From 6da44fe057033f562957b3f3af1424c6a50b174e Mon Sep 17 00:00:00 2001
From: Sheogorath <sheogorath@shivering-isles.com>
Date: Sun, 13 Nov 2022 03:10:31 +0100
Subject: [PATCH] feat(blog): Provide intial blog deployment

This patch is a first try to move my blog into the cluster. There is still quite some refinement to do.
---
apps/k8s01/blog/blog.yaml | 66 ++++++++++++++++++++++
apps/k8s01/blog/certificate.yaml | 69 +++++++++++++++++++++++
apps/k8s01/blog/ingress.yaml | 90 ++++++++++++++++++++++++++++++
apps/k8s01/blog/kustomization.yaml | 12 ++++
apps/k8s01/blog/namespace.yaml | 31 ++++++++++
apps/k8s01/blog/networkpolicy.yaml | 9 +++
6 files changed, 277 insertions(+)
create mode 100644 apps/k8s01/blog/blog.yaml
create mode 100644 apps/k8s01/blog/certificate.yaml
create mode 100644 apps/k8s01/blog/ingress.yaml
create mode 100644 apps/k8s01/blog/kustomization.yaml
create mode 100644 apps/k8s01/blog/namespace.yaml
create mode 100644 apps/k8s01/blog/networkpolicy.yaml
diff --git a/apps/k8s01/blog/blog.yaml b/apps/k8s01/blog/blog.yaml
new file mode 100644
index 000000000..007e16c8c
--- /dev/null
+++ b/apps/k8s01/blog/blog.yaml
@@ -0,0 +1,66 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: blog
+ labels:
+ app.kubernetes.io/name: blog
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: blog
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: blog
+ spec:
+ affinity:
+ podAntiAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: blog
+ topologyKey: kubernetes.io/hostname
+ automountServiceAccountToken: false
+ containers:
+ - name: dnsproxy
+ image: quay.io/shivering-isles/blog:latest
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ name: http
+ resources:
+ requests:
+ cpu: 100m
+ memory: 256Mi
+ limits:
+ cpu: 100m
+ memory: 256Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: blog
+ labels:
+ app.kubernetes.io/name: blog
+spec:
+ type: LoadBalancer
+ selector:
+ app.kubernetes.io/name: blog
+ ports:
+ - name: http
+ protocol: TCP
+ port: 80
+ targetPort: http
+---
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: blog
+spec:
+ minAvailable: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: blog
diff --git a/apps/k8s01/blog/certificate.yaml b/apps/k8s01/blog/certificate.yaml
new file mode 100644
index 000000000..caa57cba9
--- /dev/null
+++ b/apps/k8s01/blog/certificate.yaml
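Review bot: The pod template of the Deployment carries no securityContext, so the pods only satisfy the `baseline` level that namespace.yaml in this same patch enforces and will trip its `restricted` audit/warn labels on every admission; adding `runAsNonRoot`, `allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]` and `seccompProfile.type: RuntimeDefault` to the container closes that gap (the container listens on 8080, which suggests it can run unprivileged — confirm the image does not run as root, otherwise `runAsNonRoot: true` blocks startup). `image: quay.io/shivering-isles/blog:latest` combined with `imagePullPolicy: Always` means the two replicas can land on different builds after any restart and git no longer says what is deployed; pin an immutable tag or an `@sha256:` digest. The container is named `dnsproxy` while every other object is called blog, which looks like a copy-paste leftover. The Service is `type: LoadBalancer` although ingress.yaml in this patch fronts it and the allow-from-ingress NetworkPolicy selects these pods, so the external IP would expose plain HTTP around the TLS termination (and, depending on the shared policy, may not be reachable at all); `type: ClusterIP` is sufficient for an Ingress backend.
```yaml
      containers:
        - name: blog
          image: quay.io/shivering-isles/blog:latest  # TODO(review): pin an immutable tag or @sha256 digest
          # … unchanged: imagePullPolicy, ports, resources …
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
```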
@@ -0,0 +1,69 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: blog-tls + namespace: blog + labels: + app.kubernetes.io/name: blog +spec: + privateKey: + algorithm: Ed25519 + dnsNames: + - ENC[AES256_GCM,data:0GFhR/qy7O08SttmyTr7XE4Myw==,iv:A/uABlCzi7KWoUsVGdZC0oW1P/AhXfRiyHAr1DGNlPA=,tag:QymCw+8esywtOeIm+mE5Iw==,type:str] + - ENC[AES256_GCM,data:EwUpRPyUQnP2VW6K4qygCqlqYN2nXWs=,iv:FIBxTelhrzOmDRbfebIb/rNqI9Ex2AgS2YOJgHcFB5A=,tag:q0/vNaVzafhxAMbHQVUz6g==,type:str] + issuerRef: + name: letsencrypt + kind: ClusterIssuer + secretName: ingress-blog-tls +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-11-13T02:09:37Z" + mac: ENC[AES256_GCM,data:gGSRaXKGVoFeFaJOmWYacdiGnw0S4guWB/0bdxRTtlS7hP3zYrUD/Em1Wzyfque57Ykmq8egQ+a+6ExFFIMp9w/PA4vh2NWa0QxuET45JihpXZDqMkYj4trMvkzx6/GbAm/e7qOLXC9a8vTuJMG70J46yxfIKtXti1S82GnSjak=,iv:ObaMfHmMbjHPJFYRwQlFDx/JMCuMuI02r0vrNze5+2s=,tag:xyl4Vay/GFolaHSyZJazsA==,type:str] + pgp: + - created_at: "2022-01-21T18:13:48Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7kpg2bgzVHcARAAs0OQxzkgcgs/iXO3DXjnuyddgI5X/Gz5Gd3q0U6MrK18 + gfZIWvh2gemiU0YepfnQwbHkFLWOO/hYLjppAd4/HS93Gg8Hqg7Kh9WLiQFqolAn + SSvm1KvlesTselWGu8/282UO5jDM7E0NuqsHPC9K/4im+jkWO9s2fAw+hQIvvVPw + CktPYqihMvTmLyTVX9dMkwgDzTdJ8JeaI26S5tyMkAg+B/ymxKWG4m7bRIG9+kOD + fnsUUfd+zobOLR3w251+AydJlCy3gs6hJYlW1wz8m6cOzKHe3SEnN9GLJSbSa95n + +WpY31VF+eXZ4Z8GXoy3QHTWzbcWJ10RKb5eTPixAJzL3opSTbKJGmUuQlq+/9Wg + 876dUQGl26CHm8solPytStPJDoSjcNbClJN1Rfp2SopAucqDG5XPIzXh7gIzfwrR + qauiO2AnC85DkWwU9w3wODB9zY3PzcmbzxyLPzEqnSABIEVw8VJoM/pnIRv2gs17 + 2YN61VO/YgUuxXtvvAHMgk1XQPfH45bM/i9lwX8EHDHqBWQVtYIqyw0lnVPZl1Hz + VuN6/aH4AnVAqeMjS4ezLZ26cyF8S/wkuQPK8tOfOs2l4smD1jp67A1A9RQfF4Hz + QRHL7VEc3EElB7FobZSAccjptfghhFjtIEhrmiZJgIIFcYv8IGDCf59pmVXSUKPS + UQGgA6xeWVYOj7DKYrgO4xMUXtofOv4WVRFO7iejeRqF5YbWmaCIq0GNvpwwZvWe + jqtu9MjOqwG0X682yB6/Ss/HBV+vAYrMoRqunjrSlZ+oLw== + =pOY7 + -----END PGP MESSAGE----- + fp: 
286791FB6648539775DB31B8FCB98C2A3EC6F601 + - created_at: "2022-01-21T18:13:48Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA4oYbIHZIrAPARAAlM62U+idC9A4irm5RkSx5fZv+HGu7Jrm5GNPzv2tQ9WY + ponFAjh0/DDq2qWcpveRS3owFAwhoMbm1vYx9O29ycM5XzjxHF5CjytSssRU0FkX + UK5OdW+SURLREvIOZjYoEqjxFGj22ZAegkNIHYadTSGyesWM8Fj3Q6Su0EVyeyaI + FaE5Eo3Ya0tn7p+oMoAsJFJhtz9oFvPcaXCri+BTiIHCGZBQf9ndAvpr23zd2cO8 + LBNwHOmJmtiHM3xndhVstBt9YnRqjqg3hZt65zB7LIP8zRPDtzsvTAdcLMkibhh5 + GPn6JyOvlBPFrxR0ZmuGTURFODfjFrjn96igHDGbET1XKDVb99uQA7tJDRjZYUPM + 3zfjj+aKi8R9k+/fU/jO827K8jHN9tPmrsJslUGDtV6sRxfWXUsfur8840TfnFBm + f8mqqOBA9ahJaN+0EyXvFHCfPglYs7zXKL4fYnO6PKB7fR+IDFUQzHxZGDTgLB6g + gtayT8FHE6EQ/1Lxsjw4kHfJYlabi5jSPAWtws/RXF8oZgByT6O1yYCtfJPzzlyT + A9b2X2EG4Lj6QFQNN7n/qOwa6timOrdZOfIDLMZt7JIDpHXhCmzo2WCm3wFS/L4R + 6zuYDUg5rm3sxHzcw+9xn/PK8yedVCmCGNrnON9hn0TeqXmuY87KQu1Az+3wJqDU + ZgEJAhCnHsdsGhUmeXb4Lb8+hJfFB1DTL3qk6iPqxPsjfA1n3N/KYLd3KYWaM6fm + 21yCsmkJZRWxgOwTPbF+KIQAq4yleW06ys6DFLz2wgLc3LlRjJFlPeajM6v6XicO + lDUgoEyZhw== + =y2A9 + -----END PGP MESSAGE----- + fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 + encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL)$ + version: 3.7.3 diff --git a/apps/k8s01/blog/ingress.yaml b/apps/k8s01/blog/ingress.yaml new file mode 100644 index 000000000..3a0265d28 --- /dev/null +++ b/apps/k8s01/blog/ingress.yaml 
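Review bot: `privateKey.algorithm: Ed25519` together with an `issuerRef` to the `letsencrypt` ClusterIssuer is unlikely to ever yield a usable certificate: as far as I know Let's Encrypt signs only RSA and ECDSA (P-256/P-384) end-entity keys, so the order should fail, and even if it were issued the mainstream browsers do not accept EdDSA certificates in TLS, so the public blog could not be served with it. Switch to `algorithm: ECDSA` with `size: 256`, or drop the `privateKey` block to take cert-manager's RSA default. The file also omits the leading `---` document-start line that blog.yaml and networkpolicy.yaml in this patch use. Note that the SOPS-encrypted `dnsNames` become public in Certificate Transparency logs the moment the certificate is issued, so that encryption only hides them from repository readers — fine if that is the intent, but worth a comment so nobody expects more from it.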
@@ -0,0 +1,90 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: blog + namespace: blog + labels: + app.kubernetes.io/name: blog + annotations: + forecastle.stakater.com/expose: "true" + forecastle.stakater.com/appName: Blog + forecastle.stakater.com/group: Apps +spec: + rules: + - host: ENC[AES256_GCM,data:ppI47WC3acfE0wU+ES4GIYYrpQ==,iv:64B7Iq33LIA0ZlW/dX70WPIt8+USIj8WyQKsnDV84KM=,tag:o0OUBlEvgYyyJeLG729HzA==,type:str] + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: blog + port: + number: 80 + - host: ENC[AES256_GCM,data:KuF4mLV6HvWj2If/YHEnefFLprYilow=,iv:5TAwfNWAH+aDabUeEkkDBQA6icDgbaL99ptqZFwB3Vk=,tag:KRzVkueByKcZKox7YRgcgg==,type:str] + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: blog + port: + number: 80 + tls: + - hosts: + - ENC[AES256_GCM,data:PO5x7BaDhzNbw74zPhWFVkUmpg==,iv:tr16kBcknaBHAsPzBS2eCNsuH+yvclLNdaV7t4ObiI0=,tag:jDJHCjybZZ2PclhBmQcfWA==,type:str] + - ENC[AES256_GCM,data:uOa5ivvA40/r2zcptgPNC5+SJYqwAFM=,iv:TwaYhLr6NUJ8s2MooJ6WDfnbcICTlpbUUe1i2hibjIE=,tag:87iuuLIHkzsJCBdna/nKfg==,type:str] + secretName: ingress-blog-tls +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2022-11-13T02:09:45Z" + mac: ENC[AES256_GCM,data:rXKZ7xsJbQ6x1HchVKlyK8j2Mr2DlAA1Re9LDoN+R6dIv8+2LahGcoVYblI9L1SNr2Ou+V8AEYEp79lDE1NBnqtFCmpg1UJUXfunwuw9NQYVy75LucWh3315A9wlzcMl90A2DgkjIZpsgz8DCjHWJtIQKYrpLNzm/g9k+6qswPE=,iv:29WyyXfxFE/k/NaSaLvgVadNcGyRK+g5AW7lXXsC4d4=,tag:EVTSL8stQ2rjpoGzoL9VcQ==,type:str] + pgp: + - created_at: "2022-09-13T20:16:18Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA7kpg2bgzVHcAQ//QKUo6MGGO7kJyGfQ8WULaFNILDGmSNjPj6avjps8nbpa + BdNlszBms4ghflXW6xfBe2vqTvo+Bjd6XqngSoEOpYQNruKTodDpkRBj2KsT+nza + PfQocIiGaLmYsjdT7RtrCIzkm27IwL1MMtPrWPPfiiRHv5lw18y+l2c2kkO8TA4A + eETwEpbeVTo+iryTYSHMQKHeKk+s3Oh/MVGHHC3AlNn8hmvi2Wt/eSLye27a7J5T + lbJrNkIDX/1G9NR0bg2045MkljzYyY7ttP58j+WsOca3ct8NWy4Z4OQeldCmwIFr + 
BrKYCoFI6eZ6DHT9Rlqm246WN70hbRb7usCgX8dn8WT/Z8dXWzRryYtIVjkzrIVm + AZQ1XelkdXybGa/ORV5aj81AIXu7konepcJX64L6OxcQjFhQWAO7y1rwclOW8QOb + h2RlsE79wNobUsErXTvUmsW30l0GWYeh3IgR0HAMu2P8ttDvb8I4yu5H1/5uZnZY + jLBnH8ooC9uDnh2z5u6ru5JmHjlQ8BWUF/dptt57qUo/I+xBhiSCqYLFo2WOy1lx + hDlSzIE5Sn5TA3fxXyc9Hwv5/c3ELW6EuXqiy4MUcLREL07C4OLp0/1q/Tshj0FG + PReQZkVON4jFuDtfFVID8Rm20CBkVe2xahThK8jCGms15UpiU8hsv8VgAn7aIsPS + UQF1wuAsfdOVLBugwP0jsc57R60KmtLpig04S0WLJAlNEXGk+yGqAsluHGxJpnnm + LUM72fLPLolfVdF2aS9UjTSkSy34Rh5J/j08usEN8R7mWw== + =xL8K + -----END PGP MESSAGE----- + fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 + - created_at: "2022-09-13T20:16:18Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA4oYbIHZIrAPARAAi5C2YbFg1dJGa/C+tsp2xn3fhu5Qvl2ywWFz/lWyO6rW + si4H0ivAkiI85jd2xgxXq54EWY5pkH0a/Ynly5p9zJuZf+dXP5RkOa7EEbv7h/UV + ZRQRpJRJuMKIOUXHKvRR93lQYItSPTCkcRkt6mVEhvYQwOxJmmmjtOF1umbra3Zi + sFWez2yil9BCC9kGWM4n2kHHLhb0RJdlfj3tP7RTYC9ssGCdoUnh4CgksRv6QW2G + HbrO38UJf96gzrjh09HJS4gSnIbtHVDGZ5lVITFpU3WPirga4BGEgib6Ip2GNb4i + 6hPmb3aWFwLeHf83CoDV8VbL03t5OLdeUWkAn9xNSZOPy8rZJgm/UXfuii1l39ui + gJk2VWVleK1rHGEV+sCsjGQjQvGL6QUgB+4dp6petsw5Jt1gxBbVZmvkuWjpkPw4 + BkLHPf51Gs0SCogWaVf5XdQqX1bovTZotTbTpa6A0G4iwsPIqQkSB/C7ykod5I0s + lXBqXCk9sgAr+hxdRtMpzZJhWC82EoP+Z8IhVEl0GvRyFC+BjFJKMNiTNLRsqmxL + iGaZrCXym7qM++uGKaUWmhVPg3g+l2AUmAwgf6ISIGQolaIf7J+jIc9jw4HSYcIM + MAjvGOGD02ABGvNGwiyi84ibIhnVngmrxuBrQTfBSfhqhJa6XUtLvaTt0OJa2UnU + aAEJAhAjKsBPBcSGRBgbDk+peX46kE7gF1p0tIqKjD1mBaSW5+x5xcITUHQxTcuV + tievOikl8nF+zBDmG3TlRiKimMGz2DwlARwkIsXOaU9I/VVwot153VYG/tpEbqKs + 8LzbNsLdj2Ld + =S0CC + -----END PGP MESSAGE----- + fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 + encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|.*(H|h)osts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey|externalName)$ + version: 3.7.3 
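Review bot: The Ingress sets no `spec.ingressClassName`, so it is only reconciled if the cluster marks exactly one IngressClass as default, and a second controller installed later could silently claim it; name the class explicitly, e.g. `ingressClassName: <class-name>` (placeholder — I cannot see which controller k8s01 runs). The file also lacks the leading `---` that blog.yaml and networkpolicy.yaml in this patch start with, so the four new manifests are inconsistent on document-start. The two `rules` entries are byte-for-byte identical apart from the host; if more hosts are expected, a short comment stating that both must point at the same service would save the next editor from diverging them.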
diff --git a/apps/k8s01/blog/kustomization.yaml b/apps/k8s01/blog/kustomization.yaml
new file mode 100644
index 000000000..edf59a4db
--- /dev/null
+++ b/apps/k8s01/blog/kustomization.yaml
@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: blog
+resources:
+ - namespace.yaml
+ - certificate.yaml
+ - blog.yaml
+ - ingress.yaml
+ - ../../../shared/networkpolicies/allow-from-ingress.yaml
+ - ../../../shared/resourcequotas/default.yaml
+patchesStrategicMerge:
+ - networkpolicy.yaml
\ No newline at end of file
diff --git a/apps/k8s01/blog/namespace.yaml b/apps/k8s01/blog/namespace.yaml
new file mode 100644
index 000000000..30c8ee4f6
--- /dev/null
+++ b/apps/k8s01/blog/namespace.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: blog
+ labels:
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/enforce: baseline
+ pod-security.kubernetes.io/warn: restricted
+ pod-security.kubernetes.io/audit-version: v1.23
+ pod-security.kubernetes.io/enforce-version: v1.23
+ pod-security.kubernetes.io/warn-version: v1.23
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: flux-reconciler
+ namespace: blog
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: flux-reconciler
+ namespace: blog
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: admin
+subjects:
+ - kind: ServiceAccount
+ name: flux-reconciler
+ namespace: blog
diff --git a/apps/k8s01/blog/networkpolicy.yaml b/apps/k8s01/blog/networkpolicy.yaml
new file mode 100644
index 000000000..d89a28256
--- /dev/null
+++ b/apps/k8s01/blog/networkpolicy.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-from-ingress
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: blog
--
GitLab
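Review bot: kustomization.yaml is committed without a trailing newline (the `\ No newline at end of file` marker), which makes the next edit to the last line show up as a two-line diff and fails yamllint's new-line-at-end-of-file check; add the newline. `patchesStrategicMerge` works on the kustomize releases current at the time of this commit, but later releases deprecate it in favour of the generic `patches` list, so writing `patches:` with `- path: networkpolicy.yaml` now avoids a migration later. The resource order (namespace first, then certificate, workload, ingress, shared policies) is sensible; a one-line comment above `resources:` saying the shared entries are patched by networkpolicy.yaml would make the dependency visible to someone reading only this file.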
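Review bot: `pod-security.kubernetes.io/enforce: baseline` is looser than the `restricted` audit and warn labels next to it, and the blog Deployment in this patch carries no securityContext, so every admission of those pods will emit an audit event and a client warning while nothing is actually blocked; once the workload has the restricted fields, raise enforce to `restricted` so the three labels agree, and if baseline is intentional for now a comment such as `# enforce stays at baseline until the blog image runs non-root` would record why. The `flux-reconciler` RoleBinding grants the built-in `admin` ClusterRole, which inside the namespace also allows creating Roles and RoleBindings; that is required if this very RoleBinding is reconciled by that ServiceAccount, otherwise `edit` is the smaller grant — the Flux Kustomization that uses the account is not in this patch, so confirm which case applies. The Namespace document also omits the leading `---` that the other manifests in this patch use.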
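Review bot: networkpolicy.yaml supplies only the `podSelector` and relies on the shared allow-from-ingress.yaml for `policyTypes`, the ingress rule and the controller selector, none of which are visible here, so the file reads as an incomplete NetworkPolicy; a header comment such as `# strategic-merge patch: scopes ../../../shared/networkpolicies/allow-from-ingress.yaml to the blog pods` would explain that. Whether egress from the blog pods is restricted at all depends on what the shared policy declares — there is no egress policy in this directory — so confirm that is the intended posture rather than an omission.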