Rearrange more, delete old files

Radon Rosborough 2023-04-21 16:57:19 -07:00
parent dd8d658f00
commit aad6e34df9
16 changed files with 83 additions and 4490 deletions


@ -1,125 +0,0 @@
---
kind: Secret
apiVersion: v1
metadata:
namespace: metallb
name: metallb-memberlist
data:
secretkey: "{{ .metallb.secretkey | b64enc }}"
---
kind: Secret
apiVersion: v1
metadata:
namespace: riju
name: s3-auth
stringData:
access-key: "{{ .s3.accessKey }}"
secret-key: "{{ .s3.secretKey }}"
---
kind: ConfigMap
apiVersion: v1
metadata:
namespace: riju
name: s3-config
data:
bucket: "{{ .s3.bucket }}"
region: "{{ .s3.region }}"
endpoint: "{{ .s3.endpoint }}"
---
kind: Secret
apiVersion: v1
metadata:
namespace: riju
name: registry-http-secret
stringData:
http-secret: "{{ .registry.httpSecret }}"
---
kind: Secret
apiVersion: v1
metadata:
namespace: riju
name: registry-auth
data:
htpasswd: "{{ .registry.htpasswd | println | b64enc }}"
---
kind: Secret
apiVersion: v1
metadata:
namespace: riju
name: registry-login
type: kubernetes.io/dockerconfigjson
stringData:
.dockerconfigjson: |
{
"auths": {
"localhost:30999": {
"username": "admin",
"password": "{{ .registry.password }}",
"auth": "{{ .registry.password | printf "admin:%s" | b64enc }}"
}
}
}
---
kind: Secret
apiVersion: v1
metadata:
namespace: riju-user
name: registry-user-login
type: kubernetes.io/dockerconfigjson
stringData:
.dockerconfigjson: |
{
"auths": {
"localhost:30999": {
"username": "admin",
"password": "{{ .registry.password }}",
"auth": "{{ .registry.password | printf "admin:%s" | b64enc }}"
}
}
}
---
kind: Secret
apiVersion: v1
metadata:
namespace: riju
name: minio-keys
stringData:
access-key: "{{ .minio.accessKey }}"
secret-key: "{{ .minio.secretKey }}"
---
kind: Secret
apiVersion: v1
metadata:
namespace: riju-user
name: minio-user-login
stringData:
config.json: |
{
"version": "10",
"aliases": {
"riju": {
"url": "http://minio.riju.svc",
"accessKey": "{{ .minio.accessKey }}",
"secretKey": "{{ .minio.secretKey }}",
"api": "s3v4",
"path": "auto"
}
}
}
---
kind: Secret
apiVersion: v1
metadata:
namespace: riju
name: riju-proxy-auth
data:
htpasswd: "{{ .proxy.htpasswd | println | b64enc }}"


@ -1,9 +0,0 @@
---
kind: IPAddressPool
apiVersion: metallb.io/v1beta1
metadata:
namespace: metallb
name: self
spec:
addresses:
- "{{ .networking.ip }}/32"

File diff suppressed because it is too large Load Diff


@ -1,352 +0,0 @@
# Based on bitnami/metallb helm chart 4.1.12 for metallb 0.13.7
---
kind: ServiceAccount
apiVersion: v1
metadata:
namespace: metallb
name: metallb-controller
automountServiceAccountToken: true
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: metallb-controller
rules:
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- update
- apiGroups:
- ""
resources:
- services/status
verbs:
- update
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- policy
resourceNames:
- metallb-controller
resources:
- podsecuritypolicies
verbs:
- use
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
- mutatingwebhookconfigurations
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: metallb-controller
subjects:
- kind: ServiceAccount
namespace: metallb
name: metallb-controller
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: metallb-controller
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: metallb
name: metallb-controller
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- get
- list
- watch
- apiGroups:
- ""
resources:
- secrets
resourceNames:
- metallb-memberlist
verbs:
- list
- apiGroups:
- apps
resources:
- deployments
resourceNames:
- metallb-controller
verbs:
- get
- apiGroups:
- ""
resources:
- secrets
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- metallb.io
resources:
- addresspools
verbs:
- get
- list
- watch
- apiGroups:
- metallb.io
resources:
- ipaddresspools
verbs:
- get
- list
- watch
- apiGroups:
- metallb.io
resources:
- bgppeers
verbs:
- get
- list
- apiGroups:
- metallb.io
resources:
- bgpadvertisements
verbs:
- get
- list
- apiGroups:
- metallb.io
resources:
- l2advertisements
verbs:
- get
- list
- apiGroups:
- metallb.io
resources:
- communities
verbs:
- get
- list
- watch
- apiGroups:
- metallb.io
resources:
- bfdprofiles
verbs:
- get
- list
- watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: metallb
name: metallb-controller
subjects:
- kind: ServiceAccount
namespace: metallb
name: metallb-controller
roleRef:
kind: Role
apiGroup: rbac.authorization.k8s.io
name: metallb-controller
---
kind: ServiceAccount
apiVersion: v1
metadata:
namespace: metallb
name: metallb-speaker
automountServiceAccountToken: true
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: metallb-speaker
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- policy
resourceNames:
- metallb-speaker
resources:
- podsecuritypolicies
verbs:
- use
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: metallb-speaker
subjects:
- kind: ServiceAccount
namespace: metallb
name: metallb-speaker
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: metallb-speaker
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: metallb
name: metallb-pod-lister
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- list
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- metallb.io
resources:
- addresspools
verbs:
- get
- list
- watch
- apiGroups:
- metallb.io
resources:
- bfdprofiles
verbs:
- get
- list
- watch
- apiGroups:
- metallb.io
resources:
- bgppeers
verbs:
- get
- list
- watch
- apiGroups:
- metallb.io
resources:
- l2advertisements
verbs:
- get
- list
- watch
- apiGroups:
- metallb.io
resources:
- bgpadvertisements
verbs:
- get
- list
- watch
- apiGroups:
- metallb.io
resources:
- ipaddresspools
verbs:
- get
- list
- watch
- apiGroups:
- metallb.io
resources:
- communities
verbs:
- get
- list
- watch
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: metallb
name: metallb-pod-lister
roleRef:
kind: Role
apiGroup: rbac.authorization.k8s.io
name: metallb-pod-lister
subjects:
- kind: ServiceAccount
name: metallb-speaker


@ -1,326 +0,0 @@
# Based on bitnami/metallb helm chart 4.1.12 for metallb 0.13.7
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
namespace: metallb
name: metallb-speaker
spec:
updateStrategy:
type: RollingUpdate
selector:
matchLabels:
app: metallb-speaker
template:
metadata:
labels:
app: metallb-speaker
spec:
serviceAccountName: metallb-speaker
hostNetwork: true
securityContext:
fsGroup: 0
terminationGracePeriodSeconds: 2
containers:
- name: metallb-speaker
image: "docker.io/bitnami/metallb-speaker:0.13.7-debian-11-r8"
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
capabilities:
add:
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
drop:
- ALL
readOnlyRootFilesystem: true
runAsUser: 0
args:
- "--port=7472"
env:
- name: METALLB_NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
- name: METALLB_HOST
valueFrom:
fieldRef:
fieldPath: status.hostIP
- name: METALLB_ML_BIND_ADDR
valueFrom:
fieldRef:
fieldPath: status.podIP
- name: METALLB_ML_LABELS
value: app=metallb-speaker
- name: METALLB_ML_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: METALLB_ML_SECRET_KEY
valueFrom:
secretKeyRef:
name: metallb-memberlist
key: secretkey
ports:
- name: metrics
containerPort: 7472
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
httpGet:
path: /metrics
port: metrics
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
httpGet:
path: /metrics
port: metrics
resources: {}
---
kind: Secret
apiVersion: v1
metadata:
namespace: metallb
name: webhook-server-cert
---
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: metallb
name: metallb-controller
labels:
app.kubernetes.io/name: metallb
spec:
replicas: 1
strategy:
type: RollingUpdate
revisionHistoryLimit: 3
selector:
matchLabels:
app: metallb-controller
template:
metadata:
labels:
app: metallb-controller
spec:
serviceAccountName: metallb-controller
securityContext:
fsGroup: 1001
volumes:
- name: cert
secret:
defaultMode: 420
secretName: webhook-server-cert
containers:
- name: metallb-controller
image: "docker.io/bitnami/metallb-controller:0.13.7-debian-11-r9"
imagePullPolicy: IfNotPresent
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1001
args:
- --port=7472
- --cert-service-name=metallb-webhook-service
ports:
- name: webhook-server
containerPort: 9443
- name: metrics
containerPort: 7472
volumeMounts:
- name: cert
mountPath: /tmp/k8s-webhook-server/serving-certs
readOnly: true
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
httpGet:
path: /metrics
port: metrics
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
httpGet:
path: /metrics
port: metrics
resources: {}
---
kind: Service
apiVersion: v1
metadata:
namespace: metallb
name: metallb-webhook-service
spec:
ports:
- port: 443
targetPort: 9443
selector:
app: metallb-controller
---
kind: ValidatingWebhookConfiguration
apiVersion: admissionregistration.k8s.io/v1
metadata:
name: metallb-webhook-configuration
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
namespace: metallb
name: metallb-webhook-service
path: /validate-metallb-io-v1beta1-addresspool
failurePolicy: Fail
name: addresspoolvalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- addresspools
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
namespace: metallb
name: metallb-webhook-service
path: /validate-metallb-io-v1beta2-bgppeer
failurePolicy: Fail
name: bgppeervalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta2
operations:
- CREATE
- UPDATE
resources:
- bgppeers
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
namespace: metallb
name: metallb-webhook-service
path: /validate-metallb-io-v1beta1-ipaddresspool
failurePolicy: Fail
name: ipaddresspoolvalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- ipaddresspools
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
namespace: metallb
name: metallb-webhook-service
path: /validate-metallb-io-v1beta1-bgpadvertisement
failurePolicy: Fail
name: bgpadvertisementvalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- bgpadvertisements
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
namespace: metallb
name: metallb-webhook-service
path: /validate-metallb-io-v1beta1-community
failurePolicy: Fail
name: communityvalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- communities
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
namespace: metallb
name: metallb-webhook-service
path: /validate-metallb-io-v1beta1-bfdprofile
failurePolicy: Fail
name: bfdprofileyvalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta1
operations:
- DELETE
resources:
- bfdprofiles
sideEffects: None
- admissionReviewVersions:
- v1
clientConfig:
service:
namespace: metallb
name: metallb-webhook-service
path: /validate-metallb-io-v1beta1-l2advertisement
failurePolicy: Fail
name: l2advertisementvalidationwebhook.metallb.io
rules:
- apiGroups:
- metallb.io
apiVersions:
- v1beta1
operations:
- CREATE
- UPDATE
resources:
- l2advertisements
sideEffects: None


@ -1,60 +0,0 @@
---
kind: ConfigMap
apiVersion: v1
metadata:
namespace: traefik
name: traefik-config
data:
traefik.yaml: |
entryPoints:
proxy:
address: ":1869"
http:
tls:
certResolver: riju
domains:
- main: k8s.riju.codes
http:
address: ":8000"
https:
address: ":8443"
http:
tls:
certResolver: riju
domains:
- main: k8s.riju.codes
healthcheck:
address: ":9000"
metrics:
address: ":9100"
docker:
address: ":31000"
http:
tls:
certResolver: riju
domains:
- main: k8s.riju.codes
minio:
address: ":32000"
http:
tls:
certResolver: riju
domains:
- main: k8s.riju.codes
ping:
entryPoint: "healthcheck"
metrics:
prometheus:
entryPoint: "metrics"
providers:
kubernetesCRD: {}
certificatesResolvers:
riju:
acme:
{{- if not .contact.letsEncryptProductionEnabled }}
caServer: https://acme-staging-v02.api.letsencrypt.org/directory
{{- end }}
email: "{{ .contact.letsEncryptEmail }}"
storage: /data/acme.json
httpChallenge:
entryPoint: http

File diff suppressed because it is too large Load Diff


@ -1,72 +0,0 @@
# Based on traefik/traefik helm chart 20.8.0 for traefik v2.9.6
---
kind: ServiceAccount
apiVersion: v1
metadata:
namespace: traefik
name: traefik
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik
rules:
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingressclasses
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.containo.us
resources:
- ingressroutes
- ingressroutetcps
- ingressrouteudps
- middlewares
- middlewaretcps
- tlsoptions
- tlsstores
- traefikservices
- serverstransports
verbs:
- get
- list
- watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: traefik
roleRef:
kind: ClusterRole
apiGroup: rbac.authorization.k8s.io
name: traefik
subjects:
- namespace: traefik
kind: ServiceAccount
name: traefik


@ -1,150 +0,0 @@
# Based on traefik/traefik helm chart 20.8.0 for traefik v2.9.6
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
namespace: traefik
name: traefik-data
spec:
accessModes: [ReadWriteOnce]
resources:
requests:
storage: 128Mi
storageClassName: openebs-hostpath
---
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: traefik
name: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
type: RollingUpdate
minReadySeconds: 0
template:
metadata:
annotations:
prometheus.io/scrape: "true"
prometheus.io/path: "/metrics"
prometheus.io/port: "9100"
labels:
app: traefik
spec:
serviceAccountName: traefik
terminationGracePeriodSeconds: 60
hostNetwork: false
initContainers:
- name: volume-permissions
image: busybox:1.35
command:
- "sh"
- "-c"
- "touch /data/acme.json && chmod -Rv 600 /data/* && chown 65532:65532 /data/acme.json"
volumeMounts:
- name: data
mountPath: /data
containers:
- image: traefik:v2.9.6
imagePullPolicy: IfNotPresent
name: traefik
resources: {}
readinessProbe:
httpGet:
path: /ping
port: 9000
scheme: HTTP
failureThreshold: 1
initialDelaySeconds: 2
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
livenessProbe:
httpGet:
path: /ping
port: 9000
scheme: HTTP
failureThreshold: 3
initialDelaySeconds: 2
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
ports:
- name: http
containerPort: 8000
- name: https
containerPort: 8443
- name: ping
containerPort: 9000
- name: docker
containerPort: 31000
securityContext:
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
volumeMounts:
- name: config
mountPath: /etc/traefik
- name: data
mountPath: /data
- name: tmp
mountPath: /tmp
volumes:
- name: config
configMap:
name: traefik-config
- name: data
persistentVolumeClaim:
claimName: traefik-data
- name: tmp
emptyDir: {}
securityContext:
fsGroup: 65532
---
kind: Service
apiVersion: v1
metadata:
namespace: traefik
name: traefik
annotations:
metallb.universe.tf/allow-shared-ip: main
spec:
type: LoadBalancer
selector:
app: traefik
ports:
- port: 80
name: http
targetPort: 8000
- port: 443
name: https
targetPort: 8443
- port: 1869
name: proxy
- port: 31000
name: docker
- port: 32000
name: minio
---
kind: IngressClass
apiVersion: networking.k8s.io/v1
metadata:
name: traefik
annotations:
ingressclass.kubernetes.io/is-default-class: "true"
spec:
controller: traefik.io/ingress-controller


@ -0,0 +1,20 @@
---
kind: Secret
apiVersion: v1
metadata:
namespace: riju
name: s3-auth
stringData:
access-key: "{{ .s3.accessKey }}"
secret-key: "{{ .s3.secretKey }}"
---
kind: ConfigMap
apiVersion: v1
metadata:
namespace: riju
name: s3-config
data:
bucket: "{{ .s3.bucket }}"
region: "{{ .s3.region }}"
endpoint: "{{ .s3.endpoint }}"
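Review bot: The `access-key` and `secret-key` values under `stringData` are spliced into double-quoted YAML scalars without escaping, so a key containing `"` or `\` would break the document or be changed by YAML escape processing before it reaches the Secret. Other Secrets in this commit avoid that by encoding under `data:`, and the same form works here: change `stringData:` to `data:` and write `secret-key: "{{ .s3.secretKey | b64enc }}"`, likewise for `access-key`. Whether the S3 provider can issue keys containing those characters is not visible from this file.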


@ -0,0 +1,55 @@
---
kind: Secret
apiVersion: v1
metadata:
namespace: riju
name: registry-http-secret
stringData:
http-secret: "{{ .registry.httpSecret }}"
---
kind: Secret
apiVersion: v1
metadata:
namespace: riju
name: registry-auth
data:
htpasswd: "{{ .registry.htpasswd | println | b64enc }}"
---
kind: Secret
apiVersion: v1
metadata:
namespace: riju
name: registry-login
type: kubernetes.io/dockerconfigjson
stringData:
.dockerconfigjson: |
{
"auths": {
"localhost:30999": {
"username": "admin",
"password": "{{ .registry.password }}",
"auth": "{{ .registry.password | printf "admin:%s" | b64enc }}"
}
}
}
---
kind: Secret
apiVersion: v1
metadata:
namespace: riju-user
name: registry-user-login
type: kubernetes.io/dockerconfigjson
stringData:
.dockerconfigjson: |
{
"auths": {
"localhost:30999": {
"username": "admin",
"password": "{{ .registry.password }}",
"auth": "{{ .registry.password | printf "admin:%s" | b64enc }}"
}
}
}
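Review bot: `registry-user-login` in the `riju-user` namespace carries the same `admin` username and `.registry.password` as `registry-login` in `riju`, so anything able to read Secrets in `riju-user` holds the registry's admin credential. If that namespace only needs to pull images (not visible from this file), give it its own account: a second entry in `.registry.htpasswd` and a separate password value, so it can be rotated or revoked independently and limited to pull where the registry supports per-account permissions. Separately, both `.dockerconfigjson` bodies place the password inside a JSON string unescaped, so a password containing `"` or `\` renders invalid or altered JSON. If the renderer includes Sprig's `toJson`, `"password": {{ .registry.password | toJson }}` avoids that.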


@ -0,0 +1,8 @@
---
kind: Secret
apiVersion: v1
metadata:
namespace: riju
name: riju-proxy-auth
data:
htpasswd: "{{ .proxy.htpasswd | println | b64enc }}"
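Review bot: An empty `.proxy.htpasswd` still renders a valid `riju-proxy-auth` Secret, whose content is only the newline added by `println`. How the proxy treats a credential file with no entries is not visible from this file. A guard above the document would make the render fail instead, for example `{{ if not .proxy.htpasswd }}{{ fail "proxy.htpasswd is required" }}{{ end }}`, assuming the renderer includes Sprig's `fail`. A one-line comment such as `# println appends the trailing newline before encoding` would also explain the pipeline on the `htpasswd` line.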