tandoor.yaml - Amethyst Gist

tandoor.yaml · 12 KiB · YAML Raw

--- apiVersion: v1 kind: Namespace metadata: name: tandoor --- # kubectl -n tandoor create secret generic recipes --from-literal=postgresql-password=$(openssl rand -base64 33) --from-literal=postgresql-postgres-password=$(openssl rand -base64 33) --from-literal=secret-key=$(openssl rand -hex 32) #kind: Secret #apiVersion: v1 #metadata: # name: recipes # namespace: tandoor #type: Opaque #data: # postgresql-password: ... # postgresql-postgres-password: ... # secret-key: ... --- kind: ConfigMap apiVersion: v1 metadata: labels: app: recipes name: recipes-nginx-config namespace: tandoor data: nginx-config: |- events { worker_connections 1024; } http { include mime.types; server { listen 80; server_name _; client_max_body_size 16M; # serve static files location /static/ { alias /static/; } # serve media files location /media/ { alias /media/; } } } --- apiVersion: v1 kind: ServiceAccount metadata: name: recipes namespace: tandoor --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: recipes-media namespace: tandoor labels: app: recipes spec: accessModes: - ReadWriteMany resources: requests: storage: 100Gi storageClassName: rook-cephfs --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: recipes-static namespace: tandoor labels: app: recipes spec: accessModes: - ReadWriteMany resources: requests: storage: 100Gi storageClassName: rook-cephfs --- apiVersion: apps/v1 kind: StatefulSet metadata: labels: app: recipes tier: database name: recipes-postgresql namespace: tandoor spec: replicas: 1 selector: matchLabels: app: recipes serviceName: recipes-postgresql updateStrategy: type: RollingUpdate template: metadata: annotations: backup.velero.io/backup-volumes: data labels: app: recipes tier: database name: recipes-postgresql spec: containers: - name: recipes-db env: - name: BITNAMI_DEBUG value: "false" - name: POSTGRESQL_PORT_NUMBER value: "5432" - name: POSTGRESQL_VOLUME_DIR value: /bitnami/postgresql - name: PGDATA value: /bitnami/postgresql/data - name: POSTGRES_USER value: recipes - name: POSTGRES_PASSWORD valueFrom: secretKeyRef: name: recipes key: postgresql-password - name: POSTGRESQL_POSTGRES_PASSWORD valueFrom: secretKeyRef: name: recipes key: postgresql-postgres-password - name: POSTGRES_DB value: recipes image: docker.io/bitnami/postgresql:15.5.0-debian-11-r17 imagePullPolicy: IfNotPresent livenessProbe: exec: command: - sh - -c - exec pg_isready -U "postgres" -d "wiki" -h 127.0.0.1 -p 5432 failureThreshold: 6 initialDelaySeconds: 30 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 ports: - containerPort: 5432 name: postgresql protocol: TCP readinessProbe: exec: command: - sh - -c - -e - | pg_isready -U "postgres" -d "wiki" -h 127.0.0.1 -p 5432 [ -f /opt/bitnami/postgresql/tmp/.initialized ] failureThreshold: 6 initialDelaySeconds: 5 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 resources: requests: cpu: 250m memory: 256Mi securityContext: runAsUser: 1001 terminationMessagePath: /dev/termination-log terminationMessagePolicy: File volumeMounts: - mountPath: /bitnami/postgresql name: data dnsPolicy: ClusterFirst initContainers: - command: - sh - -c - | mkdir -p /bitnami/postgresql/data chmod 700 /bitnami/postgresql/data find /bitnami/postgresql -mindepth 0 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" | \ xargs chown -R 1001:1001 image: docker.io/bitnami/minideb:stretch imagePullPolicy: Always name: init-chmod-data resources: requests: cpu: 250m memory: 256Mi securityContext: runAsUser: 0 volumeMounts: - mountPath: /bitnami/postgresql name: data restartPolicy: Always securityContext: fsGroup: 1001 serviceAccount: recipes serviceAccountName: recipes terminationGracePeriodSeconds: 30 volumeClaimTemplates: - apiVersion: v1 kind: PersistentVolumeClaim metadata: name: data spec: accessModes: - ReadWriteOnce resources: requests: storage: 50Gi volumeMode: Filesystem storageClassName: rook-ssd-block --- apiVersion: v1 kind: Service metadata: labels: app: recipes tier: database name: recipes-postgresql namespace: tandoor spec: ports: - name: postgresql port: 5432 protocol: TCP targetPort: postgresql selector: app: recipes tier: database sessionAffinity: None type: ClusterIP --- apiVersion: apps/v1 kind: Deployment metadata: name: recipes namespace: tandoor labels: app: recipes environment: production tier: frontend spec: replicas: 1 strategy: type: Recreate selector: matchLabels: app: recipes environment: production template: metadata: annotations: backup.velero.io/backup-volumes: media,static