
Move 50-hub.imfreedom.org to kustomize

2021-06-17, Gary Kramlich
20da8b38faa3
Move 50-hub.imfreedom.org to kustomize
# Prosody is an xmpp server. This manifest creates a deployment for it. It
# handles virtualhosts for adium.im, imfreedom.org, as well as pidgin.im.
# NOTE(review): the prosody-config ConfigMap further down defines
# imfreedom.org, pidgin.im and pidginchat.com; adium.im does not appear
# anywhere in this file — confirm whether the sentence above is stale.
---
# Plain-HTTP router for the imfreedom.org web endpoints (xmpp. and
# conference.). The https-redirect middleware is defined elsewhere (not on
# this page); by its name it presumably sends clients to the TLS router
# below rather than letting the prosody:5280 backend answer in the clear.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: xmpp-imfreedom-http
  namespace: roost
spec:
  entryPoints:
    - http
  routes:
    - match: Host(`xmpp.imfreedom.org`) || Host(`conference.imfreedom.org`)
      kind: Rule
      services:
        - name: prosody
          port: 5280
      middlewares:
        - name: https-redirect
---
# TLS router for the imfreedom.org web endpoints. Traefik terminates TLS
# with the imfreedom-tls secret (the same secret the prosody pod mounts under
# certs/imfreedom/) and forwards to the Service port named `http` (5280), so
# the in-cluster hop from Traefik to prosody is plain HTTP.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: xmpp-imfreedom
  namespace: roost
spec:
  entryPoints:
    - https
  routes:
    - match: Host(`xmpp.imfreedom.org`) || Host(`conference.imfreedom.org`)
      kind: Rule
      services:
        - name: prosody
          port: 5280
  tls:
    secretName: imfreedom-tls
---
# Plain-HTTP router for the pidgin.im web endpoints; mirrors
# xmpp-imfreedom-http. Same https-redirect middleware, same prosody:5280
# backend.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: xmpp-pidgin-http
  namespace: roost
spec:
  entryPoints:
    - http
  routes:
    - match: Host(`xmpp.pidgin.im`) || Host(`conference.pidgin.im`)
      kind: Rule
      services:
        - name: prosody
          port: 5280
      middlewares:
        - name: https-redirect
---
# TLS router for the pidgin.im web endpoints. TLS is terminated by Traefik
# using the pidgin-tls secret (also mounted into the prosody pod under
# certs/pidgin/); the backend hop to prosody:5280 is plain HTTP.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: xmpp-pidgin
  namespace: roost
spec:
  entryPoints:
    - https
  routes:
    - match: Host(`xmpp.pidgin.im`) || Host(`conference.pidgin.im`)
      kind: Rule
      services:
        - name: prosody
          port: 5280
  tls:
    secretName: pidgin-tls
---
# Raw TCP pass-through for XMPP client connections (5222). HostSNI(`*`)
# matches every connection regardless of SNI; Traefik requires this form for
# TCP routers that do not terminate TLS. TLS for c2s is therefore prosody's
# job, using the certificates referenced in the `ssl` tables of
# prosody-config, not Traefik's.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: prosody-c2s
  namespace: roost
spec:
  entryPoints:
    - xmpp-c2s
  routes:
    - match: HostSNI(`*`)
      kind: Rule
      services:
        - name: prosody
          port: 5222
---
# Raw TCP pass-through for server-to-server XMPP (5269); same shape as
# prosody-c2s. Nothing here restricts which remote servers may connect —
# that is left to prosody (note that pidginchat.com disables s2s entirely in
# prosody-config).
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: prosody-s2s
  namespace: roost
spec:
  entryPoints:
    - xmpp-s2s
  routes:
    - match: HostSNI(`*`)
      kind: Rule
      services:
        - name: prosody
          port: 5269
---
# ClusterIP Service fronting the prosody pod. Port names are what the
# IngressRoutes, IngressRouteTCPs and ServiceMonitors in this file refer to.
# `https` (5281) is exposed here but no IngressRoute in this file targets it
# and the NetworkPolicy below admits it from nowhere; the `telnet` console
# port declared on the container is deliberately not listed.
apiVersion: v1
kind: Service
metadata:
  namespace: roost
  labels:
    app: prosody
    role: app
  name: prosody
spec:
  ports:
    - name: c2s
      port: 5222
      protocol: TCP
    - name: s2s
      port: 5269
      protocol: TCP
    - name: http
      port: 5280
      protocol: TCP
    - name: https
      port: 5281
      protocol: TCP
  selector:
    app: prosody
    role: app
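---
# Inbound allow-list for the prosody pod. Because the policy selects the pod
# and carries only ingress rules, any inbound connection not matched below
# is denied; egress is not restricted by this policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  namespace: roost
  name: prosody
  labels:
    app: prosody
    role: app
spec:
  podSelector:
    matchLabels:
      app: prosody
      role: app
  # Stated explicitly so the ingress-only intent survives future edits
  # (an added egress stanza, or an emptied ingress list, would otherwise
  # change what the policy covers).
  policyTypes:
    - Ingress
  ingress:
    # Traefik controller pods in kube-public, on the three ports the
    # IngressRoutes use. namespaceSelector and podSelector are in the same
    # `from` element so BOTH must match; splitting them into two elements
    # would admit every pod in kube-public. Port 5582 (telnet console) and
    # 5281 are not admitted by any rule.
    - from:
        - namespaceSelector:
            matchLabels:
              name: kube-public
          podSelector:
            matchLabels:
              app: traefik
              role: controller
      ports:
        - port: 5222
          protocol: TCP
        - port: 5269
          protocol: TCP
        - port: 5280
          protocol: TCP
    # Prometheus pods in the monitoring namespace may scrape 5280 only.
    # NOTE(review): a ServiceMonitor in this file scrapes the Service port
    # named `https` (5281); this rule drops those scrapes. Either add 5281
    # here or point that monitor at `http`.
    - from:
        - namespaceSelector:
            matchLabels:
              name: monitoring
          podSelector:
            matchLabels:
              app: prometheus
      ports:
        - port: 5280
          protocol: TCP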
---
# Per-VirtualHost prosody configuration. The Deployment mounts this
# ConfigMap read-only at /etc/prosody/conf.d/ and the TLS secrets under
# /etc/prosody/certs/<name>/, which is where the certs/<name>/tls.* paths in
# the `ssl` tables point.
# NOTE(review): the bare `certificate = "<name>/tls.crt"` lines omit the
# certs/ prefix that the `ssl` tables use; which consumer reads that key is
# not visible here — confirm the path is what it expects.
# `jetbrains_hub_groups` is not a stock prosody option; presumably read by a
# module in the rwgrim/prosody image (the commit title mentions hub).
apiVersion: v1
kind: ConfigMap
metadata:
  name: prosody-config
  namespace: roost
data:
  # imfreedom.org: XMPP host, MUC component, and an HTTP component that only
  # serves BOSH. http_interfaces = {"*"} listens on every pod interface;
  # reachability is bounded by the NetworkPolicy, not by this binding.
  # restrict_room_creation = "local" keeps remote users from creating rooms.
  imfreedom.cfg.lua: |
    VirtualHost "imfreedom.org"
      certificate = "imfreedom/tls.crt"
      jetbrains_hub_groups = { "IMF Board Member", "IMF Officer", "IMF XMPP" }
      http_host = "xmpp.imfreedom.org"
      http_interfaces = {"*"}
      http_external_url = "https://xmpp.imfreedom.org/"
      ssl = {
        certificate = "certs/imfreedom/tls.crt";
        key = "certs/imfreedom/tls.key";
      }

    Component "conference.imfreedom.org" "muc"
      name = "Instant Messaging Freedom MUC"
      modules_enabled = { "muc_badge", "muc_mam", "muc_mam_hints", "muc_moderation", "muc_occupant_id", "vcard_muc" }
      http_host = "conference.imfreedom.org"
      http_external_url = "https://conference.imfreedom.org/"
      ssl = {
        certificate = "certs/imfreedom/tls.crt";
        key = "certs/imfreedom/tls.key";
      }
      restrict_room_creation = "local"

    Component "xmpp.imfreedom.org" "http"
      http_external_url = "https://xmpp.imfreedom.org/"
      http_host = "xmpp.imfreedom.org"
      modules_enabled = {"bosh"}
  # pidgin.im: same layout as imfreedom.org with its own cert directory
  # and hub groups.
  pidgin.cfg.lua: |
    VirtualHost "pidgin.im"
      certificate = "pidgin/tls.crt"
      jetbrains_hub_groups = { "Pidgin Admin", "Pidgin Contributor", "Pidgin XMPP" }
      http_host = "xmpp.pidgin.im"
      http_interfaces = {"*"}
      http_external_url = "https://xmpp.pidgin.im/"
      ssl = {
        certificate = "certs/pidgin/tls.crt";
        key = "certs/pidgin/tls.key";
      }

    Component "conference.pidgin.im" "muc"
      name = "Pidgin Internet Messaging MUC"
      modules_enabled = { "muc_badge", "muc_mam", "muc_mam_hints", "muc_moderation", "muc_occupant_id", "vcard_muc" }
      http_host = "conference.pidgin.im"
      http_external_url = "https://conference.pidgin.im/"
      ssl = {
        certificate = "certs/pidgin/tls.crt";
        key = "certs/pidgin/tls.key";
      }
      restrict_room_creation = "local"

    Component "xmpp.pidgin.im" "http"
      http_external_url = "https://xmpp.pidgin.im/"
      http_host = "xmpp.pidgin.im"
      modules_enabled = {"bosh"}
  # pidginchat.com: host only, no MUC or BOSH component, and federation is
  # switched off (modules_disabled = {"s2s"}) so nothing reaches it via the
  # prosody-s2s route.
  pidginchat.com.cfg.lua: |
    VirtualHost "pidginchat.com"
      modules_disabled = {"s2s"}
      certificate = "pidginchat/tls.crt"
      jetbrains_hub_groups = { "pidginchat.com XMPP" }
      http_host = "pidginchat.com"
      http_interfaces = {"*"}
      http_external_url = "https://pidginchat.com/"
      ssl = {
        certificate = "certs/pidginchat/tls.crt";
        key = "certs/pidginchat/tls.key";
      }
---
# Allows at most one prosody pod to be evicted at a time. With replicas: 1
# and a Recreate strategy this mainly protects against node-drain races.
# NOTE(review): policy/v1beta1 PodDisruptionBudget is deprecated; policy/v1
# (same fields for this use) is served from Kubernetes 1.21 and v1beta1 is
# removed in 1.25 — bump once the cluster version allows.
apiVersion: policy/v1beta1
kind: PodDisruptionBudget
metadata:
  namespace: roost
  name: prosody
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app: prosody
      role: app
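---
# Single-replica prosody Deployment. Recreate rather than RollingUpdate
# because the homedir PVC is ReadWriteOnce (see the PersistentVolumeClaim in
# this file): two pods could not mount it concurrently.
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: roost
  name: prosody
  labels:
    app: prosody
    role: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: prosody
      role: app
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: prosody
        role: app
    spec:
      containers:
        - name: prosody
          # NOTE(review): a mutable tag plus imagePullPolicy Always means any
          # pod restart may pull a different image than the last one. Pin by
          # digest (docker.io/rwgrim/prosody@sha256:<DIGEST>) for
          # reproducible, auditable rollouts.
          image: docker.io/rwgrim/prosody:latest
          imagePullPolicy: Always
          ports:
            - containerPort: 5222
              name: c2s
            - containerPort: 5269
              name: s2s
            - containerPort: 5280
              name: http
            - containerPort: 5281
              name: https
            # Declared for documentation only: the Service and NetworkPolicy
            # in this file do not expose or admit this port.
            - containerPort: 5582
              name: telnet
          resources:
            limits:
              cpu: 100m
              memory: 128Mi
            requests:
              cpu: 50m
              memory: 64Mi
          securityContext:
            # The process is already forced to uid 101 by the pod-level
            # securityContext; these remove the remaining ways to gain
            # privilege. Every listening port is above 1024, so no
            # capability is needed to bind them.
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            # Only the data directory is writable; config, secrets and
            # certificates are read-only.
            - mountPath: /var/lib/prosody
              name: homedir
              readOnly: false
              subPath: home
            - mountPath: /etc/prosody/secrets.d/
              name: secrets
              readOnly: true
            - mountPath: /etc/prosody/conf.d/
              name: config
              readOnly: true
            - mountPath: /etc/prosody/certs/imfreedom/
              name: imfreedom-tls
              readOnly: true
            - mountPath: /etc/prosody/certs/pidgin/
              name: pidgin-tls
              readOnly: true
            - mountPath: /etc/prosody/certs/pidginchat/
              name: pidginchat-tls
              readOnly: true
      securityContext:
        fsGroup: 101
        runAsUser: 101
        # Rejects the pod at start if it would ever run as uid 0; with
        # runAsUser set numerically this check is satisfied without
        # inspecting the image's USER.
        runAsNonRoot: true
      volumes:
        - name: homedir
          persistentVolumeClaim:
            claimName: prosody
        - name: secrets
          secret:
            secretName: prosody
        - name: config
          configMap:
            name: prosody-config
        - name: imfreedom-tls
          secret:
            secretName: imfreedom-tls
        - name: pidgin-tls
          secret:
            secretName: pidgin-tls
        - name: pidginchat-tls
          secret:
            secretName: pidginchat-tls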
---
# Persistent data directory for prosody (mounted at /var/lib/prosody via
# subPath home). volumeName pins the claim to an already-existing
# PersistentVolume, so a re-apply rebinds the same data instead of
# dynamically provisioning an empty volume.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  namespace: roost
  name: prosody
  labels:
    app: prosody
    role: app
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 2Gi
  volumeName: pvc-415a206e-5484-4cf0-a655-908d18339f62
---
# Gemini snapshot schedule for the prosody PVC: a snapshot every 12 hours,
# retaining the two most recent.
apiVersion: gemini.fairwinds.com/v1beta1
kind: SnapshotGroup
metadata:
  namespace: roost
  name: prosody
spec:
  persistentVolumeClaim:
    claimName: prosody
  schedule:
    - every: 12 hours
      keep: 2
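---
# Scrape target for the namespace Prometheus, via the Service port named
# `https` (5281).
# NOTE(review): renamed from `prosody` because the next ServiceMonitor in
# this file also uses metadata.name prosody in namespace roost, and with two
# identically named objects the later one silently replaces this one on
# apply. `prosody-https` is a constructed name — adjust to project
# convention.
# NOTE(review): no `scheme` is set, so the operator scrapes 5281 over plain
# HTTP despite the port's name, and the NetworkPolicy above admits only 5280
# from the monitoring namespace. Confirm this monitor is meant to work.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  namespace: roost
  name: prosody-https
  labels:
    app: prosody
spec:
  selector:
    matchLabels:
      app: prosody
  endpoints:
    - port: https
      interval: 15s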
---
# Scrape target labelled for the cluster-wide Prometheus, via the Service
# port named `http` (5280) — the one port the NetworkPolicy above admits
# from the monitoring namespace.
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  namespace: roost
  name: prosody
  labels:
    app: prosody
    prometheus: cluster-wide
spec:
  selector:
    matchLabels:
      app: prosody
  endpoints:
    - port: http
      interval: 15s
---