imfreedom/k8s-cluster

Move 50-hub.imfreedom.org to kustomize

2021-06-17, Gary Kramlich
20da8b38faa3
Move 50-hub.imfreedom.org to kustomize
---
# Raw TCP passthrough for hgkeeper's SSH listener. SSH carries no SNI, so the
# catch-all HostSNI(`*`) is the only matcher Traefik can apply to non-TLS TCP;
# there is deliberately no `tls` stanza — SSH provides its own transport
# security and Traefik just forwards bytes to the `keep` Service.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: keep-ssh
  namespace: roost
spec:
  # Dedicated TCP entry point; it must be declared in Traefik's static config.
  entryPoints: [keep-ssh]
  routes:
    - kind: Rule
      match: 'HostSNI(`*`)'
      services:
        - name: keep
          port: 22222
---
# Plain-HTTP listener for keep.imfreedom.org. Judging by its name, the
# `https-redirect` middleware bounces clients to the TLS route below; Traefik
# still requires a backend service on the route, hence keep-http is listed.
# The middleware is not defined in this file and is resolved in this
# namespace (roost) unless referenced with an explicit namespace.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: keep-http
  namespace: roost
spec:
  entryPoints: [http]
  routes:
    - kind: Rule
      match: 'Host(`keep.imfreedom.org`)'
      middlewares:
        - name: https-redirect
      services:
        - name: keep-http
          port: 8080
---
# TLS front door for keep.imfreedom.org. Traefik terminates TLS with the
# `keep-tls` Secret (populated by the Certificate resource below) and proxies
# to the keep-http Service in clear text inside the cluster — acceptable only
# because the NetworkPolicy below limits who can talk to the pod.
# `common-headers` and `hsts-headers` are middlewares defined outside this
# file; HSTS is only meaningful on this HTTPS route, not on the redirect route.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: keep-https
  namespace: roost
spec:
  entryPoints: [https]
  tls:
    secretName: keep-tls
  routes:
    - kind: Rule
      match: 'Host(`keep.imfreedom.org`)'
      middlewares:
        - name: common-headers
        - name: hsts-headers
      services:
        - name: keep-http
          port: 8080
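---
# Let's Encrypt certificate for keep.imfreedom.org, written by cert-manager into
# the `keep-tls` Secret that the keep-https IngressRoute consumes.
# NOTE(review): cert-manager.io/v1alpha2 is a deprecated API version. The spec
# below is accepted unchanged under cert-manager.io/v1, but only a cert-manager
# release that serves v1 can take it — confirm the installed version before
# bumping apiVersion here.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: keep-tls
  namespace: roost
spec:
  secretName: keep-tls
  issuerRef:
    name: letsencrypt
    # cert-manager defaults a missing kind to a namespaced Issuer (looked up in
    # roost). Stated explicitly so a later switch to a ClusterIssuer is a
    # deliberate edit rather than a silent lookup failure.
    kind: Issuer
  commonName: keep.imfreedom.org
  dnsNames:
    - keep.imfreedom.org
  privateKey:
    # Generate a new private key on every renewal. The default (Never) reuses
    # the original key for the lifetime of the Certificate, so a key leaked
    # once stays valid across all future renewals. Requires a cert-manager
    # release that knows spec.privateKey (all 1.x releases do) — verify before
    # applying.
    rotationPolicy: Always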
---
# ClusterIP Service in front of hgkeeper's HTTP port (8080). Both the
# keep-http and keep-https IngressRoutes point here; nothing else is expected
# to, and the NetworkPolicy enforces that.
apiVersion: v1
kind: Service
metadata:
  name: keep-http
  namespace: roost
  labels:
    app: hgkeeper
spec:
  selector:
    app: hgkeeper
  ports:
    - protocol: TCP
      port: 8080
      targetPort: 8080   # identical to `port`; spelled out for readers
---
# ClusterIP Service for hgkeeper's SSH port (22222), the target of the
# keep-ssh IngressRouteTCP.
apiVersion: v1
kind: Service
metadata:
  name: keep
  namespace: roost
  labels:
    app: hgkeeper
spec:
  selector:
    app: hgkeeper
  ports:
    - protocol: TCP
      port: 22222
      targetPort: 22222   # identical to `port`; spelled out for readers
---
# Public half of the admin's SSH key. The Deployment's init container points
# HGK_ADMIN_PUBKEY at /config/admin-pubkey, where this ConfigMap is mounted.
# A public key is not secret, so a ConfigMap is the right home — but it is the
# root of trust for the admin account, so treat changes to it as privileged.
apiVersion: v1
kind: ConfigMap
metadata:
  name: keep-configmap
  namespace: roost
data:
  # `|` (not `|-`) keeps the trailing newline, like an authorized_keys line.
  admin-pubkey: |
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP/mCAuMfKq4ukgGufiERyddsPIj2/KNXzB+gDTjHBGl grim@spectre
---
# Only Traefik controller pods may reach hgkeeper, and only on its two service
# ports. Selecting the pod with an Ingress policy denies every other ingress
# source by default — provided the cluster's CNI enforces NetworkPolicy at all
# (silently a no-op otherwise; verify on this cluster).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: keep
  namespace: roost
  labels:
    app: hgkeeper
spec:
  podSelector:
    matchLabels:
      app: hgkeeper
  # Ingress only (the implicit default when no egress rules are present):
  # the pod's outbound traffic is unrestricted.
  policyTypes: [Ingress]
  ingress:
    - from:
        # namespaceSelector and podSelector inside ONE list element are ANDed:
        # the peer must be a traefik controller pod AND live in a namespace
        # labelled name=kube-public. That `name` label is not set by
        # Kubernetes itself, so it has to be applied to the namespace by hand.
        - namespaceSelector:
            matchLabels:
              name: kube-public
          podSelector:
            matchLabels:
              app: traefik
              role: controller
      ports:
        - protocol: TCP
          port: 8080
        - protocol: TCP
          port: 22222
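---
# hgkeeper (Mercurial hosting) server. A single replica with the Recreate
# strategy: the repo volume is ReadWriteOnce, so two pods must never hold it
# at once during a rollout.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keep
  namespace: roost
  labels:
    app: hgkeeper
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hgkeeper
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: hgkeeper
    spec:
      # Nothing here talks to the Kubernetes API; don't project a token that a
      # compromised hgkeeper process could use.
      automountServiceAccountToken: false
      securityContext:
        runAsUser: 22271
        # Fail to start rather than run as uid 0 if the image's USER or the
        # runAsUser above is ever removed.
        runAsNonRoot: true
        # Container runtime's default seccomp profile (Kubernetes >= 1.19;
        # older API servers drop the field silently instead of rejecting it).
        seccompProfile:
          type: RuntimeDefault
        # fsGroup: 22271
      initContainers:
        - name: setup
          # NOTE(review): `latest` + `Always` means every pod (re)start may pull
          # a different image than the last one. Pin a tag or, better, a
          # digest so what runs is what was reviewed.
          image: docker.io/rwgrim/hgkeeper:latest
          imagePullPolicy: Always
          # First-boot only: create the admin user/repo unless the data
          # directory already exists on the persistent volume.
          command: ["sh", "-c", "test -d /repos/hgkeeper || hgkeeper setup"]
          env:
            - name: HGK_ADMIN_USERNAME
              value: grim
            - name: HGK_ADMIN_PUBKEY
              value: /config/admin-pubkey   # file projected from keep-configmap
            - name: HGK_REPOS_PATH
              value: /repos
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            - mountPath: /repos
              name: keep
              readOnly: false
              subPath: repos
            - mountPath: /config
              name: keep-configmap
              readOnly: true
      containers:
        - name: hgkeeper
          image: docker.io/rwgrim/hgkeeper:latest   # see the pinning note above
          imagePullPolicy: Always
          command: ["hgkeeper", "serve"]
          env:
            - name: TMPDIR
              value: /tmp   # backed by the keep-tmp emptyDir below
            - name: HGK_REPOS_PATH
              value: /repos
            - name: HGK_SSH_HOST_KEYS_PATH
              value: /host-keys   # Secret `keep`, mounted read-only below
          ports:
            - containerPort: 8080    # HTTP, fronted by the keep-http Service
            - containerPort: 22222   # SSH, fronted by the keep Service
          resources:
            limits:
              cpu: 1000m
              memory: 512Mi
            requests:
              cpu: 500m
              memory: 128Mi
          securityContext:
            # Both ports are unprivileged (> 1024), so no capability is needed
            # to bind them.
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
            # NOTE(review): readOnlyRootFilesystem: true is the obvious next
            # step — /tmp and /repos are already separate mounts — but confirm
            # hgkeeper writes nowhere else in the image before enabling it.
          volumeMounts:
            - mountPath: /repos
              name: keep
              readOnly: false
              subPath: repos
            - mountPath: /host-keys
              name: keep-ssh-host-keys
              readOnly: true
            - mountPath: /tmp
              name: keep-tmp
              readOnly: false
      volumes:
        - name: keep
          persistentVolumeClaim:
            claimName: keep
        - name: keep-configmap
          configMap:
            name: keep-configmap
        - name: keep-ssh-host-keys
          # The `keep` Secret (SSH host keys) is not defined in this file; it
          # must be created out of band or the pod stays in ContainerCreating.
          secret:
            secretName: keep
        - name: keep-tmp
          emptyDir: {}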
---
# 30 GiB repository store for hgkeeper. `volumeName` pins the claim to one
# specific, pre-existing PV: if that PV is ever gone the claim stays Pending
# instead of being satisfied by a fresh, empty volume — which is the safer
# failure for a data store.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: keep
  namespace: roost
  labels:
    app: hgkeeper
spec:
  volumeName: pvc-fdabb9b0-68d2-4c13-9d6f-6a6dbcd34a38
  # Single-writer volume; the Deployment uses the Recreate strategy because
  # of this.
  accessModes: [ReadWriteOnce]
  resources:
    requests:
      storage: 30Gi
---
# Gemini (Fairwinds) snapshot schedule for the repo PVC: a snapshot every
# 12 hours with two retained, i.e. roughly one day of rollback. Volume
# snapshots normally live on the same storage backend as the volume, so this
# is a point-in-time safety net, not an off-site backup.
apiVersion: gemini.fairwinds.com/v1beta1
kind: SnapshotGroup
metadata:
  name: keep
  namespace: roost
spec:
  persistentVolumeClaim:
    claimName: keep
  schedule:
    - every: 12 hours
      keep: 2
---