Initial commit

This commit is contained in:
2022-08-16 12:40:54 +03:00
commit 7c5cad55e1
122 changed files with 51731 additions and 0 deletions

72
shared/README.md Normal file

@@ -0,0 +1,72 @@
# KeyDB
KeyDB can be instantiated by symlinking the generated keydb.yml,
in future this could be handled by an operator.
```
helm template keydb enapter/keydb --set persistentVolume.enabled=false > keydb.yml
```
# To regenerate base network policies
It's quite odd there is no better way to generate these.
cat << EOF > networkpolicy-base.yml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubedns
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- protocol: UDP
port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubeprobe
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
EOF
for j in $(kubectl get nodes -o json | jq '.items[] | .spec.podCIDR' -r | cut -d "/" -f 1 | sed -e 's/\.0$/\.1\/32/' | xargs); do
cat << EOF >> networkpolicy-base.yml
- from:
- ipBlock:
cidr: $j
EOF
done
cat << EOF >> networkpolicy-base.yml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubeapi
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- ports:
- port: 6443
to:
EOF
for j in $(kubectl get ep -n default kubernetes -o json | jq '.subsets[].addresses[].ip' -r | xargs); do
cat << EOF >> networkpolicy-base.yml
- ipBlock:
cidr: $j/32
EOF
done

77
shared/backup-service.yml Normal file

@@ -0,0 +1,77 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: backup-service
spec:
replicas: 1
selector:
matchLabels:
app: backup-service
template:
metadata:
labels:
app: backup-service
spec:
serviceAccount: backup-service
containers:
- name: backup-service
image: harbor.k-space.ee/k-space/backup-service
ports:
- name: backup-service
containerPort: 5000
env:
- name: TOKEN
value: CYdCDFIvGX
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: backup-service
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: backup-service
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- list
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- apiGroups:
- mongodbcommunity.mongodb.com
resources:
- mongodbcommunity
verbs:
- get
- list
- watch
- apiGroups:
- mysql.oracle.com
resources:
- innodbclusters
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: backup-service
namespace: shared
subjects:
- kind: ServiceAccount
name: backup-service
namespace: shared
roleRef:
kind: ClusterRole
name: backup-service
apiGroup: rbac.authorization.k8s.io
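Review bot: The `TOKEN` for the backup-service container is given as a literal `value:` under `env:` near the top of this section, so the credential is committed to the repository in clear text and is shown by `kubectl describe`; it should be read from a Secret with `secretKeyRef`, the way `redis-secrets` and `mariadb-secrets` are consumed elsewhere in this commit. The ClusterRole additionally grants `get` on `secrets` in every namespace, which together with `list` on `namespaces` lets whoever holds this ServiceAccount's token enumerate and read any Secret in the cluster; if the service only needs the MongoDB/InnoDB backup credentials, scope it with `resourceNames` or per-namespace Roles. `serviceAccount:` in the pod spec is the deprecated alias of `serviceAccountName:`, and the `namespace: shared` on the cluster-scoped ClusterRoleBinding's metadata has no effect. The image `harbor.k-space.ee/k-space/backup-service` carries no tag or digest, so what runs is whatever the registry's default tag resolves to at pull time.
```yaml
# … unchanged: Deployment metadata, selector, template labels, image, ports …
        env:
          - name: TOKEN
            valueFrom:
              secretKeyRef:
                name: backup-service-secrets  # suggested name, following the *-secrets pattern in this commit; create out of band
                key: TOKEN
```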

244
shared/keydb.yml Normal file

@@ -0,0 +1,244 @@
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: redis
labels:
app.kubernetes.io/name: redis
spec:
maxUnavailable: 1
selector:
matchLabels:
app.kubernetes.io/name: redis
---
apiVersion: v1
kind: Secret
metadata:
name: redis-utils
labels:
app.kubernetes.io/name: redis
type: Opaque
stringData:
server.sh: |
#!/bin/bash
set -euxo pipefail
host="$(hostname)"
port="6379"
replicas=()
for node in {0..2}; do
if [ "${host}" != "redis-${node}" ]; then
replicas+=("--replicaof redis-${node}.redis-headless ${port}")
fi
done
exec keydb-server /etc/keydb/redis.conf \
--active-replica "yes" \
--multi-master "yes" \
--appendonly "no" \
--bind "0.0.0.0" \
--port "${port}" \
--protected-mode "no" \
--server-threads "2" \
--masterauth "${REDIS_PASSWORD}" \
--requirepass "${REDIS_PASSWORD}" \
"${replicas[@]}"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: redis-health
labels:
app.kubernetes.io/name: redis
data:
ping_readiness_local.sh: |-
#!/bin/bash
set -e
[[ -n "${REDIS_PASSWORD}" ]] && export REDISCLI_AUTH="${REDIS_PASSWORD}"
response="$(
timeout -s 3 "${1}" \
keydb-cli \
-h localhost \
-p 6379 \
ping
)"
if [ "${response}" != "PONG" ]; then
echo "${response}"
exit 1
fi
ping_liveness_local.sh: |-
#!/bin/bash
set -e
[[ -n "${REDIS_PASSWORD}" ]] && export REDISCLI_AUTH="${REDIS_PASSWORD}"
response="$(
timeout -s 3 "${1}" \
keydb-cli \
-h localhost \
-p 6379 \
ping
)"
if [ "${response}" != "PONG" ] && [[ ! "${response}" =~ ^.*LOADING.*$ ]]; then
echo "${response}"
exit 1
fi
cleanup_tempfiles.sh: |-
#!/bin/bash
set -e
find /data/ -type f \( -name "temp-*.aof" -o -name "temp-*.rdb" \) -mmin +60 -delete
---
apiVersion: v1
kind: Service
metadata:
name: redis-headless
labels:
app.kubernetes.io/name: redis
spec:
type: ClusterIP
clusterIP: None
ports:
- name: "server"
port: 6379
protocol: TCP
targetPort: redis
selector:
app.kubernetes.io/name: redis
---
apiVersion: v1
kind: Service
metadata:
name: redis
labels:
app.kubernetes.io/name: redis
annotations:
{}
spec:
type: ClusterIP
ports:
- name: "server"
port: 6379
protocol: TCP
targetPort: redis
- name: "redis-exporter"
port: 9121
protocol: TCP
targetPort: redis-exporter
selector:
app.kubernetes.io/name: redis
sessionAffinity: ClientIP
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: redis
labels:
app.kubernetes.io/name: redis
spec:
replicas: 3
serviceName: redis-headless
selector:
matchLabels:
app.kubernetes.io/name: redis
template:
metadata:
annotations:
prometheus.io/port: "8083"
prometheus.io/scrape: "true"
labels:
app.kubernetes.io/name: redis
spec:
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- 'redis'
topologyKey: kubernetes.io/hostname
weight: 100
containers:
- name: redis
image: eqalpha/keydb:x86_64_v6.3.1
imagePullPolicy: Always
command:
- /utils/server.sh
ports:
- name: redis
containerPort: 6379
protocol: TCP
livenessProbe:
initialDelaySeconds: 20
periodSeconds: 5
# One second longer than command timeout should prevent generation of zombie processes.
timeoutSeconds: 6
successThreshold: 1
failureThreshold: 5
exec:
command:
- sh
- -c
- /health/ping_liveness_local.sh 5
readinessProbe:
initialDelaySeconds: 20
periodSeconds: 5
# One second longer than command timeout should prevent generation of zombie processes.
timeoutSeconds: 2
successThreshold: 1
failureThreshold: 5
exec:
command:
- sh
- -c
- /health/ping_readiness_local.sh 1
startupProbe:
periodSeconds: 5
# One second longer than command timeout should prevent generation of zombie processes.
timeoutSeconds: 2
failureThreshold: 24
exec:
command:
- sh
- -c
- /health/ping_readiness_local.sh 1
resources:
{}
securityContext:
{}
volumeMounts:
- name: health
mountPath: /health
- name: redis-data
mountPath: /data
- name: utils
mountPath: /utils
readOnly: true
envFrom:
- secretRef:
name: redis-secrets
- name: redis-exporter
image: quay.io/oliver006/redis_exporter
ports:
- name: metrics
containerPort: 9121
envFrom:
- secretRef:
name: redis-secrets
imagePullSecrets:
[]
securityContext:
{}
volumes:
- name: health
configMap:
name: redis-health
defaultMode: 0755
- name: utils
secret:
secretName: redis-utils
defaultMode: 0755
items:
- key: server.sh
path: server.sh
- name: redis-data
emptyDir: {}
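Review bot: `set -euxo pipefail` at the top of `server.sh` in the `redis-utils` Secret traces every command, so the final `exec keydb-server … --masterauth "${REDIS_PASSWORD}" --requirepass "${REDIS_PASSWORD}"` line is written to the container's stderr with the password expanded and ends up in `kubectl logs` and any log shipper; drop the trace flag: `set -euo pipefail`. The password is also visible in the process argument list inside the container, which is inherent to passing it as a flag; rendering a config file from the Secret would avoid that, but as the README says this file is Helm-generated, that change belongs in the chart values rather than here. `--protected-mode "no"` together with `--bind "0.0.0.0"` is acceptable only because `--requirepass` is set, and that reliance deserves a comment next to the `server.sh` key. The `redis-exporter` sidecar image `quay.io/oliver006/redis_exporter` has no tag, unlike the pinned `eqalpha/keydb:x86_64_v6.3.1`.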

104
shared/mariadb.yml Normal file

@@ -0,0 +1,104 @@
# MariaDB 10.5 is supported until 2025
# Note that MariaDB 10.6 breaks with Nextcloud
# https://help.nextcloud.com/t/update-to-next-cloud-21-0-2-has-get-an-error/117028/7
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mariadb
annotations:
keel.sh/policy: patch
keel.sh/trigger: poll
keel.sh/pollSchedule: "@midnight"
spec:
revisionHistoryLimit: 0
serviceName: mariadb
selector:
matchLabels:
app: mariadb
replicas: 1
template:
metadata:
labels:
app: mariadb
annotations:
prometheus.io/port: '9104'
prometheus.io/scrape: 'true'
spec:
containers:
- name: exporter
image: prom/mysqld-exporter:latest
env:
- name: DATA_SOURCE_NAME
value: exporter@tcp(127.0.0.1)/
- name: mariadb
image: mariadb:10.5
imagePullPolicy: Always
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-secrets
key: MYSQL_ROOT_PASSWORD
- name: MYSQL_USER
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MYSQL_DATABASE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-secrets
key: MYSQL_PASSWORD
volumeMounts:
- name: mariadb-data
mountPath: /var/lib/mysql
- name: mariadb-init
mountPath: /docker-entrypoint-initdb.d
volumes:
- name: mariadb-init
configMap:
name: mariadb-init-config
# Make sure MariaDB instances run on storage{1..3} nodes, as close
# as possible to Longhorn instances
tolerations:
- key: dedicated
operator: Equal
value: storage
effect: NoSchedule
nodeSelector:
dedicated: storage
volumeClaimTemplates:
- metadata:
name: mariadb-data
spec:
storageClassName: longhorn
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
---
apiVersion: v1
kind: Service
metadata:
name: mariadb
spec:
ports:
- protocol: TCP
port: 3306
selector:
app: mariadb
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mariadb-init-config
data:
initdb.sql: |
CREATE USER 'exporter'@'127.0.0.1' WITH MAX_USER_CONNECTIONS 3;
GRANT PROCESS, REPLICATION CLIENT, SLAVE MONITOR, SELECT ON *.* TO 'exporter'@'127.0.0.1';
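Review bot: `prom/mysqld-exporter:latest` on the `exporter` sidecar is a mutable tag while the database itself is pinned to `mariadb:10.5`; the exporter's configuration surface has changed between releases, so an unreviewed upstream push can break scraping or the `DATA_SOURCE_NAME` contract used here — pin it (placeholder `prom/mysqld-exporter:<pinned-version>` until a version is chosen). The `mariadb` container sets no `securityContext`, whereas the memcached, mongo and postgres manifests in this commit set `runAsNonRoot`/`readOnlyRootFilesystem`; the official image presumably starts as root and drops to the `mysql` user itself, so `allowPrivilegeEscalation: false` is a safe first step here and running directly as the `mysql` uid needs confirming against the entrypoint's chown step. The `exporter` account created in `initdb.sql` has no password but is bound to `127.0.0.1`, which inside a pod is reachable only by the pod's own containers; a one-line comment stating that intent would keep someone from widening the host later.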

81
shared/memcached.yml Normal file

@@ -0,0 +1,81 @@
apiVersion: v1
kind: ServiceAccount
automountServiceAccountToken: false
metadata:
name: memcached
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: memcached
labels:
app: memcached
spec:
revisionHistoryLimit: 0
serviceName: memcached
selector:
matchLabels:
app: memcached
replicas: 1
template:
metadata:
labels:
app: memcached
spec:
securityContext:
fsGroup: 1001
affinity:
podAffinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchLabels:
app: memcached
topologyKey: kubernetes.io/hostname
weight: 1
serviceAccountName: memcached
containers:
- name: memcached
image: memcached:1-alpine
securityContext:
runAsUser: 1001
readOnlyRootFilesystem: true
runAsNonRoot: true
livenessProbe:
tcpSocket:
port: 11211
initialDelaySeconds: 30
timeoutSeconds: 5
failureThreshold: 6
readinessProbe:
tcpSocket:
port: 11211
initialDelaySeconds: 5
timeoutSeconds: 3
periodSeconds: 5
resources:
limits: {}
requests:
cpu: 250m
memory: 256Mi
volumeMounts:
- name: tmp
mountPath: /tmp
volumes:
- name: tmp
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: memcached
labels:
app: memcached
spec:
type: ClusterIP
ports:
- name: memcache
port: 11211
selector:
app: memcached
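Review bot: Under `affinity:` there is a bare `podAffinity:` key with no value followed by `podAntiAffinity:`; with the indentation lost in this rendering I cannot tell whether `podAntiAffinity` is nested under `podAffinity`, in which case the API server may reject the unknown field or an older one silently drops it and the spread-across-nodes intent is lost, or whether `podAffinity` is just a null entry — either way the `podAffinity:` line should be deleted. `resources.limits: {}` leaves the container unbounded while `requests.memory: 256Mi` is set; memcached's own cache cap is controlled by its `-m` flag, so a memory limit near the request is cheap to add, with a comment tying the two numbers together. The `memcached:1-alpine` tag floats across minor versions, which differs from the pinning used for keydb in this commit; `automountServiceAccountToken: false` and the read-only, non-root container context are a good baseline the other manifests could copy.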

38
shared/minio-support.yml Normal file

@@ -0,0 +1,38 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: minio-operator
spec:
podSelector:
matchLabels:
v1.min.io/tenant: minio
policyTypes:
- Ingress
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: minio-operator
ports:
- protocol: TCP
port: 4222
- to:
- podSelector:
matchLabels:
v1.min.io/tenant: minio
ports:
- port: 9000
ingress:
- from:
- podSelector: {}
ports:
- port: 9000
- from:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: traefik
podSelector:
matchLabels:
app.kubernetes.io/name: traefik
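Review bot: The second `ingress` rule, whose `from` selects traefik pods in the `traefik` namespace, carries no `ports`, so it admits traefik to every port of the tenant pods rather than the S3 port only; the first rule shows the intended shape and this one should end with `ports:` / `- port: 9000` (adding `- port: 9001` only if the console is also published through traefik). `policyTypes` includes `Egress` with only the operator (4222) and tenant-to-tenant (9000) destinations listed, so this tenant depends on the separate `kubedns` base policy being applied in the same namespace for name resolution; a comment recording that dependency would save the next debugging session. The operator-namespace rule matches on `kubernetes.io/metadata.name: minio-operator` with no `podSelector`, which is the common pattern but means any pod in that namespace may be reached on 4222.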

89
shared/minio.yml Normal file

@@ -0,0 +1,89 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: minio
annotations:
keel.sh/policy: force
keel.sh/trigger: poll
keel.sh/pollSchedule: "@midnight"
spec:
revisionHistoryLimit: 0
serviceName: minio
selector:
matchLabels:
app: minio
replicas: 1
template:
metadata:
labels:
app: minio
spec:
containers:
- name: minio
image: minio/minio:latest
command: ["minio"]
ports:
- name: minio
containerPort: 9000
- name: minio-console
containerPort: 9001
args: ["server", "/data", "--console-address", ":9001"]
env:
- name: MINIO_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: minio-secrets
key: MINIO_ROOT_PASSWORD
- name: MINIO_ROOT_USER
valueFrom:
fieldRef:
fieldPath: metadata.namespace
volumeMounts:
- mountPath: /data
name: minio-data
# Make sure Minio instances run on storage{1..3} nodes, as close
# as possible to Longhorn instances
tolerations:
- key: dedicated
operator: Equal
value: storage
effect: NoSchedule
nodeSelector:
dedicated: storage
volumeClaimTemplates:
- metadata:
name: minio-data
spec:
storageClassName: longhorn
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 50Gi
---
apiVersion: v1
kind: Service
metadata:
name: minio
annotations:
prometheus.io/scrape: 'true'
spec:
ports:
- protocol: TCP
port: 9000
selector:
app: minio
---
apiVersion: v1
kind: Service
metadata:
name: minio-console
spec:
ports:
- protocol: TCP
port: 9001
selector:
app: minio
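Review bot: `image: minio/minio:latest` combined with the `keel.sh/policy: force` / `poll` annotations means every upstream push to the `latest` tag is rolled out to this single-replica storage StatefulSet unattended, which is an untested upgrade path for data at rest; pin a release tag (placeholder `minio/minio:<RELEASE-tag>`) and let keel track versions instead. The container also runs without a `securityContext`, while `mongo.yml` and `postgres.yml` in the same commit set `runAsNonRoot`/`readOnlyRootFilesystem`; MinIO only needs write access to `/data`, so `readOnlyRootFilesystem: true` is presumably safe here but needs a quick confirm. `MINIO_ROOT_USER` derived from the namespace name is predictable but harmless as long as `MINIO_ROOT_PASSWORD` stays in the Secret; the `prometheus.io/scrape: 'true'` annotation on the Service will yield nothing because MinIO's metrics endpoint requires a bearer token unless `MINIO_PROMETHEUS_AUTH_TYPE=public` is set.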

108
shared/mongo.yml Normal file

@@ -0,0 +1,108 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mongo
annotations:
keel.sh/policy: force
keel.sh/trigger: poll
keel.sh/pollSchedule: "@midnight"
spec:
revisionHistoryLimit: 0
serviceName: mongo
selector:
matchLabels:
app: mongo
replicas: 1
template:
metadata:
labels:
app: mongo
spec:
securityContext:
fsGroup: 999
containers:
- name: mongo
image: mongo:5
command:
- mongod
- --quiet
- --replSet
- rs0
- --bind_ip_all
ports:
- name: mongo
containerPort: 27017
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 999
volumeMounts:
- name: tmp
mountPath: /tmp
- name: mongo-data
mountPath: /data/db
- name: exporter
image: percona/mongodb_exporter:0.30.0
args:
- --compatible-mode
- --mongodb.direct-connect=false
ports:
- name: mongo-exporter
containerPort: 9216
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 65535
env:
- name: MONGODB_URI
value: mongodb://mongo
# Make sure MongoDB instances run on storage{1..3} nodes, as close
# as possible to Longhorn instances
tolerations:
- key: dedicated
operator: Equal
value: storage
effect: NoSchedule
nodeSelector:
dedicated: storage
volumes:
- name: tmp
emptyDir: {}
volumeClaimTemplates:
- metadata:
name: mongo-data
spec:
storageClassName: longhorn
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: Service
metadata:
name: mongo-exporter
annotations:
prometheus.io/scrape: 'true'
spec:
ports:
- protocol: TCP
port: 9216
selector:
app: mongo
---
apiVersion: batch/v1
kind: Job
metadata:
name: mongo-rs0-init
spec:
template:
spec:
containers:
- name: mongo-rs0-init
image: mongo
command: ["mongo", "--eval", "rs.initiate();", "mongodb://mongo-0.mongo"]
restartPolicy: OnFailure
backoffLimit: 4
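Review bot: `mongod` is launched with `--replSet rs0 --bind_ip_all` and no `--auth`/`--keyFile`, so the replica set accepts unauthenticated connections from anything that reaches port 27017, and the `exporter` sidecar's `MONGODB_URI: mongodb://mongo` relies on exactly that; enabling authorization means a keyFile Secret for intra-replica-set auth, an admin user created by the init Job and a credentialed URI for the exporter, which is larger than this note but should be tracked rather than left implicit. The `mongo-rs0-init` Job uses the untagged `image: mongo` while the StatefulSet pins `mongo:5`; 6.x images ship only `mongosh`, so once the default tag moves the `command: ["mongo", "--eval", …]` fails with no such file — pin it: `image: mongo:5`. Reachability currently depends on whether the `kubeprobe` base NetworkPolicy, which isolates all pods for ingress, is applied in this namespace; if it is, nothing here re-admits 27017 for clients and an explicit ingress policy for `app: mongo` is needed anyway.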

45
shared/mongoexpress.yml Normal file

@@ -0,0 +1,45 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: mongoexpress
spec:
revisionHistoryLimit: 0
replicas: 1
selector:
matchLabels:
app: mongoexpress
template:
metadata:
labels:
app: mongoexpress
spec:
containers:
- name: mongoexpress
image: mongo-express
ports:
- name: mongoexpress
containerPort: 8081
env:
- name: ME_CONFIG_MONGODB_URL
valueFrom:
secretKeyRef:
name: mongodb-application-readwrite
key: connectionString.standard
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: mongoexpress
spec:
podSelector:
matchLabels:
app: mongoexpress
policyTypes:
- Egress
egress:
- to:
- podSelector:
matchLabels:
app: mongodb-svc
ports:
- port: 27017
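Review bot: mongo-express has historically shipped with HTTP basic auth enabled using the well-known `admin`/`pass` pair unless `ME_CONFIG_BASICAUTH_USERNAME`/`ME_CONFIG_BASICAUTH_PASSWORD` are set; nothing in this Deployment sets them, so whatever Service or Ingress eventually fronts this pod (none is in this file) must either supply them from a Secret or sit behind the same authelia middleware the pgweb Ingress uses — worth a comment on the `env:` block so it is not forgotten. The egress NetworkPolicy allows 27017 only to pods labelled `app: mongodb-svc`, whereas the `mongo` StatefulSet in this commit is labelled `app: mongo`; this is consistent only if `mongodb-application-readwrite` points at an operator-managed instance, which the `mongodbcommunity` RBAC in backup-service suggests, so presumably intentional but a comment naming the target would help. `image: mongo-express` is untagged, and the container has no `securityContext` unlike the other new manifests.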


@@ -0,0 +1,90 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubedns
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- to:
- namespaceSelector:
matchLabels:
kubernetes.io/metadata.name: kube-system
ports:
- protocol: UDP
port: 53
- protocol: TCP
port: 53
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubeprobe
spec:
podSelector: {}
policyTypes:
- Ingress
ingress:
- from:
- ipBlock:
cidr: 10.244.0.1/32
- from:
- ipBlock:
cidr: 10.244.1.1/32
- from:
- ipBlock:
cidr: 10.244.2.1/32
- from:
- ipBlock:
cidr: 10.244.9.1/32
- from:
- ipBlock:
cidr: 10.244.4.1/32
- from:
- ipBlock:
cidr: 10.244.3.1/32
- from:
- ipBlock:
cidr: 10.244.5.1/32
- from:
- ipBlock:
cidr: 10.244.7.1/32
- from:
- ipBlock:
cidr: 10.244.11.1/32
- from:
- ipBlock:
cidr: 10.244.12.1/32
- from:
- ipBlock:
cidr: 10.244.6.1/32
- from:
- ipBlock:
cidr: 10.244.10.1/32
- from:
- ipBlock:
cidr: 10.244.8.1/32
- from:
- ipBlock:
cidr: 10.244.13.1/32
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: kubeapi
spec:
podSelector: {}
policyTypes:
- Egress
egress:
- ports:
- port: 6443
to:
- ipBlock:
cidr: 172.21.3.51/32
- ipBlock:
cidr: 172.21.3.52/32
- ipBlock:
cidr: 172.21.3.53/32
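Review bot: The `kubedns` policy in this generated file allows both `UDP` and `TCP` on port 53, but the generator heredoc in `shared/README.md` emits only the UDP rule, so the next regeneration silently drops TCP/53 and DNS answers that fall back to TCP (truncated responses) start failing; update the README heredoc to match and add a header comment here such as `# Generated by the script in shared/README.md; do not hand-edit, regenerate when nodes or API endpoints change.` The `kubeprobe` and `kubeapi` entries hard-code per-node podCIDR gateway addresses and three API-server IPs, which go stale whenever the node set changes. Because `kubeprobe` selects every pod for `Ingress`, applying this file also isolates all pods in the namespace from each other, so every workload there needs its own ingress allow; a one-line comment above `kubeprobe` stating that side effect would prevent confusion.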

67
shared/pgweb.yml Normal file

@@ -0,0 +1,67 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: pgweb
spec:
replicas: 3
selector:
matchLabels:
app: pgweb
template:
metadata:
labels:
app: pgweb
spec:
containers:
- name: pgweb
image: sosedoff/pgweb
env:
- name: PMA_PORT
value: "3306"
- name: PMA_HOSTS
value: mariadb,mariadb.etherpad.svc.cluster.local
- name: MYSQL_ROOT_PASSWORD
value: password
---
apiVersion: v1
kind: Service
metadata:
name: pgweb
annotations:
prometheus.io/scrape: 'true'
spec:
selector:
app: pgweb
ports:
- protocol: TCP
port: 8081
targetPort: 8081
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: pgweb
annotations:
kubernetes.io/ingress.class: traefik
cert-manager.io/cluster-issuer: default
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: authelia-chain-k6-authelia-auth@kubernetescrd
traefik.ingress.kubernetes.io/router.tls: "true"
external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
rules:
- host: postgres.k-space.ee
http:
paths:
- pathType: Prefix
path: "/"
backend:
service:
name: pgweb
port:
number: 8081
tls:
- hosts:
- postgres.k-space.ee
secretName: postgres-tls
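Review bot: The `env:` block on the `pgweb` container is a phpMyAdmin leftover — `PMA_PORT`, `PMA_HOSTS` and a literal `MYSQL_ROOT_PASSWORD: password` — none of which pgweb reads, so the plaintext password serves no purpose yet is still committed and shown by `kubectl describe`; delete the three entries, and if a default connection is wanted supply `DATABASE_URL` from a Secret via `secretKeyRef`. Without a pre-set URL pgweb presents its connection form, so any user who passes the `authelia` middleware on the Ingress can attempt connections to arbitrary hosts from inside the cluster; acceptable for an admin tool, but it should be stated in a comment next to the Ingress. `prometheus.io/scrape: 'true'` on the Service has nothing to scrape since no exporter is present, and `image: sosedoff/pgweb` is untagged.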

86
shared/postgres.yml Normal file

@@ -0,0 +1,86 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: postgres
spec:
serviceName: postgres
selector:
matchLabels:
app: postgres
replicas: 1
template:
metadata:
labels:
app: postgres
spec:
containers:
- name: exporter
image: prometheuscommunity/postgres-exporter:latest
env:
- name: DATA_SOURCE_NAME
value: exporter@tcp(127.0.0.1)/
- name: postgres
image: postgres:latest
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 999
env:
- name: POSTGRES_USER
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POSTGRES_DB
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-secrets
key: POSTGRES_PASSWORD
volumeMounts:
- mountPath: /var/lib/postgresql
name: postgres-data
- mountPath: /var/run/postgresql
name: postgres-run
volumes:
- name: postgres-run
emptyDir:
medium: Memory
sizeLimit: 1Mi
volumeClaimTemplates:
- metadata:
name: postgres-data
spec:
storageClassName: longhorn
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
---
apiVersion: v1
kind: Service
metadata:
name: postgres
spec:
ports:
- protocol: TCP
port: 5432
selector:
app: postgres
---
apiVersion: v1
kind: Service
metadata:
name: postgres-exporter
annotations:
prometheus.io/scrape: 'true'
spec:
ports:
- protocol: TCP
port: 9187
selector:
app: exporter
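Review bot: The `exporter` sidecar's `DATA_SOURCE_NAME: exporter@tcp(127.0.0.1)/` is a MySQL DSN copied from `mariadb.yml`; postgres-exporter expects a libpq URI such as `postgresql://exporter@localhost:5432/postgres?sslmode=disable`, and no `exporter` role is created here (there is no init ConfigMap as MariaDB has), so the sidecar cannot connect. The `postgres-exporter` Service selects `app: exporter`, but the pod template carries only `app: postgres`, so the Service has no endpoints and its `prometheus.io/scrape` annotation is inert; change the selector to `app: postgres`. `image: postgres:latest` on a StatefulSet with persistent data is risky because a major-version change under `latest` leaves a data directory the new server refuses to open without `pg_upgrade`; pin a major (`postgres:<major>`). The `runAsNonRoot`/`readOnlyRootFilesystem` context plus the tmpfs `postgres-run` volume is a good baseline that `mariadb.yml` and `minio.yml` in this commit lack.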

44
shared/redis-noauth.yml Normal file

@@ -0,0 +1,44 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: redis
spec:
serviceName: redis
replicas: 1
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- name: redis
image: redis:alpine
ports:
- containerPort: 6379
name: client
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 999
command: ["redis-server", "--save"]
env:
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
---
apiVersion: v1
kind: Service
metadata:
name: redis
spec:
type: ClusterIP
ports:
- port: 6379
targetPort: 6379
name: client
selector:
app: redis
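Review bot: This instance runs `redis-server` with no `--requirepass` and no bind restriction, so anything that can reach port 6379 has full access; there is no NetworkPolicy in this file, and the sibling `networkpolicy-base.yml`'s `kubeprobe` policy, if applied in the namespace, isolates all pods for ingress so clients would need an explicit allow, while if it is not applied any pod in the cluster can connect. Either way the file should carry a header comment stating which namespaces may use the unauthenticated variant and that an ingress NetworkPolicy selecting `app: redis` with the client pods as `from` must be applied alongside it. `command: ["redis-server", "--save"]` passes `--save` with no value, whereas `redis.yml` passes `"--save", ""`; the intent (disable RDB snapshots) reads the same, but the bare form depends on how the server version parses a trailing flag and the two files should agree. The `POD_IP` env var is set but never referenced.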

49
shared/redis.yml Normal file

@@ -0,0 +1,49 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: redis
spec:
serviceName: redis
replicas: 1
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- name: redis
image: redis:alpine
ports:
- containerPort: 6379
name: client
securityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 999
command: ["redis-server", "--save", "", "--requirepass", "$(REDIS_PASSWORD)"]
env:
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: redis-secrets
key: REDIS_PASSWORD
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
---
apiVersion: v1
kind: Service
metadata:
name: redis
spec:
type: ClusterIP
ports:
- port: 6379
targetPort: 6379
name: client
selector:
app: redis
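Review bot: `--requirepass "$(REDIS_PASSWORD)"` in `command:` is expanded by the kubelet into the container's argv, so the password is readable from `/proc/<pid>/cmdline` by any process in the container and in the node's process listing; the usual mitigation is to project the Secret as a file and start `redis-server /etc/redis/redis.conf`, which keeps the password out of argv and is a handful of lines, outlined below. `POD_IP` is set but unused. The StatefulSet and Service are both named `redis`, the same names `keydb.yml` and `redis-noauth.yml` use, so only one of the three can exist per namespace; a header comment stating that they are alternatives would avoid a surprise when two are applied together.
```yaml
# … unchanged: StatefulSet metadata, selector, template labels, image, ports, securityContext …
        command: ["redis-server", "/etc/redis/redis.conf"]
        volumeMounts:
          - name: redis-config
            mountPath: /etc/redis
            readOnly: true
# … unchanged: env (REDIS_PASSWORD no longer needed by the command) …
      volumes:
        - name: redis-config
          secret:
            secretName: redis-secrets  # add a redis.conf key holding: requirepass <password> and save ""
```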