labels: app: recipes tier: frontend environment: production spec: restartPolicy: Always serviceAccount: recipes serviceAccountName: recipes initContainers: - name: init-chmod-data env: - name: SECRET_KEY valueFrom: secretKeyRef: name: recipes key: secret-key - name: DB_ENGINE value: django.db.backends.postgresql - name: POSTGRES_HOST value: recipes-postgresql - name: POSTGRES_PORT value: "5432" - name: POSTGRES_USER value: postgres - name: POSTGRES_DB value: recipes - name: POSTGRES_PASSWORD valueFrom: secretKeyRef: name: recipes key: postgresql-postgres-password image: vabene1111/recipes imagePullPolicy: Always resources: requests: cpu: 250m memory: 64Mi command: - sh - -c - | set -e source venv/bin/activate echo "Updating database" python manage.py migrate python manage.py collectstatic_js_reverse python manage.py collectstatic --noinput echo "Setting media file attributes" chown -R 65534:65534 /opt/recipes/mediafiles find /opt/recipes/mediafiles -type d | xargs -r chmod 755 find /opt/recipes/mediafiles -type f | xargs -r chmod 644 echo "Done" securityContext: runAsUser: 0 volumeMounts: - mountPath: /opt/recipes/mediafiles name: media # mount as subPath due to lost+found on ext4 pvc subPath: files - mountPath: /opt/recipes/staticfiles name: static # mount as subPath due to lost+found on ext4 pvc subPath: files containers: - name: recipes-nginx image: nginx:latest imagePullPolicy: IfNotPresent ports: - containerPort: 80 protocol: TCP name: http - containerPort: 8080 protocol: TCP name: gunicorn resources: requests: cpu: 250m memory: 64Mi volumeMounts: - mountPath: /media name: media # mount as subPath due to lost+found on ext4 pvc subPath: files - mountPath: /static name: static # mount as subPath due to lost+found on ext4 pvc subPath: files - name: nginx-config mountPath: /etc/nginx/nginx.conf subPath: nginx-config readOnly: true - name: recipes image: vabene1111/recipes imagePullPolicy: IfNotPresent command: - /opt/recipes/venv/bin/gunicorn - -b - :8080 - --access-logfile - "-" - --error-logfile - "-" - --log-level - INFO - recipes.wsgi livenessProbe: failureThreshold: 3 httpGet: path: / port: 8080 scheme: HTTP periodSeconds: 30 readinessProbe: httpGet: path: / port: 8080 scheme: HTTP periodSeconds: 30 resources: requests: cpu: 250m memory: 64Mi volumeMounts: - mountPath: /opt/recipes/mediafiles name: media # mount as subPath due to lost+found on ext4 pvc subPath: files - mountPath: /opt/recipes/staticfiles name: static # mount as subPath due to lost+found on ext4 pvc subPath: files env: - name: DEBUG value: "0" - name: ALLOWED_HOSTS value: '*' - name: SECRET_KEY valueFrom: secretKeyRef: name: recipes key: secret-key - name: GUNICORN_MEDIA value: "0" - name: DB_ENGINE value: django.db.backends.postgresql - name: POSTGRES_HOST value: recipes-postgresql - name: POSTGRES_PORT value: "5432" - name: POSTGRES_USER value: postgres - name: POSTGRES_DB value: recipes - name: POSTGRES_PASSWORD valueFrom: secretKeyRef: name: recipes key: postgresql-postgres-password securityContext: runAsUser: 65534 volumes: - name: media persistentVolumeClaim: claimName: recipes-media - name: static persistentVolumeClaim: claimName: recipes-static - name: nginx-config configMap: name: recipes-nginx-config --- apiVersion: v1 kind: Service metadata: name: recipes namespace: tandoor labels: app: recipes tier: frontend spec: selector: app: recipes tier: frontend environment: production ports: - port: 80 targetPort: http name: http protocol: TCP - port: 8080 targetPort: gunicorn name: gunicorn protocol: TCP --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: kubernetes.io/tls-acme: "true" cert-manager.io/cluster-issuer: letsencrypt-prod name: recipes namespace: tandoor spec: ingressClassName: nginx rules: - host: recipes.tblflp.net http: paths: - backend: service: name: recipes port: number: 8080 path: / pathType: Prefix - backend: service: name: recipes port: number: 80 path: /media pathType: Prefix - backend: service: name: recipes port: number: 80 path: /static pathType: Prefix tls: - hosts: - recipes.tblflp.net secretName: recipes-local-tls

1	---
2	apiVersion: v1
3	kind: Namespace
4	metadata:
5	name: tandoor
6	---
7	# kubectl -n tandoor create secret generic recipes --from-literal=postgresql-password=$(openssl rand -base64 33) --from-literal=postgresql-postgres-password=$(openssl rand -base64 33) --from-literal=secret-key=$(openssl rand -hex 32)
8	#kind: Secret
9	#apiVersion: v1
10	#metadata:
11	# name: recipes
12	# namespace: tandoor
13	#type: Opaque
14	#data:
15	# postgresql-password: ...
