├── README.md
├── efk
├── elasticsearch-statefulset.yaml
├── elasticsearch-storageclass.yaml
├── elasticsearch-svc.yaml
├── fluentd-configmap.yaml
├── fluentd-daemonset.yaml
├── kibana.yaml
└── kube-logging.yaml
├── elasticsearch
├── es-client.yaml
├── es-data.yaml
├── es-discovery-svc.yaml
├── es-kb-svc.yaml
├── es-kb.yaml
├── es-master.yaml
└── es-svc.yaml
├── gitlab
├── gitlab-deploy.yaml
├── gitlab-ingress.yaml
├── gitlab-svc.yaml
├── postgresql-deploy.yaml
├── postgresql-svc.yaml
├── redis-deploy.yaml
└── redis-svc.yaml
├── harbor
├── adminserver
│ ├── adminserver.cm.yaml
│ ├── adminserver.rc.yaml
│ └── adminserver.svc.yaml
├── harbor.cfg
├── jobservice
│ ├── jobservice.cm.yaml
│ ├── jobservice.rc.yaml
│ └── jobservice.svc.yaml
├── mysql
│ ├── mysql.cm.yaml
│ ├── mysql.rc.yaml
│ └── mysql.svc.yaml
├── nginx
│ ├── nginx.cm.yaml
│ ├── nginx.rc.yaml
│ └── nginx.svc.yaml
├── prepare
├── pv
│ └── ops.pv.yaml
├── registry
│ ├── registry.cm.yaml
│ ├── registry.rc.yaml
│ └── registry.svc.yaml
├── templates
│ ├── adminserver.cm.yaml
│ ├── jobservice.cm.yaml
│ ├── mysql.cm.yaml
│ ├── nginx.cm.yaml
│ ├── registry.cm.yaml
│ └── ui.cm.yaml
└── ui
│ ├── ui.cm.yaml
│ ├── ui.rc.yaml
│ └── ui.svc.yaml
├── jenkins
├── deploy.yaml
├── rbac.yaml
├── service.yaml
└── volume.yaml
├── monitor
├── grafana.yaml
├── heapster.yaml
└── influxdb.yaml
├── prometheus
├── node-exporter.yaml
├── prometheus-cm.yaml
├── prometheus-deploy.yaml
├── prometheus-sa.yaml
└── prometheus-svc.yaml
├── sentry
├── README.md
├── deployment.yaml
├── deployment0.yaml
└── svc.yaml
└── traefik2
├── IngressRoute.yaml
├── canary
├── appv1.yaml
├── appv2.yaml
├── rbac.yaml
├── traefik-dynamic.toml
└── traefik.yaml
├── crd.yaml
├── https
├── IngressRoute.yaml
├── crd.yaml
├── rbac.yaml
└── traefik.yaml
├── rbac.yaml
├── redis
├── IngressRoute.yaml
├── crd.yaml
├── rbac.yaml
└── traefik.yaml
└── traefik.yaml
/README.md:
--------------------------------------------------------------------------------
1 | # k8s-repo
2 | Some commonly used Kubernetes apps 🎉🎉🎉~~~
3 |
4 |
5 |
--------------------------------------------------------------------------------
/efk/elasticsearch-statefulset.yaml:
--------------------------------------------------------------------------------
---
# Three-node Elasticsearch (OSS 6.4.3) cluster for the `logging` namespace.
# Member addresses es-cluster-<n>.elasticsearch resolve through the headless
# `elasticsearch` service (elasticsearch-svc.yaml), which is what unicast
# discovery below relies on.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: es-cluster
  namespace: logging
spec:
  serviceName: elasticsearch
  replicas: 3
  selector:
    matchLabels:
      app: elasticsearch
  template:
    metadata:
      labels:
        app: elasticsearch
    spec:
      containers:
        - name: elasticsearch
          image: docker.elastic.co/elasticsearch/elasticsearch-oss:6.4.3
          resources:
            limits:
              cpu: 1000m
            requests:
              cpu: 100m
          ports:
            - name: rest
              containerPort: 9200
              protocol: TCP
            - name: inter-node
              containerPort: 9300
              protocol: TCP
          volumeMounts:
            - name: data
              mountPath: /usr/share/elasticsearch/data
          env:
            - name: cluster.name
              value: k8s-logs
            # each member is named after its pod, so names are stable across restarts
            - name: node.name
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: discovery.zen.ping.unicast.hosts
              value: "es-cluster-0.elasticsearch,es-cluster-1.elasticsearch,es-cluster-2.elasticsearch"
            # majority of the 3 replicas; keep in step with `replicas` if it changes
            - name: discovery.zen.minimum_master_nodes
              value: "2"
            - name: ES_JAVA_OPTS
              value: "-Xms512m -Xmx512m"
      initContainers:
        # Hands the data volume to the uid the elasticsearch image runs as.
        # NOTE(review): chown needs root inside the container, not
        # `privileged: true`; `runAsUser: 0` would be the narrower setting —
        # confirm the volume backend accepts the chown either way.
        - name: fix-permissions
          image: busybox
          command: ["sh", "-c", "chown -R 1000:1000 /usr/share/elasticsearch/data"]
          securityContext:
            privileged: true
          volumeMounts:
            - name: data
              mountPath: /usr/share/elasticsearch/data
        # vm.max_map_count is a non-namespaced kernel sysctl, hence the
        # privileged container; the setting is node-wide and outlives the pod.
        - name: increase-vm-max-map
          image: busybox
          command: ["sysctl", "-w", "vm.max_map_count=262144"]
          securityContext:
            privileged: true
        # NOTE(review): `ulimit` only changes the limit of this init container's
        # shell; it does not carry over to the elasticsearch container, whose
        # nofile limit comes from the container runtime — confirm this is intended.
        # NOTE(review): `busybox` is untagged in all three init containers, so
        # the image resolves to whatever `latest` is at pull time.
        - name: increase-fd-ulimit
          image: busybox
          command: ["sh", "-c", "ulimit -n 65536"]
          securityContext:
            privileged: true
  volumeClaimTemplates:
    - metadata:
        name: data
        labels:
          app: elasticsearch
      spec:
        accessModes:
          - ReadWriteOnce
        # provisioned by elasticsearch-storageclass.yaml
        storageClassName: es-data-db
        resources:
          requests:
            storage: 50Gi
--------------------------------------------------------------------------------
/efk/elasticsearch-storageclass.yaml:
--------------------------------------------------------------------------------
---
# StorageClass backing the `data` volumeClaimTemplates of the es-cluster
# StatefulSet. `fuseim.pri/ifs` is the provisioner name used by the external
# nfs-client provisioner; that provisioner has to be running in the cluster
# already or the PVCs stay Pending — presumably deployed separately.
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: es-data-db
provisioner: fuseim.pri/ifs
--------------------------------------------------------------------------------
/efk/elasticsearch-svc.yaml:
--------------------------------------------------------------------------------
---
# Headless service (clusterIP: None) in front of the es-cluster StatefulSet:
# each pod gets its own DNS record es-cluster-<n>.elasticsearch, which is
# what the unicast discovery list in elasticsearch-statefulset.yaml uses.
# NOTE(review): the elasticsearch-oss image ships without X-Pack security, so
# anything in the cluster that can reach port 9200 can read and write the
# indices; a NetworkPolicy limiting ingress to fluentd/kibana is advisable.
apiVersion: v1
kind: Service
metadata:
  name: elasticsearch
  namespace: logging
  labels:
    app: elasticsearch
spec:
  clusterIP: None
  selector:
    app: elasticsearch
  ports:
    - name: rest
      port: 9200
    - name: inter-node
      port: 9300
--------------------------------------------------------------------------------
/efk/fluentd-configmap.yaml:
--------------------------------------------------------------------------------
---
# Fluentd pipeline for the fluentd-es DaemonSet (mounted at /etc/fluent/config.d).
# NOTE(review): the fluentd directive delimiters (<source>, <match>, <filter>,
# <buffer>, <storage> …) do not appear anywhere in this listing; the blank
# lines inside each block scalar are where they would normally sit. Check the
# original file before applying — fluentd is unlikely to parse these sections
# as shown here.
apiVersion: v1
kind: ConfigMap
metadata:
  name: fluentd-config
  namespace: logging
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
data:
  # fluentd working directory for plugin state; the ES output buffer further
  # down uses its own explicit path instead
  system.conf: |-

