From b6e0c310c410e59ae210108d33fdc66bedb7cbf1 Mon Sep 17 00:00:00 2001 
From: Christian Pointner Date: Wed, 29 Apr 2020 15:55:18 +0200 Subject: add k8s-lwl --- contrib/k8s-emc/stats-auth-secret.yml | 10 -- contrib/k8s-lwl/acme-hack/acmetool-desired.yml | 3 + contrib/k8s-lwl/acme-hack/do.sh | 26 +++++ contrib/k8s-lwl/acme-hack/nginx-acme-cm.yml | 41 +++++++ contrib/k8s-lwl/acme-hack/nginx-acme-deploy.yml | 66 +++++++++++ contrib/k8s-lwl/acme-hack/nginx-acme-ingress.yml | 19 ++++ contrib/k8s-lwl/acme-hack/nginx-acme-svc.yml | 20 ++++ contrib/k8s-lwl/acme-hack/wipe.sh | 6 + contrib/k8s-lwl/grafana-ingress.yml | 23 ++++ contrib/k8s-lwl/grafana-statefulset.yml | 65 +++++++++++ contrib/k8s-lwl/grafana-svc.yml | 16 +++ contrib/k8s-lwl/graphite-cm-api.yml | 17 +++ contrib/k8s-lwl/graphite-cm-carbon.yml | 55 ++++++++++ contrib/k8s-lwl/graphite-statefulset.yml | 76 +++++++++++++ contrib/k8s-lwl/graphite-svc.yml | 18 +++ contrib/k8s-lwl/ingress-cm.yml | 8 ++ contrib/k8s-lwl/ingress-default-backend.yml | 59 ++++++++++ contrib/k8s-lwl/ingress-ds.yml | 70 ++++++++++++ contrib/k8s-lwl/ingress-rbac.yml | 133 +++++++++++++++++++++++ contrib/k8s-lwl/ingress-tcp-cm.yml | 8 ++ contrib/k8s-lwl/ingress-udp-cm.yml | 8 ++ contrib/k8s-lwl/matomo-cm.yml | 132 ++++++++++++++++++++++ contrib/k8s-lwl/matomo-deploy.yml | 75 +++++++++++++ contrib/k8s-lwl/matomo-ingress.yml | 24 ++++ contrib/k8s-lwl/matomo-svc.yml | 16 +++ contrib/k8s-lwl/mysql-secret.yml | 11 ++ contrib/k8s-lwl/mysql-statefulset.yml | 71 ++++++++++++ contrib/k8s-lwl/mysql-svc.yml | 16 +++ contrib/k8s-lwl/node-labels.sh | 16 +++ contrib/k8s-lwl/ns.yml | 5 + contrib/k8s-lwl/stream-site-cm.yml | 44 ++++++++ contrib/k8s-lwl/stream-site-deploy.yml | 66 +++++++++++ contrib/k8s-lwl/stream-site-ingress.yml | 23 ++++ contrib/k8s-lwl/stream-site-svc.yml | 21 ++++ 34 files changed, 1257 insertions(+), 10 deletions(-) delete mode 100644 contrib/k8s-emc/stats-auth-secret.yml create mode 100644 contrib/k8s-lwl/acme-hack/acmetool-desired.yml create mode 100755 contrib/k8s-lwl/acme-hack/do.sh create mode 100644 
contrib/k8s-lwl/acme-hack/nginx-acme-cm.yml create mode 100644 contrib/k8s-lwl/acme-hack/nginx-acme-deploy.yml create mode 100644 contrib/k8s-lwl/acme-hack/nginx-acme-ingress.yml create mode 100644 contrib/k8s-lwl/acme-hack/nginx-acme-svc.yml create mode 100755 contrib/k8s-lwl/acme-hack/wipe.sh create mode 100644 contrib/k8s-lwl/grafana-ingress.yml create mode 100644 contrib/k8s-lwl/grafana-statefulset.yml create mode 100644 contrib/k8s-lwl/grafana-svc.yml create mode 100644 contrib/k8s-lwl/graphite-cm-api.yml create mode 100644 contrib/k8s-lwl/graphite-cm-carbon.yml create mode 100644 contrib/k8s-lwl/graphite-statefulset.yml create mode 100644 contrib/k8s-lwl/graphite-svc.yml create mode 100644 contrib/k8s-lwl/ingress-cm.yml create mode 100644 contrib/k8s-lwl/ingress-default-backend.yml create mode 100644 contrib/k8s-lwl/ingress-ds.yml create mode 100644 contrib/k8s-lwl/ingress-rbac.yml create mode 100644 contrib/k8s-lwl/ingress-tcp-cm.yml create mode 100644 contrib/k8s-lwl/ingress-udp-cm.yml create mode 100644 contrib/k8s-lwl/matomo-cm.yml create mode 100644 contrib/k8s-lwl/matomo-deploy.yml create mode 100644 contrib/k8s-lwl/matomo-ingress.yml create mode 100644 contrib/k8s-lwl/matomo-svc.yml create mode 100644 contrib/k8s-lwl/mysql-secret.yml create mode 100644 contrib/k8s-lwl/mysql-statefulset.yml create mode 100644 contrib/k8s-lwl/mysql-svc.yml create mode 100755 contrib/k8s-lwl/node-labels.sh create mode 100644 contrib/k8s-lwl/ns.yml create mode 100644 contrib/k8s-lwl/stream-site-cm.yml create mode 100644 contrib/k8s-lwl/stream-site-deploy.yml create mode 100644 contrib/k8s-lwl/stream-site-ingress.yml create mode 100644 contrib/k8s-lwl/stream-site-svc.yml diff --git a/contrib/k8s-emc/stats-auth-secret.yml b/contrib/k8s-emc/stats-auth-secret.yml deleted file mode 100644 index 623b9e2..0000000 --- a/contrib/k8s-emc/stats-auth-secret.yml +++ /dev/null 
@@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - namespace: emc - name: stats-auth - labels: - tier: stats -type: Opaque -data: - auth: ZXF1aW5veDokYXByMSR4NXJ5UzdDWSR1U1hJdHp5Mm9abmlzRkpsRUg2QXkwCg== diff --git a/contrib/k8s-lwl/acme-hack/acmetool-desired.yml b/contrib/k8s-lwl/acme-hack/acmetool-desired.yml new file mode 100644 index 0000000..d8a67e2 --- /dev/null +++ b/contrib/k8s-lwl/acme-hack/acmetool-desired.yml @@ -0,0 +1,3 @@ +satisfy: + names: + - <> diff --git a/contrib/k8s-lwl/acme-hack/do.sh b/contrib/k8s-lwl/acme-hack/do.sh new file mode 100755 index 0000000..f4c71ce --- /dev/null +++ b/contrib/k8s-lwl/acme-hack/do.sh @@ -0,0 +1,26 @@ +#!/bin/bash + +declare -A domains +domains[cdn]="cdn.lndwrbl.live" +domains[stats]="stats.lndwrbl.live" +domains[stream]="stream.lndwrbl.live" + +kubectl apply -f nginx-acme-cm.yml +kubectl apply -f nginx-acme-deploy.yml +kubectl apply -f nginx-acme-svc.yml +for name in "${!domains[@]}"; do + cat nginx-acme-ingress.yml | sed "s/<>/$name/g" | sed "s/<>/${domains[$name]}/g" | kubectl apply -f - +done + +for name in "${!domains[@]}"; do + cat acmetool-desired.yml | sed "s/<>/${domains[$name]}/g" | ssh lw-live-00 "cat > /var/lib/acme/desired/${domains[$name]}" +done + +### TODO: wait for all pods and then contiune the script +#exit 0 + +ssh lw-live-00 systemctl start acmetool + +for name in "${!domains[@]}"; do + ssh lw-live-00 kubectl -n lwl create secret tls "$name\-tls" "--cert=/var/lib/acme/live/${domains[$name]}/fullchain" "--key=/var/lib/acme/live/${domains[$name]}/privkey" --dry-run -o json | kubectl apply -f - +done diff --git a/contrib/k8s-lwl/acme-hack/nginx-acme-cm.yml b/contrib/k8s-lwl/acme-hack/nginx-acme-cm.yml new file mode 100644 index 0000000..7599d3c --- /dev/null +++ b/contrib/k8s-lwl/acme-hack/nginx-acme-cm.yml 
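Review bot: In the last loop of do.sh, `"$name\-tls"` keeps the backslash (inside double quotes bash only removes a backslash before `$`, a backquote, a double quote, another backslash or a newline), so the secret is created as e.g. `cdn\-tls`, which is not a valid object name and would never match the `stats-tls` / `stream-tls` secretName the ingresses reference; write `"$name-tls"`. The two sed passes over nginx-acme-ingress.yml also use the identical placeholder `<>` as rendered here, so the first pass replaces both occurrences and `host:` ends up as the short name instead of the domain — if the real template has two distinct markers that were lost in rendering, ignore this, otherwise give them different names. The script has no `set -euo pipefail`, so a failed ssh or kubectl step is silently skipped and the later steps run against half-applied state.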
@@ -0,0 +1,41 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: lwl + name: nginx-acme-hack + labels: + app: nginx + type: acme-challenge + tier: hack +data: + nginx.conf: | + worker_processes 1; + pid /srv/nginx.pid; + error_log /dev/stderr notice; + + events { + worker_connections 64; + # multi_accept on; + } + + http { + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + + server_names_hash_bucket_size 64; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + access_log /dev/null; + + server { + listen 8080 default_server; + server_name _; + + root /srv/www; + } + } diff --git a/contrib/k8s-lwl/acme-hack/nginx-acme-deploy.yml b/contrib/k8s-lwl/acme-hack/nginx-acme-deploy.yml new file mode 100644 index 0000000..7d52f55 --- /dev/null +++ b/contrib/k8s-lwl/acme-hack/nginx-acme-deploy.yml 
@@ -0,0 +1,66 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: lwl + name: nginx-acme-hack-lw-live-00 + labels: + app: nginx + type: acme-challenge + tier: hack + worker: lw-live-00 +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + type: acme-challenge + tier: hack + worker: lw-live-00 + strategy: + type: Recreate + revisionHistoryLimit: 5 + template: + metadata: + labels: + app: nginx + type: acme-challenge + tier: hack + worker: lw-live-00 + spec: + nodeName: lw-live-00 + securityContext: + runAsUser: 998 + fsGroup: 998 + containers: + - name: nginx + image: spreadspace/nginx:4 + imagePullPolicy: Always + args: + - nginx + - -c + - /srv/config/nginx.conf + - -g + - "daemon off;" + volumeMounts: + - name: home + mountPath: /srv + - name: nginx-lib + mountPath: /var/lib/nginx + - name: nginx-config + mountPath: /srv/config + - name: acme-challenge + mountPath: /srv/www/.well-known/acme-challenge + volumes: + - name: home + emptyDir: + medium: Memory + - name: nginx-lib + emptyDir: + medium: Memory + - name: nginx-config + configMap: + name: nginx-acme-hack + - name: acme-challenge + hostPath: + type: DirectoryOrCreate + path: /var/run/acme/acme-challenge/ diff --git a/contrib/k8s-lwl/acme-hack/nginx-acme-ingress.yml b/contrib/k8s-lwl/acme-hack/nginx-acme-ingress.yml new file mode 100644 index 0000000..e7a3e0e --- /dev/null +++ b/contrib/k8s-lwl/acme-hack/nginx-acme-ingress.yml @@ -0,0 +1,19 @@ +--- +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + namespace: lwl + name: nginx-acme-hack-<> + labels: + app: nginx + type: acme-challenge + tier: hack +spec: + rules: + - host: <> + http: + paths: + - path: /.well-known/acme-challenge/ + backend: + serviceName: nginx-acme-hack-lw-live-00 + servicePort: 8080 diff --git a/contrib/k8s-lwl/acme-hack/nginx-acme-svc.yml b/contrib/k8s-lwl/acme-hack/nginx-acme-svc.yml new file mode 100644 index 0000000..198a16c --- /dev/null +++ b/contrib/k8s-lwl/acme-hack/nginx-acme-svc.yml 
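Review bot: The `acme-challenge` hostPath is mounted read-write although the nginx container only serves files from it; add `readOnly: true` to that volumeMount so the web server process cannot write into `/var/run/acme/acme-challenge/` on the node. The same applies to the nginx container's `matomo-html` mount in matomo-deploy.yml (nginx serves the files and hands PHP to the matomo container) and to the `www` hostPath mount in stream-site-deploy.yml. With `type: DirectoryOrCreate` the kubelet also creates the directory itself if acmetool has not run yet, so a missing challenge directory is served as an empty tree rather than failing the pod; `type: Directory`, as used in stream-site-deploy.yml, fails fast instead.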
@@ -0,0 +1,20 @@ +apiVersion: v1 +kind: Service +metadata: + namespace: lwl + name: nginx-acme-hack-lw-live-00 + labels: + app: nginx + type: acme-challenge + tier: hack + worker: lw-live-00 +spec: + selector: + app: nginx + type: acme-challenge + tier: hack + worker: lw-live-00 + clusterIP: None + ports: + - name: http + port: 8080 diff --git a/contrib/k8s-lwl/acme-hack/wipe.sh b/contrib/k8s-lwl/acme-hack/wipe.sh new file mode 100755 index 0000000..5791f7b --- /dev/null +++ b/contrib/k8s-lwl/acme-hack/wipe.sh @@ -0,0 +1,6 @@ +#!/bin/bash + +kubectl --namespace lwl delete ingress -l tier=hack -l type=acme-challenge +kubectl --namespace lwl delete svc -l tier=hack -l type=acme-challenge +kubectl --namespace lwl delete deploy -l tier=hack -l type=acme-challenge +kubectl --namespace lwl delete cm -l tier=hack -l type=acme-challenge diff --git a/contrib/k8s-lwl/grafana-ingress.yml b/contrib/k8s-lwl/grafana-ingress.yml new file mode 100644 index 0000000..b857a46 --- /dev/null +++ b/contrib/k8s-lwl/grafana-ingress.yml @@ -0,0 +1,23 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + namespace: lwl + name: stats-grafana + labels: + app: grafana + tier: stats + annotations: + nginx.ingress.kubernetes.io/rewrite-target: / +spec: + tls: + - secretName: stats-tls + hosts: + - stats.lndwrbl.live + rules: + - host: stats.lndwrbl.live + http: + paths: + - path: /grafana + backend: + serviceName: stats-grafana + servicePort: 3000 diff --git a/contrib/k8s-lwl/grafana-statefulset.yml b/contrib/k8s-lwl/grafana-statefulset.yml new file mode 100644 index 0000000..ca995f1 --- /dev/null +++ b/contrib/k8s-lwl/grafana-statefulset.yml 
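Review bot: The repeated `-l` in every line of wipe.sh does not AND the two selectors; `-l`/`--selector` is a single string flag, so as far as I can tell the last one wins and each command deletes by `type=acme-challenge` alone, which is wider than intended. Use one comma-joined selector per line, e.g. `kubectl --namespace lwl delete ingress -l tier=hack,type=acme-challenge`, and the same for the svc, deploy and cm lines. Because this deletes by label rather than by the files do.sh applied, a `kubectl get ... -l tier=hack,type=acme-challenge` before the deletes would make the blast radius visible.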
@@ -0,0 +1,65 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + namespace: lwl + name: stats-grafana + labels: + app: grafana + tier: stats +spec: + serviceName: stats-grafana + replicas: 1 + selector: + matchLabels: + app: grafana + tier: stats + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + app: grafana + tier: stats + spec: + nodeName: lw-master + initContainers: + - name: prepare-grafana-data + image: busybox + command: ['sh', '-c', 'mkdir -p /srv/data/lib /srv/data/log'] + volumeMounts: + - name: grafana-data + mountPath: /srv/data + containers: + - name: grafana + image: grafana/grafana:6.6.2 + imagePullPolicy: Always + resources: + limits: + memory: 3072Mi + requests: + memory: 2048Mi + env: + - name: GF_SERVER_ROOT_URL + value: https://stats.lndwrbl.live/grafana + - name: GF_SECURITY_ADMIN_PASSWORD + value: secret + - name: GF_ANALYTICS_CHECK_FOR_UPDATES + value: "false" + - name: GF_SECURITY_DISABLE_GRAVATAR + value: "true" + - name: GF_USERS_ALLOW_SIGN_UP + value: "false" + - name: GF_USERS_ALLOW_ORG_CREATE + value: "false" + volumeMounts: + - name: grafana-data + mountPath: /var/lib/grafana + subPath: lib + - name: grafana-data + mountPath: /var/log/grafana + subPath: log + volumes: + - name: grafana-data + hostPath: + type: DirectoryOrCreate + path: /srv/stats/grafana diff --git a/contrib/k8s-lwl/grafana-svc.yml b/contrib/k8s-lwl/grafana-svc.yml new file mode 100644 index 0000000..81b80ce --- /dev/null +++ b/contrib/k8s-lwl/grafana-svc.yml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + namespace: lwl + name: stats-grafana + labels: + app: grafana + tier: stats +spec: + selector: + app: grafana + tier: stats + clusterIP: 172.18.242.42 + ports: + - name: http + port: 3000 diff --git a/contrib/k8s-lwl/graphite-cm-api.yml b/contrib/k8s-lwl/graphite-cm-api.yml new file mode 100644 index 0000000..265bdc7 --- /dev/null +++ b/contrib/k8s-lwl/graphite-cm-api.yml 
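Review bot: `GF_SECURITY_ADMIN_PASSWORD` is set to the literal `secret` in the manifest, so the Grafana admin credential is committed in plain text and readable by anyone who can read the StatefulSet; the mysql manifests in this commit already keep the root password in a Secret and Grafana should do the same via `valueFrom.secretKeyRef`. The value only seeds the initial admin user, but `secret` is also a weak choice for a service published on `stats.lndwrbl.live`. Unlike the graphite, matomo and mysql pods in this commit this one declares no pod `securityContext`, so the Grafana container runs as the image's default user against the host directory `/srv/stats/grafana`.
```yaml
      env:
        - name: GF_SERVER_ROOT_URL
          value: https://stats.lndwrbl.live/grafana
        - name: GF_SECURITY_ADMIN_PASSWORD
          valueFrom:
            secretKeyRef:
              name: stats-grafana-admin  # constructed name; create it alongside mysql-secret.yml
              key: password
        # … unchanged: remaining GF_* env entries …
```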
@@ -0,0 +1,17 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + namespace: lwl + name: stats-graphite-api + labels: + app: graphite + tier: stats +data: + api.yaml: | + search_index: /srv/index/index + whisper: + directories: + - /srv/data/whisper + carbon: + hosts: + - 127.0.0.1:7002 diff --git a/contrib/k8s-lwl/graphite-cm-carbon.yml b/contrib/k8s-lwl/graphite-cm-carbon.yml new file mode 100644 index 0000000..7182d48 --- /dev/null +++ b/contrib/k8s-lwl/graphite-cm-carbon.yml @@ -0,0 +1,55 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + namespace: lwl + name: stats-graphite-carbon + labels: + app: graphite + tier: stats +data: + carbon.conf: | + [cache] + + STORAGE_DIR = /srv/data/ + LOCAL_DATA_DIR = /srv/data/whisper/ + CONF_DIR = /srv/config/ + + MAX_CACHE_SIZE = inf + MAX_UPDATES_PER_SECOND = 1000 + # MAX_UPDATES_PER_SECOND_ON_SHUTDOWN = 5000 + + MAX_CREATES_PER_MINUTE = 50 + + LINE_RECEIVER_INTERFACE = 0.0.0.0 + LINE_RECEIVER_PORT = 2003 + + ENABLE_UDP_LISTENER = False + PICKLE_RECEIVER_PORT = 0 + + LOG_LISTENER_CONNECTIONS = True + + CACHE_QUERY_INTERFACE = 127.0.0.1 + CACHE_QUERY_PORT = 7002 + + USE_FLOW_CONTROL = True + + LOG_UPDATES = False + LOG_CACHE_HITS = False + LOG_CACHE_QUEUE_SORTS = True + + CACHE_WRITE_STRATEGY = sorted + WHISPER_AUTOFLUSH = False + + WHISPER_FALLOCATE_CREATE = True + storage-schemas.conf: | + [carbon] + pattern = ^carbon\. + retentions = 60:90d + + [sfive] + pattern = ^sfive\. + retentions = 15s:10d,1m:21d,15m:5y + + [default_1min_for_1day] + pattern = .* + retentions = 60s:1d diff --git a/contrib/k8s-lwl/graphite-statefulset.yml b/contrib/k8s-lwl/graphite-statefulset.yml new file mode 100644 index 0000000..fc883be --- /dev/null +++ b/contrib/k8s-lwl/graphite-statefulset.yml 
@@ -0,0 +1,76 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + namespace: lwl + name: stats-graphite + labels: + app: graphite + tier: stats +spec: + serviceName: stats-graphite + replicas: 1 + selector: + matchLabels: + app: graphite + tier: stats + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + app: graphite + tier: stats + spec: + nodeName: lw-master + securityContext: + runAsUser: 998 + fsGroup: 998 + initContainers: + - name: prepare-graphite-data + image: busybox + command: ['sh', '-c', 'chown 998:998 /srv/data && chmod 700 /srv/data'] + securityContext: + runAsUser: 0 + volumeMounts: + - name: graphite-data + mountPath: /srv/data + containers: + - name: carbon + image: spreadspace/graphite-carbon:master-4 + imagePullPolicy: Always + volumeMounts: + - name: home + mountPath: /srv + - name: carbon-config + mountPath: /srv/config + - name: graphite-data + mountPath: /srv/data + - name: api + image: spreadspace/graphite-api:master-4 + imagePullPolicy: Always + volumeMounts: + - name: home + mountPath: /srv + - name: api-config + mountPath: /srv/config + - name: api-index + mountPath: /srv/index + - name: graphite-data + mountPath: /srv/data + volumes: + - name: home + emptyDir: + medium: Memory + - name: graphite-data + hostPath: + type: DirectoryOrCreate + path: /srv/stats/graphite + - name: carbon-config + configMap: + name: stats-graphite-carbon + - name: api-config + configMap: + name: stats-graphite-api + - name: api-index + emptyDir: + medium: Memory diff --git a/contrib/k8s-lwl/graphite-svc.yml b/contrib/k8s-lwl/graphite-svc.yml new file mode 100644 index 0000000..657eec9 --- /dev/null +++ b/contrib/k8s-lwl/graphite-svc.yml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + namespace: lwl + name: stats-graphite + labels: + app: graphite + tier: stats +spec: + selector: + app: graphite + tier: stats + clusterIP: 172.18.242.31 + ports: + - name: line + port: 2003 + - name: api + port: 8080 
diff --git a/contrib/k8s-lwl/ingress-cm.yml b/contrib/k8s-lwl/ingress-cm.yml new file mode 100644 index 0000000..0a517ea --- /dev/null +++ b/contrib/k8s-lwl/ingress-cm.yml @@ -0,0 +1,8 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + namespace: lwl + name: ingress-nginx-config + labels: + app: nginx + tier: ingress diff --git a/contrib/k8s-lwl/ingress-default-backend.yml b/contrib/k8s-lwl/ingress-default-backend.yml new file mode 100644 index 0000000..48d9e4c --- /dev/null +++ b/contrib/k8s-lwl/ingress-default-backend.yml @@ -0,0 +1,59 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: lwl + name: ingress-default-http-backend + labels: + app: default-http-backend + tier: ingress +spec: + replicas: 1 + selector: + matchLabels: + app: default-http-backend + tier: ingress + template: + metadata: + labels: + app: default-http-backend + tier: ingress + spec: + terminationGracePeriodSeconds: 60 + nodeSelector: + streaming.spreadspace.org/zone: dist-lb + containers: + - name: backend + image: gcr.io/google_containers/defaultbackend:1.4 + livenessProbe: + httpGet: + path: /healthz + port: 8080 + scheme: HTTP + initialDelaySeconds: 30 + timeoutSeconds: 5 + ports: + - containerPort: 8080 + resources: + limits: + cpu: 10m + memory: 20Mi + requests: + cpu: 10m + memory: 20Mi +--- + +apiVersion: v1 +kind: Service +metadata: + namespace: lwl + name: ingress-default-http-backend + labels: + app: default-http-backend + tier: ingress +spec: + ports: + - port: 80 + targetPort: 8080 + selector: + app: default-http-backend + tier: ingress diff --git a/contrib/k8s-lwl/ingress-ds.yml b/contrib/k8s-lwl/ingress-ds.yml new file mode 100644 index 0000000..f6665c6 --- /dev/null +++ b/contrib/k8s-lwl/ingress-ds.yml 
@@ -0,0 +1,70 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + namespace: lwl + name: ingress-nginx-controller + labels: + app: nginx + tier: ingress +spec: + selector: + matchLabels: + app: nginx + tier: ingress + template: + metadata: + labels: + app: nginx + tier: ingress + annotations: + prometheus.io/port: '10254' + prometheus.io/scrape: 'true' + spec: + serviceAccountName: ingress-nginx + nodeSelector: + streaming.spreadspace.org/zone: dist-lb + hostNetwork: true + dnsPolicy: ClusterFirstWithHostNet + containers: + - name: nginx-controller + image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.18.0 + args: + - /nginx-ingress-controller + - --default-backend-service=$(POD_NAMESPACE)/ingress-default-http-backend + - --configmap=$(POD_NAMESPACE)/ingress-nginx-config + - --tcp-services-configmap=$(POD_NAMESPACE)/ingress-tcp-config + - --udp-services-configmap=$(POD_NAMESPACE)/ingress-udp-config + - --annotations-prefix=nginx.ingress.kubernetes.io + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + ports: + - name: http + containerPort: 80 + - name: https + containerPort: 443 + livenessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 diff --git a/contrib/k8s-lwl/ingress-rbac.yml b/contrib/k8s-lwl/ingress-rbac.yml new file mode 100644 index 0000000..14e0c44 --- /dev/null +++ b/contrib/k8s-lwl/ingress-rbac.yml 
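Review bot: The controller pod runs with `hostNetwork: true` on the `dist-lb` nodes but declares no `securityContext`, so the container gets the image's default user and the default capability set while sharing the node's network namespace. The upstream manifests for this controller generation, as far as I recall, drop all capabilities except `NET_BIND_SERVICE` and run as a non-root uid; the same stanza is cheap to add here. With host networking the health/metrics port 10254 scraped via the `prometheus.io/port` annotation is also reachable on the node's own addresses, not just from inside the cluster, and `nginx-ingress-controller:0.18.0` is a 2018 release, so pinning a maintained version deserves a follow-up.
```yaml
      containers:
        - name: nginx-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.18.0
          securityContext:
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            runAsUser: 33  # www-data in the upstream image; confirm against the image in use
          # … unchanged: args, env, ports, probes …
```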
@@ -0,0 +1,133 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: lwl + name: ingress-nginx + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ingress-nginx +rules: + - apiGroups: + - "" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + verbs: + - list + - watch + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - "extensions" + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + - apiGroups: + - "extensions" + resources: + - ingresses/status + verbs: + - update + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: + - kind: ServiceAccount + name: ingress-nginx + namespace: lwl + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: lwl + name: ingress-nginx +rules: + - apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - namespaces + verbs: + - get + - apiGroups: + - "" + resources: + - configmaps + resourceNames: + # Defaults to "-" + # Here: "-" + # This has to be adapted if you change either parameter + # when launching the nginx-ingress-controller. + - "ingress-controller-leader-nginx" + verbs: + - get + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - apiGroups: + - "" + resources: + - endpoints + verbs: + - get + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + namespace: lwl + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx +subjects: + - kind: ServiceAccount + name: ingress-nginx + namespace: lwl 
diff --git a/contrib/k8s-lwl/ingress-tcp-cm.yml b/contrib/k8s-lwl/ingress-tcp-cm.yml new file mode 100644 index 0000000..33db990 --- /dev/null +++ b/contrib/k8s-lwl/ingress-tcp-cm.yml @@ -0,0 +1,8 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + namespace: lwl + name: ingress-tcp-config + labels: + app: tcp-services + tier: ingress diff --git a/contrib/k8s-lwl/ingress-udp-cm.yml b/contrib/k8s-lwl/ingress-udp-cm.yml new file mode 100644 index 0000000..ecd7faf --- /dev/null +++ b/contrib/k8s-lwl/ingress-udp-cm.yml @@ -0,0 +1,8 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + namespace: lwl + name: ingress-udp-config + labels: + app: udp-services + tier: ingress diff --git a/contrib/k8s-lwl/matomo-cm.yml b/contrib/k8s-lwl/matomo-cm.yml new file mode 100644 index 0000000..6a0a2cb --- /dev/null +++ b/contrib/k8s-lwl/matomo-cm.yml 
@@ -0,0 +1,132 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: lwl + name: stats-matomo + labels: + app: matomo + tier: stats +data: + nginx.conf: | + worker_processes 4; + pid /srv/nginx.pid; + error_log /dev/stderr notice; + + events { + worker_connections 768; + # multi_accept on; + } + + http { + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + + server_names_hash_bucket_size 64; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + access_log /dev/null; + + server { + listen 8080 default_server; + listen [::]:8080 default_server; + + server_name _; + + add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + + root /var/www/html; + + index index.php; + + ## only allow accessing the following php files + location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php { + try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here. 
+ + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param QUERY_STRING $query_string; + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param CONTENT_TYPE $content_type; + fastcgi_param CONTENT_LENGTH $content_length; + + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + fastcgi_param REQUEST_URI $request_uri; + fastcgi_param DOCUMENT_URI $document_uri; + fastcgi_param DOCUMENT_ROOT $document_root; + fastcgi_param SERVER_PROTOCOL $server_protocol; + fastcgi_param REQUEST_SCHEME $scheme; + fastcgi_param HTTPS $https if_not_empty; + + fastcgi_param GATEWAY_INTERFACE CGI/1.1; + fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + + fastcgi_param REMOTE_ADDR $remote_addr; + fastcgi_param REMOTE_PORT $remote_port; + fastcgi_param SERVER_ADDR $server_addr; + fastcgi_param SERVER_PORT $server_port; + fastcgi_param SERVER_NAME $server_name; + + # PHP only, required if PHP was built with --enable-force-cgi-redirect + fastcgi_param REDIRECT_STATUS 200; + + fastcgi_param HTTP_PROXY ""; + #fastcgi_param HTTP_X_FORWARDED_URI /matomo; + fastcgi_intercept_errors on; + fastcgi_pass 127.0.0.1:9000; + } + + ## deny access to all other .php files + location ~* ^.+\.php$ { + deny all; + return 403; + } + + location / { + try_files $uri $uri/ =404; + } + + ## disable all access to the following directories + location ~ /(config|tmp|core|lang) { + deny all; + return 403; # replace with 404 to not show these directories exist + } + + location ~ /\.ht { + deny all; + return 403; + } + + location ~ js/container_.*_preview\.js$ { + expires off; + add_header Cache-Control 'private, no-cache, no-store'; + } + + location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ { + allow all; + ## Cache images,CSS,JS and webfonts for an hour + ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade + expires 1h; + add_header Pragma public; + add_header Cache-Control "public"; 
+ } + + location ~ /(libs|vendor|plugins|misc/user) { + deny all; + return 403; + } + + ## properly display textfiles in root directory + location ~/(.*\.md|LEGALNOTICE|LICENSE) { + default_type text/plain; + } + + location ~ \.php$ { + } + } + } diff --git a/contrib/k8s-lwl/matomo-deploy.yml b/contrib/k8s-lwl/matomo-deploy.yml new file mode 100644 index 0000000..4e01229 --- /dev/null +++ b/contrib/k8s-lwl/matomo-deploy.yml @@ -0,0 +1,75 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: lwl + name: stats-matomo + labels: + app: matomo + tier: stats +spec: + replicas: 1 + selector: + matchLabels: + app: matomo + tier: stats + strategy: + type: Recreate + revisionHistoryLimit: 5 + template: + metadata: + labels: + app: matomo + tier: stats + spec: + nodeName: lw-master + securityContext: + runAsUser: 998 + fsGroup: 998 + initContainers: + - name: prepare-matomo-html + image: busybox + command: ['sh', '-c', 'chown 998:998 /srv/html && chmod 700 /srv/html'] + securityContext: + runAsUser: 0 + volumeMounts: + - name: matomo-html + mountPath: /srv/html + containers: + - name: matomo + image: spreadspace/matomo:4 + imagePullPolicy: Always + volumeMounts: + - name: matomo-html + mountPath: /var/www/html + - name: nginx + image: spreadspace/nginx:4 + imagePullPolicy: Always + args: + - nginx + - -c + - /srv/config/nginx.conf + - -g + - "daemon off;" + volumeMounts: + - name: home + mountPath: /srv + - name: nginx-lib + mountPath: /var/lib/nginx + - name: nginx-config + mountPath: /srv/config + - name: matomo-html + mountPath: /var/www/html + volumes: + - name: home + emptyDir: + medium: Memory + - name: nginx-lib + emptyDir: + medium: Memory + - name: nginx-config + configMap: + name: stats-matomo + - name: matomo-html + hostPath: + type: DirectoryOrCreate + path: /srv/stats/matomo diff --git a/contrib/k8s-lwl/matomo-ingress.yml b/contrib/k8s-lwl/matomo-ingress.yml new file mode 100644 index 0000000..14044a6 --- /dev/null 
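Review bot: The three `add_header` lines in the `server` block (`Referrer-Policy`, `X-Content-Type-Options`, `X-XSS-Protection`) are not inherited by a `location` that sets its own `add_header`, which in this config is the `js/container_*_preview.js` location and the static-asset location with `Pragma`/`Cache-Control` — nginx replaces the whole header set at that level, so exactly the JS and static responses go out without the hardening headers. Repeat the three headers inside those two locations, or put them in a snippet that each location includes. Separately, `fastcgi_param HTTPS $https if_not_empty` and `REMOTE_ADDR $remote_addr` are evaluated on the plain-HTTP hop behind the ingress controller, so Matomo sees `http` and the ingress pod's address unless it is configured to trust `X-Forwarded-Proto`/`X-Forwarded-For` from that proxy. The trailing empty `location ~ \.php$ { }` block is shadowed by the `deny all` regex location above it and can be dropped.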
+++ b/contrib/k8s-lwl/matomo-ingress.yml @@ -0,0 +1,24 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + namespace: lwl + name: stats-matomo + labels: + app: matomo + tier: stats +# annotations: +# nginx.ingress.kubernetes.io/rewrite-target: / +spec: + tls: + - secretName: stats-tls + hosts: + - stats.lndwrbl.live + rules: + - host: stats.lndwrbl.live + http: + paths: +# - path: /matomo + - path: / + backend: + serviceName: stats-matomo + servicePort: 8080 diff --git a/contrib/k8s-lwl/matomo-svc.yml b/contrib/k8s-lwl/matomo-svc.yml new file mode 100644 index 0000000..c619424 --- /dev/null +++ b/contrib/k8s-lwl/matomo-svc.yml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + namespace: lwl + name: stats-matomo + labels: + app: matomo + tier: stats +spec: + selector: + app: matomo + tier: stats + clusterIP: 172.18.242.14 + ports: + - name: http + port: 8080 diff --git a/contrib/k8s-lwl/mysql-secret.yml b/contrib/k8s-lwl/mysql-secret.yml new file mode 100644 index 0000000..34ab96e --- /dev/null +++ b/contrib/k8s-lwl/mysql-secret.yml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Secret +metadata: + namespace: lwl + name: stats-mysql-root + labels: + app: mysql + tier: stats +type: Opaque +data: + password: Y2hhbmdlLW1lCg== # change-me diff --git a/contrib/k8s-lwl/mysql-statefulset.yml b/contrib/k8s-lwl/mysql-statefulset.yml new file mode 100644 index 0000000..92d603c --- /dev/null +++ b/contrib/k8s-lwl/mysql-statefulset.yml 
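Review bot: The base64 value `Y2hhbmdlLW1lCg==` in mysql-secret.yml decodes to `change-me` followed by a newline (the `Cg==` tail is the line feed `echo` appends without `-n`), so whatever reads the mounted `password` file gets a ten-byte value ending in a newline, a classic source of an "access denied" that is invisible in the manifest. Either encode without the newline, `password: Y2hhbmdlLW1l`, or use `stringData:` with the plain value so the API server does the encoding. Committing a placeholder is fine as long as it is replaced before apply; a comment stating that next to the `# change-me` hint would help.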
@@ -0,0 +1,71 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + namespace: lwl + name: stats-mysql + labels: + app: mysql + tier: stats +spec: + serviceName: stats-mysql + replicas: 1 + selector: + matchLabels: + app: mysql + tier: stats + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + app: mysql + tier: stats + spec: + nodeName: lw-master + securityContext: + runAsUser: 27 + fsGroup: 27 + initContainers: + - name: prepare-mysql-volumes + image: busybox + command: ['sh', '-c', 'chown 27:27 /srv/lib && chmod 700 /srv/lib && mkdir -p /srv/tmp/log /srv/tmp/run /srv/tmp/files && ln -sf /dev/stderr /srv/tmp/log/mysqld.log && chown 27:27 /srv/tmp/log/mysqld.log /srv/tmp/run /srv/tmp/files'] + securityContext: + runAsUser: 0 + volumeMounts: + - name: mysql-lib + mountPath: /srv/lib + - name: mysql-tmp + mountPath: /srv/tmp + containers: + - name: mysql + image: quay.io/neith00/mysql-docker:s2streamstats + imagePullPolicy: IfNotPresent + env: + - name: MYSQL_ROOT_PASSWORD + value: /var/run/mysql-secret/password + volumeMounts: + - name: mysql-lib + mountPath: /var/lib/mysql + - name: mysql-tmp + subPath: log + mountPath: /var/log + - name: mysql-tmp + subPath: run + mountPath: /var/run/mysqld + - name: mysql-tmp + subPath: files + mountPath: /var/lib/mysql-files/ + - name: mysql-secret + mountPath: /var/run/mysql-secret/ + volumes: + - name: mysql-lib + hostPath: + type: DirectoryOrCreate + path: /srv/stats/mysql + - name: mysql-tmp + emptyDir: + medium: Memory + - name: mysql-secret + secret: + secretName: stats-mysql-root + defaultMode: 0400 diff --git a/contrib/k8s-lwl/mysql-svc.yml b/contrib/k8s-lwl/mysql-svc.yml new file mode 100644 index 0000000..2471c64 --- /dev/null +++ b/contrib/k8s-lwl/mysql-svc.yml 
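Review bot: `MYSQL_ROOT_PASSWORD` is given the literal string `/var/run/mysql-secret/password` through `value:`, so unless the `quay.io/neith00/mysql-docker:s2streamstats` image specifically treats that variable as a file path, the root password becomes the path string and the mounted Secret is never read. The official mysql images use `MYSQL_ROOT_PASSWORD_FILE` for this; if the custom image follows that convention the fix is one line, `- name: MYSQL_ROOT_PASSWORD_FILE`, otherwise read the value with `valueFrom.secretKeyRef` against `stats-mysql-root` / `password` and drop the `mysql-secret` volume. Either way the intent — password comes from the Secret, never from the manifest — deserves a comment next to the env entry, since the current form looks deliberate.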
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + namespace: lwl + name: stats-mysql + labels: + app: mysql + tier: stats +spec: + selector: + app: mysql + tier: stats + clusterIP: 172.18.242.23 + ports: + - name: mysql + port: 3306 diff --git a/contrib/k8s-lwl/node-labels.sh b/contrib/k8s-lwl/node-labels.sh new file mode 100755 index 0000000..62b2761 --- /dev/null +++ b/contrib/k8s-lwl/node-labels.sh @@ -0,0 +1,16 @@ +#!/bin/bash + +for node in lw-dione lw-helene; do + kubectl label --overwrite node "$node" streaming.spreadspace.org/zone=source +done + +kubectl label --overwrite node "lw-live-dist0" streaming.spreadspace.org/zone=dist-root +# for idx in $(seq 1 x); do +# kubectl label --overwrite node "lw-live-dist$idx" streaming.spreadspace.org/zone=dist-level1 +# done + +# for idx in $(seq -w 01 03); do +# kubectl label --overwrite node "lw-live-$idx" streaming.spreadspace.org/zone=dist-leaf +# done + +kubectl label --overwrite node "lw-live-00" streaming.spreadspace.org/zone=dist-lb diff --git a/contrib/k8s-lwl/ns.yml b/contrib/k8s-lwl/ns.yml new file mode 100644 index 0000000..766e2f8 --- /dev/null +++ b/contrib/k8s-lwl/ns.yml @@ -0,0 +1,5 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: lwl diff --git a/contrib/k8s-lwl/stream-site-cm.yml b/contrib/k8s-lwl/stream-site-cm.yml new file mode 100644 index 0000000..a9d7631 --- /dev/null +++ b/contrib/k8s-lwl/stream-site-cm.yml 
@@ -0,0 +1,44 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: lwl + name: stream-site-public + labels: + app: nginx + type: stream-site + tier: live + stream: public +data: + nginx.conf: | + worker_processes 4; + pid /srv/nginx.pid; + error_log /dev/stderr notice; + + events { + worker_connections 768; + # multi_accept on; + } + + http { + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + + server_names_hash_bucket_size 64; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + access_log /dev/null; + + server { + listen 8080 default_server; + listen [::]:8080 default_server; + + server_name _; + + root /srv/www; + } + } diff --git a/contrib/k8s-lwl/stream-site-deploy.yml b/contrib/k8s-lwl/stream-site-deploy.yml new file mode 100644 index 0000000..04526d6 --- /dev/null +++ b/contrib/k8s-lwl/stream-site-deploy.yml 
@@ -0,0 +1,66 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: lwl + name: stream-site-public + labels: + app: nginx + type: stream-site + tier: live + stream: public +spec: + replicas: 1 + selector: + matchLabels: + app: nginx + type: stream-site + tier: live + stream: public + strategy: + type: Recreate + revisionHistoryLimit: 5 + template: + metadata: + labels: + app: nginx + type: stream-site + tier: live + stream: public + spec: + nodeName: lw-live-00 + securityContext: + runAsUser: 998 + fsGroup: 998 + containers: + - name: nginx + image: spreadspace/nginx-streaming:4 + imagePullPolicy: Always + args: + - nginx + - -c + - /srv/config/nginx.conf + - -g + - "daemon off;" + volumeMounts: + - name: home + mountPath: /srv + - name: nginx-lib + mountPath: /var/lib/nginx + - name: nginx-config + mountPath: /srv/config + - name: www + mountPath: /srv/www + volumes: + - name: home + emptyDir: + medium: Memory + - name: nginx-lib + emptyDir: + medium: Memory + - name: nginx-config + configMap: + name: stream-site-public + - name: www + hostPath: + type: Directory + path: /srv/www/stream-site diff --git a/contrib/k8s-lwl/stream-site-ingress.yml b/contrib/k8s-lwl/stream-site-ingress.yml new file mode 100644 index 0000000..d0cbfcd --- /dev/null +++ b/contrib/k8s-lwl/stream-site-ingress.yml @@ -0,0 +1,23 @@ +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + namespace: lwl + name: stream-site-public + labels: + app: nginx + type: stream-site + tier: live + stream: public +spec: + tls: + - hosts: + - stream.lndwrbl.live + secretName: stream-tls + rules: + - host: stream.lndwrbl.live + http: + paths: + - path: / + backend: + serviceName: stream-site-public + servicePort: 8080 diff --git a/contrib/k8s-lwl/stream-site-svc.yml b/contrib/k8s-lwl/stream-site-svc.yml new file mode 100644 index 0000000..0ee57ac --- /dev/null +++ b/contrib/k8s-lwl/stream-site-svc.yml 
@@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + namespace: lwl + name: stream-site-public + labels: + app: nginx + type: stream-site + tier: live + stream: public +spec: + selector: + app: nginx + type: stream-site + tier: live + stream: public + type: ClusterIP + clusterIP: None + ports: + - name: http + port: 8080 -- cgit v1.2.3