imfreedom/k8s-cluster

Initial revision

2018-10-30, Gary Kramlich
ce06ad43488d
Initial revision
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/.hgignore Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,4 @@
+syntax: glob
+.envrc
+*secret*
+
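Review bot: The `*secret*` glob only keeps a Secret manifest out of the repository when its file name happens to contain that word, so the convention needs to be stated somewhere or it will be broken by the first `bamboo-postgres-credentials.yaml`. Other manifests in this commit reference Secrets that are not committed (`bamboo-postgres`, the `letsencrypt` account keys are created by cert-manager), so a one-line comment such as `# Secret manifests must be named *secret* so they are never committed` would make the rule discoverable. Note also that this pattern does not protect inline credentials in a manifest (see `50-ldap.imfreedom.org.yaml`).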
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/00-namespaces.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: pidgin
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: imfreedom
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: reaperworld
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: monitoring
+---
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/10-cert-manager.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,121 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: cert-manager
+ namespace: kube-system
+ labels:
+ app: cert-manager
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: certificates.certmanager.k8s.io
+ labels:
+ app: cert-manager
+spec:
+ group: certmanager.k8s.io
+ version: v1alpha1
+ scope: Namespaced
+ names:
+ kind: Certificate
+ plural: certificates
+ shortNames:
+ - cert
+ - certs
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterissuers.certmanager.k8s.io
+ labels:
+ app: cert-manager
+spec:
+ group: certmanager.k8s.io
+ version: v1alpha1
+ scope: Cluster
+ names:
+ kind: ClusterIssuer
+ plural: clusterissuers
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+ name: issuers.certmanager.k8s.io
+ labels:
+ app: cert-manager
+spec:
+ group: certmanager.k8s.io
+ version: v1alpha1
+ scope: Namespaced
+ names:
+ kind: Issuer
+ plural: issuers
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: cert-manager
+ labels:
+ app: cert-manager
+rules:
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates", "issuers", "clusterissuers", "orders", "challenges"]
+ verbs: ["*"]
+ - apiGroups: [""]
+ resources: ["configmaps", "secrets", "events", "services", "pods"]
+ verbs: ["*"]
+ - apiGroups: ["extensions"]
+ resources: ["ingresses"]
+ verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: cert-manager
+ labels:
+ app: cert-manager
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cert-manager
+subjects:
+ - name: cert-manager
+ namespace: kube-system
+ kind: ServiceAccount
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ name: cert-manager
+ namespace: kube-system
+ labels:
+ app: cert-manager
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: cert-manager
+ template:
+ metadata:
+ labels:
+ app: cert-manager
+ spec:
+ serviceAccountName: cert-manager
+ containers:
+ - name: cert-manager
+ image: "quay.io/jetstack/cert-manager-controller:v0.5.0"
+ imagePullPolicy: IfNotPresent
+ args:
+ - --cluster-resource-namespace=$(POD_NAMESPACE)
+ - --leader-election-namespace=$(POD_NAMESPACE)
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+---
+
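Review bot: The ClusterRole grants `verbs: ["*"]` on core `secrets`, `configmaps`, `pods` and `services` cluster-wide (lines with `apiGroups: [""]`), so a compromise of the cert-manager pod in kube-system gives read and write access to every Secret in the cluster. cert-manager does need to create and update TLS Secrets and HTTP-01 solver pods/services, but the verbs can be listed explicitly, e.g. `verbs: ["get", "list", "watch", "create", "update", "delete"]` taken from the upstream release manifest, and `events` normally needs only `create`/`patch`, which is how the ingress ClusterRole later in this commit is written. The Deployment also sets no resource `limits` and no `securityContext`, unlike the ingress controller and default backend deployments; a `runAsNonRoot: true` plus a memory limit would bring it in line.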
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/15-issuer-acme-imfreedom.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,13 @@
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+ name: letsencrypt
+ namespace: imfreedom
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: grim@reaperworld.com
+ privateKeySecretRef:
+ name: letsencrypt
+ http01: {}
+---
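Review bot: The three `15-issuer-acme-*.yaml` files differ only in `namespace`, and each registers its own ACME account whose private key is stored in a Secret named `letsencrypt` in that namespace. Since this commit already installs the `ClusterIssuer` CRD, a single `kind: ClusterIssuer` referenced from the Certificates with `issuerRef.kind: ClusterIssuer` would replace the three copies and keep one account key in the namespace given by `--cluster-resource-namespace` in 10-cert-manager.yaml. If one account per namespace is deliberate, a comment in each file stating that would stop a later cleanup from merging them, e.g. `# separate ACME account per namespace on purpose; do not convert to ClusterIssuer`.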
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/15-issuer-acme-pidgin.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,13 @@
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+ name: letsencrypt
+ namespace: pidgin
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: grim@reaperworld.com
+ privateKeySecretRef:
+ name: letsencrypt
+ http01: {}
+---
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/15-issuer-acme-reaperworld.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,13 @@
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+ name: letsencrypt
+ namespace: reaperworld
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: grim@reaperworld.com
+ privateKeySecretRef:
+ name: letsencrypt
+ http01: {}
+---
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/20-monitoring.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,202 @@
+# This manifest setups up prometheus in the monitoring namespace.
+#
+# Most of it is taken nearly verbatim from
+# https://devopscube.com/setup-prometheus-monitoring-on-kubernetes/
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: prometheus
+ namespace: monitoring
+rules:
+- apiGroups: [""]
+ resources:
+ - nodes
+ - nodes/proxy
+ - services
+ - endpoints
+ - pods
+ verbs: ["get", "list", "watch"]
+- apiGroups:
+ - extensions
+ resources:
+ - ingresses
+ verbs: ["get", "list", "watch"]
+- nonResourceURLs: ["/metrics"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: prometheus
+ namespace: monitoring
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: prometheus
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: monitoring
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: prometheus-server-conf
+ namespace: monitoring
+ labels:
+ name: prometheus-server-conf
+data:
+ prometheus.yml: |-
+ global:
+ scrape_interval: 5s
+ evaluation_interval: 5s
+ scrape_configs:
+ - job_name: 'kubernetes-apiservers'
+ kubernetes_sd_configs:
+ - role: endpoints
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ action: keep
+ regex: default;kubernetes;https
+ - job_name: 'kubernetes-nodes'
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ kubernetes_sd_configs:
+ - role: node
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics
+ - job_name: 'kubernetes-pods'
+ kubernetes_sd_configs:
+ - role: pod
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ action: replace
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ target_label: __address__
+ - action: labelmap
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: kubernetes_namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ action: replace
+ target_label: kubernetes_pod_name
+ - job_name: 'kubernetes-cadvisor'
+ scheme: https
+ tls_config:
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ kubernetes_sd_configs:
+ - role: node
+ relabel_configs:
+ - action: labelmap
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ regex: (.+)
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
+ - job_name: 'kubernetes-service-endpoints'
+ kubernetes_sd_configs:
+ - role: endpoints
+ relabel_configs:
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
+ action: keep
+ regex: true
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
+ action: replace
+ target_label: __scheme__
+ regex: (https?)
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
+ action: replace
+ target_label: __metrics_path__
+ regex: (.+)
+ - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
+ action: replace
+ target_label: __address__
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ replacement: $1:$2
+ - action: labelmap
+ regex: __meta_kubernetes_service_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ action: replace
+ target_label: kubernetes_namespace
+ - source_labels: [__meta_kubernetes_service_name]
+ action: replace
+ target_label: kubernetes_name
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: prometheus
+ namespace: monitoring
+spec:
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: prometheus-server
+ spec:
+ containers:
+ - name: prometheus
+ image: prom/prometheus:v2.2.1
+ args:
+ - "--config.file=/etc/prometheus/prometheus.yml"
+ - "--storage.tsdb.path=/prometheus/"
+ ports:
+ - containerPort: 9090
+ volumeMounts:
+ - name: prometheus-config-volume
+ mountPath: /etc/prometheus/
+ - name: prometheus-storage-volume
+ mountPath: /prometheus/
+ volumes:
+ - name: prometheus-config-volume
+ configMap:
+ defaultMode: 420
+ name: prometheus-server-conf
+ - name: prometheus-storage-volume
+ emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: prometheus-service
+ namespace: monitoring
+ annotations:
+ prometheus.io/scrape: 'true'
+ prometheus.io/path: /
+ prometheus.io/port: '8080'
+spec:
+ selector:
+ app: prometheus-server
+ type: NodePort
+ ports:
+ - port: 8080
+ targetPort: 9090
+ nodePort: 30000
+---
+
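Review bot: The ClusterRoleBinding grants the `prometheus` ClusterRole to the `default` ServiceAccount of the `monitoring` namespace, so every pod created there without an explicit `serviceAccountName` inherits cluster-wide read on nodes, `nodes/proxy`, pods, services and endpoints, not just Prometheus. A dedicated ServiceAccount bound to the role and named in the Deployment keeps the grant scoped to the one workload that needs it; the changed lines are below. Separately, the Service is `type: NodePort` on `30000`, which exposes the unauthenticated Prometheus UI and query API on every node's interface; unless that is intended, `type: ClusterIP` plus an authenticated Ingress is the safer default. The `namespace` fields on the cluster-scoped ClusterRole and ClusterRoleBinding are ignored and can be dropped, and `emptyDir` storage means all metrics are lost on each pod restart.

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: monitoring
---
# … unchanged: ClusterRole prometheus …
subjects:
- kind: ServiceAccount
  name: prometheus
  namespace: monitoring
# … unchanged: ConfigMap prometheus-server-conf …
    spec:
      serviceAccountName: prometheus
      containers:
# … unchanged: prometheus container, volumes, Service …
```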
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/30-pidgin-default-backend.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: ingress-default-backend
+ labels:
+ app: ingress
+ role: default-backend
+spec:
+ ports:
+ - port: 80
+ targetPort: http
+ selector:
+ app: ingress
+ role: default-backend
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ingress-default-backend
+ labels:
+ app: ingress
+ role: default-backend
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ingress
+ role: default-backend
+ template:
+ metadata:
+ labels:
+ app: ingress
+ role: default-backend
+ spec:
+ containers:
+ - image: gcr.io/google_containers/defaultbackend:1.4
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ name: default-backend
+ ports:
+ - name: http
+ containerPort: 8080
+ resources:
+ limits:
+ cpu: 30m
+ memory: 50Mi
+ requests:
+ cpu: 30m
+ memory: 49Mi
+ securityContext:
+ runAsUser: 65534
+---
+
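Review bot: Neither the Service nor the Deployment in `30-pidgin-default-backend.yaml` sets `metadata.namespace`, so despite the file name they land in whatever namespace the `kubectl` context defaults to rather than `pidgin`; adding `namespace: pidgin` under both `metadata` blocks pins it. The ingress controller in `90-ingress.yaml` also never references this backend (there is no `--default-backend-service` argument), so as committed the deployment runs but is not used; either wire it in or note the intent with `# not yet referenced by the ingress controller`. On the positive side this is the only application deployment in the commit that sets both resource `limits` and `runAsUser`.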
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/50-bamboo.pidgin.im.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,228 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: pidgin
+ labels:
+ app: bamboo
+ role: postgres
+ name: bamboo-postgres
+spec:
+ ports:
+ - port: 5432
+ protocol: TCP
+ selector:
+ app: bamboo
+ role: postgres
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: pidgin
+ name: bamboo-postgres
+ labels:
+ app: bamboo
+ role: postgres
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: bamboo
+ role: postgres
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: bamboo
+ role: postgres
+ spec:
+ containers:
+ - name: postgres
+ image: postgres:9.6
+ imagePullPolicy: Always
+ env:
+ - name: POSTGRES_USER
+ valueFrom:
+ secretKeyRef:
+ name: bamboo-postgres
+ key: username
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: bamboo-postgres
+ key: password
+ - name: POSTGRES_DB
+ valueFrom:
+ secretKeyRef:
+ name: bamboo-postgres
+ key: db
+ ports:
+ - containerPort: 5432
+ volumeMounts:
+ - mountPath: /var/lib/postgresql/data
+ name: bamboo-postgres
+ readOnly: false
+ subPath: postgresql
+ volumes:
+ - name: bamboo-postgres
+ persistentVolumeClaim:
+ claimName: bamboo-postgres
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ namespace: pidgin
+ name: bamboo-postgres
+ labels:
+ app: bamboo
+ role: postgres
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: pidgin
+ name: bamboo
+ annotations:
+ certmanager.k8s.io/issuer: letsencrypt
+
+ labels:
+ app: bamboo
+spec:
+ rules:
+ - host: bamboo.pidgin.im
+ http:
+ paths:
+ - backend:
+ serviceName: bamboo-http
+ servicePort: 8085
+ path: /
+ tls:
+ - hosts:
+ - bamboo.pidgin.im
+ secretName: bamboo-tls
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: pidgin
+ labels:
+ app: bamboo
+ role: http
+ name: bamboo-http
+spec:
+ ports:
+ - port: 8085
+ protocol: TCP
+ selector:
+ app: bamboo
+ role: app
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: pidgin
+ labels:
+ app: bamboo
+ role: agent
+ name: bamboo-agent
+spec:
+ ports:
+ - port: 54663
+ protocol: TCP
+ selector:
+ app: bamboo
+ role: app
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+ namespace: pidgin
+ name: bamboo
+spec:
+ secretname: bamboo-tls
+ issuerRef:
+ name: letsencrypt
+ commonName: bamboo.pidgin.im
+ dnsNames:
+ - bamboo.pidgin.im
+ acme:
+ config:
+ - http01:
+ ingress: bamboo
+ domains:
+ - bamboo.pidgin.im
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: pidgin
+ name: bamboo
+ labels:
+ app: bamboo
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: bamboo
+ role: app
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: bamboo
+ role: app
+ spec:
+ containers:
+ - name: bamboo
+ image: rwgrim/atlassian-bamboo:latest
+ imagePullPolicy: Always
+ env:
+ - name: BAMBOO_SCHEME
+ value: https
+ - name: BAMBOO_PROXY_NAME
+ value: bamboo.pidgin.im
+ - name: BAMBOO_PROXY_PORT
+ value: "443"
+ ports:
+ - containerPort: 8085
+ - containerPort: 54663
+ resources:
+ limits:
+ cpu: 1
+ memory: 1792Mi
+ requests:
+ cpu: 1
+ memory: 1536Mi
+ volumeMounts:
+ - mountPath: /bamboo
+ name: bamboo
+ readOnly: false
+ securityContext:
+ fsGroup: 1000
+ runAsUser: 1000
+ volumes:
+ - name: bamboo
+ persistentVolumeClaim:
+ claimName: bamboo
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ namespace: pidgin
+ name: bamboo
+ labels:
+ app: bamboo
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
+---
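Review bot: The Certificate uses `secretname: bamboo-tls`, but the cert-manager field is `secretName`; the v1alpha1 CRDs installed in this commit carry no validation schema, so the misspelled key is accepted by the API server and, depending on how the controller decodes it, may be silently dropped, leaving a Certificate with no target Secret while the Ingress expects `bamboo-tls`. The same spelling appears in `50-data.imfreedom.org.yaml`, `50-reaperworld.com.yaml`, `50-status.pidgin.im.yaml` and `50-wiki.imfreedom.org.yaml`; the fix is the one-line `secretName: bamboo-tls` in each. The bamboo container pulls `rwgrim/atlassian-bamboo:latest` with `imagePullPolicy: Always`, so every restart runs whatever the mutable tag points to with no way to audit or roll back what was deployed; pinning a version tag (or a digest) as the postgres container already does with `postgres:9.6` applies equally to the minio, ldap, www and status-reverse-proxy images in the other `50-*` files.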
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/50-data.imfreedom.org.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,114 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: imfreedom
+ name: data
+ annotations:
+ certmanager.k8s.io/issuer: letsencrypt
+ nginx.ingress.kubernetes.io/proxy-body-size: 200m
+ labels:
+ app: data
+spec:
+ rules:
+ - host: data.imfreedom.org
+ http:
+ paths:
+ - backend:
+ serviceName: data
+ servicePort: 9000
+ path: /
+ tls:
+ - hosts:
+ - data.imfreedom.org
+ secretName: data-tls
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: imfreedom
+ labels:
+ app: data
+ name: data
+spec:
+ ports:
+ - port: 9000
+ protocol: TCP
+ selector:
+ app: data
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+ namespace: imfreedom
+ name: data
+spec:
+ secretname: data-tls
+ issuerRef:
+ name: letsencrypt
+ commonName: data.imfreedom.org
+ dnsNames:
+ - data.imfreedom.org
+ acme:
+ config:
+ - http01:
+ ingress: data
+ domains:
+ - data.imfreedom.org
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: imfreedom
+ name: data
+ labels:
+ app: data
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: data
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: data
+ spec:
+ containers:
+ - name: minio
+ image: minio/minio:latest
+ imagePullPolicy: Always
+ livenessProbe:
+ exec:
+ command:
+ - /usr/bin/healthcheck.sh
+ command:
+ - minio
+ - server
+ - /data
+ ports:
+ - containerPort: 9000
+ volumeMounts:
+ - mountPath: /data
+ name: data
+ readOnly: false
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: data
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ namespace: imfreedom
+ name: data
+ labels:
+ app: data
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
+---
+
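Review bot: The minio container receives no credential configuration (no `MINIO_ACCESS_KEY`/`MINIO_SECRET_KEY` from a `secretKeyRef`), so access to the bucket API published on `data.imfreedom.org` depends entirely on whatever the `minio/minio:latest` image does by default at pull time; supplying both keys from a Secret, the way `bamboo-postgres` is wired in `50-bamboo.pidgin.im.yaml`, makes the behaviour explicit and reviewable. The container also runs as root with a writable PVC, whereas the bamboo and ldap deployments set `runAsUser`/`fsGroup`; a matching `securityContext` would be consistent. The `livenessProbe` invokes `/usr/bin/healthcheck.sh`, a path that cannot be confirmed from this repository and will change with the unpinned tag, so it is worth a comment naming the image release it was verified against.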
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/50-imfreedom.org.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,67 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: imfreedom
+ labels:
+ app: wiki
+ role: database
+ name: wiki-database
+spec:
+ ports:
+ - port: 3306
+ protocol: TCP
+ selector:
+ app: wiki
+ role: wiki-database
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: imfreedom
+ name: wiki
+ labels:
+ app: wiki
+ role: database
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: wiki
+ role: database
+ template:
+ metadata:
+ labels:
+ app: wiki
+ role: database
+ spec:
+ containers:
+ - name: mariadb
+ image: mariadb:10
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 3306
+ volumeMounts:
+ - mountPath: /var/lib/mysql/
+ name: data
+ readOnly: false
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: wiki-data
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ namespace: imfreedom
+ name: wiki-database
+ labels:
+ app: wiki
+ role: database
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 2Gi
+---
+
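Review bot: The Service selects `role: wiki-database` but the Deployment's pod template is labelled `role: database`, so the Service matches no pods and the database is unreachable by name; the fix is `role: database` in the Service selector. The Deployment also mounts `claimName: wiki-data` while the PersistentVolumeClaim in the same file is named `wiki-database`, so the pod will stay Pending on a missing claim; `claimName: wiki-database` aligns them. Finally, the official `mariadb` image requires a root-password environment variable (`MYSQL_ROOT_PASSWORD` or one of the documented allow-empty/random alternatives) and exits otherwise, so a `secretKeyRef` like the one used for postgres in `50-bamboo.pidgin.im.yaml` is needed before this can start. Note that there is no `wiki` application deployment anywhere in this commit, only its database, which may be intentional for an initial revision but deserves a comment.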
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/50-ldap.imfreedom.org.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,81 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: imfreedom
+ labels:
+ app: ldap
+ name: ldap
+spec:
+ ports:
+ - port: 3389
+ protocol: TCP
+ selector:
+ app: ldap
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: imfreedom
+ name: ldap
+ labels:
+ app: ldap
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ldap
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: ldap
+ spec:
+ containers:
+ - name: ldap
+ env:
+ - name: DOMAIN
+ value: pidgin.im
+ - name: ADMIN_PASSWD
+ value: abc123
+ image: rwgrim/ldap:latest
+ imagePullPolicy: Always
+ readinessProbe:
+ tcpSocket:
+ port: 3389
+ periodSeconds: 10
+ initialDelaySeconds: 1
+ livenessProbe:
+ tcpSocket:
+ port: 3389
+ periodSeconds: 30
+ initialDelaySeconds: 30
+ ports:
+ - containerPort: 3389
+ volumeMounts:
+ - mountPath: /var/lib/ldap
+ name: data
+ readOnly: false
+ securityContext:
+ fsGroup: 101
+ runAsUser: 101
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: ldap-data
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ namespace: imfreedom
+ name: ldap-data
+ labels:
+ app: ldap
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+---
+
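Review bot: `ADMIN_PASSWD` is given as a plain `value: abc123` in a committed manifest, which puts the LDAP administrator credential for the `pidgin.im` directory into version-control history where the `.hgignore` `*secret*` rule offers no protection; the postgres deployment in `50-bamboo.pidgin.im.yaml` already shows the pattern to use, a `secretKeyRef` into a Secret that is created out of band. Because the value is already in this revision's history, it should be treated as disclosed and rotated once the Secret-based wiring is in place. The changed env entry is below; the rest of the container spec is unchanged.

```yaml
        env:
        - name: DOMAIN
          value: pidgin.im
        - name: ADMIN_PASSWD
          valueFrom:
            secretKeyRef:
              name: ldap-admin  # placeholder: Secret kept out of the repo, like bamboo-postgres
              key: password
# … unchanged: image, probes, ports, volumeMounts, securityContext …
```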
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/50-reaperworld.com.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,86 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: reaperworld
+ name: www
+ annotations:
+ certmanager.k8s.io/issuer: letsencrypt
+ labels:
+ app: www
+spec:
+ rules:
+ - host: reaperworld.com
+ http: &http_rules
+ paths:
+ - backend:
+ serviceName: www
+ servicePort: 80
+ path: /
+ - host: www.reaperworld.com
+ http: *http_rules
+ tls:
+ - hosts:
+ - reaperworld.com
+ - www.reaperworld.com
+ secretName: www-tls
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: reaperworld
+ labels:
+ app: www
+ name: www
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ selector:
+ app: www
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+ namespace: reaperworld
+ name: www
+spec:
+ secretname: www-tls
+ issuerRef:
+ name: letsencrypt
+ commonName: reaperworld.com
+ dnsNames:
+ - reaperworld.com
+ - www.reaperworld.com
+ acme:
+ config:
+ - http01:
+ ingress: www
+ domains:
+ - reaperworld.com
+ - www.reaperworld.com
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: reaperworld
+ name: www
+ labels:
+ app: www
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: www
+ template:
+ metadata:
+ labels:
+ app: www
+ spec:
+ containers:
+ - name: www
+ image: rwgrim/www.reaperworld.com
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 80
+---
+
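Review bot: The Ingress reuses its rule body through a YAML anchor (`http: &http_rules` / `http: *http_rules`); `kubectl` expands aliases, but several manifest tools that may later be introduced (kustomize, schema validators) do not, so spelling out the second `paths` block, or adding `# YAML anchor: expanded by kubectl, not by all tooling` above it, avoids a surprise. The same construct is used in `50-wiki.imfreedom.org.yaml`. The Deployment image `rwgrim/www.reaperworld.com` carries no tag at all, which means an implicit `:latest` pulled with `imagePullPolicy: Always`; a pinned tag gives a record of what was actually served.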
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/50-status.pidgin.im.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,81 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: pidgin
+ name: status-reverse-proxy
+ annotations:
+ certmanager.k8s.io/issuer: letsencrypt
+ labels:
+ app: status-reverse-proxy
+spec:
+ rules:
+ - host: status.pidgin.im
+ http:
+ paths:
+ - backend:
+ serviceName: status-reverse-proxy
+ servicePort: 80
+ path: /
+ tls:
+ - hosts:
+ - status.pidgin.im
+ secretName: status-tls
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: pidgin
+ labels:
+ app: status-reverse-proxy
+ name: status-reverse-proxy
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ selector:
+ app: status-reverse-proxy
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+ namespace: pidgin
+ name: status
+spec:
+ secretname: status-tls
+ issuerRef:
+ name: letsencrypt
+ commonName: status.pidgin.im
+ dnsNames:
+ - status.pidgin.im
+ acme:
+ config:
+ - http01:
+ ingress: status-reverse-proxy
+ domains:
+ - status.pidgin.im
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: pidgin
+ name: status-reverse-proxy
+ labels:
+ app: status-reverse-proxy
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: status-reverse-proxy
+ template:
+ metadata:
+ labels:
+ app: status-reverse-proxy
+ spec:
+ containers:
+ - name: status-reverse-proxy
+ image: pidgin/status-reverse-proxy:latest
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 80
+---
+
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/50-wiki.imfreedom.org.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,86 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: imfreedom
+ name: www
+ annotations:
+ certmanager.k8s.io/issuer: letsencrypt
+ labels:
+ app: www
+spec:
+ rules:
+ - host: imfreedom.org
+ http: &http_rules
+ paths:
+ - backend:
+ serviceName: www
+ servicePort: 80
+ path: /
+ - host: www.imfreedom.org
+ http: *http_rules
+ tls:
+ - hosts:
+ - imfreedom.org
+ - www.imfreedom.org
+ secretName: www-tls
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: imfreedom
+ labels:
+ app: www
+ name: www
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ selector:
+ app: www
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+ namespace: imfreedom
+ name: www
+spec:
+ secretname: www-tls
+ issuerRef:
+ name: letsencrypt
+ commonName: imfreedom.org
+ dnsNames:
+ - imfreedom.org
+ - www.imfreedom.org
+ acme:
+ config:
+ - http01:
+ ingress: www
+ domains:
+ - imfreedom.org
+ - www.imfreedom.org
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: imfreedom
+ name: www
+ labels:
+ app: www
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: www
+ template:
+ metadata:
+ labels:
+ app: www
+ spec:
+ containers:
+ - name: www
+ image: imfreedom/www:latest
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 80
+---
+
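Review bot: The file is named `50-wiki.imfreedom.org.yaml` but every resource in it is the `www` site for `imfreedom.org`/`www.imfreedom.org`, while the wiki database lives in `50-imfreedom.org.yaml`; the two names look swapped, and since the ordering prefix is the only deployment order control in this layout, a header comment stating what each file provisions (e.g. `# www.imfreedom.org front page: ingress, service, certificate, deployment`) would keep later edits landing in the right file. There is no Ingress, Service or Deployment for a wiki host anywhere in the commit, so if one is planned a `# TODO: wiki.imfreedom.org` marker would record that. The `secretname` spelling and unpinned `imfreedom/www:latest` image match the points raised on `50-bamboo.pidgin.im.yaml`.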
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/90-ingress.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,260 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: ingress-tcp-services
+ namespace: kube-public
+ labels:
+ app: ingress
+ role: controller
+data:
+ 54663: pidgin/bamboo-agent:54663
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: ingress-configuration
+ namespace: kube-public
+ labels:
+ app: ingress
+ role: controller
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: ingress-serviceaccount
+ namespace: kube-public
+ labels:
+ app: ingress
+ role: controller
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ name: ingress-clusterrole
+ labels:
+ app: ingress
+ role: controller
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - nodes
+ - pods
+ - secrets
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "extensions"
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - "extensions"
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: ingress-clusterrole-nisa-binding
+ labels:
+ app: ingress
+ role: controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ingress-clusterrole
+subjects:
+ - kind: ServiceAccount
+ name: ingress-serviceaccount
+ namespace: kube-public
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: Role
+metadata:
+ name: ingress-role
+ namespace: kube-public
+ labels:
+ app: ingress
+ role: controller
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - pods
+ - secrets
+ - namespaces
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ # Defaults to "<election-id>-<ingress-class>"
+ # Here: "<ingress-controller-leader>-<nginx>"
+ # This has to be adapted if you change either parameter
+ # when launching the nginx-ingress-controller.
+ - "ingress-controller-leader-nginx"
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - get
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+ name: ingress-role-nisa-binding
+ namespace: kube-public
+ labels:
+ app: ingress
+ role: controller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: ingress-role
+subjects:
+ - kind: ServiceAccount
+ name: ingress-serviceaccount
+ namespace: kube-public
+---
+apiVersion: extensions/v1beta1
+kind: Deployment
+metadata:
+ name: ingress-controller
+ namespace: kube-public
+ labels:
+ app: ingress
+ role: public
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: ingress
+ role: controller
+ template:
+ metadata:
+ labels:
+ app: ingress
+ role: controller
+ spec:
+ serviceAccountName: ingress-serviceaccount
+ containers:
+ - name: nginx-ingress-controller
+ image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0
+ args:
+ - /nginx-ingress-controller
+ - --configmap=$(POD_NAMESPACE)/ingress-configuration
+ - --publish-service=$(POD_NAMESPACE)/ingress
+ - --annotations-prefix=nginx.ingress.kubernetes.io
+ - --tcp-services-configmap=$(POD_NAMESPACE)/ingress-tcp-services
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ add:
+ - NET_BIND_SERVICE
+ # www-data -> 33
+ runAsUser: 33
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ ports:
+ - name: http
+ containerPort: 80
+ - name: https
+ containerPort: 443
+ - name: bamboo-agent
+ containerPort: 54663
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: ingress
+ namespace: kube-public
+ labels:
+ app: ingress
+ role: controller
+spec:
+ type: LoadBalancer
+ selector:
+ app: ingress
+ role: controller
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+ - name: https
+ port: 443
+ targetPort: https
+ - name: bamboo-agent
+ port: 54663
+ targetPort: bamboo-agent
+---
+
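Review bot: The `ingress-tcp-services` ConfigMap key is written as the bare scalar `54663:`, which a YAML parser reads as an integer key; ConfigMap `data` keys must be strings, and whether the conversion happens silently depends on the client, so quoting it as `"54663": pidgin/bamboo-agent:54663` removes the ambiguity. That entry, together with the `bamboo-agent` port on the `type: LoadBalancer` Service, publishes the Bamboo remote-agent TCP port to the internet; if only agents inside the cluster or a known network are expected, `loadBalancerSourceRanges` on the Service or dropping the port from the public Service is the simpler control. Placing the controller in `kube-public` is unusual, since that namespace is conventionally reserved for data meant to be readable cluster-wide; a dedicated `ingress-nginx` namespace (which would also need adding to `00-namespaces.yaml`) keeps the controller's Secrets access and its RoleBinding isolated. The Deployment's own `labels` say `role: public` while its selector and pod template use `role: controller`, which works but reads as a leftover.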