
|
||||||
|
|
||||||
Managed by passmower:
|
|
||||||
- Links e-mail to slackId.
|
|
||||||
- Login via Slack (not enabled).
|
|
||||||
|
|
||||||
Secrets as `slackId` and `slack-client`.
|
|
||||||
|
|
||||||
### podi-podi uuenduste spämmikoobas
|
|
||||||
https://api.slack.com/apps/A033RE9TUFK
|
|
||||||
Slack app author: rasmus
|
|
||||||
|
|
||||||
Posts Prometheus alerts to a private channel.
|
|
||||||
|
|
||||||
Secret as `slack-secrets`.
|
|
@ -1,39 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: networking.k8s.io/v1
|
|
||||||
kind: NetworkPolicy
|
|
||||||
metadata:
|
|
||||||
name: asterisk
|
|
||||||
spec:
|
|
||||||
podSelector:
|
|
||||||
matchLabels:
|
|
||||||
app: asterisk
|
|
||||||
policyTypes:
|
|
||||||
- Ingress
|
|
||||||
- Egress
|
|
||||||
ingress:
|
|
||||||
- from:
|
|
||||||
- namespaceSelector:
|
|
||||||
matchLabels:
|
|
||||||
kubernetes.io/metadata.name: monitoring
|
|
||||||
podSelector:
|
|
||||||
matchLabels:
|
|
||||||
app.kubernetes.io/name: prometheus
|
|
||||||
- from:
|
|
||||||
- ipBlock:
|
|
||||||
cidr: 100.101.0.0/16
|
|
||||||
- from:
|
|
||||||
- ipBlock:
|
|
||||||
cidr: 100.102.0.0/16
|
|
||||||
- from:
|
|
||||||
- ipBlock:
|
|
||||||
cidr: 81.90.125.224/32 # Lauri home
|
|
||||||
- from:
|
|
||||||
- ipBlock:
|
|
||||||
cidr: 172.20.8.241/32 # Erki A
|
|
||||||
- from:
|
|
||||||
- ipBlock:
|
|
||||||
cidr: 212.47.211.10/32 # Elisa SIP
|
|
||||||
egress:
|
|
||||||
- to:
|
|
||||||
- ipBlock:
|
|
||||||
cidr: 212.47.211.10/32 # Elisa SIP
|
|
@ -1,382 +0,0 @@
|
|||||||
apiVersion: networking.k8s.io/v1
|
|
||||||
kind: Ingress
|
|
||||||
metadata:
|
|
||||||
name: discourse
|
|
||||||
annotations:
|
|
||||||
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
|
|
||||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
|
||||||
traefik.ingress.kubernetes.io/router.tls: "true"
|
|
||||||
spec:
|
|
||||||
tls:
|
|
||||||
- hosts:
|
|
||||||
- "*.k-space.ee"
|
|
||||||
secretName:
|
|
||||||
rules:
|
|
||||||
- host: "discourse.k-space.ee"
|
|
||||||
http:
|
|
||||||
paths:
|
|
||||||
- path: /
|
|
||||||
pathType: Prefix
|
|
||||||
backend:
|
|
||||||
service:
|
|
||||||
name: discourse
|
|
||||||
port:
|
|
||||||
name: http
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: discourse
|
|
||||||
spec:
|
|
||||||
type: ClusterIP
|
|
||||||
ipFamilyPolicy: SingleStack
|
|
||||||
ports:
|
|
||||||
- name: http
|
|
||||||
port: 80
|
|
||||||
protocol: TCP
|
|
||||||
targetPort: http
|
|
||||||
selector:
|
|
||||||
app.kubernetes.io/instance: discourse
|
|
||||||
app.kubernetes.io/name: discourse
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: discourse
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: discourse
|
|
||||||
annotations:
|
|
||||||
reloader.stakater.com/auto: "true"
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app.kubernetes.io/instance: discourse
|
|
||||||
app.kubernetes.io/name: discourse
|
|
||||||
strategy:
|
|
||||||
type: Recreate
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app.kubernetes.io/instance: discourse
|
|
||||||
app.kubernetes.io/name: discourse
|
|
||||||
spec:
|
|
||||||
serviceAccountName: discourse
|
|
||||||
securityContext:
|
|
||||||
fsGroup: 0
|
|
||||||
fsGroupChangePolicy: Always
|
|
||||||
initContainers:
|
|
||||||
containers:
|
|
||||||
- name: discourse
|
|
||||||
image: docker.io/bitnami/discourse:3.3.2-debian-12-r0
|
|
||||||
imagePullPolicy: "IfNotPresent"
|
|
||||||
securityContext:
|
|
||||||
allowPrivilegeEscalation: false
|
|
||||||
capabilities:
|
|
||||||
add:
|
|
||||||
- CHOWN
|
|
||||||
- SYS_CHROOT
|
|
||||||
- FOWNER
|
|
||||||
- SETGID
|
|
||||||
- SETUID
|
|
||||||
- DAC_OVERRIDE
|
|
||||||
drop:
|
|
||||||
- ALL
|
|
||||||
privileged: false
|
|
||||||
readOnlyRootFilesystem: false
|
|
||||||
runAsGroup: 0
|
|
||||||
runAsNonRoot: false
|
|
||||||
runAsUser: 0
|
|
||||||
seLinuxOptions: {}
|
|
||||||
seccompProfile:
|
|
||||||
type: RuntimeDefault
|
|
||||||
env:
|
|
||||||
- name: BITNAMI_DEBUG
|
|
||||||
value: "true"
|
|
||||||
- name: DISCOURSE_USERNAME
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: discourse-password
|
|
||||||
key: username
|
|
||||||
- name: DISCOURSE_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: discourse-password
|
|
||||||
key: password
|
|
||||||
- name: DISCOURSE_PORT_NUMBER
|
|
||||||
value: "8080"
|
|
||||||
- name: DISCOURSE_EXTERNAL_HTTP_PORT_NUMBER
|
|
||||||
value: "80"
|
|
||||||
- name: DISCOURSE_DATABASE_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: discourse-postgresql
|
|
||||||
key: password
|
|
||||||
- name: POSTGRESQL_CLIENT_CREATE_DATABASE_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: discourse-postgres-superuser
|
|
||||||
key: password
|
|
||||||
- name: POSTGRESQL_CLIENT_POSTGRES_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: discourse-postgres-superuser
|
|
||||||
key: password
|
|
||||||
- name: REDIS_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: discourse-redis
|
|
||||||
key: redis-password
|
|
||||||
envFrom:
|
|
||||||
- configMapRef:
|
|
||||||
name: discourse
|
|
||||||
- secretRef:
|
|
||||||
name: discourse-email
|
|
||||||
ports:
|
|
||||||
- name: http
|
|
||||||
containerPort: 8080
|
|
||||||
protocol: TCP
|
|
||||||
livenessProbe:
|
|
||||||
tcpSocket:
|
|
||||||
port: http
|
|
||||||
initialDelaySeconds: 500
|
|
||||||
periodSeconds: 10
|
|
||||||
timeoutSeconds: 5
|
|
||||||
successThreshold: 1
|
|
||||||
failureThreshold: 6
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /srv/status
|
|
||||||
port: http
|
|
||||||
initialDelaySeconds: 100
|
|
||||||
periodSeconds: 10
|
|
||||||
timeoutSeconds: 5
|
|
||||||
successThreshold: 1
|
|
||||||
failureThreshold: 6
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: "6.0"
|
|
||||||
ephemeral-storage: 2Gi
|
|
||||||
memory: 12288Mi
|
|
||||||
requests:
|
|
||||||
cpu: "1.0"
|
|
||||||
ephemeral-storage: 50Mi
|
|
||||||
memory: 3072Mi
|
|
||||||
volumeMounts:
|
|
||||||
- name: discourse-data
|
|
||||||
mountPath: /bitnami/discourse
|
|
||||||
subPath: discourse
|
|
||||||
- name: sidekiq
|
|
||||||
image: docker.io/bitnami/discourse:3.3.2-debian-12-r0
|
|
||||||
imagePullPolicy: "IfNotPresent"
|
|
||||||
securityContext:
|
|
||||||
allowPrivilegeEscalation: false
|
|
||||||
capabilities:
|
|
||||||
add:
|
|
||||||
- CHOWN
|
|
||||||
- SYS_CHROOT
|
|
||||||
- FOWNER
|
|
||||||
- SETGID
|
|
||||||
- SETUID
|
|
||||||
- DAC_OVERRIDE
|
|
||||||
drop:
|
|
||||||
- ALL
|
|
||||||
privileged: false
|
|
||||||
readOnlyRootFilesystem: false
|
|
||||||
runAsGroup: 0
|
|
||||||
runAsNonRoot: false
|
|
||||||
runAsUser: 0
|
|
||||||
seLinuxOptions: {}
|
|
||||||
seccompProfile:
|
|
||||||
type: RuntimeDefault
|
|
||||||
command:
|
|
||||||
- /opt/bitnami/scripts/discourse/entrypoint.sh
|
|
||||||
args:
|
|
||||||
- /opt/bitnami/scripts/discourse-sidekiq/run.sh
|
|
||||||
env:
|
|
||||||
- name: BITNAMI_DEBUG
|
|
||||||
value: "true"
|
|
||||||
- name: DISCOURSE_USERNAME
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: discourse-password
|
|
||||||
key: username
|
|
||||||
- name: DISCOURSE_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: discourse-password
|
|
||||||
key: password
|
|
||||||
- name: DISCOURSE_DATABASE_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: discourse-postgresql
|
|
||||||
key: password
|
|
||||||
- name: DISCOURSE_POSTGRESQL_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: discourse-postgres-superuser
|
|
||||||
key: password
|
|
||||||
- name: REDIS_PASSWORD
|
|
||||||
valueFrom:
|
|
||||||
secretKeyRef:
|
|
||||||
name: discourse-redis
|
|
||||||
key: redis-password
|
|
||||||
envFrom:
|
|
||||||
- configMapRef:
|
|
||||||
name: discourse
|
|
||||||
- secretRef:
|
|
||||||
name: discourse-email
|
|
||||||
livenessProbe:
|
|
||||||
exec:
|
|
||||||
command: ["/bin/sh", "-c", "pgrep -f ^sidekiq"]
|
|
||||||
initialDelaySeconds: 500
|
|
||||||
periodSeconds: 10
|
|
||||||
timeoutSeconds: 5
|
|
||||||
successThreshold: 1
|
|
||||||
failureThreshold: 6
|
|
||||||
readinessProbe:
|
|
||||||
exec:
|
|
||||||
command: ["/bin/sh", "-c", "pgrep -f ^sidekiq"]
|
|
||||||
initialDelaySeconds: 30
|
|
||||||
periodSeconds: 10
|
|
||||||
timeoutSeconds: 5
|
|
||||||
successThreshold: 1
|
|
||||||
failureThreshold: 6
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 750m
|
|
||||||
ephemeral-storage: 2Gi
|
|
||||||
memory: 768Mi
|
|
||||||
requests:
|
|
||||||
cpu: 500m
|
|
||||||
ephemeral-storage: 50Mi
|
|
||||||
memory: 512Mi
|
|
||||||
volumeMounts:
|
|
||||||
- name: discourse-data
|
|
||||||
mountPath: /bitnami/discourse
|
|
||||||
subPath: discourse
|
|
||||||
volumes:
|
|
||||||
- name: discourse-data
|
|
||||||
persistentVolumeClaim:
|
|
||||||
claimName: discourse-data
|
|
||||||
---
|
|
||||||
kind: PersistentVolumeClaim
|
|
||||||
apiVersion: v1
|
|
||||||
metadata:
|
|
||||||
name: discourse-data
|
|
||||||
namespace: discourse
|
|
||||||
spec:
|
|
||||||
accessModes:
|
|
||||||
- "ReadWriteOnce"
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
storage: "3Gi"
|
|
||||||
storageClassName: "proxmox-nas"
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: discourse
|
|
||||||
namespace: discourse
|
|
||||||
data:
|
|
||||||
DISCOURSE_HOST: "discourse.k-space.ee"
|
|
||||||
DISCOURSE_SKIP_INSTALL: "yes"
|
|
||||||
DISCOURSE_PRECOMPILE_ASSETS: "no"
|
|
||||||
DISCOURSE_SITE_NAME: "K-Space Discourse"
|
|
||||||
DISCOURSE_USERNAME: "k-space"
|
|
||||||
DISCOURSE_EMAIL: "dos4dev@k-space.ee"
|
|
||||||
DISCOURSE_REDIS_HOST: "discourse-redis"
|
|
||||||
DISCOURSE_REDIS_PORT_NUMBER: "6379"
|
|
||||||
DISCOURSE_DATABASE_HOST: "discourse-postgres-rw"
|
|
||||||
DISCOURSE_DATABASE_PORT_NUMBER: "5432"
|
|
||||||
DISCOURSE_DATABASE_NAME: "discourse"
|
|
||||||
DISCOURSE_DATABASE_USER: "discourse"
|
|
||||||
POSTGRESQL_CLIENT_DATABASE_HOST: "discourse-postgres-rw"
|
|
||||||
POSTGRESQL_CLIENT_DATABASE_PORT_NUMBER: "5432"
|
|
||||||
POSTGRESQL_CLIENT_POSTGRES_USER: "postgres"
|
|
||||||
POSTGRESQL_CLIENT_CREATE_DATABASE_NAME: "discourse"
|
|
||||||
POSTGRESQL_CLIENT_CREATE_DATABASE_EXTENSIONS: "hstore,pg_trgm"
|
|
||||||
---
|
|
||||||
apiVersion: codemowers.cloud/v1beta1
|
|
||||||
kind: OIDCClient
|
|
||||||
metadata:
|
|
||||||
name: discourse
|
|
||||||
namespace: discourse
|
|
||||||
spec:
|
|
||||||
displayName: Discourse
|
|
||||||
uri: https://discourse.k-space.ee
|
|
||||||
redirectUris:
|
|
||||||
- https://discourse.k-space.ee/auth/oidc/callback
|
|
||||||
allowedGroups:
|
|
||||||
- k-space:floor
|
|
||||||
- k-space:friends
|
|
||||||
grantTypes:
|
|
||||||
- authorization_code
|
|
||||||
- refresh_token
|
|
||||||
responseTypes:
|
|
||||||
- code
|
|
||||||
availableScopes:
|
|
||||||
- openid
|
|
||||||
- profile
|
|
||||||
pkce: false
|
|
||||||
---
|
|
||||||
apiVersion: codemowers.cloud/v1beta1
|
|
||||||
kind: SecretClaim
|
|
||||||
metadata:
|
|
||||||
name: discourse-redis
|
|
||||||
namespace: discourse
|
|
||||||
spec:
|
|
||||||
size: 32
|
|
||||||
mapping:
|
|
||||||
- key: redis-password
|
|
||||||
value: "%(plaintext)s"
|
|
||||||
- key: REDIS_URI
|
|
||||||
value: "redis://:%(plaintext)s@discourse-redis"
|
|
||||||
---
|
|
||||||
apiVersion: dragonflydb.io/v1alpha1
|
|
||||||
kind: Dragonfly
|
|
||||||
metadata:
|
|
||||||
name: discourse-redis
|
|
||||||
namespace: discourse
|
|
||||||
spec:
|
|
||||||
authentication:
|
|
||||||
passwordFromSecret:
|
|
||||||
key: redis-password
|
|
||||||
name: discourse-redis
|
|
||||||
replicas: 3
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 1000m
|
|
||||||
memory: 1Gi
|
|
||||||
topologySpreadConstraints:
|
|
||||||
- maxSkew: 1
|
|
||||||
topologyKey: topology.kubernetes.io/zone
|
|
||||||
whenUnsatisfiable: DoNotSchedule
|
|
||||||
labelSelector:
|
|
||||||
matchLabels:
|
|
||||||
app: discourse-redis
|
|
||||||
app.kubernetes.io/part-of: dragonfly
|
|
||||||
---
|
|
||||||
apiVersion: postgresql.cnpg.io/v1
|
|
||||||
kind: Cluster
|
|
||||||
metadata:
|
|
||||||
name: discourse-postgres
|
|
||||||
namespace: discourse
|
|
||||||
spec:
|
|
||||||
instances: 1
|
|
||||||
enableSuperuserAccess: true
|
|
||||||
bootstrap:
|
|
||||||
initdb:
|
|
||||||
database: discourse
|
|
||||||
owner: discourse
|
|
||||||
secret:
|
|
||||||
name: discourse-postgresql
|
|
||||||
dataChecksums: true
|
|
||||||
encoding: 'UTF8'
|
|
||||||
storage:
|
|
||||||
size: 10Gi
|
|
||||||
storageClass: postgres
|
|
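--- a/_disabled/freeswitch/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-PASSWORDS.xml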
@ -1,14 +0,0 @@
|
|||||||
<include>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="default_password=">
|
|
||||||
<X-PRE-PROCESS cmd="set" data="ipcall_password="/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="1000_password="/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="1001_password="/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="1002_password="/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="1003_password="/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="1004_password="/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="1005_password="/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="1006_password="/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="1007_password="/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="1008_password="/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="1009_password="/>
|
|
||||||
</include>
|
|
@ -1,7 +0,0 @@
|
|||||||
```
|
|
||||||
kubectl -n freeswitch create secret generic freeswitch-passwords --from-file freeswitch/PASSWORDS.xml
|
|
||||||
```
|
|
||||||
|
|
||||||
PASSWORDS.xml is in git.k-space.ee/secretspace/kube:_disabled/freeswitch
|
|
||||||
|
|
||||||
freeswitch-sounds was extracted form of http://files.freeswitch.org/releases/sounds/freeswitch-sounds-en-us-callie-32000-1.0.53.tar.gz (with /us/ at root of the volume)
|
|
@ -1,567 +0,0 @@
|
|||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: freeswitch
|
|
||||||
namespace: freeswitch
|
|
||||||
annotations:
|
|
||||||
external-dns.alpha.kubernetes.io/hostname: freeswitch.k-space.ee
|
|
||||||
metallb.universe.tf/address-pool: eenet
|
|
||||||
metallb.universe.tf/ip-allocated-from-pool: eenet
|
|
||||||
spec:
|
|
||||||
ports:
|
|
||||||
- name: sip-internal-udp
|
|
||||||
protocol: UDP
|
|
||||||
port: 5060
|
|
||||||
targetPort: 5060
|
|
||||||
nodePort: 31787
|
|
||||||
- name: sip-nat-udp
|
|
||||||
protocol: UDP
|
|
||||||
port: 5070
|
|
||||||
targetPort: 5070
|
|
||||||
nodePort: 32241
|
|
||||||
- name: sip-external-udp
|
|
||||||
protocol: UDP
|
|
||||||
port: 5080
|
|
||||||
targetPort: 5080
|
|
||||||
nodePort: 31354
|
|
||||||
- name: sip-data-10000
|
|
||||||
protocol: UDP
|
|
||||||
port: 10000
|
|
||||||
targetPort: 10000
|
|
||||||
nodePort: 30786
|
|
||||||
- name: sip-data-10001
|
|
||||||
protocol: UDP
|
|
||||||
port: 10001
|
|
||||||
targetPort: 10001
|
|
||||||
nodePort: 31788
|
|
||||||
- name: sip-data-10002
|
|
||||||
protocol: UDP
|
|
||||||
port: 10002
|
|
||||||
targetPort: 10002
|
|
||||||
nodePort: 30247
|
|
||||||
- name: sip-data-10003
|
|
||||||
protocol: UDP
|
|
||||||
port: 10003
|
|
||||||
targetPort: 10003
|
|
||||||
nodePort: 32389
|
|
||||||
- name: sip-data-10004
|
|
||||||
protocol: UDP
|
|
||||||
port: 10004
|
|
||||||
targetPort: 10004
|
|
||||||
nodePort: 30723
|
|
||||||
- name: sip-data-10005
|
|
||||||
protocol: UDP
|
|
||||||
port: 10005
|
|
||||||
targetPort: 10005
|
|
||||||
nodePort: 30295
|
|
||||||
- name: sip-data-10006
|
|
||||||
protocol: UDP
|
|
||||||
port: 10006
|
|
||||||
targetPort: 10006
|
|
||||||
nodePort: 30782
|
|
||||||
- name: sip-data-10007
|
|
||||||
protocol: UDP
|
|
||||||
port: 10007
|
|
||||||
targetPort: 10007
|
|
||||||
nodePort: 32165
|
|
||||||
- name: sip-data-10008
|
|
||||||
protocol: UDP
|
|
||||||
port: 10008
|
|
||||||
targetPort: 10008
|
|
||||||
nodePort: 30282
|
|
||||||
- name: sip-data-10009
|
|
||||||
protocol: UDP
|
|
||||||
port: 10009
|
|
||||||
targetPort: 10009
|
|
||||||
nodePort: 31325
|
|
||||||
- name: sip-data-10010
|
|
||||||
protocol: UDP
|
|
||||||
port: 10010
|
|
||||||
targetPort: 10010
|
|
||||||
nodePort: 31234
|
|
||||||
selector:
|
|
||||||
app: freeswitch
|
|
||||||
type: LoadBalancer
|
|
||||||
externalTrafficPolicy: Local
|
|
||||||
ipFamilies:
|
|
||||||
- IPv4
|
|
||||||
ipFamilyPolicy: SingleStack
|
|
||||||
internalTrafficPolicy: Cluster
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: PersistentVolumeClaim
|
|
||||||
metadata:
|
|
||||||
name: freeswitch-sounds
|
|
||||||
namespace: freeswitch
|
|
||||||
spec:
|
|
||||||
accessModes:
|
|
||||||
- ReadWriteMany
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
storage: 2Gi
|
|
||||||
storageClassName: longhorn
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: freeswitch
|
|
||||||
namespace: freeswitch
|
|
||||||
labels:
|
|
||||||
app: freeswitch
|
|
||||||
annotations:
|
|
||||||
reloader.stakater.com/auto: "true" # reloader is disabled in cluster, (re)deploy it to use
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
strategy:
|
|
||||||
type: Recreate
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: freeswitch
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: freeswitch
|
|
||||||
spec:
|
|
||||||
volumes:
|
|
||||||
- name: config
|
|
||||||
configMap:
|
|
||||||
name: freeswitch-config
|
|
||||||
defaultMode: 420
|
|
||||||
- name: directory
|
|
||||||
configMap:
|
|
||||||
name: freeswitch-directory
|
|
||||||
defaultMode: 420
|
|
||||||
- name: sounds
|
|
||||||
persistentVolumeClaim:
|
|
||||||
claimName: freeswitch-sounds
|
|
||||||
- name: passwords
|
|
||||||
secret:
|
|
||||||
secretName: freeswitch-passwords
|
|
||||||
containers:
|
|
||||||
- name: freeswitch
|
|
||||||
image: mirror.gcr.io/dheaps/freeswitch:latest
|
|
||||||
env:
|
|
||||||
- name: SOUND_TYPES
|
|
||||||
value: en-us-callie
|
|
||||||
- name: SOUND_RATES
|
|
||||||
value: "32000"
|
|
||||||
resources: {}
|
|
||||||
volumeMounts:
|
|
||||||
- name: config
|
|
||||||
mountPath: /etc/freeswitch/sip_profiles/external/ipcall.xml
|
|
||||||
subPath: ipcall.xml
|
|
||||||
- name: config
|
|
||||||
mountPath: /etc/freeswitch/dialplan/default/00_outbound_ipcall.xml
|
|
||||||
subPath: 00_outbound_ipcall.xml
|
|
||||||
- name: config
|
|
||||||
mountPath: /etc/freeswitch/dialplan/public.xml
|
|
||||||
subPath: dialplan.xml
|
|
||||||
- name: config
|
|
||||||
mountPath: /etc/freeswitch/autoload_configs/switch.conf.xml
|
|
||||||
subPath: switch.xml
|
|
||||||
- name: config
|
|
||||||
mountPath: /etc/freeswitch/vars.xml
|
|
||||||
subPath: vars.xml
|
|
||||||
- name: passwords
|
|
||||||
mountPath: /etc/freeswitch/PASSWORDS.xml
|
|
||||||
subPath: PASSWORDS.xml
|
|
||||||
- name: directory
|
|
||||||
mountPath: /etc/freeswitch/directory/default
|
|
||||||
- name: sounds
|
|
||||||
mountPath: /usr/share/freeswitch/sounds
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: freeswitch-config
|
|
||||||
namespace: freeswitch
|
|
||||||
data:
|
|
||||||
dialplan.xml: |
|
|
||||||
<!--
|
|
||||||
NOTICE:
|
|
||||||
|
|
||||||
This context is usually accessed via the external sip profile listening on port 5080.
|
|
||||||
|
|
||||||
It is recommended to have separate inbound and outbound contexts. Not only for security
|
|
||||||
but clearing up why you would need to do such a thing. You don't want outside un-authenticated
|
|
||||||
callers hitting your default context which allows dialing calls thru your providers and results
|
|
||||||
in Toll Fraud.
|
|
||||||
-->
|
|
||||||
|
|
||||||
<!-- http://wiki.freeswitch.org/wiki/Dialplan_XML -->
|
|
||||||
<include>
|
|
||||||
<context name="public">
|
|
||||||
|
|
||||||
<extension name="unloop">
|
|
||||||
<condition field="${unroll_loops}" expression="^true$"/>
|
|
||||||
<condition field="${sip_looped_call}" expression="^true$">
|
|
||||||
<action application="deflect" data="${destination_number}"/>
|
|
||||||
</condition>
|
|
||||||
</extension>
|
|
||||||
<!--
|
|
||||||
Tag anything pass thru here as an outside_call so you can make sure not
|
|
||||||
to create any routing loops based on the conditions that it came from
|
|
||||||
the outside of the switch.
|
|
||||||
-->
|
|
||||||
<extension name="outside_call" continue="true">
|
|
||||||
<condition>
|
|
||||||
<action application="set" data="outside_call=true"/>
|
|
||||||
<action application="export" data="RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)}"/>
|
|
||||||
</condition>
|
|
||||||
</extension>
|
|
||||||
|
|
||||||
<extension name="call_debug" continue="true">
|
|
||||||
<condition field="${call_debug}" expression="^true$" break="never">
|
|
||||||
<action application="info"/>
|
|
||||||
</condition>
|
|
||||||
</extension>
|
|
||||||
|
|
||||||
<extension name="public_extensions">
|
|
||||||
<condition field="destination_number" expression="^(10[01][0-9])$">
|
|
||||||
<action application="transfer" data="$1 XML default"/>
|
|
||||||
</condition>
|
|
||||||
</extension>
|
|
||||||
|
|
||||||
<extension name="public_conference_extensions">
|
|
||||||
<condition field="destination_number" expression="^(3[5-8][01][0-9])$">
|
|
||||||
<action application="transfer" data="$1 XML default"/>
|
|
||||||
</condition>
|
|
||||||
</extension>
|
|
||||||
|
|
||||||
<!--
|
|
||||||
You can place files in the public directory to get included.
|
|
||||||
-->
|
|
||||||
<X-PRE-PROCESS cmd="include" data="public/*.xml"/>
|
|
||||||
<!--
|
|
||||||
If you have made it this far lets challenge the caller and if they authenticate
|
|
||||||
lets try what they dialed in the default context. (commented out by default)
|
|
||||||
-->
|
|
||||||
<!-- TODO:
|
|
||||||
<extension name="check_auth" continue="true">
|
|
||||||
<condition field="${sip_authorized}" expression="^true$" break="never">
|
|
||||||
<anti-action application="respond" data="407"/>
|
|
||||||
</condition>
|
|
||||||
</extension>
|
|
||||||
-->
|
|
||||||
<extension name="transfer_to_default">
|
|
||||||
<condition>
|
|
||||||
<!-- TODO: proper ring grouping -->
|
|
||||||
<action application="bridge" data="user/1004@freeswitch.k-space.ee,user/1003@freeswitch.k-space.ee,sofia/gateway/ipcall/53543824"/>
|
|
||||||
</condition>
|
|
||||||
</extension>
|
|
||||||
</context>
|
|
||||||
</include>
|
|
||||||
ipcall.xml: |
|
|
||||||
<include>
|
|
||||||
<gateway name="ipcall">
|
|
||||||
<param name="proxy" value="sip.ipcall.ee"/>
|
|
||||||
<param name="register" value="true"/>
|
|
||||||
<param name="realm" value="sip.ipcall.ee"/>
|
|
||||||
<param name="username" value="6659652"/>
|
|
||||||
<param name="password" value="$${ipcall_password}"/>
|
|
||||||
<param name="from-user" value="6659652"/>
|
|
||||||
<param name="from-domain" value="sip.ipcall.ee"/>
|
|
||||||
<param name="extension" value="ring_group/default"/>
|
|
||||||
</gateway>
|
|
||||||
</include>
|
|
||||||
00_outbound_ipcall.xml: |
|
|
||||||
<extension name="outbound">
|
|
||||||
<!-- TODO: check toll_allow ? -->
|
|
||||||
<condition field="destination_number" expression="^(\d+)$">
|
|
||||||
<action application="set" data="sip_invite_domain=sip.ipcall.ee"/>
|
|
||||||
<action application="bridge" data="sofia/gateway/ipcall/${destination_number}"/>
|
|
||||||
</condition>
|
|
||||||
</extension>
|
|
||||||
switch.xml: |
|
|
||||||
<configuration name="switch.conf" description="Core Configuration">
|
|
||||||
<cli-keybindings>
|
|
||||||
<key name="1" value="help"/>
|
|
||||||
<key name="2" value="status"/>
|
|
||||||
<key name="3" value="show channels"/>
|
|
||||||
<key name="4" value="show calls"/>
|
|
||||||
<key name="5" value="sofia status"/>
|
|
||||||
<key name="6" value="reloadxml"/>
|
|
||||||
<key name="7" value="console loglevel 0"/>
|
|
||||||
<key name="8" value="console loglevel 7"/>
|
|
||||||
<key name="9" value="sofia status profile internal"/>
|
|
||||||
<key name="10" value="sofia profile internal siptrace on"/>
|
|
||||||
<key name="11" value="sofia profile internal siptrace off"/>
|
|
||||||
<key name="12" value="version"/>
|
|
||||||
</cli-keybindings>
|
|
||||||
<default-ptimes>
|
|
||||||
</default-ptimes>
|
|
||||||
<settings>
|
|
||||||
<param name="colorize-console" value="true"/>
|
|
||||||
<param name="dialplan-timestamps" value="false"/>
|
|
||||||
<param name="max-db-handles" value="50"/>
|
|
||||||
<param name="db-handle-timeout" value="10"/>
|
|
||||||
<param name="max-sessions" value="1000"/>
|
|
||||||
<param name="sessions-per-second" value="30"/>
|
|
||||||
<param name="loglevel" value="debug"/>
|
|
||||||
<param name="mailer-app" value="sendmail"/>
|
|
||||||
<param name="mailer-app-args" value="-t"/>
|
|
||||||
<param name="dump-cores" value="yes"/>
|
|
||||||
<param name="rtp-start-port" value="10000"/>
|
|
||||||
<param name="rtp-end-port" value="10010"/>
|
|
||||||
</settings>
|
|
||||||
</configuration>
|
|
||||||
vars.xml: |
|
|
||||||
<include>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="disable_system_api_commands=true"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="sound_prefix=$${sounds_dir}/en/us/callie"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="domain=freeswitch.k-space.ee"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="domain_name=$${domain}"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="hold_music=local_stream://moh"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="use_profile=external"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="rtp_sdes_suites=AEAD_AES_256_GCM_8|AEAD_AES_128_GCM_8|AES_CM_256_HMAC_SHA1_80|AES_CM_192_HMAC_SHA1_80|AES_CM_128_HMAC_SHA1_80|AES_CM_256_HMAC_SHA1_32|AES_CM_192_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_32|AES_CM_128_NULL_AUTH"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="global_codec_prefs=OPUS,G722,PCMU,PCMA,H264,VP8"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=OPUS,G722,PCMU,PCMA,H264,VP8"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="xmpp_client_profile=xmppc"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="xmpp_server_profile=xmpps"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="bind_server_ip=auto"/>
|
|
||||||
<X-PRE-PROCESS cmd="stun-set" data="external_rtp_ip=host:freeswitch.k-space.ee"/>
|
|
||||||
<X-PRE-PROCESS cmd="stun-set" data="external_sip_ip=host:freeswitch.k-space.ee"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="unroll_loops=true"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="outbound_caller_name=FreeSWITCH"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="outbound_caller_id=0000000000"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="call_debug=false"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="console_loglevel=info"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="default_areacode=372"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="default_country=EE"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="presence_privacy=false"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="au-ring=%(400,200,383,417);%(400,2000,383,417)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="be-ring=%(1000,3000,425)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="ca-ring=%(2000,4000,440,480)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="cn-ring=%(1000,4000,450)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="cy-ring=%(1500,3000,425)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="cz-ring=%(1000,4000,425)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="de-ring=%(1000,4000,425)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="dk-ring=%(1000,4000,425)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="dz-ring=%(1500,3500,425)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="eg-ring=%(2000,1000,475,375)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="es-ring=%(1500,3000,425)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="fi-ring=%(1000,4000,425)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="fr-ring=%(1500,3500,440)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="hk-ring=%(400,200,440,480);%(400,3000,440,480)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="hu-ring=%(1250,3750,425)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="il-ring=%(1000,3000,400)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="in-ring=%(400,200,425,375);%(400,2000,425,375)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="jp-ring=%(1000,2000,420,380)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="ko-ring=%(1000,2000,440,480)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="pk-ring=%(1000,2000,400)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="pl-ring=%(1000,4000,425)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="ro-ring=%(1850,4150,475,425)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="rs-ring=%(1000,4000,425)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="ru-ring=%(800,3200,425)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="sa-ring=%(1200,4600,425)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="tr-ring=%(2000,4000,450)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="uk-ring=%(400,200,400,450);%(400,2000,400,450)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="us-ring=%(2000,4000,440,480)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="bong-ring=v=-7;%(100,0,941.0,1477.0);v=-7;>=2;+=.1;%(1400,0,350,440)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="beep=%(1000,0,640)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="sit=%(274,0,913.8);%(274,0,1370.6);%(380,0,1776.7)"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="df_us_ssn=(?!219099999|078051120)(?!666|000|9\d{2})\d{3}(?!00)\d{2}(?!0{4})\d{4}"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="df_luhn=?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11}"/>
|
|
||||||
<XX-PRE-PROCESS cmd="set" data="digits_dialed_filter=(($${df_luhn})|($${df_us_ssn}))"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="default_provider=sip.ipcall.ee"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="default_provider_username="/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="default_provider_password="/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="default_provider_from_domain=sip.ipcall.ee"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="default_provider_register=true"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="default_provider_contact=1004"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="sip_tls_version=tlsv1,tlsv1.1,tlsv1.2"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="internal_auth_calls=true"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="internal_sip_port=5060"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="internal_tls_port=5061"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="internal_ssl_enable=false"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="external_auth_calls=false"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="external_sip_port=5080"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="external_tls_port=5081"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="external_ssl_enable=false"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="rtp_video_max_bandwidth_in=3mb"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="rtp_video_max_bandwidth_out=3mb"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="suppress_cng=true"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="rtp_liberal_dtmf=true"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="video_mute_png=$${images_dir}/default-mute.png"/>
|
|
||||||
<X-PRE-PROCESS cmd="set" data="video_no_avatar_png=$${images_dir}/default-avatar.png"/>
|
|
||||||
<X-PRE-PROCESS cmd="include" data="PASSWORDS.xml"/>
|
|
||||||
</include>
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: freeswitch-directory
|
|
||||||
namespace: freeswitch
|
|
||||||
data:
|
|
||||||
1000.xml: |
|
|
||||||
<include>
|
|
||||||
<user id="1000">
|
|
||||||
<params>
|
|
||||||
<param name="password" value="$${1000_password}"/>
|
|
||||||
</params>
|
|
||||||
<variables>
|
|
||||||
<variable name="toll_allow" value="domestic,local"/>
|
|
||||||
<variable name="accountcode" value="1000"/>
|
|
||||||
<variable name="user_context" value="default"/>
|
|
||||||
<variable name="effective_caller_id_name" value=""/>
|
|
||||||
<variable name="effective_caller_id_number" value="1000"/>
|
|
||||||
<variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
|
|
||||||
<variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
|
|
||||||
</variables>
|
|
||||||
</user>
|
|
||||||
</include>
|
|
||||||
1001.xml: |
|
|
||||||
<include>
|
|
||||||
<user id="1001">
|
|
||||||
<params>
|
|
||||||
<param name="password" value="$${1001_password}"/>
|
|
||||||
</params>
|
|
||||||
<variables>
|
|
||||||
<variable name="toll_allow" value="domestic,local"/>
|
|
||||||
<variable name="accountcode" value="1001"/>
|
|
||||||
<variable name="user_context" value="default"/>
|
|
||||||
<variable name="effective_caller_id_name" value=""/>
|
|
||||||
<variable name="effective_caller_id_number" value="1001"/>
|
|
||||||
<variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
|
|
||||||
<variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
|
|
||||||
</variables>
|
|
||||||
</user>
|
|
||||||
</include>
|
|
||||||
1002.xml: |
|
|
||||||
<include>
|
|
||||||
<user id="1002">
|
|
||||||
<params>
|
|
||||||
<param name="password" value="$${1002_password}"/>
|
|
||||||
</params>
|
|
||||||
<variables>
|
|
||||||
<variable name="toll_allow" value="domestic,local"/>
|
|
||||||
<variable name="accountcode" value="1002"/>
|
|
||||||
<variable name="user_context" value="default"/>
|
|
||||||
<variable name="effective_caller_id_name" value=""/>
|
|
||||||
<variable name="effective_caller_id_number" value="1002"/>
|
|
||||||
<variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
|
|
||||||
<variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
|
|
||||||
</variables>
|
|
||||||
</user>
|
|
||||||
</include>
|
|
||||||
1003.xml: |
|
|
||||||
<include>
|
|
||||||
<user id="1003">
|
|
||||||
<params>
|
|
||||||
<param name="password" value="$${1003_password}"/>
|
|
||||||
</params>
|
|
||||||
<variables>
|
|
||||||
<variable name="toll_allow" value="domestic,local"/>
|
|
||||||
<variable name="accountcode" value="1003"/>
|
|
||||||
<variable name="user_context" value="default"/>
|
|
||||||
<variable name="effective_caller_id_name" value="Erki A"/>
|
|
||||||
<variable name="effective_caller_id_number" value="1003"/>
|
|
||||||
<variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
|
|
||||||
<variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
|
|
||||||
</variables>
|
|
||||||
</user>
|
|
||||||
</include>
|
|
||||||
1004.xml: |
|
|
||||||
<include>
|
|
||||||
<user id="1004">
|
|
||||||
<params>
|
|
||||||
<param name="password" value="$${1004_password}"/>
|
|
||||||
</params>
|
|
||||||
<variables>
|
|
||||||
<variable name="toll_allow" value="domestic,local"/>
|
|
||||||
<variable name="accountcode" value="1004"/>
|
|
||||||
<variable name="user_context" value="default"/>
|
|
||||||
<variable name="effective_caller_id_name" value="Erki A"/>
|
|
||||||
<variable name="effective_caller_id_number" value="1004"/>
|
|
||||||
<variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
|
|
||||||
<variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
|
|
||||||
</variables>
|
|
||||||
</user>
|
|
||||||
</include>
|
|
||||||
1005.xml: |
|
|
||||||
<include>
|
|
||||||
<user id="1005">
|
|
||||||
<params>
|
|
||||||
<param name="password" value="$${1005_password}"/>
|
|
||||||
</params>
|
|
||||||
<variables>
|
|
||||||
<variable name="toll_allow" value="domestic,local"/>
|
|
||||||
<variable name="accountcode" value="1005"/>
|
|
||||||
<variable name="user_context" value="default"/>
|
|
||||||
<variable name="effective_caller_id_name" value=""/>
|
|
||||||
<variable name="effective_caller_id_number" value="1005"/>
|
|
||||||
<variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
|
|
||||||
<variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
|
|
||||||
</variables>
|
|
||||||
</user>
|
|
||||||
</include>
|
|
||||||
1006.xml: |
|
|
||||||
<include>
|
|
||||||
<user id="1006">
|
|
||||||
<params>
|
|
||||||
<param name="password" value="$${1006_password}"/>
|
|
||||||
</params>
|
|
||||||
<variables>
|
|
||||||
<variable name="toll_allow" value="domestic,local"/>
|
|
||||||
<variable name="accountcode" value="1006"/>
|
|
||||||
<variable name="user_context" value="default"/>
|
|
||||||
<variable name="effective_caller_id_name" value=""/>
|
|
||||||
<variable name="effective_caller_id_number" value="1006"/>
|
|
||||||
<variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
|
|
||||||
<variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
|
|
||||||
</variables>
|
|
||||||
</user>
|
|
||||||
</include>
|
|
||||||
1007.xml: |
|
|
||||||
<include>
|
|
||||||
<user id="1007">
|
|
||||||
<params>
|
|
||||||
<param name="password" value="$${1007_password}"/>
|
|
||||||
</params>
|
|
||||||
<variables>
|
|
||||||
<variable name="toll_allow" value="domestic,local"/>
|
|
||||||
<variable name="accountcode" value="1007"/>
|
|
||||||
<variable name="user_context" value="default"/>
|
|
||||||
<variable name="effective_caller_id_name" value=""/>
|
|
||||||
<variable name="effective_caller_id_number" value="1007"/>
|
|
||||||
<variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
|
|
||||||
<variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
|
|
||||||
</variables>
|
|
||||||
</user>
|
|
||||||
</include>
|
|
||||||
1008.xml: |
|
|
||||||
<include>
|
|
||||||
<user id="1008">
|
|
||||||
<params>
|
|
||||||
<param name="password" value="$${1008_password}"/>
|
|
||||||
</params>
|
|
||||||
<variables>
|
|
||||||
<variable name="toll_allow" value="domestic,local"/>
|
|
||||||
<variable name="accountcode" value="1008"/>
|
|
||||||
<variable name="user_context" value="default"/>
|
|
||||||
<variable name="effective_caller_id_name" value=""/>
|
|
||||||
<variable name="effective_caller_id_number" value="1008"/>
|
|
||||||
<variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
|
|
||||||
<variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
|
|
||||||
</variables>
|
|
||||||
</user>
|
|
||||||
</include>
|
|
||||||
1009.xml: |
|
|
||||||
<include>
|
|
||||||
<user id="1009">
|
|
||||||
<params>
|
|
||||||
<param name="password" value="$${1009_password}"/>
|
|
||||||
</params>
|
|
||||||
<variables>
|
|
||||||
<variable name="toll_allow" value="domestic,local"/>
|
|
||||||
<variable name="accountcode" value="1009"/>
|
|
||||||
<variable name="user_context" value="default"/>
|
|
||||||
<variable name="effective_caller_id_name" value=""/>
|
|
||||||
<variable name="effective_caller_id_number" value="1009"/>
|
|
||||||
<variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/>
|
|
||||||
<variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/>
|
|
||||||
</variables>
|
|
||||||
</user>
|
|
||||||
</include>
|
|
||||||
|
|
@ -1,937 +0,0 @@
|
|||||||
# This manifest deploys the OpenEBS control plane components, with associated CRs & RBAC rules
|
|
||||||
# NOTE: On GKE, deploy the openebs-operator.yaml in admin context
|
|
||||||
|
|
||||||
# Create the OpenEBS namespace
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Namespace
|
|
||||||
metadata:
|
|
||||||
name: openebs
|
|
||||||
---
|
|
||||||
# Create Maya Service Account
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: openebs-maya-operator
|
|
||||||
namespace: openebs
|
|
||||||
---
|
|
||||||
# Define Role that allows operations on K8s pods/deployments
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: openebs-maya-operator
|
|
||||||
rules:
|
|
||||||
- apiGroups: ["*"]
|
|
||||||
resources: ["nodes", "nodes/proxy"]
|
|
||||||
verbs: ["*"]
|
|
||||||
- apiGroups: ["*"]
|
|
||||||
resources: ["namespaces", "services", "pods", "pods/exec", "deployments", "deployments/finalizers", "replicationcontrollers", "replicasets", "events", "endpoints", "configmaps", "secrets", "jobs", "cronjobs"]
|
|
||||||
verbs: ["*"]
|
|
||||||
- apiGroups: ["*"]
|
|
||||||
resources: ["statefulsets", "daemonsets"]
|
|
||||||
verbs: ["*"]
|
|
||||||
- apiGroups: ["*"]
|
|
||||||
resources: ["resourcequotas", "limitranges"]
|
|
||||||
verbs: ["list", "watch"]
|
|
||||||
- apiGroups: ["*"]
|
|
||||||
resources: ["ingresses", "horizontalpodautoscalers", "verticalpodautoscalers", "poddisruptionbudgets", "certificatesigningrequests"]
|
|
||||||
verbs: ["list", "watch"]
|
|
||||||
- apiGroups: ["*"]
|
|
||||||
resources: ["storageclasses", "persistentvolumeclaims", "persistentvolumes"]
|
|
||||||
verbs: ["*"]
|
|
||||||
- apiGroups: ["apiextensions.k8s.io"]
|
|
||||||
resources: ["customresourcedefinitions"]
|
|
||||||
verbs: [ "get", "list", "create", "update", "delete", "patch"]
|
|
||||||
- apiGroups: ["openebs.io"]
|
|
||||||
resources: [ "*"]
|
|
||||||
verbs: ["*"]
|
|
||||||
- apiGroups: ["coordination.k8s.io"]
|
|
||||||
resources: ["leases"]
|
|
||||||
verbs: ["get", "create", "update"]
|
|
||||||
- nonResourceURLs: ["/metrics"]
|
|
||||||
verbs: ["get"]
|
|
||||||
---
|
|
||||||
# Bind the Service Account with the Role Privileges.
|
|
||||||
# TODO: Check if default account also needs to be there
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: openebs-maya-operator
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: openebs-maya-operator
|
|
||||||
namespace: openebs
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: openebs-maya-operator
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
---
|
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
|
||||||
kind: CustomResourceDefinition
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
controller-gen.kubebuilder.io/version: v0.5.0
|
|
||||||
creationTimestamp: null
|
|
||||||
name: blockdevices.openebs.io
|
|
||||||
spec:
|
|
||||||
group: openebs.io
|
|
||||||
names:
|
|
||||||
kind: BlockDevice
|
|
||||||
listKind: BlockDeviceList
|
|
||||||
plural: blockdevices
|
|
||||||
shortNames:
|
|
||||||
- bd
|
|
||||||
singular: blockdevice
|
|
||||||
scope: Namespaced
|
|
||||||
versions:
|
|
||||||
- additionalPrinterColumns:
|
|
||||||
- jsonPath: .spec.nodeAttributes.nodeName
|
|
||||||
name: NodeName
|
|
||||||
type: string
|
|
||||||
- jsonPath: .spec.path
|
|
||||||
name: Path
|
|
||||||
priority: 1
|
|
||||||
type: string
|
|
||||||
- jsonPath: .spec.filesystem.fsType
|
|
||||||
name: FSType
|
|
||||||
priority: 1
|
|
||||||
type: string
|
|
||||||
- jsonPath: .spec.capacity.storage
|
|
||||||
name: Size
|
|
||||||
type: string
|
|
||||||
- jsonPath: .status.claimState
|
|
||||||
name: ClaimState
|
|
||||||
type: string
|
|
||||||
- jsonPath: .status.state
|
|
||||||
name: Status
|
|
||||||
type: string
|
|
||||||
- jsonPath: .metadata.creationTimestamp
|
|
||||||
name: Age
|
|
||||||
type: date
|
|
||||||
name: v1alpha1
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
description: BlockDevice is the Schema for the blockdevices API
|
|
||||||
properties:
|
|
||||||
apiVersion:
|
|
||||||
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
||||||
type: string
|
|
||||||
kind:
|
|
||||||
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
||||||
type: string
|
|
||||||
metadata:
|
|
||||||
type: object
|
|
||||||
spec:
|
|
||||||
description: DeviceSpec defines the properties and runtime status of a BlockDevice
|
|
||||||
properties:
|
|
||||||
aggregateDevice:
|
|
||||||
description: AggregateDevice was intended to store the hierarchical information in cases of LVM. However this is currently not implemented and may need to be re-looked into for better design. To be deprecated
|
|
||||||
type: string
|
|
||||||
capacity:
|
|
||||||
description: Capacity
|
|
||||||
properties:
|
|
||||||
logicalSectorSize:
|
|
||||||
description: LogicalSectorSize is blockdevice logical-sector size in bytes
|
|
||||||
format: int32
|
|
||||||
type: integer
|
|
||||||
physicalSectorSize:
|
|
||||||
description: PhysicalSectorSize is blockdevice physical-Sector size in bytes
|
|
||||||
format: int32
|
|
||||||
type: integer
|
|
||||||
storage:
|
|
||||||
description: Storage is the blockdevice capacity in bytes
|
|
||||||
format: int64
|
|
||||||
type: integer
|
|
||||||
required:
|
|
||||||
- storage
|
|
||||||
type: object
|
|
||||||
claimRef:
|
|
||||||
description: ClaimRef is the reference to the BDC which has claimed this BD
|
|
||||||
properties:
|
|
||||||
apiVersion:
|
|
||||||
description: API version of the referent.
|
|
||||||
type: string
|
|
||||||
fieldPath:
|
|
||||||
description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.'
|
|
||||||
type: string
|
|
||||||
kind:
|
|
||||||
description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
||||||
type: string
|
|
||||||
name:
|
|
||||||
description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
|
|
||||||
type: string
|
|
||||||
namespace:
|
|
||||||
description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
|
|
||||||
type: string
|
|
||||||
resourceVersion:
|
|
||||||
description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
|
|
||||||
type: string
|
|
||||||
uid:
|
|
||||||
description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
|
|
||||||
type: string
|
|
||||||
type: object
|
|
||||||
details:
|
|
||||||
description: Details contain static attributes of BD like model,serial, and so forth
|
|
||||||
properties:
|
|
||||||
compliance:
|
|
||||||
description: Compliance is standards/specifications version implemented by device firmware such as SPC-1, SPC-2, etc
|
|
||||||
type: string
|
|
||||||
deviceType:
|
|
||||||
description: DeviceType represents the type of device like sparse, disk, partition, lvm, crypt
|
|
||||||
enum:
|
|
||||||
- disk
|
|
||||||
- partition
|
|
||||||
- sparse
|
|
||||||
- loop
|
|
||||||
- lvm
|
|
||||||
- crypt
|
|
||||||
- dm
|
|
||||||
- mpath
|
|
||||||
type: string
|
|
||||||
driveType:
|
|
||||||
description: DriveType is the type of backing drive, HDD/SSD
|
|
||||||
enum:
|
|
||||||
- HDD
|
|
||||||
- SSD
|
|
||||||
- Unknown
|
|
||||||
- ""
|
|
||||||
type: string
|
|
||||||
firmwareRevision:
|
|
||||||
description: FirmwareRevision is the disk firmware revision
|
|
||||||
type: string
|
|
||||||
hardwareSectorSize:
|
|
||||||
description: HardwareSectorSize is the hardware sector size in bytes
|
|
||||||
format: int32
|
|
||||||
type: integer
|
|
||||||
logicalBlockSize:
|
|
||||||
description: LogicalBlockSize is the logical block size in bytes reported by /sys/class/block/sda/queue/logical_block_size
|
|
||||||
format: int32
|
|
||||||
type: integer
|
|
||||||
model:
|
|
||||||
description: Model is model of disk
|
|
||||||
type: string
|
|
||||||
physicalBlockSize:
|
|
||||||
description: PhysicalBlockSize is the physical block size in bytes reported by /sys/class/block/sda/queue/physical_block_size
|
|
||||||
format: int32
|
|
||||||
type: integer
|
|
||||||
serial:
|
|
||||||
description: Serial is serial number of disk
|
|
||||||
type: string
|
|
||||||
vendor:
|
|
||||||
description: Vendor is vendor of disk
|
|
||||||
type: string
|
|
||||||
type: object
|
|
||||||
devlinks:
|
|
||||||
description: DevLinks contains soft links of a block device like /dev/by-id/... /dev/by-uuid/...
|
|
||||||
items:
|
|
||||||
description: DeviceDevLink holds the mapping between type and links like by-id type or by-path type link
|
|
||||||
properties:
|
|
||||||
kind:
|
|
||||||
description: Kind is the type of link like by-id or by-path.
|
|
||||||
enum:
|
|
||||||
- by-id
|
|
||||||
- by-path
|
|
||||||
type: string
|
|
||||||
links:
|
|
||||||
description: Links are the soft links
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
filesystem:
|
|
||||||
description: FileSystem contains mountpoint and filesystem type
|
|
||||||
properties:
|
|
||||||
fsType:
|
|
||||||
description: Type represents the FileSystem type of the block device
|
|
||||||
type: string
|
|
||||||
mountPoint:
|
|
||||||
description: MountPoint represents the mountpoint of the block device.
|
|
||||||
type: string
|
|
||||||
type: object
|
|
||||||
nodeAttributes:
|
|
||||||
description: NodeAttributes has the details of the node on which BD is attached
|
|
||||||
properties:
|
|
||||||
nodeName:
|
|
||||||
description: NodeName is the name of the Kubernetes node resource on which the device is attached
|
|
||||||
type: string
|
|
||||||
type: object
|
|
||||||
parentDevice:
|
|
||||||
description: "ParentDevice was intended to store the UUID of the parent Block Device as is the case for partitioned block devices. \n For example: /dev/sda is the parent for /dev/sda1 To be deprecated"
|
|
||||||
type: string
|
|
||||||
partitioned:
|
|
||||||
description: Partitioned represents if BlockDevice has partitions or not (Yes/No) Currently always default to No. To be deprecated
|
|
||||||
enum:
|
|
||||||
- "Yes"
|
|
||||||
- "No"
|
|
||||||
type: string
|
|
||||||
path:
|
|
||||||
description: Path contain devpath (e.g. /dev/sdb)
|
|
||||||
type: string
|
|
||||||
required:
|
|
||||||
- capacity
|
|
||||||
- devlinks
|
|
||||||
- nodeAttributes
|
|
||||||
- path
|
|
||||||
type: object
|
|
||||||
status:
|
|
||||||
description: DeviceStatus defines the observed state of BlockDevice
|
|
||||||
properties:
|
|
||||||
claimState:
|
|
||||||
description: ClaimState represents the claim state of the block device
|
|
||||||
enum:
|
|
||||||
- Claimed
|
|
||||||
- Unclaimed
|
|
||||||
- Released
|
|
||||||
type: string
|
|
||||||
state:
|
|
||||||
description: State is the current state of the blockdevice (Active/Inactive/Unknown)
|
|
||||||
enum:
|
|
||||||
- Active
|
|
||||||
- Inactive
|
|
||||||
- Unknown
|
|
||||||
type: string
|
|
||||||
required:
|
|
||||||
- claimState
|
|
||||||
- state
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
served: true
|
|
||||||
storage: true
|
|
||||||
subresources: {}
|
|
||||||
status:
|
|
||||||
acceptedNames:
|
|
||||||
kind: ""
|
|
||||||
plural: ""
|
|
||||||
conditions: []
|
|
||||||
storedVersions: []
|
|
||||||
|
|
||||||
---
|
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
|
||||||
kind: CustomResourceDefinition
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
controller-gen.kubebuilder.io/version: v0.5.0
|
|
||||||
creationTimestamp: null
|
|
||||||
name: blockdeviceclaims.openebs.io
|
|
||||||
spec:
|
|
||||||
group: openebs.io
|
|
||||||
names:
|
|
||||||
kind: BlockDeviceClaim
|
|
||||||
listKind: BlockDeviceClaimList
|
|
||||||
plural: blockdeviceclaims
|
|
||||||
shortNames:
|
|
||||||
- bdc
|
|
||||||
singular: blockdeviceclaim
|
|
||||||
scope: Namespaced
|
|
||||||
versions:
|
|
||||||
- additionalPrinterColumns:
|
|
||||||
- jsonPath: .spec.blockDeviceName
|
|
||||||
name: BlockDeviceName
|
|
||||||
type: string
|
|
||||||
- jsonPath: .status.phase
|
|
||||||
name: Phase
|
|
||||||
type: string
|
|
||||||
- jsonPath: .metadata.creationTimestamp
|
|
||||||
name: Age
|
|
||||||
type: date
|
|
||||||
name: v1alpha1
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
description: BlockDeviceClaim is the Schema for the blockdeviceclaims API
|
|
||||||
properties:
|
|
||||||
apiVersion:
|
|
||||||
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
||||||
type: string
|
|
||||||
kind:
|
|
||||||
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
||||||
type: string
|
|
||||||
metadata:
|
|
||||||
type: object
|
|
||||||
spec:
|
|
||||||
description: DeviceClaimSpec defines the request details for a BlockDevice
|
|
||||||
properties:
|
|
||||||
blockDeviceName:
|
|
||||||
description: BlockDeviceName is the reference to the block-device backing this claim
|
|
||||||
type: string
|
|
||||||
blockDeviceNodeAttributes:
|
|
||||||
description: BlockDeviceNodeAttributes is the attributes on the node from which a BD should be selected for this claim. It can include nodename, failure domain etc.
|
|
||||||
properties:
|
|
||||||
hostName:
|
|
||||||
description: HostName represents the hostname of the Kubernetes node resource where the BD should be present
|
|
||||||
type: string
|
|
||||||
nodeName:
|
|
||||||
description: NodeName represents the name of the Kubernetes node resource where the BD should be present
|
|
||||||
type: string
|
|
||||||
type: object
|
|
||||||
deviceClaimDetails:
|
|
||||||
description: Details of the device to be claimed
|
|
||||||
properties:
|
|
||||||
allowPartition:
|
|
||||||
description: AllowPartition represents whether to claim a full block device or a device that is a partition
|
|
||||||
type: boolean
|
|
||||||
blockVolumeMode:
|
|
||||||
description: 'BlockVolumeMode represents whether to claim a device in Block mode or Filesystem mode. These are use cases of BlockVolumeMode: 1) Not specified: VolumeMode check will not be effective 2) VolumeModeBlock: BD should not have any filesystem or mountpoint 3) VolumeModeFileSystem: BD should have a filesystem and mountpoint. If DeviceFormat is specified then the format should match with the FSType in BD'
|
|
||||||
type: string
|
|
||||||
formatType:
|
|
||||||
description: Format of the device required, eg:ext4, xfs
|
|
||||||
type: string
|
|
||||||
type: object
|
|
||||||
deviceType:
|
|
||||||
description: DeviceType represents the type of drive like SSD, HDD etc.,
|
|
||||||
nullable: true
|
|
||||||
type: string
|
|
||||||
hostName:
|
|
||||||
description: Node name from where blockdevice has to be claimed. To be deprecated. Use NodeAttributes.HostName instead
|
|
||||||
type: string
|
|
||||||
resources:
|
|
||||||
description: Resources will help with placing claims on Capacity, IOPS
|
|
||||||
properties:
|
|
||||||
requests:
|
|
||||||
additionalProperties:
|
|
||||||
anyOf:
|
|
||||||
- type: integer
|
|
||||||
- type: string
|
|
||||||
pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
|
|
||||||
x-kubernetes-int-or-string: true
|
|
||||||
description: 'Requests describes the minimum resources required. eg: if storage resource of 10G is requested minimum capacity of 10G should be available TODO for validating'
|
|
||||||
type: object
|
|
||||||
required:
|
|
||||||
- requests
|
|
||||||
type: object
|
|
||||||
selector:
|
|
||||||
description: Selector is used to find block devices to be considered for claiming
|
|
||||||
properties:
|
|
||||||
matchExpressions:
|
|
||||||
description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
|
|
||||||
items:
|
|
||||||
description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
|
|
||||||
properties:
|
|
||||||
key:
|
|
||||||
description: key is the label key that the selector applies to.
|
|
||||||
type: string
|
|
||||||
operator:
|
|
||||||
description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
|
|
||||||
type: string
|
|
||||||
values:
|
|
||||||
description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
|
|
||||||
items:
|
|
||||||
type: string
|
|
||||||
type: array
|
|
||||||
required:
|
|
||||||
- key
|
|
||||||
- operator
|
|
||||||
type: object
|
|
||||||
type: array
|
|
||||||
matchLabels:
|
|
||||||
additionalProperties:
|
|
||||||
type: string
|
|
||||||
description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
status:
|
|
||||||
description: DeviceClaimStatus defines the observed state of BlockDeviceClaim
|
|
||||||
properties:
|
|
||||||
phase:
|
|
||||||
description: Phase represents the current phase of the claim
|
|
||||||
type: string
|
|
||||||
required:
|
|
||||||
- phase
|
|
||||||
type: object
|
|
||||||
type: object
|
|
||||||
served: true
|
|
||||||
storage: true
|
|
||||||
subresources: {}
|
|
||||||
status:
|
|
||||||
acceptedNames:
|
|
||||||
kind: ""
|
|
||||||
plural: ""
|
|
||||||
conditions: []
|
|
||||||
storedVersions: []
|
|
||||||
---
|
|
||||||
# This is the node-disk-manager related config.
|
|
||||||
# It can be used to customize the disks probes and filters
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ConfigMap
|
|
||||||
metadata:
|
|
||||||
name: openebs-ndm-config
|
|
||||||
namespace: openebs
|
|
||||||
labels:
|
|
||||||
openebs.io/component-name: ndm-config
|
|
||||||
data:
|
|
||||||
# udev-probe is default or primary probe it should be enabled to run ndm
|
|
||||||
# filterconfigs contains configs of filters. To provide a group of include
|
|
||||||
# and exclude values add it as , separated string
|
|
||||||
node-disk-manager.config: |
|
|
||||||
probeconfigs:
|
|
||||||
- key: udev-probe
|
|
||||||
name: udev probe
|
|
||||||
state: true
|
|
||||||
- key: seachest-probe
|
|
||||||
name: seachest probe
|
|
||||||
state: false
|
|
||||||
- key: smart-probe
|
|
||||||
name: smart probe
|
|
||||||
state: true
|
|
||||||
filterconfigs:
|
|
||||||
- key: os-disk-exclude-filter
|
|
||||||
name: os disk exclude filter
|
|
||||||
state: true
|
|
||||||
exclude: "/,/etc/hosts,/boot"
|
|
||||||
- key: vendor-filter
|
|
||||||
name: vendor filter
|
|
||||||
state: true
|
|
||||||
include: ""
|
|
||||||
exclude: "CLOUDBYT,OpenEBS"
|
|
||||||
- key: path-filter
|
|
||||||
name: path filter
|
|
||||||
state: true
|
|
||||||
include: ""
|
|
||||||
exclude: "/dev/loop,/dev/fd0,/dev/sr0,/dev/ram,/dev/md,/dev/dm-,/dev/rbd,/dev/zd"
|
|
||||||
# metconfig can be used to decorate the block device with different types of labels
|
|
||||||
# that are available on the node or come in a device properties.
|
|
||||||
# node labels - the node where bd is discovered. A whitlisted label prefixes
|
|
||||||
# attribute labels - a property of the BD can be added as a ndm label as ndm.io/<property>=<property-value>
|
|
||||||
metaconfigs:
|
|
||||||
- key: node-labels
|
|
||||||
name: node labels
|
|
||||||
pattern: ""
|
|
||||||
- key: device-labels
|
|
||||||
name: device labels
|
|
||||||
type: ""
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: DaemonSet
|
|
||||||
metadata:
|
|
||||||
name: openebs-ndm
|
|
||||||
namespace: openebs
|
|
||||||
labels:
|
|
||||||
name: openebs-ndm
|
|
||||||
openebs.io/component-name: ndm
|
|
||||||
openebs.io/version: 3.5.0
|
|
||||||
spec:
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
name: openebs-ndm
|
|
||||||
openebs.io/component-name: ndm
|
|
||||||
updateStrategy:
|
|
||||||
type: RollingUpdate
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
name: openebs-ndm
|
|
||||||
openebs.io/component-name: ndm
|
|
||||||
openebs.io/version: 3.5.0
|
|
||||||
spec:
|
|
||||||
# By default the node-disk-manager will be run on all kubernetes nodes
|
|
||||||
# If you would like to limit this to only some nodes, say the nodes
|
|
||||||
# that have storage attached, you could label those node and use
|
|
||||||
# nodeSelector.
|
|
||||||
#
|
|
||||||
# e.g. label the storage nodes with - "openebs.io/nodegroup"="storage-node"
|
|
||||||
# kubectl label node <node-name> "openebs.io/nodegroup"="storage-node"
|
|
||||||
#nodeSelector:
|
|
||||||
# "openebs.io/nodegroup": "storage-node"
|
|
||||||
serviceAccountName: openebs-maya-operator
|
|
||||||
hostNetwork: true
|
|
||||||
# host PID is used to check status of iSCSI Service when the NDM
|
|
||||||
# API service is enabled
|
|
||||||
#hostPID: true
|
|
||||||
containers:
|
|
||||||
- name: node-disk-manager
|
|
||||||
image: openebs/node-disk-manager:2.1.0
|
|
||||||
args:
|
|
||||||
- -v=4
|
|
||||||
# The feature-gate is used to enable the new UUID algorithm.
|
|
||||||
- --feature-gates="GPTBasedUUID"
|
|
||||||
# Use partition table UUID instead of create single partition to get
|
|
||||||
# partition UUID. Require `GPTBasedUUID` to be enabled with.
|
|
||||||
# - --feature-gates="PartitionTableUUID"
|
|
||||||
# Detect changes to device size, filesystem and mount-points without restart.
|
|
||||||
# - --feature-gates="ChangeDetection"
|
|
||||||
# The feature gate is used to start the gRPC API service. The gRPC server
|
|
||||||
# starts at 9115 port by default. This feature is currently in Alpha state
|
|
||||||
# - --feature-gates="APIService"
|
|
||||||
# The feature gate is used to enable NDM, to create blockdevice resources
|
|
||||||
# for unused partitions on the OS disk
|
|
||||||
# - --feature-gates="UseOSDisk"
|
|
||||||
imagePullPolicy: IfNotPresent
|
|
||||||
securityContext:
|
|
||||||
privileged: true
|
|
||||||
volumeMounts:
|
|
||||||
- name: config
|
|
||||||
mountPath: /host/node-disk-manager.config
|
|
||||||
subPath: node-disk-manager.config
|
|
||||||
readOnly: true
|
|
||||||
# make udev database available inside container
|
|
||||||
- name: udev
|
|
||||||
mountPath: /run/udev
|
|
||||||
- name: procmount
|
|
||||||
mountPath: /host/proc
|
|
||||||
readOnly: true
|
|
||||||
- name: devmount
|
|
||||||
mountPath: /dev
|
|
||||||
- name: basepath
|
|
||||||
mountPath: /var/openebs/ndm
|
|
||||||
- name: sparsepath
|
|
||||||
mountPath: /var/openebs/sparse
|
|
||||||
env:
|
|
||||||
# namespace in which NDM is installed will be passed to NDM Daemonset
|
|
||||||
# as environment variable
|
|
||||||
- name: NAMESPACE
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.namespace
|
|
||||||
# pass hostname as env variable using downward API to the NDM container
|
|
||||||
- name: NODE_NAME
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: spec.nodeName
|
|
||||||
# specify the directory where the sparse files need to be created.
|
|
||||||
# if not specified, then sparse files will not be created.
|
|
||||||
- name: SPARSE_FILE_DIR
|
|
||||||
value: "/var/openebs/sparse"
|
|
||||||
# Size(bytes) of the sparse file to be created.
|
|
||||||
- name: SPARSE_FILE_SIZE
|
|
||||||
value: "10737418240"
|
|
||||||
# Specify the number of sparse files to be created
|
|
||||||
- name: SPARSE_FILE_COUNT
|
|
||||||
value: "0"
|
|
||||||
livenessProbe:
|
|
||||||
exec:
|
|
||||||
command:
|
|
||||||
- pgrep
|
|
||||||
- "ndm"
|
|
||||||
initialDelaySeconds: 30
|
|
||||||
periodSeconds: 60
|
|
||||||
volumes:
|
|
||||||
- name: config
|
|
||||||
configMap:
|
|
||||||
name: openebs-ndm-config
|
|
||||||
- name: udev
|
|
||||||
hostPath:
|
|
||||||
path: /run/udev
|
|
||||||
type: Directory
|
|
||||||
# mount /proc (to access mount file of process 1 of host) inside container
|
|
||||||
# to read mount-point of disks and partitions
|
|
||||||
- name: procmount
|
|
||||||
hostPath:
|
|
||||||
path: /proc
|
|
||||||
type: Directory
|
|
||||||
- name: devmount
|
|
||||||
# the /dev directory is mounted so that we have access to the devices that
|
|
||||||
# are connected at runtime of the pod.
|
|
||||||
hostPath:
|
|
||||||
path: /dev
|
|
||||||
type: Directory
|
|
||||||
- name: basepath
|
|
||||||
hostPath:
|
|
||||||
path: /var/openebs/ndm
|
|
||||||
type: DirectoryOrCreate
|
|
||||||
- name: sparsepath
|
|
||||||
hostPath:
|
|
||||||
path: /var/openebs/sparse
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: openebs-ndm-operator
|
|
||||||
namespace: openebs
|
|
||||||
labels:
|
|
||||||
name: openebs-ndm-operator
|
|
||||||
openebs.io/component-name: ndm-operator
|
|
||||||
openebs.io/version: 3.5.0
|
|
||||||
spec:
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
name: openebs-ndm-operator
|
|
||||||
openebs.io/component-name: ndm-operator
|
|
||||||
replicas: 1
|
|
||||||
strategy:
|
|
||||||
type: Recreate
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
name: openebs-ndm-operator
|
|
||||||
openebs.io/component-name: ndm-operator
|
|
||||||
openebs.io/version: 3.5.0
|
|
||||||
spec:
|
|
||||||
serviceAccountName: openebs-maya-operator
|
|
||||||
containers:
|
|
||||||
- name: node-disk-operator
|
|
||||||
image: openebs/node-disk-operator:2.1.0
|
|
||||||
imagePullPolicy: IfNotPresent
|
|
||||||
env:
|
|
||||||
- name: WATCH_NAMESPACE
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.namespace
|
|
||||||
- name: POD_NAME
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.name
|
|
||||||
# the service account of the ndm-operator pod
|
|
||||||
- name: SERVICE_ACCOUNT
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: spec.serviceAccountName
|
|
||||||
- name: OPERATOR_NAME
|
|
||||||
value: "node-disk-operator"
|
|
||||||
- name: CLEANUP_JOB_IMAGE
|
|
||||||
value: "openebs/linux-utils:3.5.0"
|
|
||||||
# OPENEBS_IO_IMAGE_PULL_SECRETS environment variable is used to pass the image pull secrets
|
|
||||||
# to the cleanup pod launched by NDM operator
|
|
||||||
#- name: OPENEBS_IO_IMAGE_PULL_SECRETS
|
|
||||||
# value: ""
|
|
||||||
livenessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /healthz
|
|
||||||
port: 8585
|
|
||||||
initialDelaySeconds: 15
|
|
||||||
periodSeconds: 20
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /readyz
|
|
||||||
port: 8585
|
|
||||||
initialDelaySeconds: 5
|
|
||||||
periodSeconds: 10
|
|
||||||
---
|
|
||||||
# Create NDM cluster exporter deployment.
|
|
||||||
# This is an optional component and is not required for the basic
|
|
||||||
# functioning of NDM
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: openebs-ndm-cluster-exporter
|
|
||||||
namespace: openebs
|
|
||||||
labels:
|
|
||||||
name: openebs-ndm-cluster-exporter
|
|
||||||
openebs.io/component-name: ndm-cluster-exporter
|
|
||||||
openebs.io/version: 3.5.0
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
strategy:
|
|
||||||
type: Recreate
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
name: openebs-ndm-cluster-exporter
|
|
||||||
openebs.io/component-name: ndm-cluster-exporter
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
name: openebs-ndm-cluster-exporter
|
|
||||||
openebs.io/component-name: ndm-cluster-exporter
|
|
||||||
openebs.io/version: 3.5.0
|
|
||||||
spec:
|
|
||||||
serviceAccountName: openebs-maya-operator
|
|
||||||
containers:
|
|
||||||
- name: ndm-cluster-exporter
|
|
||||||
image: openebs/node-disk-exporter:2.1.0
|
|
||||||
command:
|
|
||||||
- /usr/local/bin/exporter
|
|
||||||
args:
|
|
||||||
- "start"
|
|
||||||
- "--mode=cluster"
|
|
||||||
- "--port=$(METRICS_LISTEN_PORT)"
|
|
||||||
- "--metrics=/metrics"
|
|
||||||
ports:
|
|
||||||
- containerPort: 9100
|
|
||||||
protocol: TCP
|
|
||||||
name: metrics
|
|
||||||
imagePullPolicy: IfNotPresent
|
|
||||||
env:
|
|
||||||
- name: NAMESPACE
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.namespace
|
|
||||||
- name: METRICS_LISTEN_PORT
|
|
||||||
value: :9100
|
|
||||||
---
|
|
||||||
# Create NDM cluster exporter service
|
|
||||||
# This is optional and required only when
|
|
||||||
# ndm-cluster-exporter deployment is used
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: openebs-ndm-cluster-exporter-service
|
|
||||||
namespace: openebs
|
|
||||||
labels:
|
|
||||||
name: openebs-ndm-cluster-exporter-service
|
|
||||||
openebs.io/component-name: ndm-cluster-exporter
|
|
||||||
app: openebs-ndm-exporter
|
|
||||||
spec:
|
|
||||||
clusterIP: None
|
|
||||||
ports:
|
|
||||||
- name: metrics
|
|
||||||
port: 9100
|
|
||||||
targetPort: 9100
|
|
||||||
selector:
|
|
||||||
name: openebs-ndm-cluster-exporter
|
|
||||||
---
|
|
||||||
# Create NDM node exporter daemonset.
|
|
||||||
# This is an optional component used for getting disk level
|
|
||||||
# metrics from each of the storage nodes
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: DaemonSet
|
|
||||||
metadata:
|
|
||||||
name: openebs-ndm-node-exporter
|
|
||||||
namespace: openebs
|
|
||||||
labels:
|
|
||||||
name: openebs-ndm-node-exporter
|
|
||||||
openebs.io/component-name: ndm-node-exporter
|
|
||||||
openebs.io/version: 3.5.0
|
|
||||||
spec:
|
|
||||||
updateStrategy:
|
|
||||||
type: RollingUpdate
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
name: openebs-ndm-node-exporter
|
|
||||||
openebs.io/component-name: ndm-node-exporter
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
name: openebs-ndm-node-exporter
|
|
||||||
openebs.io/component-name: ndm-node-exporter
|
|
||||||
openebs.io/version: 3.5.0
|
|
||||||
spec:
|
|
||||||
serviceAccountName: openebs-maya-operator
|
|
||||||
containers:
|
|
||||||
- name: node-disk-exporter
|
|
||||||
image: openebs/node-disk-exporter:2.1.0
|
|
||||||
command:
|
|
||||||
- /usr/local/bin/exporter
|
|
||||||
args:
|
|
||||||
- "start"
|
|
||||||
- "--mode=node"
|
|
||||||
- "--port=$(METRICS_LISTEN_PORT)"
|
|
||||||
- "--metrics=/metrics"
|
|
||||||
ports:
|
|
||||||
- containerPort: 9101
|
|
||||||
protocol: TCP
|
|
||||||
name: metrics
|
|
||||||
imagePullPolicy: IfNotPresent
|
|
||||||
securityContext:
|
|
||||||
privileged: true
|
|
||||||
env:
|
|
||||||
- name: NAMESPACE
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.namespace
|
|
||||||
- name: METRICS_LISTEN_PORT
|
|
||||||
value: :9101
|
|
||||||
---
|
|
||||||
# Create NDM node exporter service
|
|
||||||
# This is optional and required only when
|
|
||||||
# ndm-node-exporter daemonset is used
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Service
|
|
||||||
metadata:
|
|
||||||
name: openebs-ndm-node-exporter-service
|
|
||||||
namespace: openebs
|
|
||||||
labels:
|
|
||||||
name: openebs-ndm-node-exporter
|
|
||||||
openebs.io/component: openebs-ndm-node-exporter
|
|
||||||
app: openebs-ndm-exporter
|
|
||||||
spec:
|
|
||||||
clusterIP: None
|
|
||||||
ports:
|
|
||||||
- name: metrics
|
|
||||||
port: 9101
|
|
||||||
targetPort: 9101
|
|
||||||
selector:
|
|
||||||
name: openebs-ndm-node-exporter
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: openebs-localpv-provisioner
|
|
||||||
namespace: openebs
|
|
||||||
labels:
|
|
||||||
name: openebs-localpv-provisioner
|
|
||||||
openebs.io/component-name: openebs-localpv-provisioner
|
|
||||||
openebs.io/version: 3.5.0
|
|
||||||
spec:
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
name: openebs-localpv-provisioner
|
|
||||||
openebs.io/component-name: openebs-localpv-provisioner
|
|
||||||
replicas: 1
|
|
||||||
strategy:
|
|
||||||
type: Recreate
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
name: openebs-localpv-provisioner
|
|
||||||
openebs.io/component-name: openebs-localpv-provisioner
|
|
||||||
openebs.io/version: 3.5.0
|
|
||||||
spec:
|
|
||||||
serviceAccountName: openebs-maya-operator
|
|
||||||
containers:
|
|
||||||
- name: openebs-provisioner-hostpath
|
|
||||||
imagePullPolicy: IfNotPresent
|
|
||||||
image: openebs/provisioner-localpv:3.5.0
|
|
||||||
args:
|
|
||||||
- "--bd-time-out=$(BDC_BD_BIND_RETRIES)"
|
|
||||||
env:
|
|
||||||
# OPENEBS_IO_K8S_MASTER enables openebs provisioner to connect to K8s
|
|
||||||
# based on this address. This is ignored if empty.
|
|
||||||
# This is supported for openebs provisioner version 0.5.2 onwards
|
|
||||||
#- name: OPENEBS_IO_K8S_MASTER
|
|
||||||
# value: "http://10.128.0.12:8080"
|
|
||||||
# OPENEBS_IO_KUBE_CONFIG enables openebs provisioner to connect to K8s
|
|
||||||
# based on this config. This is ignored if empty.
|
|
||||||
# This is supported for openebs provisioner version 0.5.2 onwards
|
|
||||||
#- name: OPENEBS_IO_KUBE_CONFIG
|
|
||||||
# value: "/home/ubuntu/.kube/config"
|
|
||||||
# This sets the number of times the provisioner should try
|
|
||||||
# with a polling interval of 5 seconds, to get the Blockdevice
|
|
||||||
# Name from a BlockDeviceClaim, before the BlockDeviceClaim
|
|
||||||
# is deleted. E.g. 12 * 5 seconds = 60 seconds timeout
|
|
||||||
- name: BDC_BD_BIND_RETRIES
|
|
||||||
value: "12"
|
|
||||||
- name: NODE_NAME
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: spec.nodeName
|
|
||||||
- name: OPENEBS_NAMESPACE
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.namespace
|
|
||||||
# OPENEBS_SERVICE_ACCOUNT provides the service account of this pod as
|
|
||||||
# environment variable
|
|
||||||
- name: OPENEBS_SERVICE_ACCOUNT
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: spec.serviceAccountName
|
|
||||||
- name: OPENEBS_IO_ENABLE_ANALYTICS
|
|
||||||
value: "true"
|
|
||||||
- name: OPENEBS_IO_INSTALLER_TYPE
|
|
||||||
value: "openebs-operator-lite"
|
|
||||||
- name: OPENEBS_IO_HELPER_IMAGE
|
|
||||||
value: "openebs/linux-utils:3.5.0"
|
|
||||||
- name: OPENEBS_IO_BASE_PATH
|
|
||||||
value: "/var/openebs/local"
|
|
||||||
# LEADER_ELECTION_ENABLED is used to enable/disable leader election. By default
|
|
||||||
# leader election is enabled.
|
|
||||||
#- name: LEADER_ELECTION_ENABLED
|
|
||||||
# value: "true"
|
|
||||||
# OPENEBS_IO_IMAGE_PULL_SECRETS environment variable is used to pass the image pull secrets
|
|
||||||
# to the helper pod launched by local-pv hostpath provisioner
|
|
||||||
#- name: OPENEBS_IO_IMAGE_PULL_SECRETS
|
|
||||||
# value: ""
|
|
||||||
# Process name used for matching is limited to the 15 characters
|
|
||||||
# present in the pgrep output.
|
|
||||||
# So fullname can't be used here with pgrep (>15 chars).A regular expression
|
|
||||||
# that matches the entire command name has to specified.
|
|
||||||
# Anchor `^` : matches any string that starts with `provisioner-loc`
|
|
||||||
# `.*`: matches any string that has `provisioner-loc` followed by zero or more char
|
|
||||||
livenessProbe:
|
|
||||||
exec:
|
|
||||||
command:
|
|
||||||
- sh
|
|
||||||
- -c
|
|
||||||
- test `pgrep -c "^provisioner-loc.*"` = 1
|
|
||||||
initialDelaySeconds: 30
|
|
||||||
periodSeconds: 60
|
|
||||||
---
|
|
||||||
|
|
@ -1,16 +0,0 @@
|
|||||||
apiVersion: storage.k8s.io/v1
|
|
||||||
kind: StorageClass
|
|
||||||
metadata:
|
|
||||||
name: openebs-hostpath-xfs
|
|
||||||
annotations:
|
|
||||||
openebs.io/cas-type: local
|
|
||||||
cas.openebs.io/config: |
|
|
||||||
- name: StorageType
|
|
||||||
value: "hostpath"
|
|
||||||
- name: BasePath
|
|
||||||
value: "/var/openebs/local/"
|
|
||||||
- name: XFSQuota
|
|
||||||
enabled: "true"
|
|
||||||
provisioner: openebs.io/local
|
|
||||||
volumeBindingMode: WaitForFirstConsumer
|
|
||||||
reclaimPolicy: Delete
|
|
76
ansible-bind-primary.yml
Normal file
@ -0,0 +1,76 @@
|
|||||||
|
- name: Setup primary nameserver
|
||||||
|
hosts: ns1.k-space.ee
|
||||||
|
tasks:
|
||||||
|
- name: Make sure bind9 is installed
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: bind9
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Configure Bind
|
||||||
|
register: bind
|
||||||
|
copy:
|
||||||
|
dest: /etc/bind/named.conf
|
||||||
|
content: |
|
||||||
|
# This file is managed by Ansible
|
||||||
|
# https://git.k-space.ee/k-space/kube/src/branch/master/ansible-bind-primary.yml
|
||||||
|
# Do NOT modify manually
|
||||||
|
|
||||||
|
include "/etc/bind/named.conf.local";
|
||||||
|
include "/etc/bind/readwrite.key";
|
||||||
|
include "/etc/bind/readonly.key";
|
||||||
|
|
||||||
|
options {
|
||||||
|
directory "/var/cache/bind";
|
||||||
|
version "";
|
||||||
|
listen-on { any; };
|
||||||
|
listen-on-v6 { any; };
|
||||||
|
pid-file "/var/run/named/named.pid";
|
||||||
|
notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
|
||||||
|
allow-recursion { none; };
|
||||||
|
recursion no;
|
||||||
|
check-names master ignore;
|
||||||
|
dnssec-validation no;
|
||||||
|
auth-nxdomain no;
|
||||||
|
};
|
||||||
|
|
||||||
|
# https://kb.isc.org/docs/aa-00723
|
||||||
|
|
||||||
|
acl allowed {
|
||||||
|
172.20.3.0/24;
|
||||||
|
172.20.4.0/24;
|
||||||
|
};
|
||||||
|
|
||||||
|
acl rejected { !allowed; any; };
|
||||||
|
|
||||||
|
zone "." {
|
||||||
|
type hint;
|
||||||
|
file "/var/lib/bind/db.root";
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "k-space.ee" {
|
||||||
|
type master;
|
||||||
|
file "/var/lib/bind/db.k-space.ee";
|
||||||
|
allow-update { !rejected; key readwrite; };
|
||||||
|
allow-transfer { !rejected; key readonly; key readwrite; };
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "k6.ee" {
|
||||||
|
type master;
|
||||||
|
file "/var/lib/bind/db.k6.ee";
|
||||||
|
allow-update { !rejected; key readwrite; };
|
||||||
|
allow-transfer { !rejected; key readonly; key readwrite; };
|
||||||
|
};
|
||||||
|
|
||||||
|
zone "kspace.ee" {
|
||||||
|
type master;
|
||||||
|
file "/var/lib/bind/db.kspace.ee";
|
||||||
|
allow-update { !rejected; key readwrite; };
|
||||||
|
allow-transfer { !rejected; key readonly; key readwrite; };
|
||||||
|
};
|
||||||
|
- name: Check Bind config
|
||||||
|
ansible.builtin.shell: "named-checkconf"
|
||||||
|
- name: Reload Bind config
|
||||||
|
service:
|
||||||
|
name: bind9
|
||||||
|
state: reloaded
|
||||||
|
when: bind.changed
|
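Review bot: The `Configure Bind` task writes `/etc/bind/named.conf` first and only the separate `Check Bind config` task runs `named-checkconf` afterwards, so a syntax error leaves a broken config on the primary until the play is fixed and re-run; `copy` can check before replacing the live file with `validate: named-checkconf %s` on the `Configure Bind` task (the includes and zone files are referenced by absolute path, so validating the temporary copy should behave the same). With that in place the standalone check task becomes redundant, though it does no harm as a second gate. The `copy` and `service` modules are called by short name while the apt task uses `ansible.builtin.apt`; `ansible.builtin.copy` and `ansible.builtin.service` keep the playbook consistent.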
63
ansible-doors.yml
Normal file
@ -0,0 +1,63 @@
|
|||||||
|
# ansible doors -m shell -a "ctr image pull harbor.k-space.ee/k-space/mjpg-streamer:latest"
|
||||||
|
# journalctl -u mjpg_streamer@video0.service -f
|
||||||
|
- name: Setup doors
|
||||||
|
hosts: doors
|
||||||
|
tasks:
|
||||||
|
- name: Make sure containerd is installed
|
||||||
|
ansible.builtin.apt:
|
||||||
|
name: containerd
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Copy systemd service for Doorboy controller
|
||||||
|
copy:
|
||||||
|
dest: /etc/systemd/system/godoor.service
|
||||||
|
content: |
|
||||||
|
[Unit]
|
||||||
|
Description=Doorboy service
|
||||||
|
Documentation=https://git.k-space.ee/k-space/godoor
|
||||||
|
After=network.target
|
||||||
|
[Service]
|
||||||
|
Environment=IMAGE=harbor.k-space.ee/k-space/godoor:latest
|
||||||
|
ExecStartPre=-ctr task kill --signal=9 %N
|
||||||
|
ExecStartPre=-ctr task rm %N
|
||||||
|
ExecStartPre=-ctr c rm %N
|
||||||
|
ExecStartPre=-ctr image pull $IMAGE
|
||||||
|
ExecStart=ctr run --rm --pid-file=/run/%N.pid --privileged --read-only --env-file=/etc/godoor --env=KDOORPI_API_ALLOWED=https://doorboy-proxy.k-space.ee/allowed --env=KDOORPI_API_LONGPOLL=https://doorboy-proxy.k-space.ee/longpoll --env=KDOORPI_API_SWIPE=https://doorboy-proxy.k-space.ee/swipe --env=KDOORPI_DOOR=%H --net-host --net-host --cwd /app $IMAGE %N /godoor
|
||||||
|
ExecStopPost=ctr task rm %N
|
||||||
|
ExecStopPost=ctr c rm %N
|
||||||
|
Restart=always
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
- name: Enable Doorboy controller
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
state: restarted
|
||||||
|
daemon_reload: yes
|
||||||
|
name: godoor.service
|
||||||
|
|
||||||
|
- name: Copy systemd service for mjpg-streamer
|
||||||
|
copy:
|
||||||
|
dest: /etc/systemd/system/mjpg_streamer@.service
|
||||||
|
content: |
|
||||||
|
[Unit]
|
||||||
|
Description=A server for streaming Motion-JPEG from a video capture device
|
||||||
|
After=network.target
|
||||||
|
ConditionPathExists=/dev/%I
|
||||||
|
[Service]
|
||||||
|
Environment=IMAGE=harbor.k-space.ee/k-space/mjpg-streamer:latest
|
||||||
|
StandardOutput=tty
|
||||||
|
Type=forking
|
||||||
|
ExecStartPre=-ctr task kill --signal=9 %p_%i
|
||||||
|
ExecStartPre=-ctr task rm %p_%i
|
||||||
|
ExecStartPre=-ctr c rm %p_%i
|
||||||
|
ExecStartPre=-ctr image pull $IMAGE
|
||||||
|
ExecStart=ctr run --tty -d --rm --pid-file=/run/%i.pid --privileged --read-only --net-host $IMAGE %p_%i /usr/local/bin/mjpg_streamer -i 'input_uvc.so -d /dev/%I -r 1280x720 -f 10' -o 'output_http.so -w /usr/share/mjpg_streamer/www'
|
||||||
|
ExecStopPost=ctr task rm %p_%i
|
||||||
|
ExecStopPost=ctr c rm %p_%i
|
||||||
|
PIDFile=/run/%i.pid
|
||||||
|
[Install]
|
||||||
|
WantedBy=multi-user.target
|
||||||
|
- name: Enable mjpg-streamer
|
||||||
|
ansible.builtin.systemd:
|
||||||
|
state: restarted
|
||||||
|
daemon_reload: yes
|
||||||
|
name: mjpg_streamer@video0.service
|
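Review bot: `ExecStart` in the godoor unit passes `--net-host` twice on the same line; one copy should be dropped. Both units run `--privileged` and re-pull `harbor.k-space.ee/k-space/godoor:latest` and `mjpg-streamer:latest` on every start, and because the pull is `ExecStartPre=-` a failed pull silently falls through to whatever image is cached, so what runs on the door controllers changes whenever the `latest` tag moves and cannot be audited from this file; pinning the `Environment=IMAGE=` line to a release tag or digest fixes that. The two `ansible.builtin.systemd` tasks use `state: restarted` unconditionally, so every playbook run restarts the door controller and the camera stream even when nothing changed; registering the `copy` tasks and gating the restarts with `when: <registered>.changed`, as the bind playbook in this commit does, avoids that. `daemon_reload: yes` should be `daemon_reload: true` (yamllint `truthy`).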
81
ansible-kubernetes.yml
Normal file
@ -0,0 +1,81 @@
|
|||||||
|
---
|
||||||
|
- name: Reconfigure graceful shutdown for kubelet
|
||||||
|
hosts: kubernetes
|
||||||
|
tasks:
|
||||||
|
- name: Reconfigure shutdownGracePeriod
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
path: /var/lib/kubelet/config.yaml
|
||||||
|
regexp: '^shutdownGracePeriod:'
|
||||||
|
line: 'shutdownGracePeriod: 5m'
|
||||||
|
- name: Reconfigure shutdownGracePeriodCriticalPods
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
path: /var/lib/kubelet/config.yaml
|
||||||
|
regexp: '^shutdownGracePeriodCriticalPods:'
|
||||||
|
line: 'shutdownGracePeriodCriticalPods: 5m'
|
||||||
|
- name: Work around unattended-upgrades
|
||||||
|
ansible.builtin.lineinfile:
|
||||||
|
path: /lib/systemd/logind.conf.d/unattended-upgrades-logind-maxdelay.conf
|
||||||
|
regexp: '^InhibitDelayMaxSec='
|
||||||
|
line: 'InhibitDelayMaxSec=5m0s'
|
||||||
|
|
||||||
|
- name: Pin kube components
|
||||||
|
hosts: kubernetes
|
||||||
|
tasks:
|
||||||
|
- name: Pin packages
|
||||||
|
loop:
|
||||||
|
- kubeadm
|
||||||
|
- kubectl
|
||||||
|
- kubelet
|
||||||
|
ansible.builtin.copy:
|
||||||
|
dest: "/etc/apt/preferences.d/{{ item }}"
|
||||||
|
content: |
|
||||||
|
Package: {{ item }}
|
||||||
|
Pin: version 1.26.*
|
||||||
|
Pin-Priority: 1001
|
||||||
|
|
||||||
|
- name: Reset /etc/containers/registries.conf
|
||||||
|
hosts: kubernetes
|
||||||
|
tasks:
|
||||||
|
- name: Copy /etc/containers/registries.conf
|
||||||
|
ansible.builtin.copy:
|
||||||
|
content: "unqualified-search-registries = [\"docker.io\"]\n"
|
||||||
|
dest: /etc/containers/registries.conf
|
||||||
|
register: registries
|
||||||
|
- name: Restart CRI-O
|
||||||
|
service:
|
||||||
|
name: cri-o
|
||||||
|
state: restarted
|
||||||
|
when: registries.changed
|
||||||
|
|
||||||
|
- name: Reset /etc/modules
|
||||||
|
hosts: kubernetes
|
||||||
|
tasks:
|
||||||
|
- name: Copy /etc/modules
|
||||||
|
ansible.builtin.copy:
|
||||||
|
content: |
|
||||||
|
overlay
|
||||||
|
br_netfilter
|
||||||
|
dest: /etc/modules
|
||||||
|
register: kernel_modules
|
||||||
|
- name: Load kernel modules
|
||||||
|
ansible.builtin.shell: "cat /etc/modules | xargs -L 1 -t modprobe"
|
||||||
|
when: kernel_modules.changed
|
||||||
|
|
||||||
|
- name: Reset /etc/sysctl.d/99-k8s.conf
|
||||||
|
hosts: kubernetes
|
||||||
|
tasks:
|
||||||
|
- name: Copy /etc/sysctl.d/99-k8s.conf
|
||||||
|
ansible.builtin.copy:
|
||||||
|
content: |
|
||||||
|
net.ipv4.conf.all.accept_redirects = 0
|
||||||
|
net.bridge.bridge-nf-call-iptables = 1
|
||||||
|
net.ipv4.ip_forward = 1
|
||||||
|
net.bridge.bridge-nf-call-ip6tables = 1
|
||||||
|
vm.max_map_count = 524288
|
||||||
|
fs.inotify.max_user_instances = 1280
|
||||||
|
fs.inotify.max_user_watches = 655360
|
||||||
|
dest: /etc/sysctl.d/99-k8s.conf
|
||||||
|
register: sysctl
|
||||||
|
- name: Reload sysctl config
|
||||||
|
ansible.builtin.shell: "sysctl --system"
|
||||||
|
when: sysctl.changed
|
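Review bot: The two `lineinfile` tasks that edit `/var/lib/kubelet/config.yaml` are not registered and nothing restarts kubelet afterwards, so `shutdownGracePeriod` and `shutdownGracePeriodCriticalPods` only take effect on the next unrelated kubelet restart; the CRI-O, modules and sysctl plays in the same file all `register:` and act `when: ….changed`, and the kubelet play should add a `service: name: kubelet state: restarted` step gated the same way. The logind drop-in is edited under `/lib/systemd/logind.conf.d/`, which is presumably the file shipped by the unattended-upgrades package and will be overwritten on its next upgrade; `/etc/systemd/logind.conf.d/` is the administrator override location that survives upgrades. `lineinfile` without `create: true` also fails on a fresh host where that file does not exist yet. `cat /etc/modules | xargs -L 1 -t modprobe` can be written as `xargs -L 1 -t modprobe < /etc/modules`.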
12
ansible.cfg
Normal file
@ -0,0 +1,12 @@
|
|||||||
|
[defaults]
|
||||||
|
ansible_managed = This file is managed by Ansible, manual changes will be overwritten.
|
||||||
|
inventory = inventory.yml
|
||||||
|
nocows = 1
|
||||||
|
pipelining = True
|
||||||
|
pattern =
|
||||||
|
deprecation_warnings = False
|
||||||
|
fact_caching = jsonfile
|
||||||
|
fact_caching_connection = ~/.ansible/k-space-fact-cache
|
||||||
|
|
||||||
|
[ssh_connection]
|
||||||
|
ssh_args = -F ssh_config
|
@ -1,11 +1,63 @@
|
|||||||
|
# Workflow
|
||||||
|
|
||||||
Most applications in our Kubernetes cluster are managed by ArgoCD.
|
Most applications in our Kubernetes cluster are managed by ArgoCD.
|
||||||
Most notably operators are NOT managed by ArgoCD.
|
Most notably operators are NOT managed by ArgoCD.
|
||||||
|
|
||||||
## Managing applications
|
Adding to `applications/`: `kubectl apply -f newapp.yaml`
|
||||||
Update apps (see TODO below):
|
|
||||||
|
# Deployment
|
||||||
|
|
||||||
|
To deploy ArgoCD:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
helm repo add argo-cd https://argoproj.github.io/argo-helm
|
||||||
|
kubectl create secret -n argocd generic argocd-secret # Initialize empty secret for sessions
|
||||||
|
helm template -n argocd --release-name k6 argo-cd/argo-cd --include-crds -f values.yaml > argocd.yml
|
||||||
|
kubectl apply -f argocd.yml -f application-extras.yml -n argocd
|
||||||
|
kubectl -n argocd rollout restart deployment/k6-argocd-redis
|
||||||
|
kubectl -n argocd rollout restart deployment/k6-argocd-repo-server
|
||||||
|
kubectl -n argocd rollout restart deployment/k6-argocd-server
|
||||||
|
kubectl -n argocd rollout restart deployment/k6-argocd-notifications-controller
|
||||||
|
kubectl -n argocd rollout restart statefulset/k6-argocd-application-controller
|
||||||
|
kubectl label -n argocd secret oidc-client-argocd-owner-secrets app.kubernetes.io/part-of=argocd
|
||||||
|
```
|
||||||
|
|
||||||
|
|
||||||
|
# Setting up Git secrets
|
||||||
|
|
||||||
|
Generate SSH key to access Gitea:
|
||||||
|
|
||||||
```
|
```
|
||||||
for j in asterisk bind camtiler etherpad freescout gitea grafana hackerspace nextcloud nyancat rosdump traefik wiki wildduck; do
|
ssh-keygen -t ecdsa -f id_ecdsa -C argocd.k-space.ee -P ''
|
||||||
|
kubectl -n argocd create secret generic gitea-kube \
|
||||||
|
--from-literal=type=git \
|
||||||
|
--from-literal=url=git@git.k-space.ee:k-space/kube \
|
||||||
|
--from-file=sshPrivateKey=id_ecdsa
|
||||||
|
kubectl -n argocd create secret generic gitea-kube-staging \
|
||||||
|
--from-literal=type=git \
|
||||||
|
--from-literal=url=git@git.k-space.ee:k-space/kube-staging \
|
||||||
|
--from-file=sshPrivateKey=id_ecdsa
|
||||||
|
kubectl -n argocd create secret generic gitea-kube-members \
|
||||||
|
--from-literal=type=git \
|
||||||
|
--from-literal=url=git@git.k-space.ee:k-space/kube-members \
|
||||||
|
--from-file=sshPrivateKey=id_ecdsa
|
||||||
|
kubectl label -n argocd secret gitea-kube argocd.argoproj.io/secret-type=repository
|
||||||
|
kubectl label -n argocd secret gitea-kube-staging argocd.argoproj.io/secret-type=repository
|
||||||
|
kubectl label -n argocd secret gitea-kube-members argocd.argoproj.io/secret-type=repository
|
||||||
|
rm -fv id_ecdsa
|
||||||
|
```
|
||||||
|
|
||||||
|
Have Gitea admin reset password for user `argocd` and log in with that account.
|
||||||
|
Add the SSH key for user `argocd` from file `id_ecdsa.pub`.
|
||||||
|
Delete any other SSH keys associated with Gitea user `argocd`.
|
||||||
|
|
||||||
|
|
||||||
|
# Managing applications
|
||||||
|
|
||||||
|
To update apps:
|
||||||
|
|
||||||
|
```
|
||||||
|
for j in asterisk bind camtiler drone drone-execution etherpad freescout gitea grafana hackerspace nextcloud nyancat rosdump traefik wiki wildduck woodpecker; do
|
||||||
cat << EOF >> applications/$j.yaml
|
cat << EOF >> applications/$j.yaml
|
||||||
---
|
---
|
||||||
apiVersion: argoproj.io/v1alpha1
|
apiVersion: argoproj.io/v1alpha1
|
||||||
@ -13,10 +65,6 @@ kind: Application
|
|||||||
metadata:
|
metadata:
|
||||||
name: $j
|
name: $j
|
||||||
namespace: argocd
|
namespace: argocd
|
||||||
annotations:
|
|
||||||
# Works with only Kustomize and Helm. Kustomize is easy, see https://github.com/argoproj-labs/argocd-image-updater/tree/master/manifests/base for an example.
|
|
||||||
argocd-image-updater.argoproj.io/image-list: TODO:^2 # semver 2.*.*
|
|
||||||
argocd-image-updater.argoproj.io/write-back-method: git
|
|
||||||
spec:
|
spec:
|
||||||
project: k-space.ee
|
project: k-space.ee
|
||||||
source:
|
source:
|
||||||
@ -26,33 +74,8 @@ spec:
|
|||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: $j
|
namespace: $j
|
||||||
syncPolicy:
|
syncPolicy: {}
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
||||||
EOF
|
EOF
|
||||||
done
|
done
|
||||||
find applications -name "*.yaml" -exec kubectl apply -n argocd -f {} \;
|
find applications -name "*.yaml" -exec kubectl apply -n argocd -f {} \;
|
||||||
```
|
```
|
||||||
|
|
||||||
### Repository secrets
|
|
||||||
1. Generate keys locally with `ssh-keygen -f argo`
|
|
||||||
2. Add `argo.pub` in `git.k-space.ee/<your>/<repo>` → Settings → Deploy keys
|
|
||||||
3. Add `argo` (private key) at https://argocd.k-space.ee/settings/repos along with referenced repo.
|
|
||||||
|
|
||||||
## Argo Deployment
|
|
||||||
To deploy ArgoCD itself:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
helm repo add argo-cd https://argoproj.github.io/argo-helm
|
|
||||||
kubectl create secret -n argocd generic argocd-secret # Empty secret for sessions
|
|
||||||
kubectl label -n argocd secret oidc-client-argocd-owner-secrets app.kubernetes.io/part-of=argocd
|
|
||||||
|
|
||||||
helm template -n argocd --release-name k6 argo-cd/argo-cd --include-crds -f values.yaml > argocd.yml
|
|
||||||
kubectl apply -f argocd.yml -f application-extras.yml -f redis.yaml -f monitoring.yml -n argocd
|
|
||||||
|
|
||||||
kubectl -n argocd rollout restart deployment/k6-argocd-redis deployment/k6-argocd-repo-server deployment/k6-argocd-server deployment/k6-argocd-notifications-controller statefulset/k6-argocd-application-controller
|
|
||||||
```
|
|
||||||
|
|
||||||
WARN: ArgoCD doesn't host its own redis, Dragonfly must be able to independently cold-start.
|
|
||||||
|
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
apiVersion: codemowers.cloud/v1beta1
|
apiVersion: codemowers.io/v1alpha1
|
||||||
kind: OIDCClient
|
kind: OIDCGWClient
|
||||||
metadata:
|
metadata:
|
||||||
name: argocd
|
name: argocd
|
||||||
namespace: argocd
|
namespace: argocd
|
||||||
@ -9,7 +9,6 @@ spec:
|
|||||||
uri: https://argocd.k-space.ee
|
uri: https://argocd.k-space.ee
|
||||||
redirectUris:
|
redirectUris:
|
||||||
- https://argocd.k-space.ee/auth/callback
|
- https://argocd.k-space.ee/auth/callback
|
||||||
- http://localhost:8085/auth/callback
|
|
||||||
allowedGroups:
|
allowedGroups:
|
||||||
- k-space:kubernetes:admins
|
- k-space:kubernetes:admins
|
||||||
grantTypes:
|
grantTypes:
|
||||||
|
@ -1,20 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: argocd-image-updater
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
repoURL: 'https://github.com/argoproj-labs/argocd-image-updater.git'
|
|
||||||
path: manifests/base
|
|
||||||
targetRevision: stable
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: argocd
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
@ -2,17 +2,15 @@
|
|||||||
apiVersion: argoproj.io/v1alpha1
|
apiVersion: argoproj.io/v1alpha1
|
||||||
kind: Application
|
kind: Application
|
||||||
metadata:
|
metadata:
|
||||||
name: argocd-applications
|
name: asterisk
|
||||||
namespace: argocd
|
namespace: argocd
|
||||||
spec:
|
spec:
|
||||||
project: k-space.ee
|
project: k-space.ee
|
||||||
source:
|
source:
|
||||||
repoURL: 'git@git.k-space.ee:k-space/kube.git'
|
repoURL: 'git@git.k-space.ee:k-space/kube.git'
|
||||||
path: argocd/applications
|
path: asterisk
|
||||||
targetRevision: HEAD
|
targetRevision: HEAD
|
||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: argocd
|
namespace: asterisk
|
||||||
syncPolicy:
|
syncPolicy: {}
|
||||||
automated:
|
|
||||||
prune: false
|
|
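Review bot: The new `syncPolicy: {}` carries no `syncOptions`, so the first sync of this Application fails unless the destination namespace `asterisk` already exists in the cluster; if namespaces are now meant to be created outside Argo that should be stated in the README updated in this commit, otherwise `syncPolicy:` / `  syncOptions:` / `    - CreateNamespace=true` keeps namespace creation while still requiring manual syncs. The same applies to the bind, camtiler, drone-execution and etherpad hunks below, which explicitly drop `CreateNamespace=true`, and to the new drone.yaml. Without `automated.prune`, resources removed from the repo also linger in the cluster until someone syncs with prune by hand, which is worth a line in the same README.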
@ -13,8 +13,4 @@ spec:
|
|||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: bind
|
namespace: bind
|
||||||
syncPolicy:
|
syncPolicy: {}
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
||||||
|
@ -2,19 +2,15 @@
|
|||||||
apiVersion: argoproj.io/v1alpha1
|
apiVersion: argoproj.io/v1alpha1
|
||||||
kind: Application
|
kind: Application
|
||||||
metadata:
|
metadata:
|
||||||
name: signs
|
name: camtiler
|
||||||
namespace: argocd
|
namespace: argocd
|
||||||
spec:
|
spec:
|
||||||
project: k-space.ee
|
project: k-space.ee
|
||||||
source:
|
source:
|
||||||
repoURL: 'git@git.k-space.ee:k-space/kube.git'
|
repoURL: 'git@git.k-space.ee:k-space/kube.git'
|
||||||
path: signs
|
path: camtiler
|
||||||
targetRevision: HEAD
|
targetRevision: HEAD
|
||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: signs
|
namespace: camtiler
|
||||||
syncPolicy:
|
syncPolicy: {}
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
@ -1,21 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: cert-manager
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
# also depends on git@git.k-space.ee:secretspace/kube.git
|
|
||||||
repoURL: git@git.k-space.ee:k-space/kube.git
|
|
||||||
targetRevision: HEAD
|
|
||||||
path: cert-manager
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: cert-manager
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
@ -1,23 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: cnpg # aka in-cluster postgres
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
repoURL: https://github.com/cloudnative-pg/cloudnative-pg
|
|
||||||
targetRevision: v1.25.1
|
|
||||||
path: releases
|
|
||||||
directory:
|
|
||||||
include: 'cnpg-1.25.1.yaml'
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: cnpg-system
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
||||||
- ServerSideApply=true # Resource is too big to fit in 262144 bytes allowed annotation size.
|
|
@ -1,23 +0,0 @@
|
|||||||
# See [/dragonfly/README.md](/dragonfly-operator-system/README.md)
|
|
||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: dragonfly # replaces redis and keydb
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
repoURL: https://github.com/dragonflydb/dragonfly-operator
|
|
||||||
targetRevision: v1.1.11 # https://github.com/dragonflydb/dragonfly-operator/releases
|
|
||||||
path: manifests
|
|
||||||
directory:
|
|
||||||
include: 'dragonfly-operator.yaml'
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: dragonfly-operator-system
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
@ -2,19 +2,15 @@
|
|||||||
apiVersion: argoproj.io/v1alpha1
|
apiVersion: argoproj.io/v1alpha1
|
||||||
kind: Application
|
kind: Application
|
||||||
metadata:
|
metadata:
|
||||||
name: pgweb
|
name: drone-execution
|
||||||
namespace: argocd
|
namespace: argocd
|
||||||
spec:
|
spec:
|
||||||
project: k-space.ee
|
project: k-space.ee
|
||||||
source:
|
source:
|
||||||
repoURL: 'git@git.k-space.ee:k-space/kube.git'
|
repoURL: 'git@git.k-space.ee:k-space/kube.git'
|
||||||
path: pgweb
|
path: drone-execution
|
||||||
targetRevision: HEAD
|
targetRevision: HEAD
|
||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: pgweb
|
namespace: drone-execution
|
||||||
syncPolicy:
|
syncPolicy: {}
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
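Review bot: `syncPolicy: {}` on the new side replaces `automated`/`prune: true` and `syncOptions: [CreateNamespace=true]`, so automatic sync is off and the `drone-execution` namespace has to exist before the first sync can succeed; the same replacement appears in the hunks for the new drone.yaml and for the etherpad, freescout, gitea, grafana, hackerspace, nextcloud, nyancat, rosdump, traefik, wiki, wildduck and woodpecker applications. If manual sync is intended, namespace creation is still worth keeping: `syncPolicy:` / `  syncOptions:` / `    - CreateNamespace=true`. Otherwise a comment on the line stating why auto-sync and pruning were disabled would stop the next reader from re-enabling them. The document's `---` on line 1 lies outside the hunk.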
argocd/applications/drone.yaml
@ -0,0 +1,16 @@
|
|||||||
|
---
|
||||||
|
apiVersion: argoproj.io/v1alpha1
|
||||||
|
kind: Application
|
||||||
|
metadata:
|
||||||
|
name: drone
|
||||||
|
namespace: argocd
|
||||||
|
spec:
|
||||||
|
project: k-space.ee
|
||||||
|
source:
|
||||||
|
repoURL: 'git@git.k-space.ee:k-space/kube.git'
|
||||||
|
path: drone
|
||||||
|
targetRevision: HEAD
|
||||||
|
destination:
|
||||||
|
server: 'https://kubernetes.default.svc'
|
||||||
|
namespace: drone
|
||||||
|
syncPolicy: {}
|
@ -13,8 +13,4 @@ spec:
|
|||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: etherpad
|
namespace: etherpad
|
||||||
syncPolicy:
|
syncPolicy: {}
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
||||||
|
@ -13,8 +13,4 @@ spec:
|
|||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: freescout
|
namespace: freescout
|
||||||
syncPolicy:
|
syncPolicy: {}
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
||||||
|
@ -1,21 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: frigate
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
# also depends on git@git.k-space.ee:secretspace/kube.git
|
|
||||||
repoURL: git@git.k-space.ee:k-space/kube.git
|
|
||||||
targetRevision: HEAD
|
|
||||||
path: frigate
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: frigate
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
@ -13,8 +13,4 @@ spec:
|
|||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: gitea
|
namespace: gitea
|
||||||
syncPolicy:
|
syncPolicy: {}
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
||||||
|
@ -13,8 +13,4 @@ spec:
|
|||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: grafana
|
namespace: grafana
|
||||||
syncPolicy:
|
syncPolicy: {}
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
||||||
|
@ -13,8 +13,4 @@ spec:
|
|||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: hackerspace
|
namespace: hackerspace
|
||||||
syncPolicy:
|
syncPolicy: {}
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
||||||
|
@ -1,21 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: harbor
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
# also depends on git@git.k-space.ee:secretspace/kube.git
|
|
||||||
repoURL: git@git.k-space.ee:k-space/kube.git
|
|
||||||
targetRevision: HEAD
|
|
||||||
path: harbor
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: harbor-operator
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
@ -1,20 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: kubernetes-dashboard
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
repoURL: 'git@git.k-space.ee:k-space/kube.git'
|
|
||||||
path: kubernetes-dashboard
|
|
||||||
targetRevision: HEAD
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: kubernetes-dashboard
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
@ -1,21 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: metallb
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
# also depends on git@git.k-space.ee:secretspace/kube.git
|
|
||||||
repoURL: git@git.k-space.ee:k-space/kube.git
|
|
||||||
targetRevision: HEAD
|
|
||||||
path: metallb
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: metallb-system
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
@ -1,20 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: minio-clusters
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
repoURL: 'git@git.k-space.ee:k-space/kube.git'
|
|
||||||
path: minio-clusters
|
|
||||||
targetRevision: HEAD
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: minio-clusters
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
@ -1,20 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: monitoring
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
repoURL: 'git@git.k-space.ee:k-space/kube.git'
|
|
||||||
path: monitoring
|
|
||||||
targetRevision: HEAD
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: monitoring
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
@ -1,20 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: mysql-clusters
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
repoURL: 'git@git.k-space.ee:k-space/kube.git'
|
|
||||||
path: mysql-clusters
|
|
||||||
targetRevision: HEAD
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: mysql-clusters
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
@ -13,8 +13,4 @@ spec:
|
|||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: nextcloud
|
namespace: nextcloud
|
||||||
syncPolicy:
|
syncPolicy: {}
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
||||||
|
@ -13,8 +13,4 @@ spec:
|
|||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: nyancat
|
namespace: nyancat
|
||||||
syncPolicy:
|
syncPolicy: {}
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
||||||
|
@ -1,20 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: members
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
repoURL: 'git@git.k-space.ee:secretspace/members.git'
|
|
||||||
path: members
|
|
||||||
targetRevision: HEAD
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: passmower
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
@ -1,24 +0,0 @@
|
|||||||
# Note: Do not put any Prometheus instances or exporters in this namespace, instead have them in `monitoring` namespace
|
|
||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: prometheus-operator
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
repoURL: https://github.com/prometheus-operator/prometheus-operator.git
|
|
||||||
targetRevision: v0.82.0
|
|
||||||
path: .
|
|
||||||
kustomize:
|
|
||||||
namespace: prometheus-operator
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: prometheus-operator
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
||||||
- ServerSideApply=true # Resource is too big to fit in 262144 bytes allowed annotation size.
|
|
@ -1,21 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: proxmox-csi
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
# also depends on git@git.k-space.ee:secretspace/kube.git
|
|
||||||
repoURL: git@git.k-space.ee:k-space/kube.git
|
|
||||||
targetRevision: HEAD
|
|
||||||
path: proxmox-csi
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: csi-proxmox
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
@ -1,20 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: ripe87
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
repoURL: 'git@git.k-space.ee:k-space/kube.git'
|
|
||||||
path: ripe87
|
|
||||||
targetRevision: HEAD
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: ripe87
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
@ -13,8 +13,4 @@ spec:
|
|||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: rosdump
|
namespace: rosdump
|
||||||
syncPolicy:
|
syncPolicy: {}
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
||||||
|
@ -1,20 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: secret-claim-operator
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
repoURL: https://github.com/codemowers/operatorlib
|
|
||||||
path: samples/secret-claim-operator
|
|
||||||
targetRevision: HEAD
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: secret-claim-operator
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
@ -1,24 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: tigera-operator
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
# also depends on git@git.k-space.ee:secretspace/kube.git
|
|
||||||
repoURL: git@git.k-space.ee:k-space/kube.git
|
|
||||||
targetRevision: HEAD
|
|
||||||
path: tigera-operator
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: tigera-operator
|
|
||||||
# also houses calico-system and calico-apiserver
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
||||||
- ServerSideApply=true # Resource is too big to fit in 262144 bytes allowed annotation size.
|
|
||||||
- Force=true # `--force-conflicts`, according to https://docs.tigera.io/calico/latest/operations/upgrading/kubernetes-upgrade
|
|
@ -13,8 +13,4 @@ spec:
|
|||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: traefik
|
namespace: traefik
|
||||||
syncPolicy:
|
syncPolicy: {}
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
||||||
|
@ -2,17 +2,16 @@
|
|||||||
apiVersion: argoproj.io/v1alpha1
|
apiVersion: argoproj.io/v1alpha1
|
||||||
kind: Application
|
kind: Application
|
||||||
metadata:
|
metadata:
|
||||||
name: passmower
|
name: whoami-oidc
|
||||||
namespace: argocd
|
namespace: argocd
|
||||||
spec:
|
spec:
|
||||||
project: k-space.ee
|
project: k-space.ee
|
||||||
source:
|
source:
|
||||||
repoURL: 'git@git.k-space.ee:k-space/kube.git'
|
repoURL: 'git@git.k-space.ee:k-space/kube.git'
|
||||||
path: passmower
|
path: whoami-oidc
|
||||||
targetRevision: HEAD
|
targetRevision: HEAD
|
||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: passmower
|
namespace: whoami-oidc
|
||||||
syncPolicy:
|
syncPolicy:
|
||||||
automated:
|
automated: {}
|
||||||
prune: true
|
|
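Review bot: `automated: {}` keeps auto-sync on, but with `prune: true` gone manifests deleted from git leave their resources running in the `whoami-oidc` namespace until someone prunes by hand. If that is deliberate, record it inline, e.g. `automated: {}  # prune intentionally off: <reason>`; if not, `automated:` / `  prune: true` restores the previous behaviour. The hunk ends before `syncOptions`, so whether `CreateNamespace=true` survives is not visible here.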
@ -1,20 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: argoproj.io/v1alpha1
|
|
||||||
kind: Application
|
|
||||||
metadata:
|
|
||||||
name: whoami
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
project: k-space.ee
|
|
||||||
source:
|
|
||||||
repoURL: 'git@git.k-space.ee:k-space/kube.git'
|
|
||||||
path: whoami
|
|
||||||
targetRevision: HEAD
|
|
||||||
destination:
|
|
||||||
server: 'https://kubernetes.default.svc'
|
|
||||||
namespace: whoami
|
|
||||||
syncPolicy:
|
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
@ -13,8 +13,4 @@ spec:
|
|||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: wiki
|
namespace: wiki
|
||||||
syncPolicy:
|
syncPolicy: {}
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
||||||
|
@ -13,8 +13,4 @@ spec:
|
|||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: wildduck
|
namespace: wildduck
|
||||||
syncPolicy:
|
syncPolicy: {}
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
||||||
|
@ -7,15 +7,10 @@ metadata:
|
|||||||
spec:
|
spec:
|
||||||
project: k-space.ee
|
project: k-space.ee
|
||||||
source:
|
source:
|
||||||
# also depends on git@git.k-space.ee:secretspace/kube.git
|
repoURL: 'git@git.k-space.ee:k-space/kube.git'
|
||||||
repoURL: git@git.k-space.ee:k-space/kube.git
|
|
||||||
targetRevision: HEAD
|
|
||||||
path: woodpecker
|
path: woodpecker
|
||||||
|
targetRevision: HEAD
|
||||||
destination:
|
destination:
|
||||||
server: 'https://kubernetes.default.svc'
|
server: 'https://kubernetes.default.svc'
|
||||||
namespace: woodpecker
|
namespace: woodpecker
|
||||||
syncPolicy:
|
syncPolicy: {}
|
||||||
automated:
|
|
||||||
prune: true
|
|
||||||
syncOptions:
|
|
||||||
- CreateNamespace=true
|
|
||||||
|
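Review bot: The new side drops the `# also depends on git@git.k-space.ee:secretspace/kube.git` comment above `repoURL` while keeping the same `woodpecker` path and repository, so the dependency on the secrets repository is no longer documented. Unless that dependency went away with this change, the comment should stay. The `metadata` block and the document start lie outside the hunk.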
@ -1,2 +0,0 @@
|
|||||||
# used for git.k-space: k-space/kube, secretspace/kube, secretspace/members
|
|
||||||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOxYpFf85Vnxw7WNb/V5dtZT0PJ4VbBhdBNscDd8TVv/ argocd.k-space.ee
|
|
@ -1,50 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: codemowers.cloud/v1beta1
|
|
||||||
kind: SecretClaim
|
|
||||||
metadata:
|
|
||||||
name: argocd-redis
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
size: 32
|
|
||||||
mapping:
|
|
||||||
- key: redis-password
|
|
||||||
value: "%(plaintext)s"
|
|
||||||
- key: REDIS_URI
|
|
||||||
value: "redis://:%(plaintext)s@argocd-redis"
|
|
||||||
---
|
|
||||||
apiVersion: dragonflydb.io/v1alpha1
|
|
||||||
kind: Dragonfly
|
|
||||||
metadata:
|
|
||||||
name: argocd-redis
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
authentication:
|
|
||||||
passwordFromSecret:
|
|
||||||
key: redis-password
|
|
||||||
name: argocd-redis
|
|
||||||
replicas: 3
|
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 1000m
|
|
||||||
memory: 1Gi
|
|
||||||
topologySpreadConstraints:
|
|
||||||
- maxSkew: 1
|
|
||||||
topologyKey: topology.kubernetes.io/zone
|
|
||||||
whenUnsatisfiable: DoNotSchedule
|
|
||||||
labelSelector:
|
|
||||||
matchLabels:
|
|
||||||
app: argocd-redis
|
|
||||||
app.kubernetes.io/part-of: dragonfly
|
|
||||||
---
|
|
||||||
apiVersion: monitoring.coreos.com/v1
|
|
||||||
kind: PodMonitor
|
|
||||||
metadata:
|
|
||||||
name: argocd-redis
|
|
||||||
namespace: argocd
|
|
||||||
spec:
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: argocd-redis
|
|
||||||
app.kubernetes.io/part-of: dragonfly
|
|
||||||
podMetricsEndpoints:
|
|
||||||
- port: admin
|
|
@ -5,26 +5,38 @@ global:
|
|||||||
dex:
|
dex:
|
||||||
enabled: false
|
enabled: false
|
||||||
|
|
||||||
redis:
|
# Maybe one day switch to Redis HA?
|
||||||
enabled: false
|
|
||||||
redis-ha:
|
redis-ha:
|
||||||
enabled: false
|
enabled: false
|
||||||
externalRedis:
|
|
||||||
host: argocd-redis
|
|
||||||
existingSecret: argocd-redis
|
|
||||||
|
|
||||||
server:
|
server:
|
||||||
|
# HTTPS is implemented by Traefik
|
||||||
ingress:
|
ingress:
|
||||||
enabled: true
|
enabled: true
|
||||||
annotations:
|
annotations:
|
||||||
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
|
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
|
||||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||||
|
traefik.ingress.kubernetes.io/router.tls: "true"
|
||||||
hosts:
|
hosts:
|
||||||
- argocd.k-space.ee
|
- argocd.k-space.ee
|
||||||
tls:
|
tls:
|
||||||
- hosts:
|
- hosts:
|
||||||
- "*.k-space.ee"
|
- "*.k-space.ee"
|
||||||
|
|
||||||
|
configfucked:
|
||||||
|
resource.customizations: |
|
||||||
|
# https://github.com/argoproj/argo-cd/issues/1704
|
||||||
|
networking.k8s.io/Ingress:
|
||||||
|
health.lua: |
|
||||||
|
hs = {}
|
||||||
|
hs.status = "Healthy"
|
||||||
|
return hs
|
||||||
|
apiextensions.k8s.io/CustomResourceDefinition:
|
||||||
|
ignoreDifferences: |
|
||||||
|
jsonPointers:
|
||||||
|
- "x-kubernetes-validations"
|
||||||
|
|
||||||
|
|
||||||
metrics:
|
metrics:
|
||||||
enabled: true
|
enabled: true
|
||||||
|
|
||||||
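Review bot: The `resource.customizations` block is added under a new top-level key `configfucked:`, which nothing in the chart reads (the chart's key is `configs:`, as the next hunk's header shows), so the Ingress health override and the CRD `x-kubernetes-validations` ignore rule silently stop applying once the next hunk removes the same block from `configs.cm`. Moving it back under `configs:` / `  cm:` / `    resource.customizations: |` keeps the behaviour, and the key name itself is not something to ship in a values file. Separately, the new side deletes `externalRedis` and the `redis: enabled: false` setting without enabling another Redis, so whatever Redis the chart deploys by default will be used — worth confirming that is intended alongside the deleted redis.yaml. The `global:` parent of `dex:` lies outside the hunk.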
@ -67,27 +79,12 @@ configs:
|
|||||||
p, role:developers, applications, action/apps/Deployment/restart, default/camtiler, allow
|
p, role:developers, applications, action/apps/Deployment/restart, default/camtiler, allow
|
||||||
p, role:developers, applications, sync, default/camtiler, allow
|
p, role:developers, applications, sync, default/camtiler, allow
|
||||||
p, role:developers, applications, update, default/camtiler, allow
|
p, role:developers, applications, update, default/camtiler, allow
|
||||||
# argocd-image-updater
|
|
||||||
p, role:image-updater, applications, get, */*, allow
|
|
||||||
p, role:image-updater, applications, update, */*, allow
|
|
||||||
g, image-updater, role:image-updater
|
|
||||||
cm:
|
cm:
|
||||||
kustomize.buildOptions: --enable-helm
|
|
||||||
admin.enabled: "false"
|
admin.enabled: "false"
|
||||||
resource.customizations: |
|
|
||||||
# https://github.com/argoproj/argo-cd/issues/1704
|
|
||||||
networking.k8s.io/Ingress:
|
|
||||||
health.lua: |
|
|
||||||
hs = {}
|
|
||||||
hs.status = "Healthy"
|
|
||||||
return hs
|
|
||||||
apiextensions.k8s.io/CustomResourceDefinition:
|
|
||||||
ignoreDifferences: |
|
|
||||||
jsonPointers:
|
|
||||||
- "x-kubernetes-validations"
|
|
||||||
oidc.config: |
|
oidc.config: |
|
||||||
name: OpenID Connect
|
name: OpenID Connect
|
||||||
issuer: https://auth.k-space.ee/
|
issuer: https://auth2.k-space.ee/
|
||||||
clientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID
|
clientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID
|
||||||
cliClientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID
|
cliClientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID
|
||||||
clientSecret: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_SECRET
|
clientSecret: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_SECRET
|
||||||
|
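Review bot: The OIDC `issuer:` changes to `https://auth2.k-space.ee/` while `admin.enabled: "false"` stays, so if the new URL does not match the `issuer` field of that provider's discovery document byte for byte (trailing slash included) nobody can log in to the UI or CLI at all. Verify the discovery document before syncing and keep a note next to the line, e.g. `issuer: https://auth2.k-space.ee/  # must equal the issuer in the provider's .well-known/openid-configuration`. The same hunk also drops the `role:image-updater` policies with the `g, image-updater, role:image-updater` binding and removes `kustomize.buildOptions: --enable-helm`; if argocd-image-updater is still deployed its application updates will be denied, and any kustomization using `helmCharts` will fail to render. The `configs:` parent and the rest of the RBAC policy lie outside the hunk.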
@ -9,5 +9,3 @@ Should ArgoCD be down manifests here can be applied with:
|
|||||||
```
|
```
|
||||||
kubectl apply -n asterisk -f application.yaml
|
kubectl apply -n asterisk -f application.yaml
|
||||||
```
|
```
|
||||||
|
|
||||||
asterisk-secrets was dumped to git.k-space.ee/secretspace/kube:_disabled/asterisk
|
|
@ -2,11 +2,11 @@
|
|||||||
apiVersion: networking.k8s.io/v1
|
apiVersion: networking.k8s.io/v1
|
||||||
kind: NetworkPolicy
|
kind: NetworkPolicy
|
||||||
metadata:
|
metadata:
|
||||||
name: freeswitch
|
name: asterisk
|
||||||
spec:
|
spec:
|
||||||
podSelector:
|
podSelector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: freeswitch
|
app: asterisk
|
||||||
policyTypes:
|
policyTypes:
|
||||||
- Ingress
|
- Ingress
|
||||||
- Egress
|
- Egress
|
||||||
@ -32,18 +32,14 @@ spec:
|
|||||||
cidr: 172.20.8.241/32 # Erki A
|
cidr: 172.20.8.241/32 # Erki A
|
||||||
- from:
|
- from:
|
||||||
- ipBlock:
|
- ipBlock:
|
||||||
cidr: 212.47.211.10/32 # Elisa SIP
|
cidr: 195.222.16.36/32 # Elisa SIP
|
||||||
- from:
|
- from:
|
||||||
- ipBlock:
|
- ipBlock:
|
||||||
cidr: 212.47.211.10/32 # Elisa SIP
|
cidr: 195.222.16.38/32 # Elisa SIP
|
||||||
egress:
|
egress:
|
||||||
- to:
|
- to:
|
||||||
- ipBlock:
|
- ipBlock:
|
||||||
cidr: 212.47.211.10/32 # Elisa SIP
|
cidr: 195.222.16.36/32 # Elisa SIP
|
||||||
- to:
|
- to:
|
||||||
- ipBlock:
|
- ipBlock:
|
||||||
cidr: 195.222.16.38/32 # Elisa SIP
|
cidr: 195.222.16.38/32 # Elisa SIP
|
||||||
- to:
|
|
||||||
ports:
|
|
||||||
- port: 53
|
|
||||||
protocol: UDP
|
|
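Review bot: The egress rule `- to:` / `  ports:` / `  - port: 53` with `protocol: UDP` is removed on the new side while `policyTypes` still lists `Egress` (previous hunk), so the `asterisk` pods may only reach the two Elisa SIP addresses and lose DNS resolution unless another policy in the namespace allows it. If anything the pod contacts is referenced by hostname that will fail silently; keeping the UDP/53 rule, or an explicit selector for the cluster DNS pods, is the safer choice. The remaining ingress rules lie outside the hunk.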
@ -1,42 +1,22 @@
|
|||||||
# Bind namespace
|
# Bind setup
|
||||||
|
|
||||||
The Bind secondary servers and `external-dns` service pods are running in this namespace.
|
The Bind primary resides outside Kubernetes at `193.40.103.2` and
|
||||||
The `external-dns` pods are used to declaratively update DNS records on the
|
|
||||||
[Bind primary](https://git.k-space.ee/k-space/ansible/src/branch/main/authoritative-nameserver.yaml).
|
|
||||||
|
|
||||||
The Bind primary `ns1.k-space.ee` resides outside Kubernetes at `193.40.103.2` and
|
|
||||||
it's internally reachable via `172.20.0.2`.
|
it's internally reachable via `172.20.0.2`.
|
||||||
Bind secondaries perform AXFR (zone transfer) from `ns1.k-space.ee` using
|
|
||||||
shared secret autentication.
|
|
||||||
The primary triggers notification events to `172.20.53.{1..3}`
|
|
||||||
which are internally exposed IP-s of the secondaries.
|
|
||||||
Bind secondaries are hosted inside Kubernetes, load balanced behind `62.65.250.2` and
|
Bind secondaries are hosted inside Kubernetes, load balanced behind `62.65.250.2` and
|
||||||
under normal circumstances managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/bind).
|
under normal circumstances managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/bind).
|
||||||
|
|
||||||
Note that [cert-manager](https://git.k-space.ee/k-space/kube/src/branch/master/cert-manager/) also performs DNS updates on the Bind primary.
|
|
||||||
|
|
||||||
|
|
||||||
# For user
|
|
||||||
|
|
||||||
`Ingresses` and `DNSEndpoint` resources under `k-space.ee`, `kspace.ee`, `k6.ee`
|
|
||||||
domains are picked up automatically by `external-dns` and updated on the Bind primary.
|
|
||||||
To find usage examples in this repository use
|
|
||||||
`grep -r -A25 "^kind: Ingress" .` and
|
|
||||||
`grep -R -r -A100 "^kind: DNSEndpoint" .`
|
|
||||||
|
|
||||||
|
|
||||||
# For administrator
|
|
||||||
Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee`, `k6.ee`
|
Ingresses and DNSEndpoints referring to `k-space.ee`, `kspace.ee`, `k6.ee`
|
||||||
are picked up automatically by `external-dns` and updated on primary.
|
are picked up automatically by `external-dns` and updated on primary.
|
||||||
|
|
||||||
The primary triggers notification events to `172.21.53.{1..3}`
|
The primary triggers notification events to `172.20.53.{1..3}`
|
||||||
which are internally exposed IP-s of the secondaries.
|
which are internally exposed IP-s of the secondaries.
|
||||||
|
|
||||||
# Secrets
|
# Secrets
|
||||||
|
|
||||||
To configure TSIG secrets:
|
To configure TSIG secrets:
|
||||||
|
|
||||||
```sh
|
```
|
||||||
kubectl create secret generic -n bind bind-readonly-secret \
|
kubectl create secret generic -n bind bind-readonly-secret \
|
||||||
--from-file=readonly.key
|
--from-file=readonly.key
|
||||||
kubectl create secret generic -n bind bind-readwrite-secret \
|
kubectl create secret generic -n bind bind-readwrite-secret \
|
||||||
@ -45,8 +25,9 @@ kubectl create secret generic -n bind external-dns
|
|||||||
kubectl -n bind delete secret tsig-secret
|
kubectl -n bind delete secret tsig-secret
|
||||||
kubectl -n bind create secret generic tsig-secret \
|
kubectl -n bind create secret generic tsig-secret \
|
||||||
--from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
|
--from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
|
||||||
|
kubectl -n cert-manager delete secret tsig-secret
|
||||||
# ^ same tsig-secret is in git.k-space.ee/secretspace/kube cert-manager
|
kubectl -n cert-manager create secret generic tsig-secret \
|
||||||
|
--from-literal=TSIG_SECRET=$(cat readwrite.key | grep secret | cut -d '"' -f 2)
|
||||||
```
|
```
|
||||||
|
|
||||||
# Serving additional zones
|
# Serving additional zones
|
||||||
@ -67,7 +48,7 @@ zone "foobar.com" {
|
|||||||
file "/var/lib/bind/db.foobar.com";
|
file "/var/lib/bind/db.foobar.com";
|
||||||
allow-update { !rejected; key foobar; };
|
allow-update { !rejected; key foobar; };
|
||||||
allow-transfer { !rejected; key readonly; key foobar; };
|
allow-transfer { !rejected; key readonly; key foobar; };
|
||||||
notify explicit; also-notify { 172.21.53.1; 172.21.53.2; 172.21.53.3; };
|
notify explicit; also-notify { 172.20.53.1; 172.20.53.2; 172.20.53.3; };
|
||||||
};
|
};
|
||||||
```
|
```
|
||||||
|
|
||||||
|
@ -3,7 +3,6 @@ apiVersion: v1
|
|||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
name: bind-secondary-config-local
|
name: bind-secondary-config-local
|
||||||
namespace: bind
|
|
||||||
data:
|
data:
|
||||||
named.conf.local: |
|
named.conf.local: |
|
||||||
zone "codemowers.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
|
zone "codemowers.ee" { type slave; masters { 172.20.0.2 key readonly; }; };
|
||||||
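Review bot: `namespace: bind` is removed from the `bind-secondary-config-local` ConfigMap metadata (and likewise in the next hunk for `bind-secondary-config`, and in the `external-dns-k-space` and `external-dns-k6` Deployment hunks), so these objects now land in whatever namespace the applier supplies. Under Argo CD that is the Application's destination namespace, but any `kubectl apply -f` without `-n bind` puts them in `default`, where the `bind-secondary` pods (still explicitly in `bind`) will not find them. Keeping the explicit `namespace: bind` line removes that dependency on context.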
@ -14,7 +13,6 @@ apiVersion: v1
|
|||||||
kind: ConfigMap
|
kind: ConfigMap
|
||||||
metadata:
|
metadata:
|
||||||
name: bind-secondary-config
|
name: bind-secondary-config
|
||||||
namespace: bind
|
|
||||||
data:
|
data:
|
||||||
named.conf: |
|
named.conf: |
|
||||||
include "/etc/bind/named.conf.local";
|
include "/etc/bind/named.conf.local";
|
||||||
@ -38,7 +36,6 @@ metadata:
|
|||||||
name: bind-secondary
|
name: bind-secondary
|
||||||
namespace: bind
|
namespace: bind
|
||||||
spec:
|
spec:
|
||||||
revisionHistoryLimit: 0
|
|
||||||
replicas: 3
|
replicas: 3
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
@ -48,16 +45,15 @@ spec:
|
|||||||
labels:
|
labels:
|
||||||
app: bind-secondary
|
app: bind-secondary
|
||||||
spec:
|
spec:
|
||||||
|
volumes:
|
||||||
|
- name: run
|
||||||
|
emptyDir: {}
|
||||||
containers:
|
containers:
|
||||||
- name: bind-secondary
|
- name: bind-secondary
|
||||||
image: mirror.gcr.io/internetsystemsconsortium/bind9:9.20
|
image: internetsystemsconsortium/bind9:9.19
|
||||||
resources:
|
volumeMounts:
|
||||||
limits:
|
- mountPath: /run/named
|
||||||
cpu: 100m
|
name: run
|
||||||
memory: 100Mi
|
|
||||||
requests:
|
|
||||||
cpu: 1m
|
|
||||||
memory: 35Mi
|
|
||||||
workingDir: /var/bind
|
workingDir: /var/bind
|
||||||
command:
|
command:
|
||||||
- named
|
- named
|
||||||
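Review bot: The container's `resources:` block (limits 100m/100Mi, requests 1m/35Mi) is removed on the new side, leaving the authoritative DNS secondary as a BestEffort pod that is first in line for eviction under node pressure; the same removal appears in the `external-dns-k-space` and `external-dns-k6` hunks. Restoring at least `requests: {cpu: 1m, memory: 35Mi}` keeps scheduling and eviction behaviour predictable. The image also changes from `mirror.gcr.io/internetsystemsconsortium/bind9:9.20` to `internetsystemsconsortium/bind9:9.19`, i.e. an unmirrored Docker Hub pull of an older series (9.19 being, as far as I recall, the development branch that 9.20 superseded), which deserves a comment if deliberate. The added `run` emptyDir mounted at `/run/named` looks fine. The pod spec continues outside the hunk.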
@ -83,13 +79,16 @@ spec:
|
|||||||
name: bind-readonly-secret
|
name: bind-readonly-secret
|
||||||
- name: bind-data
|
- name: bind-data
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
topologySpreadConstraints:
|
affinity:
|
||||||
- maxSkew: 1
|
podAntiAffinity:
|
||||||
topologyKey: topology.kubernetes.io/zone
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
whenUnsatisfiable: DoNotSchedule
|
- labelSelector:
|
||||||
labelSelector:
|
matchExpressions:
|
||||||
matchLabels:
|
- key: app
|
||||||
app: bind-secondary
|
operator: In
|
||||||
|
values:
|
||||||
|
- bind-secondary
|
||||||
|
topologyKey: "kubernetes.io/hostname"
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
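Review bot: Replacing the zone `topologySpreadConstraints` with a `requiredDuringSchedulingIgnoredDuringExecution` podAntiAffinity on `kubernetes.io/hostname` means the three `bind-secondary` replicas each need a distinct schedulable node, and with fewer than three available (or during a drain) the surplus pod stays Pending rather than co-locating. If that hard guarantee is wanted, a comment such as `# hard anti-affinity: needs at least as many nodes as replicas` will stop someone relaxing it; if not, `preferredDuringSchedulingIgnoredDuringExecution` keeps the spread as a preference. The zone-level spread is lost entirely, so all three can end up in one zone. The workload's `spec` begins outside the hunk.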
@ -120,7 +119,7 @@ metadata:
|
|||||||
spec:
|
spec:
|
||||||
type: LoadBalancer
|
type: LoadBalancer
|
||||||
externalTrafficPolicy: Local
|
externalTrafficPolicy: Local
|
||||||
loadBalancerIP: 172.21.53.1
|
loadBalancerIP: 172.20.53.1
|
||||||
selector:
|
selector:
|
||||||
app: bind-secondary
|
app: bind-secondary
|
||||||
statefulset.kubernetes.io/pod-name: bind-secondary-0
|
statefulset.kubernetes.io/pod-name: bind-secondary-0
|
||||||
@ -142,7 +141,7 @@ metadata:
|
|||||||
spec:
|
spec:
|
||||||
type: LoadBalancer
|
type: LoadBalancer
|
||||||
externalTrafficPolicy: Local
|
externalTrafficPolicy: Local
|
||||||
loadBalancerIP: 172.21.53.2
|
loadBalancerIP: 172.20.53.2
|
||||||
selector:
|
selector:
|
||||||
app: bind-secondary
|
app: bind-secondary
|
||||||
statefulset.kubernetes.io/pod-name: bind-secondary-1
|
statefulset.kubernetes.io/pod-name: bind-secondary-1
|
||||||
@ -164,7 +163,7 @@ metadata:
|
|||||||
spec:
|
spec:
|
||||||
type: LoadBalancer
|
type: LoadBalancer
|
||||||
externalTrafficPolicy: Local
|
externalTrafficPolicy: Local
|
||||||
loadBalancerIP: 172.21.53.3
|
loadBalancerIP: 172.20.53.3
|
||||||
selector:
|
selector:
|
||||||
app: bind-secondary
|
app: bind-secondary
|
||||||
statefulset.kubernetes.io/pod-name: bind-secondary-2
|
statefulset.kubernetes.io/pod-name: bind-secondary-2
|
||||||
|
@ -3,7 +3,6 @@ apiVersion: apps/v1
|
|||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
name: external-dns-k-space
|
name: external-dns-k-space
|
||||||
namespace: bind
|
|
||||||
spec:
|
spec:
|
||||||
revisionHistoryLimit: 0
|
revisionHistoryLimit: 0
|
||||||
selector:
|
selector:
|
||||||
@ -17,14 +16,7 @@ spec:
|
|||||||
serviceAccountName: external-dns
|
serviceAccountName: external-dns
|
||||||
containers:
|
containers:
|
||||||
- name: external-dns
|
- name: external-dns
|
||||||
image: registry.k8s.io/external-dns/external-dns:v0.16.1
|
image: registry.k8s.io/external-dns/external-dns:v0.13.5
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 100m
|
|
||||||
memory: 100Mi
|
|
||||||
requests:
|
|
||||||
cpu: 2m
|
|
||||||
memory: 35Mi
|
|
||||||
envFrom:
|
envFrom:
|
||||||
- secretRef:
|
- secretRef:
|
||||||
name: tsig-secret
|
name: tsig-secret
|
||||||
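Review bot: The container's `resources` block is removed on the new side, leaving the external-dns pod with no CPU or memory bound at all in the same namespace as the authoritative bind secondaries; the old side's `requests: {cpu: 2m, memory: 35Mi}` / `limits: {cpu: 100m, memory: 100Mi}` were already small and should be kept. The image moves from `external-dns:v0.16.1` to `v0.13.5` in the same hunk; if the downgrade is deliberate, put the reason in a comment on the image line, because the older tag is unlikely to still receive fixes. The Deployment's pod template continues past the end of the hunk, so I cannot see whether `args` or a securityContext are also affected.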
|
@ -3,7 +3,6 @@ apiVersion: apps/v1
|
|||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
name: external-dns-k6
|
name: external-dns-k6
|
||||||
namespace: bind
|
|
||||||
spec:
|
spec:
|
||||||
revisionHistoryLimit: 0
|
revisionHistoryLimit: 0
|
||||||
selector:
|
selector:
|
||||||
@ -17,22 +16,15 @@ spec:
|
|||||||
serviceAccountName: external-dns
|
serviceAccountName: external-dns
|
||||||
containers:
|
containers:
|
||||||
- name: external-dns
|
- name: external-dns
|
||||||
image: registry.k8s.io/external-dns/external-dns:v0.16.1
|
image: registry.k8s.io/external-dns/external-dns:v0.13.5
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 100m
|
|
||||||
memory: 100Mi
|
|
||||||
requests:
|
|
||||||
cpu: 2m
|
|
||||||
memory: 35Mi
|
|
||||||
envFrom:
|
envFrom:
|
||||||
- secretRef:
|
- secretRef:
|
||||||
name: tsig-secret
|
name: tsig-secret
|
||||||
args:
|
args:
|
||||||
|
- --log-level=debug
|
||||||
- --events
|
- --events
|
||||||
- --registry=noop
|
- --registry=noop
|
||||||
- --provider=rfc2136
|
- --provider=rfc2136
|
||||||
- --source=ingress
|
|
||||||
- --source=service
|
- --source=service
|
||||||
- --source=crd
|
- --source=crd
|
||||||
- --domain-filter=k6.ee
|
- --domain-filter=k6.ee
|
||||||
@ -49,7 +41,6 @@ apiVersion: externaldns.k8s.io/v1alpha1
|
|||||||
kind: DNSEndpoint
|
kind: DNSEndpoint
|
||||||
metadata:
|
metadata:
|
||||||
name: k6
|
name: k6
|
||||||
namespace: bind
|
|
||||||
spec:
|
spec:
|
||||||
endpoints:
|
endpoints:
|
||||||
- dnsName: k6.ee
|
- dnsName: k6.ee
|
||||||
@ -73,3 +64,8 @@ spec:
|
|||||||
recordType: A
|
recordType: A
|
||||||
targets:
|
targets:
|
||||||
- 62.65.250.2
|
- 62.65.250.2
|
||||||
|
- dnsName: k-space.ee
|
||||||
|
recordTTL: 300
|
||||||
|
recordType: MX
|
||||||
|
targets:
|
||||||
|
- 10 mail.k-space.ee
|
||||||
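Review bot: `--log-level=debug` is switched on for a controller that loads `tsig-secret` via `envFrom` and pushes RFC 2136 updates; debug output from the rfc2136 provider is far more verbose than `info`, so confirm the TSIG key and full update payloads do not land in pod logs before leaving this on, and otherwise revert to the default or set `--log-level=info`. Dropping `--source=ingress` means Ingress objects under `k6.ee` silently stop being published, which may be intended but deserves a line in the commit message. The new `k-space.ee` MX endpoint is added to the DNSEndpoint named `k6`, while this deployment runs with `--domain-filter=k6.ee`; unless the k-space.ee instance also watches CRDs in this namespace (its args are not in this hunk), the record will be filtered out and never published, so it probably belongs next to the other `k-space.ee` endpoints. As with the sibling deployment, the `resources` block is removed here; re-add the old limits.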
|
@ -3,7 +3,6 @@ apiVersion: apps/v1
|
|||||||
kind: Deployment
|
kind: Deployment
|
||||||
metadata:
|
metadata:
|
||||||
name: external-dns-kspace
|
name: external-dns-kspace
|
||||||
namespace: bind
|
|
||||||
spec:
|
spec:
|
||||||
revisionHistoryLimit: 0
|
revisionHistoryLimit: 0
|
||||||
selector:
|
selector:
|
||||||
@ -17,14 +16,7 @@ spec:
|
|||||||
serviceAccountName: external-dns
|
serviceAccountName: external-dns
|
||||||
containers:
|
containers:
|
||||||
- name: external-dns
|
- name: external-dns
|
||||||
image: registry.k8s.io/external-dns/external-dns:v0.16.1
|
image: registry.k8s.io/external-dns/external-dns:v0.13.5
|
||||||
resources:
|
|
||||||
limits:
|
|
||||||
cpu: 100m
|
|
||||||
memory: 100Mi
|
|
||||||
requests:
|
|
||||||
cpu: 2m
|
|
||||||
memory: 35Mi
|
|
||||||
envFrom:
|
envFrom:
|
||||||
- secretRef:
|
- secretRef:
|
||||||
name: tsig-secret
|
name: tsig-secret
|
||||||
@ -49,7 +41,6 @@ apiVersion: externaldns.k8s.io/v1alpha1
|
|||||||
kind: DNSEndpoint
|
kind: DNSEndpoint
|
||||||
metadata:
|
metadata:
|
||||||
name: kspace
|
name: kspace
|
||||||
namespace: bind
|
|
||||||
spec:
|
spec:
|
||||||
endpoints:
|
endpoints:
|
||||||
- dnsName: kspace.ee
|
- dnsName: kspace.ee
|
||||||
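Review bot: As in the two sibling deployments, the `resources` block is deleted and the image is pinned to `external-dns:v0.13.5` instead of `v0.16.1`, so this controller now has no memory or CPU ceiling. Re-add `resources: {requests: {cpu: 2m, memory: 35Mi}, limits: {cpu: 100m, memory: 100Mi}}` (the old side's values, which should stay identical across the three external-dns deployments) and, if the version change is intentional, explain it in a comment next to the image line. The pod template runs past the end of the hunk.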
|
@ -4,7 +4,7 @@ kind: ClusterRole
|
|||||||
metadata:
|
metadata:
|
||||||
name: external-dns
|
name: external-dns
|
||||||
rules:
|
rules:
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- ""
|
- ""
|
||||||
resources:
|
resources:
|
||||||
- services
|
- services
|
||||||
@ -15,7 +15,7 @@ rules:
|
|||||||
- get
|
- get
|
||||||
- watch
|
- watch
|
||||||
- list
|
- list
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- extensions
|
- extensions
|
||||||
- networking.k8s.io
|
- networking.k8s.io
|
||||||
resources:
|
resources:
|
||||||
@ -24,7 +24,7 @@ rules:
|
|||||||
- get
|
- get
|
||||||
- list
|
- list
|
||||||
- watch
|
- watch
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- externaldns.k8s.io
|
- externaldns.k8s.io
|
||||||
resources:
|
resources:
|
||||||
- dnsendpoints
|
- dnsendpoints
|
||||||
@ -32,7 +32,7 @@ rules:
|
|||||||
- get
|
- get
|
||||||
- watch
|
- watch
|
||||||
- list
|
- list
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- externaldns.k8s.io
|
- externaldns.k8s.io
|
||||||
resources:
|
resources:
|
||||||
- dnsendpoints/status
|
- dnsendpoints/status
|
||||||
@ -43,18 +43,16 @@ apiVersion: v1
|
|||||||
kind: ServiceAccount
|
kind: ServiceAccount
|
||||||
metadata:
|
metadata:
|
||||||
name: external-dns
|
name: external-dns
|
||||||
namespace: bind
|
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
kind: ClusterRoleBinding
|
kind: ClusterRoleBinding
|
||||||
metadata:
|
metadata:
|
||||||
name: external-dns-viewer
|
name: external-dns-viewer
|
||||||
namespace: bind
|
|
||||||
roleRef:
|
roleRef:
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: rbac.authorization.k8s.io
|
||||||
kind: ClusterRole
|
kind: ClusterRole
|
||||||
name: external-dns
|
name: external-dns
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: ServiceAccount
|
||||||
name: external-dns
|
name: external-dns
|
||||||
namespace: bind
|
namespace: bind
|
||||||
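Review bot: The ServiceAccount loses its explicit `namespace: bind` while the ClusterRoleBinding subject still hard-codes `namespace: bind`, so the two only line up if this file is always applied with `-n bind`; applied into any other namespace the binding points at a ServiceAccount that does not exist, nothing errors, and external-dns simply gets 403s on its list/watch calls. Either keep `namespace: bind` on the ServiceAccount, or drop it from the subject as well and let the kustomization or namespace flag decide for both. Removing `metadata.namespace` from the ClusterRoleBinding itself is correct, since that object is cluster-scoped. The ClusterRole definition starts before the first hunk, so I have not checked its full verb list.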
|
1
camtiler/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
deployments/
|
39
camtiler/README.md
Normal file
@ -0,0 +1,39 @@
|
|||||||
|
To apply changes:
|
||||||
|
|
||||||
|
```
|
||||||
|
kubectl apply -n camtiler \
|
||||||
|
-f application.yml \
|
||||||
|
-f minio.yml \
|
||||||
|
-f mongoexpress.yml \
|
||||||
|
-f mongodb-support.yml \
|
||||||
|
-f camera-tiler.yml \
|
||||||
|
-f logmower.yml \
|
||||||
|
-f ingress.yml \
|
||||||
|
-f network-policies.yml \
|
||||||
|
-f networkpolicy-base.yml
|
||||||
|
```
|
||||||
|
|
||||||
|
To deploy changes:
|
||||||
|
|
||||||
|
```
|
||||||
|
kubectl -n camtiler rollout restart deployment.apps/camtiler
|
||||||
|
```
|
||||||
|
|
||||||
|
To initialize secrets:
|
||||||
|
|
||||||
|
```
|
||||||
|
kubectl create secret generic -n camtiler mongodb-application-readwrite-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
|
||||||
|
kubectl create secret generic -n camtiler mongodb-application-readonly-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
|
||||||
|
kubectl create secret generic -n camtiler minio-secrets \
|
||||||
|
--from-literal="MINIO_ROOT_USER=root" \
|
||||||
|
--from-literal="MINIO_ROOT_PASSWORD=$(cat /dev/urandom | base64 | head -c 30)"
|
||||||
|
kubectl -n camtiler create secret generic camera-secrets \
|
||||||
|
--from-literal=username=... \
|
||||||
|
--from-literal=password=...
|
||||||
|
```
|
||||||
|
|
||||||
|
To restart all deployments:
|
||||||
|
|
||||||
|
```
|
||||||
|
for j in $(kubectl get deployments -n camtiler -o name); do kubectl rollout restart -n camtiler $j; done
|
||||||
|
```
|
355
camtiler/application.yml
Normal file
@ -0,0 +1,355 @@
|
|||||||
|
---
|
||||||
|
apiVersion: codemowers.cloud/v1beta1
|
||||||
|
kind: MinioBucketClaim
|
||||||
|
metadata:
|
||||||
|
name: camtiler
|
||||||
|
spec:
|
||||||
|
capacity: 150Gi
|
||||||
|
class: dedicated
|
||||||
|
---
|
||||||
|
apiVersion: apiextensions.k8s.io/v1
|
||||||
|
kind: CustomResourceDefinition
|
||||||
|
metadata:
|
||||||
|
name: cams.k-space.ee
|
||||||
|
spec:
|
||||||
|
group: k-space.ee
|
||||||
|
names:
|
||||||
|
plural: cams
|
||||||
|
singular: cam
|
||||||
|
kind: Camera
|
||||||
|
shortNames:
|
||||||
|
- cam
|
||||||
|
scope: Namespaced
|
||||||
|
versions:
|
||||||
|
- name: v1alpha1
|
||||||
|
served: true
|
||||||
|
storage: true
|
||||||
|
schema:
|
||||||
|
openAPIV3Schema:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
spec:
|
||||||
|
type: object
|
||||||
|
properties:
|
||||||
|
roi:
|
||||||
|
type: object
|
||||||
|
description: Region of interest for this camera
|
||||||
|
properties:
|
||||||
|
threshold:
|
||||||
|
type: integer
|
||||||
|
description: Percentage of pixels changed within ROI to
|
||||||
|
consider whole frame to have motion detected.
|
||||||
|
Defaults to 5.
|
||||||
|
enabled:
|
||||||
|
type: boolean
|
||||||
|
description: Whether motion detection is enabled for this
|
||||||
|
camera. Defaults to false.
|
||||||
|
left:
|
||||||
|
type: integer
|
||||||
|
description: Left boundary of ROI as
|
||||||
|
percentage of the width of a frame.
|
||||||
|
By default 0.
|
||||||
|
right:
|
||||||
|
type: integer
|
||||||
|
description: Right boundary of ROI as
|
||||||
|
percentage of the width of a frame.
|
||||||
|
By default 100.
|
||||||
|
top:
|
||||||
|
type: integer
|
||||||
|
description: Top boundary of ROI as
|
||||||
|
percentage of the height of a frame
|
||||||
|
By deafault 0.
|
||||||
|
bottom:
|
||||||
|
type: integer
|
||||||
|
description: Bottom boundary of ROI as
|
||||||
|
percentage of the height of a frame.
|
||||||
|
By default 100.
|
||||||
|
secretRef:
|
||||||
|
type: string
|
||||||
|
description: Secret that contains authentication credentials
|
||||||
|
target:
|
||||||
|
type: string
|
||||||
|
description: URL of the video feed stream
|
||||||
|
replicas:
|
||||||
|
type: integer
|
||||||
|
minimum: 1
|
||||||
|
maximum: 2
|
||||||
|
description: For highly available deployment set this to 2 or
|
||||||
|
higher. Make sure you also run Mongo and Minio in HA
|
||||||
|
configurations
|
||||||
|
required: ["target"]
|
||||||
|
required: ["spec"]
|
||||||
|
---
|
||||||
|
apiVersion: codemowers.io/v1alpha1
|
||||||
|
kind: ClusterOperator
|
||||||
|
metadata:
|
||||||
|
name: camera
|
||||||
|
spec:
|
||||||
|
resource:
|
||||||
|
group: k-space.ee
|
||||||
|
version: v1alpha1
|
||||||
|
plural: cams
|
||||||
|
secret:
|
||||||
|
enabled: false
|
||||||
|
services:
|
||||||
|
- apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: foobar
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: foobar
|
||||||
|
component: camera-motion-detect
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: foobar
|
||||||
|
component: camera-motion-detect
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: 80
|
||||||
|
targetPort: 5000
|
||||||
|
deployments:
|
||||||
|
- apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: camera-foobar
|
||||||
|
spec:
|
||||||
|
revisionHistoryLimit: 0
|
||||||
|
replicas: 1
|
||||||
|
|
||||||
|
strategy:
|
||||||
|
type: RollingUpdate
|
||||||
|
rollingUpdate:
|
||||||
|
# Swap following two with replicas: 2
|
||||||
|
maxSurge: 1
|
||||||
|
maxUnavailable: 0
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: foobar
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: foobar
|
||||||
|
component: camera-motion-detect
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: camera-motion-detect
|
||||||
|
image: harbor.k-space.ee/k-space/camera-motion-detect:latest
|
||||||
|
starupProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /healthz
|
||||||
|
port: 5000
|
||||||
|
initialDelaySeconds: 2
|
||||||
|
periodSeconds: 180
|
||||||
|
timeoutSeconds: 60
|
||||||
|
readinessProbe:
|
||||||
|
httpGet:
|
||||||
|
path: /readyz
|
||||||
|
port: 5000
|
||||||
|
initialDelaySeconds: 60
|
||||||
|
periodSeconds: 60
|
||||||
|
timeoutSeconds: 5
|
||||||
|
ports:
|
||||||
|
- containerPort: 5000
|
||||||
|
name: "http"
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: "64Mi"
|
||||||
|
cpu: "200m"
|
||||||
|
limits:
|
||||||
|
memory: "256Mi"
|
||||||
|
cpu: "4000m"
|
||||||
|
securityContext:
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 1000
|
||||||
|
command:
|
||||||
|
- /app/camdetect.py
|
||||||
|
- http://user@foobar.cam.k-space.ee:8080/?action=stream
|
||||||
|
env:
|
||||||
|
- name: SOURCE_NAME
|
||||||
|
value: foobar
|
||||||
|
- name: S3_BUCKET_NAME
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: miniobucket-camtiler-owner-secrets
|
||||||
|
key: BUCKET_NAME
|
||||||
|
- name: S3_ENDPOINT_URL
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: miniobucket-camtiler-owner-secrets
|
||||||
|
key: AWS_S3_ENDPOINT_URL
|
||||||
|
- name: AWS_SECRET_ACCESS_KEY
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: miniobucket-camtiler-owner-secrets
|
||||||
|
key: AWS_SECRET_ACCESS_KEY
|
||||||
|
- name: AWS_ACCESS_KEY_ID
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: miniobucket-camtiler-owner-secrets
|
||||||
|
key: AWS_ACCESS_KEY_ID
|
||||||
|
- name: BASIC_AUTH_PASSWORD
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: camera-secrets
|
||||||
|
key: password
|
||||||
|
- name: MONGO_URI
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: mongodb-application-readwrite
|
||||||
|
key: connectionString.standard
|
||||||
|
|
||||||
|
# Make sure 2+ pods of same camera are scheduled on different hosts
|
||||||
|
affinity:
|
||||||
|
podAntiAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: app.kubernetes.io/name
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- foobar
|
||||||
|
topologyKey: topology.kubernetes.io/zone
|
||||||
|
|
||||||
|
# Make sure camera deployments are spread over workers
|
||||||
|
topologySpreadConstraints:
|
||||||
|
- maxSkew: 1
|
||||||
|
topologyKey: topology.kubernetes.io/zone
|
||||||
|
whenUnsatisfiable: DoNotSchedule
|
||||||
|
labelSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: foobar
|
||||||
|
component: camera-motion-detect
|
||||||
|
---
|
||||||
|
apiVersion: monitoring.coreos.com/v1
|
||||||
|
kind: PrometheusRule
|
||||||
|
metadata:
|
||||||
|
name: cameras
|
||||||
|
spec:
|
||||||
|
groups:
|
||||||
|
- name: cameras
|
||||||
|
rules:
|
||||||
|
- alert: CameraLost
|
||||||
|
expr: rate(camtiler_frames_total{stage="downloaded"}[1m]) < 1
|
||||||
|
for: 2m
|
||||||
|
labels:
|
||||||
|
severity: warning
|
||||||
|
annotations:
|
||||||
|
summary: Camera feed stopped
|
||||||
|
- alert: CameraServerRoomMotion
|
||||||
|
expr: rate(camtiler_events_total{app_kubernetes_io_name="server-room"}[30m]) > 0
|
||||||
|
for: 1m
|
||||||
|
labels:
|
||||||
|
severity: warning
|
||||||
|
annotations:
|
||||||
|
summary: Motion was detected in server room
|
||||||
|
- alert: CameraSlowUploads
|
||||||
|
expr: camtiler_queue_frames{stage="upload"} > 10
|
||||||
|
for: 5m
|
||||||
|
labels:
|
||||||
|
severity: warning
|
||||||
|
annotations:
|
||||||
|
summary: Motion detect snapshots are piling up and
|
||||||
|
not getting uploaded to S3
|
||||||
|
- alert: CameraSlowProcessing
|
||||||
|
expr: camtiler_queue_frames{stage="download"} > 10
|
||||||
|
for: 5m
|
||||||
|
labels:
|
||||||
|
severity: warning
|
||||||
|
annotations:
|
||||||
|
summary: Motion detection processing pipeline is not keeping up
|
||||||
|
with incoming frames
|
||||||
|
- alert: CameraResourcesThrottled
|
||||||
|
expr: sum by (pod) (rate(container_cpu_cfs_throttled_periods_total{namespace="camtiler"}[1m])) > 0
|
||||||
|
for: 5m
|
||||||
|
labels:
|
||||||
|
severity: warning
|
||||||
|
annotations:
|
||||||
|
summary: CPU limits are bottleneck
|
||||||
|
---
|
||||||
|
apiVersion: k-space.ee/v1alpha1
|
||||||
|
kind: Camera
|
||||||
|
metadata:
|
||||||
|
name: workshop
|
||||||
|
spec:
|
||||||
|
target: http://user@workshop.cam.k-space.ee:8080/?action=stream
|
||||||
|
secretRef: camera-secrets
|
||||||
|
replicas: 1
|
||||||
|
---
|
||||||
|
apiVersion: k-space.ee/v1alpha1
|
||||||
|
kind: Camera
|
||||||
|
metadata:
|
||||||
|
name: server-room
|
||||||
|
spec:
|
||||||
|
target: http://user@server-room.cam.k-space.ee:8080/?action=stream
|
||||||
|
secretRef: camera-secrets
|
||||||
|
replicas: 2
|
||||||
|
---
|
||||||
|
apiVersion: k-space.ee/v1alpha1
|
||||||
|
kind: Camera
|
||||||
|
metadata:
|
||||||
|
name: printer
|
||||||
|
spec:
|
||||||
|
target: http://user@printer.cam.k-space.ee:8080/?action=stream
|
||||||
|
secretRef: camera-secrets
|
||||||
|
replicas: 1
|
||||||
|
---
|
||||||
|
apiVersion: k-space.ee/v1alpha1
|
||||||
|
kind: Camera
|
||||||
|
metadata:
|
||||||
|
name: chaos
|
||||||
|
spec:
|
||||||
|
target: http://user@chaos.cam.k-space.ee:8080/?action=stream
|
||||||
|
secretRef: camera-secrets
|
||||||
|
replicas: 1
|
||||||
|
---
|
||||||
|
apiVersion: k-space.ee/v1alpha1
|
||||||
|
kind: Camera
|
||||||
|
metadata:
|
||||||
|
name: cyber
|
||||||
|
spec:
|
||||||
|
target: http://user@cyber.cam.k-space.ee:8080/?action=stream
|
||||||
|
secretRef: camera-secrets
|
||||||
|
replicas: 1
|
||||||
|
---
|
||||||
|
apiVersion: k-space.ee/v1alpha1
|
||||||
|
kind: Camera
|
||||||
|
metadata:
|
||||||
|
name: kitchen
|
||||||
|
spec:
|
||||||
|
target: http://user@kitchen.cam.k-space.ee:8080/?action=stream
|
||||||
|
secretRef: camera-secrets
|
||||||
|
replicas: 1
|
||||||
|
---
|
||||||
|
apiVersion: k-space.ee/v1alpha1
|
||||||
|
kind: Camera
|
||||||
|
metadata:
|
||||||
|
name: back-door
|
||||||
|
spec:
|
||||||
|
target: http://user@100.102.3.3:8080/?action=stream
|
||||||
|
secretRef: camera-secrets
|
||||||
|
replicas: 1
|
||||||
|
---
|
||||||
|
apiVersion: k-space.ee/v1alpha1
|
||||||
|
kind: Camera
|
||||||
|
metadata:
|
||||||
|
name: ground-door
|
||||||
|
spec:
|
||||||
|
target: http://user@100.102.3.1:8080/?action=stream
|
||||||
|
secretRef: camera-secrets
|
||||||
|
replicas: 1
|
||||||
|
---
|
||||||
|
apiVersion: monitoring.coreos.com/v1
|
||||||
|
kind: PodMonitor
|
||||||
|
metadata:
|
||||||
|
name: camera-motion-detect
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
component: camera-motion-detect
|
||||||
|
podMetricsEndpoints:
|
||||||
|
- port: http
|
||||||
|
podTargetLabels:
|
||||||
|
- app.kubernetes.io/name
|
||||||
|
- component
|
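Review bot: `starupProbe:` in the camera-motion-detect container is misspelled, so the startup probe is either rejected by server-side field validation or, with older clients, silently dropped and the container is treated as started immediately; the key is `startupProbe:`. Every camera `target` is a plain `http://user@…:8080/?action=stream` URL with the password supplied through `BASIC_AUTH_PASSWORD`, so the shared camera credential crosses the network unencrypted on each stream open; if the cameras cannot serve TLS, at least make sure egress from these pods is limited to the camera addresses rather than a whole range. The `securityContext` sets `runAsNonRoot` and `readOnlyRootFilesystem` but should also carry `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`. `harbor.k-space.ee/k-space/camera-motion-detect:latest` is a mutable tag; pin a digest so the operator's rollouts are reproducible.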
98
camtiler/camera-tiler.yml
Normal file
@ -0,0 +1,98 @@
|
|||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: camera-tiler
|
||||||
|
annotations:
|
||||||
|
keel.sh/policy: force
|
||||||
|
keel.sh/trigger: poll
|
||||||
|
spec:
|
||||||
|
revisionHistoryLimit: 0
|
||||||
|
replicas: 2
|
||||||
|
selector:
|
||||||
|
matchLabels: &selectorLabels
|
||||||
|
app.kubernetes.io/name: camtiler
|
||||||
|
component: camera-tiler
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels: *selectorLabels
|
||||||
|
spec:
|
||||||
|
serviceAccountName: camera-tiler
|
||||||
|
containers:
|
||||||
|
- name: camera-tiler
|
||||||
|
image: harbor.k-space.ee/k-space/camera-tiler:latest
|
||||||
|
securityContext:
|
||||||
|
readOnlyRootFilesystem: true
|
||||||
|
runAsNonRoot: true
|
||||||
|
runAsUser: 1000
|
||||||
|
ports:
|
||||||
|
- containerPort: 5001
|
||||||
|
name: "http"
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
memory: "200Mi"
|
||||||
|
cpu: "100m"
|
||||||
|
limits:
|
||||||
|
memory: "500Mi"
|
||||||
|
cpu: "4000m"
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: camera-tiler
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/name: camtiler
|
||||||
|
component: camera-tiler
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: camtiler
|
||||||
|
component: camera-tiler
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: 5001
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ServiceAccount
|
||||||
|
metadata:
|
||||||
|
name: camera-tiler
|
||||||
|
---
|
||||||
|
kind: Role
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: camera-tiler
|
||||||
|
rules:
|
||||||
|
- apiGroups:
|
||||||
|
- ""
|
||||||
|
resources:
|
||||||
|
- services
|
||||||
|
verbs:
|
||||||
|
- list
|
||||||
|
---
|
||||||
|
kind: RoleBinding
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
metadata:
|
||||||
|
name: camera-tiler
|
||||||
|
subjects:
|
||||||
|
- kind: ServiceAccount
|
||||||
|
name: camera-tiler
|
||||||
|
apiGroup: ""
|
||||||
|
roleRef:
|
||||||
|
kind: Role
|
||||||
|
name: camera-tiler
|
||||||
|
apiGroup: ""
|
||||||
|
---
|
||||||
|
apiVersion: monitoring.coreos.com/v1
|
||||||
|
kind: PodMonitor
|
||||||
|
metadata:
|
||||||
|
name: camtiler
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: camtiler
|
||||||
|
component: camera-tiler
|
||||||
|
podMetricsEndpoints:
|
||||||
|
- port: http
|
||||||
|
podTargetLabels:
|
||||||
|
- app.kubernetes.io/name
|
||||||
|
- component
|
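Review bot: `image: …/camera-tiler:latest` together with `keel.sh/policy: force` and `keel.sh/trigger: poll` means whatever is pushed to that tag in Harbor is rolled out automatically with no review or signature check, which turns the registry push credential into a production deploy credential. Pin an immutable tag or digest and let an image updater propose the bump as a reviewed commit, or at least gate the Harbor project on scan results / content trust (whether that is configured is not visible here). The `securityContext` should additionally set `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` to meet the restricted Pod Security profile. The Role limited to `list` on `services` is appropriately narrow.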
78
camtiler/ingress.yml
Normal file
@ -0,0 +1,78 @@
|
|||||||
|
---
|
||||||
|
apiVersion: codemowers.io/v1alpha1
|
||||||
|
kind: OIDCGWMiddlewareClient
|
||||||
|
metadata:
|
||||||
|
name: sso
|
||||||
|
spec:
|
||||||
|
displayName: Cameras
|
||||||
|
uri: 'https://cams.k-space.ee/tiled'
|
||||||
|
allowedGroups:
|
||||||
|
- k-space:floor
|
||||||
|
- k-space:friends
|
||||||
|
---
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: Ingress
|
||||||
|
metadata:
|
||||||
|
name: camtiler
|
||||||
|
annotations:
|
||||||
|
kubernetes.io/ingress.class: traefik
|
||||||
|
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
||||||
|
traefik.ingress.kubernetes.io/router.middlewares: camtiler-sso@kubernetescrd,camtiler-redirect@kubernetescrd
|
||||||
|
traefik.ingress.kubernetes.io/router.tls: "true"
|
||||||
|
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
|
||||||
|
spec:
|
||||||
|
rules:
|
||||||
|
- host: cams.k-space.ee
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
- pathType: Prefix
|
||||||
|
path: "/"
|
||||||
|
backend:
|
||||||
|
service:
|
||||||
|
name: logmower-frontend
|
||||||
|
port:
|
||||||
|
number: 8080
|
||||||
|
- host: cam.k-space.ee
|
||||||
|
http:
|
||||||
|
paths:
|
||||||
|
- pathType: Prefix
|
||||||
|
path: "/tiled"
|
||||||
|
backend:
|
||||||
|
service:
|
||||||
|
name: camera-tiler
|
||||||
|
port:
|
||||||
|
number: 5001
|
||||||
|
- pathType: Prefix
|
||||||
|
path: "/m"
|
||||||
|
backend:
|
||||||
|
service:
|
||||||
|
name: camera-tiler
|
||||||
|
port:
|
||||||
|
number: 5001
|
||||||
|
- pathType: Prefix
|
||||||
|
path: "/events"
|
||||||
|
backend:
|
||||||
|
service:
|
||||||
|
name: logmower-eventsource
|
||||||
|
port:
|
||||||
|
number: 3002
|
||||||
|
- pathType: Prefix
|
||||||
|
path: "/"
|
||||||
|
backend:
|
||||||
|
service:
|
||||||
|
name: logmower-frontend
|
||||||
|
port:
|
||||||
|
number: 8080
|
||||||
|
tls:
|
||||||
|
- hosts:
|
||||||
|
- "*.k-space.ee"
|
||||||
|
---
|
||||||
|
apiVersion: traefik.containo.us/v1alpha1
|
||||||
|
kind: Middleware
|
||||||
|
metadata:
|
||||||
|
name: redirect
|
||||||
|
spec:
|
||||||
|
redirectRegex:
|
||||||
|
regex: ^https://cams.k-space.ee/(.*)$
|
||||||
|
replacement: https://cam.k-space.ee/$1
|
||||||
|
permanent: false
|
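Review bot: The OIDC middleware client registers `uri: 'https://cams.k-space.ee/tiled'`, yet the `redirect` middleware on the same Ingress sends every `cams.k-space.ee` request to `cam.k-space.ee`; if `uri` is what the gateway uses as the post-login return address (this file does not say), logins would bounce through that redirect, so both should name the same host. The `camtiler-sso@kubernetescrd` middleware is attached to the whole Ingress, which is right, since `/events`, `/m` and `/tiled` have no authentication of their own; keep that annotation when further hosts or paths are added. `kubernetes.io/ingress.class` is deprecated; use `spec.ingressClassName: traefik`.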
182
camtiler/logmower.yml
Normal file
@ -0,0 +1,182 @@
|
|||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: logmower-eventsource
|
||||||
|
spec:
|
||||||
|
revisionHistoryLimit: 0
|
||||||
|
replicas: 2
|
||||||
|
selector:
|
||||||
|
matchLabels: &selectorLabels
|
||||||
|
app.kubernetes.io/name: camtiler
|
||||||
|
component: logmower-eventsource
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels: *selectorLabels
|
||||||
|
spec:
|
||||||
|
affinity:
|
||||||
|
podAntiAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: app.kubernetes.io/name
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- camtiler
|
||||||
|
- key: component
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- logmower-eventsource
|
||||||
|
topologyKey: topology.kubernetes.io/zone
|
||||||
|
nodeSelector:
|
||||||
|
dedicated: storage
|
||||||
|
tolerations:
|
||||||
|
- key: dedicated
|
||||||
|
operator: Equal
|
||||||
|
value: storage
|
||||||
|
effect: NoSchedule
|
||||||
|
containers:
|
||||||
|
- name: logmower-eventsource
|
||||||
|
image: harbor.k-space.ee/k-space/logmower-eventsource
|
||||||
|
ports:
|
||||||
|
- containerPort: 3002
|
||||||
|
name: nodejs
|
||||||
|
env:
|
||||||
|
- name: MONGO_COLLECTION
|
||||||
|
value: eventlog
|
||||||
|
- name: MONGODB_HOST
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: mongodb-application-readonly
|
||||||
|
key: connectionString.standard
|
||||||
|
- name: BACKEND
|
||||||
|
value: 'camtiler'
|
||||||
|
- name: BACKEND_BROKER_URL
|
||||||
|
value: 'http://logmower-event-broker'
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: logmower-event-broker
|
||||||
|
spec:
|
||||||
|
revisionHistoryLimit: 0
|
||||||
|
replicas: 2
|
||||||
|
selector:
|
||||||
|
matchLabels: &selectorLabels
|
||||||
|
app.kubernetes.io/name: camtiler
|
||||||
|
component: logmower-event-broker
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels: *selectorLabels
|
||||||
|
spec:
|
||||||
|
affinity:
|
||||||
|
podAntiAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: app.kubernetes.io/name
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- camtiler
|
||||||
|
- key: component
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- logmower-event-broker
|
||||||
|
topologyKey: topology.kubernetes.io/zone
|
||||||
|
nodeSelector:
|
||||||
|
dedicated: storage
|
||||||
|
tolerations:
|
||||||
|
- key: dedicated
|
||||||
|
operator: Equal
|
||||||
|
value: storage
|
||||||
|
effect: NoSchedule
|
||||||
|
containers:
|
||||||
|
- name: logmower-event-broker
|
||||||
|
image: harbor.k-space.ee/k-space/camera-event-broker
|
||||||
|
ports:
|
||||||
|
- containerPort: 3000
|
||||||
|
env:
|
||||||
|
- name: MINIO_BUCKET
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: miniobucket-camtiler-owner-secrets
|
||||||
|
key: BUCKET_NAME
|
||||||
|
- name: AWS_SECRET_ACCESS_KEY
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: miniobucket-camtiler-owner-secrets
|
||||||
|
key: AWS_SECRET_ACCESS_KEY
|
||||||
|
- name: AWS_ACCESS_KEY_ID
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: miniobucket-camtiler-owner-secrets
|
||||||
|
key: AWS_ACCESS_KEY_ID
|
||||||
|
- name: MINIO_HOSTNAME
|
||||||
|
value: 'dedicated-5ee6428f-4cb5-4c2e-90b5-364668f515c2.minio-clusters.k-space.ee'
|
||||||
|
- name: MINIO_PORT
|
||||||
|
value: '443'
|
||||||
|
- name: MINIO_SCHEMA
|
||||||
|
value: 'https'
|
||||||
|
---
|
||||||
|
apiVersion: apps/v1
|
||||||
|
kind: Deployment
|
||||||
|
metadata:
|
||||||
|
name: logmower-frontend
|
||||||
|
spec:
|
||||||
|
revisionHistoryLimit: 0
|
||||||
|
replicas: 2
|
||||||
|
selector:
|
||||||
|
matchLabels: &selectorLabels
|
||||||
|
app.kubernetes.io/name: camtiler
|
||||||
|
component: logmower-frontend
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels: *selectorLabels
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: logmower-frontend
|
||||||
|
image: harbor.k-space.ee/k-space/logmower-frontend
|
||||||
|
ports:
|
||||||
|
- containerPort: 8080
|
||||||
|
name: http
|
||||||
|
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: logmower-frontend
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: camtiler
|
||||||
|
component: logmower-frontend
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: 8080
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: logmower-eventsource
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: camtiler
|
||||||
|
component: logmower-eventsource
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: 3002
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Service
|
||||||
|
metadata:
|
||||||
|
name: logmower-event-broker
|
||||||
|
spec:
|
||||||
|
type: ClusterIP
|
||||||
|
selector:
|
||||||
|
app.kubernetes.io/name: camtiler
|
||||||
|
component: logmower-event-broker
|
||||||
|
ports:
|
||||||
|
- protocol: TCP
|
||||||
|
port: 80
|
||||||
|
targetPort: 3000
|
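Review bot: The three images (`logmower-eventsource`, `camera-event-broker`, `logmower-frontend`) carry no tag and so resolve to `:latest`, and none of these containers sets a `securityContext` or `resources`, unlike camera-tiler in the same directory; pin tags or digests and add the same `runAsNonRoot`/`readOnlyRootFilesystem`/limits stanza. `logmower-event-broker` receives the bucket owner credentials from `miniobucket-camtiler-owner-secrets`, the same secret the motion-detect writers use; if the broker only reads snapshots back for the frontend, a read-only credential scoped to the bucket would limit what a compromise of the web-facing path can do (whether the bucket claim can issue one is not visible here). The variable named `MONGODB_HOST` is actually fed `connectionString.standard`, a full connection URI that the operator-generated secret populates with the user's credentials; rename it to something like `MONGO_URI` as in application.yml, or at least comment that it is a URI.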
110
camtiler/mongodb.yml
Normal file
@ -0,0 +1,110 @@
|
|||||||
|
---
|
||||||
|
apiVersion: mongodbcommunity.mongodb.com/v1
|
||||||
|
kind: MongoDBCommunity
|
||||||
|
metadata:
|
||||||
|
name: mongodb
|
||||||
|
spec:
|
||||||
|
agent:
|
||||||
|
logLevel: ERROR
|
||||||
|
maxLogFileDurationHours: 1
|
||||||
|
additionalMongodConfig:
|
||||||
|
systemLog:
|
||||||
|
quiet: true
|
||||||
|
members: 2
|
||||||
|
arbiters: 1
|
||||||
|
type: ReplicaSet
|
||||||
|
version: "6.0.3"
|
||||||
|
security:
|
||||||
|
authentication:
|
||||||
|
modes: ["SCRAM"]
|
||||||
|
users:
|
||||||
|
- name: readwrite
|
||||||
|
db: application
|
||||||
|
passwordSecretRef:
|
||||||
|
name: mongodb-application-readwrite-password
|
||||||
|
roles:
|
||||||
|
- name: readWrite
|
||||||
|
db: application
|
||||||
|
scramCredentialsSecretName: mongodb-application-readwrite
|
||||||
|
- name: readonly
|
||||||
|
db: application
|
||||||
|
passwordSecretRef:
|
||||||
|
name: mongodb-application-readonly-password
|
||||||
|
roles:
|
||||||
|
- name: read
|
||||||
|
db: application
|
||||||
|
scramCredentialsSecretName: mongodb-application-readonly
|
||||||
|
statefulSet:
|
||||||
|
spec:
|
||||||
|
logLevel: WARN
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
containers:
|
||||||
|
- name: mongod
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 512Mi
|
||||||
|
limits:
|
||||||
|
cpu: 500m
|
||||||
|
memory: 1Gi
|
||||||
|
volumeMounts:
|
||||||
|
- name: journal-volume
|
||||||
|
mountPath: /data/journal
|
||||||
|
- name: mongodb-agent
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
cpu: 1m
|
||||||
|
memory: 100Mi
|
||||||
|
limits: {}
|
||||||
|
affinity:
|
||||||
|
podAntiAffinity:
|
||||||
|
requiredDuringSchedulingIgnoredDuringExecution:
|
||||||
|
- labelSelector:
|
||||||
|
matchExpressions:
|
||||||
|
- key: app
|
||||||
|
operator: In
|
||||||
|
values:
|
||||||
|
- mongodb-svc
|
||||||
|
topologyKey: topology.kubernetes.io/zone
|
||||||
|
nodeSelector:
|
||||||
|
dedicated: storage
|
||||||
|
tolerations:
|
||||||
|
- key: dedicated
|
||||||
|
operator: Equal
|
||||||
|
value: storage
|
||||||
|
effect: NoSchedule
|
||||||
|
volumeClaimTemplates:
|
||||||
|
- metadata:
|
||||||
|
name: logs-volume
|
||||||
|
labels:
|
||||||
|
usecase: logs
|
||||||
|
spec:
|
||||||
|
storageClassName: mongo
|
||||||
|
accessModes:
|
||||||
|
- ReadWriteOnce
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 200Mi
|
||||||
|
- metadata:
|
||||||
|
name: journal-volume
|
||||||
|
labels:
|
||||||
|
usecase: journal
|
||||||
|
spec:
|
||||||
|
storageClassName: mongo
|
||||||
|
accessModes:
|
||||||
|
- ReadWriteOnce
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 1Gi
|
||||||
|
- metadata:
|
||||||
|
name: data-volume
|
||||||
|
labels:
|
||||||
|
usecase: data
|
||||||
|
spec:
|
||||||
|
storageClassName: mongo
|
||||||
|
accessModes:
|
||||||
|
- ReadWriteOnce
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 2Gi
|
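Review bot: `additionalMongodConfig.systemLog.quiet: true` together with `agent.logLevel: ERROR` suppresses most of mongod's connection and command logging; for the database behind the camera event log that is exactly what you would want during an incident, and MongoDB's documentation advises against `quiet` in production, so drop `quiet: true` and keep the statefulset's `logLevel: WARN` as the noise control. The `mongodb-agent` container has `limits: {}`, i.e. no ceiling at all; give it a memory limit like the `mongod` container has. Separating the `readwrite` and `readonly` SCRAM users with their own `scramCredentialsSecretName` is good and matches how the readers and writers consume them.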
154
camtiler/network-policies.yml
Normal file
@ -0,0 +1,154 @@
|
|||||||
|
---
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: NetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: camera-motion-detect
|
||||||
|
spec:
|
||||||
|
podSelector:
|
||||||
|
matchLabels:
|
||||||
|
component: camera-motion-detect
|
||||||
|
policyTypes:
|
||||||
|
- Ingress
|
||||||
|
# - Egress # Something wrong with using minio-clusters as namespaceSelector.
|
||||||
|
ingress:
|
||||||
|
- from:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: camtiler
|
||||||
|
component: camera-tiler
|
||||||
|
- from:
|
||||||
|
- namespaceSelector:
|
||||||
|
matchLabels:
|
||||||
|
kubernetes.io/metadata.name: monitoring
|
||||||
|
podSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: prometheus
|
||||||
|
egress:
|
||||||
|
- to:
|
||||||
|
- ipBlock:
|
||||||
|
# Permit access to cameras outside the cluster
|
||||||
|
cidr: 100.102.0.0/16
|
||||||
|
- to:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
app: mongodb-svc
|
||||||
|
ports:
|
||||||
|
- port: 27017
|
||||||
|
- to:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: minio
|
||||||
|
ports:
|
||||||
|
- port: 9000
|
||||||
|
---
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: NetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: camera-tiler
|
||||||
|
spec:
|
||||||
|
podSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: camtiler
|
||||||
|
component: camera-tiler
|
||||||
|
policyTypes:
|
||||||
|
- Ingress
|
||||||
|
- Egress
|
||||||
|
egress:
|
||||||
|
- to:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
component: camera-motion-detect
|
||||||
|
ports:
|
||||||
|
- port: 5000
|
||||||
|
ingress:
|
||||||
|
- from:
|
||||||
|
- namespaceSelector:
|
||||||
|
matchLabels:
|
||||||
|
kubernetes.io/metadata.name: monitoring
|
||||||
|
podSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: prometheus
|
||||||
|
- from:
|
||||||
|
- namespaceSelector:
|
||||||
|
matchLabels:
|
||||||
|
kubernetes.io/metadata.name: traefik
|
||||||
|
podSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: traefik
|
||||||
|
---
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: NetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: logmower-eventsource
|
||||||
|
spec:
|
||||||
|
podSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: camtiler
|
||||||
|
component: logmower-eventsource
|
||||||
|
policyTypes:
|
||||||
|
- Ingress
|
||||||
|
# - Egress # Something wrong with using mongodb-svc as podSelector.
|
||||||
|
egress:
|
||||||
|
- to:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
app: mongodb-svc
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
component: logmower-event-broker
|
||||||
|
ingress:
|
||||||
|
- from:
|
||||||
|
- namespaceSelector:
|
||||||
|
matchLabels:
|
||||||
|
kubernetes.io/metadata.name: traefik
|
||||||
|
podSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: traefik
|
||||||
|
---
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: NetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: logmower-event-broker
|
||||||
|
spec:
|
||||||
|
podSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: camtiler
|
||||||
|
component: logmower-event-broker
|
||||||
|
policyTypes:
|
||||||
|
- Ingress
|
||||||
|
- Egress
|
||||||
|
egress:
|
||||||
|
- to:
|
||||||
|
# Minio access via Traefik's public endpoint
|
||||||
|
- namespaceSelector:
|
||||||
|
matchLabels:
|
||||||
|
kubernetes.io/metadata.name: traefik
|
||||||
|
podSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: traefik
|
||||||
|
ingress:
|
||||||
|
- from:
|
||||||
|
- podSelector:
|
||||||
|
matchLabels:
|
||||||
|
component: logmower-eventsource
|
||||||
|
---
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: NetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: logmower-frontend
|
||||||
|
spec:
|
||||||
|
podSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: camtiler
|
||||||
|
component: logmower-frontend
|
||||||
|
policyTypes:
|
||||||
|
- Ingress
|
||||||
|
- Egress
|
||||||
|
ingress:
|
||||||
|
- from:
|
||||||
|
- namespaceSelector:
|
||||||
|
matchLabels:
|
||||||
|
kubernetes.io/metadata.name: traefik
|
||||||
|
podSelector:
|
||||||
|
matchLabels:
|
||||||
|
app.kubernetes.io/name: traefik
|
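Review bot: The `egress:` lists on `camera-motion-detect` and `logmower-eventsource` are not enforced, because `- Egress` is commented out of `policyTypes` on both, so those pods keep unrestricted egress while the file reads as if they were confined. A plausible reason enabling Egress broke things (the two `# Something wrong with …` comments) is that neither list allows DNS, so the pods could no longer resolve `mongodb-svc`, `minio` or the camera hosts once the policy took effect; add an explicit allow to the cluster DNS pods (the label below assumes CoreDNS's `k8s-app: kube-dns` in `kube-system`, adjust to this cluster) and then restore `- Egress`. `logmower-frontend` lists `Egress` in `policyTypes` with no `egress:` rules, which is a total egress deny including DNS — fine for a static frontend but worth a comment such as `# no egress rules on purpose: frontend is static and must not call out`. The `ipBlock` rule for `100.102.0.0/16` is open on every port; if the cameras only serve RTSP/HTTP, add a `ports:` list there as well.

```yaml
  policyTypes:
    - Ingress
    - Egress
  egress:
    # DNS must be allowed explicitly once Egress is enforced
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # … unchanged: camera ipBlock, mongodb-svc and minio egress rules …
```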
@ -1,28 +1,22 @@
|
|||||||
# cert-manager
|
# cert-manager
|
||||||
|
|
||||||
`cert-manager` is used to obtain TLS certificates from Let's Encrypt.
|
`cert-manager` is used to obtain TLS certificates from Let's Encrypt.
|
||||||
It uses DNS-01 challenge in conjunction with Bind primary
|
|
||||||
at `ns1.k-space.ee`.
|
|
||||||
Refer to the [Bind primary Ansible playbook](https://git.k-space.ee/k-space/ansible/src/branch/main/authoritative-nameserver.yaml) and
|
|
||||||
[Bind namespace on Kubernetes cluster](https://git.k-space.ee/k-space/kube/src/branch/master/bind)
|
|
||||||
for more details
|
|
||||||
|
|
||||||
# For developer
|
Added manifest with:
|
||||||
|
|
||||||
Use `Certificate` CRD of cert-manager, refer to
|
```
|
||||||
[official documentation](https://cert-manager.io/docs/usage/certificate/).
|
curl -L https://github.com/jetstack/cert-manager/releases/download/v1.6.1/cert-manager.yaml -O
|
||||||
|
```
|
||||||
To find usage examples in this repository use
|
|
||||||
`grep -r -A10 "^kind: Certificate" .`
|
To update certificate issuer
|
||||||
|
|
||||||
# Deployment
|
```
|
||||||
With ArgoCD. Render it locally:
|
kubectl apply -f namespace.yml -f cert-manager.yaml
|
||||||
|
kubectl apply -f issuer.yml
|
||||||
```sh
|
kubectl -n cert-manager create secret generic tsig-secret \
|
||||||
kustomize build . --enable-helm
|
--from-literal=TSIG_SECRET=<secret>
|
||||||
```
|
```
|
||||||
|
|
||||||
## Webhook timeout
|
|
||||||
Workaround for webhook timeout issue https://github.com/jetstack/cert-manager/issues/2602
|
Workaround for webhook timeout issue https://github.com/jetstack/cert-manager/issues/2602
|
||||||
It's not very clear why this is happening, deserves further investigation - presumably Calico related somehow:
|
It's not very clear why this is happening, deserves further investigation - presumably Calico related somehow:
|
||||||
|
|
||||||
|
16233
cert-manager/cert-manager.crds.yaml
Normal file
16233
cert-manager/cert-manager.crds.yaml
Normal file
File diff suppressed because it is too large
17329
cert-manager/cert-manager.yaml
Normal file
17329
cert-manager/cert-manager.yaml
Normal file
File diff suppressed because it is too large
@ -1,21 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: cert-manager.io/v1
|
|
||||||
kind: ClusterIssuer
|
|
||||||
metadata:
|
|
||||||
name: default
|
|
||||||
namespace: cert-manager
|
|
||||||
spec:
|
|
||||||
acme:
|
|
||||||
email: info@k-space.ee
|
|
||||||
server: https://acme-v02.api.letsencrypt.org/directory
|
|
||||||
privateKeySecretRef:
|
|
||||||
name: example-issuer-account-key # auto-generated by cert-manager
|
|
||||||
solvers:
|
|
||||||
- dns01:
|
|
||||||
rfc2136:
|
|
||||||
nameserver: 193.40.103.2
|
|
||||||
tsigKeyName: readwrite.
|
|
||||||
tsigAlgorithm: HMACSHA512
|
|
||||||
tsigSecretSecretRef:
|
|
||||||
name: tsig-secret
|
|
||||||
key: TSIG_SECRET
|
|
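--- a/cert-manager/issuer.yml
+++ b/cert-manager/issuer.yml
@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: default
+spec:
+  acme:
+    email: info@k-space.ee
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: example-issuer-account-key
+    solvers:
+      - dns01:
+          rfc2136:
+            nameserver: 193.40.103.2
+            tsigKeyName: acme.
+            tsigAlgorithm: HMACSHA512
+            tsigSecretSecretRef:
+              name: tsig-secret
+              key: TSIG_SECRET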
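Review bot: The TSIG key this ClusterIssuer presents changed from `readwrite.` (in the deleted issuer above) to `acme.`, but nothing in the diff shows how that key is scoped on the Bind side; since cert-manager holds the shared secret, the key should be limited with an `update-policy` grant to TXT records under `_acme-challenge.*` rather than full zone write — confirm this on the primary at `193.40.103.2` before relying on the rename. `privateKeySecretRef.name: example-issuer-account-key` is the sample name from the upstream docs; renaming it to something descriptive would avoid confusion, noting that changing it registers a fresh ACME account. A `ClusterIssuer` is cluster-scoped, so `tsig-secret` must live in cert-manager's cluster-resource namespace (cert-manager by default); a comment such as `# tsig-secret must exist in the cert-manager namespace (cluster resource namespace)` would save the next person bootstrapping it.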
@ -1,21 +0,0 @@
|
|||||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
|
||||||
kind: Kustomization
|
|
||||||
|
|
||||||
namespace: cert-manager
|
|
||||||
|
|
||||||
# spec: https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_
|
|
||||||
helmCharts:
|
|
||||||
- includeCRDs: true
|
|
||||||
name: &name cert-manager
|
|
||||||
releaseName: *name
|
|
||||||
repo: https://charts.jetstack.io
|
|
||||||
valuesInline:
|
|
||||||
namespace: *name
|
|
||||||
global:
|
|
||||||
leaderElection:
|
|
||||||
namespace: *name
|
|
||||||
version: v1.18.1
|
|
||||||
|
|
||||||
resources:
|
|
||||||
- ssh://git@git.k-space.ee/secretspace/kube/cert-manager # secrets (.env): tsig-secret
|
|
||||||
- ./default.yaml
|
|
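--- a/cnpg-system/README.md
+++ b/cnpg-system/README.md
@@ -0,0 +1,8 @@
+# CloudNativePG
+
+To deploy:
+
+```
+wget https://raw.githubusercontent.com/cloudnative-pg/cloudnative-pg/release-1.20/releases/cnpg-1.20.2.yaml -O application.yml
+kubectl apply -f application.yml
+```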
13215
cnpg-system/application.yml
Normal file
13215
cnpg-system/application.yml
Normal file
File diff suppressed because it is too large
@ -1,44 +0,0 @@
|
|||||||
apiVersion: apps/v1
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: netshoot
|
|
||||||
spec:
|
|
||||||
replicas: 1
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: netshoot
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
creationTimestamp: null
|
|
||||||
labels:
|
|
||||||
app: netshoot
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: netshoot
|
|
||||||
image: mirror.gcr.io/nicolaka/netshoot:latest
|
|
||||||
command:
|
|
||||||
- /bin/bash
|
|
||||||
args:
|
|
||||||
- '-c'
|
|
||||||
- while true; do ping localhost; sleep 60;done
|
|
||||||
resources: {}
|
|
||||||
terminationMessagePath: /dev/termination-log
|
|
||||||
terminationMessagePolicy: File
|
|
||||||
imagePullPolicy: Always
|
|
||||||
securityContext:
|
|
||||||
capabilities:
|
|
||||||
add:
|
|
||||||
- NET_ADMIN
|
|
||||||
- NET_RAW
|
|
||||||
restartPolicy: Always
|
|
||||||
terminationGracePeriodSeconds: 30
|
|
||||||
dnsPolicy: ClusterFirst
|
|
||||||
securityContext: {}
|
|
||||||
schedulerName: default-scheduler
|
|
||||||
strategy:
|
|
||||||
type: RollingUpdate
|
|
||||||
rollingUpdate:
|
|
||||||
maxUnavailable: 25%
|
|
||||||
maxSurge: 25%
|
|
||||||
revisionHistoryLimit: 10
|
|
||||||
progressDeadlineSeconds: 600
|
|
@ -1,26 +0,0 @@
|
|||||||
# Dragonfly Operator
|
|
||||||
Dragonfly operator is the preferred way to add Redis support to your application
|
|
||||||
as it is modern Go rewrite and it supports high availability.
|
|
||||||
|
|
||||||
Following alternatives were considered, but are discouraged:
|
|
||||||
|
|
||||||
* Vanilla Redis without replication is unusable during pod reschedule or Kubernetes worker outage
|
|
||||||
* Vanilla Redis' replication is clunky and there is no reliable operator for Kubernetes
|
|
||||||
to use vanilla redis
|
|
||||||
* KeyDB Cluster was unable to guarantee strong consistency
|
|
||||||
|
|
||||||
Note that vanilla Redis
|
|
||||||
[has changed it's licensing policy](https://redis.io/blog/redis-adopts-dual-source-available-licensing/)
|
|
||||||
|
|
||||||
# For users
|
|
||||||
Refer to [official documentation on usage](https://www.dragonflydb.io/docs/getting-started/kubernetes-operator#create-a-dragonfly-instance-with-replicas)
|
|
||||||
For example deployment see
|
|
||||||
[here](https://git.k-space.ee/k-space/kube/src/branch/master/passmower/dragonfly.yaml).
|
|
||||||
To find other instances in this repository use `grep -r "kind: Dragonfly"`
|
|
||||||
|
|
||||||
Use storage class `redis` for persistent instances.
|
|
||||||
To achieve high availabilllity use 2+ replicas with correctly configured
|
|
||||||
`topologySpreadConstraints`.
|
|
||||||
|
|
||||||
# For administrators
|
|
||||||
See [/argocd/applications/dragonfly.yaml](/argocd/applications/dragonfly.yaml)
|
|
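--- a/drone-execution/README.md
+++ b/drone-execution/README.md
@@ -0,0 +1,13 @@
+To deply:
+
+```
+kubectl apply -n drone-execution -f application.yml
+```
+
+To bootstrap secrets:
+
+```
+kubectl create secret generic -n drone-execution application-secrets \
+--from-literal=DRONE_RPC_SECRET=$(kubectl get secret -n drone application-secrets -o jsonpath="{.data.DRONE_RPC_SECRET}" | base64 -d) \
+--from-literal=DRONE_SECRET_PLUGIN_TOKEN=$(cat /dev/urandom | base64 | head -c 30)
+```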
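--- a/drone-execution/application.yml
+++ b/drone-execution/application.yml
@@ -0,0 +1,177 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: drone-runner-kube
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: application-config
+data:
+  DRONE_DEBUG: "false"
+  DRONE_TRACE: "false"
+  DRONE_NAMESPACE_DEFAULT: "drone-execution"
+  DRONE_RPC_HOST: "drone.k-space.ee"
+  DRONE_RPC_PROTO: "https"
+  PLUGIN_MTU: "1300"
+  DRONE_SECRET_PLUGIN_ENDPOINT: "http://secrets:3000"
+---
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: drone-runner-kube
+  namespace: "drone-execution"
+  labels:
+    app: drone-runner-kube
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+    verbs:
+      - create
+      - delete
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/log
+    verbs:
+      - get
+      - create
+      - delete
+      - list
+      - watch
+      - update
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: drone-runner-kube
+  namespace: drone-execution
+  labels:
+    app: drone-runner-kube
+subjects:
+  - kind: ServiceAccount
+    name: drone-runner-kube
+    namespace: drone-execution
+roleRef:
+  kind: Role
+  name: drone-runner-kube
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: drone-runner-kube
+  labels:
+    app: drone-runner-kube
+spec:
+  type: ClusterIP
+  ports:
+    - port: 3000
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app: drone-runner-kube
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: drone-runner-kube
+  annotations:
+    keel.sh/policy: force
+    keel.sh/trigger: poll
+    keel.sh/pollSchedule: "@midnight"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: drone-runner-kube
+  template:
+    metadata:
+      labels:
+        app: drone-runner-kube
+    spec:
+      serviceAccountName: drone-runner-kube
+      terminationGracePeriodSeconds: 3600
+      containers:
+        - name: server
+          securityContext:
+            {}
+          image: drone/drone-runner-kube
+          imagePullPolicy: Always
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+          envFrom:
+            - configMapRef:
+                name: application-config
+            - secretRef:
+                name: application-secrets
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: drone-kubernetes-secrets
+  annotations:
+    keel.sh/policy: force
+    keel.sh/trigger: poll
+    keel.sh/pollSchedule: "@midnight"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: drone-kubernetes-secrets
+  template:
+    metadata:
+      labels:
+        app: drone-kubernetes-secrets
+    spec:
+      containers:
+        - name: secrets
+          image: drone/kubernetes-secrets
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 3000
+          env:
+            - name: SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: application-secrets
+                  key: DRONE_SECRET_PLUGIN_TOKEN
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: drone-kubernetes-secrets
+spec:
+  podSelector:
+    matchLabels:
+      app: drone-kubernetes-secrets
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: drone-runner-kube
+      ports:
+        - port: 3000
+---
+# Following should block access to pods in other namespaces, but should permit
+# Git checkout, pip install, talking to Traefik via public IP etc
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: drone-runner-kube
+spec:
+  podSelector: {}
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0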
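Review bot: The closing `drone-runner-kube` NetworkPolicy does not achieve what its comment states: `ipBlock: cidr: 0.0.0.0/0` without `except:` also matches pod and service IPs, so every pod in this namespace — including each CI build pod the runner spawns — can still reach pods in every other namespace. To block cluster-internal traffic while keeping Git, pip and Traefik reachable, carve the cluster's pod and service CIDRs out with `except:` (their values are not visible in this diff) and add explicit allows for DNS, same-namespace traffic (runner to the secrets plugin on `http://secrets:3000`) and the API server, which both `drone-runner-kube` and `drone-kubernetes-secrets` need. Separately, `drone/drone-runner-kube` and `drone/kubernetes-secrets` are pulled by floating tag with `imagePullPolicy: Always` and keel `policy: force`, so a bad upstream push is rolled out unattended into the component holding `DRONE_RPC_SECRET`; pinning a version or digest keeps that deliberate. `drone-kubernetes-secrets` sets no `serviceAccountName`, so it runs as `default`; whatever RBAC lets it read Secrets is not in this file and deserves a comment next to that Deployment.

```yaml
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              # cluster pod and service CIDRs — take from the cluster config
              - <pod-cidr>
              - <service-cidr>
    # same-namespace traffic (runner -> secrets plugin)
    - to:
        - podSelector: {}
    # DNS and the API server are carved out by the except above; allow them back
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # … add the API server endpoint(s) for the runner and secrets plugin …
```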
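--- a/drone/.helmignore
+++ b/drone/.helmignore
@@ -0,0 +1,25 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
+# Chart dirs/files
+docs/
+ci/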
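--- a/drone/README.md
+++ b/drone/README.md
@@ -0,0 +1,155 @@
+# Deployment
+
+To deploy:
+
+```
+kubectl apply -n drone -f application.yml
+```
+
+To bootstrap secrets:
+
+```
+kubectl create secret generic -n drone application-secrets \
+--from-literal=DRONE_GITEA_CLIENT_ID=... \
+--from-literal=DRONE_GITEA_CLIENT_SECRET=... \
+--from-literal=DRONE_RPC_SECRET=$(cat /dev/urandom | base64 | head -c 30)
+```
+
+# Integrating with Docker registry
+
+We use harbor.k-space.ee to host own images.
+
+Set up robot account `robot$k-space+drone` in Harbor first.
+
+In Drone associate `docker_username` and `docker_password` secrets with the
+`k-space`.
+
+Instead of click marathon you can also pull the CLI configuration for Drone
+from https://drone.k-space.ee/account
+
+```
+drone orgsecret add k-space docker_username 'robot$k-space+drone'
+drone orgsecret add k-space docker_password '...'
+```
+
+# Integrating with e-mail
+
+To (re)set e-mail credentials:
+
+```
+drone orgsecret add k-space email_password '...'
+```
+
+To issue build hit the button in Drone web interface or alternatively:
+
+```
+drone build create k-space/...
+```
+
+# Using templates
+
+Templates unfortunately aren't pulled in from this Git repo.
+
+Current `docker.yaml` template includes following:
+
+```
+kind: pipeline
+type: kubernetes
+name: build-arm64
+platform:
+  arch: arm64
+  os: linux
+node_selector:
+  kubernetes.io/arch: arm64
+tolerations:
+  - key: arch
+    operator: Equal
+    value: arm64
+    effect: NoSchedule
+steps:
+  - name: submodules
+    image: alpine/git
+    commands:
+      - touch .gitmodules
+      - sed -i -e 's/git@git.k-space.ee:/https:\\/\\/git.k-space.ee\\//g' .gitmodules
+      - git submodule update --init --recursive
+      - echo "ENV GIT_COMMIT=$(git rev-parse HEAD)" >> Dockerfile
+      - echo "ENV GIT_COMMIT_TIMESTAMP=$(git log -1 --format=%cd --date=iso-strict)" >> Dockerfile
+      - cat Dockerfile
+  - name: docker
+    image: harbor.k-space.ee/k-space/drone-kaniko
+    settings:
+      repo: ${DRONE_REPO}
+      tags: latest-arm64
+      registry: harbor.k-space.ee
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+---
+kind: pipeline
+type: kubernetes
+name: build-amd64
+platform:
+  arch: amd64
+  os: linux
+node_selector:
+  kubernetes.io/arch: amd64
+steps:
+  - name: submodules
+    image: alpine/git
+    commands:
+      - touch .gitmodules
+      - sed -i -e 's/git@git.k-space.ee:/https:\\/\\/git.k-space.ee\\//g' .gitmodules
+      - git submodule update --init --recursive
+      - echo "ENV GIT_COMMIT=$(git rev-parse HEAD)" >> Dockerfile
+      - echo "ENV GIT_COMMIT_TIMESTAMP=$(git log -1 --format=%cd --date=iso-strict)" >> Dockerfile
+      - cat Dockerfile
+  - name: docker
+    image: harbor.k-space.ee/k-space/drone-kaniko
+    settings:
+      repo: ${DRONE_REPO}
+      tags: latest-amd64
+      registry: harbor.k-space.ee
+      storage_driver: vfs
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+---
+kind: pipeline
+type: kubernetes
+name: manifest
+steps:
+  - name: manifest
+    image: plugins/manifest
+    settings:
+      target: ${DRONE_REPO}:latest
+      template: ${DRONE_REPO}:latest-ARCH
+      platforms:
+        - linux/amd64
+        - linux/arm64
+      username:
+        from_secret: docker_username
+      password:
+        from_secret: docker_password
+depends_on:
+  - build-amd64
+  - build-arm64
+---
+kind: pipeline
+type: kubernetes
+name: gitlint
+steps:
+  - name: gitlint
+    image: harbor.k-space.ee/k-space/gitlint-bundle
+    # https://git.k-space.ee/k-space/gitlint-bundle
+---
+kind: pipeline
+type: kubernetes
+name: flake8
+steps:
+  - name: flake8
+    image: harbor.k-space.ee/k-space/flake8-bundle
+    # https://git.k-space.ee/k-space/flake8-bundle
+```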
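--- a/drone/application.yml
+++ b/drone/application.yml
@@ -0,0 +1,117 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: drone
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app: drone
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: drone
+  annotations:
+    keel.sh/policy: minor
+    keel.sh/trigger: poll
+    keel.sh/pollSchedule: "@midnight"
+spec:
+  serviceName: drone
+  replicas: 1
+  selector:
+    matchLabels:
+      app: drone
+  template:
+    metadata:
+      labels:
+        app: drone
+    spec:
+      automountServiceAccountToken: false
+      securityContext:
+        {}
+      containers:
+        - name: server
+          securityContext:
+            {}
+          image: drone/drone:2
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          env:
+            - name: DRONE_GITEA_SERVER
+              value: https://git.k-space.ee
+            - name: DRONE_GIT_ALWAYS_AUTH
+              value: "false"
+            - name: DRONE_SERVER_HOST
+              value: drone.k-space.ee
+            - name: DRONE_SERVER_PROTO
+              value: https
+            - name: DRONE_USER_CREATE
+              value: username:lauri,admin:true
+            - name: DRONE_DEBUG
+              value: "true"
+            - name: DRONE_TRACE
+              value: "true"
+          envFrom:
+            - secretRef:
+                name: application-secrets
+          volumeMounts:
+            - name: drone-data
+              mountPath: /data
+  volumeClaimTemplates:
+    - metadata:
+        name: drone-data
+      spec:
+        storageClassName: longhorn
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 8Gi
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect
+spec:
+  redirectRegex:
+    regex: ^https://(.*)/register$
+    replacement: https://${1}/
+    permanent: false
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: drone
+  annotations:
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    traefik.ingress.kubernetes.io/router.middlewares: drone-redirect@kubernetescrd
+spec:
+  tls:
+    - hosts:
+        - "*.k-space.ee"
+  rules:
+    - host: "drone.k-space.ee"
+      http:
+        paths:
+          - pathType: Prefix
+            path: /
+            backend:
+              service:
+                name: drone
+                port:
+                  number: 80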
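Review bot: The server runs with `DRONE_DEBUG: "true"` and `DRONE_TRACE: "true"`, whereas the runner's ConfigMap in `drone-execution` sets both to `"false"`; the server is the component performing the Gitea OAuth exchange and holding `DRONE_RPC_SECRET`, so trace-level request logging there raises the chance of tokens or credentials landing in pod logs (exactly what Drone emits at trace level is not visible in this diff). Unless an investigation is active, set both to `value: "false"` to match the runner, and add a comment noting when they may be flipped. `image: drone/drone:2` under keel `policy: minor` auto-upgrades on a floating major tag; pinning a full version or digest keeps upgrades deliberate for the pod that mounts `DRONE_GITEA_CLIENT_SECRET`. `automountServiceAccountToken: false` is a good touch; the empty `securityContext: {}` at both levels is the natural place for `runAsNonRoot: true` and `readOnlyRootFilesystem: true` if the image tolerates them.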
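--- a/elastic-system/.gitignore
+++ b/elastic-system/.gitignore
@@ -1,2 +0,0 @@
-crds.yaml
-operator.yaml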
@ -1,7 +1,7 @@
|
|||||||
# elastic-operator
|
# elastic-operator
|
||||||
|
|
||||||
```
|
```
|
||||||
wget https://download.elastic.co/downloads/eck/2.13.0/crds.yaml
|
wget https://download.elastic.co/downloads/eck/2.4.0/crds.yaml
|
||||||
wget https://download.elastic.co/downloads/eck/2.13.0/operator.yaml
|
wget https://download.elastic.co/downloads/eck/2.4.0/operator.yaml
|
||||||
kubectl apply -n elastic-system -f application.yml -f crds.yaml -f operator.yaml
|
kubectl apply -n elastic-system -f application.yml -f crds.yaml -f operator.yaml
|
||||||
```
|
```
|
||||||
|