rework core-deployments to use helm 🪖
This commit is contained in:
parent
4758e8391b
commit
99622afe22
12 changed files with 272 additions and 5848 deletions
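--- a/README.md
+++ b/README.md
@@ -1 +1,67 @@
-# core deployments
+# core deployments
+
+## CNI
+
+Add repo if not present already:
+```
+helm repo add cilium https://helm.cilium.io/
+```
+Install chart:
+```
+helm install cilium cilium/cilium --namespace=kube-system --set ipv4.enabled=true --set ipv6.enabled=true
+```
+
+## ingress
+
+Add repo if not present already:
+```
+helm repo add nginx-stable https://helm.nginx.com/stable
+```
+Install chart:
+```
+helm install nginx-ingress nginx-stable/nginx-ingress --namespace nginx --create-namespace -f ingress/values.yaml
+```
+
+## certbot
+Add CRDs:
+```
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.11.0/cert-manager.crds.yaml
+```
+Add repo if not present already:
+```
+helm repo add jetstack https://charts.jetstack.io
+```
+Install chart:
+```
+helm install certbot --namespace cert-manager --create-namespace --version v1.11.0 jetstack/cert-manager
+```
+Install ClusterIssuer:
+```
+kubectl apply -f certbot/clusterissuer.yaml
+```
+
+## storage
+
+Add repo if not present already:
+```
+helm repo add rook-release https://charts.rook.io/release
+```
+Install chart:
+```
+helm install --create-namespace --namespace rook-ceph rook-ceph rook-release/rook-ceph
+```
+Install chart:
+```
+helm install --create-namespace --namespace rook-ceph rook-ceph-cluster rook-release/rook-ceph-cluster -f storage/values.yaml
+```
+Install Ingress for Dashboard and the StorageClasses:
+```
+kubectl apply -f storage/dashboard.yaml -f storage/storageclass.yaml
+```
+
+## tests
+
+Install Test Deployments:
+```
+kubectl apply -f tests/test-ingress.yaml -f tests/test-storage.yaml
+```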
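--- a/certbot/clusterissuer.yaml
+++ b/certbot/clusterissuer.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+  namespace: cert-manager
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: certs@yolokube.de
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            class: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: certs@yolokube.de
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            class: nginx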
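Review bot: The `namespace: cert-manager` line under metadata of the letsencrypt-prod issuer is set on a cluster-scoped kind (ClusterIssuer) and is missing from the otherwise identical letsencrypt-staging document; the field carries no meaning for a cluster-scoped resource, so drop it to keep the two issuers consistent and avoid suggesting the issuer is namespaced. The comment above `privateKeySecretRef` would be more useful if it said where that secret actually lives: cert-manager stores ClusterIssuer secrets in its own cluster-resource namespace (the `cert-manager` namespace the README installs into, unless overridden), e.g. `# Secret holding the ACME account private key; stored in cert-manager's cluster-resource namespace, not in metadata.namespace`. Both issuers share `certs@yolokube.de` and the `class: nginx` solver, so a single header comment explaining that staging exists for testing issuance without hitting production rate limits would also help a reader pick the right one.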
|
@ -1,377 +0,0 @@
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Namespace
|
|
||||||
metadata:
|
|
||||||
name: nginx-ingress
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: nginx-ingress
|
|
||||||
namespace: nginx-ingress
|
|
||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: nginx-ingress
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- services
|
|
||||||
- endpoints
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- secrets
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- configmaps
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- update
|
|
||||||
- create
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- pods
|
|
||||||
verbs:
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- namespaces
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- apiGroups:
|
|
||||||
- ""
|
|
||||||
resources:
|
|
||||||
- events
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
- patch
|
|
||||||
- list
|
|
||||||
- apiGroups:
|
|
||||||
- coordination.k8s.io
|
|
||||||
resources:
|
|
||||||
- leases
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- update
|
|
||||||
- create
|
|
||||||
- apiGroups:
|
|
||||||
- networking.k8s.io
|
|
||||||
resources:
|
|
||||||
- ingresses
|
|
||||||
verbs:
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- get
|
|
||||||
- apiGroups:
|
|
||||||
- networking.k8s.io
|
|
||||||
resources:
|
|
||||||
- ingresses/status
|
|
||||||
verbs:
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- k8s.nginx.org
|
|
||||||
resources:
|
|
||||||
- virtualservers
|
|
||||||
- virtualserverroutes
|
|
||||||
- globalconfigurations
|
|
||||||
- transportservers
|
|
||||||
- policies
|
|
||||||
verbs:
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- get
|
|
||||||
- apiGroups:
|
|
||||||
- k8s.nginx.org
|
|
||||||
resources:
|
|
||||||
- virtualservers/status
|
|
||||||
- virtualserverroutes/status
|
|
||||||
- policies/status
|
|
||||||
- transportservers/status
|
|
||||||
- dnsendpoints/status
|
|
||||||
verbs:
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
|
||||||
- networking.k8s.io
|
|
||||||
resources:
|
|
||||||
- ingressclasses
|
|
||||||
verbs:
|
|
||||||
- get
|
|
||||||
- apiGroups:
|
|
||||||
- cis.f5.com
|
|
||||||
resources:
|
|
||||||
- ingresslinks
|
|
||||||
verbs:
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- get
|
|
||||||
- apiGroups:
|
|
||||||
- cert-manager.io
|
|
||||||
resources:
|
|
||||||
- certificates
|
|
||||||
verbs:
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- get
|
|
||||||
- update
|
|
||||||
- create
|
|
||||||
- delete
|
|
||||||
- apiGroups:
|
|
||||||
- externaldns.nginx.org
|
|
||||||
resources:
|
|
||||||
- dnsendpoints
|
|
||||||
verbs:
|
|
||||||
- list
|
|
||||||
- watch
|
|
||||||
- get
|
|
||||||
- update
|
|
||||||
- create
|
|
||||||
- delete
|
|
||||||
- apiGroups:
|
|
||||||
- externaldns.nginx.org
|
|
||||||
resources:
|
|
||||||
- dnsendpoints/status
|
|
||||||
verbs:
|
|
||||||
- update
|
|
||||||
---
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: nginx-ingress
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: nginx-ingress
|
|
||||||
namespace: nginx-ingress
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: nginx-ingress
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: nginx-ingress-app-protect
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- appprotect.f5.com
|
|
||||||
resources:
|
|
||||||
- appolicies
|
|
||||||
- aplogconfs
|
|
||||||
- apusersigs
|
|
||||||
verbs:
|
|
||||||
- "get"
|
|
||||||
- "watch"
|
|
||||||
- "list"
|
|
||||||
---
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: nginx-ingress-app-protect
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: nginx-ingress
|
|
||||||
namespace: nginx-ingress
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: nginx-ingress-app-protect
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
---
|
|
||||||
kind: ClusterRole
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: nginx-ingress-app-protect-dos
|
|
||||||
rules:
|
|
||||||
- apiGroups:
|
|
||||||
- appprotectdos.f5.com
|
|
||||||
resources:
|
|
||||||
- apdospolicies
|
|
||||||
- apdoslogconfs
|
|
||||||
- dosprotectedresources
|
|
||||||
verbs:
|
|
||||||
- "get"
|
|
||||||
- "watch"
|
|
||||||
- "list"
|
|
||||||
---
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
metadata:
|
|
||||||
name: nginx-ingress-app-protect-dos
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: nginx-ingress
|
|
||||||
namespace: nginx-ingress
|
|
||||||
roleRef:
|
|
||||||
kind: ClusterRole
|
|
||||||
name: nginx-ingress-app-protect-dos
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: default-server-secret
|
|
||||||
namespace: nginx-ingress
|
|
||||||
type: kubernetes.io/tls
|
|
||||||
data:
|
|
||||||
tls.crt: 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
|
|
||||||
tls.key: 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
|
|
||||||
---
|
|
||||||
kind: ConfigMap
|
|
||||||
apiVersion: v1
|
|
||||||
metadata:
|
|
||||||
name: nginx-config
|
|
||||||
namespace: nginx-ingress
|
|
||||||
data:
|
|
||||||
---
|
|
||||||
apiVersion: networking.k8s.io/v1
|
|
||||||
kind: IngressClass
|
|
||||||
metadata:
|
|
||||||
name: nginx
|
|
||||||
annotations:
|
|
||||||
ingressclass.kubernetes.io/is-default-class: "true"
|
|
||||||
spec:
|
|
||||||
controller: nginx.org/ingress-controller
|
|
||||||
---
|
|
||||||
apiVersion: apiextensions.k8s.io/v1
|
|
||||||
kind: CustomResourceDefinition
|
|
||||||
metadata:
|
|
||||||
annotations:
|
|
||||||
controller-gen.kubebuilder.io/version: v0.9.2
|
|
||||||
creationTimestamp: null
|
|
||||||
name: globalconfigurations.k8s.nginx.org
|
|
||||||
spec:
|
|
||||||
group: k8s.nginx.org
|
|
||||||
names:
|
|
||||||
kind: GlobalConfiguration
|
|
||||||
listKind: GlobalConfigurationList
|
|
||||||
plural: globalconfigurations
|
|
||||||
shortNames:
|
|
||||||
- gc
|
|
||||||
singular: globalconfiguration
|
|
||||||
scope: Namespaced
|
|
||||||
versions:
|
|
||||||
- name: v1alpha1
|
|
||||||
schema:
|
|
||||||
openAPIV3Schema:
|
|
||||||
description: GlobalConfiguration defines the GlobalConfiguration resource.
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
apiVersion:
|
|
||||||
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
||||||
type: string
|
|
||||||
kind:
|
|
||||||
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
||||||
type: string
|
|
||||||
metadata:
|
|
||||||
type: object
|
|
||||||
spec:
|
|
||||||
description: GlobalConfigurationSpec is the spec of the GlobalConfiguration resource.
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
listeners:
|
|
||||||
type: array
|
|
||||||
items:
|
|
||||||
description: Listener defines a listener.
|
|
||||||
type: object
|
|
||||||
properties:
|
|
||||||
name:
|
|
||||||
type: string
|
|
||||||
port:
|
|
||||||
type: integer
|
|
||||||
protocol:
|
|
||||||
type: string
|
|
||||||
served: true
|
|
||||||
storage: true
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: DaemonSet
|
|
||||||
metadata:
|
|
||||||
name: nginx-ingress
|
|
||||||
namespace: nginx-ingress
|
|
||||||
spec:
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
app: nginx-ingress
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
app: nginx-ingress
|
|
||||||
#annotations:
|
|
||||||
#prometheus.io/scrape: "true"
|
|
||||||
#prometheus.io/port: "9113"
|
|
||||||
#prometheus.io/scheme: http
|
|
||||||
spec:
|
|
||||||
serviceAccountName: nginx-ingress
|
|
||||||
containers:
|
|
||||||
- image: nginx/nginx-ingress:2.3.0
|
|
||||||
imagePullPolicy: IfNotPresent
|
|
||||||
name: nginx-ingress
|
|
||||||
ports:
|
|
||||||
- name: http
|
|
||||||
containerPort: 80
|
|
||||||
hostPort: 80
|
|
||||||
- name: https
|
|
||||||
containerPort: 443
|
|
||||||
hostPort: 443
|
|
||||||
- name: readiness-port
|
|
||||||
containerPort: 8081
|
|
||||||
- name: prometheus
|
|
||||||
containerPort: 9113
|
|
||||||
readinessProbe:
|
|
||||||
httpGet:
|
|
||||||
path: /nginx-ready
|
|
||||||
port: readiness-port
|
|
||||||
periodSeconds: 1
|
|
||||||
resources:
|
|
||||||
requests:
|
|
||||||
cpu: "100m"
|
|
||||||
memory: "128Mi"
|
|
||||||
#limits:
|
|
||||||
# cpu: "1"
|
|
||||||
# memory: "1Gi"
|
|
||||||
securityContext:
|
|
||||||
allowPrivilegeEscalation: true
|
|
||||||
runAsUser: 101 #nginx
|
|
||||||
capabilities:
|
|
||||||
drop:
|
|
||||||
- ALL
|
|
||||||
add:
|
|
||||||
- NET_BIND_SERVICE
|
|
||||||
env:
|
|
||||||
- name: POD_NAMESPACE
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.namespace
|
|
||||||
- name: POD_NAME
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: metadata.name
|
|
||||||
args:
|
|
||||||
- -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
|
|
||||||
- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
|
|
||||||
- -enable-custom-resources=false
|
|
||||||
#- -include-year
|
|
||||||
#- -v=3 # Enables extensive logging. Useful for troubleshooting.
|
|
||||||
#- -report-ingress-status
|
|
||||||
#- -external-service=nginx-ingress
|
|
||||||
#- -enable-prometheus-metrics
|
|
||||||
#- -global-configuration=$(POD_NAMESPACE)/nginx-configuration
|
|
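--- a/ingress/values.yaml
+++ b/ingress/values.yaml
@@ -0,0 +1,6 @@
+controller:
+  hostNetwork: true
+  setAsDefaultIngress: true
+  service:
+    create: false
+  kind: daemonset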
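Review bot: `hostNetwork: true` combined with `kind: daemonset` and `service.create: false` places the controller in every node's network namespace so it can bind :80/:443 directly, but nothing here records that intent, and a namespace enforcing the Pod Security `baseline` level will reject the pod, since hostNetwork is only permitted at `privileged`. A hostNetwork pod also sits outside the pod network, so NetworkPolicy generally does not apply to it and a compromise of the controller reaches whatever listens on the node's own interfaces. Add a comment above the key such as `# hostNetwork: no LoadBalancer in this cluster, controller binds 80/443 on each node; requires the nginx namespace to allow the privileged Pod Security level and bypasses NetworkPolicy for this pod`, and check the labels on the `nginx` namespace the README's helm install creates.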
5470
letsencrypt.yaml
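--- a/storage/dashboard.yaml
+++ b/storage/dashboard.yaml
@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: rook-dashboard-ingress
+  namespace: rook-ceph
+  annotations:
+    kubernetes.io/ingress.class: "nginx"
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    acme.cert-manager.io/http01-edit-in-place: "true"
+    ingress.kubernetes.io/ssl-redirect: "false"
+spec:
+  rules:
+    - host: "rook.apps.yolokube.de"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: rook-ceph-mgr-dashboard
+                port:
+                  number: 80
+  tls:
+    - hosts:
+        - rook.apps.yolokube.de
+      secretName: rook-dashboard-cert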
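Review bot: `ingress.kubernetes.io/ssl-redirect: "false"` leaves the Ceph dashboard, including its login form, reachable over plain HTTP on the public host `rook.apps.yolokube.de`, even though the `tls` block already provisions a certificate for it. If the redirect is disabled only so the HTTP-01 challenge placed by `http01-edit-in-place` can be answered, confirm whether this controller exempts the ACME challenge path from the redirect and, if it does, remove the annotation; if not, re-enable the redirect once the certificate is issued rather than leaving the dashboard in cleartext permanently. The `kubernetes.io/ingress.class` annotation is deprecated in favour of `spec.ingressClassName: nginx`; with `setAsDefaultIngress: true` in ingress/values.yaml the class would be picked up as the default even without it.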
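--- a/storage/storageclass.yaml
+++ b/storage/storageclass.yaml
@@ -0,0 +1,126 @@
+### Create Block Storage
+---
+apiVersion: ceph.rook.io/v1
+kind: CephBlockPool
+metadata:
+  name: replicapool
+  namespace: rook-ceph
+spec:
+  failureDomain: host
+  replicated:
+    size: 3
+  quotas:
+    maxSize: "10Gi"
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: rook-ceph-block
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "true"
+# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
+provisioner: rook-ceph.rbd.csi.ceph.com
+parameters:
+  # clusterID is the namespace where the rook cluster is running
+  clusterID: rook-ceph
+  # Ceph pool into which the RBD image shall be created
+  pool: replicapool
+
+  # (optional) mapOptions is a comma-separated list of map options.
+  # For krbd options refer
+  # https://docs.ceph.com/docs/master/man/8/rbd/#kernel-rbd-krbd-options
+  # For nbd options refer
+  # https://docs.ceph.com/docs/master/man/8/rbd-nbd/#options
+  # mapOptions: lock_on_read,queue_depth=1024
+
+  # (optional) unmapOptions is a comma-separated list of unmap options.
+  # For krbd options refer
+  # https://docs.ceph.com/docs/master/man/8/rbd/#kernel-rbd-krbd-options
+  # For nbd options refer
+  # https://docs.ceph.com/docs/master/man/8/rbd-nbd/#options
+  # unmapOptions: force
+
+  # RBD image format. Defaults to "2".
+  imageFormat: "2"
+
+  # RBD image features
+  # Available for imageFormat: "2". Older releases of CSI RBD
+  # support only the `layering` feature. The Linux kernel (KRBD) supports the
+  # full complement of features as of 5.4
+  # `layering` alone corresponds to Ceph's bitfield value of "2" ;
+  # `layering` + `fast-diff` + `object-map` + `deep-flatten` + `exclusive-lock` together
+  # correspond to Ceph's OR'd bitfield value of "63". Here we use
+  # a symbolic, comma-separated format:
+  # For 5.4 or later kernels:
+  #imageFeatures: layering,fast-diff,object-map,deep-flatten,exclusive-lock
+  # For 5.3 or earlier kernels:
+  imageFeatures: layering
+
+  # The secrets contain Ceph admin credentials.
+  csi.storage.k8s.io/provisioner-secret-name: rook-csi-rbd-provisioner
+  csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
+  csi.storage.k8s.io/controller-expand-secret-name: rook-csi-rbd-provisioner
+  csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
+  csi.storage.k8s.io/node-stage-secret-name: rook-csi-rbd-node
+  csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
+
+  # Specify the filesystem type of the volume. If not specified, csi-provisioner
+  # will set default as `ext4`. Note that `xfs` is not recommended due to potential deadlock
+  # in hyperconverged settings where the volume is mounted on the same node as the osds.
+  csi.storage.k8s.io/fstype: ext4
+
+# Delete the rbd volume when a PVC is deleted
+reclaimPolicy: Delete
+
+# Optional, if you want to add dynamic resize for PVC.
+# For now only ext3, ext4, xfs resize support provided, like in Kubernetes itself.
+allowVolumeExpansion: true
+
+---
+### Create Shared Filesystem
+apiVersion: ceph.rook.io/v1
+kind: CephFilesystem
+metadata:
+  name: rook-ceph-fs
+  namespace: rook-ceph
+spec:
+  metadataPool:
+    replicated:
+      size: 3
+  dataPools:
+    - name: cephfs-pool
+      replicated:
+        size: 3
+  preserveFilesystemOnDelete: true
+  metadataServer:
+    activeCount: 1
+    activeStandby: true
+---
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: rook-cephfs
+# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
+provisioner: rook-ceph.cephfs.csi.ceph.com
+parameters:
+  # clusterID is the namespace where the rook cluster is running
+  # If you change this namespace, also change the namespace below where the secret namespaces are defined
+  clusterID: rook-ceph
+
+  # CephFS filesystem name into which the volume shall be created
+  fsName: rook-ceph-fs
+
+  # Ceph pool into which the volume shall be created
+  # Required for provisionVolume: "true"
+  pool: cephfs-pool
+
+  # The secrets contain Ceph admin credentials. These are generated automatically by the operator
+  # in the same namespace as the cluster.
+  csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
+  csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
+  csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
+  csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
+  csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
+  csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
+
+reclaimPolicy: Delete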
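Review bot: `reclaimPolicy: Delete` on rook-ceph-block, which `storageclass.kubernetes.io/is-default-class: "true"` also makes the cluster default, means any PVC deletion (including deleting a whole namespace) purges the RBD image immediately, and rook-cephfs does the same even though the CephFilesystem above sets `preserveFilesystemOnDelete: true`; if that is deliberate for this cluster, say so in the comment above it, otherwise `reclaimPolicy: Retain` on the default class is the safer choice. The comment `# For 5.3 or earlier kernels:` above `imageFeatures: layering` no longer describes the decision being made unless the nodes really run such a kernel — either enable the commented 5.4+ feature line or reword the comment to state why layering-only was kept. The `maxSize: "10Gi"` quota on replicapool has no counterpart on the cephfs pools and no comment; a one-liner such as `# hard cap for the default block pool; cephfs pools are uncapped` would make the asymmetry visibly intentional.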
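--- a/storage/values.yaml
+++ b/storage/values.yaml
@@ -0,0 +1,7 @@
+toolbox:
+  enabled: true
+cephClusterSpec:
+  dashboard:
+    port: 80
+    ssl: false
+  removeOSDsIfOutAndSafeToRemove: true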
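Review bot: `toolbox.enabled: true` keeps the rook toolbox pod running permanently; that pod is configured with the Ceph admin keyring, so anyone holding `exec` rights in the rook-ceph namespace gets full control of the Ceph cluster — enable it only while debugging, or document why it stays on, e.g. `# toolbox carries the Ceph admin keyring; disable when not actively debugging`. `dashboard.ssl: false` with `port: 80` serves the mgr dashboard in cleartext inside the cluster, which only works out because TLS is terminated at the ingress in storage/dashboard.yaml; the hop from the hostNetwork ingress controller to the mgr pod is therefore unencrypted and a comment should state that this is the intended trade-off. `removeOSDsIfOutAndSafeToRemove: true` lets the operator purge an OSD automatically once it is out and its data has been recovered elsewhere — fine for a lab, but worth a comment because it changes what a node outage does to the pool layout.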