-rwxr-xr-x | contrib/k8s-emc/acme-hack/do.sh | 33 | ||||
-rw-r--r-- | contrib/k8s-emc/acme-hack/nginx-acme-deploy.yml | 10 | ||||
-rw-r--r-- | contrib/k8s-emc/acme-hack/nginx-acme-ingress.yml | 2 | ||||
-rw-r--r-- | contrib/k8s-emc/acme-hack/nginx-acme-svc.yml | 6 | ||||
-rw-r--r-- | contrib/k8s-emc/grafana-ingress.yml | 6 | ||||
-rw-r--r-- | contrib/k8s-emc/grafana-statefulset.yml | 6 | ||||
-rw-r--r-- | contrib/k8s-emc/graphite-statefulset.yml | 2 | ||||
-rw-r--r-- | contrib/k8s-emc/ingress-default-backend.yml | 2 | ||||
-rw-r--r-- | contrib/k8s-emc/ingress-ds.yml | 2 | ||||
-rw-r--r-- | contrib/k8s-emc/matomo-cm.yml | 90 | ||||
-rw-r--r-- | contrib/k8s-emc/matomo-deploy.yml | 4 | ||||
-rw-r--r-- | contrib/k8s-emc/matomo-ingress.yml | 13 | ||||
-rw-r--r-- | contrib/k8s-emc/mysql-statefulset.yml | 2 |
13 files changed, 116 insertions, 62 deletions
diff --git a/contrib/k8s-emc/acme-hack/do.sh b/contrib/k8s-emc/acme-hack/do.sh
index beaae3a..3c2b5e3 100755
--- a/contrib/k8s-emc/acme-hack/do.sh
+++ b/contrib/k8s-emc/acme-hack/do.sh
@@ -1,22 +1,23 @@ #!/bin/bash -if [ -z "$1" ]; then - echo "usage: $0 (create|replace)" - exit 1 -fi +declare -A domains +domains[emc-live]="emc-live.elev8.at" +domains[emc-stats]="emc-stats.elev8.at" +domains[stream-elev8]="stream.elev8.at" +domains[stream-elevate]="stream.elevate.at" -#HOSTS="emc-00 emc-01 emc-02 emc-03 emc-04 emc-05 emc-06 helene" -HOSTS="emc-00" - -kubectl "$1" -f nginx-acme-cm.yml -for node in $HOSTS; do - cat nginx-acme-deploy.yml | sed "s/<<node>>/$node/g" | kubectl "$1" -f - - cat nginx-acme-svc.yml | sed "s/<<node>>/$node/g" | kubectl "$1" -f - - cat nginx-acme-ingress.yml | sed "s/<<name>>/$node/g" | sed "s/<<node>>/$node/g" | sed "s/<<hostname>>/$node.spreadspace.org/g" | kubectl "$1" -f - +kubectl apply -f nginx-acme-cm.yml +kubectl apply -f nginx-acme-deploy.yml +kubectl apply -f nginx-acme-svc.yml +for name in "${!domains[@]}"; do + cat nginx-acme-ingress.yml | sed "s/<<name>>/$name/g" | sed "s/<<hostname>>/${domains[$name]}/g" | kubectl apply -f - done -cat nginx-acme-ingress.yml | sed "s/<<name>>/elevate-live/g" | sed "s/<<node>>/emc-00/g" | sed "s/<<hostname>>/elevate-live.spreadspace.org/g" | kubectl "$1" -f - -cat nginx-acme-ingress.yml | sed "s/<<name>>/elevate-stats/g" | sed "s/<<node>>/emc-00/g" | sed "s/<<hostname>>/elevate-stats.spreadspace.org/g" | kubectl "$1" -f - -cat nginx-acme-ingress.yml | sed "s/<<name>>/elevate-stream/g" | sed "s/<<node>>/emc-00/g" | sed "s/<<hostname>>/stream.elevate.at/g" | kubectl "$1" -f - +### TODO: wait for all pods and then contiune the script +#exit 0 + +ssh emc-00 systemctl start acmetool -cat nginx-acme-ingress.yml | sed "s/<<name>>/elevate-feed/g" | sed "s/<<node>>/helene/g" | sed "s/<<hostname>>/elevate-feed.spreadspace.org/g" | kubectl "$1" -f - +for name in "${!domains[@]}"; do + ssh emc-00 kubectl -n emc create secret tls "$name\-tls" "--cert=/var/lib/acme/live/${domains[$name]}/fullchain" "--key=/var/lib/acme/live/${domains[$name]}/privkey" --dry-run -o json | kubectl apply -f - 
+done
diff --git a/contrib/k8s-emc/acme-hack/nginx-acme-deploy.yml b/contrib/k8s-emc/acme-hack/nginx-acme-deploy.yml
index 7800b32..3549f0d 100644
--- a/contrib/k8s-emc/acme-hack/nginx-acme-deploy.yml
+++ b/contrib/k8s-emc/acme-hack/nginx-acme-deploy.yml
@@ -2,12 +2,12 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
 namespace: emc
- name: nginx-acme-hack-<<node>>
+ name: nginx-acme-hack-emc-00
 labels:
 app: nginx
 type: acme-challenge
 tier: hack
- worker: <<node>>
+ worker: emc-00
 spec:
 replicas: 1
 selector:
@@ -15,7 +15,7 @@ spec:
 app: nginx
 type: acme-challenge
 tier: hack
- worker: <<node>>
+ worker: emc-00
 strategy:
 type: Recreate
 revisionHistoryLimit: 5
@@ -25,9 +25,9 @@ spec:
 app: nginx
 type: acme-challenge
 tier: hack
- worker: <<node>>
+ worker: emc-00
 spec:
- nodeName: <<node>>
+ nodeName: emc-00
 securityContext:
 runAsUser: 998
 fsGroup: 998
diff --git a/contrib/k8s-emc/acme-hack/nginx-acme-ingress.yml b/contrib/k8s-emc/acme-hack/nginx-acme-ingress.yml
index 4e47cf2..c6c2b0b 100644
--- a/contrib/k8s-emc/acme-hack/nginx-acme-ingress.yml
+++ b/contrib/k8s-emc/acme-hack/nginx-acme-ingress.yml
@@ -15,5 +15,5 @@ spec:
 paths:
 - path: /.well-known/acme-challenge/
 backend:
- serviceName: nginx-acme-hack-<<node>>
+ serviceName: nginx-acme-hack-emc-00
 servicePort: 8080
diff --git a/contrib/k8s-emc/acme-hack/nginx-acme-svc.yml b/contrib/k8s-emc/acme-hack/nginx-acme-svc.yml
index 318d1ca..7bc3540 100644
--- a/contrib/k8s-emc/acme-hack/nginx-acme-svc.yml
+++ b/contrib/k8s-emc/acme-hack/nginx-acme-svc.yml
@@ -2,18 +2,18 @@ apiVersion: v1
 kind: Service
 metadata:
 namespace: emc
- name: nginx-acme-hack-<<node>>
+ name: nginx-acme-hack-emc-00
 labels:
 app: nginx
 type: acme-challenge
 tier: hack
- worker: <<node>>
+ worker: emc-00
 spec:
 selector:
 app: nginx
 type: acme-challenge
 tier: hack
- worker: <<node>>
+ worker: emc-00
 clusterIP: None
 ports:
 - name: http
diff --git a/contrib/k8s-emc/grafana-ingress.yml b/contrib/k8s-emc/grafana-ingress.yml
index 1d2ee9a..8724a1d 100644
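Review bot: The secret loop at the end of the do.sh hunk pipes each certificate's private key through `kubectl apply`, which also stores the full object in the `kubectl.kubernetes.io/last-applied-configuration` annotation, so the key material is duplicated into the Secret's metadata and stays there across rotations; `kubectl replace --force -f -` (or a delete-then-create) avoids that second copy. In the same line `"$name\-tls"` keeps the backslash after local expansion and only yields `emc-live-tls` because the remote shell behind `ssh` re-parses the argument; `"${name}-tls"` says what is meant without depending on that. The loop also runs straight after `ssh emc-00 systemctl start acmetool` with nothing waiting for the challenge Deployment or the issued certificates, which the TODO acknowledges; `kubectl -n emc rollout status deployment/nginx-acme-hack-emc-00` before the ssh line would cover the first half. With no `set -euo pipefail` at the top, a failing `sed | kubectl` stage is silently skipped and the script continues.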
--- a/contrib/k8s-emc/grafana-ingress.yml
+++ b/contrib/k8s-emc/grafana-ingress.yml
@@ -10,11 +10,11 @@ metadata:
 nginx.ingress.kubernetes.io/rewrite-target: /
 spec:
 tls:
- - secretName: stream-stats-tls
+ - secretName: emc-stats-tls
 hosts:
- - elevate-stats.spreadspace.org
+ - emc-stats.elev8.at
 rules:
- - host: elevate-stats.spreadspace.org
+ - host: emc-stats.elev8.at
 http:
 paths:
 - path: /grafana
diff --git a/contrib/k8s-emc/grafana-statefulset.yml b/contrib/k8s-emc/grafana-statefulset.yml
index e7a21e6..b0c8632 100644
--- a/contrib/k8s-emc/grafana-statefulset.yml
+++ b/contrib/k8s-emc/grafana-statefulset.yml
@@ -21,7 +21,7 @@ spec:
 app: grafana
 tier: stats
 spec:
- nodeName: emc-stats
+ nodeName: emc-master
 initContainers:
 - name: prepare-grafana-data
 image: busybox
@@ -31,7 +31,7 @@ spec:
 mountPath: /srv/data
 containers:
 - name: grafana
- image: grafana/grafana:4.6.3
+ image: grafana/grafana:6.6.2
 imagePullPolicy: Always
 resources:
 limits:
@@ -40,7 +40,7 @@ spec:
 memory: 2048Mi
 env:
 - name: GF_SERVER_ROOT_URL
- value: http://elevate-stats.spreadspace.org/grafana
+ value: https://emc-stats.elev8.at/grafana
 - name: GF_SECURITY_ADMIN_PASSWORD
 value: secret
 - name: GF_ANALYTICS_CHECK_FOR_UPDATES
diff --git a/contrib/k8s-emc/graphite-statefulset.yml b/contrib/k8s-emc/graphite-statefulset.yml
index 99b1d95..5bd376e 100644
--- a/contrib/k8s-emc/graphite-statefulset.yml
+++ b/contrib/k8s-emc/graphite-statefulset.yml
@@ -21,7 +21,7 @@ spec:
 app: graphite
 tier: stats
 spec:
- nodeName: emc-stats
+ nodeName: emc-master
 securityContext:
 runAsUser: 998
 fsGroup: 998
diff --git a/contrib/k8s-emc/ingress-default-backend.yml b/contrib/k8s-emc/ingress-default-backend.yml
index b914748..835239f 100644
--- a/contrib/k8s-emc/ingress-default-backend.yml
+++ b/contrib/k8s-emc/ingress-default-backend.yml
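Review bot: In the last grafana-statefulset hunk the root URL moves to `https://emc-stats.elev8.at/grafana`, but two lines below it `GF_SECURITY_ADMIN_PASSWORD` is still the literal `value: secret` committed in the manifest; if that is not a throwaway placeholder, source it with `valueFrom: secretKeyRef:` from a Secret so the admin credential does not live in the repo next to a now publicly routed HTTPS hostname. The second hunk jumps `grafana/grafana` from 4.6.3 to 6.6.2, and Grafana applies its database schema migrations on first start without a supported downgrade path, so the commit message should call for a backup of the grafana data volume before this rolls out.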
@@ -19,6 +19,8 @@ spec:
 tier: ingress
 spec:
 terminationGracePeriodSeconds: 60
+ nodeSelector:
+ streaming.spreadspace.org/zone: dist-lb
 containers:
 - name: backend
 image: gcr.io/google_containers/defaultbackend:1.4
diff --git a/contrib/k8s-emc/ingress-ds.yml b/contrib/k8s-emc/ingress-ds.yml
index e5243d4..885a812 100644
--- a/contrib/k8s-emc/ingress-ds.yml
+++ b/contrib/k8s-emc/ingress-ds.yml
@@ -22,7 +22,7 @@ spec:
 spec:
 serviceAccountName: ingress-nginx
 nodeSelector:
- ingress: "true"
+ streaming.spreadspace.org/zone: dist-lb
 hostNetwork: true
 dnsPolicy: ClusterFirstWithHostNet
 containers:
diff --git a/contrib/k8s-emc/matomo-cm.yml b/contrib/k8s-emc/matomo-cm.yml
index f8ce063..60af25b 100644
--- a/contrib/k8s-emc/matomo-cm.yml
+++ b/contrib/k8s-emc/matomo-cm.yml
@@ -37,46 +37,96 @@ data: server_name _; - root /var/www/html; - - index index.php index.html index.htm; + add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; - location / { - try_files $uri $uri/ =404; - } + root /var/www/html; - error_page 404 /404.html; - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root /usr/share/nginx/html; - } + index index.php; - location = /favicon.ico { - log_not_found off; - access_log off; - } + ## only allow accessing the following php files + location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php { + try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here. - location ~ \.php$ { - fastcgi_param GATEWAY_INTERFACE CGI/1.1; - fastcgi_param SERVER_SOFTWARE nginx; + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param QUERY_STRING $query_string; fastcgi_param REQUEST_METHOD $request_method; fastcgi_param CONTENT_TYPE $content_type; fastcgi_param CONTENT_LENGTH $content_length; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param SCRIPT_NAME $fastcgi_script_name; fastcgi_param REQUEST_URI $request_uri; fastcgi_param DOCUMENT_URI $document_uri; fastcgi_param DOCUMENT_ROOT $document_root; fastcgi_param SERVER_PROTOCOL $server_protocol; + fastcgi_param REQUEST_SCHEME $scheme; + fastcgi_param HTTPS $https if_not_empty; + + fastcgi_param GATEWAY_INTERFACE CGI/1.1; + fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + fastcgi_param REMOTE_ADDR $remote_addr; fastcgi_param REMOTE_PORT $remote_port; fastcgi_param SERVER_ADDR $server_addr; fastcgi_param SERVER_PORT $server_port; fastcgi_param SERVER_NAME $server_name; - fastcgi_param HTTP_X_FORWARDED_URI /matomo; + + # 
PHP only, required if PHP was built with --enable-force-cgi-redirect + fastcgi_param REDIRECT_STATUS 200; + + fastcgi_param HTTP_PROXY ""; + #fastcgi_param HTTP_X_FORWARDED_URI /matomo; fastcgi_intercept_errors on; fastcgi_pass 127.0.0.1:9000; } + + ## deny access to all other .php files + location ~* ^.+\.php$ { + deny all; + return 403; + } + + location / { + try_files $uri $uri/ =404; + } + + ## disable all access to the following directories + location ~ /(config|tmp|core|lang) { + deny all; + return 403; # replace with 404 to not show these directories exist + } + + location ~ /\.ht { + deny all; + return 403; + } + + location ~ js/container_.*_preview\.js$ { + expires off; + add_header Cache-Control 'private, no-cache, no-store'; + } + + location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ { + allow all; + ## Cache images,CSS,JS and webfonts for an hour + ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade + expires 1h; + add_header Pragma public; + add_header Cache-Control "public"; + } + + location ~ /(libs|vendor|plugins|misc/user) { + deny all; + return 403; + } + + ## properly display textfiles in root directory + location ~/(.*\.md|LEGALNOTICE|LICENSE) { + default_type text/plain; + } + + location ~ \.php$ { + } } } diff --git a/contrib/k8s-emc/matomo-deploy.yml b/contrib/k8s-emc/matomo-deploy.yml index 646323f..4c0f4ad 100644 --- a/contrib/k8s-emc/matomo-deploy.yml +++ b/contrib/k8s-emc/matomo-deploy.yml @@ -21,7 +21,7 @@ spec: app: matomo tier: stats spec: - nodeName: emc-stats + nodeName: emc-master securityContext: runAsUser: 998 fsGroup: 998 @@ -36,7 +36,7 @@ spec: mountPath: /srv/html containers: - name: matomo - image: spreadspace/matomo:3 + image: spreadspace/matomo:4 imagePullPolicy: Always volumeMounts: - name: matomo-html diff --git a/contrib/k8s-emc/matomo-ingress.yml b/contrib/k8s-emc/matomo-ingress.yml index fae82c3..2396854 100644 
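Review bot: The server-level `add_header Referrer-Policy`, `X-Content-Type-Options` and `X-XSS-Protection` lines added at the top of the matomo-cm hunk are silently dropped for every location that declares its own `add_header`, because nginx only inherits `add_header` into a block that has none of its own; the `js/container_.*_preview\.js$` location and the static-asset location therefore answer without those headers. Repeating the three header lines inside both locations (or moving them into an included snippet) makes the policy uniform, as sketched below. The trailing `location ~ \.php$ { }` is unreachable because `location ~* ^.+\.php$` already matches every `.php` URI earlier in the file, and an empty PHP location that were ever reached would hand the script source out as a static file, so it should be deleted rather than left as a trap for the next reordering. The deny regexes `/(config|tmp|core|lang)` and `/(libs|vendor|plugins|misc/user)` are unanchored, so they also block any URI that merely contains one of those names deeper in the path; if only the top-level directories are meant, anchor them with `^`. The enclosing `server { }` block and the ConfigMap `data:` key both open above the hunk.

```nginx
    location ~ js/container_.*_preview\.js$ {
        expires off;
        add_header Cache-Control 'private, no-cache, no-store';
        add_header Referrer-Policy origin always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
    }

    # … unchanged: static-asset location, with the same three add_header lines appended after `add_header Cache-Control "public";` …
```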
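Review bot: `image: spreadspace/matomo:4` in the second matomo-deploy hunk, combined with the existing `imagePullPolicy: Always`, means every pod restart pulls whatever build the `4` tag currently points at, so the deployed version can change without a commit and a broken or tampered push to that tag reaches the cluster on the next reschedule. Pin a full version tag, or better an immutable digest such as `spreadspace/matomo@sha256:<digest>` (placeholder), and bump it deliberately when upgrading.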
--- a/contrib/k8s-emc/matomo-ingress.yml
+++ b/contrib/k8s-emc/matomo-ingress.yml
@@ -6,18 +6,19 @@ metadata:
 labels:
 app: matomo
 tier: stats
- annotations:
- nginx.ingress.kubernetes.io/rewrite-target: /
+# annotations:
+# nginx.ingress.kubernetes.io/rewrite-target: /
 spec:
 tls:
- - secretName: stream-stats-tls
+ - secretName: emc-stats-tls
 hosts:
- - elevate-stats.spreadspace.org
+ - emc-stats.elev8.at
 rules:
- - host: elevate-stats.spreadspace.org
+ - host: emc-stats.elev8.at
 http:
 paths:
- - path: /matomo
+# - path: /matomo
+ - path: /
 backend:
 serviceName: stats-matomo
 servicePort: 8080
diff --git a/contrib/k8s-emc/mysql-statefulset.yml b/contrib/k8s-emc/mysql-statefulset.yml
index 7b8a697..6187206 100644
--- a/contrib/k8s-emc/mysql-statefulset.yml
+++ b/contrib/k8s-emc/mysql-statefulset.yml
@@ -21,7 +21,7 @@ spec:
 app: mysql
 tier: stats
 spec:
- nodeName: emc-stats
+ nodeName: emc-master
 securityContext:
 runAsUser: 27
 fsGroup: 27