16	# postgresql-postgres-password: ...
17	# secret-key: ...
18	---
19	kind: ConfigMap
20	apiVersion: v1
21	metadata:
22	labels:
23	app: recipes
24	name: recipes-nginx-config
25	namespace: tandoor
26	data:
27	nginx-config: \|-
28	events {
29	worker_connections 1024;
30	}
31	http {
32	include mime.types;
33	server {
34	listen 80;
35	server_name _;
36
37	client_max_body_size 16M;
38
39	# serve static files
40	location /static/ {
41	alias /static/;
42	}
43	# serve media files
44	location /media/ {
45	alias /media/;
46	}
47	}
48	}
49	---
50	apiVersion: v1
51	kind: ServiceAccount
52	metadata:
53	name: recipes
54	namespace: tandoor
55	---
56	apiVersion: v1
57	kind: PersistentVolumeClaim
58	metadata:
59	name: recipes-media
60	namespace: tandoor
61	labels:
62	app: recipes
63	spec:
64	accessModes:
65	- ReadWriteMany
66	resources:
67	requests:
68	storage: 100Gi
69	storageClassName: rook-cephfs
70	---
71	apiVersion: v1
72	kind: PersistentVolumeClaim
73	metadata:
74	name: recipes-static
75	namespace: tandoor
76	labels:
77	app: recipes
78	spec:
79	accessModes:
80	- ReadWriteMany
81	resources:
82	requests:
83	storage: 100Gi
84	storageClassName: rook-cephfs
85	---
86	apiVersion: apps/v1
87	kind: StatefulSet
88	metadata:
89	labels:
90	app: recipes
91	tier: database
92	name: recipes-postgresql
93	namespace: tandoor
94	spec:
95	replicas: 1
96	selector:
97	matchLabels:
98	app: recipes
99	serviceName: recipes-postgresql
100	updateStrategy:
101	type: RollingUpdate
102	template:
103	metadata:
104	annotations:
105	backup.velero.io/backup-volumes: data
106	labels:
107	app: recipes
108	tier: database
109	name: recipes-postgresql
110	spec:
111	containers:
112	- name: recipes-db
113	env:
114	- name: BITNAMI_DEBUG
115	value: "false"
116	- name: POSTGRESQL_PORT_NUMBER
117	value: "5432"
118	- name: POSTGRESQL_VOLUME_DIR
119	value: /bitnami/postgresql
120	- name: PGDATA
121	value: /bitnami/postgresql/data
122	- name: POSTGRES_USER
123	value: recipes
124	- name: POSTGRES_PASSWORD
125	valueFrom:
126	secretKeyRef:
127	name: recipes
128	key: postgresql-password
129	- name: POSTGRESQL_POSTGRES_PASSWORD
130	valueFrom:
131	secretKeyRef:
132	name: recipes
133	key: postgresql-postgres-password
134	- name: POSTGRES_DB
135	value: recipes
136	image: docker.io/bitnami/postgresql:15.5.0-debian-11-r17
137	imagePullPolicy: IfNotPresent
138	livenessProbe:
139	exec:
140	command:
141	- sh
142	- -c
143	- exec pg_isready -U "postgres" -d "wiki" -h 127.0.0.1 -p 5432
144	failureThreshold: 6
145	initialDelaySeconds: 30
146	periodSeconds: 10
147	successThreshold: 1
148	timeoutSeconds: 5
149	ports:
150	- containerPort: 5432
151	name: postgresql
152	protocol: TCP
153	readinessProbe:
154	exec:
155	command:
156	- sh
157	- -c
158	- -e
159	- \|
160	pg_isready -U "postgres" -d "wiki" -h 127.0.0.1 -p 5432
161	[ -f /opt/bitnami/postgresql/tmp/.initialized ]
162	failureThreshold: 6
163	initialDelaySeconds: 5
164	periodSeconds: 10
165	successThreshold: 1
166	timeoutSeconds: 5
167	resources:
168	requests:
169	cpu: 250m
170	memory: 256Mi
171	securityContext:
172	runAsUser: 1001
173	terminationMessagePath: /dev/termination-log
174	terminationMessagePolicy: File
175	volumeMounts:
176	- mountPath: /bitnami/postgresql
177	name: data
178	dnsPolicy: ClusterFirst
179	initContainers:
180	- command:
181	- sh
182	- -c
183	- \|
184	mkdir -p /bitnami/postgresql/data
