Codius host kubernetes manifests
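---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: acme-dns
  namespace: acme-dns
  annotations:
    kubernetes.io/ingress.class: "traefik"
spec:
  # No spec.tls is defined here, so unless the traefik instance terminates TLS
  # on its own, the /update requests (which carry the acme-dns API credentials
  # in request headers) reach this host in clear text — TODO confirm.
  # The original also carried an "https:" rule key; an IngressRule has no
  # such field (only "http"), so it fails validation and is dropped here.
  rules:
    - host: "acme.codius.example.com"
      # Only /update is published; /register stays in-cluster so nobody on the
      # outside can enrol new accounts against this acme-dns instance.
      http:
        paths:
          - path: /update
            backend:
              # The acme-dns Service in this namespace is named "acme-dns"
              # (see the acme-dns Service manifest); the former target
              # "acme-dns-service" does not exist and left this rule without
              # endpoints.
              serviceName: acme-dns
              servicePort: 80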
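---
kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
# Maps a listening port on the ingress-nginx controller to
# "<namespace>/<service>:<port>".
# NOTE(review): a tcp-services ConfigMap with the same name and namespace is
# also defined in the modified ingress-nginx mandatory.yaml in this gist;
# whichever is applied last wins.
data:
  # Key quoted so it is an explicit string rather than a YAML integer.
  # The acme-dns Service lives in the acme-dns namespace and is named
  # "acme-dns"; the former target "default/acme-dns-service" matches nothing
  # in these manifests.
  "53": "acme-dns/acme-dns:53"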
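---
kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
# Maps a UDP listening port on the ingress-nginx controller to
# "<namespace>/<service>:<port>".
# NOTE(review): a udp-services ConfigMap with the same name and namespace is
# also defined in the modified ingress-nginx mandatory.yaml in this gist;
# whichever is applied last wins.
data:
  # Key quoted so it is an explicit string rather than a YAML integer.
  # The acme-dns Service lives in the acme-dns namespace and is named
  # "acme-dns"; the former target "default/acme-dns-service" matches nothing
  # in these manifests.
  "53": "acme-dns/acme-dns:53"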
---
# Dedicated namespace for the acme-dns DNS-01 challenge responder.
apiVersion: v1
kind: Namespace
metadata:
  name: acme-dns
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: acme-dns-pvc
  namespace: acme-dns
spec:
  # Node-local storage; together with ReadWriteOnce this ties the acme-dns
  # pod to one node. Presumably the account/TXT-record state is kept here —
  # confirm against config.cfg.
  storageClassName: local-path
  accessModes: [ReadWriteOnce]
  resources:
    requests:
      storage: 50Mi
---
apiVersion: v1
kind: Service
metadata:
  name: acme-dns
  namespace: acme-dns
spec:
  selector:
    app: acme-dns
  ports:
    # Port 80 is the in-cluster target of both the acme-dns Ingress (/update)
    # and cert-manager's acmedns host http://acme-dns.acme-dns.
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
    # 53/TCP and 53/UDP are the targets of ingress-nginx's tcp-services and
    # udp-services ConfigMaps.
    - name: dns-tcp
      protocol: TCP
      port: 53
      targetPort: 53
    - name: dns-udp
      protocol: UDP
      port: 53
      targetPort: 53
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: acme-dns
  namespace: acme-dns
  labels:
    app: acme-dns
spec:
  # Single replica: the data volume below is ReadWriteOnce.
  replicas: 1
  selector:
    matchLabels:
      app: acme-dns
  template:
    metadata:
      labels:
        app: acme-dns
    spec:
      # NOTE(review): no securityContext or resource limits are set on this
      # container — worth adding once the image's runtime user is known.
      containers:
        - name: acme-dns
          # TODO(review): untagged image resolves to a mutable tag; pin a tag or
          # digest so the challenge responder cannot change underneath you.
          image: joohoi/acme-dns
          ports:
            - name: https
              containerPort: 443
            - name: http
              containerPort: 80
            - name: dns
              containerPort: 53
            - name: dns-udp
              containerPort: 53
              protocol: UDP
          volumeMounts:
            # config.cfg is projected from the acme-dns-config ConfigMap, which
            # is not part of this gist.
            - name: config-volume
              mountPath: /etc/acme-dns/config.cfg
              subPath: config.cfg
            - name: data-volume
              mountPath: /var/lib/acme-dns
      volumes:
        - name: config-volume
          configMap:
            name: acme-dns-config
        - name: data-volume
          persistentVolumeClaim:
            claimName: acme-dns-pvc
---
# NOTE(review): certmanager.k8s.io/v1alpha1 is the legacy cert-manager API
# group; the per-domain "acme.config" block below is its v1alpha1 shape.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: codius-host-certificate
  namespace: codiusd
spec:
  # The codiusd Ingress consumes this Secret for TLS.
  secretName: codiusd-certificate
  issuerRef:
    name: issuer-letsencrypt
    namespace: codiusd
  commonName: codius.example.com
  # The wildcard covers the *.codius.example.com hosts the codiusd Ingress
  # serves; wildcard names can only be proven with DNS-01.
  dnsNames:
    - codius.example.com
    - "*.codius.example.com"
  acme:
    config:
      - dns01:
          provider: acmedns
        domains:
          - codius.example.com
          - "*.codius.example.com"
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: issuer-letsencrypt
  namespace: codiusd
spec:
  acme:
    # Production Let's Encrypt directory: issuance rate limits apply.
    server: https://acme-v02.api.letsencrypt.org/directory
    # Placeholder contact address; replace before applying.
    email: yourname@codius.example.com
    privateKeySecretRef:
      name: account-private-key-secret
    dns01:
      providers:
        - name: acmedns
          acmedns:
            # host: https://acme.codius.example.com
            # cert-manager reaches acme-dns over the in-cluster Service (plain
            # HTTP that does not leave the cluster) instead of the public
            # acme.codius.example.com Ingress.
            host: http://acme-dns.acme-dns
            accountSecretRef:
              # acmedns.json holds the per-domain acme-dns credentials; the
              # Secret itself is not part of this gist.
              name: certmanager-secret
              key: acmedns.json
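---
kind: NetworkPolicy
apiVersion: networking.k8s.io/v1
metadata:
  namespace: codius-untrusted
  name: codius-untrusted
# Egress fence for the untrusted Codius workloads. A NetworkPolicy is only
# enforced when the cluster's CNI plugin supports it — confirm for this
# cluster before relying on it.
spec:
  # Every pod in the namespace.
  podSelector: {}
  # Only egress is restricted; ingress to these pods is left unrestricted by
  # this policy.
  policyTypes:
    - Egress
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              # Private ranges: keeps untrusted pods away from nodes, other
              # pods/services and anything else on the internal network.
              # This also blocks cluster DNS if it lives in one of these ranges
              # — presumably intentional, confirm.
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              # Link-local, which includes cloud instance-metadata endpoints
              # (169.254.169.254) that hand out node credentials.
              - 169.254.0.0/16
              # TODO(review): if the pod or service CIDR falls outside the
              # ranges above (e.g. 100.64.0.0/10), add it here as well. No
              # IPv6 rule is defined.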
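---
apiVersion: v1
kind: Service
metadata:
  name: codiusd-service
  # Without a namespace this Service lands in "default" (unless applied with
  # -n codiusd), where no pod carries app=codiusd and the load balancer has no
  # endpoints; codiusd runs in the codiusd namespace (see its Deployment).
  namespace: codiusd
spec:
  # NOTE(review): LoadBalancer publishes port 3000 directly, bypassing the TLS
  # and security headers the codiusd Ingress adds — confirm that is intended.
  type: LoadBalancer
  selector:
    app: codiusd
  ports:
    - protocol: TCP
      port: 3000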
---
# Trusted side: the codiusd host daemon and its RBAC identity.
apiVersion: v1
kind: Namespace
metadata:
  name: codiusd
---
# Untrusted side: pods started by codiusd; egress is fenced by the
# codius-untrusted NetworkPolicy.
apiVersion: v1
kind: Namespace
metadata:
  name: codius-untrusted
---
# Identity the codiusd pod runs as; it is bound to a pod-management Role in
# codius-untrusted only.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: codiusd
  namespace: codiusd
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: codius-untrusted
  name: codiusd
# Least-privilege scope: codiusd manages pods only inside codius-untrusted,
# not in its own namespace and not cluster-wide.
rules:
  - apiGroups:
      - ""
    resources:
      - pods
    verbs:
      - get
      - list
      - watch
      - create
      - update
      - patch
      - delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: codiusd
  namespace: codius-untrusted
# Grants the codiusd ServiceAccount (which lives in the codiusd namespace) the
# pod-management Role inside codius-untrusted.
subjects:
  - kind: ServiceAccount
    name: codiusd
    namespace: codiusd
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: codiusd
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: codiusd-pvc
  namespace: codiusd
spec:
  # Node-local storage backing /var/lib/codius in the codiusd Deployment.
  storageClassName: local-path
  accessModes: [ReadWriteOnce]
  resources:
    requests:
      storage: 100Mi
---
apiVersion: v1
kind: Service
metadata:
  name: codiusd-service
  namespace: codiusd
spec:
  # NOTE(review): LoadBalancer publishes port 3000 directly, so clients can
  # reach codiusd over plain HTTP without the TLS and security headers the
  # codiusd Ingress adds; ClusterIP would leave the Ingress as the only public
  # path. Confirm whether direct access is intended.
  type: LoadBalancer
  selector:
    app: codiusd
  ports:
    - protocol: TCP
      port: 3000
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: codiusd
  namespace: codiusd
  annotations:
    kubernetes.io/ingress.class: "traefik"
    # ssl-redirect stays disabled, as in the original; plain-HTTP requests are
    # therefore still served, and HSTS only protects browsers that have
    # already seen the header over HTTPS.
    # ingress.kubernetes.io/ssl-redirect: "true"
    ingress.kubernetes.io/hsts-max-age: "63072000"
    ingress.kubernetes.io/hsts-include-subdomains: "true"
    ingress.kubernetes.io/hsts-preload: "true"
    ingress.kubernetes.io/frame-deny: "true"
    ingress.kubernetes.io/content-type-nosniff: "true"
    ingress.kubernetes.io/browser-xss-filter: "true"
spec:
  tls:
    - hosts:
        - codius.example.com
        - "*.codius.example.com"
      # Issued by the codius-host-certificate Certificate.
      secretName: codiusd-certificate
  # Both hosts route to the same backend; the original expressed this with a
  # YAML anchor, spelled out here so tooling that does not expand aliases
  # still sees both rules.
  rules:
    - host: "codius.example.com"
      http:
        paths:
          - backend:
              serviceName: codiusd-service
              servicePort: 3000
    - host: "*.codius.example.com"
      http:
        paths:
          - backend:
              serviceName: codiusd-service
              servicePort: 3000
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: codiusd
  namespace: codiusd
  labels:
    app: codiusd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: codiusd
  template:
    metadata:
      labels:
        app: codiusd
    spec:
      # Pod-management rights in codius-untrusted come from this account.
      serviceAccountName: codiusd
      containers:
        - name: codiusd
          # TODO(review): untagged image; pin a tag or digest.
          image: wilsonianbcoil/codiusd
          env:
            - name: CODIUS_PUBLIC_URI
              value: https://codius.example.com
            - name: DEBUG
              value: "*codiusd*"
            - name: CODIUS_BIND_IP
              value: "0.0.0.0"
            # NOTE(review): the admin API is switched on and, with the bind
            # address above, listens on the pod IP (presumably port 3001 —
            # confirm). Neither the Service nor the Ingress publish 3001, so it
            # is reachable only from inside the cluster network.
            - name: CODIUS_ADMIN_API
              value: "true"
            # Plain-text BTP to moneyd inside the cluster.
            - name: ILP_BTP_SERVER
              value: "btp+ws://moneyd.moneyd:7768"
            # Namespace in which codiusd creates contract pods; matches the
            # Role/RoleBinding above.
            - name: CODIUS_K8S_NAMESPACE
              value: codius-untrusted
          ports:
            - containerPort: 3000
            - containerPort: 3001
          volumeMounts:
            - name: data-volume
              mountPath: /var/lib/codius
      volumes:
        - name: data-volume
          persistentVolumeClaim:
            claimName: codiusd-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  # The controller's --publish-service flag points at this Service, so its
  # address is what gets written into Ingress status. It is ClusterIP only;
  # external reachability of port 53 comes from the controller's hostPort.
  type: ClusterIP
  selector:
    app: ingress-nginx
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
    - name: dns-tcp
      protocol: TCP
      port: 53
      targetPort: 53
    - name: dns-udp
      protocol: UDP
      port: 53
      targetPort: 53
# https://raw.githubusercontent.com/kubernetes/ingress-nginx/nginx-0.24.1/deploy/mandatory.yaml
# modified to expose port 53 (53/TCP and 53/UDP, forwarded to acme-dns)
---
apiVersion: v1
kind: Namespace
metadata:
  name: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
# Intentionally empty (upstream default): controller-wide nginx settings would
# be added as data keys here.
---
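kind: ConfigMap
apiVersion: v1
metadata:
  name: tcp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
# Local modification: forward 53/TCP on the controller to the acme-dns Service
# ("<namespace>/<service>:<port>"), so DNS-01 challenge lookups arriving on the
# controller's hostPort 53 reach acme-dns.
data:
  # Quoted: ConfigMap data keys are strings, and an unquoted 53 is a YAML
  # integer whose stringification is left to the client.
  "53": "acme-dns/acme-dns:53"
---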
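kind: ConfigMap
apiVersion: v1
metadata:
  name: udp-services
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
# Local modification: forward 53/UDP on the controller to the acme-dns Service
# ("<namespace>/<service>:<port>"), the usual transport for DNS-01 lookups.
data:
  # Quoted: ConfigMap data keys are strings, and an unquoted 53 is a YAML
  # integer whose stringification is left to the client.
  "53": "acme-dns/acme-dns:53"
---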
# Identity of the ingress controller pod (upstream).
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nginx-ingress-serviceaccount
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: nginx-ingress-clusterrole
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
# From the upstream 0.24.1 mandatory.yaml referenced at the top of this file.
# NOTE(review): list/watch on secrets is cluster-wide — the controller can read
# every Secret in the cluster, not only the TLS Secrets Ingresses reference.
rules:
  - apiGroups: [""]
    resources: ["configmaps", "endpoints", "nodes", "pods", "secrets"]
    verbs: ["list", "watch"]
  - apiGroups: [""]
    resources: ["nodes"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["events"]
    verbs: ["create", "patch"]
  - apiGroups: ["extensions"]
    resources: ["ingresses/status"]
    verbs: ["update"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: Role
metadata:
  name: nginx-ingress-role
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
# Namespace-local rights (upstream): reading the controller's own ConfigMaps
# and holding the leader-election ConfigMap.
rules:
  - apiGroups: [""]
    resources: ["configmaps", "pods", "secrets", "namespaces"]
    verbs: ["get"]
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames:
      # Defaults to "<election-id>-<ingress-class>"
      # Here: "<ingress-controller-leader>-<nginx>"
      # This has to be adapted if you change either parameter
      # when launching the nginx-ingress-controller.
      - "ingress-controller-leader-nginx"
    verbs: ["get", "update"]
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  name: nginx-ingress-role-nisa-binding
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
# Binds the namespace-local Role to the controller's ServiceAccount.
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: nginx-ingress-role
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: nginx-ingress-clusterrole-nisa-binding
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
# Binds the cluster-wide ClusterRole (including secret list/watch) to the
# controller's ServiceAccount.
subjects:
  - kind: ServiceAccount
    name: nginx-ingress-serviceaccount
    namespace: ingress-nginx
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: nginx-ingress-clusterrole
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress-controller
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: ingress-nginx
      app.kubernetes.io/part-of: ingress-nginx
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      annotations:
        prometheus.io/port: "10254"
        prometheus.io/scrape: "true"
    spec:
      serviceAccountName: nginx-ingress-serviceaccount
      containers:
        - name: nginx-ingress-controller
          image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.24.1
          args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-configuration
            # tcp-services / udp-services carry the port-53 forwarding to acme-dns.
            - --tcp-services-configmap=$(POD_NAMESPACE)/tcp-services
            - --udp-services-configmap=$(POD_NAMESPACE)/udp-services
            - --publish-service=$(POD_NAMESPACE)/ingress-nginx
            - --annotations-prefix=nginx.ingress.kubernetes.io
          securityContext:
            # Upstream setting; the image presumably relies on file capabilities
            # to bind ports below 1024 as www-data, which no_new_privs would
            # block — confirm before tightening to false.
            allowPrivilegeEscalation: true
            capabilities:
              drop: ["ALL"]
              add: ["NET_BIND_SERVICE"]
            # www-data -> 33
            runAsUser: 33
          env:
            - name: POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
            # Local modification: 53/TCP and 53/UDP are also bound on the node
            # (hostPort), presumably so the DNS-01 responder behind the
            # tcp/udp-services ConfigMaps is reachable on the node's public
            # address — confirm nothing else on the node owns port 53.
            - name: dns-tcp
              containerPort: 53
              hostPort: 53
              protocol: TCP
            - name: dns-udp
              containerPort: 53
              hostPort: 53
              protocol: UDP
          livenessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 10
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /healthz
              port: 10254
              scheme: HTTP
            periodSeconds: 10
            timeoutSeconds: 10
            successThreshold: 1
            failureThreshold: 3
---
# from https://raw.githubusercontent.com/kata-containers/packaging/master/kata-deploy/kata-deploy.yaml
# removes expectation that containerd is running via systemd
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: kata-deploy
  namespace: kube-system
spec:
  selector:
    matchLabels:
      name: kata-deploy
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        name: kata-deploy
    spec:
      # kata-label-node is the ServiceAccount from the upstream kata-deploy RBAC
      # manifest, which is not part of this gist.
      serviceAccountName: kata-label-node
      containers:
        - name: kube-kata
          # NOTE(review): this pod writes runtime config and binaries onto every
          # node through the hostPath mounts below, so whatever is behind the
          # untagged katadocker/kata-deploy tag (re-pulled on every start) is
          # trusted with node integrity — pin a digest.
          image: katadocker/kata-deploy
          imagePullPolicy: Always
          # Local modification: comment out the script's "systemctl restart"
          # lines before running install, so the installer does not expect
          # containerd to be managed by systemd.
          command:
            - bash
            - "-c"
            - "sed -i 's/systemctl restart \\$1/#&/' /opt/kata-artifacts/scripts/kata-deploy.sh; /opt/kata-artifacts/scripts/kata-deploy.sh install"
          lifecycle:
            preStop:
              exec:
                command: ["bash", "-c", "/opt/kata-artifacts/scripts/kata-deploy.sh cleanup"]
          env:
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          # NOTE(review): privileged is off, but the dbus and systemd mounts
          # below hand the pod the node's service-manager sockets, so this is
          # not a meaningful boundary for what the pod can do to the node.
          securityContext:
            privileged: false
          volumeMounts:
            - name: crio-conf
              mountPath: /etc/crio/
            - name: containerd-conf
              mountPath: /etc/containerd/
            - name: kata-artifacts
              mountPath: /opt/kata/
            - name: dbus
              mountPath: /var/run/dbus
            - name: systemd
              mountPath: /run/systemd
            - name: local-bin
              mountPath: /usr/local/bin/
      volumes:
        - name: crio-conf
          hostPath:
            path: /etc/crio/
        - name: containerd-conf
          hostPath:
            path: /etc/containerd/
        - name: kata-artifacts
          hostPath:
            path: /opt/kata/
            type: DirectoryOrCreate
        - name: dbus
          hostPath:
            path: /var/run/dbus
        - name: systemd
          hostPath:
            path: /run/systemd
        - name: local-bin
          hostPath:
            path: /usr/local/bin/
---
# Namespace for the moneyd ILP connector that codiusd pays through.
apiVersion: v1
kind: Namespace
metadata:
  name: moneyd
---
apiVersion: v1
kind: Service
metadata:
  name: moneyd
  namespace: moneyd
spec:
  # BTP endpoint codiusd dials as btp+ws://moneyd.moneyd:7768. No
  # NetworkPolicy in this gist restricts who may reach it in-cluster.
  selector:
    app: moneyd
  ports:
    - protocol: TCP
      port: 7768
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: moneyd
  namespace: moneyd
  labels:
    app: moneyd
spec:
  replicas: 1
  selector:
    matchLabels:
      app: moneyd
  template:
    metadata:
      labels:
        app: moneyd
    spec:
      containers:
        - name: moneyd-xrp
          # TODO(review): untagged image; pin a tag or digest — this container
          # is handed the moneyd-config Secret (presumably the XRP account).
          image: wilsonianbcoil/moneyd-xrp
          args:
            - xrp:start
          env:
            # NOTE(review): "*" enables every debug namespace; check that the
            # resulting logs contain no secret material before forwarding them
            # to a log aggregator.
            - name: DEBUG
              value: "*"
          ports:
            - containerPort: 7768
          volumeMounts:
            # The moneyd-config Secret (not part of this gist) is projected
            # over /root, read-only.
            - name: moneyd-config
              mountPath: "/root"
              readOnly: true
      volumes:
        - name: moneyd-config
          secret:
            secretName: moneyd-config
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: selftest
  labels:
    app: selftest
spec:
  replicas: 1
  selector:
    matchLabels:
      app: selftest
  template:
    metadata:
      labels:
        app: selftest
    spec:
      # NOTE(review): no namespace is set, so this must be applied with
      # -n codiusd for the codiusd ServiceAccount to resolve; that account also
      # carries pod-management rights in codius-untrusted, which a self-test
      # workload may not need — confirm.
      serviceAccountName: codiusd
      containers:
        - name: selftest
          # Pinned by digest — the only image in this gist that is.
          image: androswong418/codius-test-image@sha256:0dce885c4e558a8a7612b80e3c7f5faa54520ed27836b1f892962cf855d031a2
          ports:
            - containerPort: 3000