imfreedom/k8s-cluster
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/.hgignore Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,4 @@
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/00-namespaces.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,21 @@
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/10-cert-manager.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,121 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+ name: certificates.certmanager.k8s.io
+ group: certmanager.k8s.io
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+ name: clusterissuers.certmanager.k8s.io
+ group: certmanager.k8s.io
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+ name: issuers.certmanager.k8s.io
+ group: certmanager.k8s.io
+apiVersion: rbac.authorization.k8s.io/v1beta1
+ - apiGroups: ["certmanager.k8s.io"]
+ resources: ["certificates", "issuers", "clusterissuers", "orders", "challenges"]
+ resources: ["configmaps", "secrets", "events", "services", "pods"]
+ - apiGroups: ["extensions"]
+ resources: ["ingresses"]
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+ apiGroup: rbac.authorization.k8s.io
+apiVersion: apps/v1beta1
+ serviceAccountName: cert-manager
+ image: "quay.io/jetstack/cert-manager-controller:v0.5.0"
+ imagePullPolicy: IfNotPresent
+ - --cluster-resource-namespace=$(POD_NAMESPACE)
+ - --leader-election-namespace=$(POD_NAMESPACE)
+ fieldPath: metadata.namespace
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
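Review bot: The ClusterRole rule listing `secrets` next to `configmaps`, `events`, `services` and `pods` is bound cluster-wide by the ClusterRoleBinding that follows, and nothing in the manifest records why that reach is needed; the verbs for the rule are not visible in this view. cert-manager keeps issued key pairs and ACME account keys in Secrets, so the grant is probably intentional, but if the verbs include `get` or `list` the `cert-manager` service account can read every Secret in the cluster. I would add a comment above the rule, `# cert-manager writes issued certificates and keys into Secrets in each namespace that holds a Certificate; keep verbs to what the controller needs`, and check the verb list against that statement.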
+++ b/15-issuer-acme-imfreedom.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,13 @@
+apiVersion: certmanager.k8s.io/v1alpha1
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: grim@reaperworld.com
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/15-issuer-acme-pidgin.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,13 @@
+apiVersion: certmanager.k8s.io/v1alpha1
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: grim@reaperworld.com
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/15-issuer-acme-reaperworld.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,13 @@
+apiVersion: certmanager.k8s.io/v1alpha1
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: grim@reaperworld.com
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/20-monitoring.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,202 @@
+# This manifest setups up prometheus in the monitoring namespace.
+# Most of it is taken nearly verbatim from
+# https://devopscube.com/setup-prometheus-monitoring-on-kubernetes/
+apiVersion: rbac.authorization.k8s.io/v1beta1
+ verbs: ["get", "list", "watch"]
+ verbs: ["get", "list", "watch"]
+- nonResourceURLs: ["/metrics"]
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+ apiGroup: rbac.authorization.k8s.io
+ name: prometheus-server-conf
+ name: prometheus-server-conf
+ evaluation_interval: 5s
+ - job_name: 'kubernetes-apiservers'
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
+ regex: default;kubernetes;https
+ - job_name: 'kubernetes-nodes'
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics
+ - job_name: 'kubernetes-pods'
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
+ - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
+ target_label: __metrics_path__
+ - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ target_label: __address__
+ regex: __meta_kubernetes_pod_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ target_label: kubernetes_namespace
+ - source_labels: [__meta_kubernetes_pod_name]
+ target_label: kubernetes_pod_name
+ - job_name: 'kubernetes-cadvisor'
+ ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
+ bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
+ regex: __meta_kubernetes_node_label_(.+)
+ - target_label: __address__
+ replacement: kubernetes.default.svc:443
+ - source_labels: [__meta_kubernetes_node_name]
+ target_label: __metrics_path__
+ replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
+ - job_name: 'kubernetes-service-endpoints'
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
+ target_label: __scheme__
+ - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
+ target_label: __metrics_path__
+ - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
+ target_label: __address__
+ regex: ([^:]+)(?::\d+)?;(\d+)
+ regex: __meta_kubernetes_service_label_(.+)
+ - source_labels: [__meta_kubernetes_namespace]
+ target_label: kubernetes_namespace
+ - source_labels: [__meta_kubernetes_service_name]
+ target_label: kubernetes_name
+apiVersion: extensions/v1beta1
+ image: prom/prometheus:v2.2.1
+ - "--config.file=/etc/prometheus/prometheus.yml"
+ - "--storage.tsdb.path=/prometheus/"
+ - name: prometheus-config-volume
+ mountPath: /etc/prometheus/
+ - name: prometheus-storage-volume
+ mountPath: /prometheus/
+ - name: prometheus-config-volume
+ name: prometheus-server-conf
+ - name: prometheus-storage-volume
+ name: prometheus-service
+ prometheus.io/scrape: 'true'
+ prometheus.io/port: '8080'
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
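Review bot: The `prometheus.io/port: '8080'` annotation on `prometheus-service` looks inconsistent with the container, whose visible args are only `--config.file` and `--storage.tsdb.path`, so Prometheus presumably listens on its default port 9090. In the `kubernetes-service-endpoints` job the `__address__` rule with `regex: ([^:]+)(?::\d+)?;(\d+)` takes the port from that annotation, so if its replacement is the usual `$1:$2` (not visible in this view) the self-scrape goes to a port nothing listens on. The target then sits permanently down and Prometheus' own health goes unmonitored. Unless the Service's port definitions say otherwise, I would change the annotation to `prometheus.io/port: '9090'`.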
+++ b/30-pidgin-default-backend.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,55 @@
+ name: ingress-default-backend
+ name: ingress-default-backend
+ - image: gcr.io/google_containers/defaultbackend:1.4
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/50-bamboo.pidgin.im.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,228 @@
+ imagePullPolicy: Always
+ - name: POSTGRES_PASSWORD
+ - mountPath: /var/lib/postgresql/data
+ - name: bamboo-postgres
+ claimName: bamboo-postgres
+kind: PersistentVolumeClaim
+apiVersion: extensions/v1beta1
+ certmanager.k8s.io/issuer: letsencrypt
+ - host: bamboo.pidgin.im
+ serviceName: bamboo-http
+apiVersion: certmanager.k8s.io/v1alpha1
+ commonName: bamboo.pidgin.im
+ image: rwgrim/atlassian-bamboo:latest
+ imagePullPolicy: Always
+ - name: BAMBOO_PROXY_NAME
+ value: bamboo.pidgin.im
+ - name: BAMBOO_PROXY_PORT
+kind: PersistentVolumeClaim
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
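Review bot: `image: rwgrim/atlassian-bamboo:latest` combined with `imagePullPolicy: Always` means every pod restart pulls whatever was last pushed under that tag, so the running CI server is not tied to a reviewed image and a rollback has no fixed target. The same pattern appears in 50-data.imfreedom.org.yaml (`minio/minio:latest`), 50-ldap.imfreedom.org.yaml (`rwgrim/ldap:latest`), 50-reaperworld.com.yaml (`rwgrim/www.reaperworld.com`, untagged), 50-status.pidgin.im.yaml and 50-wiki.imfreedom.org.yaml. Pin each to a release tag or, better, a digest, e.g. `image: rwgrim/atlassian-bamboo@sha256:<digest-placeholder>`. Separately, the source of `POSTGRES_PASSWORD` is not visible in this view; it should come from a `secretKeyRef` rather than a literal `value:` committed to the repository.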
+++ b/50-data.imfreedom.org.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,114 @@
+apiVersion: extensions/v1beta1
+ certmanager.k8s.io/issuer: letsencrypt
+ nginx.ingress.kubernetes.io/proxy-body-size: 200m
+ - host: data.imfreedom.org
+apiVersion: certmanager.k8s.io/v1alpha1
+ commonName: data.imfreedom.org
+ image: minio/minio:latest
+ imagePullPolicy: Always
+ - /usr/bin/healthcheck.sh
+kind: PersistentVolumeClaim
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/50-imfreedom.org.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,67 @@
+ imagePullPolicy: Always
+ - mountPath: /var/lib/mysql/
+kind: PersistentVolumeClaim
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/50-ldap.imfreedom.org.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,81 @@
+ image: rwgrim/ldap:latest
+ imagePullPolicy: Always
+ initialDelaySeconds: 30
+ - mountPath: /var/lib/ldap
+kind: PersistentVolumeClaim
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/50-reaperworld.com.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,86 @@
+apiVersion: extensions/v1beta1
+ certmanager.k8s.io/issuer: letsencrypt
+ - host: reaperworld.com
+ - host: www.reaperworld.com
+apiVersion: certmanager.k8s.io/v1alpha1
+ commonName: reaperworld.com
+ image: rwgrim/www.reaperworld.com
+ imagePullPolicy: Always
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/50-status.pidgin.im.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,81 @@
+apiVersion: extensions/v1beta1
+ name: status-reverse-proxy
+ certmanager.k8s.io/issuer: letsencrypt
+ app: status-reverse-proxy
+ - host: status.pidgin.im
+ serviceName: status-reverse-proxy
+ app: status-reverse-proxy
+ name: status-reverse-proxy
+ app: status-reverse-proxy
+apiVersion: certmanager.k8s.io/v1alpha1
+ commonName: status.pidgin.im
+ ingress: status-reverse-proxy
+ name: status-reverse-proxy
+ app: status-reverse-proxy
+ app: status-reverse-proxy
+ app: status-reverse-proxy
+ - name: status-reverse-proxy
+ image: pidgin/status-reverse-proxy:latest
+ imagePullPolicy: Always
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/50-wiki.imfreedom.org.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,86 @@
+apiVersion: extensions/v1beta1
+ certmanager.k8s.io/issuer: letsencrypt
+ - host: www.imfreedom.org
+apiVersion: certmanager.k8s.io/v1alpha1
+ commonName: imfreedom.org
+ image: imfreedom/www:latest
+ imagePullPolicy: Always
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/90-ingress.yaml Tue Oct 30 22:39:23 2018 -0500
@@ -0,0 +1,260 @@
+ name: ingress-tcp-services
+ 54663: pidgin/bamboo-agent:54663
+ name: ingress-configuration
+ name: ingress-serviceaccount
+apiVersion: rbac.authorization.k8s.io/v1beta1
+ name: ingress-clusterrole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+ name: ingress-clusterrole-nisa-binding
+ apiGroup: rbac.authorization.k8s.io
+ name: ingress-clusterrole
+ name: ingress-serviceaccount
+apiVersion: rbac.authorization.k8s.io/v1beta1
+ # Defaults to "<election-id>-<ingress-class>"
+ # Here: "<ingress-controller-leader>-<nginx>"
+ # This has to be adapted if you change either parameter
+ # when launching the nginx-ingress-controller.
+ - "ingress-controller-leader-nginx"
+apiVersion: rbac.authorization.k8s.io/v1beta1
+ name: ingress-role-nisa-binding
+ apiGroup: rbac.authorization.k8s.io
+ name: ingress-serviceaccount
+apiVersion: extensions/v1beta1
+ name: ingress-controller
+ serviceAccountName: ingress-serviceaccount
+ - name: nginx-ingress-controller
+ image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.20.0
+ - /nginx-ingress-controller
+ - --configmap=$(POD_NAMESPACE)/ingress-configuration
+ - --publish-service=$(POD_NAMESPACE)/ingress
+ - --annotations-prefix=nginx.ingress.kubernetes.io
+ - --tcp-services-configmap=$(POD_NAMESPACE)/ingress-tcp-services
+ fieldPath: metadata.name
+ fieldPath: metadata.namespace
+ initialDelaySeconds: 10
+ targetPort: bamboo-agent
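Review bot: The `54663: pidgin/bamboo-agent:54663` entry in `ingress-tcp-services` forwards a raw TCP port through the ingress controller, so connections to the Bamboo agent port get none of the TLS termination or host routing that the HTTP ingresses in this repository rely on. How the ingress Service is exposed is not visible in this view, but if it is a public LoadBalancer or NodePort the port is reachable from any address. I would add a comment above the entry, `# Bamboo remote-agent port; raw TCP, not covered by ingress TLS`. If remote agents connect from known addresses, also restrict sources with `loadBalancerSourceRanges` on the Service or an equivalent firewall rule.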