imfreedom/k8s-cluster

Move 50-keep.imfreedom.org to kustomize

2021-06-17, Gary Kramlich
03598dac72ea
Parents a704541a2be8
Children 05053591ada4
Move 50-keep.imfreedom.org to kustomize
--- a/50-keep.imfreedom.org.yaml Thu Jun 17 03:44:29 2021 -0500
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,244 +0,0 @@
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRouteTCP
-metadata:
- name: keep-ssh
- namespace: roost
-spec:
- entryPoints:
- - keep-ssh
- routes:
- - match: HostSNI(`*`)
- kind: Rule
- services:
- - name: keep
- port: 22222
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
- name: keep-http
- namespace: roost
-spec:
- entryPoints:
- - http
- routes:
- - match: Host(`keep.imfreedom.org`)
- kind: Rule
- services:
- - name: keep-http
- port: 8080
- middlewares:
- - name: https-redirect
----
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
- name: keep-https
- namespace: roost
-spec:
- entryPoints:
- - https
- routes:
- - match: Host(`keep.imfreedom.org`)
- kind: Rule
- services:
- - name: keep-http
- port: 8080
- middlewares:
- - name: common-headers
- - name: hsts-headers
- tls:
- secretName: keep-tls
----
-apiVersion: cert-manager.io/v1alpha2
-kind: Certificate
-metadata:
- namespace: roost
- name: keep-tls
-spec:
- secretName: keep-tls
- issuerRef:
- name: letsencrypt
- commonName: keep.imfreedom.org
- dnsNames:
- - keep.imfreedom.org
----
-apiVersion: v1
-kind: Service
-metadata:
- namespace: roost
- labels:
- app: hgkeeper
- name: keep-http
-spec:
- ports:
- - port: 8080
- protocol: TCP
- selector:
- app: hgkeeper
----
-apiVersion: v1
-kind: Service
-metadata:
- namespace: roost
- labels:
- app: hgkeeper
- name: keep
-spec:
- ports:
- - port: 22222
- protocol: TCP
- selector:
- app: hgkeeper
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: keep-configmap
- namespace: roost
-data:
- admin-pubkey: |
- ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP/mCAuMfKq4ukgGufiERyddsPIj2/KNXzB+gDTjHBGl grim@spectre
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
- namespace: roost
- name: keep
- labels:
- app: hgkeeper
-spec:
- podSelector:
- matchLabels:
- app: hgkeeper
- ingress:
- - from:
- - namespaceSelector:
- matchLabels:
- name: kube-public
- podSelector:
- matchLabels:
- app: traefik
- role: controller
- ports:
- - port: 8080
- protocol: TCP
- - port: 22222
- protocol: TCP
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- namespace: roost
- name: keep
- labels:
- app: hgkeeper
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: hgkeeper
- strategy:
- type: Recreate
- template:
- metadata:
- labels:
- app: hgkeeper
- spec:
- initContainers:
- - name: setup
- image: docker.io/rwgrim/hgkeeper:latest
- imagePullPolicy: Always
- command: ["sh", "-c", "test -d /repos/hgkeeper || hgkeeper setup"]
- env:
- - name: HGK_ADMIN_USERNAME
- value: grim
- - name: HGK_ADMIN_PUBKEY
- value: /config/admin-pubkey
- - name: HGK_REPOS_PATH
- value: /repos
- volumeMounts:
- - mountPath: /repos
- name: keep
- readOnly: false
- subPath: repos
- - mountPath: /config
- name: keep-configmap
- readOnly: true
- containers:
- - name: hgkeeper
- image: docker.io/rwgrim/hgkeeper:latest
- imagePullPolicy: Always
- command: ["hgkeeper", "serve"]
- env:
- - name: TMPDIR
- value: /tmp
- - name: HGK_REPOS_PATH
- value: /repos
- - name: HGK_SSH_HOST_KEYS_PATH
- value: /host-keys
- ports:
- - containerPort: 8080
- - containerPort: 22222
- resources:
- limits:
- cpu: 1000m
- memory: 512Mi
- requests:
- cpu: 500m
- memory: 128Mi
- volumeMounts:
- - mountPath: /repos
- name: keep
- readOnly: false
- subPath: repos
- - mountPath: /host-keys
- name: keep-ssh-host-keys
- readOnly: true
- - mountPath: /tmp
- name: keep-tmp
- readOnly: false
- securityContext:
- # fsGroup: 22271
- runAsUser: 22271
- volumes:
- - name: keep
- persistentVolumeClaim:
- claimName: keep
- - name: keep-configmap
- configMap:
- name: keep-configmap
- - name: keep-ssh-host-keys
- secret:
- secretName: keep
- - name: keep-tmp
- emptyDir: {}
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- namespace: roost
- name: keep
- labels:
- app: hgkeeper
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 30Gi
- volumeName: pvc-fdabb9b0-68d2-4c13-9d6f-6a6dbcd34a38
----
-apiVersion: gemini.fairwinds.com/v1beta1
-kind: SnapshotGroup
-metadata:
- namespace: roost
- name: keep
-spec:
- persistentVolumeClaim:
- claimName: keep
- schedule:
- - every: 12 hours
- keep: 2
----
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/50-keep.imfreedom.org/files/admin-pubkey Thu Jun 17 04:06:39 2021 -0500
@@ -0,0 +1,1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP/mCAuMfKq4ukgGufiERyddsPIj2/KNXzB+gDTjHBGl
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/50-keep.imfreedom.org/kustomization.yaml Thu Jun 17 04:06:39 2021 -0500
@@ -0,0 +1,19 @@
+---
+namespace: roost
+configMapGenerator:
+ - name: keep-configmap
+ files:
+ - files/admin-pubkey
+ options:
+ disableNameSuffixHash: true
+resources:
+ - manifest.yaml
+secretGenerator:
+ - name: keep
+ files:
+ - secrets/ssh_host_ecdsa_key
+ - secrets/ssh_host_ed25519_key
+ - secrets/ssh_host_rsa_key
+ options:
+ disableNameSuffixHash: true
+---
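Review bot: The `secretGenerator` at `secrets/ssh_host_*_key` reads the server's SSH host private keys from the working tree, and this commit adds neither those files nor anything that keeps them out of version control; if they are not already ignored, add a `.gitignore` entry such as `50-keep.imfreedom.org/secrets/` and a comment above the generator saying the keys are provisioned out of band, so a later `git add -A` cannot publish them. Both generators set `disableNameSuffixHash: true`, which keeps the `keep` / `keep-configmap` names stable for `manifest.yaml` but also means a rotated host key or a replaced `admin-pubkey` will not roll the Deployment by itself; a one-line comment noting that a manual restart is needed after rotation would save the next operator a surprise. The trailing `---` on the last line leaves an empty second document in `kustomization.yaml`; I would drop it unless kustomize is known to tolerate it here.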
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/50-keep.imfreedom.org/manifest.yaml Thu Jun 17 04:06:39 2021 -0500
@@ -0,0 +1,225 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+ name: keep-ssh
+spec:
+ entryPoints:
+ - keep-ssh
+ routes:
+ - match: HostSNI(`*`)
+ kind: Rule
+ services:
+ - name: keep
+ port: 22222
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: keep-http
+spec:
+ entryPoints:
+ - http
+ routes:
+ - match: Host(`keep.imfreedom.org`)
+ kind: Rule
+ services:
+ - name: keep-http
+ port: 8080
+ middlewares:
+ - name: https-redirect
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: keep-https
+spec:
+ entryPoints:
+ - https
+ routes:
+ - match: Host(`keep.imfreedom.org`)
+ kind: Rule
+ services:
+ - name: keep-http
+ port: 8080
+ middlewares:
+ - name: common-headers
+ - name: hsts-headers
+ tls:
+ secretName: keep-tls
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+ name: keep-tls
+spec:
+ secretName: keep-tls
+ issuerRef:
+ name: letsencrypt
+ commonName: keep.imfreedom.org
+ dnsNames:
+ - keep.imfreedom.org
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: hgkeeper
+ name: keep-http
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ selector:
+ app: hgkeeper
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: hgkeeper
+ name: keep
+spec:
+ ports:
+ - port: 22222
+ protocol: TCP
+ selector:
+ app: hgkeeper
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: keep
+ labels:
+ app: hgkeeper
+spec:
+ podSelector:
+ matchLabels:
+ app: hgkeeper
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ name: kube-public
+ podSelector:
+ matchLabels:
+ app: traefik
+ role: controller
+ ports:
+ - port: 8080
+ protocol: TCP
+ - port: 22222
+ protocol: TCP
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: keep
+ labels:
+ app: hgkeeper
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: hgkeeper
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: hgkeeper
+ spec:
+ initContainers:
+ - name: setup
+ image: docker.io/rwgrim/hgkeeper:latest
+ imagePullPolicy: Always
+ command: ["sh", "-c", "test -d /repos/hgkeeper || hgkeeper setup"]
+ env:
+ - name: HGK_ADMIN_USERNAME
+ value: grim
+ - name: HGK_ADMIN_PUBKEY
+ value: /config/admin-pubkey
+ - name: HGK_REPOS_PATH
+ value: /repos
+ volumeMounts:
+ - mountPath: /repos
+ name: keep
+ readOnly: false
+ subPath: repos
+ - mountPath: /config
+ name: keep-configmap
+ readOnly: true
+ containers:
+ - name: hgkeeper
+ image: docker.io/rwgrim/hgkeeper:latest
+ imagePullPolicy: Always
+ command: ["hgkeeper", "serve"]
+ env:
+ - name: TMPDIR
+ value: /tmp
+ - name: HGK_REPOS_PATH
+ value: /repos
+ - name: HGK_SSH_HOST_KEYS_PATH
+ value: /host-keys
+ ports:
+ - containerPort: 8080
+ - containerPort: 22222
+ resources:
+ limits:
+ cpu: 1000m
+ memory: 512Mi
+ requests:
+ cpu: 500m
+ memory: 128Mi
+ volumeMounts:
+ - mountPath: /repos
+ name: keep
+ readOnly: false
+ subPath: repos
+ - mountPath: /host-keys
+ name: keep-ssh-host-keys
+ readOnly: true
+ - mountPath: /tmp
+ name: keep-tmp
+ readOnly: false
+ securityContext:
+ # fsGroup: 22271
+ runAsUser: 22271
+ volumes:
+ - name: keep
+ persistentVolumeClaim:
+ claimName: keep
+ - name: keep-configmap
+ configMap:
+ name: keep-configmap
+ - name: keep-ssh-host-keys
+ secret:
+ secretName: keep
+ - name: keep-tmp
+ emptyDir: {}
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: keep
+ labels:
+ app: hgkeeper
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 30Gi
+ volumeName: pvc-fdabb9b0-68d2-4c13-9d6f-6a6dbcd34a38
+---
+apiVersion: gemini.fairwinds.com/v1beta1
+kind: SnapshotGroup
+metadata:
+ name: keep
+spec:
+ persistentVolumeClaim:
+ claimName: keep
+ schedule:
+ - every: 12 hours
+ keep: 2
+---
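Review bot: Both the `setup` init container and the `hgkeeper` container run `docker.io/rwgrim/hgkeeper:latest` with `imagePullPolicy: Always`, so every pod restart pulls whatever is currently tagged `latest` from the public registry and the service that holds this project's SSH host keys and repositories can change under you without a commit; pin to an immutable tag or an `@sha256:` digest and bump it deliberately. The pod-level `securityContext` sets only `runAsUser: 22271`; nothing declares `runAsNonRoot`, blocks privilege escalation or drops capabilities, which are cheap to add for a single-purpose ssh/http daemon (sketched below, to be applied to the init container as well). The NetworkPolicy omits `policyTypes`, so it is ingress-only and egress from the pod is unrestricted, and its `namespaceSelector` relies on the `kube-public` namespace actually carrying a `name: kube-public` label, which is not a default label — worth confirming, since a missing label silently drops traffic from Traefik rather than opening it. `readOnlyRootFilesystem: true` may also be viable since `/tmp` and `/repos` are already separate mounts, but I have not verified hgkeeper writes nowhere else.

```yaml
      containers:
      - name: hgkeeper
        # … unchanged: image, command, env, ports, resources, volumeMounts …
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
      securityContext:
        # fsGroup: 22271
        runAsUser: 22271
        runAsNonRoot: true
      # … unchanged: volumes …
```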