From b6e0c310c410e59ae210108d33fdc66bedb7cbf1 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Wed, 29 Apr 2020 15:55:18 +0200
Subject: add k8s-lwl
---
contrib/k8s-lwl/acme-hack/acmetool-desired.yml | 3 ++
contrib/k8s-lwl/acme-hack/do.sh | 26 ++++++++++
contrib/k8s-lwl/acme-hack/nginx-acme-cm.yml | 41 +++++++++++++++
contrib/k8s-lwl/acme-hack/nginx-acme-deploy.yml | 66 ++++++++++++++++++++++++
contrib/k8s-lwl/acme-hack/nginx-acme-ingress.yml | 19 +++++++
contrib/k8s-lwl/acme-hack/nginx-acme-svc.yml | 20 +++++++
contrib/k8s-lwl/acme-hack/wipe.sh | 6 +++
7 files changed, 181 insertions(+)
create mode 100644 contrib/k8s-lwl/acme-hack/acmetool-desired.yml
create mode 100755 contrib/k8s-lwl/acme-hack/do.sh
create mode 100644 contrib/k8s-lwl/acme-hack/nginx-acme-cm.yml
create mode 100644 contrib/k8s-lwl/acme-hack/nginx-acme-deploy.yml
create mode 100644 contrib/k8s-lwl/acme-hack/nginx-acme-ingress.yml
create mode 100644 contrib/k8s-lwl/acme-hack/nginx-acme-svc.yml
create mode 100755 contrib/k8s-lwl/acme-hack/wipe.sh
(limited to 'contrib/k8s-lwl/acme-hack')
diff --git a/contrib/k8s-lwl/acme-hack/acmetool-desired.yml b/contrib/k8s-lwl/acme-hack/acmetool-desired.yml
new file mode 100644
index 0000000..d8a67e2
--- /dev/null
+++ b/contrib/k8s-lwl/acme-hack/acmetool-desired.yml
@@ -0,0 +1,3 @@
+satisfy:
+ names:
+ - <>
diff --git a/contrib/k8s-lwl/acme-hack/do.sh b/contrib/k8s-lwl/acme-hack/do.sh
new file mode 100755
index 0000000..f4c71ce
--- /dev/null
+++ b/contrib/k8s-lwl/acme-hack/do.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+declare -A domains
+domains[cdn]="cdn.lndwrbl.live"
+domains[stats]="stats.lndwrbl.live"
+domains[stream]="stream.lndwrbl.live"
+
+kubectl apply -f nginx-acme-cm.yml
+kubectl apply -f nginx-acme-deploy.yml
+kubectl apply -f nginx-acme-svc.yml
+for name in "${!domains[@]}"; do
+ cat nginx-acme-ingress.yml | sed "s/<>/$name/g" | sed "s/<>/${domains[$name]}/g" | kubectl apply -f -
+done
+
+for name in "${!domains[@]}"; do
+ cat acmetool-desired.yml | sed "s/<>/${domains[$name]}/g" | ssh lw-live-00 "cat > /var/lib/acme/desired/${domains[$name]}"
+done
+
+### TODO: wait for all pods and then contiune the script
+#exit 0
+
+ssh lw-live-00 systemctl start acmetool
+
+for name in "${!domains[@]}"; do
+ ssh lw-live-00 kubectl -n lwl create secret tls "$name\-tls" "--cert=/var/lib/acme/live/${domains[$name]}/fullchain" "--key=/var/lib/acme/live/${domains[$name]}/privkey" --dry-run -o json | kubectl apply -f -
+done
diff --git a/contrib/k8s-lwl/acme-hack/nginx-acme-cm.yml b/contrib/k8s-lwl/acme-hack/nginx-acme-cm.yml
new file mode 100644
index 0000000..7599d3c
--- /dev/null
+++ b/contrib/k8s-lwl/acme-hack/nginx-acme-cm.yml
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: lwl
+ name: nginx-acme-hack
+ labels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+data:
+ nginx.conf: |
+ worker_processes 1;
+ pid /srv/nginx.pid;
+ error_log /dev/stderr notice;
+
+ events {
+ worker_connections 64;
+ # multi_accept on;
+ }
+
+ http {
+ sendfile on;
+ tcp_nopush on;
+ tcp_nodelay on;
+ keepalive_timeout 65;
+ types_hash_max_size 2048;
+
+ server_names_hash_bucket_size 64;
+
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ access_log /dev/null;
+
+ server {
+ listen 8080 default_server;
+ server_name _;
+
+ root /srv/www;
+ }
+ }
diff --git a/contrib/k8s-lwl/acme-hack/nginx-acme-deploy.yml b/contrib/k8s-lwl/acme-hack/nginx-acme-deploy.yml
new file mode 100644
index 0000000..7d52f55
--- /dev/null
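Review bot: do.sh runs without `set -euo pipefail`, so a failed `kubectl apply`, `sed` or `ssh` in the first two loops goes unnoticed and the script still proceeds to `ssh lw-live-00 systemctl start acmetool` and to importing certificates that may never have been issued; `set -euo pipefail` right after the shebang makes every step fail loudly. In the last loop `"$name\-tls"` keeps the backslash locally (inside double quotes bash only removes `\` before `$`, backtick, `"` and `\`) and only yields `cdn-tls` because the remote shell re-parses the joined ssh command line; `"${name}-tls"` states the intent without depending on that second parse. Note also that client-side `kubectl apply -f -` on a Secret stores the whole object, private key included, in the `kubectl.kubernetes.io/last-applied-configuration` annotation, so `kubectl create`/`replace` keeps one fewer copy of the key in the API. The `cat file | sed …` pipelines can read the file directly, e.g. `sed "s/<>/$name/g" nginx-acme-ingress.yml`.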
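Review bot: The `server` block serves the whole `/srv/www` root with `access_log /dev/null;`, so any request path is answered from that tree and a failed HTTP-01 validation leaves nothing to debug with in `kubectl logs`. Since the Ingress only routes `/.well-known/acme-challenge/` and that directory is the only thing mounted under `/srv/www`, a `location /.well-known/acme-challenge/ { }` together with `location / { return 404; }` would enforce that intent, and `access_log /dev/stdout;` (at least inside the challenge location) would show the validator's requests. `/srv` is an emptyDir in the Deployment, so the exposure today is small; the restriction mainly guards against future mounts under that root.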
+++ b/contrib/k8s-lwl/acme-hack/nginx-acme-deploy.yml
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: lwl
+ name: nginx-acme-hack-lw-live-00
+ labels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+ worker: lw-live-00
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+ worker: lw-live-00
+ strategy:
+ type: Recreate
+ revisionHistoryLimit: 5
+ template:
+ metadata:
+ labels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+ worker: lw-live-00
+ spec:
+ nodeName: lw-live-00
+ securityContext:
+ runAsUser: 998
+ fsGroup: 998
+ containers:
+ - name: nginx
+ image: spreadspace/nginx:4
+ imagePullPolicy: Always
+ args:
+ - nginx
+ - -c
+ - /srv/config/nginx.conf
+ - -g
+ - "daemon off;"
+ volumeMounts:
+ - name: home
+ mountPath: /srv
+ - name: nginx-lib
+ mountPath: /var/lib/nginx
+ - name: nginx-config
+ mountPath: /srv/config
+ - name: acme-challenge
+ mountPath: /srv/www/.well-known/acme-challenge
+ volumes:
+ - name: home
+ emptyDir:
+ medium: Memory
+ - name: nginx-lib
+ emptyDir:
+ medium: Memory
+ - name: nginx-config
+ configMap:
+ name: nginx-acme-hack
+ - name: acme-challenge
+ hostPath:
+ type: DirectoryOrCreate
+ path: /var/run/acme/acme-challenge/
diff --git a/contrib/k8s-lwl/acme-hack/nginx-acme-ingress.yml b/contrib/k8s-lwl/acme-hack/nginx-acme-ingress.yml
new file mode 100644
index 0000000..e7a3e0e
--- /dev/null
+++ b/contrib/k8s-lwl/acme-hack/nginx-acme-ingress.yml
@@ -0,0 +1,19 @@
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: lwl
+ name: nginx-acme-hack-<>
+ labels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+spec:
+ rules:
+ - host: <>
+ http:
+ paths:
+ - path: /.well-known/acme-challenge/
+ backend:
+ serviceName: nginx-acme-hack-lw-live-00
+ servicePort: 8080
diff --git a/contrib/k8s-lwl/acme-hack/nginx-acme-svc.yml b/contrib/k8s-lwl/acme-hack/nginx-acme-svc.yml
new file mode 100644
index 0000000..198a16c
--- /dev/null
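Review bot: The `acme-challenge` hostPath is mounted read-write although nginx only ever reads the tokens; adding `readOnly: true` to that volumeMount keeps a misconfigured or compromised container from writing into `/var/run/acme/acme-challenge/` on the node. With `type: DirectoryOrCreate` the kubelet creates the directory (presumably root-owned) if acmetool has not yet, and `fsGroup` is not applied to hostPath volumes, so it is worth confirming that uid 998 can read what acmetool later writes there. `image: spreadspace/nginx:4` with `imagePullPolicy: Always` re-resolves a mutable tag on every pod start; pinning a digest, `image: spreadspace/nginx@sha256:<DIGEST>`, makes rollouts reproducible. No `resources` limits are set either, which is probably acceptable for a single challenge-serving pod but deserves a comment.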
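Review bot: Both template placeholders in this file, the Ingress `name` suffix and the rule `host`, render as the same `<>`, and do.sh substitutes `<>` first with `$name` and only then with the domain, so as shown here the first `sed` would also overwrite the host with the short name; if the real files use two distinct markers that the page has stripped this is only a rendering artefact, but it is worth confirming, and the same applies to `acmetool-desired.yml`. `apiVersion: extensions/v1beta1` for Ingress is deprecated (removed in Kubernetes 1.22) and the path has no `pathType`; moving to `networking.k8s.io/v1` with `pathType: Prefix` before the cluster is upgraded avoids silently losing the challenge route. A header comment such as `# template: rendered by do.sh, one Ingress per domain` would make the placeholders' purpose obvious to the next reader.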
+++ b/contrib/k8s-lwl/acme-hack/nginx-acme-svc.yml
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: lwl
+ name: nginx-acme-hack-lw-live-00
+ labels:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+ worker: lw-live-00
+spec:
+ selector:
+ app: nginx
+ type: acme-challenge
+ tier: hack
+ worker: lw-live-00
+ clusterIP: None
+ ports:
+ - name: http
+ port: 8080
diff --git a/contrib/k8s-lwl/acme-hack/wipe.sh b/contrib/k8s-lwl/acme-hack/wipe.sh
new file mode 100755
index 0000000..5791f7b
--- /dev/null
+++ b/contrib/k8s-lwl/acme-hack/wipe.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+kubectl --namespace lwl delete ingress -l tier=hack -l type=acme-challenge
+kubectl --namespace lwl delete svc -l tier=hack -l type=acme-challenge
+kubectl --namespace lwl delete deploy -l tier=hack -l type=acme-challenge
+kubectl --namespace lwl delete cm -l tier=hack -l type=acme-challenge
-- cgit v1.2.3
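Review bot: Each `delete` in wipe.sh passes `-l` twice; as far as I can tell kubectl's `--selector` is a plain string flag, so the second `-l` replaces the first instead of being ANDed with it, and the commands as written would delete every `type=acme-challenge` object in `lwl` whether or not it carries `tier=hack`. Use one combined selector on all four lines, `-l tier=hack,type=acme-challenge`, which is also what the labels in the manifests intend. wipe.sh leaves behind what do.sh created outside these labels, the `<name>-tls` secrets and the desired files under `/var/lib/acme/desired/` on lw-live-00; that may be deliberate since the certificates are still wanted afterwards, but a comment saying so would prevent someone from "fixing" it.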