imfreedom/k8s-cluster

Update to cert-manager v0.11.0

2019-11-25, Gary Kramlich
066d5bdd0b2e
Update to cert-manager v0.11.0
# Prosody is an XMPP server. This manifest creates a Deployment for it. It
# handles virtual hosts for adium.im, imfreedom.org, as well as pidgin.im.
---
# Ingress that routes https://xmpp.imfreedom.org/ to the prosody Service on
# port 5280 (the port the Service names "http").
# NOTE(review): extensions/v1beta1 is the legacy Ingress API group; confirm the
# target cluster still serves it.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: prosody
  namespace: imfreedom
  labels:
    app: prosody
    role: app
  annotations:
    # Asks cert-manager to manage a certificate for the tls entry below.
    # NOTE(review): this file also declares an explicit Certificate that
    # writes the same Secret (prosody-tls-imfreedom). Two owners of one Secret
    # can lead to duplicate issuance; confirm that only one is intended.
    cert-manager.io/issuer: letsencrypt
    # Raw nginx configuration passed through to the ingress controller. It sets
    # X-Frame-Options so responses may only be framed by the same origin.
    # Because snippets are copied into the controller config, write access to
    # Ingress objects in this namespace should stay tightly restricted.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Frame-Options: SAMEORIGIN";
spec:
  tls:
    # conference.imfreedom.org has no routing rule below; presumably it is
    # listed here only so the certificate covers it -- TODO confirm.
    - secretName: prosody-tls-imfreedom
      hosts:
        - xmpp.imfreedom.org
        - conference.imfreedom.org
  rules:
    - host: xmpp.imfreedom.org
      http:
        paths:
          - path: /
            backend:
              serviceName: prosody
              servicePort: 5280
---
# cert-manager Certificate whose key pair is stored in the
# prosody-tls-imfreedom Secret. The Deployment in this file mounts that Secret
# read-only for Prosody, and the Ingress references it for HTTPS.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: prosody
  namespace: imfreedom
spec:
  secretName: prosody-tls-imfreedom
  # No kind is given; presumably this resolves to a namespaced Issuer called
  # letsencrypt, matching the cert-manager.io/issuer annotation on the Ingress.
  issuerRef:
    name: letsencrypt
  commonName: xmpp.imfreedom.org
  # NOTE(review): the Prosody config in this file declares
  # VirtualHost "imfreedom.org", which is not among these names. XMPP peers
  # normally validate the certificate against the JID domain; confirm how
  # imfreedom.org itself is covered.
  dnsNames:
    - xmpp.imfreedom.org
    - conference.imfreedom.org
---
# Service in front of the prosody pods. No type is set, so it is reachable
# only inside the cluster unless something else (here, the ingress controller)
# forwards traffic to it.
apiVersion: v1
kind: Service
metadata:
  name: prosody
  namespace: imfreedom
  labels:
    app: prosody
    role: app
spec:
  selector:
    app: prosody
    role: app
  # No targetPort is set, so each port maps to the same container port number.
  ports:
    # XMPP client-to-server.
    - name: c2s
      protocol: TCP
      port: 5222
    # XMPP server-to-server.
    - name: s2s
      protocol: TCP
      port: 5269
    # Prosody's HTTP listener, the backend of the Ingress in this file.
    - name: http
      protocol: TCP
      port: 5280
---
# Restricts inbound traffic to the prosody pods: only the ingress controller
# pods may connect, and only on the three Prosody ports.
# There are no egress rules and no policyTypes entry, so this policy does not
# restrict outbound traffic from the pods.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: prosody
  namespace: imfreedom
  labels:
    app: prosody
    role: app
spec:
  podSelector:
    matchLabels:
      app: prosody
      role: app
  ingress:
    - ports:
        - protocol: TCP
          port: 5222
        - protocol: TCP
          port: 5269
        - protocol: TCP
          port: 5280
      from:
        # namespaceSelector and podSelector sit in the SAME list item, so a
        # peer must match both. Splitting them into two items would turn this
        # into an OR and admit every pod in the selected namespace.
        # NOTE(review): this relies on the kube-public namespace carrying a
        # "name: kube-public" label; verify the label is actually set,
        # otherwise no peer matches.
        - namespaceSelector:
            matchLabels:
              name: kube-public
          podSelector:
            matchLabels:
              app: ingress
              role: controller
---
# Prosody configuration for the imfreedom.org virtual host and its MUC
# component. The Deployment in this file mounts this ConfigMap read-only at
# /etc/prosody/conf.d/ and the TLS Secret at /etc/prosody/certs/imfreedom/.
# NOTE(review): the VirtualHost-level "certificate" option points at
# imfreedom/tls.crt while both ssl tables use certs/imfreedom/tls.crt; confirm
# that both resolve to the mounted Secret.
# NOTE(review): jetbrains_hub_groups is presumably read by a site-specific
# module to limit accounts to those groups -- verify against the image.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: imfreedom
  name: prosody-config
data:
  imfreedom.cfg.lua: |
    VirtualHost "imfreedom.org"
    certificate = "imfreedom/tls.crt"
    jetbrains_hub_groups = { "IMF Board Member", "IMF Officer" }
    http_host = "xmpp.imfreedom.org"
    http_external_url = "https://xmpp.imfreedom.org/"
    ssl = {
    certificate = "certs/imfreedom/tls.crt";
    key = "certs/imfreedom/tls.key";
    }
    Component "conference.imfreedom.org" "muc"
    ssl = {
    certificate = "certs/imfreedom/tls.crt";
    key = "certs/imfreedom/tls.key";
    }
---
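# Single-replica Prosody deployment. State lives on the "prosody"
# PersistentVolumeClaim; secrets, configuration and the TLS key pair are
# mounted read-only.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: prosody
  namespace: imfreedom
  labels:
    app: prosody
    role: app
spec:
  replicas: 1
  # Recreate stops the old pod before the new one starts; presumably chosen so
  # that two pods never run against the ReadWriteOnce data volume at once.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: prosody
      role: app
  template:
    metadata:
      labels:
        app: prosody
        role: app
    spec:
      securityContext:
        runAsUser: 101
        fsGroup: 101
        # Makes the kubelet refuse to start the container as UID 0 should the
        # runAsUser setting above ever be removed or overridden.
        runAsNonRoot: true
      containers:
        - name: prosody
          # NOTE(review): ":latest" is a mutable tag, so every pod restart may
          # pull different, unreviewed image contents. Pin to a reviewed tag or
          # digest, e.g. docker.io/rwgrim/prosody@sha256:<DIGEST-PLACEHOLDER>.
          image: docker.io/rwgrim/prosody:latest
          # The process runs as UID 101 and listens only on ports above 1024,
          # so it needs no capabilities and no way to gain privileges.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - containerPort: 5222
            - containerPort: 5269
            - containerPort: 5280
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
            # Writable Prosody data directory, stored under "home" on the PVC.
            - name: homedir
              mountPath: /var/lib/prosody
              subPath: home
              readOnly: false
            - name: secrets
              mountPath: /etc/prosody/secrets.d/
              readOnly: true
            - name: config
              mountPath: /etc/prosody/conf.d/
              readOnly: true
            # Certificate and private key issued by cert-manager.
            - name: tls-imfreedom
              mountPath: /etc/prosody/certs/imfreedom/
              readOnly: true
      volumes:
        - name: homedir
          persistentVolumeClaim:
            claimName: prosody
        - name: secrets
          secret:
            secretName: prosody
        - name: config
          configMap:
            name: prosody-config
        - name: tls-imfreedom
          secret:
            secretName: prosody-tls-imfreedom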
---
# Claim backing /var/lib/prosody in the Deployment in this file.
# No storageClassName is set, so the cluster's default class (if any) applies.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: prosody
  namespace: imfreedom
  labels:
    app: prosody
    role: app
spec:
  resources:
    requests:
      storage: 2Gi
  accessModes:
    - ReadWriteOnce
---