# Etherpad deployment for the `etherpad` namespace: the application
# StatefulSet, its Service and Ingress, a NetworkPolicy scoping its
# traffic, plus a second NetworkPolicy and an InnoDBCluster for a
# MySQL-operator managed database.
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: etherpad
  namespace: etherpad
  annotations:
    # keel polls the registry nightly and follows minor image updates
    keel.sh/policy: minor
    keel.sh/trigger: poll
    keel.sh/pollSchedule: "@midnight"
spec:
  # Etherpad does NOT support running multiple replicas due to
  # in-application caching https://github.com/ether/etherpad-lite/issues/3680
  replicas: 1
  serviceName: etherpad
  selector:
    matchLabels:
      app: etherpad
  template:
    metadata:
      labels:
        app: etherpad
    spec:
      containers:
        - name: etherpad
          image: etherpad/etherpad:1
          securityContext:
            # Etherpad writes its session key at startup, so the root
            # filesystem cannot be read-only.
            readOnlyRootFilesystem: false
            runAsNonRoot: true
            runAsUser: 5001
            # NOTE(review): no allowPrivilegeEscalation/capabilities
            # settings here; dropping capabilities would tighten this
            # further — confirm against the image before adding.
          ports:
            - containerPort: 9001
          env:
            # Database connection: an external MariaDB host, matched by
            # the egress rule in the `etherpad` NetworkPolicy below.
            - name: DB_TYPE
              value: mysql
            - name: DB_HOST
              value: 172.20.36.1
            - name: DB_NAME
              value: kspace_etherpad
            - name: DB_USER
              value: kspace_etherpad
            # Pad UI defaults; quoted so they stay strings for the app
            - name: PAD_OPTIONS_NO_COLORS
              value: "true"
            - name: PAD_OPTIONS_USE_MONOSPACE_FONT
              value: "true"
            - name: PAD_OPTIONS_SHOW_CHAT
              value: "false"
            # Behind the Traefik ingress, so forwarded headers are trusted
            - name: TRUST_PROXY
              value: "true"
            # Credentials come from Secrets, never inline
            - name: ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: application-secrets
                  key: ADMIN_PASSWORD
            - name: DB_PASS
              valueFrom:
                secretKeyRef:
                  name: mariadb-secrets
                  key: MYSQL_PASSWORD
---
apiVersion: v1
kind: Service
metadata:
  name: etherpad
  namespace: etherpad
spec:
  # Cluster-internal only; exposure happens through the Ingress
  type: ClusterIP
  selector:
    app: etherpad
  ports:
    - protocol: TCP
      port: 9001
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: etherpad
  namespace: etherpad
  annotations:
    kubernetes.io/ingress.class: traefik
    # Certificate issued by cert-manager, stored in the `pad-tls` Secret
    cert-manager.io/cluster-issuer: default
    # HTTPS entrypoint only
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
  rules:
    - host: pad.k-space.ee
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: etherpad
                port:
                  number: 9001
  tls:
    - hosts:
        - pad.k-space.ee
      secretName: pad-tls
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: etherpad
  namespace: etherpad
spec:
  podSelector:
    matchLabels:
      app: etherpad
  # Both directions are restricted; anything not listed is denied
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the ingress controller namespace may reach the app port
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
      ports:
        - protocol: TCP
          port: 9001
  egress:
    # Only the database host (DB_HOST above) on the MySQL port.
    # NOTE(review): no DNS egress is allowed, which is fine only as long
    # as DB_HOST stays an IP literal.
    - to:
        - ipBlock:
            cidr: 172.20.36.1/32
      ports:
        - protocol: TCP
          port: 3306
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: mysql-operator
  # NOTE(review): unlike the other objects this one sets no namespace,
  # so it lands wherever it is applied — confirm this is intended.
spec:
  # NOTE(review): this selects the etherpad pods, yet the rules below
  # describe traffic between MySQL pods (port 3306); verify whether
  # `app.kubernetes.io/managed-by: mysql-operator` was meant here.
  podSelector:
    matchLabels:
      app: etherpad
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # TODO: Not sure why mysql-operator needs to be able to connect
    - from:
        - namespaceSelector:
            matchExpressions:
              - key: kubernetes.io/metadata.name
                operator: In
                values:
                  - mysql-operator
      ports:
        - protocol: TCP
          port: 3306
    # Allow connecting from other MySQL pods in same namespace
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/managed-by: mysql-operator
      ports:
        - protocol: TCP
          port: 3306
  egress:
    # Allow connecting to other MySQL pods in same namespace
    - to:
        - podSelector:
            matchLabels:
              app.kubernetes.io/managed-by: mysql-operator
      ports:
        - protocol: TCP
          port: 3306
---
apiVersion: mysql.oracle.com/v2
kind: InnoDBCluster
metadata:
  name: mysql-cluster
spec:
  # Root credentials are read from this Secret by the operator
  secretName: mysql-secrets
  instances: 3
  router:
    instances: 1
  # Self-signed TLS between cluster members (no external CA involved)
  tlsUseSelfSigned: true
  datadirVolumeClaimTemplate:
    storageClassName: local-path
    accessModes:
      - ReadWriteOnce
    resources:
      requests:
        storage: "10Gi"
  podSpec:
    # Keep each instance on a different node, pinned to storage nodes
    affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
                - key: app.kubernetes.io/managed-by
                  operator: In
                  values:
                    - mysql-operator
            topologyKey: kubernetes.io/hostname
    nodeSelector:
      dedicated: storage
    tolerations:
      - key: dedicated
        operator: Equal
        value: storage
        effect: NoSchedule