185	chmod 700 /bitnami/postgresql/data
186	find /bitnami/postgresql -mindepth 0 -maxdepth 1 -not -name ".snapshot" -not -name "lost+found" \| \
187	xargs chown -R 1001:1001
188	image: docker.io/bitnami/minideb:stretch
189	imagePullPolicy: Always
190	name: init-chmod-data
191	resources:
192	requests:
193	cpu: 250m
194	memory: 256Mi
195	securityContext:
196	runAsUser: 0
197	volumeMounts:
198	- mountPath: /bitnami/postgresql
199	name: data
200	restartPolicy: Always
201	securityContext:
202	fsGroup: 1001
203	serviceAccount: recipes
204	serviceAccountName: recipes
205	terminationGracePeriodSeconds: 30
206	volumeClaimTemplates:
207	- apiVersion: v1
208	kind: PersistentVolumeClaim
209	metadata:
210	name: data
211	spec:
212	accessModes:
213	- ReadWriteOnce
214	resources:
215	requests:
216	storage: 50Gi
217	volumeMode: Filesystem
218	storageClassName: rook-ssd-block
219	---
220	apiVersion: v1
221	kind: Service
222	metadata:
223	labels:
224	app: recipes
225	tier: database
226	name: recipes-postgresql
227	namespace: tandoor
228	spec:
229	ports:
230	- name: postgresql
231	port: 5432
232	protocol: TCP
233	targetPort: postgresql
234	selector:
235	app: recipes
236	tier: database
237	sessionAffinity: None
238	type: ClusterIP
239	---
240	apiVersion: apps/v1
241	kind: Deployment
242	metadata:
243	name: recipes
244	namespace: tandoor
245	labels:
246	app: recipes
247	environment: production
248	tier: frontend
249	spec:
250	replicas: 1
251	strategy:
252	type: Recreate
253	selector:
254	matchLabels:
255	app: recipes
256	environment: production
257	template:
258	metadata:
259	annotations:
260	backup.velero.io/backup-volumes: media,static
261	labels:
262	app: recipes
263	tier: frontend
264	environment: production
265	spec:
266	restartPolicy: Always
267	serviceAccount: recipes
268	serviceAccountName: recipes
269	initContainers:
270	- name: init-chmod-data
271	env:
272	- name: SECRET_KEY
273	valueFrom:
274	secretKeyRef:
275	name: recipes
276	key: secret-key
277	- name: DB_ENGINE
278	value: django.db.backends.postgresql
279	- name: POSTGRES_HOST
280	value: recipes-postgresql
281	- name: POSTGRES_PORT
282	value: "5432"
283	- name: POSTGRES_USER
284	value: postgres
285	- name: POSTGRES_DB
286	value: recipes
287	- name: POSTGRES_PASSWORD
288	valueFrom:
289	secretKeyRef:
290	name: recipes
291	key: postgresql-postgres-password
292	image: vabene1111/recipes
293	imagePullPolicy: Always
294	resources:
295	requests:
296	cpu: 250m
297	memory: 64Mi
298	command:
299	- sh
300	- -c
301	- \|
302	set -e
303	source venv/bin/activate
304	echo "Updating database"
305	python manage.py migrate
306	python manage.py collectstatic_js_reverse
307	python manage.py collectstatic --noinput
308	echo "Setting media file attributes"
309	chown -R 65534:65534 /opt/recipes/mediafiles
310	find /opt/recipes/mediafiles -type d \| xargs -r chmod 755
311	find /opt/recipes/mediafiles -type f \| xargs -r chmod 644
312	echo "Done"
313	securityContext:
314	runAsUser: 0
315	volumeMounts:
316	- mountPath: /opt/recipes/mediafiles
317	name: media
318	# mount as subPath due to lost+found on ext4 pvc
319	subPath: files
320	- mountPath: /opt/recipes/staticfiles
321	name: static
322	# mount as subPath due to lost+found on ext4 pvc
323	subPath: files
324	containers:
325	- name: recipes-nginx
326	image: nginx:latest
327	imagePullPolicy: IfNotPresent
328	ports:
