imfreedom/k8s-cluster

Update the allowed groups for pidgin.im xmpp

19 months ago, Gary Kramlich
f3fdd3dab6c1
Update the allowed groups for pidgin.im xmpp

Apparently groups don't matter for the group or in values in hub queries, but
the project name does? I dunno, but this seems to work fine.
---
# Raw TCP route: forwards everything arriving on the dedicated `keep-ssh`
# Traefik entry point to the `keep` Service on port 22222.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: keep-ssh
spec:
  entryPoints:
    - keep-ssh
  routes:
    # Non-TLS TCP carries no SNI, so the catch-all matcher is the only rule
    # Traefik can apply here. Every connection that reaches this entry point
    # is passed through; authentication is left to the backend behind the
    # Service, so the entry point should stay dedicated to this route.
    - kind: Rule
      match: 'HostSNI(`*`)'
      services:
        - name: keep
          port: 22222
---
# Plain-HTTP route for keep.imfreedom.org on the `http` entry point.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: keep-http
spec:
  entryPoints:
    - http
  routes:
    - kind: Rule
      match: 'Host(`keep.imfreedom.org`)'
      # `https-redirect` is not defined in this file. With no namespace given,
      # Traefik looks it up in this IngressRoute's namespace.
      # NOTE(review): by its name it should redirect to HTTPS before the
      # backend is reached - confirm, otherwise port 8080 is served in clear.
      middlewares:
        - name: https-redirect
      services:
        - name: keep-http
          port: 8080
---
# HTTPS route for keep.imfreedom.org; TLS is terminated by Traefik using the
# `keep-tls` secret and traffic continues to the backend Service on port 8080.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: keep-https
spec:
  entryPoints:
    - https
  # Same secret name the `keep-tls` Certificate in this file writes to.
  tls:
    secretName: keep-tls
  routes:
    - kind: Rule
      match: 'Host(`keep.imfreedom.org`)'
      # Both middlewares are defined outside this file.
      # NOTE(review): presumably they set the security response headers and
      # Strict-Transport-Security - confirm they exist in this namespace.
      middlewares:
        - name: common-headers
        - name: hsts-headers
      services:
        - name: keep-http
          port: 8080
---
# cert-manager Certificate for keep.imfreedom.org. The issued key pair is
# stored in the `keep-tls` secret, which the keep-https IngressRoute reads.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: keep-tls
spec:
  commonName: keep.imfreedom.org
  dnsNames:
    - keep.imfreedom.org
  # No `kind` is set, so cert-manager resolves this as a namespaced Issuer
  # called `letsencrypt` in the Certificate's own namespace.
  # NOTE(review): confirm that is intended and not a ClusterIssuer.
  issuerRef:
    name: letsencrypt
  secretName: keep-tls
---
# In-cluster Service for the hgkeeper HTTP listener. No `type` is given, so
# it is a ClusterIP Service; the Traefik routes in this file are its only
# external path.
apiVersion: v1
kind: Service
metadata:
  name: keep-http
  labels:
    app: hgkeeper
spec:
  selector:
    app: hgkeeper
  ports:
    # targetPort is omitted and therefore equals `port`.
    - protocol: TCP
      port: 8080
---
# In-cluster Service for the hgkeeper SSH listener. No `type` is given, so it
# is a ClusterIP Service; the keep-ssh IngressRouteTCP is its external path.
apiVersion: v1
kind: Service
metadata:
  name: keep
  labels:
    app: hgkeeper
spec:
  selector:
    app: hgkeeper
  ports:
    # targetPort is omitted and therefore equals `port`.
    - protocol: TCP
      port: 22222
---
# Restricts inbound traffic to the hgkeeper pods: only the Traefik controller
# pods may connect, and only on the HTTP (8080) and SSH (22222) ports.
#
# policyTypes is omitted, so the policy covers Ingress only. Egress from the
# hgkeeper pods is not restricted by this policy.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: keep
  labels:
    app: hgkeeper
spec:
  podSelector:
    matchLabels:
      app: hgkeeper
  ingress:
    - ports:
        - protocol: TCP
          port: 8080
        - protocol: TCP
          port: 22222
      from:
        # One list element holding both selectors: the peer must match the
        # namespace AND the pod labels. Splitting them into two elements
        # would turn this into an OR and widen the policy.
        #
        # NOTE(review): `name: kube-public` is a label somebody has to put on
        # the namespace; if it is missing, nothing matches and Traefik is
        # blocked. Confirm the namespace carries it.
        - namespaceSelector:
            matchLabels:
              name: kube-public
          podSelector:
            matchLabels:
              app: traefik
              role: controller
---
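# hgkeeper Deployment: a single pod serving HTTP on 8080 and SSH on 22222
# from the `keep` persistent volume.
#
# Hardening in this manifest: the pod must run as a non-root user with the
# runtime's default seccomp profile, and both containers give up all Linux
# capabilities and the ability to gain privileges. Nothing in the manifest
# needs them: the process already runs as UID 22271 and both listeners use
# unprivileged ports.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keep
  labels:
    app: hgkeeper
spec:
  # One replica with Recreate: the old pod is stopped before the new one
  # starts, which suits the ReadWriteOnce claim mounted below.
  replicas: 1
  # No old ReplicaSets are kept, so there is nothing for a rollout undo to
  # return to.
  revisionHistoryLimit: 0
  selector:
    matchLabels:
      app: hgkeeper
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: hgkeeper
    spec:
      # NOTE(review): the pod gets the namespace's default service-account
      # token mounted. If hgkeeper never calls the Kubernetes API, consider
      # `automountServiceAccountToken: false` - confirm first.
      initContainers:
        # One-time bootstrap: runs `hgkeeper setup` only when /repos/hgkeeper
        # does not exist yet.
        - name: setup
          # NOTE(review): `latest` is a mutable tag and is re-pulled on every
          # start, so the code that runs can change without a change to this
          # file. Pin to a release tag or to
          # docker.io/rwgrim/hgkeeper@sha256:<digest> once one is chosen.
          image: docker.io/rwgrim/hgkeeper:latest
          imagePullPolicy: Always
          command: ["sh", "-c", "test -d /repos/hgkeeper || hgkeeper setup"]
          env:
            - name: HGK_ADMIN_USERNAME
              value: grim
            # Path to the admin public key inside the read-only /config mount.
            - name: HGK_ADMIN_PUBKEY
              value: /config/admin-pubkey
            - name: HGK_REPOS_PATH
              value: /repos
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - mountPath: /repos
              name: keep
              readOnly: false
              subPath: repos
            - mountPath: /config
              name: keep-configmap
              readOnly: true
      containers:
        - name: hgkeeper
          # Same mutable-tag concern as the init container above.
          image: docker.io/rwgrim/hgkeeper:latest
          imagePullPolicy: Always
          command: ["hgkeeper", "serve"]
          env:
            - name: TMPDIR
              value: /tmp
            - name: HGK_REPOS_PATH
              value: /repos
            - name: HGK_SSH_HOST_KEYS_PATH
              value: /host-keys
          ports:
            - containerPort: 8080
            - containerPort: 22222
          resources:
            limits:
              cpu: 1500m
              memory: 768Mi
            requests:
              cpu: 1000m
              memory: 512Mi
          # NOTE(review): /tmp is already a dedicated emptyDir, so
          # `readOnlyRootFilesystem: true` may be feasible; not set here
          # because other write paths cannot be ruled out from this file.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - mountPath: /repos
              name: keep
              readOnly: false
              subPath: repos
            # SSH host private keys. No defaultMode is set on the secret
            # volume, so the files keep the default mode; with fsGroup
            # disabled a tighter mode would make them unreadable to UID 22271.
            - mountPath: /host-keys
              name: keep-ssh-host-keys
              readOnly: true
            - mountPath: /tmp
              name: keep-tmp
              readOnly: false
          livenessProbe:
            httpGet:
              path: /hgk/health
              port: 8080
              scheme: HTTP
      # Pod-level context: applies to the init container and to hgkeeper.
      securityContext:
        # fsGroup: 22271
        runAsUser: 22271
        # Refuse to start if the effective UID would ever be 0.
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      volumes:
        - name: keep
          persistentVolumeClaim:
            claimName: keep
        - name: keep-configmap
          configMap:
            name: keep-configmap
        # The host keys come from the Secret named `keep`.
        - name: keep-ssh-host-keys
          secret:
            secretName: keep
        - name: keep-tmp
          emptyDir: {}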
---
# Storage for the hgkeeper repositories, mounted by the `keep` Deployment.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: keep
  labels:
    app: hgkeeper
spec:
  # Pins the claim to one existing PersistentVolume instead of letting the
  # provisioner create a fresh, empty one.
  volumeName: pvc-fdabb9b0-68d2-4c13-9d6f-6a6dbcd34a38
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 30Gi
---
# Scheduled volume snapshots of the `keep` claim (Fairwinds Gemini).
apiVersion: gemini.fairwinds.com/v1beta1
kind: SnapshotGroup
metadata:
  name: keep
spec:
  persistentVolumeClaim:
    claimName: keep
  schedule:
    # NOTE(review): two snapshots at a 12-hour interval is roughly one day of
    # history - confirm that is enough to recover from a bad push or from
    # tampering that is noticed late.
    - every: '12 hours'
      keep: 2
---