32 files changed, 571 insertions, 438 deletions
diff --git a/chaos-at-home/ch-hroottest.yml b/chaos-at-home/ch-hroottest.yml index 064bea36..d8bc019a 100644 --- a/chaos-at-home/ch-hroottest.yml +++ b/chaos-at-home/ch-hroottest.yml @@ -10,6 +10,8 @@ - role: zfs/base - role: apt-repo/spreadspace - role: zfs/sanoid - - role: vm/host - - role: installer/debian/base - - role: installer/openbsd/base + # - role: vm/host + # - role: installer/debian/base + # - role: installer/openbsd/base + - role: kubernetes/base + - role: kubernetes/standalone/base diff --git a/dan/ele-thetys.yml b/dan/ele-thetys.yml index 60e8555e..66ca1d76 100644 --- a/dan/ele-thetys.yml +++ b/dan/ele-thetys.yml @@ -11,4 +11,4 @@ - role: blackmagic-desktopvideo - role: apt-repo/spreadspace - role: kubernetes/base - - role: kubernetes/standalone + - role: kubernetes/standalone/base diff --git a/dan/sk-cloudia.yml b/dan/sk-cloudia.yml index f3a46e7c..e58669d1 100644 --- a/dan/sk-cloudia.yml +++ b/dan/sk-cloudia.yml @@ -13,7 +13,7 @@ # - role: core/admin-users # - role: zfs/base # - role: kubernetes/base - # - role: kubernetes/standalone + # - role: kubernetes/standalone/base # - role: apt-repo/spreadspace # - role: acmetool/base # - role: nginx/base diff --git a/dan/sk-tomnext-nc.yml b/dan/sk-tomnext-nc.yml index 326dcf4b..3924551a 100644 --- a/dan/sk-tomnext-nc.yml +++ b/dan/sk-tomnext-nc.yml @@ -11,7 +11,7 @@ - role: apt-repo/spreadspace - role: zfs/sanoid - role: kubernetes/base - - role: kubernetes/standalone + - role: kubernetes/standalone/base - role: acmetool/base - role: nginx/base - role: postfix/simple diff --git a/inventory/host_vars/ch-hroottest.yml b/inventory/host_vars/ch-hroottest.yml index f07198b1..7c08fe04 100644 --- a/inventory/host_vars/ch-hroottest.yml +++ b/inventory/host_vars/ch-hroottest.yml 
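Review bot: The `vm/host`, `installer/debian/base` and `installer/openbsd/base` roles in `ch-hroottest.yml` are commented out rather than deleted, and the host_vars hunk for the same host does the same with the whole `zfs_sanoid_modules` block; commented-out configuration rots quickly and hides what the host actually runs from anyone grepping the inventory. Git history already keeps the old role list, so removing the lines is the cleaner choice, or, if they are meant to come back, a one-line comment saying so (e.g. `# vm/host and installer roles disabled while this host is a kubernetes standalone test box`). I can't tell from the hunks whether the `storage/vm` dataset still exists now that `vm/host` is gone; if it does, dropping its sanoid schedule silently removes its snapshot/rollback protection and deserves a comment of its own.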
@@ -30,8 +30,26 @@ zfs_zpools: mountpoint: /srv/storage create_vdevs: mirror /dev/disk/by-id/ata-SAMSUNG_HD753LJ_S13UJ1LS801071-part3 /dev/disk/by-id/ata-SAMSUNG_HD753LJ_S13UJ1BQ802393-part3 -zfs_sanoid_modules: - storage/vm: - use_template: production - recursive: yes - process_children_only: yes +# zfs_sanoid_modules: +# storage/vm: +# use_template: production +# recursive: yes +# process_children_only: yes + +docker_zfs: + pool: storage + name: docker + properties: + quota: 15G + +kubelet_zfs: + pool: storage + name: kubelet + properties: + quota: 15G + +kubernetes_version: 1.18.5 +kubernetes_container_runtime: docker +kubernetes_standalone_max_pods: 15 +kubernetes_standalone_pod_cidr: 192.168.255.0/24 +kubernetes_standalone_cni_variant: with-portmap diff --git a/inventory/hosts.ini b/inventory/hosts.ini index c3f1c7ee..3718d7d2 100644 --- a/inventory/hosts.ini +++ b/inventory/hosts.ini @@ -357,6 +357,7 @@ sk-cloudia ele-thetys lw-thetys sk-tomnext-nc +ch-hroottest [kubernetes:children] kubernetes-cluster diff --git a/roles/apps/collabora/code/tasks/main.yml b/roles/apps/collabora/code/tasks/main.yml index 57bdfa34..74f3240a 100644 --- a/roles/apps/collabora/code/tasks/main.yml +++ b/roles/apps/collabora/code/tasks/main.yml 
@@ -21,19 +21,26 @@ when: "'custom_image' in item.value" include_tasks: custom-image.yml -- name: generate pod manifests +- name: install pod manifest loop: "{{ collabora_code_instances | dict2items }}" loop_control: label: "{{ item.key }}" - template: - src: "pod.yml.j2" - dest: "/etc/kubernetes/manifests/collabora-code-{{ item.key }}.yml" - mode: 0600 + vars: + kubernetes_standalone_pod: + name: "collabora-code-{{ item.key }}" + spec: "{{ lookup('template', 'pod-spec.yml.j2') }}" + mode: "0600" + config_hash_items: + - path: "{{ collabora_code_base_path }}/{{ item.key }}/config/loolwsd.xml" + properties: + - checksum + include_role: + name: kubernetes/standalone/pod - name: configure nginx vhost loop: "{{ collabora_code_instances | dict2items }}" - include_role: - name: nginx/vhost + loop_control: + label: "{{ item.key }}" vars: nginx_vhost: name: "collabora-code-{{ item.key }}" @@ -41,3 +48,5 @@ acme: true hostnames: - "{{ item.value.hostname }}" + include_role: + name: nginx/vhost diff --git a/roles/apps/collabora/code/templates/pod-spec.yml.j2 b/roles/apps/collabora/code/templates/pod-spec.yml.j2 new file mode 100644 index 00000000..04d2d25a --- /dev/null +++ b/roles/apps/collabora/code/templates/pod-spec.yml.j2 @@ -0,0 +1,25 @@ +containers: +- name: collabora-code + image: "collabora/code{% if 'custom_image' in item.value %}/{{ item.key }}{% endif %}:{{ item.value.version }}" + resources: + limits: + memory: "4Gi" + env: + - name: "DONT_GEN_SSL_CERT" + value: "1" + - name: "extra_params" + value: "--o:ssl.enable=false --o:ssl.termination=true" + volumeMounts: + - name: config + mountPath: /etc/loolwsd/loolwsd.xml + subPath: loolwsd.xml + readOnly: true + ports: + - containerPort: 9980 + hostPort: {{ item.value.port }} + hostIP: 127.0.0.1 +volumes: +- name: config + hostPath: + path: "{{ collabora_code_base_path }}/{{ item.key }}/config/" + type: Directory 
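Review bot: The new collabora `pod-spec.yml.j2` carries no `securityContext` at all, while the sibling specs introduced in this commit (coturn, etherpad-lite, nextcloud) set at least `runAsUser`/`runAsGroup` or `allowPrivilegeEscalation: false`, so the `collabora-code` container runs with whatever the image defaults to. If the image has to keep root for its own privilege handling (not visible from the spec), a comment to that effect would stop the next reader from "fixing" it, e.g. `# no securityContext on purpose: the image manages its own privilege drop — confirm before tightening`; otherwise add `securityContext:` / `  allowPrivilegeEscalation: false` under the container entry like the other specs. The `hostPort` bound to `127.0.0.1` and the read-only config mount are fine as they are.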
diff --git a/roles/apps/collabora/code/templates/pod.yml.j2 b/roles/apps/collabora/code/templates/pod.yml.j2 deleted file mode 100644 index 53fb4c0d..00000000 --- a/roles/apps/collabora/code/templates/pod.yml.j2 +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: "collabora-code-{{ item.key }}" -spec: - containers: - - name: collabora-code - image: "collabora/code{% if 'custom_image' in item.value %}/{{ item.key }}{% endif %}:{{ item.value.version }}" - resources: - limits: - memory: "4Gi" - env: - - name: "DONT_GEN_SSL_CERT" - value: "1" - - name: "extra_params" - value: "--o:ssl.enable=false --o:ssl.termination=true" - volumeMounts: - - name: config - mountPath: /etc/loolwsd/loolwsd.xml - subPath: loolwsd.xml - readOnly: true - ports: - - containerPort: 9980 - hostPort: {{ item.value.port }} - hostIP: 127.0.0.1 - volumes: - - name: config - hostPath: - path: "{{ collabora_code_base_path }}/{{ item.key }}/config/" - type: Directory diff --git a/roles/apps/coturn/tasks/main.yml b/roles/apps/coturn/tasks/main.yml index 132e4847..176be664 100644 --- a/roles/apps/coturn/tasks/main.yml +++ b/roles/apps/coturn/tasks/main.yml @@ -68,8 +68,15 @@ include_role: name: nginx/vhost -- name: generate pod manifests - template: - src: "pod.yml.j2" - dest: "/etc/kubernetes/manifests/coturn-{{ coturn_realm }}.yml" - mode: 0600 +- name: install pod manifest + vars: + kubernetes_standalone_pod: + name: "coturn-{{ coturn_realm }}" + spec: "{{ lookup('template', 'pod-spec.yml.j2') }}" + mode: "0600" + config_hash_items: + - path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/turnserver.conf" + properties: + - checksum + include_role: + name: kubernetes/standalone/pod diff --git a/roles/apps/coturn/templates/pod-spec.yml.j2 b/roles/apps/coturn/templates/pod-spec.yml.j2 new file mode 100644 index 00000000..d157af37 --- /dev/null +++ b/roles/apps/coturn/templates/pod-spec.yml.j2 
@@ -0,0 +1,32 @@ +securityContext: + allowPrivilegeEscalation: false + runAsUser: {{ coturn_uid }} + runAsGroup: {{ coturn_gid }} +hostNetwork: true +containers: +- name: coturn + image: "instrumentisto/coturn:{{ coturn_version }}" + args: + - --log-file=stdout + resources: + limits: + memory: "1Gi" + volumeMounts: + - name: config + mountPath: /etc/coturn/ + readOnly: true + - name: run + mountPath: /var/run + - name: lib + mountPath: /var/lib/coturn +volumes: +- name: config + hostPath: + path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/" + type: Directory +- name: run + emptyDir: + medium: Memory +- name: lib + emptyDir: + medium: Memory diff --git a/roles/apps/coturn/templates/pod.yml.j2 b/roles/apps/coturn/templates/pod.yml.j2 deleted file mode 100644 index 7c127c13..00000000 --- a/roles/apps/coturn/templates/pod.yml.j2 +++ /dev/null @@ -1,37 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: "coturn-{{ coturn_realm }}" -spec: - securityContext: - allowPrivilegeEscalation: false - runAsUser: {{ coturn_uid }} - runAsGroup: {{ coturn_gid }} - hostNetwork: true - containers: - - name: coturn - image: "instrumentisto/coturn:{{ coturn_version }}" - args: - - --log-file=stdout - resources: - limits: - memory: "1Gi" - volumeMounts: - - name: config - mountPath: /etc/coturn/ - readOnly: true - - name: run - mountPath: /var/run - - name: lib - mountPath: /var/lib/coturn - volumes: - - name: config - hostPath: - path: "{{ coturn_base_path }}/{{ coturn_realm }}/config/" - type: Directory - - name: run - emptyDir: - medium: Memory - - name: lib - emptyDir: - medium: Memory diff --git a/roles/apps/etherpad-lite/tasks/main.yml b/roles/apps/etherpad-lite/tasks/main.yml index 0beeb1e1..105b89d9 100644 --- a/roles/apps/etherpad-lite/tasks/main.yml +++ b/roles/apps/etherpad-lite/tasks/main.yml 
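Review bot: `allowPrivilegeEscalation: false` sits under the pod-level `securityContext`, but that field only exists on the container-level `securityContext` (the pod-level one carries `runAsUser`, `runAsGroup`, `fsGroup` and similar); the kubelet ignores unknown fields when decoding a static-pod manifest rather than rejecting them, so the setting is silently ineffective and the coturn container is not actually prevented from gaining privileges through setuid binaries. The same carried-over pattern appears in `etherpad-lite/templates/pod-spec-with-mariadb.yml.j2` and `nextcloud/templates/pod-spec-with-mariadb.yml.j2`. Move it onto each container, for coturn `securityContext:` / `  allowPrivilegeEscalation: false` inside the `- name: coturn` entry, keeping `runAsUser`/`runAsGroup` at pod level. Since this spec also sets `hostNetwork: true`, a one-line comment stating why (presumably the UDP relay port range, e.g. `# hostNetwork: TURN relays on the host address/ports — confirm`) would flag that this pod warrants closer review than the loopback-only ones.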
@@ -92,24 +92,29 @@ owner: "{{ etherpad_lite_app_uid }}" group: "{{ etherpad_lite_app_gid }}" - -- name: generate pod manifests +- name: install pod manifest loop: "{{ etherpad_lite_instances | dict2items }}" loop_control: label: "{{ item.key }}" - template: - src: "pod-with-{{ item.value.database.type }}.yml.j2" - dest: "/etc/kubernetes/manifests/etherpad-lite-{{ item.key }}.yml" - mode: 0600 - + vars: + kubernetes_standalone_pod: + name: "etherpad-lite-{{ item.key }}" + spec: "{{ lookup('template', 'pod-spec-with-{{ item.value.database.type }}.yml.j2') }}" + mode: "0600" + config_hash_items: + - path: "{{ etherpad_lite_base_path }}/{{ item.key }}/config/settings.json" + properties: + - checksum + include_role: + name: kubernetes/standalone/pod - name: configure nginx vhost loop: "{{ etherpad_lite_instances | dict2items }}" - include_role: - name: nginx/vhost vars: nginx_vhost: name: "etherpad-lite-{{ item.key }}" content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}" acme: true hostnames: "{{ item.value.hostnames }}" + include_role: + name: nginx/vhost diff --git a/roles/apps/etherpad-lite/templates/pod-spec-with-mariadb.yml.j2 b/roles/apps/etherpad-lite/templates/pod-spec-with-mariadb.yml.j2 new file mode 100644 index 00000000..f608d6ab --- /dev/null +++ b/roles/apps/etherpad-lite/templates/pod-spec-with-mariadb.yml.j2 
@@ -0,0 +1,49 @@ +securityContext: + allowPrivilegeEscalation: false +containers: +- name: etherpad-lite + image: spreadspace/etherpad-lite:{{ item.value.version }} + # securityContext: + # runAsUser: {{ etherpad_lite_app_uid }} + # runAsGroup: {{ etherpad_lite_app_gid }} + resources: + limits: + memory: "4Gi" + volumeMounts: + - name: config + mountPath: /opt/etherpad-lite/settings.json + subPath: settings.json + readOnly: true + ports: + - containerPort: 9001 + hostPort: {{ item.value.port }} + hostIP: 127.0.0.1 +- name: database + image: "mariadb:{{ item.value.database.version }}" + securityContext: + runAsUser: {{ etherpad_lite_db_uid }} + runAsGroup: {{ etherpad_lite_db_gid }} + resources: + limits: + memory: "4Gi" + env: + - name: MYSQL_RANDOM_ROOT_PASSWORD + value: "true" + - name: MYSQL_DATABASE + value: etherpad-lite + - name: MYSQL_USER + value: etherpad-lite + - name: MYSQL_PASSWORD + value: "{{ item.value.database.password }}" + volumeMounts: + - name: database + mountPath: /var/lib/mysql +volumes: +- name: config + hostPath: + path: "{{ etherpad_lite_base_path }}/{{ item.key }}/config/" + type: Directory +- name: database + hostPath: + path: "{{ etherpad_lite_base_path }}/{{ item.key }}/{{ item.value.database.type }}" + type: Directory diff --git a/roles/apps/etherpad-lite/templates/pod-with-mariadb.yml.j2 b/roles/apps/etherpad-lite/templates/pod-with-mariadb.yml.j2 deleted file mode 100644 index 9391290f..00000000 --- a/roles/apps/etherpad-lite/templates/pod-with-mariadb.yml.j2 +++ /dev/null 
@@ -1,54 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: "etherpad-lite-{{ item.key }}" -spec: - securityContext: - allowPrivilegeEscalation: false - containers: - - name: etherpad-lite - image: spreadspace/etherpad-lite:{{ item.value.version }} - # securityContext: - # runAsUser: {{ etherpad_lite_app_uid }} - # runAsGroup: {{ etherpad_lite_app_gid }} - resources: - limits: - memory: "4Gi" - volumeMounts: - - name: config - mountPath: /opt/etherpad-lite/settings.json - subPath: settings.json - readOnly: true - ports: - - containerPort: 9001 - hostPort: {{ item.value.port }} - hostIP: 127.0.0.1 - - name: database - image: "mariadb:{{ item.value.database.version }}" - securityContext: - runAsUser: {{ etherpad_lite_db_uid }} - runAsGroup: {{ etherpad_lite_db_gid }} - resources: - limits: - memory: "4Gi" - env: - - name: MYSQL_RANDOM_ROOT_PASSWORD - value: "true" - - name: MYSQL_DATABASE - value: etherpad-lite - - name: MYSQL_USER - value: etherpad-lite - - name: MYSQL_PASSWORD - value: "{{ item.value.database.password }}" - volumeMounts: - - name: database - mountPath: /var/lib/mysql - volumes: - - name: config - hostPath: - path: "{{ etherpad_lite_base_path }}/{{ item.key }}/config/" - type: Directory - - name: database - hostPath: - path: "{{ etherpad_lite_base_path }}/{{ item.key }}/{{ item.value.database.type }}" - type: Directory diff --git a/roles/apps/jitsi/meet/tasks/main.yml b/roles/apps/jitsi/meet/tasks/main.yml index 66644f8f..16e05ced 100644 --- a/roles/apps/jitsi/meet/tasks/main.yml +++ b/roles/apps/jitsi/meet/tasks/main.yml 
@@ -17,11 +17,18 @@ dest: "{{ jitsi_meet_base_path }}/{{ jitsi_meet_inst_name }}/scripts/prosody/cont-init.sh" mode: 0755 -- name: generate pod manifests - template: - src: "pod.yml.j2" - dest: "/etc/kubernetes/manifests/jitsi-meet-{{ jitsi_meet_inst_name }}.yml" - mode: 0600 +- name: install pod manifest + vars: + kubernetes_standalone_pod: + name: "jitsi-meet-{{ jitsi_meet_inst_name }}" + spec: "{{ lookup('template', 'pod-spec.yml.j2') }}" + mode: "0600" + config_hash_items: + - path: "{{ jitsi_meet_base_path }}/{{ jitsi_meet_inst_name }}/scripts/prosody/cont-init.sh" + properties: + - checksum + include_role: + name: kubernetes/standalone/pod ## TODO: https://github.com/jitsi/jitsi-meet/blob/master/doc/turn.md diff --git a/roles/apps/jitsi/meet/templates/pod-spec.yml.j2 b/roles/apps/jitsi/meet/templates/pod-spec.yml.j2 new file mode 100644 index 00000000..7461658f --- /dev/null +++ b/roles/apps/jitsi/meet/templates/pod-spec.yml.j2 
@@ -0,0 +1,185 @@ +initContainers: +- name: prepare-config + image: busybox + workingDir: /config + command: + - sh + - -c + - mkdir -p jicofo prosody web jvb + volumeMounts: + - name: config + mountPath: /config +containers: +- name: jicofo + image: "jitsi/jicofo:{{ jitsi_meet_version }}" + resources: + requests: + memory: "1Gi" + limits: + memory: "4Gi" + volumeMounts: + - name: config + subPath: jicofo + mountPath: /config + env: + - name: XMPP_SERVER + value: 127.0.0.1 + - name: XMPP_DOMAIN + value: meet.jitsi + - name: XMPP_AUTH_DOMAIN + value: auth.meet.jitsi + - name: XMPP_INTERNAL_MUC_DOMAIN + value: internal-muc.meet.jitsi + + - name: JICOFO_COMPONENT_SECRET + value: "{{ jitsi_meet_secrets.jicofo_component_secret }}" + - name: JICOFO_AUTH_USER + value: focus + - name: JICOFO_AUTH_PASSWORD + value: "{{ jitsi_meet_secrets.jicofo_auth_password }}" + + - name: JVB_BREWERY_MUC + value: jvbbrewery + + - name: TZ + value: {{ jitsi_meet_timezone }} + +- name: prosody + image: "jitsi/prosody:{{ jitsi_meet_version }}" + resources: + requests: + memory: "128Mi" + limits: + memory: "512Mi" + volumeMounts: + - name: scripts + subPath: prosody/cont-init.sh + mountPath: /etc/cont-init.d/99-k8s + - name: config + subPath: prosody + mountPath: /config + env: + - name: XMPP_DOMAIN + value: meet.jitsi + - name: XMPP_AUTH_DOMAIN + value: auth.meet.jitsi + - name: XMPP_MUC_DOMAIN + value: muc.meet.jitsi + - name: XMPP_INTERNAL_MUC_DOMAIN + value: internal-muc.meet.jitsi + + - name: JICOFO_COMPONENT_SECRET + value: "{{ jitsi_meet_secrets.jicofo_component_secret }}" + - name: JICOFO_AUTH_USER + value: focus + - name: JICOFO_AUTH_PASSWORD + value: "{{ jitsi_meet_secrets.jicofo_auth_password }}" + + - name: JVB_AUTH_USER + value: jvb + - name: JVB_AUTH_PASSWORD + value: "{{ jitsi_meet_secrets.jvb_auth_password }}" + - name: JVB_TCP_HARVESTER_DISABLED + value: "true" + + - name: TZ + value: {{ jitsi_meet_timezone }} + +- name: web + image: "jitsi/web:{{ jitsi_meet_version }}" + 
resources: + requests: + memory: "256Mi" + limits: + memory: "1Gi" + ports: + - protocol: TCP + containerPort: 80 + hostPort: {{ jitsi_meet_http_port }} + hostIP: 127.0.0.1 + volumeMounts: + - name: config + subPath: web + mountPath: /config + env: + - name: DISABLE_HTTPS + value: "1" + - name: ENABLE_HTTP_REDIRECT + value: "0" + + - name: XMPP_SERVER + value: 127.0.0.1 + - name: XMPP_DOMAIN + value: meet.jitsi + - name: XMPP_AUTH_DOMAIN + value: auth.meet.jitsi + - name: XMPP_INTERNAL_MUC_DOMAIN + value: internal-muc.meet.jitsi + - name: XMPP_BOSH_URL_BASE + value: http://127.0.0.1:5280 + - name: XMPP_MUC_DOMAIN + value: muc.meet.jitsi + + - name: JICOFO_AUTH_USER + value: focus + + - name: JVB_TCP_HARVESTER_DISABLED + value: "true" + + - name: TZ + value: {{ jitsi_meet_timezone }} + +- name: jvb + image: "jitsi/jvb:{{ jitsi_meet_version }}" + resources: + requests: + memory: "1Gi" + limits: + memory: "4Gi" + ports: + - protocol: UDP + containerPort: {{ jitsi_meet_jvb_port }} + hostPort: {{ jitsi_meet_jvb_port }} + hostIP: "{{ external_ip | default(ansible_default_ipv4.address) }}" + volumeMounts: + - name: config + subPath: jvb + mountPath: /config + env: + - name: XMPP_SERVER + value: 127.0.0.1 + - name: XMPP_DOMAIN + value: meet.jitsi + - name: XMPP_AUTH_DOMAIN + value: auth.meet.jitsi + - name: XMPP_INTERNAL_MUC_DOMAIN + value: internal-muc.meet.jitsi + + - name: JICOFO_AUTH_USER + value: focus + - name: JICOFO_AUTH_PASSWORD + value: "{{ jitsi_meet_secrets.jicofo_auth_password }}" + + - name: JVB_AUTH_USER + value: jvb + - name: JVB_AUTH_PASSWORD + value: "{{ jitsi_meet_secrets.jvb_auth_password }}" + - name: JVB_BREWERY_MUC + value: jvbbrewery + - name: JVB_PORT + value: "{{ jitsi_meet_jvb_port }}" + - name: JVB_TCP_HARVESTER_DISABLED + value: "true" + - name: DOCKER_HOST_ADDRESS + value: "{{ external_ip | default(ansible_default_ipv4.address) }}" + + - name: TZ + value: {{ jitsi_meet_timezone }} + +volumes: +- name: scripts + hostPath: + path: "{{ 
jitsi_meet_base_path }}/{{ jitsi_meet_inst_name }}/scripts" +- name: config + emptyDir: + medium: Memory diff --git a/roles/apps/jitsi/meet/templates/pod.yml.j2 b/roles/apps/jitsi/meet/templates/pod.yml.j2 deleted file mode 100644 index 1504211a..00000000 --- a/roles/apps/jitsi/meet/templates/pod.yml.j2 +++ /dev/null 
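Review bot: The `prepare-config` init container pulls `image: busybox` with no tag, i.e. a mutable `latest`, whereas every other container in this spec is pinned to `{{ jitsi_meet_version }}`; that makes the pod's contents depend on whatever the registry serves at the next restart and is the one unpinned supply-chain input in the file. Pin it, e.g. `image: "busybox:<BUSYBOX_VERSION>"` with the version held in a role variable next to `jitsi_meet_version`, or by digest if the registry supports it. Also the four `value: {{ jitsi_meet_timezone }}` lines are the only unquoted templated scalars in the spec; an empty or YAML-retyped expansion would make the kubelet reject the manifest, so `value: "{{ jitsi_meet_timezone }}"` is safer and matches the other env entries.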
@@ -1,190 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: "jitsi-meet-{{ jitsi_meet_inst_name }}" -spec: - initContainers: - - name: prepare-config - image: busybox - workingDir: /config - command: - - sh - - -c - - mkdir -p jicofo prosody web jvb - volumeMounts: - - name: config - mountPath: /config - containers: - - name: jicofo - image: "jitsi/jicofo:{{ jitsi_meet_version }}" - resources: - requests: - memory: "1Gi" - limits: - memory: "4Gi" - volumeMounts: - - name: config - subPath: jicofo - mountPath: /config - env: - - name: XMPP_SERVER - value: 127.0.0.1 - - name: XMPP_DOMAIN - value: meet.jitsi - - name: XMPP_AUTH_DOMAIN - value: auth.meet.jitsi - - name: XMPP_INTERNAL_MUC_DOMAIN - value: internal-muc.meet.jitsi - - - name: JICOFO_COMPONENT_SECRET - value: "{{ jitsi_meet_secrets.jicofo_component_secret }}" - - name: JICOFO_AUTH_USER - value: focus - - name: JICOFO_AUTH_PASSWORD - value: "{{ jitsi_meet_secrets.jicofo_auth_password }}" - - - name: JVB_BREWERY_MUC - value: jvbbrewery - - - name: TZ - value: {{ jitsi_meet_timezone }} - - - name: prosody - image: "jitsi/prosody:{{ jitsi_meet_version }}" - resources: - requests: - memory: "128Mi" - limits: - memory: "512Mi" - volumeMounts: - - name: scripts - subPath: prosody/cont-init.sh - mountPath: /etc/cont-init.d/99-k8s - - name: config - subPath: prosody - mountPath: /config - env: - - name: XMPP_DOMAIN - value: meet.jitsi - - name: XMPP_AUTH_DOMAIN - value: auth.meet.jitsi - - name: XMPP_MUC_DOMAIN - value: muc.meet.jitsi - - name: XMPP_INTERNAL_MUC_DOMAIN - value: internal-muc.meet.jitsi - - - name: JICOFO_COMPONENT_SECRET - value: "{{ jitsi_meet_secrets.jicofo_component_secret }}" - - name: JICOFO_AUTH_USER - value: focus - - name: JICOFO_AUTH_PASSWORD - value: "{{ jitsi_meet_secrets.jicofo_auth_password }}" - - - name: JVB_AUTH_USER - value: jvb - - name: JVB_AUTH_PASSWORD - value: "{{ jitsi_meet_secrets.jvb_auth_password }}" - - name: JVB_TCP_HARVESTER_DISABLED - value: "true" - - - name: TZ - 
value: {{ jitsi_meet_timezone }} - - - name: web - image: "jitsi/web:{{ jitsi_meet_version }}" - resources: - requests: - memory: "256Mi" - limits: - memory: "1Gi" - ports: - - protocol: TCP - containerPort: 80 - hostPort: {{ jitsi_meet_http_port }} - hostIP: 127.0.0.1 - volumeMounts: - - name: config - subPath: web - mountPath: /config - env: - - name: DISABLE_HTTPS - value: "1" - - name: ENABLE_HTTP_REDIRECT - value: "0" - - - name: XMPP_SERVER - value: 127.0.0.1 - - name: XMPP_DOMAIN - value: meet.jitsi - - name: XMPP_AUTH_DOMAIN - value: auth.meet.jitsi - - name: XMPP_INTERNAL_MUC_DOMAIN - value: internal-muc.meet.jitsi - - name: XMPP_BOSH_URL_BASE - value: http://127.0.0.1:5280 - - name: XMPP_MUC_DOMAIN - value: muc.meet.jitsi - - - name: JICOFO_AUTH_USER - value: focus - - - name: JVB_TCP_HARVESTER_DISABLED - value: "true" - - - name: TZ - value: {{ jitsi_meet_timezone }} - - - name: jvb - image: "jitsi/jvb:{{ jitsi_meet_version }}" - resources: - requests: - memory: "1Gi" - limits: - memory: "4Gi" - ports: - - protocol: UDP - containerPort: {{ jitsi_meet_jvb_port }} - hostPort: {{ jitsi_meet_jvb_port }} - hostIP: "{{ external_ip | default(ansible_default_ipv4.address) }}" - volumeMounts: - - name: config - subPath: jvb - mountPath: /config - env: - - name: XMPP_SERVER - value: 127.0.0.1 - - name: XMPP_DOMAIN - value: meet.jitsi - - name: XMPP_AUTH_DOMAIN - value: auth.meet.jitsi - - name: XMPP_INTERNAL_MUC_DOMAIN - value: internal-muc.meet.jitsi - - - name: JICOFO_AUTH_USER - value: focus - - name: JICOFO_AUTH_PASSWORD - value: "{{ jitsi_meet_secrets.jicofo_auth_password }}" - - - name: JVB_AUTH_USER - value: jvb - - name: JVB_AUTH_PASSWORD - value: "{{ jitsi_meet_secrets.jvb_auth_password }}" - - name: JVB_BREWERY_MUC - value: jvbbrewery - - name: JVB_PORT - value: "{{ jitsi_meet_jvb_port }}" - - name: JVB_TCP_HARVESTER_DISABLED - value: "true" - - name: DOCKER_HOST_ADDRESS - value: "{{ external_ip | default(ansible_default_ipv4.address) }}" - - - name: TZ 
- value: {{ jitsi_meet_timezone }} - - volumes: - - name: scripts - hostPath: - path: "{{ jitsi_meet_base_path }}/{{ jitsi_meet_inst_name }}/scripts" - - name: config - emptyDir: - medium: Memory diff --git a/roles/apps/nextcloud/tasks/main.yml b/roles/apps/nextcloud/tasks/main.yml index b08ce2d0..325fa15d 100644 --- a/roles/apps/nextcloud/tasks/main.yml +++ b/roles/apps/nextcloud/tasks/main.yml @@ -102,14 +102,24 @@ when: "'custom_image' in item.value" include_tasks: custom-image.yml -- name: generate pod manifests +- name: install pod manifest loop: "{{ nextcloud_instances | dict2items }}" loop_control: label: "{{ item.key }}" - template: - src: "pod-with-{{ item.value.database.type }}.yml.j2" - dest: "/etc/kubernetes/manifests/nextcloud-{{ item.key }}.yml" - mode: 0600 + vars: + kubernetes_standalone_pod: + name: "nextcloud-{{ item.key }}" + spec: "{{ lookup('template', 'pod-spec-with-{{ item.value.database.type }}.yml.j2') }}" + mode: "0600" + config_hash_items: + - path: "{{ nextcloud_base_path }}/{{ item.key }}/config/apache-site.conf" + properties: + - checksum + - path: "{{ nextcloud_base_path }}/{{ item.key }}/config/ports.conf" + properties: + - checksum + include_role: + name: kubernetes/standalone/pod - name: install cron trigger script @@ -141,8 +151,8 @@ - name: configure nginx vhost loop: "{{ nextcloud_instances | dict2items }}" - include_role: - name: nginx/vhost + loop_control: + label: "{{ item.key }}" vars: nginx_vhost: name: "nextcloud-{{ item.key }}" @@ -156,6 +166,8 @@ replacement: "https://$host/" - redirect: "http://$host:8080/" replacement: "https://$host/" + include_role: + name: nginx/vhost - name: install management scripts diff --git a/roles/apps/nextcloud/templates/pod-spec-with-mariadb.yml.j2 b/roles/apps/nextcloud/templates/pod-spec-with-mariadb.yml.j2 new file mode 100644 index 00000000..b587cad3 --- /dev/null +++ b/roles/apps/nextcloud/templates/pod-spec-with-mariadb.yml.j2 
@@ -0,0 +1,77 @@ +securityContext: + allowPrivilegeEscalation: false +containers: +- name: nextcloud + image: "nextcloud{% if 'custom_image' in item.value %}/{{ item.key }}{% endif %}:{{ item.value.version }}" + securityContext: + runAsUser: {{ nextcloud_app_uid }} + runAsGroup: {{ nextcloud_app_gid }} + resources: + limits: + memory: "4Gi" +{% if 'new' in item.value and item.value.new %} + env: + - name: NEXTCLOUD_TRUSTED_DOMAINS + value: "{{ item.value.hostnames | join(' ') }}" + - name: MYSQL_HOST + value: 127.0.0.1 + - name: MYSQL_DATABASE + value: nextcloud + - name: MYSQL_USER + value: nextcloud + - name: MYSQL_PASSWORD + value: "{{ item.value.database.password }}" +{% endif %} + volumeMounts: + - name: nextcloud + mountPath: /var/www/html + - name: config + mountPath: /etc/apache2/sites-available/000-default.conf + subPath: apache-site.conf + readOnly: true + - name: config + mountPath: /etc/apache2/ports.conf + subPath: ports.conf + readOnly: true + ports: + - containerPort: 8080 + hostPort: {{ item.value.port }} + hostIP: 127.0.0.1 +- name: database + image: "mariadb:{{ item.value.database.version }}" + args: + - --transaction-isolation=READ-COMMITTED + - --binlog-format=ROW + securityContext: + runAsUser: {{ nextcloud_db_uid }} + runAsGroup: {{ nextcloud_db_gid }} + resources: + limits: + memory: "2Gi" +{% if 'new' in item.value and item.value.new %} + env: + - name: MYSQL_RANDOM_ROOT_PASSWORD + value: "true" + - name: MYSQL_DATABASE + value: nextcloud + - name: MYSQL_USER + value: nextcloud + - name: MYSQL_PASSWORD + value: "{{ item.value.database.password }}" +{% endif %} + volumeMounts: + - name: database + mountPath: /var/lib/mysql +volumes: +- name: config + hostPath: + path: "{{ nextcloud_base_path }}/{{ item.key }}/config/" + type: Directory +- name: nextcloud + hostPath: + path: "{{ nextcloud_base_path }}/{{ item.key }}/nextcloud" + type: Directory +- name: database + hostPath: + path: "{{ nextcloud_base_path }}/{{ item.key }}/{{ 
item.value.database.type }}" + type: Directory diff --git a/roles/apps/nextcloud/templates/pod-with-mariadb.yml.j2 b/roles/apps/nextcloud/templates/pod-with-mariadb.yml.j2 deleted file mode 100644 index 20752490..00000000 --- a/roles/apps/nextcloud/templates/pod-with-mariadb.yml.j2 +++ /dev/null 
@@ -1,82 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: "nextcloud-{{ item.key }}" -spec: - securityContext: - allowPrivilegeEscalation: false - containers: - - name: nextcloud - image: "nextcloud{% if 'custom_image' in item.value %}/{{ item.key }}{% endif %}:{{ item.value.version }}" - securityContext: - runAsUser: {{ nextcloud_app_uid }} - runAsGroup: {{ nextcloud_app_gid }} - resources: - limits: - memory: "4Gi" -{% if 'new' in item.value and item.value.new %} - env: - - name: NEXTCLOUD_TRUSTED_DOMAINS - value: "{{ item.value.hostnames | join(' ') }}" - - name: MYSQL_HOST - value: 127.0.0.1 - - name: MYSQL_DATABASE - value: nextcloud - - name: MYSQL_USER - value: nextcloud - - name: MYSQL_PASSWORD - value: "{{ item.value.database.password }}" -{% endif %} - volumeMounts: - - name: nextcloud - mountPath: /var/www/html - - name: config - mountPath: /etc/apache2/sites-available/000-default.conf - subPath: apache-site.conf - readOnly: true - - name: config - mountPath: /etc/apache2/ports.conf - subPath: ports.conf - readOnly: true - ports: - - containerPort: 8080 - hostPort: {{ item.value.port }} - hostIP: 127.0.0.1 - - name: database - image: "mariadb:{{ item.value.database.version }}" - args: - - --transaction-isolation=READ-COMMITTED - - --binlog-format=ROW - securityContext: - runAsUser: {{ nextcloud_db_uid }} - runAsGroup: {{ nextcloud_db_gid }} - resources: - limits: - memory: "2Gi" -{% if 'new' in item.value and item.value.new %} - env: - - name: MYSQL_RANDOM_ROOT_PASSWORD - value: "true" - - name: MYSQL_DATABASE - value: nextcloud - - name: MYSQL_USER - value: nextcloud - - name: MYSQL_PASSWORD - value: "{{ item.value.database.password }}" -{% endif %} - volumeMounts: - - name: database - mountPath: /var/lib/mysql - volumes: - - name: config - hostPath: - path: "{{ nextcloud_base_path }}/{{ item.key }}/config/" - type: Directory - - name: nextcloud - hostPath: - path: "{{ nextcloud_base_path }}/{{ item.key }}/nextcloud" - type: Directory - - name: 
database - hostPath: - path: "{{ nextcloud_base_path }}/{{ item.key }}/{{ item.value.database.type }}" - type: Directory diff --git a/roles/kubernetes/standalone/defaults/main.yml b/roles/kubernetes/standalone/base/defaults/main.yml index b0c14b11..b0c14b11 100644 --- a/roles/kubernetes/standalone/defaults/main.yml +++ b/roles/kubernetes/standalone/base/defaults/main.yml diff --git a/roles/kubernetes/standalone/handlers/main.yml b/roles/kubernetes/standalone/base/handlers/main.yml index 26438551..26438551 100644 --- a/roles/kubernetes/standalone/handlers/main.yml +++ b/roles/kubernetes/standalone/base/handlers/main.yml diff --git a/roles/kubernetes/standalone/tasks/main.yml b/roles/kubernetes/standalone/base/tasks/main.yml index 241c3136..241c3136 100644 --- a/roles/kubernetes/standalone/tasks/main.yml +++ b/roles/kubernetes/standalone/base/tasks/main.yml diff --git a/roles/kubernetes/standalone/templates/cni-no-portmap.conflist.j2 b/roles/kubernetes/standalone/base/templates/cni-no-portmap.conflist.j2 index be47f216..be47f216 100644 --- a/roles/kubernetes/standalone/templates/cni-no-portmap.conflist.j2 +++ b/roles/kubernetes/standalone/base/templates/cni-no-portmap.conflist.j2 diff --git a/roles/kubernetes/standalone/templates/cni-with-localonly-portmap.conflist.j2 b/roles/kubernetes/standalone/base/templates/cni-with-localonly-portmap.conflist.j2 index acaf7eba..acaf7eba 100644 --- a/roles/kubernetes/standalone/templates/cni-with-localonly-portmap.conflist.j2 +++ b/roles/kubernetes/standalone/base/templates/cni-with-localonly-portmap.conflist.j2 diff --git a/roles/kubernetes/standalone/templates/cni-with-portmap.conflist.j2 b/roles/kubernetes/standalone/base/templates/cni-with-portmap.conflist.j2 index 9f9b2b9a..9f9b2b9a 100644 --- a/roles/kubernetes/standalone/templates/cni-with-portmap.conflist.j2 +++ b/roles/kubernetes/standalone/base/templates/cni-with-portmap.conflist.j2 
diff --git a/roles/kubernetes/standalone/templates/kubelet-config.yml.j2 b/roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2 index d6af0f24..d6af0f24 100644 --- a/roles/kubernetes/standalone/templates/kubelet-config.yml.j2 +++ b/roles/kubernetes/standalone/base/templates/kubelet-config.yml.j2 diff --git a/roles/kubernetes/standalone/templates/kubelet.service.override.j2 b/roles/kubernetes/standalone/base/templates/kubelet.service.override.j2 index fe8bfb4c..fe8bfb4c 100644 --- a/roles/kubernetes/standalone/templates/kubelet.service.override.j2 +++ b/roles/kubernetes/standalone/base/templates/kubelet.service.override.j2 diff --git a/roles/kubernetes/standalone/pod/defaults/main.yml b/roles/kubernetes/standalone/pod/defaults/main.yml new file mode 100644 index 00000000..2eae33a3 --- /dev/null +++ b/roles/kubernetes/standalone/pod/defaults/main.yml @@ -0,0 +1,23 @@ +--- +# kubernetes_standalone_pod: +# name: example +# labels: +# foo: bar +# annotations: +# hello: world +# spec: | +# containers: +# - name: test +# image: "debian:stable" +# command: +# - /bin/bash +# - -c +# - "sleep inf" +# mode: "0600" +# config_hash_items: +# - path: /path/to/configfile +# properties: +# - checksum +# - mode +# - uid +# - gid diff --git a/roles/kubernetes/standalone/pod/tasks/main.yml b/roles/kubernetes/standalone/pod/tasks/main.yml new file mode 100644 index 00000000..7f87cf3f --- /dev/null +++ b/roles/kubernetes/standalone/pod/tasks/main.yml 
@@ -0,0 +1,74 @@ +--- +- name: generate config-hash + when: "'config_hash_items' in kubernetes_standalone_pod" + block: + - name: create directory for config-hash files + file: + path: /etc/kubernetes/config-hashes + state: directory + + - name: gather stats for config-hash items + loop: "{{ kubernetes_standalone_pod.config_hash_items }}" + loop_control: + loop_var: config_hash_item + label: "{{ config_hash_item.path }} ({{ config_hash_item.properties | sort | join(', ') }})" + stat: + path: "{{ config_hash_item.path }}" + get_checksum: yes + checksum_algorithm: sha256 + register: config_hash_items_stat + + - assert: + msg: "at least one config-hash item does not exist" + that: false not in (config_hash_items_stat.results | map(attribute='stat.exists')) + + - name: generate config-hash file + copy: + content: | + {% for result in config_hash_items_stat.results %} + {{ result.config_hash_item.path }}: + {% for property in (result.config_hash_item.properties | sort) %} + {{ property }}: {{ result.stat[property] }} + {% endfor %} + {% endfor %} + dest: "/etc/kubernetes/config-hashes/{{ kubernetes_standalone_pod.name }}.yml" + + - name: compute config-hash value from file + stat: + path: "/etc/kubernetes/config-hashes/{{ kubernetes_standalone_pod.name }}.yml" + get_checksum: yes + checksum_algorithm: sha256 + register: config_hash_file_stat + + - name: set config-hash value + set_fact: + config_hash_value: "{{ config_hash_file_stat.stat.checksum }}" + +- name: remove config-hash file + when: "'config_hash_items' not in kubernetes_standalone_pod" + file: + path: "/etc/kubernetes/config-hashes/{{ kubernetes_standalone_pod.name }}.yml" + state: absent + +- name: generate pod manifest + copy: + content: | + apiVersion: v1 + kind: Pod + metadata: + name: "{{ kubernetes_standalone_pod.name }}" + {% if 'labels' in kubernetes_standalone_pod %} + labels: + {{ kubernetes_standalone_pod.labels | to_nice_yaml(indent=2) | indent(4) }}{% endif %} + {% if config_hash_value is defined 
or'annotations' in kubernetes_standalone_pod %} + annotations: + {% if config_hash_value is defined %} + config-hash: "{{ config_hash_value }}" + {% endif %} + {% if 'annotations' in kubernetes_standalone_pod %} + {{ kubernetes_standalone_pod.annotations | default({}) | to_nice_yaml(indent=2) | indent(4) }}{% endif %} + {% endif %} + spec: + {{ kubernetes_standalone_pod.spec | indent(2) }} + dest: "/etc/kubernetes/manifests/{{ kubernetes_standalone_pod.name }}.yml" + mode: "{{ kubernetes_standalone_pod.mode | default(omit) }}" diff --git a/spreadspace/lw-thetys.yml b/spreadspace/lw-thetys.yml index 4adbb893..3c177627 100644 --- a/spreadspace/lw-thetys.yml +++ b/spreadspace/lw-thetys.yml @@ -11,5 +11,5 @@ - role: blackmagic-desktopvideo - role: apt-repo/spreadspace - role: kubernetes/base - - role: kubernetes/standalone + - role: kubernetes/standalone/base - role: wireguard/base |
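Review bot: `config_hash_value` is stored with `set_fact`, which persists on the host for the rest of the play, so once one `kubernetes/standalone/pod` include has computed a hash every later include without `config_hash_items` still satisfies `config_hash_value is defined` in the manifest template and stamps the previous pod's hash into its `config-hash` annotation; the `remove config-hash file` task cannot clear it. Drop the `set config-hash value` task and guard on the input instead, reading the registered stat directly: `{% if 'config_hash_items' in kubernetes_standalone_pod or 'annotations' in kubernetes_standalone_pod %}`, `{% if 'config_hash_items' in kubernetes_standalone_pod %}` and `config-hash: "{{ config_hash_file_stat.stat.checksum }}"` (this also fixes the missing space in `or'annotations'`). Separately, the manifest falls back to `mode: ... | default(omit)` although the rendered spec embeds caller secrets (database passwords, jitsi secrets) as plain env values; `default('0600')` is the safer default so a caller that forgets `mode` does not leave the file at the umask default in `/etc/kubernetes/manifests`. The `config-hashes` directory and hash file are written without a mode as well, but they hold only paths and checksums, so that is a lesser concern.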