forked from k-space/kube
		
	Compare commits
	
		
			695 Commits
		
	
	
		
			restore_sy
			...
			hackerspac
		
	
	| Author | SHA1 | Date | |
|---|---|---|---|
| 9ef252c8ec | |||
| c29de936af | |||
| 511f6f4ca1 | |||
| 9be8fc3a95 | |||
|  | 18d181f36a | ||
|  | 88eae1c35c | ||
|  | 79ebad6730 | ||
|  | 24229639b4 | ||
|  | 71d0667009 | ||
|  | ad35fc4828 | ||
| 3e3814efbe | |||
| b6ea5d3393 | |||
| c5fd94c41b | |||
| f5560f812b | |||
| bbf454f33d | |||
| 7af3a2f751 | |||
| ad865ad8b3 | |||
| 835ed59970 | |||
| 872469f1c6 | |||
| 6bbe84ecbb | |||
|  | 86668b80a3 | ||
| b74a9682d6 | |||
| fb4eb6e285 | |||
|  | d74e4fd76f | ||
|  | 605ad868bb | ||
| 73ecae479b | |||
| 82311c86ff | |||
| 42aef1e928 | |||
| f3ef2facdf | |||
| 796e9394ca | |||
| 5f90a41009 | |||
| c32c84f6ed | |||
|  | 20704e3a24 | ||
| 882ffdd92a | |||
| f88d4bb8e2 | |||
| c2bb1cc5ac | |||
|  | 4dc45594f1 | ||
|  | 103c4deff4 | ||
|  | 6b753d4bf1 | ||
|  | f54b5469f8 | ||
|  | 6543c61f81 | ||
|  | 5232edc303 | ||
|  | 995360f105 | ||
|  | 159a41d782 | ||
|  | 1acaa04123 | ||
|  | 2526bb5516 | ||
|  | 7e2acf3e94 | ||
|  | ee72ba4db2 | ||
| 6c6e396db1 | |||
|  | a675ad127b | ||
| 0029a7e709 | |||
| e5c914b302 | |||
| 316fbde6e6 | |||
| 2ae8c5b99e | |||
| 4f3a9058f9 | |||
| a86f5bb250 | |||
|  | 2754b4e2f7 | ||
| 28d50548bf | |||
| c65a75ee0e | |||
| 2a79309842 | |||
| 0fc47cab2a | |||
| 02b7cde355 | |||
| ea358b3883 | |||
| b4ae5d3f1f | |||
| 4dddb9622c | |||
| c51f7368e2 | |||
| 7adbf2476d | |||
| c71be24984 | |||
| 67c97adc96 | |||
| ca4de329f7 | |||
| b6098f92b0 | |||
| 02bfe1dfa2 | |||
| 541a060b6f | |||
|  | af3bd7bb41 | ||
| 31800f8ffb | |||
| 24b57de126 | |||
|  | 6317daefa1 | ||
|  | 31558db1d4 | ||
| efb467e425 | |||
| 130839ff7f | |||
| 6e6b3743a0 | |||
| 6f2220445d | |||
| bc731d98ec | |||
| 3a0747d9b8 | |||
| 792a0864a4 | |||
| 17f95e14cc | |||
| d3b85e4f24 | |||
| 8525cef4fc | |||
| c519fd3d6c | |||
| 4408c22c5b | |||
| 2041f5f80a | |||
| 84b259ace4 | |||
| f9fe0379da | |||
| 0359eedcb5 | |||
| a03ea7d208 | |||
| c7cb495451 | |||
| a6439a3bd1 | |||
| 754b2180fd | |||
| 4f35c87a6c | |||
| 266b8ee6aa | |||
| f726f8886a | |||
| fe128cf65e | |||
| 7232957a04 | |||
| 43ad7586ce | |||
| 1b34a48e81 | |||
| 0d18bfd7cc | |||
| 94751c44f9 | |||
| de36d70e68 | |||
| efc2598160 | |||
| db935de1a5 | |||
| 885f4b505e | |||
| aab40b012d | |||
| 28daa56bad | |||
| a1e1dcf827 | |||
| bb1c313a37 | |||
| d7d83b37f4 | |||
| 0ac4364157 | |||
| b8e525c3e0 | |||
| 92db22fd09 | |||
| 4466878b54 | |||
| 9b93075543 | |||
| ce2e6568b1 | |||
| f82caf1751 | |||
| d9877a9fc5 | |||
| 13cfeeff2b | |||
| 21e70685f3 | |||
| 6d7cdbd9c6 | |||
| 10585c7aff | |||
| bc301104fe | |||
| 853c9717a9 | |||
| ec81c34086 | |||
| 0b713ab321 | |||
| 541607a7bd | |||
| d9dce6cadf | |||
| 0447abecdc | |||
| 61f7d724b5 | |||
| f899283fdb | |||
| fb3123966e | |||
| 5b29fbe7cd | |||
| 9fb356b5a6 | |||
| 908f482396 | |||
| 715cb5ce4b | |||
| 48915ec26c | |||
| 06324bb583 | |||
| 877662445a | |||
| 22b67fa4fc | |||
| 006240ee1a | |||
| 2a26b4e94c | |||
| 4e59984fe4 | |||
| 7eadbee7a2 | |||
| a94fddff1e | |||
| bf44e4fa9b | |||
| f7f7d52e70 | |||
| cf9d686882 | |||
| 5bd0a57417 | |||
| e22713b282 | |||
| 37a8031bc4 | |||
| 095e00b516 | |||
| 4d84a0a5ca | |||
| 73f03dbb2a | |||
| 0c5d2bc792 | |||
| 6cf53505ad | |||
| a694463fad | |||
| d1eeba377d | |||
| 0628cb94e4 | |||
| 376e74a985 | |||
| 6eb0c20175 | |||
| 4bf08fdc7f | |||
| f05b1f1324 | |||
| 5fa3144e23 | |||
| 48054078e2 | |||
| 4cf4aecea9 | |||
| 8d1c24b80f | |||
| 0dcd26fe4f | |||
| e33053bf79 | |||
| e632b90d2b | |||
| 3b5df4cd43 | |||
| a280a19772 | |||
| 19e6f53d96 | |||
| e9efee4853 | |||
| a33d0d12b0 | |||
| dc42a9612a | |||
| 6f48e3a53a | |||
| 09423ace42 | |||
| bb802882ae | |||
| 4a7dfd6435 | |||
|  | fb7504cfee | ||
|  | a4b9bdf89d | ||
| 602b4a03f6 | |||
| f9ad582136 | |||
| 305b8ec038 | |||
| 7d71f1b29c | |||
| 0e79aa8f4e | |||
| a784f00c71 | |||
| b71a872c09 | |||
| 21beb2332c | |||
| 8eed4f66c1 | |||
| 75b9948997 | |||
| e4dfde9562 | |||
| a82193f059 | |||
| 68a75b8389 | |||
| 5368fe90eb | |||
| cded6fde3f | |||
| 402ff86fde | |||
| 272f60ab73 | |||
| 9bcad2481b | |||
| c04a7b7f67 | |||
| c23fa07c5e | |||
|  | c1822888ec | ||
|  | e26cac6d86 | ||
|  | d7ba4bc90e | ||
|  | da4df6c21d | ||
| 2964034cd3 | |||
| ae525380b1 | |||
| 4b9c3ad394 | |||
| dbebb39749 | |||
|  | 6f15e45402 | ||
|  | 36bf431259 | ||
|  | c14a313c57 | ||
|  | 15a2fd9375 | ||
|  | 5bd6cf2317 | ||
|  | 407f691152 | ||
|  | e931f490c2 | ||
|  | b96e8d16a6 | ||
|  | 15d4d44be7 | ||
|  | 52ce6eab0a | ||
| e89d045f38 | |||
| 7e70315514 | |||
| af5a048bcd | |||
| 0005219f81 | |||
| 813bb32e48 | |||
| 0efae7baf9 | |||
| be90b4e266 | |||
| 999d17c384 | |||
|  | bacef8d438 | ||
| 60d1ba9b18 | |||
| dcb80e6638 | |||
| 95e0f97db2 | |||
| f5a7b44ae6 | |||
| be7e1d9459 | |||
| cd807ebcde | |||
| eaac7f61a7 | |||
|  | a0d5a585e4 | ||
| 1f8f288f95 | |||
| 9de1881647 | |||
|  | 28904cdd63 | ||
| 0df188db36 | |||
| a42b79b5ac | |||
|  | 89875a66f8 | ||
| 927366a3d5 | |||
|  | 29212d7f14 | ||
| 1d8528b312 | |||
| 566beecb6a | |||
|  | 4c52ca88ef | ||
| b5fceb0f35 | |||
| c609b1df04 | |||
| 22d65664b2 | |||
| 59db08e891 | |||
| d8402bdec5 | |||
| a71bd5de37 | |||
| ce9891046f | |||
| fea3e8ce66 | |||
| bfeba4017b | |||
| 4b00d876ad | |||
| d1e8d8e356 | |||
| 22c6fe1979 | |||
| f53b31e030 | |||
| cb41b739cc | |||
| 91af1911c4 | |||
|  | 4532eccd6d | ||
|  | d4913aacbf | ||
|  | abe022eecc | ||
|  | 4bcb0a8856 | ||
|  | b849ac340e | ||
|  | b922412417 | ||
|  | 2661fe211e | ||
|  | a9406748c5 | ||
|  | cc92ea67f4 | ||
|  | 222d902ec2 | ||
|  | 65e30d5dec | ||
| 4210855827 | |||
| d7287018ac | |||
| 3fbecab179 | |||
|  | 024edc1c9b | ||
|  | a94a3f829c | ||
|  | 36055cc869 | ||
|  | aa91322ec6 | ||
| c6c94b1901 | |||
| 67fb6c3727 | |||
|  | 18483197c9 | ||
|  | a37d268574 | ||
| 4b5e30f51f | |||
| 78b0f1534a | |||
| 0b03a720b3 | |||
| f1a2051838 | |||
| 3280b25a83 | |||
| 0eec1fde8b | |||
| ede08c205b | |||
| 666d900128 | |||
| bc31357d5b | |||
| f3244afb20 | |||
|  | 384a60244d | ||
|  | ed25720003 | ||
|  | 5c1a894a43 | ||
| 0a9237fae9 | |||
| 69dca7e1f2 | |||
| 4d5c47e21b | |||
| b3f1eb069f | |||
| bbf421df63 | |||
|  | 9bf5e2408a | ||
| 351f0ae746 | |||
| 84bb476812 | |||
| 07a132748b | |||
| 656f28a34c | |||
| 12466b19b1 | |||
| 1d39827375 | |||
| 3f4d89b4b1 | |||
| 474ae64156 | |||
| 1fa0577ce4 | |||
| f8cd93aa9c | |||
| e22bf78b2e | |||
| be5b036ab8 | |||
| a75f703eaa | |||
| 2708e48850 | |||
| cfc5a739a1 | |||
| e5e4a07d01 | |||
| f902bbfe02 | |||
| 70e589ef45 | |||
| b0befbcd69 | |||
|  | a09f7d4f7e | ||
|  | 2f2fa1a99f | ||
|  | 66fbf32088 | ||
| 9b698ea197 | |||
| 7aa26ea236 | |||
| 7c16f84200 | |||
| c2d08d8a80 | |||
| 7c2b862ca8 | |||
|  | 68e936463b | ||
| 8a1b0b52af | |||
| 6b24ede7ac | |||
| e0cf532e42 | |||
|  | 59373041cc | ||
| 4e80899c77 | |||
|  | 9c2b5c39ee | ||
| d3eb888d58 | |||
| 3714b174e7 | |||
| a1acb06e12 | |||
| 0b6ab650a2 | |||
| 35404464f4 | |||
| 41da5931f9 | |||
| 6879a4e5a5 | |||
| 9b2c655a02 | |||
| 8876300dc4 | |||
| 8199b3b732 | |||
| 43c9b3aa93 | |||
| 504bd3012e | |||
| 75b5d39880 | |||
| 7377b62b3f | |||
| cd13de6cee | |||
| 13da9a8877 | |||
| 490770485d | |||
| ba48643a37 | |||
|  | 18a0079a21 | ||
|  | 885b13ecd7 | ||
|  | e17caa9c2d | ||
|  | 336ab2efa2 | ||
| 27a5fe14c7 | |||
| 66034d2463 | |||
| 186ea5d947 | |||
| 470d4f3459 | |||
| 8ad6b989e5 | |||
| b6bf3ab225 | |||
| 7cac31964d | |||
| a250363bb0 | |||
|  | 480ff4f426 | ||
| b737d37b9c | |||
| b4ad080e95 | |||
|  | a5ad80d8cd | ||
| 62be47c2e1 | |||
| 249ad2e9ed | |||
| 0c38d2369b | |||
| b07a5b9bc0 | |||
| 2d25377090 | |||
| 73d185b2ee | |||
| 0eb2dc6503 | |||
| 34f1b53544 | |||
| fd1aeaa1a3 | |||
| b8477de6a8 | |||
| 2f712a935e | |||
| 792ff38bea | |||
| e929b52e6d | |||
| b2b93879c2 | |||
| c222f22768 | |||
| 28ed62c40e | |||
| 74600efb4c | |||
| 79aaaf7498 | |||
| f0b78f7b17 | |||
| ba520da57e | |||
| 30503ad121 | |||
| fbe4a55251 | |||
| 37567eccf9 | |||
| d3ba1cc05f | |||
| 61b1b1d6ef | |||
| 1e8bccbfa3 | |||
| e89edca340 | |||
| 2bb13ef505 | |||
| c44cfb8bc8 | |||
| 417f3ddcb8 | |||
| 32fbd498cf | |||
| 97563e8092 | |||
| 4141c6b8ae | |||
| bd26aa46b4 | |||
| 92459ed68b | |||
| 9cf57d8bc6 | |||
| af1c78dea6 | |||
| 2e77813162 | |||
| ca623c11fd | |||
| 047cbb5c6b | |||
| 3e52f37cde | |||
| b955369e2a | |||
| 5e765e9788 | |||
| 5d4f49409c | |||
| de573721bd | |||
| c868a62ab7 | |||
| 7b6f6252a5 | |||
| 9223c956c0 | |||
| 1d4e5051d8 | |||
| 56bb5be8a9 | |||
| d895360510 | |||
| bc8de58ca8 | |||
| 8d355ff9dc | |||
|  | dc2a08dc78 | ||
| 19a0b70b9e | |||
| 9c656b0ef9 | |||
| 278817249e | |||
| cb5644c7f3 | |||
| 78ef148f83 | |||
|  | c2b9ed0368 | ||
|  | 43abf125a9 | ||
|  | 71d968a815 | ||
|  | 9b4976450f | ||
| 27eb0aa6cc | |||
| f97a77e5aa | |||
| 73faa9f89c | |||
| 51808b3c6b | |||
| 07af1aa0bd | |||
| f3cceca1c3 | |||
| 87bc4f1077 | |||
| aa4ffcd1ad | |||
| 80ffdbbb80 | |||
| 51895a2a2b | |||
| c6ea938214 | |||
| d40f7d2681 | |||
| b990861040 | |||
| 477ba83ba4 | |||
| 3672197944 | |||
| 0e884305cc | |||
| 4eb3649649 | |||
| d29a1a3531 | |||
| a055c739c1 | |||
| ab3815e653 | |||
| 8d2ec43101 | |||
| a95f00aaf2 | |||
| 3bcaa09004 | |||
| b88165d2b3 | |||
| 13d1f7bd88 | |||
| a6b1fb0752 | |||
| 4aec3b54ab | |||
| 109855231b | |||
| 0bff249397 | |||
| d2b362f57d | |||
| d92522b8e4 | |||
| 5b75e489e7 | |||
| 29c56b8d26 | |||
| cf0650db06 | |||
| b9f1c376af | |||
| 290d1176fe | |||
| ab7e4d10e4 | |||
| 776535d6d5 | |||
| f5bfc1c908 | |||
| 80370d1034 | |||
| e6456b202d | |||
| 15606ee465 | |||
| 0a9985edcc | |||
|  | 9bcffbaff3 | ||
| 3f8f141d94 | |||
| 09ff829c50 | |||
| a76cfca7f2 | |||
| 1e0bdf0559 | |||
| 6f6a132e97 | |||
| 5cf7cbb450 | |||
| 98707c0d1c | |||
| f0db5849c8 | |||
| efc76d7a10 | |||
| a0d48d4243 | |||
| 3f5b90a546 | |||
| 13a2430e9d | |||
| 4b76181210 | |||
| 473a81521c | |||
| 9a92c83b5a | |||
| f05cb6f9de | |||
| 671348a674 | |||
| 8482f77a47 | |||
| 0eafcfea18 | |||
| f40a61946d | |||
| 6dd2d17298 | |||
| 4e1dbab080 | |||
| 1995358e99 | |||
| 2c5721d5cf | |||
| abb25a7eb0 | |||
| 36932bfcaa | |||
| b11ac8bcae | |||
| 4fa554da57 | |||
| 78931bbb4b | |||
| c6eacfc9f2 | |||
| f217f8eae7 | |||
| fc92b0ce75 | |||
| ae00e766d7 | |||
| 912d15a23b | |||
| 48567f0630 | |||
| 40445c299d | |||
| 54207c482c | |||
| 09a9bc4115 | |||
| eafae2af3b | |||
| 3b31b9c94c | |||
| bec78de2f3 | |||
| 9b2631f16c | |||
| f10ff329b7 | |||
| a3539de9e0 | |||
| 0ed3010fed | |||
| b98f173441 | |||
| 2500342e47 | |||
| 430f5b0f0f | |||
| e6a903cfef | |||
| 6752ca55ae | |||
| 820c954319 | |||
| cc51f3731a | |||
| 9dae1a832b | |||
| 883da46a3b | |||
| aacbb20e13 | |||
| 90076f2dde | |||
| 06757a81e5 | |||
| f67bd391bc | |||
| e5e72de45b | |||
| 2e67269b5b | |||
| 6e2f353916 | |||
| 62661efc42 | |||
| 8f07b2ef89 | |||
| b80d566927 | |||
| b0fd37de01 | |||
| 95597c3103 | |||
| 3a69c1a210 | |||
| 1361c9ec22 | |||
| c8a7aecc2f | |||
| bc5dcce5f7 | |||
| d56348f9a6 | |||
| a828b602d6 | |||
| 14a5d703cb | |||
| 4fa49dbf8a | |||
| ebd723d8fd | |||
| d4d44bc6d3 | |||
| d6a1d48c03 | |||
| 6adcb53e96 | |||
| af83e1783b | |||
| 49412781ea | |||
| d419ac56e1 | |||
| 5df71506cf | |||
| 508c03268e | |||
| 3dce3d07fd | |||
| f9393fd0da | |||
| 4c5a58f67d | |||
| 2e49b842a9 | |||
| 46677df2a3 | |||
| ca4ded3d0d | |||
| f0c4be9b7d | |||
| ce7f5f51fb | |||
| e02a10b192 | |||
| 4d2071a5bd | |||
| ecf9111f8f | |||
| 14617aad39 | |||
| a00c85d5f6 | |||
| 0fce65b6a5 | |||
| 2ef01e2b28 | |||
| d492b400fa | |||
| 612e788d9b | |||
| b3fe86ea90 | |||
| ade71fffad | |||
| 7a92a18bba | |||
| fe25d03989 | |||
| d0bfdf5147 | |||
| 66f2a9ada0 | |||
| c338ca3bed | |||
| a97b664485 | |||
| 603b237091 | |||
| 29be7832c7 | |||
| 06de7c53ba | |||
| 79f9704cf5 | |||
| 7e1c99f12d | |||
| cf8ca7457b | |||
| 5680b4df49 | |||
| b01f073ced | |||
| 222ba974e6 | |||
| 1bf85cfd7b | |||
| aba2327740 | |||
| 19ad42bd2b | |||
| a3b2f76652 | |||
| fb55cd2ac7 | |||
| c5cae07624 | |||
| 21b583dc5b | |||
| fe662dc408 | |||
| 6a9254da33 | |||
| 5259a7df04 | |||
| 8712786cfe | |||
| b56376624e | |||
| 5c8a166218 | |||
| c90a5bbf5e | |||
| 1db064a38a | |||
| 36a7eaa805 | |||
| 5d8670104a | |||
| 0b5c14903a | |||
| 8d61764893 | |||
| 2f1c0c3cc8 | |||
| 9a2fd034bb | |||
| 6afda40b93 | |||
| dd1ab10624 | |||
| 2493266aed | |||
| 5a0821da0d | |||
| be330ad121 | |||
| 045a8bb574 | |||
| 1d3d58f1a0 | |||
| 5dc6dca28e | |||
| e82fd3f543 | |||
| 8b0719234c | |||
| 7abac4db0a | |||
| f14d2933d0 | |||
| b415b8ca56 | |||
| 8e796361c3 | |||
| a8bf83f9e5 | |||
| 0b0d9046d8 | |||
| 2343edbe6b | |||
| 41b7b509f4 | |||
| a51b041621 | |||
| 1d6cf0a521 | |||
| 19d66801df | |||
| d2a719af43 | |||
| 34369d211b | |||
| cadb38126b | |||
| 414d044909 | |||
| ea23a52d6b | |||
| 3458cbd694 | |||
| 0a40686c16 | |||
| 222fca8b8f | |||
| 75df3e2a41 | |||
| 5516ad195c | |||
| d0ac3b0361 | |||
| c7daada4f4 | |||
| 3a11207783 | |||
| 3586309c4e | |||
| 960103eb40 | |||
| 34b48308ff | |||
| d8471da75f | |||
| 3dfa8e3203 | |||
| 2a8c685345 | |||
| bccd2c6458 | |||
| c65835c6a4 | |||
| 76cfcd083b | |||
| 98ae369b41 | |||
| 4ccfd3d21a | |||
| ea9b63b7cc | |||
| b5ee891c97 | |||
| eccfb43aa1 | |||
| 8f99b1b03d | |||
| 024897a083 | |||
| 18c4764687 | |||
| 7b9cb6184b | |||
| 9dd32af3cb | |||
| a1cc066927 | |||
| 029572872e | |||
| 30f1c32815 | |||
| 0c14283136 | |||
| 587748343d | |||
| 1bcfbed130 | |||
| 3b1cda8a58 | |||
| 2fd0112c28 | |||
| 9275f745ce | |||
| 3d86b6acde | |||
| 4a94cd4af0 | |||
| a27f273c0b | |||
| 4686108f42 | |||
| 30b7e50afb | |||
| e4c9675b99 | |||
| 017bdd9fd8 | |||
| 0fd0094ba0 | |||
| d20fdf350d | |||
| bac5040d2a | 
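--- a/.drone.yml
+++ b/.drone.yml
@@ -1,10 +0,0 @@
----
-kind: pipeline
-type: kubernetes
-name: gitleaks
-
-steps:
-- name: gitleaks
-  image: zricethezav/gitleaks
-  commands:
-  - gitleaks detect --source=/drone/src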
							
								
								
									
										5
									
								
								.gitignore
									
									
									
									
										vendored
									
									
								
							
							| @@ -1,9 +1,14 @@ | ||||
| *.keys | ||||
| *secrets.yml | ||||
| *secret.yml | ||||
| *.swp | ||||
| *.save | ||||
| *.1 | ||||
|  | ||||
| # Kustomize with Helm and secrets: | ||||
| charts/ | ||||
| *.env | ||||
|  | ||||
| ### IntelliJ IDEA ### | ||||
| .idea | ||||
| *.iml | ||||
|   | ||||
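Review bot: The secret-exclusion patterns `*secrets.yml` and `*secret.yml` cover only the `.yml` spelling, so a `secrets.yaml` or `secret.yaml` placed next to the manifests would not be excluded; adding `*secret.yaml` and `*secrets.yaml` beside them closes that gap. Which of these fourteen lines are new is not recoverable from the rendered view, so this applies to whichever of the secret patterns the commit introduces. A `.gitignore` only prevents accidental staging, and the same change deletes the `.drone.yml` gitleaks pipeline, so an equivalent secret-scanning step should be confirmed in the replacement CI before these patterns are relied on alone.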
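--- a/.yamllint
+++ b/.yamllint
@@ -0,0 +1,4 @@
+extends: default
+ignore-from-file: .gitignore
+rules:
+  line-length: disable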
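--- a/CLUSTER.md
+++ b/CLUSTER.md
@@ -0,0 +1,137 @@
+# Kubernetes cluster
+Kubernetes hosts run on [PVE Cluster](https://wiki.k-space.ee/en/hosting/proxmox). Hosts are listed in Ansible [inventory](ansible/inventory.yml).
+
+## `kubectl`
+- Authorization [ACLs](cluster-role-bindings.yml)
+- [Troubleshooting `no such host`](#systemd-resolved-issues)
+
+Authenticate to auth.k-space.ee:
+```bash
+kubectl krew install oidc-login
+mkdir -p ~/.kube
+
+cat << EOF > ~/.kube/config
+apiVersion: v1
+clusters:
+- cluster:
+    certificate-authority-data: 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
+    server: https://master.kube.k-space.ee:6443
+  name: kubernetes
+contexts:
+- context:
+    cluster: kubernetes
+    user: oidc
+  name: default
+current-context: default
+kind: Config
+preferences: {}
+users:
+- name: oidc
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1beta1
+      args:
+      - oidc-login
+      - get-token
+      - --oidc-issuer-url=https://auth.k-space.ee/
+      - --oidc-client-id=passmower.kubelogin
+      - --oidc-extra-scope=profile,email,groups
+      - --listen-address=127.0.0.1:27890
+      command: kubectl
+      env: null
+      provideClusterInfo: false
+EOF
+
+# Test it:
+kubectl get nodes # opens browser for authentication
+```
+
+### systemd-resolved issues
+```sh
+Unable to connect to the server: dial tcp: lookup master.kube.k-space.ee on 127.0.0.53:53: no such host
+```
+```
+Network → VPN → `IPv4` → Other nameservers (Muud nimeserverid): `172.21.0.1`
+Network → VPN → `IPv6` → Other nameservers (Muud nimeserverid): `2001:bb8:4008:21::1`
+Network → VPN → `IPv4` → Search domains (Otsingudomeenid): `kube.k-space.ee`
+Network → VPN → `IPv6` → Search domains (Otsingudomeenid): `kube.k-space.ee`
+```
+
+## Cluster formation
+Created Ubuntu 22.04 VM-s on Proxmox with local storage.
+Added some ARM64 workers by using Ubuntu 22.04 server on Raspberry Pi.
+
+First master:
+```
+kubeadm init --token-ttl=120m --pod-network-cidr=10.244.0.0/16 --control-plane-endpoint "master.kube.k-space.ee:6443" --upload-certs --apiserver-cert-extra-sans master.kube.k-space.ee --node-name master1.kube.k-space.ee
+```
+
+Joining nodes:
+```
+# On a master:
+kubeadm token create --print-join-command
+
+# Joining node:
+<printed join command --node-name "$(hostname -f)"
+```
+
+Set AZ labels:
+```
+for j in $(seq 1 9); do
+  for t in master mon worker; do
+    kubectl label nodes ${t}${j}.kube.k-space.ee topology.kubernetes.io/zone=node${j}
+  done
+done
+```
+
+After forming the cluster add taints:
+
+```bash
+for j in $(seq 1 9); do
+  kubectl label nodes worker${j}.kube.k-space.ee node-role.kubernetes.io/worker=''
+done
+
+for j in $(seq 1 4); do
+  kubectl taint nodes mon${j}.kube.k-space.ee dedicated=monitoring:NoSchedule
+  kubectl label nodes mon${j}.kube.k-space.ee dedicated=monitoring
+done
+```
+
+For `arm64` nodes add suitable taint to prevent scheduling non-multiarch images on them:
+
+```bash
+kubectl taint nodes worker9.kube.k-space.ee arch=arm64:NoSchedule
+```
+
+For door controllers:
+```
+for j in ground front back; do
+  kubectl taint nodes door-${j}.kube.k-space.ee dedicated=door:NoSchedule
+  kubectl label nodes door-${j}.kube.k-space.ee dedicated=door
+  kubectl taint nodes door-${j}.kube.k-space.ee arch=arm64:NoSchedule
+done
+```
+
+## Technology mapping
+Our self-hosted Kubernetes stack compared to AWS based deployments:
+
+| Hipster startup   | Self-hosted hackerspace             | Purpose                                                             |
+|-------------------|-------------------------------------|---------------------------------------------------------------------|
+| AWS ALB           | Traefik                             | Reverse proxy also known as ingress controller in Kubernetes jargon |
+| AWS AMP           | Prometheus Operator                 | Monitoring and alerting                                             |
+| AWS CloudTrail    | ECK Operator                        | Log aggregation                                                     |
+| AWS DocumentDB    | MongoDB Community Operator          | Highly available NoSQL database                                     |
+| AWS EBS           | Longhorn                            | Block storage for arbitrary applications needing persistent storage |
+| AWS EC2           | Proxmox                             | Virtualization layer                                                |
+| AWS ECR           | Harbor                              | Docker registry                                                     |
+| AWS EKS           | kubeadm                             | Provision Kubernetes master nodes                                   |
+| AWS NLB           | MetalLB                             | L2/L3 level load balancing                                          |
+| AWS RDS for MySQL | MySQL Operator                      | Provision highly available relational databases                     |
+| AWS Route53       | Bind and RFC2136                    | DNS records and Let's Encrypt DNS validation                        |
+| AWS S3            | Minio Operator                      | Highly available object storage                                     |
+| AWS VPC           | Calico                              | Overlay network                                                     |
+| Dex               | Passmower                           | ACL mapping and OIDC provider which integrates with GitHub/Samba    |
+| GitHub Actions    | Woodpecker                          | Build Docker images                                                 |
+| GitHub            | Gitea                               | Source code management, issue tracking                              |
+| GitHub OAuth2     | Samba (Active Directory compatible) | Source of truth for authentication and authorization                |
+| Gmail             | Wildduck                            | E-mail                                                              |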
| @@ -10,3 +10,4 @@ this Git repository happen: | ||||
| * Song Meo <songmeo@k-space.ee> | ||||
| * Rasmus Kallas <rasmus@k-space.ee> | ||||
| * Kristjan Kuusk <kkuusk@k-space.ee> | ||||
| * Erki Aas <eaas@k-space.ee> | ||||
|   | ||||
							
								
								
									
										297
									
								
								README.md
									
									
									
									
									
								
							
							| @@ -1,261 +1,72 @@ | ||||
| # Kubernetes cluster manifests | ||||
| # k-space.ee infrastructure | ||||
| Kubernetes manifests, Ansible [playbooks](ansible/README.md), and documentation for K-SPACE services. | ||||
|  | ||||
| ## Introduction | ||||
| <!-- TODO: Docs for adding to ArgoCD (auto-)sync --> | ||||
| - Repo is deployed with [ArgoCD](https://argocd.k-space.ee). For `kubectl` access, see [CLUSTER.md](CLUSTER.md#kubectl). | ||||
| - Debugging Kubernetes [on Wiki](https://wiki.k-space.ee/en/hosting/debugging-kubernetes) | ||||
| - Need help? → [`#kube`](https://k-space-ee.slack.com/archives/C02EYV1NTM2) | ||||
|  | ||||
| This is the Kubernetes manifests of services running on k-space.ee domains: | ||||
| Jump to docs: [inventory-app](hackerspace/README.md) / [cameras](_disabled/camtiler/README.md) / [doors](https://wiki.k-space.ee/en/hosting/doors) / [list of apps](https://auth.k-space.ee) // [all infra](ansible/inventory.yml) / [network](https://wiki.k-space.ee/en/hosting/network) / [retro](https://wiki.k-space.ee/en/hosting/retro) / [non-infra](https://wiki.k-space.ee) | ||||
|  | ||||
| - [Authelia](https://auth.k-space.ee) for authentication | ||||
| - [Drone.io](https://drone.k-space.ee) for building Docker images | ||||
| - [Harbor](https://harbor.k-space.ee) for hosting Docker images | ||||
| - [ArgoCD](https://argocd.k-space.ee) for deploying Kubernetes manifests and | ||||
|   Helm charts into the cluster | ||||
| - [camtiler](https://cams.k-space.ee) for cameras | ||||
| - [Longhorn Dashboard](https://longhorn.k-space.ee) for administering | ||||
|   Longhorn storage | ||||
| - [Kubernetes Dashboard](https://kubernetes-dashboard.k-space.ee/) for read-only overview | ||||
|   of the Kubernetes cluster | ||||
| - [Wildduck Webmail](https://webmail.k-space.ee/) | ||||
| Tip: Search the repo for `kind: xyz` for examples. | ||||
|  | ||||
| Most endpoints are protected by OIDC autentication or Authelia SSO middleware. | ||||
| ## Supporting services | ||||
| - Build [Git](https://git.k-space.ee) repositories with [Woodpecker](https://woodpecker.k-space.ee)[^nodrone]. | ||||
| - Passmower: Authz with `kind: OIDCClient` (or `kind: OIDCMiddlewareClient`[^authz]). | ||||
| - Traefik[^nonginx]: Expose services with `kind: Service` + `kind: Ingress` (TLS and DNS **included**). | ||||
|  | ||||
| [^nodrone]: Replaces Drone CI. | ||||
|  | ||||
| ## Cluster access | ||||
| ### Additional | ||||
| - bind: Manage _additional_ DNS records with `kind: DNSEndpoint`. | ||||
| - [Prometheus](https://wiki.k-space.ee/en/hosting/monitoring): Collect metrics with `kind: PodMonitor` (alerts with `kind: PrometheusRule`). | ||||
| - [Slack bots](SLACK.md) and Kubernetes [CLUSTER.md](CLUSTER.md) itself. | ||||
| <!-- TODO: Redirects: external-dns.alpha.kubernetes.io/hostname + in -extras.yaml: IngressRoute and Middleware --> | ||||
|  | ||||
| General discussion is happening in the `#kube` Slack channel. | ||||
| [^nonginx]: No nginx annotations! Use `kind: Ingress` instead. `IngressRoute` is not used as it doesn't support [`external-dns`](bind/README.md) out of the box. | ||||
| [^authz]: Applications should use OpenID Connect (`kind: OIDCClient`) for authentication, whereever possible. If not possible, use `kind: OIDCMiddlewareClient` client, which will provide authentication via a Traefik middleware (`traefik.ingress.kubernetes.io/router.middlewares: passmower-proxmox@kubernetescrd`). Sometimes you might use both for extra security. | ||||
|  | ||||
| For bootstrap access obtain `/etc/kubernetes/admin.conf` from one of the master | ||||
| nodes and place it under `~/.kube/config` on your machine. | ||||
| ### Network | ||||
|  | ||||
| Once Authelia is working, OIDC access for others can be enabled with | ||||
| running following on Kubernetes masters: | ||||
| All nodes are in Infra VLAN 21. Routing is implemented with BGP, all nodes and the router make a full-mesh. Both Serice LB IPs and Pod IPs are advertised to the router. Router does NAT for outbound pod traffic. | ||||
| See the [Calico installation](tigera-operator/application.yml) for Kube side and Routing / BGP in the router. | ||||
| Static routes for 193.40.103.36/30 have been added in pve nodes to make them communicating with Passmower via Traefik more stable - otherwise packets coming back to the PVE are routed directly via VLAN 21 internal IPs by the worker nodes, breaking TCP. | ||||
|  | ||||
| ```bash | ||||
| patch /etc/kubernetes/manifests/kube-apiserver.yaml - << EOF | ||||
| @@ -23,6 +23,10 @@ | ||||
|      - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt | ||||
|      - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key | ||||
|      - --etcd-servers=https://127.0.0.1:2379 | ||||
| +    - --oidc-issuer-url=https://auth.k-space.ee | ||||
| +    - --oidc-client-id=kubelogin | ||||
| +    - --oidc-username-claim=preferred_username | ||||
| +    - --oidc-groups-claim=groups | ||||
|      - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt | ||||
|      - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key | ||||
|      - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname | ||||
| EOF | ||||
| sudo systemctl daemon-reload | ||||
| systemctl restart kubelet | ||||
| ``` | ||||
| <!-- Linked to by https://wiki.k-space.ee/e/en/hosting/storage --> | ||||
| ### Databases / -stores: | ||||
| - Dragonfly: `kind: Dragonfly` (replaces Redis[^redisdead]) | ||||
| - Longhorn: `storageClassName: longhorn` (filesystem storage) | ||||
| - Mongo[^mongoproblems]: `kind: MongoDBCommunity` (NAS* `inventory-mongodb`) | ||||
| - Minio S3: `kind: MinioBucketClaim` with `class: dedicated` (NAS*: `class: external`) | ||||
| - MariaDB*: search for `mysql`, `mariadb`[^mariadb] (replaces MySQL) | ||||
| - Postgres*: hardcoded to [harbor/application.yml](harbor/application.yml) | ||||
| - Seeded secrets: `kind: SecretClaim` (generates random secret in templated format) | ||||
| - Secrets in git: https://git.k-space.ee/secretspace (members personal info, API credentials, see argocd/deploy_key.pub comment) | ||||
|  | ||||
| Afterwards following can be used to talk to the Kubernetes cluster using | ||||
| OIDC credentials: | ||||
| \* External, hosted directly on [nas.k-space.ee](https://wiki.k-space.ee/en/hosting/storage) | ||||
|  | ||||
| ```bash | ||||
| kubectl krew install oidc-login | ||||
| mkdir -p ~/.kube | ||||
| cat << EOF > ~/.kube/config | ||||
| apiVersion: v1 | ||||
| clusters: | ||||
| - cluster: | ||||
|     certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMvakNDQWVhZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRJeU1EVXdNakEzTXpVMU1Wb1hEVE15TURReU9UQTNNelUxTVZvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBS2J2CjY3UFlXVHJMc3ZCQTZuWHUvcm55SlVhNnppTnNWTVN6N2w4ekhxM2JuQnhqWVNPUDJhN1RXTnpUTmZDanZBWngKTmlNbXJya1hpb2dYQWpVVkhSUWZlYm81TFIrb0JBOTdLWlcrN01UMFVJRXBuWVVaaTdBRHlaS01vcEJFUXlMNwp1SlU5UDhnNUR1T29FRHZieGJSMXFuV1JZRXpteFNmSFpocllpMVA3bFd4emkxR243eGRETFZaMjZjNm0xR3Y1CnViRjZyaFBXK1JSVkhiQzFKakJGeTBwRXdhYlUvUTd0Z2dic0JQUjk5NVZvMktCeElBelRmbHhVanlYVkJ3MjEKU2d3ZGI1amlpemxEM0NSbVdZZ0ZrRzd0NTVZeGF3ZmpaQjh5bW4xYjhUVjkwN3dRcG8veU8zM3RaaEE3L3BFUwpBSDJYeDk5bkpMbFVGVUtSY1A4Q0F3RUFBYU5aTUZjd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0hRWURWUjBPQkJZRUZKNnZKeVk1UlJ1aklQWGxIK2ZvU3g2QzFRT2RNQlVHQTFVZEVRUU8KTUF5Q0NtdDFZbVZ5Ym1WMFpYTXdEUVlKS29aSWh2Y05BUUVMQlFBRGdnRUJBQ04zcGtCTVM3ekkrbUhvOWdTZQp6SzdXdjl3bXlCTVE5Q3crQXBSNnRBQXg2T1VIN0d1enc5TTV2bXNkYjkrYXBKMHBlZFB4SUg3YXZ1aG9SUXNMCkxqTzRSVm9BMG9aNDBZV3J3UStBR0dvdkZuaWNleXRNcFVSNEZjRXc0ZDRmcGl6V3d0TVNlRlRIUXR6WG84V2MKNFJGWC9xUXNVR1NWa01PaUcvcVVrSFpXQVgyckdhWXZ1Tkw2eHdSRnh5ZHpsRTFSUk56TkNvQzVpTXhjaVRNagpackEvK0pqVEFWU2FuNXZnODFOSmthZEphbmNPWmEwS3JEdkZzd1JJSG5CMGpMLzh3VmZXSTV6czZURU1VZUk1ClF6dU01QXUxUFZ4VXZJUGhlMHl6UXZjWDV5RlhnMkJGU3MzKzJBajlNcENWVTZNY2dSSTl5TTRicitFTUlHL0kKY0pjPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== | ||||
|     server: https://master.kube.k-space.ee:6443 | ||||
|   name: kubernetes | ||||
| contexts: | ||||
| - context: | ||||
|     cluster: kubernetes | ||||
|     user: oidc | ||||
|   name: default | ||||
| current-context: default | ||||
| kind: Config | ||||
| preferences: {} | ||||
| users: | ||||
| - name: oidc | ||||
|   user: | ||||
|     exec: | ||||
|       apiVersion: client.authentication.k8s.io/v1beta1 | ||||
|       args: | ||||
|       - oidc-login | ||||
|       - get-token | ||||
|       - --oidc-issuer-url=https://auth.k-space.ee | ||||
|       - --oidc-client-id=kubelogin | ||||
|       - --oidc-use-pkce | ||||
|       - --oidc-extra-scope=profile,email,groups | ||||
|       - --listen-address=127.0.0.1:27890 | ||||
|       command: kubectl | ||||
|       env: null | ||||
|       provideClusterInfo: false | ||||
| EOF | ||||
| ``` | ||||
| [^mariadb]: As of 2024-07-30 used by auth, authelia, bitwarden, etherpad, freescout, git, grafana, nextcloud, wiki, woodpecker | ||||
|  | ||||
| For access control mapping see [cluster-role-bindings.yml](cluster-role-bindings.yml) | ||||
| [^redisdead]: Redis has been replaced as redis-operatori couldn't handle itself: didn't reconcile after reboots, master URI was empty, and clients complained about missing masters. Dragonfly replaces KeyDB. | ||||
|  | ||||
| [^mongoproblems]: Mongo problems: Incompatible with rawfile csi (wiredtiger.wt corrupts), complicated resizing (PVCs from statefulset PVC template). | ||||
|  | ||||
| # Technology mapping | ||||
| *** | ||||
| _This page is referenced by wiki [front page](https://wiki.k-space.ee) as **the** technical documentation for infra._ | ||||
|  | ||||
| Our self-hosted Kubernetes stack compared to AWS based deployments: | ||||
| ## nas.k-space.ee pre-migration whouses listing | ||||
| - S3: [minio-clusters](minio-clusters/README.md) | ||||
| - postgres: only harbor, 172.20.43.1 | ||||
|  | ||||
| | Hipster startup   | Self-hosted hackerspace             | Purpose                                                             | | ||||
| |-------------------|-------------------------------------|---------------------------------------------------------------------| | ||||
| | AWS ALB           | Traefik                             | Reverse proxy also known as ingress controller in Kubernetes jargon | | ||||
| | AWS AMP           | Prometheus Operator                 | Monitoring and alerting                                             | | ||||
| | AWS CloudTrail    | ECK Operator                        | Log aggregation                                                     | | ||||
| | AWS DocumentDB    | MongoDB Community Operator          | Highly available NoSQL database                                     | | ||||
| | AWS EBS           | Longhorn                            | Block storage for arbitrary applications needing persistent storage | | ||||
| | AWS EC2           | Proxmox                             | Virtualization layer                                                | | ||||
| | AWS ECR           | Harbor                              | Docker registry                                                     | | ||||
| | AWS EKS           | kubeadm                             | Provision Kubernetes master nodes                                   | | ||||
| | AWS NLB           | MetalLB                             | L2/L3 level load balancing                                          | | ||||
| | AWS RDS for MySQL | MySQL Operator                      | Provision highly available relational databases                     | | ||||
| | AWS Route53       | Bind and RFC2136                    | DNS records and Let's Encrypt DNS validation                        | | ||||
| | AWS S3            | Minio Operator                      | Highly available object storage                                     | | ||||
| | AWS VPC           | Calico                              | Overlay network                                                     | | ||||
| | Dex               | Authelia                            | ACL mapping and OIDC provider which integrates with GitHub/Samba    | | ||||
| | GitHub Actions    | Drone                               | Build Docker images                                                 | | ||||
| | GitHub            | Gitea                               | Source code management, issue tracking                              | | ||||
| | GitHub OAuth2     | Samba (Active Directory compatible) | Source of truth for authentication and authorization                | | ||||
| | Gmail             | Wildduck                            | E-mail                                                              | | ||||
| ### mongodb | ||||
| - inventory | ||||
| - wildduck | ||||
|  | ||||
|  | ||||
| External dependencies running as classic virtual machines: | ||||
|  | ||||
| - Samba as Authelia's source of truth | ||||
| - Bind as DNS server | ||||
|  | ||||
|  | ||||
| ## Adding applications | ||||
|  | ||||
| Deploy applications via [ArgoCD](https://argocd.k-space.ee) | ||||
|  | ||||
| We use Treafik with Authelia for Ingress. | ||||
| Applications where possible and where applicable should use `Remote-User` | ||||
| authentication. This prevents application exposure on public Internet. | ||||
| Otherwise use OpenID Connect for authentication, | ||||
| see Argo itself as an example how that is done. | ||||
|  | ||||
| See `kspace-camtiler/ingress.yml` for commented Ingress example. | ||||
|  | ||||
| Note that we do not use IngressRoute objects because they don't | ||||
| support `external-dns` out of the box. | ||||
| Do NOT add nginx annotations, we use Traefik. | ||||
| Do NOT manually add DNS records, they are added by `external-dns`. | ||||
| Do NOT manually create Certificate objects, | ||||
| these should be handled by `tls:` section in Ingress. | ||||
|  | ||||
|  | ||||
| ## Cluster formation | ||||
|  | ||||
| Create Ubuntu 20.04 VM-s on Proxmox with local storage. | ||||
|  | ||||
| After machines have booted up and you can reach them via SSH: | ||||
|  | ||||
| ```bash | ||||
| # Enable required kernel modules | ||||
| cat > /etc/modules << EOF | ||||
| overlay | ||||
| br_netfilter | ||||
| EOF | ||||
| cat /etc/modules | xargs -L 1 -t modprobe | ||||
|  | ||||
| # Finetune sysctl: | ||||
| cat > /etc/sysctl.d/99-k8s.conf << EOF | ||||
| net.ipv4.conf.all.accept_redirects  = 0 | ||||
| net.bridge.bridge-nf-call-iptables  = 1 | ||||
| net.ipv4.ip_forward                 = 1 | ||||
| net.bridge.bridge-nf-call-ip6tables = 1 | ||||
| EOF | ||||
| sysctl --system | ||||
|  | ||||
| # Disable Ubuntu caching DNS resolver | ||||
| systemctl disable systemd-resolved.service | ||||
| systemctl stop systemd-resolved | ||||
| rm -fv /etc/resolv.conf | ||||
| cat > /etc/resolv.conf << EOF | ||||
| nameserver 1.1.1.1 | ||||
| nameserver 8.8.8.8 | ||||
| EOF | ||||
|  | ||||
| # Disable multipathd as Longhorn handles that itself | ||||
| systemctl mask multipathd | ||||
| systemctl disable multipathd | ||||
| systemctl stop multipathd | ||||
|  | ||||
| # Disable Snapcraft | ||||
| systemctl mask snapd | ||||
| systemctl disable snapd | ||||
| systemctl stop snapd | ||||
|  | ||||
| # Permit root login | ||||
| sed -i -e 's/PermitRootLogin no/PermitRootLogin without-password/' /etc/ssh/sshd_config | ||||
| systemctl reload ssh | ||||
| cat << EOF > /root/.ssh/authorized_keys | ||||
| sk-ecdsa-sha2-nistp256@openssh.com AAAAInNrLWVjZHNhLXNoYTItbmlzdHAyNTZAb3BlbnNzaC5jb20AAAAIbmlzdHAyNTYAAABBBD4/e9SWYWYoNZMkkF+NirhbmHuUgjoCap42kAq0pLIXFwIqgVTCre03VPoChIwBClc8RspLKqr5W3j0fG8QwnQAAAAEc3NoOg== lauri@lauri-x13 | ||||
| EOF | ||||
| userdel -f ubuntu | ||||
| apt-get remove -yq cloud-init | ||||
|  | ||||
|  | ||||
| ``` | ||||
|  | ||||
| Install packages, for Raspbian set `OS=Debian_11` | ||||
|  | ||||
| ```bash | ||||
| OS=xUbuntu_20.04 | ||||
| VERSION=1.23 | ||||
| cat <<EOF | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list | ||||
| deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ / | ||||
| EOF | ||||
| cat <<EOF | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable:cri-o:$VERSION.list | ||||
| deb http://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ / | ||||
| EOF | ||||
|  | ||||
| curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | sudo apt-key --keyring /etc/apt/trusted.gpg.d/libcontainers.gpg add - | ||||
| curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/Release.key | sudo apt-key --keyring /etc/apt/trusted.gpg.d/libcontainers-cri-o.gpg add - | ||||
| curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add - | ||||
| echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list | ||||
|  | ||||
| apt-get update | ||||
| apt-get install -yqq apt-transport-https curl cri-o cri-o-runc kubelet=1.23.5-00 kubectl=1.23.5-00 kubeadm=1.23.5-00 | ||||
| sudo systemctl daemon-reload | ||||
| sudo systemctl enable crio --now | ||||
| apt-mark hold kubelet kubeadm kubectl | ||||
| sed -i -e 's/unqualified-search-registries = .*/unqualified-search-registries = ["docker.io"]/' /etc/containers/registries.conf | ||||
| ``` | ||||
|  | ||||
| On master: | ||||
|  | ||||
| ``` | ||||
| kubeadm init --token-ttl=120m --pod-network-cidr=10.244.0.0/16 --control-plane-endpoint "master.kube.k-space.ee:6443" --upload-certs --apiserver-cert-extra-sans master.kube.k-space.ee --node-name master1.kube.k-space.ee | ||||
| ``` | ||||
|  | ||||
| For the `kubeadm join` command specify FQDN via `--node-name $(hostname -f)`. | ||||
|  | ||||
| After forming the cluster add taints: | ||||
|  | ||||
| ```bash | ||||
| for j in $(seq 1 9); do | ||||
|   kubectl label nodes worker${j}.kube.k-space.ee node-role.kubernetes.io/worker='' | ||||
| done | ||||
|  | ||||
| for j in $(seq 1 3); do | ||||
|   kubectl taint nodes mon${j}.kube.k-space.ee dedicated=monitoring:NoSchedule | ||||
|   kubectl label nodes mon${j}.kube.k-space.ee dedicated=monitoring | ||||
| done | ||||
|  | ||||
| for j in $(seq 1 4); do | ||||
|   kubectl taint nodes storage${j}.kube.k-space.ee dedicated=storage:NoSchedule | ||||
|   kubectl label nodes storage${j}.kube.k-space.ee dedicated=storage | ||||
| done | ||||
| ``` | ||||
|  | ||||
| On Raspberry Pi you need to take additonal steps: | ||||
|  | ||||
| * Manually enable cgroups by appending | ||||
|   `cgroup_memory=1 cgroup_enable=memory` to `/boot/cmdline.txt`, | ||||
| * Disable swap with `swapoff -a; apt-get purge -y dphys-swapfile` | ||||
| * For mounting Longhorn volumes on Rasbian install `open-iscsi` | ||||
|  | ||||
| For `arm64` nodes add suitable taint to prevent scheduling non-multiarch images on them: | ||||
|  | ||||
| ```bash | ||||
| kubectl taint nodes worker9.kube.k-space.ee arch=arm64:NoSchedule | ||||
| ``` | ||||
| ### mariadb.infra.k-space.ee (DNS from ns1 to 172.20.36.1) | ||||
| - freescout | ||||
| - gitea nb! MYSQL_ROOT_PASSWORD seems to be invalid, might be ok to reset it upstream | ||||
| - wiki | ||||
| - nextcloud | ||||
| - etherpad NB! probably NOT using kspace_etherpad_kube NB! does not take DNS likely due to netpol, hardcoded to 172.20.36.1 | ||||
| - grafana | ||||
| - woodpecker | ||||
|   | ||||
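--- a/SLACK.md
+++ b/SLACK.md
@@ -0,0 +1,28 @@
+## Slack bots
+### Doorboy3
+https://api.slack.com/apps/A05NDB6FVJQ
+Slack app author: rasmus
+
+Managed by inventory-app:
+- Incoming (open-commands) to `/api/slack/doorboy`, inventory-app authorizes based on command originating from #members or #work-shop && oidc access group (floor, workshop).
+- Posts logs to a private channel. Restricted to 193.40.103.0/24.
+
+Secrets as `SLACK_DOORLOG_CALLBACK` and `SLACK_VERIFICATION_TOKEN`.
+
+### oidc-gateway
+https://api.slack.com/apps/A05DART9PP1
+Slack app author: eaas
+
+Managed by passmower:
+- Links e-mail to slackId.
+- Login via Slack (not enabled).
+
+Secrets as `slackId` and `slack-client`.
+
+### podi-podi uuenduste spämmikoobas
+https://api.slack.com/apps/A033RE9TUFK
+Slack app author: rasmus
+
+Posts Prometheus alerts to a private channel.
+
+Secret as `slack-secrets`.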
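--- a/_disabled/argocd_applications/cnpg.yaml
+++ b/_disabled/argocd_applications/cnpg.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cnpg # aka in-cluster postgres
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: https://github.com/cloudnative-pg/cloudnative-pg
+    targetRevision: v1.25.1
+    path: releases
+    directory:
+      include: 'cnpg-1.25.1.yaml'
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: cnpg-system
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true # Resource is too big to fit in 262144 bytes allowed annotation size.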
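Review bot: `targetRevision: v1.25.1` pins a git tag on a third-party GitHub repository, and tags can be moved upstream; with `automated:` and `prune: true` below it, whatever the tag points to next is applied to `cnpg-system` without anyone reviewing it. For a release-manifest source the stronger pin is the commit the tag resolves to today, `targetRevision: <commit-sha-of-v1.25.1>` (placeholder), with the tag kept in a comment for readability. The `include: 'cnpg-1.25.1.yaml'` filter only selects the file name, so it does not protect against the file's content changing.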
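--- a/_disabled/argocd_applications/mongodb-operator.yaml
+++ b/_disabled/argocd_applications/mongodb-operator.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mongodb-operator
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: mongodb-operator
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: mongodb-operator
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true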
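Review bot: `targetRevision: HEAD` together with `automated:` and `prune: true` means every push to the repository's default branch is applied to the `mongodb-operator` namespace and any resource dropped from the path is deleted, with no review step in between; the same pattern is in `_disabled/argocd_applications/mysql-clusters.yaml` in this commit. If that is the intended workflow, naming the branch explicitly (`targetRevision: <default-branch-name>`, placeholder) documents it and survives a default-branch rename. The comment `# also depends on git@git.k-space.ee:secretspace/kube.git` records a dependency ArgoCD cannot express here; stating which secret names the `mongodb-operator` path expects from that repository would tell an operator what to check when a sync fails.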
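--- a/_disabled/argocd_applications/mysql-clusters.yaml
+++ b/_disabled/argocd_applications/mysql-clusters.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: mysql-clusters
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: mysql-clusters
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: mysql-clusters
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true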
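--- a/_disabled/asterisk/.gitignore
+++ b/_disabled/asterisk/.gitignore
@@ -0,0 +1 @@
+conf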
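--- a/_disabled/asterisk/README.md
+++ b/_disabled/asterisk/README.md
@@ -0,0 +1,13 @@
+# Asterisk
+
+Asterisk is used as 
+
+This application is managed by [ArgoCD](https://argocd.k-space.ee/applications/argocd/asterisk)
+
+Should ArgoCD be down manifests here can be applied with:
+
+```
+kubectl apply -n asterisk -f application.yaml
+```
+
+asterisk-secrets was dumped to git.k-space.ee/secretspace/kube:_disabled/asterisk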
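--- a/_disabled/asterisk/application.yml
+++ b/_disabled/asterisk/application.yml
@@ -0,0 +1,124 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: asterisk
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: voip.k-space.ee
+spec:
+  type: LoadBalancer
+  externalTrafficPolicy: Local
+  selector:
+    app: asterisk
+  ports:
+    - name: asterisk
+      protocol: UDP
+      port: 5060
+    - name: sip-data-10000
+      protocol: UDP
+      port: 10000
+    - name: sip-data-10001
+      protocol: UDP
+      port: 10001
+    - name: sip-data-10002
+      protocol: UDP
+      port: 10002
+    - name: sip-data-10003
+      protocol: UDP
+      port: 10003
+    - name: sip-data-10004
+      protocol: UDP
+      port: 10004
+    - name: sip-data-10005
+      protocol: UDP
+      port: 10005
+    - name: sip-data-10006
+      protocol: UDP
+      port: 10006
+    - name: sip-data-10007
+      protocol: UDP
+      port: 10007
+    - name: sip-data-10008
+      protocol: UDP
+      port: 10008
+    - name: sip-data-10009
+      protocol: UDP
+      port: 10009
+    - name: sip-data-10010
+      protocol: UDP
+      port: 10010
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: asterisk
+  labels:
+    app: asterisk
+spec:
+  selector:
+    matchLabels:
+      app: asterisk
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: asterisk
+    spec:
+      containers:
+        - name: asterisk
+          image: harbor.k-space.ee/k-space/asterisk
+          command:
+            - /usr/sbin/asterisk
+          args:
+            - -TWBpvvvdddf
+          volumeMounts:
+            - name: config
+              mountPath: /etc/asterisk
+          ports:
+            - containerPort: 8088
+              name: metrics
+      volumes:
+        - name: config
+          secret:
+            secretName: asterisk-secrets
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: asterisk
+spec:
+  selector:
+    matchLabels:
+      app: asterisk
+  podMetricsEndpoints:
+    - port: metrics
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: asterisk
+spec:
+  groups:
+    - name: asterisk
+      rules:
+        - alert: AsteriskPhoneNotRegistered
+          expr: asterisk_endpoints_state{resource=~"1.*"} < 2
+          for: 5m
+          labels:
+            severity: critical
+          annotations:
+            summary: "{{ $labels.resource }} is not registered."
+        - alert: AsteriskOutboundNumberNotRegistered
+          expr: asterisk_pjsip_outbound_registration_status == 0
+          for: 5m
+          labels:
+            severity: critical
+          annotations:
+            summary: "{{ $labels.username }} is not registered with provider."
+        - alert: AsteriskCallsPerMinuteLimitExceed
+          expr: asterisk_channels_duration_seconds > 10*60
+          for: 20m
+          labels:
+            severity: warning
+          annotations:
+            summary: "Call at channel {{ $labels.name }} is taking longer than 10m."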
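Review bot: `image: harbor.k-space.ee/k-space/asterisk` in the Deployment carries neither a tag nor a digest, so the pod implicitly tracks `latest` and any image re-pushed to the registry changes what runs on the next restart; pin it as `image: harbor.k-space.ee/k-space/asterisk:<tag>@sha256:<digest>` (placeholder values). The container also declares no `securityContext` and no `resources`, whereas the discourse Deployment later in this commit sets both; a `capabilities: {drop: [ALL]}` baseline with only what Asterisk actually needs added back would be worth recording here, on the assumption that the image does not require root to bind 5060 and 10000-10010 — TODO confirm. Separately, the alert name `AsteriskCallsPerMinuteLimitExceed` describes a rate while its `expr` and `summary` describe a call lasting longer than ten minutes; renaming it to something like `AsteriskCallDurationExceeded` keeps alert routing and the on-call reader in agreement.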
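--- a/_disabled/asterisk/network-policies.yml
+++ b/_disabled/asterisk/network-policies.yml
@@ -0,0 +1,39 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: asterisk
+spec:
+  podSelector:
+    matchLabels:
+      app: asterisk
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: prometheus
+    - from:
+        - ipBlock:
+            cidr: 100.101.0.0/16
+    - from:
+        - ipBlock:
+            cidr: 100.102.0.0/16
+    - from:
+        - ipBlock:
+            cidr: 81.90.125.224/32 # Lauri home
+    - from:
+        - ipBlock:
+            cidr: 172.20.8.241/32 # Erki A
+    - from:
+        - ipBlock:
+            cidr: 212.47.211.10/32 # Elisa SIP        
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 212.47.211.10/32  # Elisa SIP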
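Review bot: none of the `ipBlock` ingress rules (100.101.0.0/16, 100.102.0.0/16, the two /32 hosts and 212.47.211.10/32) carries a `ports:` entry, so each of them admits traffic to every port of the pod, including the 8088 HTTP/metrics port that the prometheus rule above is the only source meant to reach; adding a `ports:` list for UDP 5060 and 10000-10010 — the ports the Service in application.yml publishes — to each of those rules keeps the policy at least-privilege. The `egress` rule allows only 212.47.211.10/32, which also blocks DNS lookups and RTP toward any peer other than the provider; if that is deliberate it deserves a one-line comment, since a reader may otherwise expect replies to the 100.101.0.0/16 clients to be covered (presumably they are via connection tracking, but the policy does not say so). The `# Elisa SIP` comment on the last ingress rule has trailing whitespace.

```yaml
  ingress:
    # … unchanged: monitoring namespaceSelector/podSelector rule …
    - from:
        - ipBlock:
            cidr: 100.101.0.0/16
      ports:
        - protocol: UDP
          port: 5060
        - protocol: UDP
          port: 10000
          endPort: 10010
    # … the same ports: list repeated on the remaining ipBlock rules …
```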
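--- a/_disabled/csi-proxmox/README.md
+++ b/_disabled/csi-proxmox/README.md
@@ -0,0 +1,24 @@
+# proxmox-csi
+
+1. create role in pve if it doesn't exist
+2. create user and assign permissions, preferrably at resource pool level
+    ```
+    pveum user add ks-kubernetes-csi@pve
+    pveum aclmod /pool/kspace_pool -user ks-kubernetes-csi@pve -role CSI
+    pveum user token add ks-kubernetes-csi@pve cs -privsep 0
+    ```
+    save the token!
+3. apply `proxmox-csi-plugin.yml` and `storage-class.yaml`, delete proxmox-csi default storage classes from kube.
+4. add the token from pve to `config.yaml` and create the secret: `kubectl -n csi-proxmox create secret generic proxmox-csi-plugin --from-file=config.yaml`
+5. label the nodes according to allocation:
+    ```  
+    kubectl --kubeconfig ~/.kube/k-space label nodes worker1.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve1 --overwrite
+    kubectl --kubeconfig ~/.kube/k-space label nodes worker2.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve2 --overwrite
+    kubectl --kubeconfig ~/.kube/k-space label nodes worker3.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve8 --overwrite
+    kubectl --kubeconfig ~/.kube/k-space label nodes worker4.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve9 --overwrite
+
+    kubectl --kubeconfig ~/.kube/k-space label nodes master1.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve1 --overwrite
+    kubectl --kubeconfig ~/.kube/k-space label nodes master2.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve2 --overwrite
+    kubectl --kubeconfig ~/.kube/k-space label nodes master3.kube.k-space.ee topology.kubernetes.io/region=pve-cluster topology.kubernetes.io/zone=pve8 --overwrite
+     
+    ```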
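--- a/_disabled/csi-proxmox/kustomization.yaml
+++ b/_disabled/csi-proxmox/kustomization.yaml
@@ -0,0 +1,31 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: csi-proxmox
+
+helmCharts:
+  - includeCRDs: true
+    name: &name proxmox-csi-plugin
+    releaseName: *name
+    repo: oci://ghcr.io/sergelogvinov/charts
+    valuesInline:
+      node:
+        tolerations:
+          - key: node-role.kubernetes.io/control-plane
+            effect: NoSchedule
+      storageClass:
+        - name: proxmox
+          fstype: xfs
+          storage: ks-pvs
+          cache: none
+          ssd: "true"
+# Not in use, migrating off of NAS…
+#        - name: proxmox-nas
+#          fstype: xfs
+#          storage: ks-pvs-nas
+#          cache: none
+#          # ssd is false, https://github.com/sergelogvinov/proxmox-csi-plugin/issues/404
+    version: 0.3.12 # https://github.com/sergelogvinov/proxmox-csi-plugin/pkgs/container/charts%2Fproxmox-csi-plugin
+
+resources:
+- ssh://git@git.k-space.ee/secretspace/kube/proxmox-csi # secrets: proxmox-csi-plugin:config.yaml (cluster info)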
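Review bot: the `resources:` entry `ssh://git@git.k-space.ee/secretspace/kube/proxmox-csi` has no `?ref=` query, so every build pulls whatever the secrets repository's default branch holds at that moment, and the secret it supplies holds the Proxmox API token that the CSI driver uses to create and attach disks; pinning it as `ssh://git@git.k-space.ee/secretspace/kube/proxmox-csi?ref=<commit-sha>` (placeholder) makes a rollout reproducible and reviewable. The chart is pinned by `version: 0.3.12`, which is the right direction, but an OCI chart version can be re-pushed; recording the chart digest in the existing trailing comment gives the next reader something to verify against. The `# ssd is false` note references an upstream issue without saying what goes wrong; one clause stating the observed effect would save a lookup.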
										382
								_disabled/discourse/application.yaml
							| @@ -0,0 +1,382 @@ | ||||
| apiVersion: networking.k8s.io/v1 | ||||
| kind: Ingress | ||||
| metadata: | ||||
|   name: discourse | ||||
|   annotations: | ||||
|     external-dns.alpha.kubernetes.io/target: traefik.k-space.ee | ||||
|     traefik.ingress.kubernetes.io/router.entrypoints: websecure | ||||
|     traefik.ingress.kubernetes.io/router.tls: "true" | ||||
| spec: | ||||
|   tls: | ||||
|     - hosts: | ||||
|         - "*.k-space.ee" | ||||
|       secretName:  | ||||
|   rules: | ||||
|     - host: "discourse.k-space.ee" | ||||
|       http: | ||||
|         paths: | ||||
|           - path: / | ||||
|             pathType: Prefix | ||||
|             backend: | ||||
|               service: | ||||
|                 name: discourse | ||||
|                 port: | ||||
|                   name: http | ||||
|  | ||||
| --- | ||||
| apiVersion: v1 | ||||
| kind: Service | ||||
| metadata: | ||||
|   name: discourse | ||||
| spec: | ||||
|   type: ClusterIP | ||||
|   ipFamilyPolicy: SingleStack | ||||
|   ports: | ||||
|     - name: http | ||||
|       port: 80 | ||||
|       protocol: TCP | ||||
|       targetPort: http | ||||
|   selector: | ||||
|     app.kubernetes.io/instance: discourse | ||||
|     app.kubernetes.io/name: discourse | ||||
| --- | ||||
| apiVersion: v1 | ||||
| kind: ServiceAccount | ||||
| metadata: | ||||
|   name: discourse | ||||
| --- | ||||
| apiVersion: apps/v1 | ||||
| kind: Deployment | ||||
| metadata: | ||||
|   name: discourse | ||||
|   annotations: | ||||
|     reloader.stakater.com/auto: "true"    | ||||
| spec: | ||||
|   replicas: 1 | ||||
|   selector: | ||||
|     matchLabels: | ||||
|       app.kubernetes.io/instance: discourse | ||||
|       app.kubernetes.io/name: discourse | ||||
|   strategy: | ||||
|     type: Recreate | ||||
|   template: | ||||
|     metadata: | ||||
|       labels: | ||||
|         app.kubernetes.io/instance: discourse | ||||
|         app.kubernetes.io/name: discourse | ||||
|     spec: | ||||
|       serviceAccountName: discourse | ||||
|       securityContext: | ||||
|         fsGroup: 0 | ||||
|         fsGroupChangePolicy: Always | ||||
|       initContainers: | ||||
|       containers: | ||||
|         - name: discourse | ||||
|           image: docker.io/bitnami/discourse:3.3.2-debian-12-r0 | ||||
|           imagePullPolicy: "IfNotPresent" | ||||
|           securityContext: | ||||
|             allowPrivilegeEscalation: false | ||||
|             capabilities: | ||||
|               add: | ||||
|               - CHOWN | ||||
|               - SYS_CHROOT | ||||
|               - FOWNER | ||||
|               - SETGID | ||||
|               - SETUID | ||||
|               - DAC_OVERRIDE | ||||
|               drop: | ||||
|               - ALL | ||||
|             privileged: false | ||||
|             readOnlyRootFilesystem: false | ||||
|             runAsGroup: 0 | ||||
|             runAsNonRoot: false | ||||
|             runAsUser: 0 | ||||
|             seLinuxOptions: {} | ||||
|             seccompProfile: | ||||
|               type: RuntimeDefault | ||||
|           env: | ||||
|             - name: BITNAMI_DEBUG | ||||
|               value: "true" | ||||
|             - name: DISCOURSE_USERNAME | ||||
|               valueFrom: | ||||
|                 secretKeyRef: | ||||
|                   name: discourse-password | ||||
|                   key: username                                          | ||||
|             - name: DISCOURSE_PASSWORD | ||||
|               valueFrom: | ||||
|                 secretKeyRef: | ||||
|                   name: discourse-password | ||||
|                   key: password | ||||
|             - name: DISCOURSE_PORT_NUMBER | ||||
|               value: "8080" | ||||
|             - name: DISCOURSE_EXTERNAL_HTTP_PORT_NUMBER | ||||
|               value: "80" | ||||
|             - name: DISCOURSE_DATABASE_PASSWORD | ||||
|               valueFrom: | ||||
|                 secretKeyRef: | ||||
|                   name: discourse-postgresql | ||||
|                   key: password | ||||
|             - name: POSTGRESQL_CLIENT_CREATE_DATABASE_PASSWORD | ||||
|               valueFrom: | ||||
|                 secretKeyRef: | ||||
|                   name: discourse-postgres-superuser | ||||
|                   key: password | ||||
|             - name: POSTGRESQL_CLIENT_POSTGRES_PASSWORD | ||||
|               valueFrom: | ||||
|                 secretKeyRef: | ||||
|                   name: discourse-postgres-superuser | ||||
|                   key: password | ||||
|             - name: REDIS_PASSWORD | ||||
|               valueFrom: | ||||
|                 secretKeyRef: | ||||
|                   name: discourse-redis | ||||
|                   key: redis-password | ||||
|           envFrom: | ||||
|             - configMapRef: | ||||
|                 name: discourse               | ||||
|             - secretRef: | ||||
|                 name: discourse-email    | ||||
|           ports: | ||||
|             - name: http | ||||
|               containerPort: 8080 | ||||
|               protocol: TCP | ||||
|           livenessProbe: | ||||
|             tcpSocket: | ||||
|               port: http | ||||
|             initialDelaySeconds: 500 | ||||
|             periodSeconds: 10 | ||||
|             timeoutSeconds: 5 | ||||
|             successThreshold: 1 | ||||
|             failureThreshold: 6 | ||||
|           readinessProbe: | ||||
|             httpGet: | ||||
|               path: /srv/status | ||||
|               port: http | ||||
|             initialDelaySeconds: 100 | ||||
|             periodSeconds: 10 | ||||
|             timeoutSeconds: 5 | ||||
|             successThreshold: 1 | ||||
|             failureThreshold: 6 | ||||
|           resources: | ||||
|             limits: | ||||
|               cpu: "6.0" | ||||
|               ephemeral-storage: 2Gi | ||||
|               memory: 12288Mi | ||||
|             requests: | ||||
|               cpu: "1.0" | ||||
|               ephemeral-storage: 50Mi | ||||
|               memory: 3072Mi | ||||
|           volumeMounts: | ||||
|             - name: discourse-data | ||||
|               mountPath: /bitnami/discourse | ||||
|               subPath: discourse | ||||
|         - name: sidekiq | ||||
|           image: docker.io/bitnami/discourse:3.3.2-debian-12-r0 | ||||
|           imagePullPolicy: "IfNotPresent" | ||||
|           securityContext: | ||||
|             allowPrivilegeEscalation: false | ||||
|             capabilities: | ||||
|               add: | ||||
|               - CHOWN | ||||
|               - SYS_CHROOT | ||||
|               - FOWNER | ||||
|               - SETGID | ||||
|               - SETUID | ||||
|               - DAC_OVERRIDE | ||||
|               drop: | ||||
|               - ALL | ||||
|             privileged: false | ||||
|             readOnlyRootFilesystem: false | ||||
|             runAsGroup: 0 | ||||
|             runAsNonRoot: false | ||||
|             runAsUser: 0 | ||||
|             seLinuxOptions: {} | ||||
|             seccompProfile: | ||||
|               type: RuntimeDefault | ||||
|           command: | ||||
|             - /opt/bitnami/scripts/discourse/entrypoint.sh | ||||
|           args: | ||||
|             - /opt/bitnami/scripts/discourse-sidekiq/run.sh | ||||
|           env: | ||||
|             - name: BITNAMI_DEBUG | ||||
|               value: "true" | ||||
|             - name: DISCOURSE_USERNAME | ||||
|               valueFrom: | ||||
|                 secretKeyRef: | ||||
|                   name: discourse-password | ||||
|                   key: username               | ||||
|             - name: DISCOURSE_PASSWORD | ||||
|               valueFrom: | ||||
|                 secretKeyRef: | ||||
|                   name: discourse-password | ||||
|                   key: password | ||||
|             - name: DISCOURSE_DATABASE_PASSWORD | ||||
|               valueFrom: | ||||
|                 secretKeyRef: | ||||
|                   name: discourse-postgresql | ||||
|                   key: password                   | ||||
|             - name: DISCOURSE_POSTGRESQL_PASSWORD | ||||
|               valueFrom: | ||||
|                 secretKeyRef: | ||||
|                   name: discourse-postgres-superuser | ||||
|                   key: password | ||||
|             - name: REDIS_PASSWORD | ||||
|               valueFrom: | ||||
|                 secretKeyRef: | ||||
|                   name: discourse-redis | ||||
|                   key: redis-password | ||||
|           envFrom: | ||||
|             - configMapRef: | ||||
|                 name: discourse               | ||||
|             - secretRef: | ||||
|                 name: discourse-email      | ||||
|           livenessProbe: | ||||
|             exec: | ||||
|               command: ["/bin/sh", "-c", "pgrep -f ^sidekiq"] | ||||
|             initialDelaySeconds: 500 | ||||
|             periodSeconds: 10 | ||||
|             timeoutSeconds: 5 | ||||
|             successThreshold: 1 | ||||
|             failureThreshold: 6 | ||||
|           readinessProbe: | ||||
|             exec: | ||||
|               command: ["/bin/sh", "-c", "pgrep -f ^sidekiq"] | ||||
|             initialDelaySeconds: 30 | ||||
|             periodSeconds: 10 | ||||
|             timeoutSeconds: 5 | ||||
|             successThreshold: 1 | ||||
|             failureThreshold: 6 | ||||
|           resources: | ||||
|             limits: | ||||
|               cpu: 750m | ||||
|               ephemeral-storage: 2Gi | ||||
|               memory: 768Mi | ||||
|             requests: | ||||
|               cpu: 500m | ||||
|               ephemeral-storage: 50Mi | ||||
|               memory: 512Mi | ||||
|           volumeMounts: | ||||
|             - name: discourse-data | ||||
|               mountPath: /bitnami/discourse | ||||
|               subPath: discourse | ||||
|       volumes: | ||||
|         - name: discourse-data | ||||
|           persistentVolumeClaim: | ||||
|             claimName: discourse-data | ||||
| --- | ||||
| kind: PersistentVolumeClaim | ||||
| apiVersion: v1 | ||||
| metadata: | ||||
|   name: discourse-data | ||||
|   namespace: discourse | ||||
| spec: | ||||
|   accessModes: | ||||
|     - "ReadWriteOnce" | ||||
|   resources: | ||||
|     requests: | ||||
|       storage: "3Gi" | ||||
|   storageClassName: "proxmox-nas" | ||||
| --- | ||||
| apiVersion: v1 | ||||
| kind: ConfigMap | ||||
| metadata: | ||||
|   name: discourse | ||||
|   namespace: discourse | ||||
| data: | ||||
|   DISCOURSE_HOST: "discourse.k-space.ee" | ||||
|   DISCOURSE_SKIP_INSTALL: "yes" | ||||
|   DISCOURSE_PRECOMPILE_ASSETS: "no" | ||||
|   DISCOURSE_SITE_NAME: "K-Space Discourse" | ||||
|   DISCOURSE_USERNAME: "k-space" | ||||
|   DISCOURSE_EMAIL: "dos4dev@k-space.ee" | ||||
|   DISCOURSE_REDIS_HOST: "discourse-redis" | ||||
|   DISCOURSE_REDIS_PORT_NUMBER: "6379" | ||||
|   DISCOURSE_DATABASE_HOST: "discourse-postgres-rw" | ||||
|   DISCOURSE_DATABASE_PORT_NUMBER: "5432" | ||||
|   DISCOURSE_DATABASE_NAME: "discourse" | ||||
|   DISCOURSE_DATABASE_USER: "discourse" | ||||
|   POSTGRESQL_CLIENT_DATABASE_HOST: "discourse-postgres-rw" | ||||
|   POSTGRESQL_CLIENT_DATABASE_PORT_NUMBER: "5432" | ||||
|   POSTGRESQL_CLIENT_POSTGRES_USER: "postgres" | ||||
|   POSTGRESQL_CLIENT_CREATE_DATABASE_NAME: "discourse" | ||||
|   POSTGRESQL_CLIENT_CREATE_DATABASE_EXTENSIONS: "hstore,pg_trgm" | ||||
| --- | ||||
| apiVersion: codemowers.cloud/v1beta1 | ||||
| kind: OIDCClient | ||||
| metadata: | ||||
|   name: discourse | ||||
|   namespace: discourse | ||||
| spec: | ||||
|   displayName: Discourse | ||||
|   uri: https://discourse.k-space.ee | ||||
|   redirectUris: | ||||
|     - https://discourse.k-space.ee/auth/oidc/callback | ||||
|   allowedGroups: | ||||
|     - k-space:floor | ||||
|     - k-space:friends | ||||
|   grantTypes: | ||||
|     - authorization_code | ||||
|     - refresh_token | ||||
|   responseTypes: | ||||
|     - code | ||||
|   availableScopes: | ||||
|     - openid | ||||
|     - profile | ||||
|   pkce: false | ||||
| --- | ||||
| apiVersion: codemowers.cloud/v1beta1 | ||||
| kind: SecretClaim | ||||
| metadata: | ||||
|   name: discourse-redis | ||||
|   namespace: discourse | ||||
| spec: | ||||
|   size: 32 | ||||
|   mapping: | ||||
|     - key: redis-password | ||||
|       value: "%(plaintext)s" | ||||
|     - key: REDIS_URI | ||||
|       value: "redis://:%(plaintext)s@discourse-redis" | ||||
| --- | ||||
| apiVersion: dragonflydb.io/v1alpha1 | ||||
| kind: Dragonfly | ||||
| metadata: | ||||
|   name: discourse-redis | ||||
|   namespace: discourse | ||||
| spec: | ||||
|   authentication: | ||||
|     passwordFromSecret: | ||||
|       key: redis-password | ||||
|       name: discourse-redis | ||||
|   replicas: 3 | ||||
|   resources: | ||||
|     limits: | ||||
|       cpu: 1000m | ||||
|       memory: 1Gi | ||||
|   topologySpreadConstraints: | ||||
|     - maxSkew: 1 | ||||
|       topologyKey: topology.kubernetes.io/zone | ||||
|       whenUnsatisfiable: DoNotSchedule | ||||
|       labelSelector: | ||||
|         matchLabels: | ||||
|           app: discourse-redis | ||||
|           app.kubernetes.io/part-of: dragonfly               | ||||
| --- | ||||
| apiVersion: postgresql.cnpg.io/v1 | ||||
| kind: Cluster | ||||
| metadata: | ||||
|   name: discourse-postgres | ||||
|   namespace: discourse | ||||
| spec: | ||||
|   instances: 1 | ||||
|   enableSuperuserAccess: true | ||||
|   bootstrap: | ||||
|     initdb: | ||||
|       database: discourse | ||||
|       owner: discourse | ||||
|       secret: | ||||
|         name: discourse-postgresql | ||||
|       dataChecksums: true | ||||
|       encoding: 'UTF8' | ||||
|   storage: | ||||
|     size: 10Gi | ||||
|     storageClass: postgres | ||||
							
								
								
									
										1
									
								
								_disabled/freeswitch/.gitignore
									
									
									
									
							| @@ -0,0 +1 @@ | ||||
| PASSWORDS.xml | ||||
							
								
								
									
										14
									
								
								_disabled/freeswitch/PASSWORDS.xml.example
									
									
									
									
									
							| @@ -0,0 +1,14 @@ | ||||
| <include> | ||||
|     <X-PRE-PROCESS cmd="set" data="default_password="> | ||||
|     <X-PRE-PROCESS cmd="set" data="ipcall_password="/> | ||||
|     <X-PRE-PROCESS cmd="set" data="1000_password="/> | ||||
|     <X-PRE-PROCESS cmd="set" data="1001_password="/> | ||||
|     <X-PRE-PROCESS cmd="set" data="1002_password="/> | ||||
|     <X-PRE-PROCESS cmd="set" data="1003_password="/> | ||||
|     <X-PRE-PROCESS cmd="set" data="1004_password="/> | ||||
|     <X-PRE-PROCESS cmd="set" data="1005_password="/> | ||||
|     <X-PRE-PROCESS cmd="set" data="1006_password="/> | ||||
|     <X-PRE-PROCESS cmd="set" data="1007_password="/> | ||||
|     <X-PRE-PROCESS cmd="set" data="1008_password="/> | ||||
|     <X-PRE-PROCESS cmd="set" data="1009_password="/> | ||||
| </include>   | ||||
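Review bot: The first entry in this template, `<X-PRE-PROCESS cmd="set" data="default_password=">`, is missing the self-closing slash that every other entry has; it should read `<X-PRE-PROCESS cmd="set" data="default_password="/>`. Because operators copy this file to the real PASSWORDS.xml (git-ignored in the sibling .gitignore hunk) and fill in values, the typo will be carried over, and an unclosed element risks the file being rejected or silently mis-parsed when vars.xml includes it, which would leave the directory's `$${NNNN_password}` references unset. A one-line header comment such as `<!-- copy to PASSWORDS.xml (git-ignored), fill in every value, and load it as the freeswitch-passwords secret; never commit the filled-in file -->` would make the intended workflow self-explanatory.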
							
								
								
									
										7
									
								
								_disabled/freeswitch/README.md
									
									
									
									
									
							| @@ -0,0 +1,7 @@ | ||||
| ``` | ||||
| kubectl -n freeswitch create secret generic freeswitch-passwords --from-file freeswitch/PASSWORDS.xml  | ||||
| ``` | ||||
|  | ||||
| PASSWORDS.xml is in git.k-space.ee/secretspace/kube:_disabled/freeswitch | ||||
|  | ||||
| freeswitch-sounds was extracted form of http://files.freeswitch.org/releases/sounds/freeswitch-sounds-en-us-callie-32000-1.0.53.tar.gz (with /us/ at root of the volume) | ||||
							
								
								
									
										567
									
								
								_disabled/freeswitch/application.yaml
									
									
									
									
									
							| @@ -0,0 +1,567 @@ | ||||
| apiVersion: v1 | ||||
| kind: Service | ||||
| metadata: | ||||
|   name: freeswitch | ||||
|   namespace: freeswitch | ||||
|   annotations: | ||||
|     external-dns.alpha.kubernetes.io/hostname: freeswitch.k-space.ee | ||||
|     metallb.universe.tf/address-pool: eenet | ||||
|     metallb.universe.tf/ip-allocated-from-pool: eenet | ||||
| spec: | ||||
|   ports: | ||||
|     - name: sip-internal-udp | ||||
|       protocol: UDP | ||||
|       port: 5060 | ||||
|       targetPort: 5060 | ||||
|       nodePort: 31787 | ||||
|     - name: sip-nat-udp | ||||
|       protocol: UDP | ||||
|       port: 5070 | ||||
|       targetPort: 5070 | ||||
|       nodePort: 32241 | ||||
|     - name: sip-external-udp | ||||
|       protocol: UDP | ||||
|       port: 5080 | ||||
|       targetPort: 5080 | ||||
|       nodePort: 31354 | ||||
|     - name: sip-data-10000 | ||||
|       protocol: UDP | ||||
|       port: 10000 | ||||
|       targetPort: 10000 | ||||
|       nodePort: 30786 | ||||
|     - name: sip-data-10001 | ||||
|       protocol: UDP | ||||
|       port: 10001 | ||||
|       targetPort: 10001 | ||||
|       nodePort: 31788 | ||||
|     - name: sip-data-10002 | ||||
|       protocol: UDP | ||||
|       port: 10002 | ||||
|       targetPort: 10002 | ||||
|       nodePort: 30247 | ||||
|     - name: sip-data-10003 | ||||
|       protocol: UDP | ||||
|       port: 10003 | ||||
|       targetPort: 10003 | ||||
|       nodePort: 32389 | ||||
|     - name: sip-data-10004 | ||||
|       protocol: UDP | ||||
|       port: 10004 | ||||
|       targetPort: 10004 | ||||
|       nodePort: 30723 | ||||
|     - name: sip-data-10005 | ||||
|       protocol: UDP | ||||
|       port: 10005 | ||||
|       targetPort: 10005 | ||||
|       nodePort: 30295 | ||||
|     - name: sip-data-10006 | ||||
|       protocol: UDP | ||||
|       port: 10006 | ||||
|       targetPort: 10006 | ||||
|       nodePort: 30782 | ||||
|     - name: sip-data-10007 | ||||
|       protocol: UDP | ||||
|       port: 10007 | ||||
|       targetPort: 10007 | ||||
|       nodePort: 32165 | ||||
|     - name: sip-data-10008 | ||||
|       protocol: UDP | ||||
|       port: 10008 | ||||
|       targetPort: 10008 | ||||
|       nodePort: 30282 | ||||
|     - name: sip-data-10009 | ||||
|       protocol: UDP | ||||
|       port: 10009 | ||||
|       targetPort: 10009 | ||||
|       nodePort: 31325 | ||||
|     - name: sip-data-10010 | ||||
|       protocol: UDP | ||||
|       port: 10010 | ||||
|       targetPort: 10010 | ||||
|       nodePort: 31234 | ||||
|   selector: | ||||
|     app: freeswitch | ||||
|   type: LoadBalancer | ||||
|   externalTrafficPolicy: Local | ||||
|   ipFamilies: | ||||
|     - IPv4 | ||||
|   ipFamilyPolicy: SingleStack | ||||
|   internalTrafficPolicy: Cluster | ||||
| --- | ||||
| apiVersion: v1 | ||||
| kind: PersistentVolumeClaim | ||||
| metadata: | ||||
|   name: freeswitch-sounds | ||||
|   namespace: freeswitch | ||||
| spec: | ||||
|   accessModes: | ||||
|     - ReadWriteMany | ||||
|   resources: | ||||
|     requests: | ||||
|       storage: 2Gi | ||||
|   storageClassName: longhorn | ||||
| --- | ||||
| apiVersion: apps/v1 | ||||
| kind: Deployment | ||||
| metadata: | ||||
|   name: freeswitch | ||||
|   namespace: freeswitch | ||||
|   labels: | ||||
|     app: freeswitch | ||||
|   annotations: | ||||
|     reloader.stakater.com/auto: "true" # reloader is disabled in cluster, (re)deploy it to use | ||||
| spec: | ||||
|   replicas: 1 | ||||
|   strategy: | ||||
|     type: Recreate | ||||
|   selector: | ||||
|     matchLabels: | ||||
|       app: freeswitch | ||||
|   template: | ||||
|     metadata: | ||||
|       labels: | ||||
|         app: freeswitch | ||||
|     spec: | ||||
|       volumes: | ||||
|         - name: config | ||||
|           configMap: | ||||
|             name: freeswitch-config | ||||
|             defaultMode: 420 | ||||
|         - name: directory | ||||
|           configMap: | ||||
|             name: freeswitch-directory | ||||
|             defaultMode: 420 | ||||
|         - name: sounds | ||||
|           persistentVolumeClaim: | ||||
|             claimName: freeswitch-sounds | ||||
|         - name: passwords | ||||
|           secret: | ||||
|             secretName: freeswitch-passwords | ||||
|       containers: | ||||
|         - name: freeswitch | ||||
|           image: mirror.gcr.io/dheaps/freeswitch:latest | ||||
|           env: | ||||
|             - name: SOUND_TYPES | ||||
|               value: en-us-callie | ||||
|             - name: SOUND_RATES | ||||
|               value: "32000" | ||||
|           resources: {} | ||||
|           volumeMounts: | ||||
|             - name: config | ||||
|               mountPath: /etc/freeswitch/sip_profiles/external/ipcall.xml | ||||
|               subPath: ipcall.xml | ||||
|             - name: config | ||||
|               mountPath: /etc/freeswitch/dialplan/default/00_outbound_ipcall.xml | ||||
|               subPath: 00_outbound_ipcall.xml | ||||
|             - name: config | ||||
|               mountPath: /etc/freeswitch/dialplan/public.xml | ||||
|               subPath: dialplan.xml   | ||||
|             - name: config | ||||
|               mountPath: /etc/freeswitch/autoload_configs/switch.conf.xml | ||||
|               subPath: switch.xml | ||||
|             - name: config | ||||
|               mountPath: /etc/freeswitch/vars.xml | ||||
|               subPath: vars.xml | ||||
|             - name: passwords | ||||
|               mountPath: /etc/freeswitch/PASSWORDS.xml   | ||||
|               subPath: PASSWORDS.xml | ||||
|             - name: directory | ||||
|               mountPath: /etc/freeswitch/directory/default | ||||
|             - name: sounds | ||||
|               mountPath: /usr/share/freeswitch/sounds | ||||
| --- | ||||
| apiVersion: v1 | ||||
| kind: ConfigMap | ||||
| metadata: | ||||
|   name: freeswitch-config | ||||
|   namespace: freeswitch | ||||
| data:  | ||||
|   dialplan.xml: | | ||||
|     <!-- | ||||
|     NOTICE: | ||||
|  | ||||
|     This context is usually accessed via the external sip profile listening on port 5080. | ||||
|      | ||||
|     It is recommended to have separate inbound and outbound contexts.  Not only for security | ||||
|     but clearing up why you would need to do such a thing.  You don't want outside un-authenticated | ||||
|     callers hitting your default context which allows dialing calls thru your providers and results  | ||||
|     in Toll Fraud. | ||||
|     --> | ||||
|  | ||||
|     <!-- http://wiki.freeswitch.org/wiki/Dialplan_XML --> | ||||
|     <include> | ||||
|       <context name="public"> | ||||
|  | ||||
|         <extension name="unloop"> | ||||
|           <condition field="${unroll_loops}" expression="^true$"/> | ||||
|           <condition field="${sip_looped_call}" expression="^true$"> | ||||
|             <action application="deflect" data="${destination_number}"/> | ||||
|           </condition> | ||||
|         </extension> | ||||
|         <!-- | ||||
|             Tag anything pass thru here as an outside_call so you can make sure not | ||||
|             to create any routing loops based on the conditions that it came from  | ||||
|             the outside of the switch.   | ||||
|         --> | ||||
|         <extension name="outside_call" continue="true"> | ||||
|           <condition> | ||||
|             <action application="set" data="outside_call=true"/> | ||||
|             <action application="export" data="RFC2822_DATE=${strftime(%a, %d %b %Y %T %z)}"/> | ||||
|           </condition> | ||||
|         </extension> | ||||
|  | ||||
|         <extension name="call_debug" continue="true"> | ||||
|           <condition field="${call_debug}" expression="^true$" break="never"> | ||||
|             <action application="info"/> | ||||
|           </condition> | ||||
|         </extension> | ||||
|  | ||||
|         <extension name="public_extensions"> | ||||
|           <condition field="destination_number" expression="^(10[01][0-9])$"> | ||||
|             <action application="transfer" data="$1 XML default"/> | ||||
|           </condition> | ||||
|         </extension> | ||||
|  | ||||
|         <extension name="public_conference_extensions"> | ||||
|           <condition field="destination_number" expression="^(3[5-8][01][0-9])$"> | ||||
|             <action application="transfer" data="$1 XML default"/> | ||||
|           </condition> | ||||
|         </extension> | ||||
|          | ||||
|         <!-- | ||||
|             You can place files in the public directory to get included. | ||||
|         --> | ||||
|         <X-PRE-PROCESS cmd="include" data="public/*.xml"/> | ||||
|         <!-- | ||||
|             If you have made it this far lets challenge the caller and if they authenticate | ||||
|             lets try what they dialed in the default context. (commented out by default) | ||||
|         --> | ||||
|         <!-- TODO: | ||||
|         <extension name="check_auth" continue="true"> | ||||
|           <condition field="${sip_authorized}" expression="^true$" break="never"> | ||||
|             <anti-action application="respond" data="407"/> | ||||
|           </condition> | ||||
|         </extension> | ||||
|         --> | ||||
|         <extension name="transfer_to_default"> | ||||
|           <condition> | ||||
|             <!-- TODO: proper ring grouping --> | ||||
|             <action application="bridge" data="user/1004@freeswitch.k-space.ee,user/1003@freeswitch.k-space.ee,sofia/gateway/ipcall/53543824"/> | ||||
|           </condition> | ||||
|         </extension> | ||||
|       </context> | ||||
|     </include> | ||||
|   ipcall.xml: | | ||||
|     <include>     | ||||
|       <gateway name="ipcall"> | ||||
|         <param name="proxy" value="sip.ipcall.ee"/> | ||||
|         <param name="register" value="true"/> | ||||
|         <param name="realm" value="sip.ipcall.ee"/> | ||||
|         <param name="username" value="6659652"/> | ||||
|         <param name="password" value="$${ipcall_password}"/> | ||||
|         <param name="from-user" value="6659652"/> | ||||
|         <param name="from-domain" value="sip.ipcall.ee"/> | ||||
|         <param name="extension" value="ring_group/default"/> | ||||
|       </gateway> | ||||
|     </include> | ||||
|   00_outbound_ipcall.xml: | | ||||
|     <extension name="outbound"> | ||||
|       <!-- TODO: check toll_allow ? --> | ||||
|       <condition field="destination_number" expression="^(\d+)$"> | ||||
|         <action application="set" data="sip_invite_domain=sip.ipcall.ee"/> | ||||
|         <action application="bridge" data="sofia/gateway/ipcall/${destination_number}"/> | ||||
|       </condition> | ||||
|     </extension>       | ||||
|   switch.xml: | | ||||
|     <configuration name="switch.conf" description="Core Configuration"> | ||||
|       <cli-keybindings> | ||||
|         <key name="1" value="help"/> | ||||
|         <key name="2" value="status"/> | ||||
|         <key name="3" value="show channels"/> | ||||
|         <key name="4" value="show calls"/> | ||||
|         <key name="5" value="sofia status"/> | ||||
|         <key name="6" value="reloadxml"/> | ||||
|         <key name="7" value="console loglevel 0"/> | ||||
|         <key name="8" value="console loglevel 7"/> | ||||
|         <key name="9" value="sofia status profile internal"/> | ||||
|         <key name="10" value="sofia profile internal siptrace on"/> | ||||
|         <key name="11" value="sofia profile internal siptrace off"/> | ||||
|         <key name="12" value="version"/> | ||||
|       </cli-keybindings> | ||||
|       <default-ptimes> | ||||
|       </default-ptimes> | ||||
|       <settings> | ||||
|         <param name="colorize-console" value="true"/> | ||||
|         <param name="dialplan-timestamps" value="false"/> | ||||
|         <param name="max-db-handles" value="50"/> | ||||
|         <param name="db-handle-timeout" value="10"/> | ||||
|         <param name="max-sessions" value="1000"/> | ||||
|         <param name="sessions-per-second" value="30"/> | ||||
|         <param name="loglevel" value="debug"/> | ||||
|         <param name="mailer-app" value="sendmail"/> | ||||
|         <param name="mailer-app-args" value="-t"/> | ||||
|         <param name="dump-cores" value="yes"/> | ||||
|         <param name="rtp-start-port" value="10000"/> | ||||
|         <param name="rtp-end-port" value="10010"/> | ||||
|       </settings> | ||||
|     </configuration>   | ||||
|   vars.xml: | | ||||
|     <include> | ||||
|       <X-PRE-PROCESS cmd="set" data="disable_system_api_commands=true"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="sound_prefix=$${sounds_dir}/en/us/callie"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="domain=freeswitch.k-space.ee"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="domain_name=$${domain}"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="hold_music=local_stream://moh"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="use_profile=external"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="rtp_sdes_suites=AEAD_AES_256_GCM_8|AEAD_AES_128_GCM_8|AES_CM_256_HMAC_SHA1_80|AES_CM_192_HMAC_SHA1_80|AES_CM_128_HMAC_SHA1_80|AES_CM_256_HMAC_SHA1_32|AES_CM_192_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_32|AES_CM_128_NULL_AUTH"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="global_codec_prefs=OPUS,G722,PCMU,PCMA,H264,VP8"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="outbound_codec_prefs=OPUS,G722,PCMU,PCMA,H264,VP8"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="xmpp_client_profile=xmppc"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="xmpp_server_profile=xmpps"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="bind_server_ip=auto"/> | ||||
|       <X-PRE-PROCESS cmd="stun-set" data="external_rtp_ip=host:freeswitch.k-space.ee"/> | ||||
|       <X-PRE-PROCESS cmd="stun-set" data="external_sip_ip=host:freeswitch.k-space.ee"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="unroll_loops=true"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="outbound_caller_name=FreeSWITCH"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="outbound_caller_id=0000000000"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="call_debug=false"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="console_loglevel=info"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="default_areacode=372"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="default_country=EE"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="presence_privacy=false"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="au-ring=%(400,200,383,417);%(400,2000,383,417)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="be-ring=%(1000,3000,425)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="ca-ring=%(2000,4000,440,480)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="cn-ring=%(1000,4000,450)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="cy-ring=%(1500,3000,425)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="cz-ring=%(1000,4000,425)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="de-ring=%(1000,4000,425)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="dk-ring=%(1000,4000,425)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="dz-ring=%(1500,3500,425)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="eg-ring=%(2000,1000,475,375)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="es-ring=%(1500,3000,425)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="fi-ring=%(1000,4000,425)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="fr-ring=%(1500,3500,440)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="hk-ring=%(400,200,440,480);%(400,3000,440,480)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="hu-ring=%(1250,3750,425)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="il-ring=%(1000,3000,400)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="in-ring=%(400,200,425,375);%(400,2000,425,375)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="jp-ring=%(1000,2000,420,380)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="ko-ring=%(1000,2000,440,480)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="pk-ring=%(1000,2000,400)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="pl-ring=%(1000,4000,425)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="ro-ring=%(1850,4150,475,425)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="rs-ring=%(1000,4000,425)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="ru-ring=%(800,3200,425)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="sa-ring=%(1200,4600,425)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="tr-ring=%(2000,4000,450)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="uk-ring=%(400,200,400,450);%(400,2000,400,450)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="us-ring=%(2000,4000,440,480)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="bong-ring=v=-7;%(100,0,941.0,1477.0);v=-7;>=2;+=.1;%(1400,0,350,440)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="beep=%(1000,0,640)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="sit=%(274,0,913.8);%(274,0,1370.6);%(380,0,1776.7)"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="df_us_ssn=(?!219099999|078051120)(?!666|000|9\d{2})\d{3}(?!00)\d{2}(?!0{4})\d{4}"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="df_luhn=?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11}"/> | ||||
|       <XX-PRE-PROCESS cmd="set" data="digits_dialed_filter=(($${df_luhn})|($${df_us_ssn}))"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="default_provider=sip.ipcall.ee"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="default_provider_username="/> | ||||
|       <X-PRE-PROCESS cmd="set" data="default_provider_password="/> | ||||
|       <X-PRE-PROCESS cmd="set" data="default_provider_from_domain=sip.ipcall.ee"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="default_provider_register=true"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="default_provider_contact=1004"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="sip_tls_version=tlsv1,tlsv1.1,tlsv1.2"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="sip_tls_ciphers=ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="internal_auth_calls=true"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="internal_sip_port=5060"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="internal_tls_port=5061"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="internal_ssl_enable=false"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="external_auth_calls=false"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="external_sip_port=5080"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="external_tls_port=5081"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="external_ssl_enable=false"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="rtp_video_max_bandwidth_in=3mb"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="rtp_video_max_bandwidth_out=3mb"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="suppress_cng=true"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="rtp_liberal_dtmf=true"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="video_mute_png=$${images_dir}/default-mute.png"/> | ||||
|       <X-PRE-PROCESS cmd="set" data="video_no_avatar_png=$${images_dir}/default-avatar.png"/> | ||||
|       <X-PRE-PROCESS cmd="include" data="PASSWORDS.xml"/> | ||||
|     </include>   | ||||
| --- | ||||
| apiVersion: v1 | ||||
| kind: ConfigMap | ||||
| metadata: | ||||
|   name: freeswitch-directory | ||||
|   namespace: freeswitch | ||||
| data: | ||||
|   1000.xml: | | ||||
|     <include> | ||||
|       <user id="1000"> | ||||
|         <params> | ||||
|           <param name="password" value="$${1000_password}"/> | ||||
|         </params> | ||||
|         <variables> | ||||
|           <variable name="toll_allow" value="domestic,local"/> | ||||
|           <variable name="accountcode" value="1000"/> | ||||
|           <variable name="user_context" value="default"/> | ||||
|           <variable name="effective_caller_id_name" value=""/> | ||||
|           <variable name="effective_caller_id_number" value="1000"/> | ||||
|           <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/> | ||||
|           <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/> | ||||
|         </variables> | ||||
|       </user> | ||||
|     </include> | ||||
|   1001.xml: | | ||||
|     <include> | ||||
|       <user id="1001"> | ||||
|         <params> | ||||
|           <param name="password" value="$${1001_password}"/> | ||||
|         </params> | ||||
|         <variables> | ||||
|           <variable name="toll_allow" value="domestic,local"/> | ||||
|           <variable name="accountcode" value="1001"/> | ||||
|           <variable name="user_context" value="default"/> | ||||
|           <variable name="effective_caller_id_name" value=""/> | ||||
|           <variable name="effective_caller_id_number" value="1001"/> | ||||
|           <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/> | ||||
|           <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/> | ||||
|         </variables> | ||||
|       </user> | ||||
|     </include> | ||||
|   1002.xml: | | ||||
|     <include> | ||||
|       <user id="1002"> | ||||
|         <params> | ||||
|           <param name="password" value="$${1002_password}"/> | ||||
|         </params> | ||||
|         <variables> | ||||
|           <variable name="toll_allow" value="domestic,local"/> | ||||
|           <variable name="accountcode" value="1002"/> | ||||
|           <variable name="user_context" value="default"/> | ||||
|           <variable name="effective_caller_id_name" value=""/> | ||||
|           <variable name="effective_caller_id_number" value="1002"/> | ||||
|           <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/> | ||||
|           <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/> | ||||
|         </variables> | ||||
|       </user> | ||||
|     </include>         | ||||
|   1003.xml: | | ||||
|     <include> | ||||
|       <user id="1003"> | ||||
|         <params> | ||||
|           <param name="password" value="$${1003_password}"/> | ||||
|         </params> | ||||
|         <variables> | ||||
|           <variable name="toll_allow" value="domestic,local"/> | ||||
|           <variable name="accountcode" value="1003"/> | ||||
|           <variable name="user_context" value="default"/> | ||||
|           <variable name="effective_caller_id_name" value="Erki A"/> | ||||
|           <variable name="effective_caller_id_number" value="1003"/> | ||||
|           <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/> | ||||
|           <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/> | ||||
|         </variables> | ||||
|       </user> | ||||
|     </include> | ||||
|   1004.xml: | | ||||
|     <include> | ||||
|       <user id="1004"> | ||||
|         <params> | ||||
|           <param name="password" value="$${1004_password}"/> | ||||
|         </params> | ||||
|         <variables> | ||||
|           <variable name="toll_allow" value="domestic,local"/> | ||||
|           <variable name="accountcode" value="1004"/> | ||||
|           <variable name="user_context" value="default"/> | ||||
|           <variable name="effective_caller_id_name" value="Erki A"/> | ||||
|           <variable name="effective_caller_id_number" value="1004"/> | ||||
|           <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/> | ||||
|           <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/> | ||||
|         </variables>           | ||||
|       </user> | ||||
|     </include>     | ||||
|   1005.xml: | | ||||
|     <include> | ||||
|       <user id="1005"> | ||||
|         <params> | ||||
|           <param name="password" value="$${1005_password}"/> | ||||
|         </params> | ||||
|         <variables> | ||||
|           <variable name="toll_allow" value="domestic,local"/> | ||||
|           <variable name="accountcode" value="1005"/> | ||||
|           <variable name="user_context" value="default"/> | ||||
|           <variable name="effective_caller_id_name" value=""/> | ||||
|           <variable name="effective_caller_id_number" value="1005"/> | ||||
|           <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/> | ||||
|           <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/> | ||||
|         </variables>           | ||||
|       </user> | ||||
|     </include>     | ||||
|   1006.xml: | | ||||
|     <include> | ||||
|       <user id="1006"> | ||||
|         <params> | ||||
|           <param name="password" value="$${1006_password}"/> | ||||
|         </params> | ||||
|         <variables> | ||||
|           <variable name="toll_allow" value="domestic,local"/> | ||||
|           <variable name="accountcode" value="1006"/> | ||||
|           <variable name="user_context" value="default"/> | ||||
|           <variable name="effective_caller_id_name" value=""/> | ||||
|           <variable name="effective_caller_id_number" value="1006"/> | ||||
|           <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/> | ||||
|           <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/> | ||||
|         </variables>           | ||||
|       </user> | ||||
|     </include>           | ||||
|   1007.xml: | | ||||
|     <include> | ||||
|       <user id="1007"> | ||||
|         <params> | ||||
|           <param name="password" value="$${1007_password}"/> | ||||
|         </params> | ||||
|         <variables> | ||||
|           <variable name="toll_allow" value="domestic,local"/> | ||||
|           <variable name="accountcode" value="1007"/> | ||||
|           <variable name="user_context" value="default"/> | ||||
|           <variable name="effective_caller_id_name" value=""/> | ||||
|           <variable name="effective_caller_id_number" value="1007"/> | ||||
|           <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/> | ||||
|           <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/> | ||||
|         </variables>           | ||||
|       </user> | ||||
|     </include>         | ||||
|   1008.xml: | | ||||
|     <include> | ||||
|       <user id="1008"> | ||||
|         <params> | ||||
|           <param name="password" value="$${1008_password}"/> | ||||
|         </params> | ||||
|         <variables> | ||||
|           <variable name="toll_allow" value="domestic,local"/> | ||||
|           <variable name="accountcode" value="1008"/> | ||||
|           <variable name="user_context" value="default"/> | ||||
|           <variable name="effective_caller_id_name" value=""/> | ||||
|           <variable name="effective_caller_id_number" value="1008"/> | ||||
|           <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/> | ||||
|           <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/> | ||||
|         </variables>           | ||||
|       </user> | ||||
|     </include>         | ||||
|   1009.xml: | | ||||
|     <include> | ||||
|       <user id="1009"> | ||||
|         <params> | ||||
|           <param name="password" value="$${1009_password}"/> | ||||
|         </params> | ||||
|         <variables> | ||||
|           <variable name="toll_allow" value="domestic,local"/> | ||||
|           <variable name="accountcode" value="1009"/> | ||||
|           <variable name="user_context" value="default"/> | ||||
|           <variable name="effective_caller_id_name" value=""/> | ||||
|           <variable name="effective_caller_id_number" value="1009"/> | ||||
|           <variable name="outbound_caller_id_name" value="$${outbound_caller_name}"/> | ||||
|           <variable name="outbound_caller_id_number" value="$${outbound_caller_id}"/> | ||||
|         </variables>           | ||||
|       </user> | ||||
|     </include>         | ||||
|    | ||||
							
								
								
									
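--- a/_disabled/freeswitch/network-policies.yml
+++ b/_disabled/freeswitch/network-policies.yml
@@ -0,0 +1,49 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: freeswitch
+spec:
+  podSelector:
+    matchLabels:
+      app: freeswitch
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: monitoring
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: prometheus
+    - from:
+        - ipBlock:
+            cidr: 100.101.0.0/16
+    - from:
+        - ipBlock:
+            cidr: 100.102.0.0/16
+    - from:
+        - ipBlock:
+            cidr: 81.90.125.224/32 # Lauri home
+    - from:
+        - ipBlock:
+            cidr: 172.20.8.241/32 # Erki A
+    - from:
+        - ipBlock:
+            cidr: 212.47.211.10/32 # Elisa SIP
+    - from:
+        - ipBlock:
+            cidr: 212.47.211.10/32 # Elisa SIP
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 212.47.211.10/32  # Elisa SIP
+    - to:
+        - ipBlock:
+            cidr: 195.222.16.38/32  # Elisa SIP
+    - to:
+      ports:
+        - port: 53
+          protocol: UDP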
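Review bot: The final egress rule has nothing under `to:` (it is `- to:` followed directly by `ports:`), so UDP/53 is permitted to any destination inside or outside the cluster rather than only to the resolver; the rule should name the kube-dns pods, as in the excerpt below (adjust the namespace and `k8s-app` label to whatever this cluster's resolver actually carries, and add TCP/53 if large responses are expected). The ingress rule for `212.47.211.10/32` appears twice (the last two `from:` entries); the duplicate is harmless but should be dropped. None of the ingress or egress rules carry `ports:`, so each listed source reaches every port on the pod and the provider addresses are reachable on any port — if the intent is SIP plus the RTP range only, constrain them; otherwise add a comment such as `# ports deliberately unrestricted: SIP signalling plus dynamic RTP range` so the next reader does not tighten it by accident. The policy also has no `metadata.namespace`, so it lands wherever it is applied, which is presumably intentional for a kustomize-driven layout but worth stating in a comment.
```yaml
  egress:
    # … unchanged: the two Elisa SIP ipBlock entries …
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
```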
| @@ -62,7 +62,7 @@ spec: | ||||
|       serviceAccountName: local-path-provisioner-service-account | ||||
|       containers: | ||||
|         - name: local-path-provisioner | ||||
|           image: rancher/local-path-provisioner:v0.0.22 | ||||
|           image: mirror.gcr.io/rancher/local-path-provisioner:v0.0.22 | ||||
|           imagePullPolicy: IfNotPresent | ||||
|           command: | ||||
|             - local-path-provisioner | ||||
| @@ -151,7 +151,7 @@ data: | ||||
|     spec: | ||||
|       containers: | ||||
|       - name: helper-pod | ||||
|         image: busybox | ||||
|         image: mirror.gcr.io/library/busybox | ||||
|         imagePullPolicy: IfNotPresent | ||||
| 
 | ||||
| 
 | ||||
| @@ -1,5 +1,7 @@ | ||||
| # Logging infrastructure | ||||
| 
 | ||||
| Note: This is deprecated since we moved to [Logmower stack](https://github.com/logmower) | ||||
| 
 | ||||
| ## Background | ||||
| 
 | ||||
| Fluent Bit picks up the logs from Kubernetes workers and sends them to Graylog | ||||
							
								
								
									
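--- a/_disabled/mongodb-operator/README.md
+++ b/_disabled/mongodb-operator/README.md
@@ -0,0 +1,21 @@
+# MongoDB Community Kubernetes Operator
+
+## Derployment
+
+With ArgoCD. Render it locally:
+
+```sh
+kustomize build . --enable-helm
+```
+
+# Instantiating databases
+For each application include mongodb-netpol.yaml and kustomization in resources:
+```yaml
+resources:
+ - https://git.k-space.ee/k-space/kube//mongodb-operator/mongodb-netpol.yaml
+ - https://github.com/mongodb/mongodb-kubernetes-operator//config/rbac/?ref=v0.13.0
+```
+
+```
+kubectl create secret generic -n <application> mongodb-application-user-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
+```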
							
								
								
									
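--- a/_disabled/mongodb-operator/kustomization.yaml
+++ b/_disabled/mongodb-operator/kustomization.yaml
@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: mongodb-operator
+
+# spec: https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_
+helmCharts:
+- includeCRDs: true
+  name: &name community-operator
+  releaseName: *name
+  repo: https://mongodb.github.io/helm-charts
+  valuesFile: values.yaml
+  version: 0.13.0 # helm search repo mongodb/community-operator --versions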
							
								
								
									
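--- a/_disabled/mongodb-operator/mongodb-netpol.yml
+++ b/_disabled/mongodb-operator/mongodb-netpol.yml
@@ -0,0 +1,25 @@
+# Allow any pod in this namespace to connect to MongoDB and
+# allow cluster members to talk to eachother
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: mongodb-operator
+spec:
+  podSelector:
+    matchLabels:
+      app: mongodb-svc
+  policyTypes:
+  - Ingress
+  - Egress
+  ingress:
+    - from:
+      - podSelector: {}
+      ports:
+      - port: 27017
+  egress:
+    - to:
+      - podSelector:
+          matchLabels:
+            app: mongodb-svc
+      ports:
+      - port: 27017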
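Review bot: The egress section allows only port 27017 to other `app: mongodb-svc` pods, so with `Egress` listed in `policyTypes` the database pods get no DNS at all; if replica-set members address each other by service hostname (which the `mongodb-svc` naming suggests but this file does not show), name resolution between them fails as soon as the policy is enforced, so an egress entry for port 53 to the cluster resolver is needed, as in the excerpt below (adjust the namespace and label to the resolver this cluster runs). The README added in the same commit lists the resource as `mongodb-netpol.yaml`, whereas this file is `mongodb-netpol.yml`, so the kustomize resource reference it documents will not resolve; one of the two names should change. The ingress rule admits every pod in the namespace (`podSelector: {}`) on 27017, which matches the header comment; adding `protocol: TCP` to both port entries would make the intent explicit rather than relying on the default.
```yaml
  egress:
    # … unchanged: peer 27017 entry …
    - to:
      - namespaceSelector:
          matchLabels:
            kubernetes.io/metadata.name: kube-system
        podSelector:
          matchLabels:
            k8s-app: kube-dns
      ports:
      - port: 53
        protocol: UDP
```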
							
								
								
									
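--- a/_disabled/mysql-clusters/README.md
+++ b/_disabled/mysql-clusters/README.md
@@ -0,0 +1,10 @@
+# MariaDB clusters
+
+This is namespace for MariaDB clusters managed by Codemowers' sample
+[mysql-database-operator](https://github.com/codemowers/operatorlib/tree/main/samples/mysql-database-operator)
+which is deployed via [ArgoCD](https://argocd.k-space.ee/applications/argocd/mysql-database-operator)
+
+```
+kubectl create namespace mysql-clusters
+kubectl apply -n mysql-clusters -f application.yaml
+```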
							
								
								
									
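--- a/_disabled/mysql-clusters/dedicated.yaml
+++ b/_disabled/mysql-clusters/dedicated.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: MysqlDatabaseClass
+metadata:
+  name: dedicated
+  annotations:
+    kubernetes.io/description: "Dedicated MySQL cluster"
+spec:
+  reclaimPolicy: Retain
+  replicas: 3
+  routers: 2
+  storageClass: mysql
+  podSpec:
+    containers:
+      - name: mariadb
+        image: mirror.gcr.io/library/mariadb:10.9.7@sha256:198c7a5fea3d7285762042a628fe8f83f0a7ccef559605b4cc9502e65210880b
+        imagePullPolicy: IfNotPresent
+    nodeSelector:
+      dedicated: storage
+    tolerations:
+      - effect: NoSchedule
+        key: dedicated
+        operator: Equal
+        value: storage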
							
								
								
									
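--- a/_disabled/mysql-clusters/external.yaml
+++ b/_disabled/mysql-clusters/external.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: MysqlDatabaseClass
+metadata:
+  name: external
+  annotations:
+    kubernetes.io/description: "External MySQL cluster"
+spec:
+  reclaimPolicy: Retain
+  shared: true
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: primary-external
+spec:
+  clusterIP: None
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: external
+spec:
+  clusterIP: None
+---
+kind: Endpoints
+apiVersion: v1
+metadata:
+  name: primary-external
+subsets:
+  - addresses:
+      - ip: 172.20.36.1
+---
+kind: Endpoints
+apiVersion: v1
+metadata:
+  name: external
+subsets:
+  - addresses:
+      - ip: 172.20.36.1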
| @@ -1,9 +1,21 @@ | ||||
| --- | ||||
| apiVersion: v1 | ||||
| kind: ConfigMap | ||||
| metadata: | ||||
|   name: phpmyadmin | ||||
|   namespace: mysql-clusters | ||||
| data: | ||||
|   config.user.inc.php: | | ||||
|     <?php | ||||
|     for ($i = 1; isset($hosts[$i - 1]); $i++) { | ||||
|       $cfg['Servers'][$i]['ssl'] = true; | ||||
|     } | ||||
| --- | ||||
| apiVersion: apps/v1 | ||||
| kind: Deployment | ||||
| metadata: | ||||
|   name: phpmyadmin | ||||
|   labels: | ||||
|     app: phpmyadmin | ||||
|   namespace: mysql-clusters | ||||
| spec: | ||||
|   # phpMyAdmin session handling is not really compatible with more replicas | ||||
|   replicas: 1 | ||||
| @@ -17,34 +29,56 @@ spec: | ||||
|     spec: | ||||
|       containers: | ||||
|         - name: phpmyadmin | ||||
|           image: phpmyadmin/phpmyadmin | ||||
|           image: mirror.gcr.io/phpmyadmin/phpmyadmin | ||||
|           ports: | ||||
|             - name: web | ||||
|               containerPort: 80 | ||||
|               protocol: TCP | ||||
|           env: | ||||
|             - name: PMA_ARBITRARY | ||||
|               value: "1" | ||||
|             - name: PMA_HOSTS | ||||
|               value: mysql-cluster.authelia,mysql-cluster.etherpad,mariadb.authelia,mariadb.nextcloud,172.20.36.1 | ||||
|               valueFrom: | ||||
|                 configMapKeyRef: | ||||
|                   name: phpmyadmin-connections | ||||
|                   key: PMA_HOSTS | ||||
|             - name: PMA_PORTS | ||||
|               value: 6446,6446,3306,3306,3306 | ||||
|               valueFrom: | ||||
|                 configMapKeyRef: | ||||
|                   name: phpmyadmin-connections | ||||
|                   key: PMA_HOSTS | ||||
|             - name: PMA_ABSOLUTE_URI | ||||
|               value: https://phpmyadmin.k-space.ee/ | ||||
|             - name: UPLOAD_LIMIT | ||||
|               value: 10G | ||||
|       volumes: | ||||
|         - name: config | ||||
|           configMap: | ||||
|             name: phpmyadmin | ||||
| --- | ||||
| apiVersion: codemowers.cloud/v1beta1 | ||||
| kind: OIDCMiddlewareClient | ||||
| metadata: | ||||
|   name: phpmyadmin | ||||
| spec: | ||||
|   displayName: phpMyAdmin | ||||
|   uri: 'https://phpmyadmin.k-space.ee' | ||||
|   headerMapping: | ||||
|     email: Remote-Email | ||||
|     groups: Remote-Groups | ||||
|     name: Remote-Name | ||||
|     user: Remote-Username | ||||
|   allowedGroups: | ||||
|     - k-space:floor | ||||
| --- | ||||
| apiVersion: networking.k8s.io/v1 | ||||
| kind: Ingress | ||||
| metadata: | ||||
|   name: phpmyadmin | ||||
|   namespace: mysql-clusters | ||||
|   annotations: | ||||
|     kubernetes.io/ingress.class: traefik | ||||
|     cert-manager.io/cluster-issuer: default | ||||
|     traefik.ingress.kubernetes.io/router.entrypoints: websecure | ||||
|     traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd | ||||
|     traefik.ingress.kubernetes.io/router.tls: "true" | ||||
|     external-dns.alpha.kubernetes.io/target: traefik.k-space.ee | ||||
|     traefik.ingress.kubernetes.io/router.middlewares: mysql-clusters-phpmyadmin@kubernetescrd | ||||
| spec: | ||||
|   rules: | ||||
|   - host: phpmyadmin.k-space.ee | ||||
| @@ -59,15 +93,13 @@ spec: | ||||
|               number: 80 | ||||
|   tls: | ||||
|   - hosts: | ||||
|     - phpmyadmin.k-space.ee | ||||
|     secretName: phpmyadmin-tls | ||||
|     - "*.k-space.ee" | ||||
| --- | ||||
| apiVersion: v1 | ||||
| kind: Service | ||||
| metadata: | ||||
|   name: phpmyadmin | ||||
|   labels: | ||||
|     app: phpmyadmin | ||||
|   namespace: mysql-clusters | ||||
| spec: | ||||
|   selector: | ||||
|     app: phpmyadmin | ||||
| @@ -75,36 +107,3 @@ spec: | ||||
|   - protocol: TCP | ||||
|     port: 80 | ||||
|     targetPort: 80 | ||||
| --- | ||||
| apiVersion: networking.k8s.io/v1 | ||||
| kind: NetworkPolicy | ||||
| metadata: | ||||
|   name: phpmyadmin | ||||
| spec: | ||||
|   podSelector: | ||||
|     matchLabels: | ||||
|       app: phpmyadmin | ||||
|   policyTypes: | ||||
|   - Ingress | ||||
|   - Egress | ||||
|   ingress: | ||||
|     - from: | ||||
|         - namespaceSelector: | ||||
|             matchLabels: | ||||
|               kubernetes.io/metadata.name: traefik | ||||
|       ports: | ||||
|         - protocol: TCP | ||||
|           port: 80 | ||||
|   egress: | ||||
|   - # Allow connecting to MySQL instance in any namespace | ||||
|     to: | ||||
|     - namespaceSelector: {} | ||||
|     ports: | ||||
|     - port: 6446 | ||||
|   - # Allow connecting to any MySQL instance outside the cluster | ||||
|     to: | ||||
|     - ipBlock: | ||||
|         cidr: 0.0.0.0/0 | ||||
|     ports: | ||||
|     - protocol: TCP | ||||
|       port: 3306 | ||||
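Review bot: The `PMA_PORTS` env entry reads `key: PMA_HOSTS` from the `phpmyadmin-connections` ConfigMap, a copy-paste slip from the entry above it, so the port list becomes the host list; it should be `key: PMA_PORTS`. The new `phpmyadmin` ConfigMap that forces `$cfg['Servers'][$i]['ssl'] = true` is declared as a pod volume named `config`, but the container has no `volumeMounts`, so the file is never placed where phpMyAdmin reads it and the TLS enforcement it was added for never takes effect; mount it at the image's documented `config.user.inc.php` location, as in the excerpt below. The NetworkPolicy deleted at the end of this section was what confined the pod's ingress to traefik and its egress to MySQL ports (6446 in-cluster, 3306 anywhere); with `PMA_ARBITRARY=1` letting any authenticated user type in an arbitrary host, and no replacement policy visible in this commit, the pod becomes a general network pivot for everyone in `k-space:floor`, so the egress restriction should be restored unless an equivalent policy exists elsewhere.
```yaml
            - name: PMA_PORTS
              valueFrom:
                configMapKeyRef:
                  name: phpmyadmin-connections
                  key: PMA_PORTS
            # … unchanged: PMA_ABSOLUTE_URI, UPLOAD_LIMIT …
          volumeMounts:
            - name: config
              mountPath: /etc/phpmyadmin/config.user.inc.php
              subPath: config.user.inc.php
      # … unchanged: volumes …
```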
							
								
								
									
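--- a/_disabled/mysql-clusters/shared.yaml
+++ b/_disabled/mysql-clusters/shared.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: MysqlDatabaseClass
+metadata:
+  name: shared
+  annotations:
+    kubernetes.io/description: "Shared MySQL cluster"
+spec:
+  reclaimPolicy: Retain
+  shared: true
+  replicas: 3
+  routers: 2
+  storageClass: mysql
+  podSpec:
+    containers:
+      - name: mariadb
+        image: mirror.gcr.io/library/mariadb:10.9.7@sha256:198c7a5fea3d7285762042a628fe8f83f0a7ccef559605b4cc9502e65210880b
+        imagePullPolicy: IfNotPresent
+    nodeSelector:
+      dedicated: storage
+    tolerations:
+      - effect: NoSchedule
+        key: dedicated
+        operator: Equal
+        value: storage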
							
								
								
									
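--- a/_disabled/mysql-clusters/storageclass.yaml
+++ b/_disabled/mysql-clusters/storageclass.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: mysql
+  annotations:
+    kubernetes.io/description: |
+      Storage class for MySQL, MariaDB and similar applications that
+      implement high availability in application layer.
+      This storage class uses XFS, has no block level redundancy and
+      has block device level caching disabled.
+provisioner: csi.proxmox.sinextra.dev
+reclaimPolicy: Retain
+volumeBindingMode: WaitForFirstConsumer
+allowVolumeExpansion: true
+parameters:
+  csi.storage.k8s.io/fstype: xfs
+  storage: ks-pvs
+  cache: none
+  ssd: "true"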
							
								
								
									
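--- a/_disabled/openebs/README.md
+++ b/_disabled/openebs/README.md
@@ -0,0 +1,20 @@
+# XFS hostpath based local PV-s
+
+```
+wget https://openebs.github.io/charts/openebs-operator-lite.yaml
+kubectl apply -f openebs-operator-lite.yaml -f storage-class.yaml
+
+```
+
+# Raw file based local PV-s
+
+### TO BE DEPRECATED
+
+The manifests were rendered using Helm template from https://github.com/openebs/rawfile-localpv
+and subsequently modified
+
+```
+kubectl create namespace openebs
+kubectl apply -n openebs -f rawfile.yaml
+```
+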
							
								
								
									
										937
									
								
								_disabled/openebs/openebs-operator-lite.yaml
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
							| @@ -0,0 +1,937 @@ | ||||
| # This manifest deploys the OpenEBS control plane components, with associated CRs & RBAC rules | ||||
| # NOTE: On GKE, deploy the openebs-operator.yaml in admin context | ||||
|  | ||||
| # Create the OpenEBS namespace | ||||
| apiVersion: v1 | ||||
| kind: Namespace | ||||
| metadata: | ||||
|   name: openebs | ||||
| --- | ||||
| # Create Maya Service Account | ||||
| apiVersion: v1 | ||||
| kind: ServiceAccount | ||||
| metadata: | ||||
|   name: openebs-maya-operator | ||||
|   namespace: openebs | ||||
| --- | ||||
| # Define Role that allows operations on K8s pods/deployments | ||||
| kind: ClusterRole | ||||
| apiVersion: rbac.authorization.k8s.io/v1 | ||||
| metadata: | ||||
|   name: openebs-maya-operator | ||||
| rules: | ||||
| - apiGroups: ["*"] | ||||
|   resources: ["nodes", "nodes/proxy"] | ||||
|   verbs: ["*"] | ||||
| - apiGroups: ["*"] | ||||
|   resources: ["namespaces", "services", "pods", "pods/exec", "deployments", "deployments/finalizers", "replicationcontrollers", "replicasets", "events", "endpoints", "configmaps", "secrets", "jobs", "cronjobs"] | ||||
|   verbs: ["*"] | ||||
| - apiGroups: ["*"] | ||||
|   resources: ["statefulsets", "daemonsets"] | ||||
|   verbs: ["*"] | ||||
| - apiGroups: ["*"] | ||||
|   resources: ["resourcequotas", "limitranges"] | ||||
|   verbs: ["list", "watch"] | ||||
| - apiGroups: ["*"] | ||||
|   resources: ["ingresses", "horizontalpodautoscalers", "verticalpodautoscalers", "poddisruptionbudgets", "certificatesigningrequests"] | ||||
|   verbs: ["list", "watch"] | ||||
| - apiGroups: ["*"] | ||||
|   resources: ["storageclasses", "persistentvolumeclaims", "persistentvolumes"] | ||||
|   verbs: ["*"] | ||||
| - apiGroups: ["apiextensions.k8s.io"] | ||||
|   resources: ["customresourcedefinitions"] | ||||
|   verbs: [ "get", "list", "create", "update", "delete", "patch"] | ||||
| - apiGroups: ["openebs.io"] | ||||
|   resources: [ "*"] | ||||
|   verbs: ["*"] | ||||
| - apiGroups: ["coordination.k8s.io"] | ||||
|   resources: ["leases"] | ||||
|   verbs: ["get", "create", "update"] | ||||
| - nonResourceURLs: ["/metrics"] | ||||
|   verbs: ["get"] | ||||
| --- | ||||
| # Bind the Service Account with the Role Privileges. | ||||
| # TODO: Check if default account also needs to be there | ||||
| kind: ClusterRoleBinding | ||||
| apiVersion: rbac.authorization.k8s.io/v1 | ||||
| metadata: | ||||
|   name: openebs-maya-operator | ||||
| subjects: | ||||
| - kind: ServiceAccount | ||||
|   name: openebs-maya-operator | ||||
|   namespace: openebs | ||||
| roleRef: | ||||
|   kind: ClusterRole | ||||
|   name: openebs-maya-operator | ||||
|   apiGroup: rbac.authorization.k8s.io | ||||
| --- | ||||
| apiVersion: apiextensions.k8s.io/v1 | ||||
| kind: CustomResourceDefinition | ||||
| metadata: | ||||
|   annotations: | ||||
|     controller-gen.kubebuilder.io/version: v0.5.0 | ||||
|   creationTimestamp: null | ||||
|   name: blockdevices.openebs.io | ||||
| spec: | ||||
|   group: openebs.io | ||||
|   names: | ||||
|     kind: BlockDevice | ||||
|     listKind: BlockDeviceList | ||||
|     plural: blockdevices | ||||
|     shortNames: | ||||
|     - bd | ||||
|     singular: blockdevice | ||||
|   scope: Namespaced | ||||
|   versions: | ||||
|   - additionalPrinterColumns: | ||||
|     - jsonPath: .spec.nodeAttributes.nodeName | ||||
|       name: NodeName | ||||
|       type: string | ||||
|     - jsonPath: .spec.path | ||||
|       name: Path | ||||
|       priority: 1 | ||||
|       type: string | ||||
|     - jsonPath: .spec.filesystem.fsType | ||||
|       name: FSType | ||||
|       priority: 1 | ||||
|       type: string | ||||
|     - jsonPath: .spec.capacity.storage | ||||
|       name: Size | ||||
|       type: string | ||||
|     - jsonPath: .status.claimState | ||||
|       name: ClaimState | ||||
|       type: string | ||||
|     - jsonPath: .status.state | ||||
|       name: Status | ||||
|       type: string | ||||
|     - jsonPath: .metadata.creationTimestamp | ||||
|       name: Age | ||||
|       type: date | ||||
|     name: v1alpha1 | ||||
|     schema: | ||||
|       openAPIV3Schema: | ||||
|         description: BlockDevice is the Schema for the blockdevices API | ||||
|         properties: | ||||
|           apiVersion: | ||||
|             description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | ||||
|             type: string | ||||
|           kind: | ||||
|             description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||||
|             type: string | ||||
|           metadata: | ||||
|             type: object | ||||
|           spec: | ||||
|             description: DeviceSpec defines the properties and runtime status of a BlockDevice | ||||
|             properties: | ||||
|               aggregateDevice: | ||||
|                 description: AggregateDevice was intended to store the hierarchical information in cases of LVM. However this is currently not implemented and may need to be re-looked into for better design. To be deprecated | ||||
|                 type: string | ||||
|               capacity: | ||||
|                 description: Capacity | ||||
|                 properties: | ||||
|                   logicalSectorSize: | ||||
|                     description: LogicalSectorSize is blockdevice logical-sector size in bytes | ||||
|                     format: int32 | ||||
|                     type: integer | ||||
|                   physicalSectorSize: | ||||
|                     description: PhysicalSectorSize is blockdevice physical-Sector size in bytes | ||||
|                     format: int32 | ||||
|                     type: integer | ||||
|                   storage: | ||||
|                     description: Storage is the blockdevice capacity in bytes | ||||
|                     format: int64 | ||||
|                     type: integer | ||||
|                 required: | ||||
|                 - storage | ||||
|                 type: object | ||||
|               claimRef: | ||||
|                 description: ClaimRef is the reference to the BDC which has claimed this BD | ||||
|                 properties: | ||||
|                   apiVersion: | ||||
|                     description: API version of the referent. | ||||
|                     type: string | ||||
|                   fieldPath: | ||||
|                     description: 'If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.' | ||||
|                     type: string | ||||
|                   kind: | ||||
|                     description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||||
|                     type: string | ||||
|                   name: | ||||
|                     description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names' | ||||
|                     type: string | ||||
|                   namespace: | ||||
|                     description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/' | ||||
|                     type: string | ||||
|                   resourceVersion: | ||||
|                     description: 'Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency' | ||||
|                     type: string | ||||
|                   uid: | ||||
|                     description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids' | ||||
|                     type: string | ||||
|                 type: object | ||||
|               details: | ||||
|                 description: Details contain static attributes of BD like model,serial, and so forth | ||||
|                 properties: | ||||
|                   compliance: | ||||
|                     description: Compliance is standards/specifications version implemented by device firmware  such as SPC-1, SPC-2, etc | ||||
|                     type: string | ||||
|                   deviceType: | ||||
|                     description: DeviceType represents the type of device like sparse, disk, partition, lvm, crypt | ||||
|                     enum: | ||||
|                     - disk | ||||
|                     - partition | ||||
|                     - sparse | ||||
|                     - loop | ||||
|                     - lvm | ||||
|                     - crypt | ||||
|                     - dm | ||||
|                     - mpath | ||||
|                     type: string | ||||
|                   driveType: | ||||
|                     description: DriveType is the type of backing drive, HDD/SSD | ||||
|                     enum: | ||||
|                     - HDD | ||||
|                     - SSD | ||||
|                     - Unknown | ||||
|                     - "" | ||||
|                     type: string | ||||
|                   firmwareRevision: | ||||
|                     description: FirmwareRevision is the disk firmware revision | ||||
|                     type: string | ||||
|                   hardwareSectorSize: | ||||
|                     description: HardwareSectorSize is the hardware sector size in bytes | ||||
|                     format: int32 | ||||
|                     type: integer | ||||
|                   logicalBlockSize: | ||||
|                     description: LogicalBlockSize is the logical block size in bytes reported by /sys/class/block/sda/queue/logical_block_size | ||||
|                     format: int32 | ||||
|                     type: integer | ||||
|                   model: | ||||
|                     description: Model is model of disk | ||||
|                     type: string | ||||
|                   physicalBlockSize: | ||||
|                     description: PhysicalBlockSize is the physical block size in bytes reported by /sys/class/block/sda/queue/physical_block_size | ||||
|                     format: int32 | ||||
|                     type: integer | ||||
|                   serial: | ||||
|                     description: Serial is serial number of disk | ||||
|                     type: string | ||||
|                   vendor: | ||||
|                     description: Vendor is vendor of disk | ||||
|                     type: string | ||||
|                 type: object | ||||
|               devlinks: | ||||
|                 description: DevLinks contains soft links of a block device like /dev/by-id/... /dev/by-uuid/... | ||||
|                 items: | ||||
|                   description: DeviceDevLink holds the mapping between type and links like by-id type or by-path type link | ||||
|                   properties: | ||||
|                     kind: | ||||
|                       description: Kind is the type of link like by-id or by-path. | ||||
|                       enum: | ||||
|                       - by-id | ||||
|                       - by-path | ||||
|                       type: string | ||||
|                     links: | ||||
|                       description: Links are the soft links | ||||
|                       items: | ||||
|                         type: string | ||||
|                       type: array | ||||
|                   type: object | ||||
|                 type: array | ||||
|               filesystem: | ||||
|                 description: FileSystem contains mountpoint and filesystem type | ||||
|                 properties: | ||||
|                   fsType: | ||||
|                     description: Type represents the FileSystem type of the block device | ||||
|                     type: string | ||||
|                   mountPoint: | ||||
|                     description: MountPoint represents the mountpoint of the block device. | ||||
|                     type: string | ||||
|                 type: object | ||||
|               nodeAttributes: | ||||
|                 description: NodeAttributes has the details of the node on which BD is attached | ||||
|                 properties: | ||||
|                   nodeName: | ||||
|                     description: NodeName is the name of the Kubernetes node resource on which the device is attached | ||||
|                     type: string | ||||
|                 type: object | ||||
|               parentDevice: | ||||
|                 description: "ParentDevice was intended to store the UUID of the parent Block Device as is the case for partitioned block devices. \n For example: /dev/sda is the parent for /dev/sda1 To be deprecated" | ||||
|                 type: string | ||||
|               partitioned: | ||||
|                 description: Partitioned represents if BlockDevice has partitions or not (Yes/No) Currently always default to No. To be deprecated | ||||
|                 enum: | ||||
|                 - "Yes" | ||||
|                 - "No" | ||||
|                 type: string | ||||
|               path: | ||||
|                 description: Path contain devpath (e.g. /dev/sdb) | ||||
|                 type: string | ||||
|             required: | ||||
|             - capacity | ||||
|             - devlinks | ||||
|             - nodeAttributes | ||||
|             - path | ||||
|             type: object | ||||
|           status: | ||||
|             description: DeviceStatus defines the observed state of BlockDevice | ||||
|             properties: | ||||
|               claimState: | ||||
|                 description: ClaimState represents the claim state of the block device | ||||
|                 enum: | ||||
|                 - Claimed | ||||
|                 - Unclaimed | ||||
|                 - Released | ||||
|                 type: string | ||||
|               state: | ||||
|                 description: State is the current state of the blockdevice (Active/Inactive/Unknown) | ||||
|                 enum: | ||||
|                 - Active | ||||
|                 - Inactive | ||||
|                 - Unknown | ||||
|                 type: string | ||||
|             required: | ||||
|             - claimState | ||||
|             - state | ||||
|             type: object | ||||
|         type: object | ||||
|     served: true | ||||
|     storage: true | ||||
|     subresources: {} | ||||
| status: | ||||
|   acceptedNames: | ||||
|     kind: "" | ||||
|     plural: "" | ||||
|   conditions: [] | ||||
|   storedVersions: [] | ||||
|  | ||||
| --- | ||||
| apiVersion: apiextensions.k8s.io/v1 | ||||
| kind: CustomResourceDefinition | ||||
| metadata: | ||||
|   annotations: | ||||
|     controller-gen.kubebuilder.io/version: v0.5.0 | ||||
|   creationTimestamp: null | ||||
|   name: blockdeviceclaims.openebs.io | ||||
| spec: | ||||
|   group: openebs.io | ||||
|   names: | ||||
|     kind: BlockDeviceClaim | ||||
|     listKind: BlockDeviceClaimList | ||||
|     plural: blockdeviceclaims | ||||
|     shortNames: | ||||
|     - bdc | ||||
|     singular: blockdeviceclaim | ||||
|   scope: Namespaced | ||||
|   versions: | ||||
|   - additionalPrinterColumns: | ||||
|     - jsonPath: .spec.blockDeviceName | ||||
|       name: BlockDeviceName | ||||
|       type: string | ||||
|     - jsonPath: .status.phase | ||||
|       name: Phase | ||||
|       type: string | ||||
|     - jsonPath: .metadata.creationTimestamp | ||||
|       name: Age | ||||
|       type: date | ||||
|     name: v1alpha1 | ||||
|     schema: | ||||
|       openAPIV3Schema: | ||||
|         description: BlockDeviceClaim is the Schema for the blockdeviceclaims API | ||||
|         properties: | ||||
|           apiVersion: | ||||
|             description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' | ||||
|             type: string | ||||
|           kind: | ||||
|             description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' | ||||
|             type: string | ||||
|           metadata: | ||||
|             type: object | ||||
|           spec: | ||||
|             description: DeviceClaimSpec defines the request details for a BlockDevice | ||||
|             properties: | ||||
|               blockDeviceName: | ||||
|                 description: BlockDeviceName is the reference to the block-device backing this claim | ||||
|                 type: string | ||||
|               blockDeviceNodeAttributes: | ||||
|                 description: BlockDeviceNodeAttributes is the attributes on the node from which a BD should be selected for this claim. It can include nodename, failure domain etc. | ||||
|                 properties: | ||||
|                   hostName: | ||||
|                     description: HostName represents the hostname of the Kubernetes node resource where the BD should be present | ||||
|                     type: string | ||||
|                   nodeName: | ||||
|                     description: NodeName represents the name of the Kubernetes node resource where the BD should be present | ||||
|                     type: string | ||||
|                 type: object | ||||
|               deviceClaimDetails: | ||||
|                 description: Details of the device to be claimed | ||||
|                 properties: | ||||
|                   allowPartition: | ||||
|                     description: AllowPartition represents whether to claim a full block device or a device that is a partition | ||||
|                     type: boolean | ||||
|                   blockVolumeMode: | ||||
|                     description: 'BlockVolumeMode represents whether to claim a device in Block mode or Filesystem mode. These are use cases of BlockVolumeMode: 1) Not specified: VolumeMode check will not be effective 2) VolumeModeBlock: BD should not have any filesystem or mountpoint 3) VolumeModeFileSystem: BD should have a filesystem and mountpoint. If DeviceFormat is    specified then the format should match with the FSType in BD' | ||||
|                     type: string | ||||
|                   formatType: | ||||
|                     description: Format of the device required, eg:ext4, xfs | ||||
|                     type: string | ||||
|                 type: object | ||||
|               deviceType: | ||||
|                 description: DeviceType represents the type of drive like SSD, HDD etc., | ||||
|                 nullable: true | ||||
|                 type: string | ||||
|               hostName: | ||||
|                 description: Node name from where blockdevice has to be claimed. To be deprecated. Use NodeAttributes.HostName instead | ||||
|                 type: string | ||||
|               resources: | ||||
|                 description: Resources will help with placing claims on Capacity, IOPS | ||||
|                 properties: | ||||
|                   requests: | ||||
|                     additionalProperties: | ||||
|                       anyOf: | ||||
|                       - type: integer | ||||
|                       - type: string | ||||
|                       pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$ | ||||
|                       x-kubernetes-int-or-string: true | ||||
|                     description: 'Requests describes the minimum resources required. eg: if storage resource of 10G is requested minimum capacity of 10G should be available TODO for validating' | ||||
|                     type: object | ||||
|                 required: | ||||
|                 - requests | ||||
|                 type: object | ||||
|               selector: | ||||
|                 description: Selector is used to find block devices to be considered for claiming | ||||
|                 properties: | ||||
|                   matchExpressions: | ||||
|                     description: matchExpressions is a list of label selector requirements. The requirements are ANDed. | ||||
|                     items: | ||||
|                       description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. | ||||
|                       properties: | ||||
|                         key: | ||||
|                           description: key is the label key that the selector applies to. | ||||
|                           type: string | ||||
|                         operator: | ||||
|                           description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. | ||||
|                           type: string | ||||
|                         values: | ||||
|                           description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. | ||||
|                           items: | ||||
|                             type: string | ||||
|                           type: array | ||||
|                       required: | ||||
|                       - key | ||||
|                       - operator | ||||
|                       type: object | ||||
|                     type: array | ||||
|                   matchLabels: | ||||
|                     additionalProperties: | ||||
|                       type: string | ||||
|                     description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. | ||||
|                     type: object | ||||
|                 type: object | ||||
|             type: object | ||||
|           status: | ||||
|             description: DeviceClaimStatus defines the observed state of BlockDeviceClaim | ||||
|             properties: | ||||
|               phase: | ||||
|                 description: Phase represents the current phase of the claim | ||||
|                 type: string | ||||
|             required: | ||||
|             - phase | ||||
|             type: object | ||||
|         type: object | ||||
|     served: true | ||||
|     storage: true | ||||
|     subresources: {} | ||||
| status: | ||||
|   acceptedNames: | ||||
|     kind: "" | ||||
|     plural: "" | ||||
|   conditions: [] | ||||
|   storedVersions: [] | ||||
| --- | ||||
| # This is the node-disk-manager related config. | ||||
| # It can be used to customize the disks probes and filters | ||||
| apiVersion: v1 | ||||
| kind: ConfigMap | ||||
| metadata: | ||||
|   name: openebs-ndm-config | ||||
|   namespace: openebs | ||||
|   labels: | ||||
|     openebs.io/component-name: ndm-config | ||||
| data: | ||||
|   # udev-probe is default or primary probe it should be enabled to run ndm | ||||
|   # filterconfigs contains configs of filters. To provide a group of include | ||||
|   # and exclude values add it as , separated string | ||||
|   node-disk-manager.config: | | ||||
|     probeconfigs: | ||||
|       - key: udev-probe | ||||
|         name: udev probe | ||||
|         state: true | ||||
|       - key: seachest-probe | ||||
|         name: seachest probe | ||||
|         state: false | ||||
|       - key: smart-probe | ||||
|         name: smart probe | ||||
|         state: true | ||||
|     filterconfigs: | ||||
|       - key: os-disk-exclude-filter | ||||
|         name: os disk exclude filter | ||||
|         state: true | ||||
|         exclude: "/,/etc/hosts,/boot" | ||||
|       - key: vendor-filter | ||||
|         name: vendor filter | ||||
|         state: true | ||||
|         include: "" | ||||
|         exclude: "CLOUDBYT,OpenEBS" | ||||
|       - key: path-filter | ||||
|         name: path filter | ||||
|         state: true | ||||
|         include: "" | ||||
|         exclude: "/dev/loop,/dev/fd0,/dev/sr0,/dev/ram,/dev/md,/dev/dm-,/dev/rbd,/dev/zd" | ||||
|     # metconfig can be used to decorate the block device with different types of labels | ||||
|     # that are available on the node or come in a device properties. | ||||
|     # node labels - the node where bd is discovered. A whitlisted label prefixes | ||||
|     # attribute labels - a property of the BD can be added as a ndm label as ndm.io/<property>=<property-value> | ||||
|     metaconfigs: | ||||
|       - key: node-labels | ||||
|         name: node labels | ||||
|         pattern: "" | ||||
|       - key: device-labels | ||||
|         name: device labels | ||||
|         type: "" | ||||
| --- | ||||
| apiVersion: apps/v1 | ||||
| kind: DaemonSet | ||||
| metadata: | ||||
|   name: openebs-ndm | ||||
|   namespace: openebs | ||||
|   labels: | ||||
|     name: openebs-ndm | ||||
|     openebs.io/component-name: ndm | ||||
|     openebs.io/version: 3.5.0 | ||||
| spec: | ||||
|   selector: | ||||
|     matchLabels: | ||||
|       name: openebs-ndm | ||||
|       openebs.io/component-name: ndm | ||||
|   updateStrategy: | ||||
|     type: RollingUpdate | ||||
|   template: | ||||
|     metadata: | ||||
|       labels: | ||||
|         name: openebs-ndm | ||||
|         openebs.io/component-name: ndm | ||||
|         openebs.io/version: 3.5.0 | ||||
|     spec: | ||||
|       # By default the node-disk-manager will be run on all kubernetes nodes | ||||
|       # If you would like to limit this to only some nodes, say the nodes | ||||
|       # that have storage attached, you could label those node and use | ||||
|       # nodeSelector. | ||||
|       # | ||||
|       # e.g. label the storage nodes with - "openebs.io/nodegroup"="storage-node" | ||||
|       # kubectl label node <node-name> "openebs.io/nodegroup"="storage-node" | ||||
|       #nodeSelector: | ||||
|       #  "openebs.io/nodegroup": "storage-node" | ||||
|       serviceAccountName: openebs-maya-operator | ||||
|       hostNetwork: true | ||||
|       # host PID is used to check status of iSCSI Service when the NDM | ||||
|       # API service is enabled | ||||
|       #hostPID: true | ||||
|       containers: | ||||
|       - name: node-disk-manager | ||||
|         image: openebs/node-disk-manager:2.1.0 | ||||
|         args: | ||||
|           - -v=4 | ||||
|         # The feature-gate is used to enable the new UUID algorithm. | ||||
|           - --feature-gates="GPTBasedUUID" | ||||
|         # Use partition table UUID instead of create single partition to get | ||||
|         # partition UUID. Require `GPTBasedUUID` to be enabled with. | ||||
|         # - --feature-gates="PartitionTableUUID" | ||||
|         # Detect changes to device size, filesystem and mount-points without restart. | ||||
|         # - --feature-gates="ChangeDetection" | ||||
|         # The feature gate is used to start the gRPC API service. The gRPC server | ||||
|         # starts at 9115 port by default. This feature is currently in Alpha state | ||||
|         # - --feature-gates="APIService" | ||||
|         # The feature gate is used to enable NDM, to create blockdevice resources | ||||
|         # for unused partitions on the OS disk | ||||
|         # - --feature-gates="UseOSDisk" | ||||
|         imagePullPolicy: IfNotPresent | ||||
|         securityContext: | ||||
|           privileged: true | ||||
|         volumeMounts: | ||||
|         - name: config | ||||
|           mountPath: /host/node-disk-manager.config | ||||
|           subPath: node-disk-manager.config | ||||
|           readOnly: true | ||||
|           # make udev database available inside container | ||||
|         - name: udev | ||||
|           mountPath: /run/udev | ||||
|         - name: procmount | ||||
|           mountPath: /host/proc | ||||
|           readOnly: true | ||||
|         - name: devmount | ||||
|           mountPath: /dev | ||||
|         - name: basepath | ||||
|           mountPath: /var/openebs/ndm | ||||
|         - name: sparsepath | ||||
|           mountPath: /var/openebs/sparse | ||||
|         env: | ||||
|         # namespace in which NDM is installed will be passed to NDM Daemonset | ||||
|         # as environment variable | ||||
|         - name: NAMESPACE | ||||
|           valueFrom: | ||||
|             fieldRef: | ||||
|               fieldPath: metadata.namespace | ||||
|         # pass hostname as env variable using downward API to the NDM container | ||||
|         - name: NODE_NAME | ||||
|           valueFrom: | ||||
|             fieldRef: | ||||
|               fieldPath: spec.nodeName | ||||
|         # specify the directory where the sparse files need to be created. | ||||
|         # if not specified, then sparse files will not be created. | ||||
|         - name: SPARSE_FILE_DIR | ||||
|           value: "/var/openebs/sparse" | ||||
|         # Size(bytes) of the sparse file to be created. | ||||
|         - name: SPARSE_FILE_SIZE | ||||
|           value: "10737418240" | ||||
|         # Specify the number of sparse files to be created | ||||
|         - name: SPARSE_FILE_COUNT | ||||
|           value: "0" | ||||
|         livenessProbe: | ||||
|           exec: | ||||
|             command: | ||||
|             - pgrep | ||||
|             - "ndm" | ||||
|           initialDelaySeconds: 30 | ||||
|           periodSeconds: 60 | ||||
|       volumes: | ||||
|       - name: config | ||||
|         configMap: | ||||
|           name: openebs-ndm-config | ||||
|       - name: udev | ||||
|         hostPath: | ||||
|           path: /run/udev | ||||
|           type: Directory | ||||
|       # mount /proc (to access mount file of process 1 of host) inside container | ||||
|       # to read mount-point of disks and partitions | ||||
|       - name: procmount | ||||
|         hostPath: | ||||
|           path: /proc | ||||
|           type: Directory | ||||
|       - name: devmount | ||||
|       # the /dev directory is mounted so that we have access to the devices that | ||||
|       # are connected at runtime of the pod. | ||||
|         hostPath: | ||||
|           path: /dev | ||||
|           type: Directory | ||||
|       - name: basepath | ||||
|         hostPath: | ||||
|           path: /var/openebs/ndm | ||||
|           type: DirectoryOrCreate | ||||
|       - name: sparsepath | ||||
|         hostPath: | ||||
|           path: /var/openebs/sparse | ||||
| --- | ||||
| apiVersion: apps/v1 | ||||
| kind: Deployment | ||||
| metadata: | ||||
|   name: openebs-ndm-operator | ||||
|   namespace: openebs | ||||
|   labels: | ||||
|     name: openebs-ndm-operator | ||||
|     openebs.io/component-name: ndm-operator | ||||
|     openebs.io/version: 3.5.0 | ||||
| spec: | ||||
|   selector: | ||||
|     matchLabels: | ||||
|       name: openebs-ndm-operator | ||||
|       openebs.io/component-name: ndm-operator | ||||
|   replicas: 1 | ||||
|   strategy: | ||||
|     type: Recreate | ||||
|   template: | ||||
|     metadata: | ||||
|       labels: | ||||
|         name: openebs-ndm-operator | ||||
|         openebs.io/component-name: ndm-operator | ||||
|         openebs.io/version: 3.5.0 | ||||
|     spec: | ||||
|       serviceAccountName: openebs-maya-operator | ||||
|       containers: | ||||
|         - name: node-disk-operator | ||||
|           image: openebs/node-disk-operator:2.1.0 | ||||
|           imagePullPolicy: IfNotPresent | ||||
|           env: | ||||
|             - name: WATCH_NAMESPACE | ||||
|               valueFrom: | ||||
|                 fieldRef: | ||||
|                   fieldPath: metadata.namespace | ||||
|             - name: POD_NAME | ||||
|               valueFrom: | ||||
|                 fieldRef: | ||||
|                   fieldPath: metadata.name | ||||
|             # the service account of the ndm-operator pod | ||||
|             - name: SERVICE_ACCOUNT | ||||
|               valueFrom: | ||||
|                 fieldRef: | ||||
|                   fieldPath: spec.serviceAccountName | ||||
|             - name: OPERATOR_NAME | ||||
|               value: "node-disk-operator" | ||||
|             - name: CLEANUP_JOB_IMAGE | ||||
|               value: "openebs/linux-utils:3.5.0" | ||||
|             # OPENEBS_IO_IMAGE_PULL_SECRETS environment variable is used to pass the image pull secrets | ||||
|             # to the cleanup pod launched by NDM operator | ||||
|             #- name: OPENEBS_IO_IMAGE_PULL_SECRETS | ||||
|             #  value: "" | ||||
|           livenessProbe: | ||||
|             httpGet: | ||||
|               path: /healthz | ||||
|               port: 8585 | ||||
|             initialDelaySeconds: 15 | ||||
|             periodSeconds: 20 | ||||
|           readinessProbe: | ||||
|             httpGet: | ||||
|               path: /readyz | ||||
|               port: 8585 | ||||
|             initialDelaySeconds: 5 | ||||
|             periodSeconds: 10 | ||||
| --- | ||||
| # Create NDM cluster exporter deployment. | ||||
| # This is an optional component and is not required for the basic | ||||
| # functioning of NDM | ||||
| apiVersion: apps/v1 | ||||
| kind: Deployment | ||||
| metadata: | ||||
|   name: openebs-ndm-cluster-exporter | ||||
|   namespace: openebs | ||||
|   labels: | ||||
|     name: openebs-ndm-cluster-exporter | ||||
|     openebs.io/component-name: ndm-cluster-exporter | ||||
|     openebs.io/version: 3.5.0 | ||||
| spec: | ||||
|   replicas: 1 | ||||
|   strategy: | ||||
|     type: Recreate | ||||
|   selector: | ||||
|     matchLabels: | ||||
|       name: openebs-ndm-cluster-exporter | ||||
|       openebs.io/component-name: ndm-cluster-exporter | ||||
|   template: | ||||
|     metadata: | ||||
|       labels: | ||||
|         name: openebs-ndm-cluster-exporter | ||||
|         openebs.io/component-name: ndm-cluster-exporter | ||||
|         openebs.io/version: 3.5.0 | ||||
|     spec: | ||||
|       serviceAccountName: openebs-maya-operator | ||||
|       containers: | ||||
|         - name: ndm-cluster-exporter | ||||
|           image: openebs/node-disk-exporter:2.1.0 | ||||
|           command: | ||||
|             - /usr/local/bin/exporter | ||||
|           args: | ||||
|             - "start" | ||||
|             - "--mode=cluster" | ||||
|             - "--port=$(METRICS_LISTEN_PORT)" | ||||
|             - "--metrics=/metrics" | ||||
|           ports: | ||||
|             - containerPort: 9100 | ||||
|               protocol: TCP | ||||
|               name: metrics | ||||
|           imagePullPolicy: IfNotPresent | ||||
|           env: | ||||
|             - name: NAMESPACE | ||||
|               valueFrom: | ||||
|                 fieldRef: | ||||
|                   fieldPath: metadata.namespace | ||||
|             - name: METRICS_LISTEN_PORT | ||||
|               value: :9100 | ||||
| --- | ||||
| # Create NDM cluster exporter service | ||||
| # This is optional and required only when | ||||
| # ndm-cluster-exporter deployment is used | ||||
| apiVersion: v1 | ||||
| kind: Service | ||||
| metadata: | ||||
|   name: openebs-ndm-cluster-exporter-service | ||||
|   namespace: openebs | ||||
|   labels: | ||||
|     name: openebs-ndm-cluster-exporter-service | ||||
|     openebs.io/component-name: ndm-cluster-exporter | ||||
|     app: openebs-ndm-exporter | ||||
| spec: | ||||
|   clusterIP: None | ||||
|   ports: | ||||
|     - name: metrics | ||||
|       port: 9100 | ||||
|       targetPort: 9100 | ||||
|   selector: | ||||
|     name: openebs-ndm-cluster-exporter | ||||
| --- | ||||
| # Create NDM node exporter daemonset. | ||||
| # This is an optional component used for getting disk level | ||||
| # metrics from each of the storage nodes | ||||
| apiVersion: apps/v1 | ||||
| kind: DaemonSet | ||||
| metadata: | ||||
|   name: openebs-ndm-node-exporter | ||||
|   namespace: openebs | ||||
|   labels: | ||||
|     name: openebs-ndm-node-exporter | ||||
|     openebs.io/component-name: ndm-node-exporter | ||||
|     openebs.io/version: 3.5.0 | ||||
| spec: | ||||
|   updateStrategy: | ||||
|     type: RollingUpdate | ||||
|   selector: | ||||
|     matchLabels: | ||||
|       name: openebs-ndm-node-exporter | ||||
|       openebs.io/component-name: ndm-node-exporter | ||||
|   template: | ||||
|     metadata: | ||||
|       labels: | ||||
|         name: openebs-ndm-node-exporter | ||||
|         openebs.io/component-name: ndm-node-exporter | ||||
|         openebs.io/version: 3.5.0 | ||||
|     spec: | ||||
|       serviceAccountName: openebs-maya-operator | ||||
|       containers: | ||||
|         - name: node-disk-exporter | ||||
|           image: openebs/node-disk-exporter:2.1.0 | ||||
|           command: | ||||
|             - /usr/local/bin/exporter | ||||
|           args: | ||||
|             - "start" | ||||
|             - "--mode=node" | ||||
|             - "--port=$(METRICS_LISTEN_PORT)" | ||||
|             - "--metrics=/metrics" | ||||
|           ports: | ||||
|             - containerPort: 9101 | ||||
|               protocol: TCP | ||||
|               name: metrics | ||||
|           imagePullPolicy: IfNotPresent | ||||
|           securityContext: | ||||
|             privileged: true | ||||
|           env: | ||||
|             - name: NAMESPACE | ||||
|               valueFrom: | ||||
|                 fieldRef: | ||||
|                   fieldPath: metadata.namespace | ||||
|             - name: METRICS_LISTEN_PORT | ||||
|               value: :9101 | ||||
| --- | ||||
| # Create NDM node exporter service | ||||
| # This is optional and required only when | ||||
| # ndm-node-exporter daemonset is used | ||||
| apiVersion: v1 | ||||
| kind: Service | ||||
| metadata: | ||||
|   name: openebs-ndm-node-exporter-service | ||||
|   namespace: openebs | ||||
|   labels: | ||||
|     name: openebs-ndm-node-exporter | ||||
|     openebs.io/component: openebs-ndm-node-exporter | ||||
|     app: openebs-ndm-exporter | ||||
| spec: | ||||
|   clusterIP: None | ||||
|   ports: | ||||
|     - name: metrics | ||||
|       port: 9101 | ||||
|       targetPort: 9101 | ||||
|   selector: | ||||
|     name: openebs-ndm-node-exporter | ||||
| --- | ||||
| apiVersion: apps/v1 | ||||
| kind: Deployment | ||||
| metadata: | ||||
|   name: openebs-localpv-provisioner | ||||
|   namespace: openebs | ||||
|   labels: | ||||
|     name: openebs-localpv-provisioner | ||||
|     openebs.io/component-name: openebs-localpv-provisioner | ||||
|     openebs.io/version: 3.5.0 | ||||
| spec: | ||||
|   selector: | ||||
|     matchLabels: | ||||
|       name: openebs-localpv-provisioner | ||||
|       openebs.io/component-name: openebs-localpv-provisioner | ||||
|   replicas: 1 | ||||
|   strategy: | ||||
|     type: Recreate | ||||
|   template: | ||||
|     metadata: | ||||
|       labels: | ||||
|         name: openebs-localpv-provisioner | ||||
|         openebs.io/component-name: openebs-localpv-provisioner | ||||
|         openebs.io/version: 3.5.0 | ||||
|     spec: | ||||
|       serviceAccountName: openebs-maya-operator | ||||
|       containers: | ||||
|       - name: openebs-provisioner-hostpath | ||||
|         imagePullPolicy: IfNotPresent | ||||
|         image: openebs/provisioner-localpv:3.5.0 | ||||
|         args: | ||||
|           - "--bd-time-out=$(BDC_BD_BIND_RETRIES)" | ||||
|         env: | ||||
|         # OPENEBS_IO_K8S_MASTER enables openebs provisioner to connect to K8s | ||||
|         # based on this address. This is ignored if empty. | ||||
|         # This is supported for openebs provisioner version 0.5.2 onwards | ||||
|         #- name: OPENEBS_IO_K8S_MASTER | ||||
|         #  value: "http://10.128.0.12:8080" | ||||
|         # OPENEBS_IO_KUBE_CONFIG enables openebs provisioner to connect to K8s | ||||
|         # based on this config. This is ignored if empty. | ||||
|         # This is supported for openebs provisioner version 0.5.2 onwards | ||||
|         #- name: OPENEBS_IO_KUBE_CONFIG | ||||
|         #  value: "/home/ubuntu/.kube/config" | ||||
|         # This sets the number of times the provisioner should try  | ||||
|         # with a polling interval of 5 seconds, to get the Blockdevice | ||||
|         # Name from a BlockDeviceClaim, before the BlockDeviceClaim | ||||
|         # is deleted. E.g. 12 * 5 seconds = 60 seconds timeout | ||||
|         - name: BDC_BD_BIND_RETRIES | ||||
|           value: "12" | ||||
|         - name: NODE_NAME | ||||
|           valueFrom: | ||||
|             fieldRef: | ||||
|               fieldPath: spec.nodeName | ||||
|         - name: OPENEBS_NAMESPACE | ||||
|           valueFrom: | ||||
|             fieldRef: | ||||
|               fieldPath: metadata.namespace | ||||
|         # OPENEBS_SERVICE_ACCOUNT provides the service account of this pod as | ||||
|         # environment variable | ||||
|         - name: OPENEBS_SERVICE_ACCOUNT | ||||
|           valueFrom: | ||||
|             fieldRef: | ||||
|               fieldPath: spec.serviceAccountName | ||||
|         - name: OPENEBS_IO_ENABLE_ANALYTICS | ||||
|           value: "true" | ||||
|         - name: OPENEBS_IO_INSTALLER_TYPE | ||||
|           value: "openebs-operator-lite" | ||||
|         - name: OPENEBS_IO_HELPER_IMAGE | ||||
|           value: "openebs/linux-utils:3.5.0" | ||||
|         - name: OPENEBS_IO_BASE_PATH | ||||
|           value: "/var/openebs/local" | ||||
|         # LEADER_ELECTION_ENABLED is used to enable/disable leader election. By default | ||||
|         # leader election is enabled. | ||||
|         #- name: LEADER_ELECTION_ENABLED | ||||
|         #  value: "true" | ||||
|         # OPENEBS_IO_IMAGE_PULL_SECRETS environment variable is used to pass the image pull secrets | ||||
|         # to the helper pod launched by local-pv hostpath provisioner | ||||
|         #- name: OPENEBS_IO_IMAGE_PULL_SECRETS | ||||
|         #  value: "" | ||||
|         # Process name used for matching is limited to the 15 characters | ||||
|         # present in the pgrep output. | ||||
|         # So fullname can't be used here with pgrep (>15 chars).A regular expression | ||||
|         # that matches the entire command name has to specified. | ||||
|         # Anchor `^` : matches any string that starts with `provisioner-loc` | ||||
|         # `.*`: matches any string that has `provisioner-loc` followed by zero or more char | ||||
|         livenessProbe: | ||||
|           exec: | ||||
|             command: | ||||
|             - sh | ||||
|             - -c | ||||
|             - test `pgrep -c "^provisioner-loc.*"` = 1 | ||||
|           initialDelaySeconds: 30 | ||||
|           periodSeconds: 60 | ||||
| --- | ||||
|  | ||||
										16
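--- a/_disabled/openebs/storage-class.yaml
+++ b/_disabled/openebs/storage-class.yaml
@@ -0,0 +1,16 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: openebs-hostpath-xfs
+  annotations:
+    openebs.io/cas-type: local
+    cas.openebs.io/config: |
+      - name: StorageType
+        value: "hostpath"
+      - name: BasePath
+        value: "/var/openebs/local/"
+      - name: XFSQuota
+        enabled: "true"
+provisioner: openebs.io/local
+volumeBindingMode: WaitForFirstConsumer
+reclaimPolicy: Delete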
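Review bot: `XFSQuota` with `enabled: "true"` only does anything when the host filesystem behind `BasePath` is XFS and mounted with project quota support, and as far as I know the hostpath provisioner's helper pod fails volume creation when it cannot set a project quota; nothing in this StorageClass records that node prerequisite. A comment would save the next operator a debugging round, e.g. `# Requires /var/openebs/local to be XFS mounted with prjquota on every node that should serve this class`. `BasePath` here ends with a trailing slash while the provisioner's `OPENEBS_IO_BASE_PATH` in the operator manifest above does not; harmless, but worth normalising so the two obviously refer to the same directory.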
										10
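--- a/_disabled/playground/README.md
+++ b/_disabled/playground/README.md
@@ -0,0 +1,10 @@
+# Playground
+
+Playground namespace is accessible to `Developers` AD group.
+
+Novel log aggregator is being developer in this namespace:
+
+```
+kubectl create secret generic -n playground mongodb-application-readwrite-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
+kubectl create secret generic -n playground mongodb-application-readonly-password --from-literal="password=$(cat /dev/urandom | base64 | head -c 30)"
+kubectl apply -n playground -f logging.yml -f mongodb-support.yml -f mongoexpress.yml -f networkpolicy-base.yml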
										263
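--- a/_disabled/playground/logging.yml
+++ b/_disabled/playground/logging.yml
@@ -0,0 +1,263 @@
+---
+apiVersion: mongodbcommunity.mongodb.com/v1
+kind: MongoDBCommunity
+metadata:
+  name: mongodb
+spec:
+  additionalMongodConfig:
+    systemLog:
+      quiet: true
+  members: 3
+  type: ReplicaSet
+  version: "5.0.13"
+  security:
+    authentication:
+      modes: ["SCRAM"]
+  users:
+    - name: readwrite
+      db: application
+      passwordSecretRef:
+        name: mongodb-application-readwrite-password
+      roles:
+        - name: readWrite
+          db: application
+      scramCredentialsSecretName: mongodb-application-readwrite
+    - name: readonly
+      db: application
+      passwordSecretRef:
+        name: mongodb-application-readonly-password
+      roles:
+        - name: readOnly
+          db: application
+      scramCredentialsSecretName: mongodb-application-readonly
+  statefulSet:
+    spec:
+      logLevel: WARN
+      template:
+        spec:
+          containers:
+            - name: mongod
+              resources:
+                requests:
+                  cpu: 100m
+                  memory: 2Gi
+                limits:
+                  cpu: 2000m
+                  memory: 2Gi
+            - name: mongodb-agent
+              resources:
+                requests:
+                  cpu: 1m
+                  memory: 100Mi
+                limits: {}
+          affinity:
+            podAntiAffinity:
+              requiredDuringSchedulingIgnoredDuringExecution:
+                - labelSelector:
+                    matchExpressions:
+                      - key: app
+                        operator: In
+                        values:
+                          - mongodb-svc
+                  topologyKey: kubernetes.io/hostname
+          nodeSelector:
+            dedicated: monitoring
+          tolerations:
+            - key: dedicated
+              operator: Equal
+              value: monitoring
+              effect: NoSchedule
+      volumeClaimTemplates:
+        - metadata:
+            name: logs-volume
+          spec:
+            storageClassName: local-path
+            accessModes:
+            - ReadWriteOnce
+            resources:
+              requests:
+                storage: 512Mi
+        - metadata:
+            name: data-volume
+          spec:
+            storageClassName: local-path
+            accessModes:
+            - ReadWriteOnce
+            resources:
+              requests:
+                storage: 2Gi
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: log-shipper
+spec:
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 50%
+  selector:
+    matchLabels:
+      app: log-shipper
+  template:
+    metadata:
+      labels:
+        app: log-shipper
+    spec:
+      serviceAccountName: log-shipper
+      containers:
+        - name: log-shipper
+          image: harbor.k-space.ee/k-space/log-shipper
+          securityContext:
+            runAsUser: 0
+          env:
+            - name: MY_POD_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            - name: MONGODB_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: mongodb-application-readwrite
+                  key: connectionString.standard
+          ports:
+            - containerPort: 8000
+              name: metrics
+          resources:
+            limits:
+              memory: 200Mi
+            requests:
+              cpu: 100m
+              memory: 100Mi
+          volumeMounts:
+            - name: etcmachineid
+              mountPath: /etc/machine-id
+              readOnly: true
+            - name: varlibdockercontainers
+              mountPath: /var/lib/docker/containers
+              readOnly: true
+            - name: varlog
+              mountPath: /var/log
+              readOnly: true
+      volumes:
+        - name: etcmachineid
+          hostPath:
+            path: /etc/machine-id
+        - name: varlibdockercontainers
+          hostPath:
+            path: /var/lib/docker/containers
+        - name: varlog
+          hostPath:
+            path: /var/log
+      tolerations:
+        - operator: "Exists"
+          effect: "NoExecute"
+        - operator: "Exists"
+          effect: "NoSchedule"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: logging-log-shipper
+subjects:
+  - kind: ServiceAccount
+    name: log-shipper
+    namespace: playground
+roleRef:
+  kind: ClusterRole
+  name: filebeat
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: log-shipper
+  labels:
+    app: log-shipper
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: log-shipper
+spec:
+  podSelector:
+    matchLabels:
+      app: log-shipper
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: prometheus-operator
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: prometheus
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app: mongodb-svc
+      ports:
+        - port: 27017
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: log-viewer-backend
+spec:
+  podSelector:
+    matchLabels:
+      app: log-viewer-backend
+  policyTypes:
+    - Ingress
+    - Egress
+  egress:
+    - to:
+        - podSelector:
+            matchLabels:
+              app: mongodb-svc
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: log-viewer-frontend
+spec:
+  podSelector:
+    matchLabels:
+      app: log-viewer-frontend
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: log-shipper
+spec:
+  selector:
+    matchLabels:
+      app: log-shipper
+  podMetricsEndpoints:
+    - port: metrics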
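Review bot: `- name: readOnly` under the `readonly` user's roles is not a MongoDB built-in role; the built-in read-only database role is `read`, so unless a custom role of that name is declared somewhere the operator's agent cannot create this user and the readonly credentials secret is never populated. The fix is one token: `- name: read`. The `log-shipper` NetworkPolicy permits egress only to `app: mongodb-svc` on 27017, which as written also blocks DNS resolution of the `MONGODB_HOST` connection string and any API-server calls the `filebeat` ClusterRole (bound here, defined outside this file) exists to permit, unless `networkpolicy-base.yml` mentioned in the README carries those rules; please confirm. The `log-viewer-backend` policy's egress to the same pods omits the `ports` restriction the shipper has; add `ports: - port: 27017` for consistency. The shipper image `harbor.k-space.ee/k-space/log-shipper` carries no tag or digest and the pod runs as uid 0; a pinned reference plus `readOnlyRootFilesystem: true` and `capabilities: {drop: [ALL]}` would narrow a node-wide DaemonSet with hostPath mounts without changing what it does.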
										103
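--- a/_disabled/whoami-oidc/application.yaml
+++ b/_disabled/whoami-oidc/application.yaml
@@ -0,0 +1,103 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: OIDCClient
+metadata:
+  name: whoami-oidc
+  namespace: whoami-oidc
+spec:
+  displayName: Whoami OIDC
+  uri: https://whoami-oidc.k-space.ee
+  redirectUris:
+    - https://whoami-oidc.k-space.ee/auth/callback
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  availableScopes:
+    - openid
+    - profile
+  pkce: false
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: whoami-oidc
+  labels:
+    app.kubernetes.io/name: whoami-oidc
+spec:
+  replicas: 1
+  revisionHistoryLimit: 0
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: whoami-oidc
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: whoami-oidc
+    spec:
+      containers:
+        - name: whoami-oidc
+          image: harbor.k-space.ee/rasmus/oidctest:latest@sha256:55927b9a50580fb087277af25fbc492b5ab4abcc1926c29ed40c190a99ced77b
+          env:
+            - name: OIDC_ROOT_URL
+              value: https://whoami-oidc.k-space.ee
+            - name: OIDC_PROVIDER
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-whoami-oidc-owner-secrets
+                  key: OIDC_GATEWAY_URI
+            - name: OIDC_CLIENT_ID
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-whoami-oidc-owner-secrets
+                  key: OIDC_CLIENT_ID
+            - name: OIDC_CLIENT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: oidc-client-whoami-oidc-owner-secrets
+                  key: OIDC_CLIENT_SECRET
+          ports:
+            - containerPort: 9009
+              name: http
+          resources:
+            limits:
+              cpu: "1"
+              memory: "512Mi"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: whoami-oidc
+spec:
+  selector:
+    app.kubernetes.io/name: whoami-oidc
+  ports:
+  - port: 80
+    name: http
+    targetPort: http
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: whoami-oidc
+  annotations:
+    kubernetes.io/ingress.class: traefik
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
+spec:
+  rules:
+    - host: whoami-oidc.k-space.ee
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: whoami-oidc
+                port:
+                  name: http
+  tls:
+    - hosts:
+        - "*.k-space.ee"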
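Review bot: The `OIDCClient` pins `namespace: whoami-oidc` while the Deployment, Service and Ingress in the same file carry no namespace, so those objects land wherever the caller's `-n` or the ArgoCD destination points, and the `oidc-client-whoami-oidc-owner-secrets` references only resolve if that happens to be `whoami-oidc`; add `namespace: whoami-oidc` to the other three objects or drop it from the OIDCClient so all four follow the apply context. Unlike the argocd client in this commit, this OIDCClient sets no `allowedGroups`, so every authenticated directory user can sign in; acceptable for a whoami test endpoint if that is intended, but worth a comment either way. The container has no `securityContext`; `runAsNonRoot: true` and `allowPrivilegeEscalation: false` would be the expected baseline beside an image that is already digest-pinned. `kubernetes.io/ingress.class` is deprecated in favour of `spec.ingressClassName: traefik`.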
										1
								argocd-image-updater/README.md
										Normal file
							| @@ -0,0 +1 @@ | ||||
| argocd/appications/argocd-image-updater.yaml | ||||
| @@ -1,51 +1,58 @@ | ||||
| # Workflow | ||||
|  | ||||
| Most applications in our Kubernetes cluster are managed by ArgoCD. | ||||
| Most notably operators are NOT managed by ArgoCD. | ||||
|  | ||||
| ## Managing applications | ||||
| Update apps (see TODO below): | ||||
|  | ||||
| # Deployment | ||||
| ``` | ||||
| for j in asterisk bind camtiler etherpad freescout gitea grafana hackerspace nextcloud nyancat rosdump traefik wiki wildduck; do | ||||
| cat << EOF >> applications/$j.yaml | ||||
| --- | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: $j | ||||
|   namespace: argocd | ||||
|   annotations: | ||||
|     # Works with only Kustomize and Helm. Kustomize is easy, see https://github.com/argoproj-labs/argocd-image-updater/tree/master/manifests/base for an example. | ||||
|     argocd-image-updater.argoproj.io/image-list: TODO:^2 # semver 2.*.* | ||||
|     argocd-image-updater.argoproj.io/write-back-method: git | ||||
| spec: | ||||
|   project: k-space.ee | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: $j | ||||
|     targetRevision: HEAD | ||||
|   destination: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: $j | ||||
|   syncPolicy: | ||||
|     automated: | ||||
|       prune: true | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
| EOF | ||||
| done | ||||
| find applications -name "*.yaml" -exec kubectl apply -n argocd -f {} \; | ||||
| ``` | ||||
|  | ||||
| To deploy ArgoCD: | ||||
| ### Repository secrets | ||||
| 1. Generate keys locally with `ssh-keygen -f argo` | ||||
| 2. Add `argo.pub` in `git.k-space.ee/<your>/<repo>` → Settings → Deploy keys | ||||
| 3. Add `argo` (private key) at https://argocd.k-space.ee/settings/repos along with referenced repo. | ||||
|  | ||||
| ## Argo Deployment | ||||
| To deploy ArgoCD itself: | ||||
|  | ||||
| ```bash | ||||
| helm repo add argo-cd https://argoproj.github.io/argo-helm | ||||
| kubectl create secret -n argocd generic argocd-secret # Initialize empty secret for sessions | ||||
| kubectl create secret -n argocd generic argocd-secret # Empty secret for sessions | ||||
| kubectl label -n argocd secret oidc-client-argocd-owner-secrets app.kubernetes.io/part-of=argocd | ||||
|  | ||||
| helm template -n argocd --release-name k6 argo-cd/argo-cd --include-crds -f values.yaml > argocd.yml | ||||
| kubectl apply -f argocd.yml -n argocd | ||||
| kubectl -n argocd rollout restart deployment/k6-argocd-redis | ||||
| kubectl -n argocd rollout restart deployment/k6-argocd-repo-server | ||||
| kubectl -n argocd rollout restart deployment/k6-argocd-server | ||||
| kubectl -n argocd rollout restart deployment/k6-argocd-notifications-controller | ||||
| kubectl -n argocd rollout restart statefulset/k6-argocd-application-controller | ||||
| kubectl apply -f argocd.yml -f application-extras.yml -f redis.yaml -f monitoring.yml -n argocd | ||||
|  | ||||
| kubectl -n argocd rollout restart deployment/k6-argocd-redis deployment/k6-argocd-repo-server deployment/k6-argocd-server deployment/k6-argocd-notifications-controller statefulset/k6-argocd-application-controller | ||||
| ``` | ||||
|  | ||||
| Note: Refer to Authelia README for OIDC secret setup | ||||
|  | ||||
|  | ||||
| # Setting up Git secrets | ||||
|  | ||||
| Generate SSH key to access Gitea: | ||||
|  | ||||
| ``` | ||||
| ssh-keygen -t ecdsa -f id_ecdsa -C argocd.k-space.ee -P '' | ||||
| kubectl -n argocd create secret generic gitea-kube \ | ||||
|   --from-literal=type=git \ | ||||
|   --from-literal=url=git@git.k-space.ee:k-space/kube \ | ||||
|   --from-file=sshPrivateKey=id_ecdsa | ||||
| kubectl -n argocd create secret generic gitea-kube-staging \ | ||||
|   --from-literal=type=git \ | ||||
|   --from-literal=url=git@git.k-space.ee:k-space/kube-staging \ | ||||
|   --from-file=sshPrivateKey=id_ecdsa | ||||
| kubectl -n argocd create secret generic gitea-kube-members \ | ||||
|   --from-literal=type=git \ | ||||
|   --from-literal=url=git@git.k-space.ee:k-space/kube-members \ | ||||
|   --from-file=sshPrivateKey=id_ecdsa | ||||
| kubectl label -n argocd secret gitea-kube argocd.argoproj.io/secret-type=repository | ||||
| kubectl label -n argocd secret gitea-kube-staging argocd.argoproj.io/secret-type=repository | ||||
| kubectl label -n argocd secret gitea-kube-members argocd.argoproj.io/secret-type=repository | ||||
| rm -fv id_ecdsa | ||||
| ``` | ||||
|  | ||||
| Have Gitea admin reset password for user `argocd` and log in with that account. | ||||
| Add the SSH key for user `argocd` from file `id_ecdsa.pub`. | ||||
| Delete any other SSH keys associated with Gitea user `argocd`. | ||||
| WARN: ArgoCD doesn't host its own redis, Dragonfly must be able to independently cold-start. | ||||
|   | ||||
										38
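--- a/argocd/application-extras.yml
+++ b/argocd/application-extras.yml
@@ -0,0 +1,38 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: OIDCClient
+metadata:
+  name: argocd
+  namespace: argocd
+spec:
+  displayName: Argo CD
+  uri: https://argocd.k-space.ee
+  redirectUris:
+    - https://argocd.k-space.ee/auth/callback
+    - http://localhost:8085/auth/callback
+  allowedGroups:
+    - k-space:kubernetes:admins
+  grantTypes:
+    - authorization_code
+    - refresh_token
+  responseTypes:
+    - code
+  availableScopes:
+    - openid
+    - profile
+  pkce: false
+---
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  namespace: argocd
+  name: k-space.ee
+spec:
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'
+  destinations:
+    - namespace: '*'
+      server: '*'
+  sourceRepos:
+    - '*'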
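Review bot: The `k-space.ee` AppProject is unrestricted on every axis: `sourceRepos: '*'`, `destinations` `'*'`/`'*'` and `clusterResourceWhitelist` `'*'`/`'*'`, so any Application placed in this project may sync cluster-scoped objects (ClusterRoleBindings, CRDs, webhooks) from any reachable repository into any namespace, and with automated sync on the sibling Applications that is a one-commit path to cluster admin for whoever can land an Application manifest. Since the OIDC client above already limits logins to `k-space:kubernetes:admins`, the project should at least pin the sources to the organisation's own repositories plus the one upstream it uses, and the in-cluster destination: `sourceRepos: ['git@git.k-space.ee:k-space/*', 'https://github.com/argoproj-labs/argocd-image-updater.git']` and `server: 'https://kubernetes.default.svc'`. The `http://localhost:8085/auth/callback` redirect is what the `argocd login --sso` CLI flow uses, so that entry looks intentional; a one-line comment saying so would stop it being removed later as a stray dev URL.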
										18
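--- a/argocd/applications/argocd-applications.yaml
+++ b/argocd/applications/argocd-applications.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd-applications
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: argocd/applications
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: false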
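Review bot: `prune: false` on this app-of-apps means removing a file from `argocd/applications` leaves the corresponding Application object in the cluster, still syncing its workload, until someone deletes it by hand; that is a defensible safety choice for the object that manages every other app, but it is undocumented and differs from the `prune: true` every child Application in this commit uses. A comment such as `# prune: false on purpose: deleting a manifest here must not cascade-delete a whole application; remove retired Applications with kubectl` would make the intent explicit.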
										20
								argocd/applications/argocd-image-updater.yaml
										Normal file
							| @@ -0,0 +1,20 @@ | ||||
| --- | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: argocd-image-updater | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: k-space.ee | ||||
|   source: | ||||
|     repoURL: 'https://github.com/argoproj-labs/argocd-image-updater.git' | ||||
|     path: manifests/base | ||||
|     targetRevision: stable | ||||
|   destination: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: argocd | ||||
|   syncPolicy: | ||||
|     automated: | ||||
|       prune: true | ||||
|     syncOptions: | ||||
|     - CreateNamespace=true | ||||
| @@ -1,17 +1,20 @@ | ||||
| --- | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: drone-execution | ||||
|   name: bind | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   project: k-space.ee | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: drone-execution | ||||
|     path: bind | ||||
|     targetRevision: HEAD | ||||
|   destination: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: drone-execution | ||||
|     namespace: bind | ||||
|   syncPolicy: | ||||
|     automated: | ||||
|       prune: true | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
|     - CreateNamespace=true | ||||
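--- /dev/null
+++ b/argocd/applications/cert-manager.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: cert-manager
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: cert-manager
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true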
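Review bot: The comment `# also depends on git@git.k-space.ee:secretspace/kube.git` names a second repository, but the Application has a single `source`, so nothing here records how that dependency is applied, in what order, or what fails if it is absent; the same comment appears in external-snapshotter.yaml, frigate.yaml, grafana.yaml, harbor-operator.yaml, tigera-operator.yaml and the metallb-system hunk. Consider extending the comment to state where the secretspace manifests are synced from, e.g. `# secrets for this path are synced by <application name> from secretspace/kube.git; sync that first`, or, if Argo CD multi-source is in use on this install, expressing the dependency as a second entry under `sources:` so it is visible to the tool rather than only to readers.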
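--- /dev/null
+++ b/argocd/applications/dragonfly.yaml
@@ -0,0 +1,23 @@
+# See [/dragonfly/README.md](/dragonfly-operator-system/README.md)
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dragonfly # replaces redis and keydb
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: https://github.com/dragonflydb/dragonfly-operator
+    targetRevision: v1.1.11 # https://github.com/dragonflydb/dragonfly-operator/releases
+    path: manifests
+    directory:
+      include: 'dragonfly-operator.yaml'
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: dragonfly-operator-system
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true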
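Review bot: The link on the first line has label `/dragonfly/README.md` but target `/dragonfly-operator-system/README.md`, so one of the two paths is stale and a reader cannot tell which directory actually holds the README. A markdown link adds nothing inside a YAML comment anyway; `# See /dragonfly-operator-system/README.md` (or the other path, whichever exists in the repo) says the same thing without the contradiction.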
| @@ -1,22 +0,0 @@ | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: elastic-system | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: elastic-system | ||||
|     targetRevision: HEAD | ||||
|   destination: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: elastic-system | ||||
|   syncPolicy: | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
|   ignoreDifferences: | ||||
|     - group: admissionregistration.k8s.io | ||||
|       kind: ValidatingWebhookConfiguration | ||||
|       jqPathExpressions: | ||||
|         - '.webhooks[]?.clientConfig.caBundle' | ||||
| @@ -1,10 +1,11 @@ | ||||
| --- | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: etherpad | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   project: k-space.ee | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: etherpad | ||||
| @@ -13,5 +14,7 @@ spec: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: etherpad | ||||
|   syncPolicy: | ||||
|     automated: | ||||
|       prune: true | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
|     - CreateNamespace=true | ||||
| @@ -1,17 +0,0 @@ | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: external-dns | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: external-dns | ||||
|     targetRevision: HEAD | ||||
|   destination: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: external-dns | ||||
|   syncPolicy: | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
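--- /dev/null
+++ b/argocd/applications/external-snapshotter.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: external-snapshotter
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: external-snapshotter
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: kube-system
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true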
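Review bot: `CreateNamespace=true` is a no-op for the `kube-system` destination, and this is the only Application in the set that syncs with `prune: true` into that namespace rather than into one it owns (kube-system.yaml does the same for `path: kube-system`, so two Applications now share the namespace). As I understand Argo CD's tracking, prune only removes resources carrying this Application's tracking label or annotation, so unrelated kube-system objects are not affected, but a one-line comment above `namespace: kube-system` stating that the snapshotter manifests are expected to live there and are pruned as a unit would make the intent explicit for whoever next touches either file.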
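--- /dev/null
+++ b/argocd/applications/freescout.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: freescout
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: freescout
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: freescout
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true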
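--- /dev/null
+++ b/argocd/applications/frigate.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: frigate
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: frigate
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: frigate
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true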
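--- /dev/null
+++ b/argocd/applications/gitea.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gitea
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: gitea
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: gitea
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true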
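--- /dev/null
+++ b/argocd/applications/grafana.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: grafana
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: grafana
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: grafana
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true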
| @@ -1,17 +1,20 @@ | ||||
| --- | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: camtiler | ||||
|   name: hackerspace | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   project: k-space.ee | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: camtiler | ||||
|     path: hackerspace | ||||
|     targetRevision: HEAD | ||||
|   destination: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: camtiler | ||||
|     namespace: hackerspace | ||||
|   syncPolicy: | ||||
|     automated: | ||||
|       prune: true | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
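--- /dev/null
+++ b/argocd/applications/harbor-operator.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: harbor-operator
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: harbor-operator
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: harbor-operator
+  syncPolicy:
+    automated:
+     prune: true
+    syncOptions:
+      - CreateNamespace=true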
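Review bot: `     prune: true` under `automated:` is indented five spaces, whereas every other file in this set uses six; YAML still parses it as the child of `automated`, so behaviour is unaffected, but the odd indent reads like a typo and will keep showing up in diffs whenever the file is reformatted. Aligning it with its siblings, `      prune: true`, removes the inconsistency.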
| @@ -1,17 +0,0 @@ | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: keel | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: keel | ||||
|     targetRevision: HEAD | ||||
|   destination: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: keel | ||||
|   syncPolicy: | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
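--- /dev/null
+++ b/argocd/applications/kube-system.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kube-system
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: kube-system
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: kube-system
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true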
| @@ -1,10 +1,11 @@ | ||||
| --- | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: kubernetes-dashboard | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   project: k-space.ee | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: kubernetes-dashboard | ||||
| @@ -13,5 +14,7 @@ spec: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: kubernetes-dashboard | ||||
|   syncPolicy: | ||||
|     automated: | ||||
|       prune: true | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
| @@ -1,17 +0,0 @@ | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: logging | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: logging | ||||
|     targetRevision: HEAD | ||||
|   destination: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: logging | ||||
|   syncPolicy: | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
| @@ -1,22 +1,21 @@ | ||||
| --- | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: metallb-system | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   project: k-space.ee | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: metallb-system | ||||
|     # also depends on git@git.k-space.ee:secretspace/kube.git | ||||
|     repoURL: git@git.k-space.ee:k-space/kube.git | ||||
|     targetRevision: HEAD | ||||
|     path: metallb-system | ||||
|   destination: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: metallb-system | ||||
|   syncPolicy: | ||||
|     automated: | ||||
|       prune: true | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
|   ignoreDifferences: | ||||
|     - group: apiextensions.k8s.io | ||||
|       kind: CustomResourceDefinition | ||||
|       jqPathExpressions: | ||||
|         - '.spec.conversion.webhook.clientConfig.caBundle' | ||||
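--- /dev/null
+++ b/argocd/applications/minio-clusters.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: minio-clusters
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: minio-clusters
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: minio-clusters
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true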
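--- /dev/null
+++ b/argocd/applications/monitoring.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: monitoring
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: monitoring
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: monitoring
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true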
| @@ -1,17 +0,0 @@ | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: mysql-operator | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: mysql-operator | ||||
|     targetRevision: HEAD | ||||
|   destination: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: mysql-operator | ||||
|   syncPolicy: | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
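--- /dev/null
+++ b/argocd/applications/nextcloud.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nextcloud
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: nextcloud
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: nextcloud
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true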
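--- /dev/null
+++ b/argocd/applications/nyancat.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: nyancat
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: nyancat
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: nyancat
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true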
| @@ -1,17 +1,20 @@ | ||||
| --- | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: members | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   project: k-space.ee | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube-members.git' | ||||
|     path: . | ||||
|     repoURL: 'git@git.k-space.ee:secretspace/members.git' | ||||
|     path: members | ||||
|     targetRevision: HEAD | ||||
|   destination: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: members | ||||
|     namespace: passmower | ||||
|   syncPolicy: | ||||
|     automated: | ||||
|       prune: true | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
|     - CreateNamespace=true | ||||
| @@ -1,17 +1,18 @@ | ||||
| --- | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: harbor | ||||
|   name: passmower | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   project: k-space.ee | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: harbor | ||||
|     path: passmower | ||||
|     targetRevision: HEAD | ||||
|   destination: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: harbor | ||||
|     namespace: passmower | ||||
|   syncPolicy: | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
|     automated: | ||||
|       prune: true | ||||
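--- /dev/null
+++ b/argocd/applications/pgweb.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: pgweb
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: pgweb
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: pgweb
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true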
| @@ -1,17 +0,0 @@ | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: phpmyadmin | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: phpmyadmin | ||||
|     targetRevision: HEAD | ||||
|   destination: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: phpmyadmin | ||||
|   syncPolicy: | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
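--- /dev/null
+++ b/argocd/applications/prometheus-operator.yaml
@@ -0,0 +1,24 @@
+# Note: Do not put any Prometheus instances or exporters in this namespace, instead have them in `monitoring` namespace
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prometheus-operator
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: https://github.com/prometheus-operator/prometheus-operator.git
+    targetRevision: v0.82.0
+    path: .
+    kustomize:
+      namespace: prometheus-operator
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: prometheus-operator
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true # Resource is too big to fit in 262144 bytes allowed annotation size.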
| @@ -1,14 +0,0 @@ | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: prometheus-operator | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: prometheus-operator | ||||
|     targetRevision: HEAD | ||||
|   destination: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: prometheus-operator | ||||
| @@ -1,17 +0,0 @@ | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: reloader | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: reloader | ||||
|     targetRevision: HEAD | ||||
|   destination: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: reloader | ||||
|   syncPolicy: | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
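--- /dev/null
+++ b/argocd/applications/ripe87.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ripe87
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: ripe87
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: ripe87
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true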
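--- /dev/null
+++ b/argocd/applications/rook-ceph.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: rook-ceph
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: rook-ceph
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: rook-ceph
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true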
| @@ -1,10 +1,11 @@ | ||||
| --- | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: rosdump | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   project: k-space.ee | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: rosdump | ||||
| @@ -13,5 +14,7 @@ spec: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: rosdump | ||||
|   syncPolicy: | ||||
|     automated: | ||||
|       prune: true | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
|     - CreateNamespace=true | ||||
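--- /dev/null
+++ b/argocd/applications/secret-claim-operator.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: secret-claim-operator
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: https://github.com/codemowers/operatorlib
+    path: samples/secret-claim-operator
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: secret-claim-operator
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true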
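--- /dev/null
+++ b/argocd/applications/signs.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: signs
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: signs
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: signs
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true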
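--- a/argocd/applications/tigera-operator.yaml
+++ b/argocd/applications/tigera-operator.yaml
@@ -0,0 +1,24 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: tigera-operator
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: tigera-operator
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: tigera-operator
+    # also houses calico-system and calico-apiserver
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
+      - ServerSideApply=true # Resource is too big to fit in 262144 bytes allowed annotation size.
+      - Force=true # `--force-conflicts`, according to https://docs.tigera.io/calico/latest/operations/upgrading/kubernetes-upgrade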
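Review bot: `Force=true` on the last line applies `--force-conflicts` to every resource in this Application, not only to the oversized CRDs that motivated `ServerSideApply=true` on the line above, so each automated sync will overwrite fields owned by other field managers (including the operator itself) without surfacing a conflict. The inline comment cites the Calico upgrade guide but does not record that trade-off; suggest extending it to `# --force-conflicts per <Calico upgrade guide URL>; NOTE: applies to all resources in this app, overrides other field managers silently`. If a narrower scope is wanted, Argo CD also accepts the same options per resource through the `argocd.argoproj.io/sync-options` annotation, which would let the app-level entry be dropped.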
							
								
								
									
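--- a/argocd/applications/traefik.yaml
+++ b/argocd/applications/traefik.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: traefik
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    repoURL: 'git@git.k-space.ee:k-space/kube.git'
+    path: traefik
+    targetRevision: HEAD
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: traefik
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+    - CreateNamespace=true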
| @@ -1,17 +1,20 @@ | ||||
| --- | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: authelia | ||||
|   name: whoami | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   project: k-space.ee | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: authelia | ||||
|     path: whoami | ||||
|     targetRevision: HEAD | ||||
|   destination: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: authelia | ||||
|     namespace: whoami | ||||
|   syncPolicy: | ||||
|     automated: | ||||
|       prune: true | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
| @@ -1,17 +1,20 @@ | ||||
| --- | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: drone | ||||
|   name: wiki | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   project: k-space.ee | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: drone | ||||
|     path: wiki | ||||
|     targetRevision: HEAD | ||||
|   destination: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: drone | ||||
|     namespace: wiki | ||||
|   syncPolicy: | ||||
|     automated: | ||||
|       prune: true | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
| @@ -1,10 +1,11 @@ | ||||
| --- | ||||
| apiVersion: argoproj.io/v1alpha1 | ||||
| kind: Application | ||||
| metadata: | ||||
|   name: wildduck | ||||
|   namespace: argocd | ||||
| spec: | ||||
|   project: default | ||||
|   project: k-space.ee | ||||
|   source: | ||||
|     repoURL: 'git@git.k-space.ee:k-space/kube.git' | ||||
|     path: wildduck | ||||
| @@ -13,5 +14,7 @@ spec: | ||||
|     server: 'https://kubernetes.default.svc' | ||||
|     namespace: wildduck | ||||
|   syncPolicy: | ||||
|     automated: | ||||
|       prune: true | ||||
|     syncOptions: | ||||
|       - CreateNamespace=true | ||||
							
								
								
									
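--- a/argocd/applications/woodpecker.yaml
+++ b/argocd/applications/woodpecker.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: woodpecker
+  namespace: argocd
+spec:
+  project: k-space.ee
+  source:
+    # also depends on git@git.k-space.ee:secretspace/kube.git
+    repoURL: git@git.k-space.ee:k-space/kube.git
+    targetRevision: HEAD
+    path: woodpecker
+  destination:
+    server: 'https://kubernetes.default.svc'
+    namespace: woodpecker
+  syncPolicy:
+    automated:
+      prune: true
+    syncOptions:
+      - CreateNamespace=true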
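Review bot: The comment `# also depends on git@git.k-space.ee:secretspace/kube.git` under `source:` names a second repository that nothing in the manifest references, so a reader cannot tell how it is pulled in — the Application has a single `repoURL`. If the dependency is a remote resource fetched by the kustomization under `path: woodpecker`, the comment should say so, e.g. `# kustomization in ./woodpecker also fetches resources from git@git.k-space.ee:secretspace/kube.git; read access is via the key in argocd/deploy_key.pub`; if it is meant to be a second Argo CD source, `spec.sources` would express it declaratively. tigera-operator.yaml carries the same comment and the same ambiguity.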
							
								
								
									
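--- a/argocd/deploy_key.pub
+++ b/argocd/deploy_key.pub
@@ -0,0 +1,2 @@
+# used for git.k-space: k-space/kube, secretspace/kube, secretspace/members
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOxYpFf85Vnxw7WNb/V5dtZT0PJ4VbBhdBNscDd8TVv/ argocd.k-space.ee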
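Review bot: The header comment lists the three repositories the key is registered on but not the access level or where the private half is kept, which is what an operator rotating or revoking it needs; a single key shared by three repositories, two of them apparently private, means its private half unlocks all of them at once. Suggest `# read-only deploy key for git.k-space.ee: k-space/kube, secretspace/kube, secretspace/members` and a second line `# private key is held in the Argo CD repository-credential Secret <SECRET_NAME> in namespace argocd`, with the placeholder filled in and "read-only" corrected if the registration grants write.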
							
								
								
									
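--- a/argocd/redis.yaml
+++ b/argocd/redis.yaml
@@ -0,0 +1,50 @@
+---
+apiVersion: codemowers.cloud/v1beta1
+kind: SecretClaim
+metadata:
+  name: argocd-redis
+  namespace: argocd
+spec:
+  size: 32
+  mapping:
+    - key: redis-password
+      value: "%(plaintext)s"
+    - key: REDIS_URI
+      value: "redis://:%(plaintext)s@argocd-redis"
+---
+apiVersion: dragonflydb.io/v1alpha1
+kind: Dragonfly
+metadata:
+  name: argocd-redis
+  namespace: argocd
+spec:
+  authentication:
+    passwordFromSecret:
+      key: redis-password
+      name: argocd-redis
+  replicas: 3
+  resources:
+    limits:
+      cpu: 1000m
+      memory: 1Gi
+  topologySpreadConstraints:
+    - maxSkew: 1
+      topologyKey: topology.kubernetes.io/zone
+      whenUnsatisfiable: DoNotSchedule
+      labelSelector:
+        matchLabels:
+          app: argocd-redis
+          app.kubernetes.io/part-of: dragonfly
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: argocd-redis
+  namespace: argocd
+spec:
+  selector:
+    matchLabels:
+      app: argocd-redis
+      app.kubernetes.io/part-of: dragonfly
+  podMetricsEndpoints:
+    - port: admin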
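Review bot: The `REDIS_URI` mapping in the SecretClaim writes the generated password a second time, embedded in `redis://:%(plaintext)s@argocd-redis`, yet nothing in this commit appears to read that key — the Dragonfly resource consumes `redis-password` and the chart values' `externalRedis.existingSecret: argocd-redis` reads the same key by default. A credential copied into an extra key with no consumer is one more place it can leak (logs, debug dumps) and one more key to keep in step on rotation. If a consumer exists, add `# REDIS_URI is read by <component>` above the mapping; otherwise drop the `REDIS_URI` entry.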
| @@ -1,79 +1,29 @@ | ||||
| global: | ||||
|   logLevel: warn | ||||
|   domain: argocd.k-space.ee | ||||
|  | ||||
| # We use Authelia OIDC instead of Dex | ||||
| dex: | ||||
|   enabled: false | ||||
|  | ||||
| # Maybe one day switch to Redis HA? | ||||
| redis: | ||||
|   enabled: false | ||||
| redis-ha: | ||||
|   enabled: false | ||||
| externalRedis: | ||||
|   host: argocd-redis | ||||
|   existingSecret: argocd-redis | ||||
|  | ||||
| server: | ||||
|   # HTTPS is implemented by Traefik | ||||
|   extraArgs: | ||||
|     - --insecure | ||||
|   ingress: | ||||
|     enabled: true | ||||
|     annotations: | ||||
|       cert-manager.io/cluster-issuer: default | ||||
|       external-dns.alpha.kubernetes.io/target: traefik.k-space.ee | ||||
|       traefik.ingress.kubernetes.io/router.entrypoints: websecure | ||||
|       traefik.ingress.kubernetes.io/router.tls: "true" | ||||
|     hosts: | ||||
|     - argocd.k-space.ee | ||||
|     tls: | ||||
|     extraTls: | ||||
|      - hosts: | ||||
|        - argocd.k-space.ee | ||||
|        secretName: argocd-server-tls | ||||
|   configEnabled: true | ||||
|   config: | ||||
|     admin.enabled: "false" | ||||
|     url: https://argocd.k-space.ee | ||||
|     application.instanceLabelKey: argocd.argoproj.io/instance | ||||
|     oidc.config: | | ||||
|        name: Authelia | ||||
|        issuer: https://auth.k-space.ee | ||||
|        clientID: argocd | ||||
|        cliClientID: argocd | ||||
|        clientSecret: $oidc.config.clientSecret | ||||
|        requestedIDTokenClaims: | ||||
|          groups: | ||||
|            essential: true | ||||
|        requestedScopes: | ||||
|          - openid | ||||
|          - profile | ||||
|          - email | ||||
|          - groups | ||||
|     resource.customizations: | | ||||
|       # https://github.com/argoproj/argo-cd/issues/1704 | ||||
|       networking.k8s.io/Ingress: | ||||
|           health.lua: | | ||||
|             hs = {} | ||||
|             hs.status = "Healthy" | ||||
|             return hs | ||||
|  | ||||
|   # Members of ArgoCD Admins group in AD/Samba are allowed to administer Argo | ||||
|   rbacConfig: | ||||
|     policy.default: role:readonly | ||||
|     policy.csv: | | ||||
|       # Map AD groups to ArgoCD roles | ||||
|       g, Developers, role:developers | ||||
|       g, ArgoCD Admins, role:admin | ||||
|       # Allow developers to read objects | ||||
|       p, role:developers, applications, get, */*, allow | ||||
|       p, role:developers, certificates, get, *, allow | ||||
|       p, role:developers, clusters, get, *, allow | ||||
|       p, role:developers, repositories, get, *, allow | ||||
|       p, role:developers, projects, get, *, allow | ||||
|       p, role:developers, accounts, get, *, allow | ||||
|       p, role:developers, gpgkeys, get, *, allow | ||||
|       p, role:developers, logs, get, */*, allow | ||||
|       p, role:developers, applications, restart, default/camtiler, allow | ||||
|       p, role:developers, applications, override, default/camtiler, allow | ||||
|       p, role:developers, applications, action/apps/Deployment/restart, default/camtiler, allow | ||||
|       p, role:developers, applications, sync, default/camtiler, allow | ||||
|       p, role:developers, applications, update, default/camtiler, allow | ||||
|        - "*.k-space.ee" | ||||
|  | ||||
|   metrics: | ||||
|     enabled: true | ||||
| @@ -95,11 +45,64 @@ controller: | ||||
|     enabled: true | ||||
|  | ||||
| configs: | ||||
|   params: | ||||
|     server.insecure: true | ||||
|   rbac: | ||||
|     policy.default: role:admin | ||||
|     policy.csv: | | ||||
|       # Map AD groups to ArgoCD roles | ||||
|       g, Developers, role:developers | ||||
|       g, ArgoCD Admins, role:admin | ||||
|       # Allow developers to read objects | ||||
|       p, role:developers, applications, get, */*, allow | ||||
|       p, role:developers, certificates, get, *, allow | ||||
|       p, role:developers, clusters, get, *, allow | ||||
|       p, role:developers, repositories, get, *, allow | ||||
|       p, role:developers, projects, get, *, allow | ||||
|       p, role:developers, accounts, get, *, allow | ||||
|       p, role:developers, gpgkeys, get, *, allow | ||||
|       p, role:developers, logs, get, */*, allow | ||||
|       p, role:developers, applications, restart, default/camtiler, allow | ||||
|       p, role:developers, applications, override, default/camtiler, allow | ||||
|       p, role:developers, applications, action/apps/Deployment/restart, default/camtiler, allow | ||||
|       p, role:developers, applications, sync, default/camtiler, allow | ||||
|       p, role:developers, applications, update, default/camtiler, allow | ||||
|       # argocd-image-updater | ||||
|       p, role:image-updater, applications, get, */*, allow | ||||
|       p, role:image-updater, applications, update, */*, allow | ||||
|       g, image-updater, role:image-updater | ||||
|   cm: | ||||
|     kustomize.buildOptions: --enable-helm | ||||
|     admin.enabled: "false" | ||||
|     resource.customizations: | | ||||
|       # https://github.com/argoproj/argo-cd/issues/1704 | ||||
|       networking.k8s.io/Ingress: | ||||
|           health.lua: | | ||||
|             hs = {} | ||||
|             hs.status = "Healthy" | ||||
|             return hs | ||||
|       apiextensions.k8s.io/CustomResourceDefinition: | ||||
|           ignoreDifferences: | | ||||
|             jsonPointers: | ||||
|               - "x-kubernetes-validations" | ||||
|     oidc.config: | | ||||
|        name: OpenID Connect | ||||
|        issuer: https://auth.k-space.ee/ | ||||
|        clientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID | ||||
|        cliClientID: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_ID | ||||
|        clientSecret: $oidc-client-argocd-owner-secrets:OIDC_CLIENT_SECRET | ||||
|        requestedIDTokenClaims: | ||||
|          groups: | ||||
|            essential: true | ||||
|        requestedScopes: | ||||
|          - openid | ||||
|          - profile | ||||
|          - email | ||||
|          - groups | ||||
|   secret: | ||||
|     createSecret: false | ||||
|   knownHosts: | ||||
|     data: | ||||
|       ssh_known_hosts: | | ||||
|   ssh: | ||||
|     knownHosts: | | ||||
|         # Copy-pasted from `ssh-keyscan git.k-space.ee` | ||||
|         git.k-space.ee ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCF1+/TDRXuGwsu4SZQQwQuJusb7W1OciGAQp/ZbTTvKD+0p7fV6dXyUlWjdFmITrFNYDreDnMiOS+FvE62d2Z0= | ||||
|         git.k-space.ee ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDsLyRuubdIUnTKEqOipu+9x+FforrC8+oxulVrl0ECgdIRBQnLQXIspTNwuC3MKJ4z+DPbndSt8zdN33xWys8UNEs3V5/W6zsaW20tKiaX75WK5eOL4lIDJi/+E97+c0aZBXamhxTrgkRVJ5fcAkY6C5cKEmVM5tlke3v3ihLq78/LpJYv+P947NdnthYE2oc+XGp/elZ0LNfWRPnd///+ykbwWirvQm+iiDz7PMVKkb+Q7l3vw4+zneKJWAyFNrm+aewyJV9lFZZJuHliwlHGTriSf6zhMAWyJzvYqDAN6iT5yi9KGKw60J6vj2GLuK4ULVblTyP9k9+3iELKSWW5 | ||||
|   | ||||
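Review bot: `policy.default: role:admin` under `configs.rbac` makes every user who authenticates through the OIDC provider a full Argo CD administrator, which defeats the group-to-role mappings in the `policy.csv` block immediately below (Developers to role:developers, ArgoCD Admins to role:admin) and would also cover anonymous requests should `users.anonymous.enabled` ever be turned on. The superseded `server.rbacConfig` in the previous hunk used `policy.default: role:readonly`, so unless admin-for-everyone is intended, change the line to `    policy.default: role:readonly` so that write access stays with members of the ArgoCD Admins group. The side of this line is inferred from the hunk's line counts, as the +/- markers were lost in rendering; the enclosing `configs:` block continues past the end of the hunk.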
							
								
								
									
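--- a/authelia/.gitignore
+++ b/authelia/.gitignore
@@ -1,2 +0,0 @@
-application-secrets.y*ml
-oidc-secrets.y*ml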
| @@ -1,171 +0,0 @@ | ||||
| # Authelia | ||||
|  | ||||
| ## Background | ||||
|  | ||||
| Authelia works in conjunction with Traefik to provide SSO with | ||||
| credentials stored in Samba (Active Directory compatible) directory tree. | ||||
|  | ||||
| Samba resides outside Kubernetes cluster as it's difficuilt to containerize | ||||
| while keeping it usable from outside the cluster due to Samba's networking. | ||||
|  | ||||
| The MariaDB instance is used to store MFA tokens. | ||||
| KeyDB is used to store session info. | ||||
|  | ||||
|  | ||||
| ## Deployment | ||||
|  | ||||
| Inspect changes with `git diff` and proceed to deploy: | ||||
|  | ||||
| ``` | ||||
| kubectl apply -n authelia -f application.yml | ||||
| kubectl create secret generic -n authelia mysql-secrets \ | ||||
|     --from-literal=rootPassword=$(cat /dev/urandom | base64 | head -c 30) | ||||
| kubectl create secret generic -n authelia mariadb-secrets \ | ||||
|     --from-literal=MYSQL_ROOT_PASSWORD=$(cat /dev/urandom | base64 | head -c 30) \ | ||||
|     --from-literal=MYSQL_PASSWORD=$(cat /dev/urandom | base64 | head -c 30) | ||||
| kubectl -n authelia rollout restart deployment/authelia | ||||
| ``` | ||||
|  | ||||
| To change secrets create `secret.yml`: | ||||
|  | ||||
| ``` | ||||
| --- | ||||
| apiVersion: v1 | ||||
| kind: Secret | ||||
| type: Opaque | ||||
| metadata: | ||||
|   name: application-secrets | ||||
| data: | ||||
|   JWT_TOKEN: ... | ||||
|   SESSION_ENCRYPTION_KEY: ... | ||||
|   STORAGE_PASSWORD: ... | ||||
|   STORAGE_ENCRYPTION_KEY: ... | ||||
|   LDAP_PASSWORD: ... | ||||
|   STORAGE_PASSWORD: ... | ||||
|   SMTP_PASSWORD: ... | ||||
| ``` | ||||
|  | ||||
| Apply with: | ||||
|  | ||||
| ``` | ||||
| kubectl apply -n authelia -f application-secrets.yml  | ||||
| kubectl annotate -n authelia secret application-secrets reloader.stakater.com/match=true | ||||
| ``` | ||||
|  | ||||
| ## OIDC secrets | ||||
|  | ||||
| OIDC secrets are separated from the main configuration until | ||||
| Authelia will add CRD-s for these. | ||||
|  | ||||
| Generally speaking for untrusted applications, that is stuff that is running | ||||
| outside the Kubernetes cluster eg web browser based (JS) and | ||||
| local command line clients one | ||||
| should use `public: true` and omit `secret: ...`. | ||||
|  | ||||
| Populate `oidc-secrets.yml` with approximately following: | ||||
|  | ||||
| ``` | ||||
| identity_providers: | ||||
|   oidc: | ||||
|     clients: | ||||
|     - id: kubelogin | ||||
|       description: Kubernetes cluster | ||||
|       secret: ... | ||||
|       authorization_policy: two_factor | ||||
|       redirect_uris: | ||||
|       - http://localhost:27890 | ||||
|       scopes: | ||||
|       - openid | ||||
|       - groups | ||||
|       - email | ||||
|       - profile | ||||
|     - id: proxmox | ||||
|       description: Proxmox Virtual Environment | ||||
|       secret: ... | ||||
|       authorization_policy: two_factor | ||||
|       redirect_uris: | ||||
|       - https://pve.k-space.ee | ||||
|       scopes: | ||||
|       - openid | ||||
|       - groups | ||||
|       - email | ||||
|       - profile | ||||
|     - id: argocd | ||||
|       description: ArgoCD | ||||
|       secret: ... | ||||
|       authorization_policy: two_factor | ||||
|       redirect_uris: | ||||
|       - https://argocd.k-space.ee/auth/callback | ||||
|       scopes: | ||||
|       - openid | ||||
|       - groups | ||||
|       - email | ||||
|       - profile | ||||
|     - id: harbor | ||||
|       description: Harbor | ||||
|       secret: ... | ||||
|       authorization_policy: two_factor | ||||
|       redirect_uris: | ||||
|       - https://harbor.k-space.ee/c/oidc/callback | ||||
|       scopes: | ||||
|       - openid | ||||
|       - groups | ||||
|       - email | ||||
|       - profile | ||||
|     - id: gitea | ||||
|       description: Gitea | ||||
|       secret: ... | ||||
|       authorization_policy: one_factor | ||||
|       redirect_uris: | ||||
|       - https://git.k-space.ee/user/oauth2/authelia/callback | ||||
|       scopes: | ||||
|       - openid | ||||
|       - profile | ||||
|       - email | ||||
|       - groups | ||||
|       grant_types: | ||||
|       - refresh_token | ||||
|       - authorization_code | ||||
|       response_types: | ||||
|       - code | ||||
|       userinfo_signing_algorithm: none | ||||
|     - id: grafana | ||||
|       description: Grafana | ||||
|       secret: ... | ||||
|       authorization_policy: one_factor | ||||
|       redirect_uris: | ||||
|       - https://grafana.k-space.ee/login/generic_oauth | ||||
|       scopes: | ||||
|       - openid | ||||
|       - groups | ||||
|       - email | ||||
|       - profile | ||||
| ``` | ||||
|  | ||||
| To upload the file to Kubernetes secrets: | ||||
|  | ||||
| ``` | ||||
| kubectl -n authelia delete secret oidc-secrets | ||||
| kubectl -n authelia create secret generic oidc-secrets \ | ||||
|     --from-file=oidc-secrets.yml=oidc-secrets.yml | ||||
| kubectl annotate -n authelia secret oidc-secrets reloader.stakater.com/match=true | ||||
| kubectl -n authelia rollout restart deployment/authelia | ||||
| ``` | ||||
|  | ||||
| Synchronize OIDC secrets: | ||||
|  | ||||
| ``` | ||||
| kubectl -n argocd delete secret argocd-secret | ||||
| kubectl -n argocd create secret generic argocd-secret \ | ||||
|     --from-literal=server.secretkey=$(cat /dev/urandom | base64 | head -c 30) \ | ||||
|     --from-literal=oidc.config.clientSecret=$( \ | ||||
|       kubectl get secret -n authelia oidc-secrets -o json \ | ||||
|         | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \ | ||||
|         | jq '.identity_providers.oidc.clients[] | select(.id == "argocd") | .secret' -r) | ||||
| kubectl -n monitoring delete secret oidc-secret | ||||
| kubectl -n monitoring create secret generic oidc-secret \ | ||||
|     --from-literal=GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$( \ | ||||
|       kubectl get secret -n authelia oidc-secrets -o json \ | ||||
|         | jq '.data."oidc-secrets.yml"' -r | base64 -d | yq -o json \ | ||||
|         | jq '.identity_providers.oidc.clients[] | select(.id == "grafana") | .secret' -r) | ||||
| ``` | ||||