🎉 initial commit

This commit is contained in:
Laurent Drogou
2022-04-06 15:33:57 +02:00
commit 968716ec76
29 changed files with 846 additions and 0 deletions

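--- /dev/null
+++ b/add-all-service-helm.sh
@@ -0,0 +1,9 @@
+kubectl apply -f namespaces-create.yaml
+kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.0/cert-manager.yaml
+kubectl apply -f service-postgres.yaml
+kubectl apply -f service-mongodb.yaml
+kubectl apply -f service-sourcegraph.yaml
+kubectl apply -f ingress-sourcegraph.yaml
+kubectl apply -f helm-vault-server.yaml
+kubectl apply -f ingress-vault.yaml
+kubectl apply -f helm-graviteeio-server.yaml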
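Review bot: The paths `service-postgres.yaml`, `service-mongodb.yaml`, `helm-vault-server.yaml` and `ingress-vault.yaml` do not match where this commit places those files (`bdd/` and `vault/`, as the sibling add-all-service.sh already uses), so those `kubectl apply` calls will fail with a file-not-found error unless the script is run from a different layout. The script also has no interpreter line and no `set -euo pipefail`, so a failed apply does not stop the sequence; the same applies to add-all-service.sh, create-k3d-outils.sh and the vault/*.sh scripts. Suggest `#!/usr/bin/env bash` and `set -euo pipefail` as the first two lines, and the `bdd/`/`vault/` prefixes on the four paths.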

10
add-all-service.sh Executable file

@@ -0,0 +1,10 @@
kubectl apply -f namespaces-create.yaml
kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.6.0/cert-manager.yaml
kubectl apply -f ./bdd/service-postgres.yaml
kubectl apply -f ./bdd/service-mongodb.yaml
kubectl apply -f ./rabbitmq/service-rabbitmq.yaml
#kubectl apply -f ./sourcegrpah/service-sourcegraph.yaml
#kubectl apply -f ./sourcegraph/ingress-sourcegraph.yaml
kubectl apply -f ./vault/helm-vault-server.yaml
kubectl apply -f ./vault/ingress-vault.yaml
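Review bot: The first commented `kubectl apply` line reads `./sourcegrpah/service-sourcegraph.yaml` while the line under it uses `./sourcegraph/`; if the comment is ever re-enabled it fails on the typo. Since sourcegraph is deliberately left out here (and its Deployment ships with `replicas: 0`), a one-line comment such as `# sourcegraph disabled for now (Deployment has replicas: 0)` above the two lines would explain the intent better than the bare `#`.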

92
bdd/service-mongodb.yaml Normal file

@@ -0,0 +1,92 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: mongo
provisioner: rancher.io/local-path
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: mongo-pv-volume
namespace: database
labels:
type: local
spec:
storageClassName: mongo
capacity:
storage: 50Gi
accessModes:
- ReadWriteOnce
hostPath:
path: "/rca/mongodb/data"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
deploy: mongo
app.kubernetes.io/component: mongodb
name: mongo
namespace: database
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 50Gi
storageClassName: mongo
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mongo-statefulset
namespace: database
labels:
app: mongo
spec:
serviceName: "mongo"
replicas: 1
selector:
matchLabels:
app: mongo
template:
metadata:
labels:
app: mongo
spec:
containers:
- name: mongodb
image: mongo:3.4
#env:
# - name: MONGO_INITDB_ROOT_USERNAME
# value: admin
# - name: MONGO_INITDB_ROOT_PASSWORD
# value: password
ports:
- containerPort: 27017
name: mongodb
volumeMounts:
- mountPath: /data/db
name: mongo-pv-data
volumes:
- name: mongo-pv-data
persistentVolumeClaim:
claimName: mongo
---
apiVersion: v1
kind: Service
metadata:
name: mongo-service
namespace: database
labels:
app: mongo
spec:
ports:
- port: 27017
nodePort: 30010
name: mongo
type: NodePort
selector:
app: mongo
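Review bot: The StatefulSet runs `mongo:3.4` with the root-credential env block commented out, and the Service exposes it as `nodePort: 30010`, which outils-config-v3.yaml maps to host port 27017 — so the database is reachable from outside the cluster with no authentication. Suggest restoring `MONGO_INITDB_ROOT_USERNAME`/`MONGO_INITDB_ROOT_PASSWORD` with values taken from a Secret via `valueFrom.secretKeyRef` rather than literals, and keeping the Service `ClusterIP` unless host access is really needed. `namespace: database` under the PersistentVolume's metadata has no effect because PersistentVolume is cluster-scoped; the same applies to the PV in bdd/service-postgres.yaml and the two PVs in the sourcegraph manifest. The `mongo:3.4` line is an end-of-life release series; a comment explaining why it is pinned, or a supported tag, would help.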

102
bdd/service-postgres.yaml Normal file

@@ -0,0 +1,102 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: postgres
provisioner: rancher.io/local-path
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: task-pv-volume
namespace: database
labels:
type: local
spec:
storageClassName: postgres
capacity:
storage: 50Gi
accessModes:
- ReadWriteOnce
hostPath:
path: "/rca/postgres/data"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
deploy: postgres
app.kubernetes.io/component: postgres
name: postgres
namespace: database
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 50Gi
storageClassName: postgres
---
apiVersion: v1
kind: ConfigMap
metadata:
name: postgres-configuration
namespace: database
labels:
app: postgres
data:
POSTGRES_DB: postgres
POSTGRES_USER: rootrca
POSTGRES_PASSWORD: rca12345
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: postgres-statefulset
namespace: database
labels:
app: postgres
spec:
serviceName: "postgres"
replicas: 1
selector:
matchLabels:
app: postgres
template:
metadata:
labels:
app: postgres
spec:
containers:
- name: postgres
image: postgres:12
envFrom:
- configMapRef:
name: postgres-configuration
ports:
- containerPort: 5432
name: postgresdb
volumeMounts:
- mountPath: /var/lib/postgresql/data
name: pv-data
volumes:
- name: pv-data
persistentVolumeClaim:
claimName: postgres
---
apiVersion: v1
kind: Service
metadata:
name: postgres-service
namespace: database
labels:
app: postgres
spec:
ports:
- port: 5432
nodePort: 30080
name: postgres
type: NodePort
selector:
app: postgres
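Review bot: `POSTGRES_PASSWORD: rca12345` (together with the user name) is stored in a ConfigMap and committed in clear; a ConfigMap is readable by anyone who can `get configmaps` in the namespace, and the value is now in git history. Move the credentials to a Secret referenced with `envFrom: - secretRef: name: postgres-credentials` (constructed name), keep the non-secret `POSTGRES_DB` in the ConfigMap, and treat the committed password as compromised. The Service is `nodePort: 30080`, which outils-config-v3.yaml maps to host port 5433, so the database is reachable from outside the cluster as well; `ClusterIP` is enough for in-cluster clients.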

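--- /dev/null
+++ b/create-k3d-outils.sh
@@ -0,0 +1 @@
+k3d cluster create outils --config outils-config-v3.yaml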

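--- /dev/null
+++ b/dev-localhost-cert.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: dev-localhost
+namespace: default
+spec:
+secretName: dev-localhost-tls
+issuerRef:
+name: vault-issuer
+commonName: dev.localhost
+dnsNames:
+- dev.localhost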

15
enabled-kube-authent.sh Normal file

@@ -0,0 +1,15 @@
#kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh
vault auth enable kubernetes
vault write auth/kubernetes/config \
kubernetes_host="https://$KUBERNETES_PORT_443_TCP_ADDR:443" \
token_reviewer_jwt="$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)" \
kubernetes_ca_cert=@/var/run/secrets/kubernetes.io/serviceaccount/ca.crt \
issuer="https://kubernetes.default.svc.cluster.local"
vault write auth/kubernetes/role/issuer \
bound_service_account_names=issuer \
bound_service_account_namespaces=default \
policies=pki \
ttl=20m
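Review bot: `token_reviewer_jwt` is captured once from the Vault pod's own service-account token file; if the cluster issues time-bound projected tokens (the k3s v1.21 image pinned in k3d-default.yaml may do so — worth confirming), the stored JWT expires and every later `auth/kubernetes` login fails at TokenReview time. A comment above the `vault write auth/kubernetes/config` line stating this assumption, or a dedicated long-lived reviewer credential, would avoid a hard-to-diagnose outage. The role itself is sensibly narrow (`bound_service_account_namespaces=default`, `policies=pki`, `ttl=20m`); the first-line comment says the script runs inside `vault-0` but there is no `set -e`, so a failed `vault auth enable kubernetes` still lets the two `vault write` calls run.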

18
enabled-pki.sh Normal file

@@ -0,0 +1,18 @@
#kubectl exec --stdin=true --tty=true vault-0 -- /bin/sh
vault secrets enable pki
vault secrets tune -max-lease-ttl=8760h pki
vault write pki/root/generate/internal common_name=dev.localhost ttl=8760h
vault write pki/config/urls issuing_certificates="http://vault.default:8200/v1/pki/ca" crl_distribution_points="http://vault.default:8200/v1/pki/crl"
vault write pki/roles/dev-dot-localhost allowed_domains=dev.localhost allow_subdomains=true max_ttl=72h
vault policy write pki - <<EOF
path "pki*" { capabilities = ["read", "list"] }
path "pki/roles/dev-dot-localhost" { capabilities = ["create", "update"] }
path "pki/sign/dev-dot-localhost" { capabilities = ["create", "update"] }
path "pki/issue/dev-dot-localhost" { capabilities = ["create"] }
EOF
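Review bot: The `pki` policy grants `create`/`update` on `pki/roles/dev-dot-localhost`, which lets any holder of the `issuer` role (the cert-manager service account, per enabled-kube-authent.sh) rewrite its own role — for example widening `allowed_domains` or `max_ttl` — instead of only signing against it. cert-manager's Vault issuer uses `pki/sign/<role>` (the path in vault/issuer-vault.yaml), so the `pki/roles/...` and `pki/issue/...` stanzas can be dropped, and `path "pki*" { capabilities = ["read", "list"] }` is broader than a signer needs (it also covers `pki/config/*`); confirm which read paths cert-manager actually touches before narrowing. The issuing CA and its max lease are both `8760h`, so leaf certificates issued near the end of that year will outlive the CA — a comment noting the rotation date would help.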


@@ -0,0 +1,15 @@
# see https://rancher.com/docs/k3s/latest/en/helm/
# see https://github.com/hashicorp/vault-helm
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: graviteeio
namespace: graviteeio
spec:
repo: https://helm.gravitee.io
chart: am
version: 1.0.33
targetNamespace: graviteeio
valuesContent: |-
mongo:
uri: mongodb://192.168.50.239:27017/graviteeam?serverSelectionTimeoutMS=5000&connectTimeoutMS=5000&socketTimeoutMS=5000
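Review bot: `mongo.uri` hardcodes `192.168.50.239:27017`, while the graviteeio Deployments in this commit use `192.168.50.206:27017` for the same `graviteeam` database and bdd/service-mongodb.yaml already exposes it in-cluster as `mongo-service` in namespace `database`; a node address changes with the k3d cluster and the URI carries no credentials. Suggest `mongodb://mongo-service.database.svc:27017/graviteeam?...` for the in-cluster path, or a Secret-backed value if an external host is intended. The `# see https://github.com/hashicorp/vault-helm` header line was copied from the vault HelmChart and does not describe this file.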


@@ -0,0 +1,14 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: gatewayam
namespace: graviteeio
spec:
entryPoints:
- web
routes:
- match: Host(`dev.graviteeio.am`) && PathPrefix(`/am`)
kind: Rule
services:
- name: gatewayam
port: 8092
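Review bot: This route, and the two sibling graviteeio IngressRoutes for `/am/management` and `/am/ui`, attach to the `web` entrypoint only, so the Access Management gateway and API (which handle user credentials and tokens) are served over plain HTTP, whereas the sourcegraph and vault routes in this commit use `websecure`. Suggest `entryPoints: - websecure` plus a `tls:` block for all three, keeping `web` only behind an HTTP-to-HTTPS redirect middleware. The three `PathPrefix` rules overlap (`/am` also matches `/am/management` and `/am/ui`); Traefik's default rule-length priority makes the more specific rules win, which works but deserves a comment on the `match` line.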


@@ -0,0 +1,14 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: managementam
namespace: graviteeio
spec:
entryPoints:
- web
routes:
- match: Host(`dev.graviteeio.am`) && PathPrefix(`/am/management`)
kind: Rule
services:
- name: managementam
port: 8093


@@ -0,0 +1,14 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: webuiam
namespace: graviteeio
spec:
entryPoints:
- web
routes:
- match: Host(`dev.graviteeio.am`) && PathPrefix(`/am/ui`)
kind: Rule
services:
- name: webuiam
port: 80


@@ -0,0 +1,44 @@
apiVersion: v1
kind: Service
metadata:
name: gatewayam
namespace: graviteeio
labels:
app: gatewayam
spec:
ports:
- name: http
port: 8092
targetPort: 8092
selector:
app: gatewayam
type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gatewayam
namespace: graviteeio
labels:
app: gatewayam
spec:
replicas: 1
selector:
matchLabels:
app: gatewayam
template:
metadata:
labels:
app: gatewayam
spec:
containers:
- name: gatewayam
image: graviteeio/am-gateway:2
env:
- name: gravitee_management_mongodb_uri
value: mongodb://192.168.50.206:27017/graviteeam?serverSelectionTimeoutMS=5000&connectTimeoutMS=5000&socketTimeoutMS=5000
- name: gravitee_oauth2_mongodb_uri
value: mongodb://192.168.50.206:27017/graviteeam?serverSelectionTimeoutMS=5000&connectTimeoutMS=5000&socketTimeoutMS=5000
ports:
- name: http
containerPort: 8092
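Review bot: The two mongodb `value:` lines hardcode `192.168.50.206` (a different address from the `192.168.50.239` in the graviteeio HelmChart) with no credentials, and the same pair is repeated verbatim in the managementam Deployment. Both Services are `type: LoadBalancer` although IngressRoutes already front them, so on k3d's servicelb they are additionally published on the nodes' host ports; `type: ClusterIP` is sufficient when traffic enters through Traefik. Suggest pointing the URIs at `mongo-service.database.svc:27017` and moving them into a Secret or ConfigMap shared by both Deployments so they cannot drift apart.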


@@ -0,0 +1,44 @@
apiVersion: v1
kind: Service
metadata:
name: managementam
namespace: graviteeio
labels:
app: managementam
spec:
ports:
- name: http
port: 8093
targetPort: 8093
selector:
app: managementam
type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: managementam
namespace: graviteeio
labels:
app: managementam
spec:
replicas: 1
selector:
matchLabels:
app: managementam
template:
metadata:
labels:
app: managementam
spec:
containers:
- name: managementam
image: graviteeio/am-management-api:2
env:
- name: gravitee_management_mongodb_uri
value: mongodb://192.168.50.206:27017/graviteeam?serverSelectionTimeoutMS=5000&connectTimeoutMS=5000&socketTimeoutMS=5000
- name: gravitee_oauth2_mongodb_uri
value: mongodb://192.168.50.206:27017/graviteeam?serverSelectionTimeoutMS=5000&connectTimeoutMS=5000&socketTimeoutMS=5000
ports:
- name: http
containerPort: 8093


@@ -0,0 +1,44 @@
apiVersion: v1
kind: Service
metadata:
name: webuiam
namespace: graviteeio
labels:
app: webuiam
spec:
ports:
- name: http
port: 80
targetPort: 80
selector:
app: webuiam
type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: webuiam
namespace: graviteeio
labels:
app: webuiam
spec:
replicas: 1
selector:
matchLabels:
app: webuiam
template:
metadata:
labels:
app: webuiam
spec:
containers:
- name: webuiam
image: graviteeio/am-management-ui:2
env:
- name: MGMT_API_URL
value: http://dev.graviteeio.am/am
- name: MGMT_UI_URL
value: http://dev.graviteeio.am/am/ui
ports:
- name: http
containerPort: 80

26
init-issuer.sh Normal file

@@ -0,0 +1,26 @@
kubectl create serviceaccount issuer
kubectl get secrets
ISSUER_SECRET_REF=$(kubectl get serviceaccount issuer -o json | jq -r ".secrets[].name")
cat > vault-issuer.yaml <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: vault-issuer
namespace: default
spec:
vault:
server: http://vault.default
path: pki/sign/dev-dot-localhost
auth:
kubernetes:
mountPath: /v1/auth/kubernetes
role: issuer
secretRef:
name: $ISSUER_SECRET_REF
key: token
EOF
kubectl apply --filename vault-issuer.yaml
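Review bot: `server: http://vault.default` omits the port, so cert-manager will dial port 80, while the committed vault/issuer-vault.yaml uses `http://vault.default:8200` for the same Issuer; the generated manifest should match, `server: http://vault.default:8200`. The rendered file is written to `vault-issuer.yaml` in the current directory even though a file of that name is already tracked under `vault/`, so running the script from the repo root will shadow one with the other. `kubectl get secrets` on line 2 only prints output and can go, and the whole script shares the missing shebang/`set -euo pipefail` point raised on add-all-service-helm.sh.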

0
init-keys.json Normal file

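--- /dev/null
+++ b/k3d-default.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: k3d.io/v1alpha3
+kind: Simple
+name: k3s-default
+servers: 1
+agents: 0
+image: docker.io/rancher/k3s:v1.21.5-k3s2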

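--- /dev/null
+++ b/namespaces-create.yaml
@@ -0,0 +1,34 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+name: outils
+labels:
+name: outils
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+name: database
+labels:
+name: database
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+name: traefik
+labels:
+name: traefik
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+name: vault
+labels:
+name: vault
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+name: graviteeio
+labels:
+name: graviteeio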

60
outils-config-v3.yaml Normal file

@@ -0,0 +1,60 @@
kind: Simple
apiVersion: k3d.io/v1alpha3
name: outils
servers: 1
agents: 2
kubeAPI:
host: kubernetes.api.server
hostIP: 127.0.0.1
hostPort: "6443"
volumes:
#- volume: /home/ladro/ldrogou/projets/cluster/outils/helm-vault-server.yaml:/var/lib/rancher/k3s/server/manifests/helm-vault-server.yaml
# nodeFilters:
# - server:0
- volume: /rca/mongodb/data:/rca/mongodb/data
nodeFilters:
- server:0
- agent:*
- volume: /rca/postgres/data:/rca/postgres/data
nodeFilters:
- server:0
- agent:*
- volume: /rca/sourcegraph/config:/rca/sourcegraph/config
nodeFilters:
- server:0
- agent:*
- volume: /rca/sourcegraph/data:/rca/sourcegraph/data
nodeFilters:
- server:0
- agent:*
ports:
- port: 81:80
nodeFilters:
- loadbalancer
- port: 444:443
nodeFilters:
- loadbalancer
- port: 5433:30080
nodeFilters:
- server:0
- port: 27017:30010
nodeFilters:
- server:0
- port: 5672:30082
nodeFilters:
- server:0
- port: 15672:30083
nodeFilters:
- server:0
options:
k3d:
wait: true
timeout: 1m0s
disableLoadbalancer: false
disableImageVolume: false
disableRollback: false
k3s: {}
kubeconfig:
updateDefaultKubeconfig: true
switchCurrentContext: true
runtime: {}
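Review bot: The `ports` entries (`81:80`, `444:443`, `5433:30080`, `27017:30010`, `5672:30082`, `15672:30083`) carry no host address, so k3d publishes them on every interface of the host; together with the unauthenticated mongo NodePort 30010 and the ConfigMap-credentialed postgres NodePort 30080 this exposes both databases to the LAN. k3d accepts the docker-style `[HOST:]HOSTPORT:CONTAINERPORT` form, e.g. `- port: 127.0.0.1:27017:30010`, mirroring the `hostIP: 127.0.0.1` already used for the API server. Quote these values (`"81:80"`), since digit-and-colon scalars are read as base-60 integers by YAML 1.1 loaders. The commented volume entry with the `/home/ladro/...` path is a leftover from a personal checkout and can be removed.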


@@ -0,0 +1,49 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: rabbitmq-statefulset
namespace: database
labels:
app: rabbitmq
spec:
serviceName: "rabbitmq"
replicas: 1
selector:
matchLabels:
app: rabbitmq
template:
metadata:
labels:
app: rabbitmq
spec:
containers:
- name: rabbitmq
image: rabbitmq:3-management-alpine
envFrom:
- configMapRef:
name: rabbitmq-configuration
ports:
- containerPort: 5672
name: rabbitmqdb
- containerPort: 15672
name: rabbitmqman
---
apiVersion: v1
kind: Service
metadata:
name: rabbitmq-service
namespace: database
labels:
app: rabbitmq
spec:
ports:
- port: 5432
nodePort: 30082
name: rabbitmq
- port: 15672
nodePort: 30083
name: rabbitmqman
type: NodePort
selector:
app: rabbitmq
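Review bot: The Service's first entry is `port: 5432` with `nodePort: 30082`, but the container listens on 5672 (`containerPort: 5672`) and no `targetPort` is given, so the Service forwards to pod port 5432 and AMQP connections through `rabbitmq-service` — and through host port 5672, which outils-config-v3.yaml maps to 30082 — are refused. Change it to `- port: 5672` with `targetPort: 5672`. The StatefulSet loads `configMapRef: rabbitmq-configuration`, which this commit does not add; if it is meant to carry `RABBITMQ_DEFAULT_USER`/`RABBITMQ_DEFAULT_PASS`, the Secret-instead-of-ConfigMap point raised on bdd/service-postgres.yaml applies, and the management UI on NodePort 30083 (host 15672) is exposed on the same terms.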


@@ -0,0 +1,14 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: sourcegraph
namespace: outils
spec:
entryPoints:
- websecure
routes:
- match: Host(`sourcegraph.dev.localhost`)
kind: Rule
services:
- name: sourcegraph
port: 7080
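Review bot: This route, and `vault-internal` in vault/ingress-vault.yaml, sit on the `websecure` entrypoint without a `tls:` block, so the `dev-localhost-tls` Secret that dev-localhost-cert.yaml asks cert-manager to issue is never used; unless the entrypoint carries a default certificate, Traefik serves its self-signed one. Add `tls: secretName: dev-localhost-tls` (the Secret must live in the route's namespace, `outils` here and `default` for vault) and extend the Certificate's `dnsNames` with `sourcegraph.dev.localhost` and `vault.dev.localhost`, which the `allow_subdomains=true` role in enabled-pki.sh permits.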


@@ -0,0 +1,137 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: k3d-sourcegraph-data
provisioner: rancher.io/local-path
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: sourcegraph-pv-data
namespace: outils
labels:
type: local
spec:
storageClassName: k3d-sourcegraph-data
capacity:
storage: 10Gi
accessModes:
- ReadWriteOnce
hostPath:
path: "/rca/sourcegraph/data"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
deploy: sourcegraph-pvc-data
sourcegraph-resource-requires: no-cluster-admin
app.kubernetes.io/component: sourcegraph
name: sourcegraph-data
namespace: outils
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: k3d-sourcegraph-data
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: k3d-sourcegraph-config
provisioner: rancher.io/local-path
volumeBindingMode: WaitForFirstConsumer
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: sourcegraph-pv-config
namespace: outils
labels:
type: local
spec:
storageClassName: k3d-sourcegraph-config
capacity:
storage: 2Gi
accessModes:
- ReadWriteOnce
hostPath:
path: "/rca/sourcegraph/config"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
deploy: sourcegraph-pvc-config
sourcegraph-resource-requires: no-cluster-admin
app.kubernetes.io/component: sourcegraph
name: sourcegraph-config
namespace: outils
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
storageClassName: k3d-sourcegraph-config
---
apiVersion: v1
kind: Service
metadata:
name: sourcegraph
namespace: outils
labels:
app: sourcegraph
spec:
ports:
- name: http
port: 7080
targetPort: 7080
selector:
app: sourcegraph
type: LoadBalancer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sourcegraph
namespace: outils
labels:
app: sourcegraph
spec:
replicas: 0
selector:
matchLabels:
app: sourcegraph
template:
metadata:
labels:
app: sourcegraph
spec:
containers:
- name: sourcegraph
image: sourcegraph/server:3.36.1
ports:
- name: http
containerPort: 7080
- name: https
containerPort: 7443
volumeMounts:
- mountPath: "/var/opt/sourcegraph"
name: sourcegraph-data
- mountPath: "/etc/sourcegraph"
name: sourcegraph-config
hostAliases:
- ip: 10.0.10.180
hostnames:
- git.int.rcacloud.it
volumes:
- name: sourcegraph-data
persistentVolumeClaim:
claimName: sourcegraph-data
- name: sourcegraph-config
persistentVolumeClaim:
claimName: sourcegraph-config
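Review bot: The Deployment is created with `replicas: 0` and both apply scripts keep sourcegraph commented out, so this manifest is inert; a comment on the `replicas` line saying it is intentionally disabled would stop someone scaling it up unaware that `hostAliases` pins `git.int.rcacloud.it` to the internal address `10.0.10.180`, which the target environment must be able to reach. The Service is `type: LoadBalancer` although the IngressRoute already fronts it on 7080; `ClusterIP` suffices. As with the other manifests, `namespace: outils` on the two PersistentVolumes is ignored because PersistentVolume is cluster-scoped.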


@@ -0,0 +1,15 @@
# see https://rancher.com/docs/k3s/latest/en/helm/
# see https://github.com/hashicorp/vault-helm
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: vault
namespace: default
spec:
repo: https://helm.releases.hashicorp.com
chart: vault
version: 0.17.1
targetNamespace: default
valuesContent: |-
injector:
enabled: false
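Review bot: Every client in this commit (both Issuer manifests, init-issuer.sh and the PKI AIA URLs in enabled-pki.sh) reaches Vault over plain `http://vault.default:8200`, consistent with the chart's default listener having TLS disabled, so the Kubernetes-auth JWT and the root token used by unseal-vault.sh cross the cluster network in clear. Acceptable for a throwaway dev cluster, but worth a comment under `valuesContent`; `server.standalone.config` is where a TLS listener would be configured, together with `https://` on the client side. `version: 0.17.1` is safely a string, but quoting it keeps the value stable if the chart version ever becomes `1.0`-like.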

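--- /dev/null
+++ b/vault/ingress-vault.yaml
@@ -0,0 +1,14 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+name: vault-internal
+namespace: default
+spec:
+entryPoints:
+- websecure
+routes:
+- match: Host(`vault.dev.localhost`)
+kind: Rule
+services:
+- name: vault-internal
+port: 8200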

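--- /dev/null
+++ b/vault/init-vault.sh
@@ -0,0 +1,2 @@
+kubectl exec vault-0 -- vault operator init -key-shares=1 -key-threshold=1 -format=json > init-keys.json
+./unseal-vault.sh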
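Review bot: `vault operator init ... -format=json > init-keys.json` writes the single unseal key and the initial root token to a file inside the repository, and this commit already tracks an empty `init-keys.json`, so the next init stages real keys for commit. Add `init-keys.json` to `.gitignore` and drop it from the index, or write to a path outside the checkout after `umask 077`. `-key-shares=1 -key-threshold=1` also means one file is enough to unseal and fully administer Vault; fine for a disposable dev cluster, and a leading comment should say that is the intent.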

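--- /dev/null
+++ b/vault/issuer-vault.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+name: vault-issuer
+namespace: default
+spec:
+vault:
+server: http://vault.default:8200
+path: pki/sign/dev-dot-localhost
+auth:
+kubernetes:
+mountPath: /v1/auth/kubernetes
+role: issuer
+secretRef:
+name: issuer-token-sh68l
+key: token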
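Review bot: `secretRef.name: issuer-token-sh68l` is the auto-generated name of the issuer ServiceAccount's token Secret, which differs per cluster (vault/vault-issuer.yaml in the same commit carries `issuer-token-xhgk8`), so this manifest only applies to the cluster it was captured from; init-issuer.sh already derives the name with `jq` and is the better source. The two committed Issuer manifests also disagree on `path`: `pki/sign/dev-dot-localhost` here matches the policy in enabled-pki.sh, whereas `pki/role/dev-dot-localhost` in vault/vault-issuer.yaml is not a PKI signing endpoint and will be rejected. Keeping a single script-generated file, or a Secret with a fixed name of `type: kubernetes.io/service-account-token`, avoids the drift.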

8
vault/unseal-vault.sh Executable file

@@ -0,0 +1,8 @@
cat init-keys.json | jq -r ".unseal_keys_b64[]"
VAULT_UNSEAL_KEY=$(cat init-keys.json | jq -r ".unseal_keys_b64[]")
kubectl exec vault-0 -- vault operator unseal $VAULT_UNSEAL_KEY
kubectl get pods
cat init-keys.json | jq -r ".root_token"
VAULT_ROOT_TOKEN=$(cat init-keys.json | jq -r ".root_token")
kubectl exec vault-0 -- vault login $VAULT_ROOT_TOKEN
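Review bot: Lines 1 and 5 print the unseal key and the root token to stdout (and into any terminal or CI log), and `vault operator unseal $VAULT_UNSEAL_KEY` / `vault login $VAULT_ROOT_TOKEN` pass both on kubectl's command line, where any local user can read them from the process list. Drop the two echoing `cat ... | jq` lines and feed the values on stdin instead: `kubectl exec -i vault-0 -- vault operator unseal - <<<"$VAULT_UNSEAL_KEY"` and `kubectl exec -i vault-0 -- vault login - <<<"$VAULT_ROOT_TOKEN"`. `jq -r ".unseal_keys_b64[]"` also yields one line per share, which only works because init-vault.sh uses a single share; a comment noting that coupling would help.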

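--- /dev/null
+++ b/vault/vault-issuer.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+name: vault-issuer
+namespace: default
+spec:
+vault:
+server: http://vault.default:8200
+path: pki/role/dev-dot-localhost
+auth:
+kubernetes:
+mountPath: /v1/auth/kubernetes
+role: issuer
+secretRef:
+name: issuer-token-xhgk8
+key: token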