Diffstat (limited to 'contrib/k8s-emc/_graveyard_')
14 files changed, 511 insertions, 0 deletions
diff --git a/contrib/k8s-emc/_graveyard_/acme-hack/do.sh b/contrib/k8s-emc/_graveyard_/acme-hack/do.sh
new file mode 100755
index 0000000..3c2b5e3
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/acme-hack/do.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+
+declare -A domains
+domains[emc-live]="emc-live.elev8.at"
+domains[emc-stats]="emc-stats.elev8.at"
+domains[stream-elev8]="stream.elev8.at"
+domains[stream-elevate]="stream.elevate.at"
+
+kubectl apply -f nginx-acme-cm.yml
+kubectl apply -f nginx-acme-deploy.yml
+kubectl apply -f nginx-acme-svc.yml
+for name in "${!domains[@]}"; do
+ cat nginx-acme-ingress.yml | sed "s/<<name>>/$name/g" | sed "s/<<hostname>>/${domains[$name]}/g" | kubectl apply -f -
+done
+
+### TODO: wait for all pods and then contiune the script
+#exit 0
+
+ssh emc-00 systemctl start acmetool
+
+for name in "${!domains[@]}"; do
+ ssh emc-00 kubectl -n emc create secret tls "$name\-tls" "--cert=/var/lib/acme/live/${domains[$name]}/fullchain" "--key=/var/lib/acme/live/${domains[$name]}/privkey" --dry-run -o json | kubectl apply -f -
+done
diff --git a/contrib/k8s-emc/_graveyard_/acme-hack/nginx-acme-cm.yml b/contrib/k8s-emc/_graveyard_/acme-hack/nginx-acme-cm.yml
new file mode 100644
index 0000000..9050c04
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/acme-hack/nginx-acme-cm.yml
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: emc
+ name: nginx-acme-hack
+ labels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+data:
+ nginx.conf: |
+ worker_processes 1;
+ pid /srv/nginx.pid;
+ error_log /dev/stderr notice;
+
+ events {
+ worker_connections 64;
+ # multi_accept on;
+ }
+
+ http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ server_names_hash_bucket_size 64;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /dev/null;
+
+ server {
+ listen 8080 default_server;
+ server_name _;
+
+ root /srv/www;
+ }
+ }
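Review bot: do.sh has no error handling, so a failed `kubectl apply` or `ssh` does not stop the later steps; in the last loop a failing remote `kubectl create secret tls` (for example because acmetool has not written `fullchain`/`privkey` yet) is masked by the pipe and `kubectl apply -f -` still runs on whatever arrived. Adding `set -euo pipefail` after the shebang would stop at the first failure. The TODO about waiting for pods is the same gap from the other side: acmetool is started before the challenge responder is known to be ready, and `kubectl -n emc rollout status deploy/nginx-acme-hack-emc-00` before the `ssh emc-00 systemctl start acmetool` line would close it. Note also that `"$name\-tls"` only yields `<name>-tls` because the remote shell re-parses the ssh command line; plain `"$name-tls"` says the same thing without depending on that.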
diff --git a/contrib/k8s-emc/_graveyard_/acme-hack/nginx-acme-deploy.yml b/contrib/k8s-emc/_graveyard_/acme-hack/nginx-acme-deploy.yml
new file mode 100644
index 0000000..3549f0d
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/acme-hack/nginx-acme-deploy.yml
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: emc
+ name: nginx-acme-hack-emc-00
+ labels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+ worker: emc-00
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+ worker: emc-00
+ strategy:
+ type: Recreate
+ revisionHistoryLimit: 5
+ template:
+ metadata:
+ labels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+ worker: emc-00
+ spec:
+ nodeName: emc-00
+ securityContext:
+ runAsUser: 998
+ fsGroup: 998
+ containers:
+ - name: nginx
+ image: spreadspace/nginx:4
+ imagePullPolicy: Always
+ args:
+ - nginx
+ - -c
+ - /srv/config/nginx.conf
+ - -g
+ - "daemon off;"
+ volumeMounts:
+ - name: home
+ mountPath: /srv
+ - name: nginx-lib
+ mountPath: /var/lib/nginx
+ - name: nginx-config
+ mountPath: /srv/config
+ - name: acme-challenge
+ mountPath: /srv/www/.well-known/acme-challenge
+ volumes:
+ - name: home
+ emptyDir:
+ medium: Memory
+ - name: nginx-lib
+ emptyDir:
+ medium: Memory
+ - name: nginx-config
+ configMap:
+ name: nginx-acme-hack
+ - name: acme-challenge
+ hostPath:
+ type: DirectoryOrCreate
+ path: /var/run/acme/acme-challenge/
diff --git a/contrib/k8s-emc/_graveyard_/acme-hack/nginx-acme-ingress.yml b/contrib/k8s-emc/_graveyard_/acme-hack/nginx-acme-ingress.yml
new file mode 100644
index 0000000..c6c2b0b
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/acme-hack/nginx-acme-ingress.yml
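Review bot: The `acme-challenge` hostPath is mounted read-write into the nginx container although nginx only has to serve the files that acmetool writes on the host; adding `readOnly: true` to that volumeMount keeps a compromised web server from altering `/var/run/acme/acme-challenge/` on emc-00. The container also has no securityContext of its own, so `allowPrivilegeEscalation: false` would be a cheap addition next to the pod-level `runAsUser: 998`. `spreadspace/nginx:4` with `imagePullPolicy: Always` is a mutable tag, so what runs on the node can change without a manifest change; pinning by digest (`spreadspace/nginx:4@sha256:<digest>`) would make that explicit.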
@@ -0,0 +1,19 @@
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: emc
+ name: nginx-acme-hack-<<name>>
+ labels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+spec:
+ rules:
+ - host: <<hostname>>
+ http:
+ paths:
+ - path: /.well-known/acme-challenge/
+ backend:
+ serviceName: nginx-acme-hack-emc-00
+ servicePort: 8080
diff --git a/contrib/k8s-emc/_graveyard_/acme-hack/nginx-acme-svc.yml b/contrib/k8s-emc/_graveyard_/acme-hack/nginx-acme-svc.yml
new file mode 100644
index 0000000..7bc3540
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/acme-hack/nginx-acme-svc.yml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: emc
+ name: nginx-acme-hack-emc-00
+ labels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+ worker: emc-00
+spec:
+ selector:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+ worker: emc-00
+ clusterIP: None
+ ports:
+ - name: http
+ port: 8080
diff --git a/contrib/k8s-emc/_graveyard_/acme-hack/wipe.sh b/contrib/k8s-emc/_graveyard_/acme-hack/wipe.sh
new file mode 100755
index 0000000..6834aa6
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/acme-hack/wipe.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+kubectl --namespace emc delete ingress -l tier=hack -l type=acme-challenge
+kubectl --namespace emc delete svc -l tier=hack -l type=acme-challenge
+kubectl --namespace emc delete deploy -l tier=hack -l type=acme-challenge
+kubectl --namespace emc delete cm -l tier=hack -l type=acme-challenge
diff --git a/contrib/k8s-emc/_graveyard_/elasticsearch-statefulset.yml b/contrib/k8s-emc/_graveyard_/elasticsearch-statefulset.yml
new file mode 100644
index 0000000..86edd8f
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/elasticsearch-statefulset.yml
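Review bot: Each delete in wipe.sh passes `-l` twice, and as far as I know kubectl takes the selector as a single string, so the last occurrence replaces the first and only `type=acme-challenge` is matched. Every object with that label in the manifests of this change also carries `tier=hack`, so the result is the same today, but the intent is safer written as one selector: `kubectl --namespace emc delete ingress -l tier=hack,type=acme-challenge` (and likewise for svc, deploy and cm).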
@@ -0,0 +1,62 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ namespace: emc
+ name: stats-es
+ labels:
+ app: elasticsearch
+ tier: stats
+spec:
+ serviceName: stats-es
+ replicas: 1
+ selector:
+ matchLabels:
+ app: elasticsearch
+ tier: stats
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: elasticsearch
+ tier: stats
+ spec:
+ nodeName: emc-stats
+ securityContext:
+ runAsUser: 998
+ fsGroup: 998
+ initContainers:
+ - name: prepare-es-data
+ image: busybox
+ command: ['sh', '-c', 'chown 998:998 /srv/data && chmod 700 /srv/data']
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: es-data
+ mountPath: /srv/data
+ containers:
+ - name: elasticsearch
+ image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.2.2
+ imagePullPolicy: Always
+ resources:
+ limits:
+ memory: 3072Mi
+ requests:
+ memory: 2048Mi
+ env:
+ - name: ES_JAVA_OPTS
+ value: "-Xms1536m -Xmx1536m"
+ - name: cluster.name
+ value: emc-stats
+ - name: node.name
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ volumeMounts:
+ - name: es-data
+ mountPath: /usr/share/elasticsearch/data
+ volumes:
+ - name: es-data
+ hostPath:
+ type: DirectoryOrCreate
+ path: /srv/stats/elasticsearch
diff --git a/contrib/k8s-emc/_graveyard_/elasticsearch-svc.yml b/contrib/k8s-emc/_graveyard_/elasticsearch-svc.yml
new file mode 100644
index 0000000..d3451a8
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/elasticsearch-svc.yml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: emc
+ name: stats-es
+ labels:
+ app: elasticsearch
+ tier: stats
+spec:
+ selector:
+ app: elasticsearch
+ tier: stats
+ clusterIP: 172.18.242.12
+ ports:
+ - name: http
+ port: 9200
diff --git a/contrib/k8s-emc/_graveyard_/kibana-deploy.yml b/contrib/k8s-emc/_graveyard_/kibana-deploy.yml
new file mode 100644
index 0000000..eabb003
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/kibana-deploy.yml
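Review bot: The `prepare-es-data` init container runs as uid 0 against the `/srv/stats/elasticsearch` hostPath from an untagged `image: busybox`, so whatever `latest` resolves to at pull time runs as root on a host directory; pinning it (`image: busybox:<tag>@sha256:<digest>`) removes that moving part. The elasticsearch-oss image ships without an authentication layer as far as I know, and the accompanying `stats-es` Service exposes port 9200 inside the cluster, so a NetworkPolicy limiting ingress to the kibana pods would be worth adding alongside.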
@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: emc
+ name: stats-kibana
+ labels:
+ app: kibana
+ tier: stats
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: kibana
+ tier: stats
+ strategy:
+ type: Recreate
+ revisionHistoryLimit: 5
+ template:
+ metadata:
+ labels:
+ app: kibana
+ tier: stats
+ spec:
+ nodeName: emc-stats
+ securityContext:
+ runAsUser: 998
+ fsGroup: 998
+ containers:
+ - name: kibana
+ image: docker.elastic.co/kibana/kibana-oss:6.2.1
+ imagePullPolicy: Always
+ resources:
+ limits:
+ memory: 3072Mi
+ requests:
+ memory: 2048Mi
+ env:
+ - name: ELASTICSEARCH_URL
+ value: http://stats-es:9200/
+ - name: SERVER_BASEPATH
+ value: "/kibana"
+ volumeMounts:
+ - name: optimize
+ mountPath: /usr/share/kibana/optimize
+ volumes:
+ - name: optimize
+ emptyDir:
+ medium: Memory
diff --git a/contrib/k8s-emc/_graveyard_/kibana-ingress.yml b/contrib/k8s-emc/_graveyard_/kibana-ingress.yml
new file mode 100644
index 0000000..572a012
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/kibana-ingress.yml
@@ -0,0 +1,26 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: emc
+ name: stats-kibana
+ labels:
+ app: kibana
+ tier: stats
+ annotations:
+ nginx.ingress.kubernetes.io/rewrite-target: /
+ nginx.ingress.kubernetes.io/auth-type: basic
+ nginx.ingress.kubernetes.io/auth-secret: stats-auth
+ nginx.ingress.kubernetes.io/auth-realm: "Authentication Required - Elevate Mediachannel Stats"
+spec:
+ tls:
+ - secretName: stream-stats-tls
+ hosts:
+ - elevate-stats.spreadspace.org
+ rules:
+ - host: elevate-stats.spreadspace.org
+ http:
+ paths:
+ - path: /kibana
+ backend:
+ serviceName: stats-kibana
+ servicePort: 5601
diff --git a/contrib/k8s-emc/_graveyard_/kibana-svc.yml b/contrib/k8s-emc/_graveyard_/kibana-svc.yml
new file mode 100644
index 0000000..1dd9250
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/kibana-svc.yml
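Review bot: The kibana Ingress depends on two Secrets that are not created anywhere in the visible part of this change, `stats-auth` for basic auth and `stream-stats-tls` for the certificate, and the manifest does not say where they come from. Since basic auth is the only access control in front of Kibana here, I would add a comment above `annotations:` such as `# requires Secret emc/stats-auth (htpasswd content under key "auth") and TLS Secret emc/stream-stats-tls`. Separately, kibana-deploy.yml pulls kibana-oss 6.2.1 while the StatefulSet pulls elasticsearch-oss 6.2.2; keeping both on the same version avoids the mismatch.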
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: emc
+ name: stats-kibana
+ labels:
+ app: kibana
+ tier: stats
+spec:
+ selector:
+ app: kibana
+ tier: stats
+ clusterIP: 172.18.242.13
+ ports:
+ - name: http
+ port: 5601
diff --git a/contrib/k8s-emc/_graveyard_/onion-hack/stream-site-cm.yml b/contrib/k8s-emc/_graveyard_/onion-hack/stream-site-cm.yml
new file mode 100644
index 0000000..556bfe3
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/onion-hack/stream-site-cm.yml
@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: emc
+ name: stream-site-public-onion
+ labels:
+ app: nginx
+ type: stream-site
+ stream: public-onion
+data:
+ torrc: |
+ ## Set DataDirectory
+ DataDirectory /var/lib/tor
+
+ ## Do not act as a SOCKS proxy
+ SOCKSPort 0
+
+ ## Publish a hidden service
+ HiddenServiceDir /srv/onion_service/
+ HiddenServicePort 80 127.0.0.1:8080
+
+ HiddenServiceNonAnonymousMode 1
+ HiddenServiceSingleHopMode 1
+ nginx.conf: |
+ worker_processes 4;
+ pid /srv/nginx.pid;
+ error_log /dev/stderr notice;
+
+ events {
+ worker_connections 768;
+ # multi_accept on;
+ }
+
+ http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ server_names_hash_bucket_size 64;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /dev/null;
+
+ server {
+ listen 127.0.0.1:8080 default_server;
+
+ server_name _;
+
+ root /srv/www;
+
+ location /js/config.js {
+ alias /srv/config/config.js;
+ }
+ }
+ }
+ config.js: |
+ var config = {"resolutions": {"1080p25": {"width": 1920, "height": 1080, "rate": "25/1"}, "720p25": {"width": 1280, "height": 720, "rate": "25/1"}, "480p25": {"width": 854, "height": 480, "rate": "25/1"}, "360p25": {"width": 640, "height": 360, "rate": "25/1"}, "240p25": {"width": 426, "height": 240, "rate": "25/1"}}, "profiles": {"full": {"video": "1080p25", "audio": 160}, "high": {"video": "720p25", "audio": 160}, "medium": {"video": "480p25", "audio": 128}, "low": {"video": "360p25", "audio": 96}, "mini": {"video": "240p25", "audio": 64}, "rec": {"video": "1080p25", "audio": 0}}, "muxes": {"av-orig": {"video": "sdi-orig:video", "audio": "sdi-orig:audio", "formats": {"flash": ["high", "medium", "low", "mini"], "webm": ["high", "medium", "low", "mini"]}}, "audio-orig": {"audio": "sdi-orig:audio", "formats": {"ogg": ["high", "medium", "low", "mini"], "mp3": ["high", "medium", "low", "mini"]}}}, "streamBaseUrl": 
"http://elevatexfonbiisp.onion:8000"};
diff --git a/contrib/k8s-emc/_graveyard_/onion-hack/stream-site-deploy.yml b/contrib/k8s-emc/_graveyard_/onion-hack/stream-site-deploy.yml
new file mode 100644
index 0000000..8ae9b14
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/onion-hack/stream-site-deploy.yml
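Review bot: `HiddenServiceNonAnonymousMode 1` together with `HiddenServiceSingleHopMode 1` in the torrc of stream-site-cm.yml gives up the anonymity of the server side, and nothing in the file says this is intentional. A comment above the two options, for example `## Single-hop mode: the location of this server is NOT hidden, only clients stay anonymous`, would keep someone from reusing the ConfigMap for a service that needs location hiding. Separately, `streamBaseUrl` in config.js points at port 8000 of the onion address while this torrc only publishes `HiddenServicePort 80`, so the stream endpoint is presumably published by a different configuration; worth confirming.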
@@ -0,0 +1,93 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: emc
+ name: stream-site-public-onion
+ labels:
+ app: nginx
+ type: stream-site
+ stream: public-onion
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ type: stream-site
+ stream: public-onion
+ strategy:
+ type: Recreate
+ revisionHistoryLimit: 5
+ template:
+ metadata:
+ labels:
+ app: nginx
+ type: stream-site
+ stream: public-onion
+ spec:
+ nodeName: emc-00
+ securityContext:
+ runAsUser: 998
+ fsGroup: 998
+ initContainers:
+ - name: prepare-onion
+ image: busybox
+ command: ['sh', '-c', 'mkdir /srv/onion_service && cp /secrets/onion_service/* /srv/onion_service && chown -R 998:998 /var/lib/tor /srv/onion_service && chmod 0750 /var/lib/tor && chmod 0700 /srv/onion_service']
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: home
+ mountPath: /srv
+ - name: onion-lib
+ mountPath: /var/lib/tor
+ - name: onion-service
+ mountPath: /secrets/onion_service/
+ containers:
+ - name: nginx
+ image: spreadspace/nginx-streaming:4
+ imagePullPolicy: Always
+ args:
+ - nginx
+ - -c
+ - /srv/config/nginx.conf
+ - -g
+ - "daemon off;"
+ volumeMounts:
+ - name: home
+ mountPath: /srv
+ - name: nginx-lib
+ mountPath: /var/lib/nginx
+ - name: config
+ mountPath: /srv/config
+ - name: www
+ mountPath: /srv/www
+ - name: onion-service
+ image: spreadspace/onion-service:master-23
+ imagePullPolicy: Always
+ args: [ '/usr/bin/tor', '-f', '/srv/config/torrc', '--RunAsDaemon', '0' ]
+ volumeMounts:
+ - name: home
+ mountPath: /srv
+ - name: onion-lib
+ mountPath: /var/lib/tor
+ - name: config
+ mountPath: /srv/config
+ volumes:
+ - name: home
+ emptyDir:
+ medium: Memory
+ - name: onion-lib
+ emptyDir:
+ medium: Memory
+ - name: nginx-lib
+ emptyDir:
+ medium: Memory
+ - name: config
+ configMap:
+ name: stream-site-public-onion
+ - name: www
+ hostPath:
+ type: Directory
+ path: /srv/www/emc18
+ - name: onion-service
+ secret:
+ secretName: stream-site-public-onion
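Review bot: The init container copies the onion service key material into `/srv/onion_service` on the `home` emptyDir, and that same volume is mounted at `/srv` in the `nginx` container, which runs under the same pod-level uid 998, so the web server process can read the hidden-service private key. A dedicated memory-backed volume mounted only in `prepare-onion` and `onion-service` keeps the key out of the nginx container; it also makes the `mkdir` unnecessary, which as written fails if the init container is ever re-run against the existing emptyDir. The untagged `image: busybox` running as uid 0 is worth pinning as well.

```yaml
      initContainers:
      - name: prepare-onion
        # … unchanged: image, securityContext …
        command: ['sh', '-c', 'cp /secrets/onion_service/* /srv/onion_service && chown -R 998:998 /var/lib/tor /srv/onion_service && chmod 0750 /var/lib/tor && chmod 0700 /srv/onion_service']
        volumeMounts:
        - name: onion-keys            # replaces the shared "home" mount
          mountPath: /srv/onion_service
        # … unchanged: onion-lib and onion-service (secret) mounts …
      containers:
      # … unchanged: nginx container, which gets no onion-keys mount …
      - name: onion-service
        # … unchanged: image, args, home / onion-lib / config mounts …
        - name: onion-keys
          mountPath: /srv/onion_service
      volumes:
      # … unchanged: existing volumes …
      - name: onion-keys
        emptyDir:
          medium: Memory
```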
diff --git a/contrib/k8s-emc/_graveyard_/onion-hack/stream-site-secret.yml b/contrib/k8s-emc/_graveyard_/onion-hack/stream-site-secret.yml
new file mode 100644
index 0000000..00ca264
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/onion-hack/stream-site-secret.yml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: emc
+ name: stream-site-public-onion
+ labels:
+ app: nginx
+ type: stream-site
+ stream: public-onion
+type: Opaque
+data:
+ hostname: ""
+ private_key: ""
+ onion_service_non_anonymous: "" |
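Review bot: stream-site-secret.yml is a template with empty `data` values, and nothing in it says so; applied as is, it would hand empty `hostname` and `private_key` files to the init container of the onion deployment. A header comment such as `# template only: fill in base64-encoded values locally and never commit the populated file` would make the intended workflow explicit and reduce the chance of the real onion key landing in the repository.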