From 8aa7fec1067f9ad9f955920d6bae00a80a42b0e3 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Fri, 8 Jul 2022 01:47:30 +0200 Subject: k8s-emc: fix stream-site --- contrib/k8s-emc/ingress.yml | 294 +------------------------------- contrib/k8s-emc/stream-site-cm.yml | 4 +- contrib/k8s-emc/stream-site-deploy.yml | 9 +- contrib/k8s-emc/stream-site-ingress.yml | 17 +- 4 files changed, 20 insertions(+), 304 deletions(-) diff --git a/contrib/k8s-emc/ingress.yml b/contrib/k8s-emc/ingress.yml index f53f5c1..d6fd08f 100644 --- a/contrib/k8s-emc/ingress.yml +++ b/contrib/k8s-emc/ingress.yml @@ -19,18 +19,6 @@ metadata: name: ingress-nginx namespace: ingress-nginx --- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission - namespace: ingress-nginx ---- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: @@ -114,26 +102,6 @@ rules: - patch --- apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission - namespace: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: 
@@ -200,25 +168,6 @@ rules: - watch --- apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: labels: @@ -239,26 +188,6 @@ subjects: namespace: ingress-nginx --- apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-admission -subjects: -- kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: labels: @@ -276,25 +205,6 @@ subjects: name: ingress-nginx namespace: ingress-nginx --- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx-admission -subjects: -- kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- apiVersion: v1 data: allow-snippet-annotations: "true" 
@@ -309,60 +219,8 @@ metadata: name: ingress-nginx-controller namespace: ingress-nginx --- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - ports: - - appProtocol: http - name: http - port: 80 - protocol: TCP - targetPort: http - - appProtocol: https - name: https - port: 443 - protocol: TCP - targetPort: https - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - type: NodePort ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-controller-admission - namespace: ingress-nginx -spec: - ports: - - appProtocol: https - name: https-webhook - port: 443 - targetPort: webhook - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - type: ClusterIP ---- apiVersion: apps/v1 -kind: Deployment +kind: DaemonSet metadata: labels: app.kubernetes.io/component: controller @@ -373,8 +231,6 @@ metadata: name: ingress-nginx-controller namespace: ingress-nginx spec: - minReadySeconds: 0 - revisionHistoryLimit: 10 selector: matchLabels: app.kubernetes.io/component: controller @@ -394,9 +250,6 @@ spec: - --controller-class=k8s.io/ingress-nginx - --ingress-class=nginx - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key env: - name: POD_NAME valueFrom: 
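Review bot: `allow-snippet-annotations: "true"` stays set in the controller ConfigMap (visible as context just before this hunk) while this commit removes every part of the validating admission webhook: the `ingress-nginx-controller-admission` Service here, and the `--validating-webhook*` flags, the 8443 port, the cert volume, both certgen Jobs and the ValidatingWebhookConfiguration in the later ingress.yml hunks. With snippets enabled and no admission check, whoever may create or update an Ingress can get nginx directives of their choosing rendered into the shared controller configuration without any validation step. If no Ingress in this cluster relies on snippet annotations, change that line to `allow-snippet-annotations: "false"`. Otherwise add a comment in the ConfigMap recording why the webhook was dropped and which namespaces are trusted to write Ingress objects.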
@@ -433,9 +286,6 @@ spec: - containerPort: 443 name: https protocol: TCP - - containerPort: 8443 - name: webhook - protocol: TCP readinessProbe: failureThreshold: 3 httpGet: 
@@ -458,115 +308,12 @@ spec: drop: - ALL runAsUser: 101 - volumeMounts: - - mountPath: /usr/local/certificates/ - name: webhook-cert - readOnly: true - dnsPolicy: ClusterFirst + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet nodeSelector: - kubernetes.io/os: linux + streaming.spreadspace.org/zone: dist-lb serviceAccountName: ingress-nginx terminationGracePeriodSeconds: 300 - volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission ---- -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission-create - namespace: ingress-nginx -spec: - template: - metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission-create - spec: - containers: - - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - name: create - securityContext: - allowPrivilegeEscalation: false - nodeSelector: - kubernetes.io/os: linux - restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - serviceAccountName: ingress-nginx-admission ---- -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - 
app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission-patch - namespace: ingress-nginx -spec: - template: - metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission-patch - spec: - containers: - - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660 - imagePullPolicy: IfNotPresent - name: patch - securityContext: - allowPrivilegeEscalation: false - nodeSelector: - kubernetes.io/os: linux - restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - serviceAccountName: ingress-nginx-admission --- apiVersion: networking.k8s.io/v1 kind: IngressClass 
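Review bot: `hostNetwork: true` puts the controller in the node's network namespace, so every port the controller process listens on, not only the declared 80 and 443, becomes reachable on the node's interfaces, and NetworkPolicy typically does not apply to host-network pods. I would document this next to the setting, e.g. `# hostNetwork: binds 80/443 directly on dist-lb nodes; all other controller ports must be filtered by the host firewall`, and confirm that filtering exists. The container keeps `drop: ALL` and `runAsUser: 101` as context, so binding the privileged ports depends on a `NET_BIND_SERVICE` add that is outside this hunk and worth checking. The new `nodeSelector` replaces `kubernetes.io/os: linux` rather than adding to it, which is fine only if every node labelled `streaming.spreadspace.org/zone: dist-lb` runs Linux.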
@@ -580,36 +327,3 @@ metadata: name: nginx spec: controller: k8s.io/ingress-nginx ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-admission -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: ingress-nginx-controller-admission - namespace: ingress-nginx - path: /networking/v1/ingresses - failurePolicy: Fail - matchPolicy: Equivalent - name: validate.nginx.ingress.kubernetes.io - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - sideEffects: None diff --git a/contrib/k8s-emc/stream-site-cm.yml b/contrib/k8s-emc/stream-site-cm.yml index 2cecc8d..53816f3 100644 --- a/contrib/k8s-emc/stream-site-cm.yml +++ b/contrib/k8s-emc/stream-site-cm.yml @@ -10,8 +10,8 @@ metadata: stream: public data: nginx.conf: | - worker_processes 4; - pid /srv/nginx.pid; + worker_processes 2; + pid /var/lib/nginx/nginx.pid; error_log /dev/stderr notice; events { diff --git a/contrib/k8s-emc/stream-site-deploy.yml b/contrib/k8s-emc/stream-site-deploy.yml index 3e7953c..dcc1bcb 100644 --- a/contrib/k8s-emc/stream-site-deploy.yml +++ b/contrib/k8s-emc/stream-site-deploy.yml @@ -33,7 +33,7 @@ spec: fsGroup: 990 containers: - name: nginx - image: registry.gitlab.com/spreadspace/docker/nginx:2021-02-24.20 + image: registry.gitlab.com/spreadspace/docker/nginx:2022-06-12.26 imagePullPolicy: Always args: - nginx @@ -42,8 +42,6 @@ spec: - -g - "daemon off;" volumeMounts: - - name: home - mountPath: /srv - name: nginx-lib mountPath: /var/lib/nginx - name: nginx-config 
@@ -51,9 +49,6 @@ spec: - name: www mountPath: /srv/www volumes: - - name: home - emptyDir: - medium: Memory - name: nginx-lib emptyDir: medium: Memory @@ -63,4 +58,4 @@ spec: - name: www hostPath: type: Directory - path: /srv/www/stream-site + path: /srv/www/stream-site-emc diff --git a/contrib/k8s-emc/stream-site-ingress.yml b/contrib/k8s-emc/stream-site-ingress.yml index a9f08e9..b6c8efa 100644 --- a/contrib/k8s-emc/stream-site-ingress.yml +++ b/contrib/k8s-emc/stream-site-ingress.yml @@ -1,4 +1,4 @@ -apiVersion: extensions/v1beta1 +apiVersion: networking.k8s.io/v1 kind: Ingress metadata: namespace: emc @@ -9,6 +9,7 @@ metadata: tier: live stream: public spec: + ingressClassName: nginx tls: - hosts: - stream.elev8.at @@ -21,13 +22,19 @@ spec: http: paths: - path: / + pathType: Prefix backend: - serviceName: stream-site-public - servicePort: 8080 + service: + name: stream-site-public + port: + number: 8080 - host: stream.elevate.at http: paths: - path: / + pathType: Prefix backend: - serviceName: stream-site-public - servicePort: 8080 + service: + name: stream-site-public + port: + number: 8080 -- cgit v1.2.3
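Review bot: The `www` hostPath volume that the stream-site-deploy.yml hunk repoints to `/srv/www/stream-site-emc` is mounted without `readOnly: true`; the mount appears as context in the preceding hunk as only `name: www` / `mountPath: /srv/www`, directly followed by `volumes:`. A writable hostPath lets a compromised nginx container alter the served files on the node's filesystem, which outlives the pod. If nginx only reads from that directory, add `readOnly: true` under the `www` entry in `volumeMounts`. The rest of the container spec lies outside these hunks.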