From ab772e828868d6a7a2df23f87c0819d7652465f1 Mon Sep 17 00:00:00 2001 
From: Christian Pointner Date: Sun, 31 Jul 2022 19:03:31 +0200 Subject: k8s-emc: matomo is no part of new cdn repo --- contrib/k8s-emc/_graveyard_/import-acme-certs.sh | 9 + contrib/k8s-emc/_graveyard_/ingress.yml | 329 ++++++++++++++++++++++ contrib/k8s-emc/_graveyard_/matomo-cm.yml | 132 +++++++++ contrib/k8s-emc/_graveyard_/matomo-deploy.yml | 75 +++++ contrib/k8s-emc/_graveyard_/matomo-ingress.yml | 28 ++ contrib/k8s-emc/_graveyard_/matomo-svc.yml | 16 ++ contrib/k8s-emc/_graveyard_/mysql-secret.yml | 11 + contrib/k8s-emc/_graveyard_/mysql-statefulset.yml | 71 +++++ contrib/k8s-emc/_graveyard_/mysql-svc.yml | 16 ++ contrib/k8s-emc/_graveyard_/ns.yml | 5 + contrib/k8s-emc/import-acme-certs.sh | 9 - contrib/k8s-emc/ingress.yml | 329 ---------------------- contrib/k8s-emc/matomo-cm.yml | 132 --------- contrib/k8s-emc/matomo-deploy.yml | 75 ----- contrib/k8s-emc/matomo-ingress.yml | 28 -- contrib/k8s-emc/matomo-svc.yml | 16 -- contrib/k8s-emc/mysql-secret.yml | 11 - contrib/k8s-emc/mysql-statefulset.yml | 71 ----- contrib/k8s-emc/mysql-svc.yml | 16 -- contrib/k8s-emc/ns.yml | 5 - 20 files changed, 692 insertions(+), 692 deletions(-) create mode 100755 contrib/k8s-emc/_graveyard_/import-acme-certs.sh create mode 100644 contrib/k8s-emc/_graveyard_/ingress.yml create mode 100644 contrib/k8s-emc/_graveyard_/matomo-cm.yml create mode 100644 contrib/k8s-emc/_graveyard_/matomo-deploy.yml create mode 100644 contrib/k8s-emc/_graveyard_/matomo-ingress.yml create mode 100644 contrib/k8s-emc/_graveyard_/matomo-svc.yml create mode 100644 contrib/k8s-emc/_graveyard_/mysql-secret.yml create mode 100644 contrib/k8s-emc/_graveyard_/mysql-statefulset.yml create mode 100644 contrib/k8s-emc/_graveyard_/mysql-svc.yml create mode 100644 contrib/k8s-emc/_graveyard_/ns.yml delete mode 100755 contrib/k8s-emc/import-acme-certs.sh delete mode 100644 contrib/k8s-emc/ingress.yml delete mode 100644 contrib/k8s-emc/matomo-cm.yml delete mode 100644 contrib/k8s-emc/matomo-deploy.yml delete mode 
100644 contrib/k8s-emc/matomo-ingress.yml delete mode 100644 contrib/k8s-emc/matomo-svc.yml delete mode 100644 contrib/k8s-emc/mysql-secret.yml delete mode 100644 contrib/k8s-emc/mysql-statefulset.yml delete mode 100644 contrib/k8s-emc/mysql-svc.yml delete mode 100644 contrib/k8s-emc/ns.yml
diff --git a/contrib/k8s-emc/_graveyard_/import-acme-certs.sh b/contrib/k8s-emc/_graveyard_/import-acme-certs.sh
new file mode 100755
index 0000000..b85fa42
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/import-acme-certs.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+declare -A domains
+domains[emc-stats]="emc-stats.elev8.at"
+domains[stream-elev8]="stream.elev8.at"
+domains[stream-elevate]="stream.elevate.at"
+for name in "${!domains[@]}"; do
+ ssh emc-00 kubectl -n emc create secret tls "$name\-tls" "--cert=/var/lib/acme/live/${domains[$name]}/fullchain" "--key=/var/lib/acme/live/${domains[$name]}/privkey" --dry-run=client -o json | kubectl apply -f -
+done
diff --git a/contrib/k8s-emc/_graveyard_/ingress.yml b/contrib/k8s-emc/_graveyard_/ingress.yml
new file mode 100644
index 0000000..d6fd08f
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/ingress.yml
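Review bot: The secret name is built as `"$name\-tls"`, which inside bash double quotes keeps the backslash literally (`emc-stats\-tls`) and only becomes a valid name because `ssh` hands the whole string to a remote shell that re-parses it; that second parse also applies to the `--cert`/`--key` arguments, so the local quoting protects nothing on the remote side. Write it as `"${name}-tls"` so the argument is already correct before it leaves the local shell. The script also runs without `set -euo pipefail`, so a failed `ssh` or remote `kubectl` leaves `kubectl apply -f -` reading empty input while the loop carries on. Piping a dry-run TLS Secret through client-side `kubectl apply` additionally stores the full object, private key included, in the `kubectl.kubernetes.io/last-applied-configuration` annotation; `kubectl apply --server-side -f -` avoids that second copy. The file is byte-identical to the deleted `contrib/k8s-emc/import-acme-certs.sh`, so this only matters if the archived script is reused.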
@@ -0,0 +1,329 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx +--- +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.1 + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.1 + name: ingress-nginx + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - ingress-controller-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.1 + name: ingress-nginx +rules: +- apiGroups: + - 
"" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.1 + name: ingress-nginx + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.1 + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: v1 +data: + allow-snippet-annotations: "true" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.1 + name: ingress-nginx-controller + namespace: ingress-nginx +--- +apiVersion: apps/v1 +kind: DaemonSet 
+metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.1 + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + selector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + template: + metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + spec: + containers: + - args: + - /nginx-ingress-controller + - --election-id=ingress-controller-leader + - --controller-class=k8s.io/ingress-nginx + - --ingress-class=nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: registry.k8s.io/ingress-nginx/controller:v1.2.1@sha256:5516d103a9c2ecc4f026efbd4b40662ce22dc1f824fb129ed121460aaa5c47f8 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsUser: 101 + hostNetwork: true + dnsPolicy: 
ClusterFirstWithHostNet + nodeSelector: + streaming.spreadspace.org/zone: dist-lb + serviceAccountName: ingress-nginx + terminationGracePeriodSeconds: 300 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.1 + name: nginx +spec: + controller: k8s.io/ingress-nginx diff --git a/contrib/k8s-emc/_graveyard_/matomo-cm.yml b/contrib/k8s-emc/_graveyard_/matomo-cm.yml new file mode 100644 index 0000000..60af25b --- /dev/null +++ b/contrib/k8s-emc/_graveyard_/matomo-cm.yml 
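Review bot: `allow-snippet-annotations: "true"` in the `ingress-nginx-controller` ConfigMap lets anyone who can create an Ingress inject raw nginx directives into the controller, and that controller runs with `hostNetwork: true` and `allowPrivilegeEscalation: true` on what looks like the load-balancer nodes (`streaming.spreadspace.org/zone: dist-lb`), so injected configuration executes in the node's network namespace. None of the Ingress objects on this page use a `*-snippet` annotation (`matomo-ingress.yml` only carries a commented-out `rewrite-target`), so `allow-snippet-annotations: "false"` would cost nothing here. `allowPrivilegeEscalation: true` is presumably needed for the controller binary's file capabilities (the pod drops `ALL` and adds only `NET_BIND_SERVICE`), which deserves a one-line comment next to it rather than reading as an oversight. The manifest appears to be the upstream 1.2.1 DaemonSet variant unchanged apart from the `nodeSelector`, judging from the version labels and the pinned image digest.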
@@ -0,0 +1,132 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: emc + name: stats-matomo + labels: + app: matomo + tier: stats +data: + nginx.conf: | + worker_processes 4; + pid /srv/nginx.pid; + error_log /dev/stderr notice; + + events { + worker_connections 768; + # multi_accept on; + } + + http { + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + + server_names_hash_bucket_size 64; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + access_log /dev/null; + + server { + listen 8080 default_server; + listen [::]:8080 default_server; + + server_name _; + + add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + + root /var/www/html; + + index index.php; + + ## only allow accessing the following php files + location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php { + try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here. 
+ + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param QUERY_STRING $query_string; + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param CONTENT_TYPE $content_type; + fastcgi_param CONTENT_LENGTH $content_length; + + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + fastcgi_param REQUEST_URI $request_uri; + fastcgi_param DOCUMENT_URI $document_uri; + fastcgi_param DOCUMENT_ROOT $document_root; + fastcgi_param SERVER_PROTOCOL $server_protocol; + fastcgi_param REQUEST_SCHEME $scheme; + fastcgi_param HTTPS $https if_not_empty; + + fastcgi_param GATEWAY_INTERFACE CGI/1.1; + fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + + fastcgi_param REMOTE_ADDR $remote_addr; + fastcgi_param REMOTE_PORT $remote_port; + fastcgi_param SERVER_ADDR $server_addr; + fastcgi_param SERVER_PORT $server_port; + fastcgi_param SERVER_NAME $server_name; + + # PHP only, required if PHP was built with --enable-force-cgi-redirect + fastcgi_param REDIRECT_STATUS 200; + + fastcgi_param HTTP_PROXY ""; + #fastcgi_param HTTP_X_FORWARDED_URI /matomo; + fastcgi_intercept_errors on; + fastcgi_pass 127.0.0.1:9000; + } + + ## deny access to all other .php files + location ~* ^.+\.php$ { + deny all; + return 403; + } + + location / { + try_files $uri $uri/ =404; + } + + ## disable all access to the following directories + location ~ /(config|tmp|core|lang) { + deny all; + return 403; # replace with 404 to not show these directories exist + } + + location ~ /\.ht { + deny all; + return 403; + } + + location ~ js/container_.*_preview\.js$ { + expires off; + add_header Cache-Control 'private, no-cache, no-store'; + } + + location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ { + allow all; + ## Cache images,CSS,JS and webfonts for an hour + ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade + expires 1h; + add_header Pragma public; + add_header Cache-Control "public"; 
+ }
+
+ location ~ /(libs|vendor|plugins|misc/user) {
+ deny all;
+ return 403;
+ }
+
+ ## properly display textfiles in root directory
+ location ~/(.*\.md|LEGALNOTICE|LICENSE) {
+ default_type text/plain;
+ }
+
+ location ~ \.php$ {
+ }
+ }
+ }
diff --git a/contrib/k8s-emc/_graveyard_/matomo-deploy.yml b/contrib/k8s-emc/_graveyard_/matomo-deploy.yml
new file mode 100644
index 0000000..37fff0c
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/matomo-deploy.yml
@@ -0,0 +1,75 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: emc
+ name: stats-matomo
+ labels:
+ app: matomo
+ tier: stats
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: matomo
+ tier: stats
+ strategy:
+ type: Recreate
+ revisionHistoryLimit: 5
+ template:
+ metadata:
+ labels:
+ app: matomo
+ tier: stats
+ spec:
+ nodeName: emc-ctrl
+ securityContext:
+ runAsUser: 998
+ fsGroup: 998
+ initContainers:
+ - name: prepare-matomo-html
+ image: busybox
+ command: ['sh', '-c', 'chown 998:998 /srv/html && chmod 700 /srv/html']
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: matomo-html
+ mountPath: /srv/html
+ containers:
+ - name: matomo
+ image: spreadspace/matomo:4
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: matomo-html
+ mountPath: /var/www/html
+ - name: nginx
+ image: spreadspace/nginx:4
+ imagePullPolicy: Always
+ args:
+ - nginx
+ - -c
+ - /srv/config/nginx.conf
+ - -g
+ - "daemon off;"
+ volumeMounts:
+ - name: home
+ mountPath: /srv
+ - name: nginx-lib
+ mountPath: /var/lib/nginx
+ - name: nginx-config
+ mountPath: /srv/config
+ - name: matomo-html
+ mountPath: /var/www/html
+ volumes:
+ - name: home
+ emptyDir:
+ medium: Memory
+ - name: nginx-lib
+ emptyDir:
+ medium: Memory
+ - name: nginx-config
+ configMap:
+ name: stats-matomo
+ - name: matomo-html
+ hostPath:
+ type: DirectoryOrCreate
+ path: /srv/stats/matomo
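Review bot: The embedded `nginx.conf` sends `X-XSS-Protection "1; mode=block"`, a header that current guidance sets to `0` or omits because the browser filter it enables has been removed from current engines and, where still present, could be turned against legitimate page content; a `Content-Security-Policy` is the modern replacement, though Matomo's own policy needs are outside this page. `access_log /dev/null;` also discards every request record for the stats vhost, leaving no local trail for incident review; if the ingress controller's logs are the intended source, a comment saying so on that line makes the choice deliberate. The trailing `location ~ \.php$ { }` block is empty and unreachable, since the earlier `location ~* ^.+\.php$` deny rule matches first for every `.php` URI; it can be dropped. The ConfigMap is otherwise a verbatim move of the deleted `contrib/k8s-emc/matomo-cm.yml`.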
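Review bot: The `prepare-matomo-html` init container runs as `runAsUser: 0` from the unpinned `busybox` tag with no `imagePullPolicy`, and both application containers use mutable tags (`spreadspace/matomo:4`, `spreadspace/nginx:4`) with `imagePullPolicy: Always`, so each pod start pulls whatever those tags currently resolve to and the root-running step has no pinned provenance at all. Pin the images by digest (`image: busybox@sha256:<DIGEST-PLACEHOLDER>`) or at least to a specific version tag, and give the init container an explicit `imagePullPolicy`. The pod also mounts the host path `/srv/stats/matomo` and is pinned to `nodeName: emc-ctrl`, which is reasonable for a single-node stats box but deserves a comment stating that the data intentionally lives on the control node.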
diff --git a/contrib/k8s-emc/_graveyard_/matomo-ingress.yml b/contrib/k8s-emc/_graveyard_/matomo-ingress.yml
new file mode 100644
index 0000000..0ad283c
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/matomo-ingress.yml
@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ namespace: emc
+ name: stats-matomo
+ labels:
+ app: matomo
+ tier: stats
+# annotations:
+# nginx.ingress.kubernetes.io/rewrite-target: /
+spec:
+ ingressClassName: nginx
+ tls:
+ - secretName: emc-stats-tls
+ hosts:
+ - emc-stats.elev8.at
+ rules:
+ - host: emc-stats.elev8.at
+ http:
+ paths:
+# - path: /matomo
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: stats-matomo
+ port:
+ number: 8080
diff --git a/contrib/k8s-emc/_graveyard_/matomo-svc.yml b/contrib/k8s-emc/_graveyard_/matomo-svc.yml
new file mode 100644
index 0000000..4bac3c7
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/matomo-svc.yml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: emc
+ name: stats-matomo
+ labels:
+ app: matomo
+ tier: stats
+spec:
+ selector:
+ app: matomo
+ tier: stats
+ clusterIP: 172.18.242.14
+ ports:
+ - name: http
+ port: 8080
diff --git a/contrib/k8s-emc/_graveyard_/mysql-secret.yml b/contrib/k8s-emc/_graveyard_/mysql-secret.yml
new file mode 100644
index 0000000..91f73be
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/mysql-secret.yml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ namespace: emc
+ name: stats-mysql-root
+ labels:
+ app: mysql
+ tier: stats
+type: Opaque
+data:
+ password: Y2hhbmdlLW1lCg== # change-me
diff --git a/contrib/k8s-emc/_graveyard_/mysql-statefulset.yml b/contrib/k8s-emc/_graveyard_/mysql-statefulset.yml
new file mode 100644
index 0000000..e02979e
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/mysql-statefulset.yml
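Review bot: `mysql-secret.yml` commits a Secret whose `data.password` decodes to `change-me` (as the inline comment says), and the value `Y2hhbmdlLW1lCg==` ends in `Cg==`, i.e. it carries a trailing newline, so the effective root password is `change-me` followed by `\n`; anything comparing against the literal string will fail in a confusing way. Keep credentials out of the manifest entirely — a placeholder plus `kubectl create secret generic stats-mysql-root --from-literal=password=<VALUE>` in the README — or, if a committed file is unavoidable, use `stringData:` so the value is readable and cannot pick up a stray newline. The file is a verbatim move of the deleted `contrib/k8s-emc/mysql-secret.yml`, so the exposure predates this commit and the value should be treated as public history.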
@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+ namespace: emc
+ name: stats-mysql
+ labels:
+ app: mysql
+ tier: stats
+spec:
+ serviceName: stats-mysql
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mysql
+ tier: stats
+ updateStrategy:
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: mysql
+ tier: stats
+ spec:
+ nodeName: emc-ctrl
+ securityContext:
+ runAsUser: 27
+ fsGroup: 27
+ initContainers:
+ - name: prepare-mysql-volumes
+ image: busybox
+ command: ['sh', '-c', 'chown 27:27 /srv/lib && chmod 700 /srv/lib && mkdir -p /srv/tmp/log /srv/tmp/run /srv/tmp/files && ln -sf /dev/stderr /srv/tmp/log/mysqld.log && chown 27:27 /srv/tmp/log/mysqld.log /srv/tmp/run /srv/tmp/files']
+ securityContext:
+ runAsUser: 0
+ volumeMounts:
+ - name: mysql-lib
+ mountPath: /srv/lib
+ - name: mysql-tmp
+ mountPath: /srv/tmp
+ containers:
+ - name: mysql
+ image: quay.io/neith00/mysql-docker:s2streamstats
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: MYSQL_ROOT_PASSWORD
+ value: /var/run/mysql-secret/password
+ volumeMounts:
+ - name: mysql-lib
+ mountPath: /var/lib/mysql
+ - name: mysql-tmp
+ subPath: log
+ mountPath: /var/log
+ - name: mysql-tmp
+ subPath: run
+ mountPath: /var/run/mysqld
+ - name: mysql-tmp
+ subPath: files
+ mountPath: /var/lib/mysql-files/
+ - name: mysql-secret
+ mountPath: /var/run/mysql-secret/
+ volumes:
+ - name: mysql-lib
+ hostPath:
+ type: DirectoryOrCreate
+ path: /srv/stats/mysql
+ - name: mysql-tmp
+ emptyDir:
+ medium: Memory
+ - name: mysql-secret
+ secret:
+ secretName: stats-mysql-root
+ defaultMode: 0400
diff --git a/contrib/k8s-emc/_graveyard_/mysql-svc.yml b/contrib/k8s-emc/_graveyard_/mysql-svc.yml
new file mode 100644
index 0000000..70bcd4a
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/mysql-svc.yml
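Review bot: `MYSQL_ROOT_PASSWORD` is set to the literal string `/var/run/mysql-secret/password`, not to that file's contents; unless the `quay.io/neith00/mysql-docker:s2streamstats` image special-cases a path in that variable, the root password becomes the path string and the mounted Secret is presumably never read. The upstream MySQL images read a file via `MYSQL_ROOT_PASSWORD_FILE`; if this image follows that convention the fix is renaming the variable, otherwise use `valueFrom.secretKeyRef` against `stats-mysql-root`/`password` and drop the volume. The init container again runs as root from an unpinned `busybox` tag, the same point raised on `matomo-deploy.yml`. `defaultMode: 0400` is read as octal by the YAML 1.1 loader Kubernetes uses, but a strict YAML 1.2 parser would read it as decimal 400; writing `0o400` or decimal `256` removes the ambiguity.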
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: emc
+ name: stats-mysql
+ labels:
+ app: mysql
+ tier: stats
+spec:
+ selector:
+ app: mysql
+ tier: stats
+ clusterIP: 172.18.242.23
+ ports:
+ - name: mysql
+ port: 3306
diff --git a/contrib/k8s-emc/_graveyard_/ns.yml b/contrib/k8s-emc/_graveyard_/ns.yml
new file mode 100644
index 0000000..67afdcc
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/ns.yml
@@ -0,0 +1,5 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: emc
diff --git a/contrib/k8s-emc/import-acme-certs.sh b/contrib/k8s-emc/import-acme-certs.sh
deleted file mode 100755
index b85fa42..0000000
--- a/contrib/k8s-emc/import-acme-certs.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-declare -A domains
-domains[emc-stats]="emc-stats.elev8.at"
-domains[stream-elev8]="stream.elev8.at"
-domains[stream-elevate]="stream.elevate.at"
-for name in "${!domains[@]}"; do
- ssh emc-00 kubectl -n emc create secret tls "$name\-tls" "--cert=/var/lib/acme/live/${domains[$name]}/fullchain" "--key=/var/lib/acme/live/${domains[$name]}/privkey" --dry-run=client -o json | kubectl apply -f -
-done
diff --git a/contrib/k8s-emc/ingress.yml b/contrib/k8s-emc/ingress.yml
deleted file mode 100644
index d6fd08f..0000000
--- a/contrib/k8s-emc/ingress.yml
+++ /dev/null
@@ -1,329 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - name: ingress-nginx ---- -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx - namespace: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - ingress-controller-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx -rules: -- apiGroups: - - 
"" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - - namespaces - verbs: - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx -subjects: -- kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: -- kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: v1 -data: - allow-snippet-annotations: "true" -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-controller - namespace: ingress-nginx ---- -apiVersion: apps/v1 -kind: DaemonSet 
-metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - selector: - matchLabels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - template: - metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - spec: - containers: - - args: - - /nginx-ingress-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --ingress-class=nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.2.1@sha256:5516d103a9c2ecc4f026efbd4b40662ce22dc1f824fb129ed121460aaa5c47f8 - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - name: controller - ports: - - containerPort: 80 - name: http - protocol: TCP - - containerPort: 443 - name: https - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: 100m - memory: 90Mi - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - NET_BIND_SERVICE - drop: - - ALL - runAsUser: 101 - hostNetwork: true - dnsPolicy: 
ClusterFirstWithHostNet - nodeSelector: - streaming.spreadspace.org/zone: dist-lb - serviceAccountName: ingress-nginx - terminationGracePeriodSeconds: 300 ---- -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.2.1 - name: nginx -spec: - controller: k8s.io/ingress-nginx diff --git a/contrib/k8s-emc/matomo-cm.yml b/contrib/k8s-emc/matomo-cm.yml deleted file mode 100644 index 60af25b..0000000 --- a/contrib/k8s-emc/matomo-cm.yml +++ /dev/null 
@@ -1,132 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - namespace: emc - name: stats-matomo - labels: - app: matomo - tier: stats -data: - nginx.conf: | - worker_processes 4; - pid /srv/nginx.pid; - error_log /dev/stderr notice; - - events { - worker_connections 768; - # multi_accept on; - } - - http { - sendfile on; - tcp_nopush on; - tcp_nodelay on; - keepalive_timeout 65; - types_hash_max_size 2048; - - server_names_hash_bucket_size 64; - - include /etc/nginx/mime.types; - default_type application/octet-stream; - - access_log /dev/null; - - server { - listen 8080 default_server; - listen [::]:8080 default_server; - - server_name _; - - add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance - add_header X-Content-Type-Options "nosniff" always; - add_header X-XSS-Protection "1; mode=block" always; - - root /var/www/html; - - index index.php; - - ## only allow accessing the following php files - location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php { - try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here. 
- - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param QUERY_STRING $query_string; - fastcgi_param REQUEST_METHOD $request_method; - fastcgi_param CONTENT_TYPE $content_type; - fastcgi_param CONTENT_LENGTH $content_length; - - fastcgi_param SCRIPT_NAME $fastcgi_script_name; - fastcgi_param REQUEST_URI $request_uri; - fastcgi_param DOCUMENT_URI $document_uri; - fastcgi_param DOCUMENT_ROOT $document_root; - fastcgi_param SERVER_PROTOCOL $server_protocol; - fastcgi_param REQUEST_SCHEME $scheme; - fastcgi_param HTTPS $https if_not_empty; - - fastcgi_param GATEWAY_INTERFACE CGI/1.1; - fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; - - fastcgi_param REMOTE_ADDR $remote_addr; - fastcgi_param REMOTE_PORT $remote_port; - fastcgi_param SERVER_ADDR $server_addr; - fastcgi_param SERVER_PORT $server_port; - fastcgi_param SERVER_NAME $server_name; - - # PHP only, required if PHP was built with --enable-force-cgi-redirect - fastcgi_param REDIRECT_STATUS 200; - - fastcgi_param HTTP_PROXY ""; - #fastcgi_param HTTP_X_FORWARDED_URI /matomo; - fastcgi_intercept_errors on; - fastcgi_pass 127.0.0.1:9000; - } - - ## deny access to all other .php files - location ~* ^.+\.php$ { - deny all; - return 403; - } - - location / { - try_files $uri $uri/ =404; - } - - ## disable all access to the following directories - location ~ /(config|tmp|core|lang) { - deny all; - return 403; # replace with 404 to not show these directories exist - } - - location ~ /\.ht { - deny all; - return 403; - } - - location ~ js/container_.*_preview\.js$ { - expires off; - add_header Cache-Control 'private, no-cache, no-store'; - } - - location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ { - allow all; - ## Cache images,CSS,JS and webfonts for an hour - ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade - expires 1h; - add_header Pragma public; - add_header Cache-Control "public"; 
- } - - location ~ /(libs|vendor|plugins|misc/user) { - deny all; - return 403; - } - - ## properly display textfiles in root directory - location ~/(.*\.md|LEGALNOTICE|LICENSE) { - default_type text/plain; - } - - location ~ \.php$ { - } - } - } diff --git a/contrib/k8s-emc/matomo-deploy.yml b/contrib/k8s-emc/matomo-deploy.yml deleted file mode 100644 index 37fff0c..0000000 --- a/contrib/k8s-emc/matomo-deploy.yml +++ /dev/null @@ -1,75 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - namespace: emc - name: stats-matomo - labels: - app: matomo - tier: stats -spec: - replicas: 1 - selector: - matchLabels: - app: matomo - tier: stats - strategy: - type: Recreate - revisionHistoryLimit: 5 - template: - metadata: - labels: - app: matomo - tier: stats - spec: - nodeName: emc-ctrl - securityContext: - runAsUser: 998 - fsGroup: 998 - initContainers: - - name: prepare-matomo-html - image: busybox - command: ['sh', '-c', 'chown 998:998 /srv/html && chmod 700 /srv/html'] - securityContext: - runAsUser: 0 - volumeMounts: - - name: matomo-html - mountPath: /srv/html - containers: - - name: matomo - image: spreadspace/matomo:4 - imagePullPolicy: Always - volumeMounts: - - name: matomo-html - mountPath: /var/www/html - - name: nginx - image: spreadspace/nginx:4 - imagePullPolicy: Always - args: - - nginx - - -c - - /srv/config/nginx.conf - - -g - - "daemon off;" - volumeMounts: - - name: home - mountPath: /srv - - name: nginx-lib - mountPath: /var/lib/nginx - - name: nginx-config - mountPath: /srv/config - - name: matomo-html - mountPath: /var/www/html - volumes: - - name: home - emptyDir: - medium: Memory - - name: nginx-lib - emptyDir: - medium: Memory - - name: nginx-config - configMap: - name: stats-matomo - - name: matomo-html - hostPath: - type: DirectoryOrCreate - path: /srv/stats/matomo diff --git a/contrib/k8s-emc/matomo-ingress.yml b/contrib/k8s-emc/matomo-ingress.yml deleted file mode 100644 index 0ad283c..0000000 
--- a/contrib/k8s-emc/matomo-ingress.yml +++ /dev/null @@ -1,28 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - namespace: emc - name: stats-matomo - labels: - app: matomo - tier: stats -# annotations: -# nginx.ingress.kubernetes.io/rewrite-target: / -spec: - ingressClassName: nginx - tls: - - secretName: emc-stats-tls - hosts: - - emc-stats.elev8.at - rules: - - host: emc-stats.elev8.at - http: - paths: -# - path: /matomo - - path: / - pathType: Prefix - backend: - service: - name: stats-matomo - port: - number: 8080 diff --git a/contrib/k8s-emc/matomo-svc.yml b/contrib/k8s-emc/matomo-svc.yml deleted file mode 100644 index 4bac3c7..0000000 --- a/contrib/k8s-emc/matomo-svc.yml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - namespace: emc - name: stats-matomo - labels: - app: matomo - tier: stats -spec: - selector: - app: matomo - tier: stats - clusterIP: 172.18.242.14 - ports: - - name: http - port: 8080 diff --git a/contrib/k8s-emc/mysql-secret.yml b/contrib/k8s-emc/mysql-secret.yml deleted file mode 100644 index 91f73be..0000000 --- a/contrib/k8s-emc/mysql-secret.yml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - namespace: emc - name: stats-mysql-root - labels: - app: mysql - tier: stats -type: Opaque -data: - password: Y2hhbmdlLW1lCg== # change-me diff --git a/contrib/k8s-emc/mysql-statefulset.yml b/contrib/k8s-emc/mysql-statefulset.yml deleted file mode 100644 index e02979e..0000000 --- a/contrib/k8s-emc/mysql-statefulset.yml +++ /dev/null 
@@ -1,71 +0,0 @@ -apiVersion: apps/v1 -kind: StatefulSet -metadata: - namespace: emc - name: stats-mysql - labels: - app: mysql - tier: stats -spec: - serviceName: stats-mysql - replicas: 1 - selector: - matchLabels: - app: mysql - tier: stats - updateStrategy: - type: RollingUpdate - template: - metadata: - labels: - app: mysql - tier: stats - spec: - nodeName: emc-ctrl - securityContext: - runAsUser: 27 - fsGroup: 27 - initContainers: - - name: prepare-mysql-volumes - image: busybox - command: ['sh', '-c', 'chown 27:27 /srv/lib && chmod 700 /srv/lib && mkdir -p /srv/tmp/log /srv/tmp/run /srv/tmp/files && ln -sf /dev/stderr /srv/tmp/log/mysqld.log && chown 27:27 /srv/tmp/log/mysqld.log /srv/tmp/run /srv/tmp/files'] - securityContext: - runAsUser: 0 - volumeMounts: - - name: mysql-lib - mountPath: /srv/lib - - name: mysql-tmp - mountPath: /srv/tmp - containers: - - name: mysql - image: quay.io/neith00/mysql-docker:s2streamstats - imagePullPolicy: IfNotPresent - env: - - name: MYSQL_ROOT_PASSWORD - value: /var/run/mysql-secret/password - volumeMounts: - - name: mysql-lib - mountPath: /var/lib/mysql - - name: mysql-tmp - subPath: log - mountPath: /var/log - - name: mysql-tmp - subPath: run - mountPath: /var/run/mysqld - - name: mysql-tmp - subPath: files - mountPath: /var/lib/mysql-files/ - - name: mysql-secret - mountPath: /var/run/mysql-secret/ - volumes: - - name: mysql-lib - hostPath: - type: DirectoryOrCreate - path: /srv/stats/mysql - - name: mysql-tmp - emptyDir: - medium: Memory - - name: mysql-secret - secret: - secretName: stats-mysql-root - defaultMode: 0400 diff --git a/contrib/k8s-emc/mysql-svc.yml b/contrib/k8s-emc/mysql-svc.yml deleted file mode 100644 index 70bcd4a..0000000 --- a/contrib/k8s-emc/mysql-svc.yml +++ /dev/null 
@@ -1,16 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - namespace: emc - name: stats-mysql - labels: - app: mysql - tier: stats -spec: - selector: - app: mysql - tier: stats - clusterIP: 172.18.242.23 - ports: - - name: mysql - port: 3306 diff --git a/contrib/k8s-emc/ns.yml b/contrib/k8s-emc/ns.yml deleted file mode 100644 index 67afdcc..0000000 --- a/contrib/k8s-emc/ns.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -kind: Namespace -apiVersion: v1 -metadata: - name: emc -- cgit v1.2.3