329	- containerPort: 80
330	protocol: TCP
331	name: http
332	- containerPort: 8080
333	protocol: TCP
334	name: gunicorn
335	resources:
336	requests:
337	cpu: 250m
338	memory: 64Mi
339	volumeMounts:
340	- mountPath: /media
341	name: media
342	# mount as subPath due to lost+found on ext4 pvc
343	subPath: files
344	- mountPath: /static
345	name: static
346	# mount as subPath due to lost+found on ext4 pvc
347	subPath: files
348	- name: nginx-config
349	mountPath: /etc/nginx/nginx.conf
350	subPath: nginx-config
351	readOnly: true
352	- name: recipes
353	image: vabene1111/recipes
354	imagePullPolicy: IfNotPresent
355	command:
356	- /opt/recipes/venv/bin/gunicorn
357	- -b
358	- :8080
359	- --access-logfile
360	- "-"
361	- --error-logfile
362	- "-"
363	- --log-level
364	- INFO
365	- recipes.wsgi
366	livenessProbe:
367	failureThreshold: 3
368	httpGet:
369	path: /
370	port: 8080
371	scheme: HTTP
372	periodSeconds: 30
373	readinessProbe:
374	httpGet:
375	path: /
376	port: 8080
377	scheme: HTTP
378	periodSeconds: 30
379	resources:
380	requests:
381	cpu: 250m
382	memory: 64Mi
383	volumeMounts:
384	- mountPath: /opt/recipes/mediafiles
385	name: media
386	# mount as subPath due to lost+found on ext4 pvc
387	subPath: files
388	- mountPath: /opt/recipes/staticfiles
389	name: static
390	# mount as subPath due to lost+found on ext4 pvc
391	subPath: files
392	env:
393	- name: DEBUG
394	value: "0"
395	- name: ALLOWED_HOSTS
396	value: '*'
397	- name: SECRET_KEY
398	valueFrom:
399	secretKeyRef:
400	name: recipes
401	key: secret-key
402	- name: GUNICORN_MEDIA
403	value: "0"
404	- name: DB_ENGINE
405	value: django.db.backends.postgresql
406	- name: POSTGRES_HOST
407	value: recipes-postgresql
408	- name: POSTGRES_PORT
409	value: "5432"
410	- name: POSTGRES_USER
411	value: postgres
412	- name: POSTGRES_DB
413	value: recipes
414	- name: POSTGRES_PASSWORD
415	valueFrom:
416	secretKeyRef:
417	name: recipes
418	key: postgresql-postgres-password
419	securityContext:
420	runAsUser: 65534
421	volumes:
422	- name: media
423	persistentVolumeClaim:
424	claimName: recipes-media
425	- name: static
426	persistentVolumeClaim:
427	claimName: recipes-static
428	- name: nginx-config
429	configMap:
430	name: recipes-nginx-config
431	---
432	apiVersion: v1
433	kind: Service
434	metadata:
435	name: recipes
436	namespace: tandoor
437	labels:
438	app: recipes
439	tier: frontend
440	spec:
441	selector:
442	app: recipes
443	tier: frontend
444	environment: production
445	ports:
446	- port: 80
447	targetPort: http
448	name: http
449	protocol: TCP
450	- port: 8080
451	targetPort: gunicorn
452	name: gunicorn
453	protocol: TCP
454	---
455	apiVersion: networking.k8s.io/v1
456	kind: Ingress
457	metadata:
458	annotations:
459	kubernetes.io/tls-acme: "true"
460	cert-manager.io/cluster-issuer: letsencrypt-prod
461	name: recipes
462	namespace: tandoor
463	spec:
464	ingressClassName: nginx
465	rules:
466	- host: recipes.tblflp.net
467	http:
468	paths:
469	- backend:
470	service:
471	name: recipes
472	port:
473	number: 8080
474	path: /
475	pathType: Prefix
476	- backend:
477	service:
478	name: recipes
479	port:
480	number: 80
481	path: /media
482	pathType: Prefix
483	- backend:
484	service:
485	name: recipes
486	port:
487	number: 80
488	path: /static
489	pathType: Prefix
490	tls:
491	- hosts:
492	- recipes.tblflp.net
493	secretName: recipes-local-tls