From ab772e828868d6a7a2df23f87c0819d7652465f1 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Sun, 31 Jul 2022 19:03:31 +0200
Subject: k8s-emc: matomo is no part of new cdn repo
---
 contrib/k8s-emc/_graveyard_/import-acme-certs.sh | 9 +
 contrib/k8s-emc/_graveyard_/ingress.yml | 329 ++++++++++++++++++++++
 contrib/k8s-emc/_graveyard_/matomo-cm.yml | 132 +++++++++
 contrib/k8s-emc/_graveyard_/matomo-deploy.yml | 75 +++++
 contrib/k8s-emc/_graveyard_/matomo-ingress.yml | 28 ++
 contrib/k8s-emc/_graveyard_/matomo-svc.yml | 16 ++
 contrib/k8s-emc/_graveyard_/mysql-secret.yml | 11 +
 contrib/k8s-emc/_graveyard_/mysql-statefulset.yml | 71 +++++
 contrib/k8s-emc/_graveyard_/mysql-svc.yml | 16 ++
 contrib/k8s-emc/_graveyard_/ns.yml | 5 +
 10 files changed, 692 insertions(+)
 create mode 100755 contrib/k8s-emc/_graveyard_/import-acme-certs.sh
 create mode 100644 contrib/k8s-emc/_graveyard_/ingress.yml
 create mode 100644 contrib/k8s-emc/_graveyard_/matomo-cm.yml
 create mode 100644 contrib/k8s-emc/_graveyard_/matomo-deploy.yml
 create mode 100644 contrib/k8s-emc/_graveyard_/matomo-ingress.yml
 create mode 100644 contrib/k8s-emc/_graveyard_/matomo-svc.yml
 create mode 100644 contrib/k8s-emc/_graveyard_/mysql-secret.yml
 create mode 100644 contrib/k8s-emc/_graveyard_/mysql-statefulset.yml
 create mode 100644 contrib/k8s-emc/_graveyard_/mysql-svc.yml
 create mode 100644 contrib/k8s-emc/_graveyard_/ns.yml
(limited to 'contrib/k8s-emc/_graveyard_')
diff --git a/contrib/k8s-emc/_graveyard_/import-acme-certs.sh b/contrib/k8s-emc/_graveyard_/import-acme-certs.sh
new file mode 100755
index 0000000..b85fa42
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/import-acme-certs.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+declare -A domains
+domains[emc-stats]="emc-stats.elev8.at"
+domains[stream-elev8]="stream.elev8.at"
+domains[stream-elevate]="stream.elevate.at"
+for name in "${!domains[@]}"; do
+ ssh emc-00 kubectl -n emc create secret tls "$name\-tls" "--cert=/var/lib/acme/live/${domains[$name]}/fullchain" "--key=/var/lib/acme/live/${domains[$name]}/privkey" --dry-run=client -o json | kubectl apply -f -
+done
diff --git a/contrib/k8s-emc/_graveyard_/ingress.yml b/contrib/k8s-emc/_graveyard_/ingress.yml
new file mode 100644
index 0000000..d6fd08f
--- /dev/null
+++ b/contrib/k8s-emc/_graveyard_/ingress.yml
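Review bot: The secret name `"$name\-tls"` in the ssh line keeps the backslash, because inside double quotes bash only strips a backslash before `$`, backtick, `"`, `\` or newline, so the generated object is named `emc-stats\-tls` and would be rejected as an invalid resource name, while matomo-ingress.yml in this same commit expects `emc-stats-tls`; the intended form is `"${name}-tls"`. The script also has no `set -euo pipefail`, so a failed ssh (or a missing cert file on emc-00) leaves `kubectl apply -f -` reading empty input and the error is easy to miss. Since the private key material for every domain is streamed through the pipe as JSON, consider at least `set -eo pipefail` so a partial failure stops the loop rather than silently applying nothing.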
@@ -0,0 +1,329 @@ +apiVersion: v1 +kind: Namespace +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx +--- +apiVersion: v1 +automountServiceAccountToken: true +kind: ServiceAccount +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.1 + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.1 + name: ingress-nginx + namespace: ingress-nginx +rules: +- apiGroups: + - "" + resources: + - namespaces + verbs: + - get +- apiGroups: + - "" + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resourceNames: + - ingress-controller-leader + resources: + - configmaps + verbs: + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.1 + name: ingress-nginx +rules: +- apiGroups: + - 
"" + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + - namespaces + verbs: + - list + - watch +- apiGroups: + - "" + resources: + - nodes + verbs: + - get +- apiGroups: + - "" + resources: + - services + verbs: + - get + - list + - watch +- apiGroups: + - networking.k8s.io + resources: + - ingresses + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - events + verbs: + - create + - patch +- apiGroups: + - networking.k8s.io + resources: + - ingresses/status + verbs: + - update +- apiGroups: + - networking.k8s.io + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.1 + name: ingress-nginx + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.1 + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: +- kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +apiVersion: v1 +data: + allow-snippet-annotations: "true" +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.1 + name: ingress-nginx-controller + namespace: ingress-nginx +--- +apiVersion: apps/v1 +kind: DaemonSet 
+metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.1 + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + selector: + matchLabels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + template: + metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + spec: + containers: + - args: + - /nginx-ingress-controller + - --election-id=ingress-controller-leader + - --controller-class=k8s.io/ingress-nginx + - --ingress-class=nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + image: registry.k8s.io/ingress-nginx/controller:v1.2.1@sha256:5516d103a9c2ecc4f026efbd4b40662ce22dc1f824fb129ed121460aaa5c47f8 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + name: controller + ports: + - containerPort: 80 + name: http + protocol: TCP + - containerPort: 443 + name: https + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + resources: + requests: + cpu: 100m + memory: 90Mi + securityContext: + allowPrivilegeEscalation: true + capabilities: + add: + - NET_BIND_SERVICE + drop: + - ALL + runAsUser: 101 + hostNetwork: true + dnsPolicy: 
ClusterFirstWithHostNet + nodeSelector: + streaming.spreadspace.org/zone: dist-lb + serviceAccountName: ingress-nginx + terminationGracePeriodSeconds: 300 +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/part-of: ingress-nginx + app.kubernetes.io/version: 1.2.1 + name: nginx +spec: + controller: k8s.io/ingress-nginx diff --git a/contrib/k8s-emc/_graveyard_/matomo-cm.yml b/contrib/k8s-emc/_graveyard_/matomo-cm.yml new file mode 100644 index 0000000..60af25b --- /dev/null +++ b/contrib/k8s-emc/_graveyard_/matomo-cm.yml 
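Review bot: The `ingress-nginx-controller` ConfigMap in this hunk sets `allow-snippet-annotations: "true"`, which lets anyone able to create an Ingress in any namespace inject arbitrary nginx directives into the controller; combined with the ClusterRole a few documents earlier (list/watch on `secrets` cluster-wide) this is the CVE-2021-25742 exposure the setting was introduced to close. Presumably the line was carried over from the upstream 1.2.1 deploy manifest, but nothing in the Matomo ingress in this commit uses a snippet annotation, so it can be `allow-snippet-annotations: "false"`. The DaemonSet additionally runs with `hostNetwork: true` and `allowPrivilegeEscalation: true` on the `dist-lb` nodes; that is the upstream default needed for `NET_BIND_SERVICE`, but it is worth a comment in the file stating that the controller pod shares the node network namespace, since the file is now in `_graveyard_` and may be revived by copy-paste.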
@@ -0,0 +1,132 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + namespace: emc + name: stats-matomo + labels: + app: matomo + tier: stats +data: + nginx.conf: | + worker_processes 4; + pid /srv/nginx.pid; + error_log /dev/stderr notice; + + events { + worker_connections 768; + # multi_accept on; + } + + http { + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + + server_names_hash_bucket_size 64; + + include /etc/nginx/mime.types; + default_type application/octet-stream; + + access_log /dev/null; + + server { + listen 8080 default_server; + listen [::]:8080 default_server; + + server_name _; + + add_header Referrer-Policy origin always; # make sure outgoing links don't show the URL to the Matomo instance + add_header X-Content-Type-Options "nosniff" always; + add_header X-XSS-Protection "1; mode=block" always; + + root /var/www/html; + + index index.php; + + ## only allow accessing the following php files + location ~ ^/(index|matomo|piwik|js/index|plugins/HeatmapSessionRecording/configs)\.php { + try_files $fastcgi_script_name =404; # protects against CVE-2019-11043. If this line is already included in your snippets/fastcgi-php.conf you can comment it here. 
+ + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param QUERY_STRING $query_string; + fastcgi_param REQUEST_METHOD $request_method; + fastcgi_param CONTENT_TYPE $content_type; + fastcgi_param CONTENT_LENGTH $content_length; + + fastcgi_param SCRIPT_NAME $fastcgi_script_name; + fastcgi_param REQUEST_URI $request_uri; + fastcgi_param DOCUMENT_URI $document_uri; + fastcgi_param DOCUMENT_ROOT $document_root; + fastcgi_param SERVER_PROTOCOL $server_protocol; + fastcgi_param REQUEST_SCHEME $scheme; + fastcgi_param HTTPS $https if_not_empty; + + fastcgi_param GATEWAY_INTERFACE CGI/1.1; + fastcgi_param SERVER_SOFTWARE nginx/$nginx_version; + + fastcgi_param REMOTE_ADDR $remote_addr; + fastcgi_param REMOTE_PORT $remote_port; + fastcgi_param SERVER_ADDR $server_addr; + fastcgi_param SERVER_PORT $server_port; + fastcgi_param SERVER_NAME $server_name; + + # PHP only, required if PHP was built with --enable-force-cgi-redirect + fastcgi_param REDIRECT_STATUS 200; + + fastcgi_param HTTP_PROXY ""; + #fastcgi_param HTTP_X_FORWARDED_URI /matomo; + fastcgi_intercept_errors on; + fastcgi_pass 127.0.0.1:9000; + } + + ## deny access to all other .php files + location ~* ^.+\.php$ { + deny all; + return 403; + } + + location / { + try_files $uri $uri/ =404; + } + + ## disable all access to the following directories + location ~ /(config|tmp|core|lang) { + deny all; + return 403; # replace with 404 to not show these directories exist + } + + location ~ /\.ht { + deny all; + return 403; + } + + location ~ js/container_.*_preview\.js$ { + expires off; + add_header Cache-Control 'private, no-cache, no-store'; + } + + location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ { + allow all; + ## Cache images,CSS,JS and webfonts for an hour + ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade + expires 1h; + add_header Pragma public; + add_header Cache-Control "public"; 
+ } + + location ~ /(libs|vendor|plugins|misc/user) { + deny all; + return 403; + } + + ## properly display textfiles in root directory + location ~/(.*\.md|LEGALNOTICE|LICENSE) { + default_type text/plain; + } + + location ~ \.php$ { + } + } + } diff --git a/contrib/k8s-emc/_graveyard_/matomo-deploy.yml b/contrib/k8s-emc/_graveyard_/matomo-deploy.yml new file mode 100644 index 0000000..37fff0c --- /dev/null +++ b/contrib/k8s-emc/_graveyard_/matomo-deploy.yml @@ -0,0 +1,75 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + namespace: emc + name: stats-matomo + labels: + app: matomo + tier: stats +spec: + replicas: 1 + selector: + matchLabels: + app: matomo + tier: stats + strategy: + type: Recreate + revisionHistoryLimit: 5 + template: + metadata: + labels: + app: matomo + tier: stats + spec: + nodeName: emc-ctrl + securityContext: + runAsUser: 998 + fsGroup: 998 + initContainers: + - name: prepare-matomo-html + image: busybox + command: ['sh', '-c', 'chown 998:998 /srv/html && chmod 700 /srv/html'] + securityContext: + runAsUser: 0 + volumeMounts: + - name: matomo-html + mountPath: /srv/html + containers: + - name: matomo + image: spreadspace/matomo:4 + imagePullPolicy: Always + volumeMounts: + - name: matomo-html + mountPath: /var/www/html + - name: nginx + image: spreadspace/nginx:4 + imagePullPolicy: Always + args: + - nginx + - -c + - /srv/config/nginx.conf + - -g + - "daemon off;" + volumeMounts: + - name: home + mountPath: /srv + - name: nginx-lib + mountPath: /var/lib/nginx + - name: nginx-config + mountPath: /srv/config + - name: matomo-html + mountPath: /var/www/html + volumes: + - name: home + emptyDir: + medium: Memory + - name: nginx-lib + emptyDir: + medium: Memory + - name: nginx-config + configMap: + name: stats-matomo + - name: matomo-html + hostPath: + type: DirectoryOrCreate + path: /srv/stats/matomo 
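Review bot: The `Referrer-Policy`, `X-Content-Type-Options` and `X-XSS-Protection` headers set at `server` level in `nginx.conf` are silently dropped for the two locations that declare their own `add_header` (the `js/container_*_preview.js` block and the static-asset block with `add_header Pragma public`), because nginx does not inherit `add_header` into a location that defines any `add_header` of its own; the three security headers need to be repeated inside both of those locations. The empty `location ~ \.php$ { }` at the end is unreachable, since nginx takes the first matching regex location in file order and `location ~* ^.+\.php$` already returns 403 for everything it would match; it can be removed to avoid suggesting a second PHP entry point exists. I would also add a comment above the `fastcgi_param HTTP_PROXY "";` line, `# neutralise httpoxy: never forward a client Proxy header to PHP`, so the reason it stays is not lost.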
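Review bot: The init container uses `image: busybox` with no tag (implicitly `latest`) and runs it as `runAsUser: 0` against the `hostPath` volume `/srv/stats/matomo` on `emc-ctrl`, so whatever the registry serves as `latest` at pull time runs as root on the control node; the `spreadspace/matomo:4` and `spreadspace/nginx:4` containers with `imagePullPolicy: Always` have the same mutable-tag property. ingress.yml in this same commit pins its controller image by digest (`@sha256:…`), so the deployment is inconsistent with its sibling; pinning all three by digest, or at least to an immutable tag, e.g. `image: busybox:<pinned-tag-or-digest>`, would close the gap. A short comment on the init container, `# needs root only to chown the hostPath once; the app containers run as 998`, would document why the pod-level `runAsUser: 998` is overridden there.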
diff --git a/contrib/k8s-emc/_graveyard_/matomo-ingress.yml b/contrib/k8s-emc/_graveyard_/matomo-ingress.yml new file mode 100644 index 0000000..0ad283c --- /dev/null +++ b/contrib/k8s-emc/_graveyard_/matomo-ingress.yml @@ -0,0 +1,28 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + namespace: emc + name: stats-matomo + labels: + app: matomo + tier: stats +# annotations: +# nginx.ingress.kubernetes.io/rewrite-target: / +spec: + ingressClassName: nginx + tls: + - secretName: emc-stats-tls + hosts: + - emc-stats.elev8.at + rules: + - host: emc-stats.elev8.at + http: + paths: +# - path: /matomo + - path: / + pathType: Prefix + backend: + service: + name: stats-matomo + port: + number: 8080 diff --git a/contrib/k8s-emc/_graveyard_/matomo-svc.yml b/contrib/k8s-emc/_graveyard_/matomo-svc.yml new file mode 100644 index 0000000..4bac3c7 --- /dev/null +++ b/contrib/k8s-emc/_graveyard_/matomo-svc.yml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + namespace: emc + name: stats-matomo + labels: + app: matomo + tier: stats +spec: + selector: + app: matomo + tier: stats + clusterIP: 172.18.242.14 + ports: + - name: http + port: 8080 diff --git a/contrib/k8s-emc/_graveyard_/mysql-secret.yml b/contrib/k8s-emc/_graveyard_/mysql-secret.yml new file mode 100644 index 0000000..91f73be --- /dev/null +++ b/contrib/k8s-emc/_graveyard_/mysql-secret.yml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Secret +metadata: + namespace: emc + name: stats-mysql-root + labels: + app: mysql + tier: stats +type: Opaque +data: + password: Y2hhbmdlLW1lCg== # change-me diff --git a/contrib/k8s-emc/_graveyard_/mysql-statefulset.yml b/contrib/k8s-emc/_graveyard_/mysql-statefulset.yml new file mode 100644 index 0000000..e02979e --- /dev/null +++ b/contrib/k8s-emc/_graveyard_/mysql-statefulset.yml 
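Review bot: In mysql-secret.yml the value `password: Y2hhbmdlLW1lCg==` decodes to `change-me` followed by a newline (the trailing `Cg==` is the `\n` that `echo` without `-n` appends), so any consumer that does not strip whitespace gets a ten-byte password ending in a line break rather than the `change-me` the inline comment claims. The least error-prone form is `stringData:` with the plain value, `stringData:` / `  password: change-me`, which also makes the placeholder obvious in review. Since this is a committed root credential, even as a placeholder it should carry a comment saying the real value is applied out of band and never lands in this repository.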
@@ -0,0 +1,71 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + namespace: emc + name: stats-mysql + labels: + app: mysql + tier: stats +spec: + serviceName: stats-mysql + replicas: 1 + selector: + matchLabels: + app: mysql + tier: stats + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + app: mysql + tier: stats + spec: + nodeName: emc-ctrl + securityContext: + runAsUser: 27 + fsGroup: 27 + initContainers: + - name: prepare-mysql-volumes + image: busybox + command: ['sh', '-c', 'chown 27:27 /srv/lib && chmod 700 /srv/lib && mkdir -p /srv/tmp/log /srv/tmp/run /srv/tmp/files && ln -sf /dev/stderr /srv/tmp/log/mysqld.log && chown 27:27 /srv/tmp/log/mysqld.log /srv/tmp/run /srv/tmp/files'] + securityContext: + runAsUser: 0 + volumeMounts: + - name: mysql-lib + mountPath: /srv/lib + - name: mysql-tmp + mountPath: /srv/tmp + containers: + - name: mysql + image: quay.io/neith00/mysql-docker:s2streamstats + imagePullPolicy: IfNotPresent + env: + - name: MYSQL_ROOT_PASSWORD + value: /var/run/mysql-secret/password + volumeMounts: + - name: mysql-lib + mountPath: /var/lib/mysql + - name: mysql-tmp + subPath: log + mountPath: /var/log + - name: mysql-tmp + subPath: run + mountPath: /var/run/mysqld + - name: mysql-tmp + subPath: files + mountPath: /var/lib/mysql-files/ + - name: mysql-secret + mountPath: /var/run/mysql-secret/ + volumes: + - name: mysql-lib + hostPath: + type: DirectoryOrCreate + path: /srv/stats/mysql + - name: mysql-tmp + emptyDir: + medium: Memory + - name: mysql-secret + secret: + secretName: stats-mysql-root + defaultMode: 0400 diff --git a/contrib/k8s-emc/_graveyard_/mysql-svc.yml b/contrib/k8s-emc/_graveyard_/mysql-svc.yml new file mode 100644 index 0000000..70bcd4a --- /dev/null +++ b/contrib/k8s-emc/_graveyard_/mysql-svc.yml 
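Review bot: The `MYSQL_ROOT_PASSWORD` env entry uses `value: /var/run/mysql-secret/password`, and a plain `value:` is passed to the container verbatim, so unless the entrypoint of `quay.io/neith00/mysql-docker:s2streamstats` treats the variable as a file path the root password becomes the literal string `/var/run/mysql-secret/password` and the mounted secret is never read. The official mysql/mariadb images use the `_FILE` suffix for exactly this, `- name: MYSQL_ROOT_PASSWORD_FILE` / `  value: /var/run/mysql-secret/password`; please confirm which convention this custom image follows and document it in a comment next to the env entry. As a side note, the unquoted `defaultMode: 0400` relies on the YAML 1.1 octal reading that Kubernetes' loader applies; writing it as `defaultMode: 0400  # octal` keeps the intent visible to readers using a 1.2 parser.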
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + namespace: emc + name: stats-mysql + labels: + app: mysql + tier: stats +spec: + selector: + app: mysql + tier: stats + clusterIP: 172.18.242.23 + ports: + - name: mysql + port: 3306 diff --git a/contrib/k8s-emc/_graveyard_/ns.yml b/contrib/k8s-emc/_graveyard_/ns.yml new file mode 100644 index 0000000..67afdcc --- /dev/null +++ b/contrib/k8s-emc/_graveyard_/ns.yml @@ -0,0 +1,5 @@ +--- +kind: Namespace +apiVersion: v1 +metadata: + name: emc -- cgit v1.2.3