authorChristian Pointner <equinox@spreadspace.org>2020-04-29 15:55:18 +0200
committerChristian Pointner <equinox@spreadspace.org>2020-04-29 15:55:18 +0200
commitb6e0c310c410e59ae210108d33fdc66bedb7cbf1 (patch)
tree6a2725ae62d1edd4d5ddb061dcce755636af90e1 /contrib
parentworkaround for mysql image (diff)
add k8s-lwl
Diffstat (limited to 'contrib')
-rw-r--r--contrib/k8s-emc/stats-auth-secret.yml10
-rw-r--r--contrib/k8s-lwl/acme-hack/acmetool-desired.yml3
-rwxr-xr-xcontrib/k8s-lwl/acme-hack/do.sh26
-rw-r--r--contrib/k8s-lwl/acme-hack/nginx-acme-cm.yml41
-rw-r--r--contrib/k8s-lwl/acme-hack/nginx-acme-deploy.yml66
-rw-r--r--contrib/k8s-lwl/acme-hack/nginx-acme-ingress.yml19
-rw-r--r--contrib/k8s-lwl/acme-hack/nginx-acme-svc.yml20
-rwxr-xr-xcontrib/k8s-lwl/acme-hack/wipe.sh6
-rw-r--r--contrib/k8s-lwl/grafana-ingress.yml23
-rw-r--r--contrib/k8s-lwl/grafana-statefulset.yml65
-rw-r--r--contrib/k8s-lwl/grafana-svc.yml16
-rw-r--r--contrib/k8s-lwl/graphite-cm-api.yml17
-rw-r--r--contrib/k8s-lwl/graphite-cm-carbon.yml55
-rw-r--r--contrib/k8s-lwl/graphite-statefulset.yml76
-rw-r--r--contrib/k8s-lwl/graphite-svc.yml18
-rw-r--r--contrib/k8s-lwl/ingress-cm.yml8
-rw-r--r--contrib/k8s-lwl/ingress-default-backend.yml59
-rw-r--r--contrib/k8s-lwl/ingress-ds.yml70
-rw-r--r--contrib/k8s-lwl/ingress-rbac.yml133
-rw-r--r--contrib/k8s-lwl/ingress-tcp-cm.yml8
-rw-r--r--contrib/k8s-lwl/ingress-udp-cm.yml8
-rw-r--r--contrib/k8s-lwl/matomo-cm.yml132
-rw-r--r--contrib/k8s-lwl/matomo-deploy.yml75
-rw-r--r--contrib/k8s-lwl/matomo-ingress.yml24
-rw-r--r--contrib/k8s-lwl/matomo-svc.yml16
-rw-r--r--contrib/k8s-lwl/mysql-secret.yml11
-rw-r--r--contrib/k8s-lwl/mysql-statefulset.yml71
-rw-r--r--contrib/k8s-lwl/mysql-svc.yml16
-rwxr-xr-xcontrib/k8s-lwl/node-labels.sh16
-rw-r--r--contrib/k8s-lwl/ns.yml5
-rw-r--r--contrib/k8s-lwl/stream-site-cm.yml44
-rw-r--r--contrib/k8s-lwl/stream-site-deploy.yml66
-rw-r--r--contrib/k8s-lwl/stream-site-ingress.yml23
-rw-r--r--contrib/k8s-lwl/stream-site-svc.yml21
34 files changed, 1257 insertions, 10 deletions
diff --git a/contrib/k8s-emc/stats-auth-secret.yml b/contrib/k8s-emc/stats-auth-secret.yml
deleted file mode 100644
index 623b9e2..0000000
--- a/contrib/k8s-emc/stats-auth-secret.yml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- namespace: emc
- name: stats-auth
- labels:
- tier: stats
-type: Opaque
-data:
- auth: ZXF1aW5veDokYXByMSR4NXJ5UzdDWSR1U1hJdHp5Mm9abmlzRkpsRUg2QXkwCg==
diff --git a/contrib/k8s-lwl/acme-hack/acmetool-desired.yml b/contrib/k8s-lwl/acme-hack/acmetool-desired.yml
new file mode 100644
index 0000000..d8a67e2
--- /dev/null
+++ b/contrib/k8s-lwl/acme-hack/acmetool-desired.yml
@@ -0,0 +1,3 @@
+satisfy:
+ names:
+ - <<hostname>>
diff --git a/contrib/k8s-lwl/acme-hack/do.sh b/contrib/k8s-lwl/acme-hack/do.sh
new file mode 100755
index 0000000..f4c71ce
--- /dev/null
+++ b/contrib/k8s-lwl/acme-hack/do.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+declare -A domains
+domains[cdn]="cdn.lndwrbl.live"
+domains[stats]="stats.lndwrbl.live"
+domains[stream]="stream.lndwrbl.live"
+
+kubectl apply -f nginx-acme-cm.yml
+kubectl apply -f nginx-acme-deploy.yml
+kubectl apply -f nginx-acme-svc.yml
+for name in "${!domains[@]}"; do
+ cat nginx-acme-ingress.yml | sed "s/<<name>>/$name/g" | sed "s/<<hostname>>/${domains[$name]}/g" | kubectl apply -f -
+done
+
+for name in "${!domains[@]}"; do
+ cat acmetool-desired.yml | sed "s/<<hostname>>/${domains[$name]}/g" | ssh lw-live-00 "cat > /var/lib/acme/desired/${domains[$name]}"
+done
+
+### TODO: wait for all pods and then contiune the script
+#exit 0
+
+ssh lw-live-00 systemctl start acmetool
+
+for name in "${!domains[@]}"; do
+ ssh lw-live-00 kubectl -n lwl create secret tls "$name\-tls" "--cert=/var/lib/acme/live/${domains[$name]}/fullchain" "--key=/var/lib/acme/live/${domains[$name]}/privkey" --dry-run -o json | kubectl apply -f -
+done
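Review bot: The secret name on the last loop's `kubectl create secret tls` line is `"$name\-tls"`, and inside double quotes bash keeps a backslash that does not precede `$`, backtick, `"` or `\`, so the generated name is `stats\-tls` rather than the `stats-tls` the ingress manifests reference and the apply fails validation; write `"${name}-tls"`. The script also runs without `set -euo pipefail`, so a failing `ssh … | kubectl apply -f -` pipeline (and the unfinished wait flagged by the TODO) is skipped silently while the next step proceeds. The `--dry-run -o json` pipe carries the private key from lw-live-00 through the local shell; that is inherent to the approach, but a one-line comment saying so would keep anyone from adding `tee` or logging to that pipeline later.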
diff --git a/contrib/k8s-lwl/acme-hack/nginx-acme-cm.yml b/contrib/k8s-lwl/acme-hack/nginx-acme-cm.yml
new file mode 100644
index 0000000..7599d3c
--- /dev/null
+++ b/contrib/k8s-lwl/acme-hack/nginx-acme-cm.yml
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: lwl
+ name: nginx-acme-hack
+ labels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+data:
+ nginx.conf: |
+ worker_processes 1;
+ pid /srv/nginx.pid;
+ error_log /dev/stderr notice;
+
+ events {
+ worker_connections 64;
+ # multi_accept on;
+ }
+
+ http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ server_names_hash_bucket_size 64;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /dev/null;
+
+ server {
+ listen 8080 default_server;
+ server_name _;
+
+ root /srv/www;
+ }
+ }
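Review bot: The embedded nginx.conf sets `access_log /dev/null;`, so requests to the ACME challenge path leave no trace, which makes a failed validation (wrong host routing, missing token file) hard to diagnose and removes the only record of who fetched a token; `access_log /dev/stderr;` would surface them in the pod log the way `error_log` already does. The same line appears in matomo-cm.yml and stream-site-cm.yml. The `server` block serves everything below `root /srv/www`, though only the acme-challenge directory is mounted there by nginx-acme-deploy.yml, so nothing else is exposed in practice; a comment stating that dependency would help whoever later mounts more under /srv/www.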
diff --git a/contrib/k8s-lwl/acme-hack/nginx-acme-deploy.yml b/contrib/k8s-lwl/acme-hack/nginx-acme-deploy.yml
new file mode 100644
index 0000000..7d52f55
--- /dev/null
+++ b/contrib/k8s-lwl/acme-hack/nginx-acme-deploy.yml
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: lwl
+ name: nginx-acme-hack-lw-live-00
+ labels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+ worker: lw-live-00
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+ worker: lw-live-00
+ strategy:
+ type: Recreate
+ revisionHistoryLimit: 5
+ template:
+ metadata:
+ labels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+ worker: lw-live-00
+ spec:
+ nodeName: lw-live-00
+ securityContext:
+ runAsUser: 998
+ fsGroup: 998
+ containers:
+ - name: nginx
+ image: spreadspace/nginx:4
+ imagePullPolicy: Always
+ args:
+ - nginx
+ - -c
+ - /srv/config/nginx.conf
+ - -g
+ - "daemon off;"
+ volumeMounts:
+ - name: home
+ mountPath: /srv
+ - name: nginx-lib
+ mountPath: /var/lib/nginx
+ - name: nginx-config
+ mountPath: /srv/config
+ - name: acme-challenge
+ mountPath: /srv/www/.well-known/acme-challenge
+ volumes:
+ - name: home
+ emptyDir:
+ medium: Memory
+ - name: nginx-lib
+ emptyDir:
+ medium: Memory
+ - name: nginx-config
+ configMap:
+ name: nginx-acme-hack
+ - name: acme-challenge
+ hostPath:
+ type: DirectoryOrCreate
+ path: /var/run/acme/acme-challenge/
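Review bot: The `acme-challenge` hostPath mount on the nginx container is writable although nginx only needs to read the token files placed there; add `readOnly: true` to that volumeMount so a compromised web server cannot plant or alter challenge responses on the node. The `www` hostPath in stream-site-deploy.yml has the same shape and deserves the same flag. Separately, `image: spreadspace/nginx:4` with `imagePullPolicy: Always` (and the same `:4` / `master-4` / untagged `busybox` pattern in grafana-, graphite-, matomo- and stream-site manifests) re-resolves a mutable tag on every pod start, so what runs is whatever the registry serves at that moment; pinning the form `image: spreadspace/nginx@sha256:<digest>` makes rollouts reproducible and auditable.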
diff --git a/contrib/k8s-lwl/acme-hack/nginx-acme-ingress.yml b/contrib/k8s-lwl/acme-hack/nginx-acme-ingress.yml
new file mode 100644
index 0000000..e7a3e0e
--- /dev/null
+++ b/contrib/k8s-lwl/acme-hack/nginx-acme-ingress.yml
@@ -0,0 +1,19 @@
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: lwl
+ name: nginx-acme-hack-<<name>>
+ labels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+spec:
+ rules:
+ - host: <<hostname>>
+ http:
+ paths:
+ - path: /.well-known/acme-challenge/
+ backend:
+ serviceName: nginx-acme-hack-lw-live-00
+ servicePort: 8080
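Review bot: `apiVersion: extensions/v1beta1` for Ingress is the deprecated group (networking.k8s.io/v1beta1 has been served since Kubernetes 1.14 and the extensions version was removed in 1.22); grafana-ingress.yml, matomo-ingress.yml and stream-site-ingress.yml use it as well. Whether the 0.18.0 controller in ingress-ds.yml watches the networking group I cannot tell from here, so the switch may have to go together with a controller upgrade. The templated `host: <<hostname>>` and `name: nginx-acme-hack-<<name>>` only become valid after do.sh's sed pass; a header comment such as `# template: rendered by acme-hack/do.sh, do not apply directly` would prevent a stray `kubectl apply` of the raw file.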
diff --git a/contrib/k8s-lwl/acme-hack/nginx-acme-svc.yml b/contrib/k8s-lwl/acme-hack/nginx-acme-svc.yml
new file mode 100644
index 0000000..198a16c
--- /dev/null
+++ b/contrib/k8s-lwl/acme-hack/nginx-acme-svc.yml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: lwl
+ name: nginx-acme-hack-lw-live-00
+ labels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+ worker: lw-live-00
+spec:
+ selector:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+ worker: lw-live-00
+ clusterIP: None
+ ports:
+ - name: http
+ port: 8080
diff --git a/contrib/k8s-lwl/acme-hack/wipe.sh b/contrib/k8s-lwl/acme-hack/wipe.sh
new file mode 100755
index 0000000..5791f7b
--- /dev/null
+++ b/contrib/k8s-lwl/acme-hack/wipe.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+kubectl --namespace lwl delete ingress -l tier=hack -l type=acme-challenge
+kubectl --namespace lwl delete svc -l tier=hack -l type=acme-challenge
+kubectl --namespace lwl delete deploy -l tier=hack -l type=acme-challenge
+kubectl --namespace lwl delete cm -l tier=hack -l type=acme-challenge
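Review bot: Each `kubectl … delete` line passes `-l` twice; kubectl's `-l`/`--selector` is a single string flag, so as far as I can tell the second occurrence replaces the first and the commands delete every resource labelled `type=acme-challenge` in the namespace rather than the intersection with `tier=hack`. The AND form is one comma-separated selector, `kubectl --namespace lwl delete ingress -l tier=hack,type=acme-challenge`, and likewise for the svc, deploy and cm lines. Running the four deletes in one go against a selector-only match is exactly where a too-wide selector hurts, so it is worth a `# selector must stay the intersection of both labels` comment once fixed.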
diff --git a/contrib/k8s-lwl/grafana-ingress.yml b/contrib/k8s-lwl/grafana-ingress.yml
new file mode 100644
index 0000000..b857a46
--- /dev/null
+++ b/contrib/k8s-lwl/grafana-ingress.yml
@@ -0,0 +1,23 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: lwl
+ name: stats-grafana
+ labels:
+ app: grafana
+ tier: stats
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+ tls:
+ - secretName: stats-tls
+ hosts:
+ - stats.lndwrbl.live
+ rules:
+ - host: stats.lndwrbl.live
+ http:
+ paths:
+ - path: /grafana
+ backend:
+ serviceName: stats-grafana
+ servicePort: 3000
diff --git a/contrib/k8s-lwl/grafana-statefulset.yml b/contrib/k8s-lwl/grafana-statefulset.yml
new file mode 100644
index 0000000..ca995f1
--- /dev/null
+++ b/contrib/k8s-lwl/grafana-statefulset.yml
@@ -0,0 +1,65 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ namespace: lwl
+ name: stats-grafana
+ labels:
+ app: grafana
+ tier: stats
+spec:
+ serviceName: stats-grafana
+ replicas: 1
+ selector:
+ matchLabels:
+ app: grafana
+ tier: stats
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: grafana
+ tier: stats
+ spec:
+ nodeName: lw-master
+ initContainers:
+ - name: prepare-grafana-data
+ image: busybox
+ command: ['sh', '-c', 'mkdir -p /srv/data/lib /srv/data/log']
+ volumeMounts:
+ - name: grafana-data
+ mountPath: /srv/data
+ containers:
+ - name: grafana
+ image: grafana/grafana:6.6.2
+ imagePullPolicy: Always
+ resources:
+ limits:
+ memory: 3072Mi
+ requests:
+ memory: 2048Mi
+ env:
+ - name: GF_SERVER_ROOT_URL
+ value: https://stats.lndwrbl.live/grafana
+ - name: GF_SECURITY_ADMIN_PASSWORD
+ value: secret
+ - name: GF_ANALYTICS_CHECK_FOR_UPDATES
+ value: "false"
+ - name: GF_SECURITY_DISABLE_GRAVATAR
+ value: "true"
+ - name: GF_USERS_ALLOW_SIGN_UP
+ value: "false"
+ - name: GF_USERS_ALLOW_ORG_CREATE
+ value: "false"
+ volumeMounts:
+ - name: grafana-data
+ mountPath: /var/lib/grafana
+ subPath: lib
+ - name: grafana-data
+ mountPath: /var/log/grafana
+ subPath: log
+ volumes:
+ - name: grafana-data
+ hostPath:
+ type: DirectoryOrCreate
+ path: /srv/stats/grafana
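Review bot: `GF_SECURITY_ADMIN_PASSWORD` is set to the literal `secret` in a manifest committed to the repository, so the Grafana admin credential is readable by anyone with read access to the repo or to the StatefulSet object; move it to a Secret and reference it with `valueFrom.secretKeyRef`, as mysql-statefulset.yml already does for its root password via a mounted file. The init container creates `/srv/data/lib` and `/srv/data/log` as root with no chown, and the grafana container has no `securityContext`; if the grafana image drops to a non-root user (upstream images do), it will not be able to write into the root-owned hostPath — graphite-statefulset.yml and matomo-deploy.yml chown their data directories in the init container, and this one probably should too, but I cannot confirm the image's user from here.
```yaml
          env:
            # … unchanged: GF_SERVER_ROOT_URL …
            - name: GF_SECURITY_ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: stats-grafana-admin   # constructed name: this Secret is not in the commit and must be created alongside
                  key: admin-password
            # … unchanged: remaining GF_* settings …
```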
diff --git a/contrib/k8s-lwl/grafana-svc.yml b/contrib/k8s-lwl/grafana-svc.yml
new file mode 100644
index 0000000..81b80ce
--- /dev/null
+++ b/contrib/k8s-lwl/grafana-svc.yml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: lwl
+ name: stats-grafana
+ labels:
+ app: grafana
+ tier: stats
+spec:
+ selector:
+ app: grafana
+ tier: stats
+ clusterIP: 172.18.242.42
+ ports:
+ - name: http
+ port: 3000
diff --git a/contrib/k8s-lwl/graphite-cm-api.yml b/contrib/k8s-lwl/graphite-cm-api.yml
new file mode 100644
index 0000000..265bdc7
--- /dev/null
+++ b/contrib/k8s-lwl/graphite-cm-api.yml
@@ -0,0 +1,17 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ namespace: lwl
+ name: stats-graphite-api
+ labels:
+ app: graphite
+ tier: stats
+data:
+ api.yaml: |
+ search_index: /srv/index/index
+ whisper:
+ directories:
+ - /srv/data/whisper
+ carbon:
+ hosts:
+ - 127.0.0.1:7002
diff --git a/contrib/k8s-lwl/graphite-cm-carbon.yml b/contrib/k8s-lwl/graphite-cm-carbon.yml
new file mode 100644
index 0000000..7182d48
--- /dev/null
+++ b/contrib/k8s-lwl/graphite-cm-carbon.yml
@@ -0,0 +1,55 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ namespace: lwl
+ name: stats-graphite-carbon
+ labels:
+ app: graphite
+ tier: stats
+data:
+ carbon.conf: |
+ [cache]
+
+ STORAGE_DIR = /srv/data/
+ LOCAL_DATA_DIR = /srv/data/whisper/
+ CONF_DIR = /srv/config/
+
+ MAX_CACHE_SIZE = inf
+ MAX_UPDATES_PER_SECOND = 1000
+ # MAX_UPDATES_PER_SECOND_ON_SHUTDOWN = 5000
+
+ MAX_CREATES_PER_MINUTE = 50
+
+ LINE_RECEIVER_INTERFACE = 0.0.0.0
+ LINE_RECEIVER_PORT = 2003
+
+ ENABLE_UDP_LISTENER = False
+ PICKLE_RECEIVER_PORT = 0
+
+ LOG_LISTENER_CONNECTIONS = True
+
+ CACHE_QUERY_INTERFACE = 127.0.0.1
+ CACHE_QUERY_PORT = 7002
+
+ USE_FLOW_CONTROL = True
+
+ LOG_UPDATES = False
+ LOG_CACHE_HITS = False
+ LOG_CACHE_QUEUE_SORTS = True
+
+ CACHE_WRITE_STRATEGY = sorted
+ WHISPER_AUTOFLUSH = False
+
+ WHISPER_FALLOCATE_CREATE = True
+ storage-schemas.conf: |
+ [carbon]
+ pattern = ^carbon\.
+ retentions = 60:90d
+
+ [sfive]
+ pattern = ^sfive\.
+ retentions = 15s:10d,1m:21d,15m:5y
+
+ [default_1min_for_1day]
+ pattern = .*
+ retentions = 60s:1d
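Review bot: `MAX_CACHE_SIZE = inf` in carbon.conf removes the cap on the in-memory write cache, and graphite-statefulset.yml sets no `resources.limits` for the carbon container, so a burst of metrics on the line receiver (`LINE_RECEIVER_INTERFACE = 0.0.0.0`, port 2003, which graphite-svc.yml exposes cluster-wide with no authentication) can grow the process until the node's OOM killer steps in on lw-master — the node that also hosts mysql, grafana and matomo. A finite `MAX_CACHE_SIZE` together with a memory limit in the StatefulSet (grafana-statefulset.yml already sets `limits.memory`) bounds that, and `USE_FLOW_CONTROL = True` only helps once the cache has a ceiling to hit. A NetworkPolicy limiting port 2003 to the intended senders would address the open receiver; at minimum a `# unbounded on purpose: <reason>` comment next to `inf` would record the decision.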
diff --git a/contrib/k8s-lwl/graphite-statefulset.yml b/contrib/k8s-lwl/graphite-statefulset.yml
new file mode 100644
index 0000000..fc883be
--- /dev/null
+++ b/contrib/k8s-lwl/graphite-statefulset.yml
@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ namespace: lwl
+ name: stats-graphite
+ labels:
+ app: graphite
+ tier: stats
+spec:
+ serviceName: stats-graphite
+ replicas: 1
+ selector:
+ matchLabels:
+ app: graphite
+ tier: stats
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: graphite
+ tier: stats
+ spec:
+ nodeName: lw-master
+ securityContext:
+ runAsUser: 998
+ fsGroup: 998
+ initContainers:
+ - name: prepare-graphite-data
+ image: busybox
+ command: ['sh', '-c', 'chown 998:998 /srv/data && chmod 700 /srv/data']
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: graphite-data
+ mountPath: /srv/data
+ containers:
+ - name: carbon
+ image: spreadspace/graphite-carbon:master-4
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: home
+ mountPath: /srv
+ - name: carbon-config
+ mountPath: /srv/config
+ - name: graphite-data
+ mountPath: /srv/data
+ - name: api
+ image: spreadspace/graphite-api:master-4
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: home
+ mountPath: /srv
+ - name: api-config
+ mountPath: /srv/config
+ - name: api-index
+ mountPath: /srv/index
+ - name: graphite-data
+ mountPath: /srv/data
+ volumes:
+ - name: home
+ emptyDir:
+ medium: Memory
+ - name: graphite-data
+ hostPath:
+ type: DirectoryOrCreate
+ path: /srv/stats/graphite
+ - name: carbon-config
+ configMap:
+ name: stats-graphite-carbon
+ - name: api-config
+ configMap:
+ name: stats-graphite-api
+ - name: api-index
+ emptyDir:
+ medium: Memory
diff --git a/contrib/k8s-lwl/graphite-svc.yml b/contrib/k8s-lwl/graphite-svc.yml
new file mode 100644
index 0000000..657eec9
--- /dev/null
+++ b/contrib/k8s-lwl/graphite-svc.yml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: lwl
+ name: stats-graphite
+ labels:
+ app: graphite
+ tier: stats
+spec:
+ selector:
+ app: graphite
+ tier: stats
+ clusterIP: 172.18.242.31
+ ports:
+ - name: line
+ port: 2003
+ - name: api
+ port: 8080
diff --git a/contrib/k8s-lwl/ingress-cm.yml b/contrib/k8s-lwl/ingress-cm.yml
new file mode 100644
index 0000000..0a517ea
--- /dev/null
+++ b/contrib/k8s-lwl/ingress-cm.yml
@@ -0,0 +1,8 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ namespace: lwl
+ name: ingress-nginx-config
+ labels:
+ app: nginx
+ tier: ingress
diff --git a/contrib/k8s-lwl/ingress-default-backend.yml b/contrib/k8s-lwl/ingress-default-backend.yml
new file mode 100644
index 0000000..48d9e4c
--- /dev/null
+++ b/contrib/k8s-lwl/ingress-default-backend.yml
@@ -0,0 +1,59 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: lwl
+ name: ingress-default-http-backend
+ labels:
+ app: default-http-backend
+ tier: ingress
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: default-http-backend
+ tier: ingress
+ template:
+ metadata:
+ labels:
+ app: default-http-backend
+ tier: ingress
+ spec:
+ terminationGracePeriodSeconds: 60
+ nodeSelector:
+ streaming.spreadspace.org/zone: dist-lb
+ containers:
+ - name: backend
+ image: gcr.io/google_containers/defaultbackend:1.4
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ scheme: HTTP
+ initialDelaySeconds: 30
+ timeoutSeconds: 5
+ ports:
+ - containerPort: 8080
+ resources:
+ limits:
+ cpu: 10m
+ memory: 20Mi
+ requests:
+ cpu: 10m
+ memory: 20Mi
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: lwl
+ name: ingress-default-http-backend
+ labels:
+ app: default-http-backend
+ tier: ingress
+spec:
+ ports:
+ - port: 80
+ targetPort: 8080
+ selector:
+ app: default-http-backend
+ tier: ingress
diff --git a/contrib/k8s-lwl/ingress-ds.yml b/contrib/k8s-lwl/ingress-ds.yml
new file mode 100644
index 0000000..f6665c6
--- /dev/null
+++ b/contrib/k8s-lwl/ingress-ds.yml
@@ -0,0 +1,70 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ namespace: lwl
+ name: ingress-nginx-controller
+ labels:
+ app: nginx
+ tier: ingress
+spec:
+ selector:
+ matchLabels:
+ app: nginx
+ tier: ingress
+ template:
+ metadata:
+ labels:
+ app: nginx
+ tier: ingress
+ annotations:
+ prometheus.io/port: '10254'
+ prometheus.io/scrape: 'true'
+ spec:
+ serviceAccountName: ingress-nginx
+ nodeSelector:
+ streaming.spreadspace.org/zone: dist-lb
+ hostNetwork: true
+ dnsPolicy: ClusterFirstWithHostNet
+ containers:
+ - name: nginx-controller
+ image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.18.0
+ args:
+ - /nginx-ingress-controller
+ - --default-backend-service=$(POD_NAMESPACE)/ingress-default-http-backend
+ - --configmap=$(POD_NAMESPACE)/ingress-nginx-config
+ - --tcp-services-configmap=$(POD_NAMESPACE)/ingress-tcp-config
+ - --udp-services-configmap=$(POD_NAMESPACE)/ingress-udp-config
+ - --annotations-prefix=nginx.ingress.kubernetes.io
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ ports:
+ - name: http
+ containerPort: 80
+ - name: https
+ containerPort: 443
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: 10254
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
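Review bot: `image: …nginx-ingress-controller:0.18.0` is a mid-2018 release; the project has shipped many fixes, including security fixes, since then, and this pod runs with `hostNetwork: true` on the `dist-lb` node, so any flaw in the controller is reachable directly on the node's interfaces. Upgrading and pinning by digest is the first thing I would ask for, followed by an explicit container `securityContext` — upstream's manifest of that era drops all capabilities, adds only `NET_BIND_SERVICE` and runs as a fixed non-root uid, whereas this DaemonSet leaves the image defaults. The controller is also started without `--watch-namespace=lwl` although every resource in this commit lives in `lwl`; adding it would let the cluster-wide grants in ingress-rbac.yml shrink.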
diff --git a/contrib/k8s-lwl/ingress-rbac.yml b/contrib/k8s-lwl/ingress-rbac.yml
new file mode 100644
index 0000000..14e0c44
--- /dev/null
+++ b/contrib/k8s-lwl/ingress-rbac.yml
@@ -0,0 +1,133 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: lwl
+ name: ingress-nginx
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: ingress-nginx
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - endpoints
+ - nodes
+ - pods
+ - secrets
+ verbs:
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - services
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - "extensions"
+ resources:
+ - ingresses
+ verbs:
+ - get
+ - list
+ - watch
+ - apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+ - apiGroups:
+ - "extensions"
+ resources:
+ - ingresses/status
+ verbs:
+ - update
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: ingress-nginx
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: ingress-nginx
+subjects:
+ - kind: ServiceAccount
+ name: ingress-nginx
+ namespace: lwl
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ namespace: lwl
+ name: ingress-nginx
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - pods
+ - secrets
+ - namespaces
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ resourceNames:
+ # Defaults to "<election-id>-<ingress-class>"
+ # Here: "<ingress-controller-leader>-<nginx>"
+ # This has to be adapted if you change either parameter
+ # when launching the nginx-ingress-controller.
+ - "ingress-controller-leader-nginx"
+ verbs:
+ - get
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+ - apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - get
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ namespace: lwl
+ name: ingress-nginx
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: ingress-nginx
+subjects:
+ - kind: ServiceAccount
+ name: ingress-nginx
+ namespace: lwl
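Review bot: The ClusterRole grants `list` and `watch` on `secrets` in every namespace, which is the upstream ingress-nginx default but, with all workloads in `lwl`, wider than this deployment needs: a compromise of the controller pod (hostNetwork on the load-balancer node) would read TLS keys and any other Secret cluster-wide. If the controller is run with `--watch-namespace=lwl` the secret, configmap and endpoint grants can move into the namespaced Role and the ClusterRole can shrink towards `nodes` and `ingresses`; whether 0.18.0 behaves correctly under that narrower binding I would verify, since I cannot from this page. The `resourceNames` comment block documents the leader-election ConfigMap name well; a similar one-liner on why `namespaces` is in the Role's `get` list would help.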
diff --git a/contrib/k8s-lwl/ingress-tcp-cm.yml b/contrib/k8s-lwl/ingress-tcp-cm.yml
new file mode 100644
index 0000000..33db990
--- /dev/null
+++ b/contrib/k8s-lwl/ingress-tcp-cm.yml
@@ -0,0 +1,8 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ namespace: lwl
+ name: ingress-tcp-config
+ labels:
+ app: tcp-services
+ tier: ingress
diff --git a/contrib/k8s-lwl/ingress-udp-cm.yml b/contrib/k8s-lwl/ingress-udp-cm.yml
new file mode 100644
index 0000000..ecd7faf
--- /dev/null
+++ b/contrib/k8s-lwl/ingress-udp-cm.yml
@@ -0,0 +1,8 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ namespace: lwl
+ name: ingress-udp-config
+ labels:
+ app: udp-services
+ tier: ingress
diff --git a/contrib/k8s-lwl/matomo-cm.yml b/contrib/k8s-lwl/matomo-cm.yml
new file mode 100644
index 0000000..6a0a2cb
--- /dev/null
+++ b/contrib/k8s-lwl/matomo-cm.yml
@@ -0,0 +1,132 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: lwl
+ name: stats-matomo
+ labels:
+ app: matomo
+ tier: stats
+data:
+ nginx.conf: |
+ worker_processes 4;
+ pid /srv/nginx.pid;
+ error_log /dev/stderr notice;
+
+ events {
+ worker_connections 768;
+ # multi_accept on;
+ }
+
+ http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ server_names_hash_bucket_size 64;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /dev/null;
+
+ server {
+ listen 8080 default_server;
+ listen [::]:8080 default_server;
+
+ server_name _;
+
+ add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ root /var/www/html;
+
+ index index.php;
+
+ ## only allow accessing the following php files
+ location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php {
+ try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here.
+
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param QUERY_STRING $query_string;
+ fastcgi_param REQUEST_METHOD $request_method;
+ fastcgi_param CONTENT_TYPE $content_type;
+ fastcgi_param CONTENT_LENGTH $content_length;
+
+ fastcgi_param SCRIPT_NAME $fastcgi_script_name;
+ fastcgi_param REQUEST_URI $request_uri;
+ fastcgi_param DOCUMENT_URI $document_uri;
+ fastcgi_param DOCUMENT_ROOT $document_root;
+ fastcgi_param SERVER_PROTOCOL $server_protocol;
+ fastcgi_param REQUEST_SCHEME $scheme;
+ fastcgi_param HTTPS $https if_not_empty;
+
+ fastcgi_param GATEWAY_INTERFACE CGI/1.1;
+ fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;
+
+ fastcgi_param REMOTE_ADDR $remote_addr;
+ fastcgi_param REMOTE_PORT $remote_port;
+ fastcgi_param SERVER_ADDR $server_addr;
+ fastcgi_param SERVER_PORT $server_port;
+ fastcgi_param SERVER_NAME $server_name;
+
+ # PHP only, required if PHP was built with --enable-force-cgi-redirect
+ fastcgi_param REDIRECT_STATUS 200;
+
+ fastcgi_param HTTP_PROXY "";
+ #fastcgi_param HTTP_X_FORWARDED_URI /matomo;
+ fastcgi_intercept_errors on;
+ fastcgi_pass 127.0.0.1:9000;
+ }
+
+ ## deny access to all other .php files
+ location ~* ^.+\.php$ {
+ deny all;
+ return 403;
+ }
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+
+ ## disable all access to the following directories
+ location ~ /(config|tmp|core|lang) {
+ deny all;
+ return 403; # replace with 404 to not show these directories exist
+ }
+
+ location ~ /\.ht {
+ deny all;
+ return 403;
+ }
+
+ location ~ js/container_.*_preview\.js$ {
+ expires off;
+ add_header Cache-Control 'private, no-cache, no-store';
+ }
+
+ location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
+ allow all;
+ ## Cache images,CSS,JS and webfonts for an hour
+ ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
+ expires 1h;
+ add_header Pragma public;
+ add_header Cache-Control "public";
+ }
+
+ location ~ /(libs|vendor|plugins|misc/user) {
+ deny all;
+ return 403;
+ }
+
+ ## properly display textfiles in root directory
+ location ~/(.*\.md|LEGALNOTICE|LICENSE) {
+ default_type text/plain;
+ }
+
+ location ~ \.php$ {
+ }
+ }
+ }
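Review bot: nginx's `add_header` is not inherited into a `location` that declares its own `add_header`, so the `Referrer-Policy`, `X-Content-Type-Options` and `X-XSS-Protection` headers set at `server` level are dropped from responses of the `container_*_preview.js` and static-asset locations, which each add a `Cache-Control` header; repeat the three security headers inside those two blocks (or move all of them into a file that every location `include`s) so every response carries them. The trailing `location ~ \.php$ { }` is unreachable — regex locations match in order of appearance and `location ~* ^.+\.php$` already catches and denies every `.php` request the allow-list above it did not take — and should go so it does not suggest it does something. `fastcgi_param HTTP_PROXY "";` and the `try_files $fastcgi_script_name =404;` guard are good to see; a comment beside `fastcgi_pass 127.0.0.1:9000` noting that it reaches the php-fpm container of the same pod over the shared network namespace would help readers of matomo-deploy.yml.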
diff --git a/contrib/k8s-lwl/matomo-deploy.yml b/contrib/k8s-lwl/matomo-deploy.yml
new file mode 100644
index 0000000..4e01229
--- /dev/null
+++ b/contrib/k8s-lwl/matomo-deploy.yml
@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: lwl
+ name: stats-matomo
+ labels:
+ app: matomo
+ tier: stats
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: matomo
+ tier: stats
+ strategy:
+ type: Recreate
+ revisionHistoryLimit: 5
+ template:
+ metadata:
+ labels:
+ app: matomo
+ tier: stats
+ spec:
+ nodeName: lw-master
+ securityContext:
+ runAsUser: 998
+ fsGroup: 998
+ initContainers:
+ - name: prepare-matomo-html
+ image: busybox
+ command: ['sh', '-c', 'chown 998:998 /srv/html && chmod 700 /srv/html']
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: matomo-html
+ mountPath: /srv/html
+ containers:
+ - name: matomo
+ image: spreadspace/matomo:4
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: matomo-html
+ mountPath: /var/www/html
+ - name: nginx
+ image: spreadspace/nginx:4
+ imagePullPolicy: Always
+ args:
+ - nginx
+ - -c
+ - /srv/config/nginx.conf
+ - -g
+ - "daemon off;"
+ volumeMounts:
+ - name: home
+ mountPath: /srv
+ - name: nginx-lib
+ mountPath: /var/lib/nginx
+ - name: nginx-config
+ mountPath: /srv/config
+ - name: matomo-html
+ mountPath: /var/www/html
+ volumes:
+ - name: home
+ emptyDir:
+ medium: Memory
+ - name: nginx-lib
+ emptyDir:
+ medium: Memory
+ - name: nginx-config
+ configMap:
+ name: stats-matomo
+ - name: matomo-html
+ hostPath:
+ type: DirectoryOrCreate
+ path: /srv/stats/matomo
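Review bot: The `matomo-html` hostPath is mounted read-write into both containers, but the nginx sidecar only serves static files from `/var/www/html` and forwards `.php` requests to php-fpm over 127.0.0.1:9000, so its mount can carry `readOnly: true`; that keeps a bug in the exposed web server from modifying the application code the matomo container then executes. The init container running as root to `chown`/`chmod` the directory is necessary for a hostPath and matches graphite-statefulset.yml; a comment saying the uid 998 must agree with the pod-level `runAsUser`/`fsGroup` would keep the two from drifting apart.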
diff --git a/contrib/k8s-lwl/matomo-ingress.yml b/contrib/k8s-lwl/matomo-ingress.yml
new file mode 100644
index 0000000..14044a6
--- /dev/null
+++ b/contrib/k8s-lwl/matomo-ingress.yml
@@ -0,0 +1,24 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: lwl
+ name: stats-matomo
+ labels:
+ app: matomo
+ tier: stats
+# annotations:
+# nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+ tls:
+ - secretName: stats-tls
+ hosts:
+ - stats.lndwrbl.live
+ rules:
+ - host: stats.lndwrbl.live
+ http:
+ paths:
+# - path: /matomo
+ - path: /
+ backend:
+ serviceName: stats-matomo
+ servicePort: 8080
diff --git a/contrib/k8s-lwl/matomo-svc.yml b/contrib/k8s-lwl/matomo-svc.yml
new file mode 100644
index 0000000..c619424
--- /dev/null
+++ b/contrib/k8s-lwl/matomo-svc.yml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: lwl
+ name: stats-matomo
+ labels:
+ app: matomo
+ tier: stats
+spec:
+ selector:
+ app: matomo
+ tier: stats
+ clusterIP: 172.18.242.14
+ ports:
+ - name: http
+ port: 8080
diff --git a/contrib/k8s-lwl/mysql-secret.yml b/contrib/k8s-lwl/mysql-secret.yml
new file mode 100644
index 0000000..34ab96e
--- /dev/null
+++ b/contrib/k8s-lwl/mysql-secret.yml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: lwl
+ name: stats-mysql-root
+ labels:
+ app: mysql
+ tier: stats
+type: Opaque
+data:
+ password: Y2hhbmdlLW1lCg== # change-me
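Review bot: The base64 value `Y2hhbmdlLW1lCg==` decodes to `change-me` followed by a newline (the trailing `Cg==` is `\n`, typical of `echo` without `-n`), so whatever reads the mounted file gets a password ending in a line break unless it strips it; regenerate with `echo -n 'change-me' | base64` (giving `Y2hhbmdlLW1l`) or use `stringData:` so the plain value is visible without a side comment. Shipping the placeholder in the repository is fine only if it is certain to be replaced before apply; a `# placeholder: replace before applying` note and keeping the real file out of version control would make that explicit. The inline `# change-me` comment already discloses the value, which is one more argument for `stringData`.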
diff --git a/contrib/k8s-lwl/mysql-statefulset.yml b/contrib/k8s-lwl/mysql-statefulset.yml
new file mode 100644
index 0000000..92d603c
--- /dev/null
+++ b/contrib/k8s-lwl/mysql-statefulset.yml
@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ namespace: lwl
+ name: stats-mysql
+ labels:
+ app: mysql
+ tier: stats
+spec:
+ serviceName: stats-mysql
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mysql
+ tier: stats
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: mysql
+ tier: stats
+ spec:
+ nodeName: lw-master
+ securityContext:
+ runAsUser: 27
+ fsGroup: 27
+ initContainers:
+ - name: prepare-mysql-volumes
+ image: busybox
+ command: ['sh', '-c', 'chown 27:27 /srv/lib && chmod 700 /srv/lib && mkdir -p /srv/tmp/log /srv/tmp/run /srv/tmp/files && ln -sf /dev/stderr /srv/tmp/log/mysqld.log && chown 27:27 /srv/tmp/log/mysqld.log /srv/tmp/run /srv/tmp/files']
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: mysql-lib
+ mountPath: /srv/lib
+ - name: mysql-tmp
+ mountPath: /srv/tmp
+ containers:
+ - name: mysql
+ image: quay.io/neith00/mysql-docker:s2streamstats
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: MYSQL_ROOT_PASSWORD
+ value: /var/run/mysql-secret/password
+ volumeMounts:
+ - name: mysql-lib
+ mountPath: /var/lib/mysql
+ - name: mysql-tmp
+ subPath: log
+ mountPath: /var/log
+ - name: mysql-tmp
+ subPath: run
+ mountPath: /var/run/mysqld
+ - name: mysql-tmp
+ subPath: files
+ mountPath: /var/lib/mysql-files/
+ - name: mysql-secret
+ mountPath: /var/run/mysql-secret/
+ volumes:
+ - name: mysql-lib
+ hostPath:
+ type: DirectoryOrCreate
+ path: /srv/stats/mysql
+ - name: mysql-tmp
+ emptyDir:
+ medium: Memory
+ - name: mysql-secret
+ secret:
+ secretName: stats-mysql-root
+ defaultMode: 0400
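Review bot: `MYSQL_ROOT_PASSWORD` is given the value `/var/run/mysql-secret/password`, i.e. the path of the mounted secret file rather than its contents; the stock mysql images read a file only through `MYSQL_ROOT_PASSWORD_FILE`, and with plain `MYSQL_ROOT_PASSWORD` the literal path string becomes the root password on first initialisation. Unless `quay.io/neith00/mysql-docker:s2streamstats` is known to dereference that variable (I cannot tell from here), either rename it to `MYSQL_ROOT_PASSWORD_FILE` or use `valueFrom.secretKeyRef` on the `stats-mysql-root` Secret's `password` key and drop the volume. A comment on the env entry stating which convention the image follows would settle it for the next reader.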
diff --git a/contrib/k8s-lwl/mysql-svc.yml b/contrib/k8s-lwl/mysql-svc.yml
new file mode 100644
index 0000000..2471c64
--- /dev/null
+++ b/contrib/k8s-lwl/mysql-svc.yml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: lwl
+ name: stats-mysql
+ labels:
+ app: mysql
+ tier: stats
+spec:
+ selector:
+ app: mysql
+ tier: stats
+ clusterIP: 172.18.242.23
+ ports:
+ - name: mysql
+ port: 3306
diff --git a/contrib/k8s-lwl/node-labels.sh b/contrib/k8s-lwl/node-labels.sh
new file mode 100755
index 0000000..62b2761
--- /dev/null
+++ b/contrib/k8s-lwl/node-labels.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+for node in lw-dione lw-helene; do
+ kubectl label --overwrite node "$node" streaming.spreadspace.org/zone=source
+done
+
+kubectl label --overwrite node "lw-live-dist0" streaming.spreadspace.org/zone=dist-root
+# for idx in $(seq 1 x); do
+# kubectl label --overwrite node "lw-live-dist$idx" streaming.spreadspace.org/zone=dist-level1
+# done
+
+# for idx in $(seq -w 01 03); do
+# kubectl label --overwrite node "lw-live-$idx" streaming.spreadspace.org/zone=dist-leaf
+# done
+
+kubectl label --overwrite node "lw-live-00" streaming.spreadspace.org/zone=dist-lb
diff --git a/contrib/k8s-lwl/ns.yml b/contrib/k8s-lwl/ns.yml
new file mode 100644
index 0000000..766e2f8
--- /dev/null
+++ b/contrib/k8s-lwl/ns.yml
@@ -0,0 +1,5 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: lwl
diff --git a/contrib/k8s-lwl/stream-site-cm.yml b/contrib/k8s-lwl/stream-site-cm.yml
new file mode 100644
index 0000000..a9d7631
--- /dev/null
+++ b/contrib/k8s-lwl/stream-site-cm.yml
@@ -0,0 +1,44 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: lwl
+ name: stream-site-public
+ labels:
+ app: nginx
+ type: stream-site
+ tier: live
+ stream: public
+data:
+ nginx.conf: |
+ worker_processes 4;
+ pid /srv/nginx.pid;
+ error_log /dev/stderr notice;
+
+ events {
+ worker_connections 768;
+ # multi_accept on;
+ }
+
+ http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ server_names_hash_bucket_size 64;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /dev/null;
+
+ server {
+ listen 8080 default_server;
+ listen [::]:8080 default_server;
+
+ server_name _;
+
+ root /srv/www;
+ }
+ }
diff --git a/contrib/k8s-lwl/stream-site-deploy.yml b/contrib/k8s-lwl/stream-site-deploy.yml
new file mode 100644
index 0000000..04526d6
--- /dev/null
+++ b/contrib/k8s-lwl/stream-site-deploy.yml
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: lwl
+ name: stream-site-public
+ labels:
+ app: nginx
+ type: stream-site
+ tier: live
+ stream: public
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ type: stream-site
+ tier: live
+ stream: public
+ strategy:
+ type: Recreate
+ revisionHistoryLimit: 5
+ template:
+ metadata:
+ labels:
+ app: nginx
+ type: stream-site
+ tier: live
+ stream: public
+ spec:
+ nodeName: lw-live-00
+ securityContext:
+ runAsUser: 998
+ fsGroup: 998
+ containers:
+ - name: nginx
+ image: spreadspace/nginx-streaming:4
+ imagePullPolicy: Always
+ args:
+ - nginx
+ - -c
+ - /srv/config/nginx.conf
+ - -g
+ - "daemon off;"
+ volumeMounts:
+ - name: home
+ mountPath: /srv
+ - name: nginx-lib
+ mountPath: /var/lib/nginx
+ - name: nginx-config
+ mountPath: /srv/config
+ - name: www
+ mountPath: /srv/www
+ volumes:
+ - name: home
+ emptyDir:
+ medium: Memory
+ - name: nginx-lib
+ emptyDir:
+ medium: Memory
+ - name: nginx-config
+ configMap:
+ name: stream-site-public
+ - name: www
+ hostPath:
+ type: Directory
+ path: /srv/www/stream-site
diff --git a/contrib/k8s-lwl/stream-site-ingress.yml b/contrib/k8s-lwl/stream-site-ingress.yml
new file mode 100644
index 0000000..d0cbfcd
--- /dev/null
+++ b/contrib/k8s-lwl/stream-site-ingress.yml
@@ -0,0 +1,23 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: lwl
+ name: stream-site-public
+ labels:
+ app: nginx
+ type: stream-site
+ tier: live
+ stream: public
+spec:
+ tls:
+ - hosts:
+ - stream.lndwrbl.live
+ secretName: stream-tls
+ rules:
+ - host: stream.lndwrbl.live
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: stream-site-public
+ servicePort: 8080
diff --git a/contrib/k8s-lwl/stream-site-svc.yml b/contrib/k8s-lwl/stream-site-svc.yml
new file mode 100644
index 0000000..0ee57ac
--- /dev/null
+++ b/contrib/k8s-lwl/stream-site-svc.yml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: lwl
+ name: stream-site-public
+ labels:
+ app: nginx
+ type: stream-site
+ tier: live
+ stream: public
+spec:
+ selector:
+ app: nginx
+ type: stream-site
+ tier: live
+ stream: public
+ type: ClusterIP
+ clusterIP: None
+ ports:
+ - name: http
+ port: 8080