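---
# camtiler: stitches the per-camera streams into one tiled view, served at
# cams.k-space.ee/tiled by the camtiler Ingress below. Its network
# reachability is pinned down by the camera-tiler NetworkPolicy, which
# keys on the `component` label set on the pod template.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: camtiler
  annotations:
    # Keel polls the registry and force-redeploys whenever :latest changes,
    # so whatever the registry serves next is what runs.
    # Supply-chain caveat: a mutable tag with no digest pin or signature
    # check; the trust boundary is push access to harbor.k-space.ee/k-space.
    keel.sh/policy: force
    keel.sh/trigger: poll
spec:
  revisionHistoryLimit: 0
  replicas: 1
  selector:
    matchLabels:
      app: camtiler
  template:
    metadata:
      labels:
        app: camtiler
        # The NetworkPolicies select on `component`, not on `app`.
        component: camtiler
    spec:
      # Needs an API token: the camtiler Role grants `list services`,
      # presumably how the tiler discovers the camdetect backends.
      serviceAccountName: camtiler
      containers:
        - name: camtiler
          image: harbor.k-space.ee/k-space/camera-tiler:latest
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
            # Added: the remaining "restricted" Pod Security Standard
            # controls. A uid-1000 process has no effective capabilities to
            # lose, so these only close the setuid/file-capability escalation
            # path and apply the runtime's default seccomp filter (revert
            # seccompProfile if the image needs syscalls outside it).
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          # NOTE(review): no resources.requests/limits on any workload in
          # this file; sensible values depend on the real footprint, so
          # none are invented here.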
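---
# log-viewer-frontend: UI for the camera event log, served at
# cams.k-space.ee/ behind the Authelia middleware on the camtiler Ingress.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: log-viewer-frontend
  annotations:
    # Keel polls the registry and force-redeploys whenever :latest changes.
    # Mutable tag, no digest pin: whoever can push to this Harbor project
    # decides what runs here.
    keel.sh/policy: force
    keel.sh/trigger: poll
spec:
  revisionHistoryLimit: 0
  replicas: 2
  selector:
    matchLabels:
      app: log-viewer-frontend
  template:
    metadata:
      labels:
        app: log-viewer-frontend
    spec:
      # Added: nothing in this file binds RBAC to the namespace's default
      # ServiceAccount and a frontend has no reason to call the API, so
      # don't hand a token to a pod that could only leak it if compromised.
      # Drop this line again if the frontend turns out to use the API.
      automountServiceAccountToken: false
      containers:
        - name: log-viewer-frontend
          image: harbor.k-space.ee/k-space/log-viewer-frontend:latest
          # NOTE(review): this is the only workload in the file without a
          # securityContext, so it runs with whatever uid and writable root
          # fs the image defaults to. The block is left commented on the
          # assumption the image cannot yet run that way (e.g. it writes to
          # its root fs or binds a low port); fix the image, then re-enable
          # it and add allowPrivilegeEscalation: false, capabilities.drop
          # ["ALL"] and a RuntimeDefault seccompProfile.
          # securityContext:
          #   readOnlyRootFilesystem: true
          #   runAsNonRoot: true
          #   runAsUser: 1000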
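---
# log-viewer-backend: serves the event feed (cams.k-space.ee/events).
# Reads from MongoDB and MinIO; the log-viewer-backend NetworkPolicy is
# what constrains both connections.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: log-viewer-backend
  annotations:
    # Keel polls the registry and force-redeploys whenever :latest changes
    # (mutable tag, no digest pin).
    keel.sh/policy: force
    keel.sh/trigger: poll
spec:
  revisionHistoryLimit: 0
  replicas: 3
  selector:
    matchLabels:
      app: log-viewer-backend
  template:
    metadata:
      labels:
        app: log-viewer-backend
    spec:
      # Added: no ServiceAccount or RBAC is declared for this pod and its
      # credentials arrive via Secrets in env, not via the API, so don't
      # mount a token for it to leak. Remove if it does call the API server.
      automountServiceAccountToken: false
      containers:
        # NOTE(review): the container name reads like a typo for
        # `log-viewer-backend`; left unchanged because `kubectl logs -c`,
        # dashboards or alerts may already key on it.
        - name: log-backend-backend
          image: harbor.k-space.ee/k-space/log-viewer:latest
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
            # Added: the remaining "restricted" Pod Security Standard
            # controls. A uid-1000 process has no effective capabilities to
            # lose, so these only close the setuid/file-capability escalation
            # path and apply the runtime's default seccomp filter (revert
            # seccompProfile if the image needs syscalls outside it).
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          env:
            # Credentials are injected as env vars: visible to anything that
            # can exec into the pod or read /proc/<pid>/environ, the usual
            # trade-off for a 12-factor app.
            - name: MONGO_URI
              valueFrom:
                secretKeyRef:
                  # NOTE(review): a read-write credential for a viewer. If
                  # the backend only reads events, a read-only Mongo user
                  # would be least privilege — confirm against the app.
                  name: mongodb-application-readwrite
                  key: connectionString.standard
            - name: MINIO_BUCKET
              value: application
            # NOTE(review): this is the public Ingress hostname for MinIO
            # (see the minio Ingress below), so S3 traffic leaves for the
            # Traefik pods and comes back, whereas the log-viewer-backend
            # NetworkPolicy only allows egress to the MinIO pods on 9000
            # and nothing for DNS. Unless a cluster-wide policy fills that
            # gap the two are inconsistent; pointing MINIO_HOSTNAME at the
            # in-cluster MinIO service would match the policy and keep the
            # traffic inside the namespace.
            - name: MINIO_HOSTNAME
              value: cams-s3.k-space.ee
            - name: MINIO_PORT
              value: "443"
            - name: MINIO_SCHEME
              value: "https"
            - name: MINIO_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: minio-secret
                  key: secretkey
            - name: MINIO_ACCESS_KEY
              valueFrom:
                secretKeyRef:
                  name: minio-secret
                  key: accesskey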
---
# ClusterIP in front of the log-viewer-frontend pods. Only the camtiler
# Ingress (via Traefik) is meant to reach it; the matching NetworkPolicy
# enforces that at the pod level.
kind: Service
apiVersion: v1
metadata:
  name: log-viewer-frontend
spec:
  type: ClusterIP
  ports:
    # No targetPort, so it defaults to the same 3003 on the pod.
    - protocol: TCP
      port: 3003
  selector:
    app: log-viewer-frontend
---
# ClusterIP in front of the log-viewer-backend pods, routed from the
# camtiler Ingress under /events. The pod-level NetworkPolicy restricts
# callers to Traefik.
kind: Service
apiVersion: v1
metadata:
  name: log-viewer-backend
spec:
  type: ClusterIP
  ports:
    # No targetPort, so it defaults to the same 3002 on the pod.
    - protocol: TCP
      port: 3002
  selector:
    app: log-viewer-backend
---
# ClusterIP for the tiler, routed from the camtiler Ingress under /tiled.
# The scrape annotation is what Prometheus keys on; the camera-tiler
# NetworkPolicy correspondingly admits the monitoring/prometheus pods
# alongside Traefik.
kind: Service
apiVersion: v1
metadata:
  name: camtiler
  labels:
    component: camtiler
  annotations:
    prometheus.io/scrape: "true"
spec:
  type: ClusterIP
  ports:
    # No targetPort, so it defaults to the same 5001 on the pod.
    - protocol: TCP
      port: 5001
  selector:
    app: camtiler
    component: camtiler
---
# Identity for the tiler pods; its only grant is the camtiler Role below.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: camtiler
---
# Least-privilege grant for the tiler: enumerate Services in this
# namespace, nothing else — presumably how it finds the camdetect
# backends the operator creates. No get/watch, no other resources.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: camtiler
rules:
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["list"]
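---
# Binds the camtiler ServiceAccount to the camtiler Role (namespace-scoped).
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: camtiler
subjects:
  - kind: ServiceAccount
    name: camtiler
    # ServiceAccount subjects live in the core group, so "" is correct.
    apiGroup: ""
roleRef:
  kind: Role
  name: camtiler
  # Was "": the API server defaults an empty roleRef.apiGroup to the RBAC
  # group, so it worked, but spell it out the way the camera-operator
  # binding does so the two read the same and don't rely on defaulting.
  apiGroup: rbac.authorization.k8s.io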
---
# Public entry point for cams.k-space.ee. Every path on this host sits
# behind the Authelia SSO middleware declared below, which is the only
# authentication layer visible in this file for the three backends.
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: camtiler
  annotations:
    # Controller selection. This is the pre-1.18 annotation form;
    # spec.ingressClassName is the current one, but switching needs a
    # matching IngressClass object, which this file does not show.
    kubernetes.io/ingress.class: traefik
    # Certificates for the `tls:` section come from the cluster issuer
    # defined in ../cert-manager/issuer.yml.
    cert-manager.io/cluster-issuer: default
    # Bind the routers to Traefik's https:// entrypoint only. The global
    # http:// -> https:// redirect is set via `globalArguments` in
    # ../traefik/values.yml.
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    # Authelia forward-auth: requires a logged-in user and injects a
    # Remote-User header. Applied at Ingress level, so it covers /tiled,
    # /events and / alike. The backends can trust that header only because
    # the NetworkPolicies in this file let nothing but the Traefik pods
    # reach them — anything that bypassed Traefik could forge it.
    traefik.ingress.kubernetes.io/router.middlewares: traefik-sso@kubernetescrd
    # external-dns: CNAME cams.k-space.ee -> traefik.k-space.ee, whose A
    # record is created by the annotation in ../traefik/ingress.yml.
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
  tls:
    - hosts:
        - cams.k-space.ee
      secretName: camtiler-tls
  rules:
    - host: cams.k-space.ee
      http:
        # Listing order is cosmetic: the longest matching prefix wins,
        # so "/" is the catch-all.
        paths:
          - path: "/tiled"
            pathType: Prefix
            backend:
              service:
                name: camtiler
                port:
                  number: 5001
          - path: "/events"
            pathType: Prefix
            backend:
              service:
                name: log-viewer-backend
                port:
                  number: 3002
          - path: "/"
            pathType: Prefix
            backend:
              service:
                name: log-viewer-frontend
                port:
                  number: 3003
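---
# camera-operator: watches the `cams` custom resources (group k-space.ee)
# in this namespace and, judging by its Role, creates and removes the
# per-camera Deployments and Services. A single-replica StatefulSet
# rather than a Deployment presumably so two reconcilers never overlap
# during a rollout — confirm.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: camera-operator
  annotations:
    # Keel polls the registry and force-redeploys whenever :latest changes
    # (mutable tag, no digest pin).
    keel.sh/policy: force
    keel.sh/trigger: poll
spec:
  revisionHistoryLimit: 0
  replicas: 1
  serviceName: camera-operator
  selector:
    matchLabels:
      app: camera-operator
  template:
    metadata:
      labels:
        app: camera-operator
    spec:
      # Was the deprecated `serviceAccount:` alias; `serviceAccountName`
      # is the documented field and the API server treats the two alike.
      serviceAccountName: camera-operator
      containers:
        - name: camera-operator
          image: harbor.k-space.ee/k-space/camera-operator:latest
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
            # Added: the remaining "restricted" Pod Security Standard
            # controls; harmless for a uid-1000 process, which has no
            # effective capabilities to lose (revert seccompProfile if the
            # image needs syscalls outside the runtime default).
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
          env:
            # Own namespace via the downward API, so the operator can scope
            # its API calls to where its Role actually applies.
            - name: MY_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # NOTE(review): no NetworkPolicy in this file selects this pod, so
          # unlike the workloads it creates it has unrestricted egress.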
---
# What the operator may do, namespace-scoped (Role, not ClusterRole).
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: camera-operator
rules:
  # `get` without `list` stops the operator enumerating Secrets, but it
  # can still read any Secret in the namespace by name — including
  # minio-secret and the MongoDB credentials used by the backend. If the
  # set it needs is fixed, add `resourceNames` to pin it down.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
  # Per-camera child objects the operator creates and tears down.
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["create", "delete", "list", "update"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["create", "delete", "list", "update"]
  # Read-only on the Cam custom resources it reconciles.
  - apiGroups: ["k-space.ee"]
    resources: ["cams"]
    verbs: ["get", "list", "watch"]
---
# Binds the camera-operator ServiceAccount to the camera-operator Role.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: camera-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: camera-operator
subjects:
  # No apiGroup given: for a ServiceAccount subject it defaults to "".
  - kind: ServiceAccount
    name: camera-operator
---
# Identity for the operator pod; its grants are the camera-operator Role.
kind: ServiceAccount
apiVersion: v1
metadata:
  name: camera-operator
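---
# Isolates the per-camera motion-detect pods (label component=camdetect,
# created by the operator, not declared in this file). Anything not listed
# below is denied in both directions.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: camera-motion-detect
spec:
  podSelector:
    matchLabels:
      component: camdetect
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # The tiler pulls frames from the detectors. Added the port: the
    # camera-tiler policy already lets camtiler out only on 5000, so
    # mirroring it here costs nothing and keeps the restriction in force
    # even if that policy is later relaxed.
    - from:
        - podSelector:
            matchLabels:
              component: camtiler
      ports:
        - port: 5000
    # Prometheus in the monitoring namespace. Namespace AND pod selector
    # in the same entry, so not every pod in that namespace qualifies.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
          podSelector:
            matchLabels:
              app: prometheus
  egress:
    # The cameras themselves, outside the cluster; no port restriction.
    - to:
        - ipBlock:
            cidr: 100.102.0.0/16
    - to:
        - podSelector:
            matchLabels:
              app: mongodb-svc
      ports:
        - port: 27017
    - to:
        - podSelector:
            matchLabels:
              v1.min.io/tenant: minio
      ports:
        - port: 9000
    # NOTE(review): no egress rule for DNS (port 53). Resolving the
    # mongodb/minio names only works if a cluster-wide policy allows it
    # or the CNI does not enforce egress — confirm.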
---
# Isolates the tiler pods (component=camtiler): Traefik and Prometheus in,
# camdetect:5000 out, everything else denied.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: camera-tiler
spec:
  podSelector:
    matchLabels:
      component: camtiler
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Prometheus scrapes (the camtiler Service carries the scrape
    # annotation). Namespace AND pod selector in the same entry.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
          podSelector:
            matchLabels:
              app: prometheus
    # Traefik only: this is what makes the Authelia-injected Remote-User
    # header trustworthy, since no other pod can reach the tiler directly.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
  egress:
    # Frame source: the motion-detect pods, port 5000 only.
    - to:
        - podSelector:
            matchLabels:
              component: camdetect
      ports:
        - port: 5000
    # NOTE(review): nothing here admits the API server, although the
    # camtiler ServiceAccount is granted `list services`, nor DNS on port
    # 53. If egress is enforced, either those calls are not made or a
    # cluster-wide policy allows them — confirm before treating this as
    # the tiler's full egress surface.
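---
# Isolates the log-viewer-backend pods: Traefik in; MongoDB and MinIO out.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: log-viewer-backend
spec:
  podSelector:
    matchLabels:
      app: log-viewer-backend
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only the Traefik pods, so the Remote-User header set by the Authelia
    # middleware cannot be forged by another workload.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
  egress:
    # Added the port: the camera-motion-detect policy reaches the same
    # mongodb-svc pods on 27017 only, so keep this rule equally tight
    # (confirm the connection string in the Secret uses that port).
    - to:
        - podSelector:
            matchLabels:
              app: mongodb-svc
      ports:
        - port: 27017
    - to:
        - podSelector:
            matchLabels:
              v1.min.io/tenant: minio
      ports:
        - port: 9000
    # NOTE(review): the Deployment sets MINIO_HOSTNAME to cams-s3.k-space.ee
    # (the public Ingress), which resolves to Traefik, not to these MinIO
    # pods — and there is no DNS rule either. If egress is enforced, the
    # backend reaches MinIO only through some cluster-wide allowance; the
    # clean fix is to point the app at the in-cluster MinIO service so
    # this rule is the one that applies.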
---
# Isolates the log-viewer-frontend pods. `Egress` is listed in policyTypes
# with no egress rules, which is a full egress deny — fine for a UI whose
# calls to /events presumably come from the browser via the Ingress, not
# from the pod itself.
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  name: log-viewer-frontend
spec:
  podSelector:
    matchLabels:
      app: log-viewer-frontend
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Only Traefik may reach the frontend.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
---
# Public S3 endpoint for the camera data: cams-s3.k-space.ee -> the minio
# Service. Deliberately no Authelia middleware here: S3 clients
# authenticate per request with access keys (the same minio-secret the
# backend uses) and a browser-login redirect would break them. That makes
# MinIO's own access control the only gate on this host, so the
# `application` bucket must not carry an anonymous-read policy — confirm.
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: minio
  annotations:
    kubernetes.io/ingress.class: traefik
    cert-manager.io/cluster-issuer: default
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    external-dns.alpha.kubernetes.io/target: traefik.k-space.ee
spec:
  tls:
    - hosts:
        - cams-s3.k-space.ee
      secretName: cams-s3-tls
  rules:
    - host: cams-s3.k-space.ee
      http:
        paths:
          - path: "/"
            pathType: Prefix
            backend:
              service:
                # TLS terminates at Traefik; the hop to MinIO is presumably
                # plain HTTP on the Service's port 80.
                name: minio
                port:
                  number: 80