    root_dir /tmp/fluentd-buffers/

  # Tails the container log symlinks under /var/log/containers. The pos file
  # is also under /var/log, which the DaemonSet mounts from the host, so the
  # read position survives a fluentd restart.
  containers.input.conf: |-

    @id fluentd-containers.log
    @type tail
    path /var/log/containers/*.log
    pos_file /var/log/es-containers.log.pos
    time_format %Y-%m-%dT%H:%M:%S.%NZ
    localtime
    tag raw.kubernetes.*
    format json
    read_from_head true

    # Detect exceptions in the log output and forward them as one log entry.

    @id raw.kubernetes
    @type detect_exceptions
    remove_tag_prefix raw
    message log
    stream stream
    multiline_flush_interval 5
    max_bytes 500000
    max_lines 1000

  # docker and kubelet units from the node's journal
  system.input.conf: |-
    # Logs from systemd-journal for interesting services.

    @id journald-docker
    @type systemd
    filters [{ "_SYSTEMD_UNIT": "docker.service" }]

    @type local
    persistent true

    read_from_head true
    tag docker


    @id journald-kubelet
    @type systemd
    filters [{ "_SYSTEMD_UNIT": "kubelet.service" }]

    @type local
    persistent true

    read_from_head true
    tag kubelet

  # NOTE(review): no bind/port is set, so the forward input listens on the
  # plugin defaults and accepts records from any client that can reach the
  # pod — confirm that is acceptable or restrict it.
  forward.input.conf: |-
    # Takes the messages sent over TCP

    @type forward

  # Enrich with pod/namespace metadata, then ship to the `elasticsearch`
  # service over plain HTTP with a file-backed buffer.
  output.conf: |-
    # Enriches records with Kubernetes metadata

    @type kubernetes_metadata


    @id elasticsearch
    @type elasticsearch
    @log_level info
    include_tag_key true
    host elasticsearch
    port 9200
    logstash_format true
    request_timeout 30s

    @type file
    path /var/log/fluentd-buffers/kubernetes.system.buffer
    flush_mode interval
    retry_type exponential_backoff
    flush_thread_count 2
    flush_interval 5s
    retry_forever
    retry_max_interval 30
    chunk_limit_size 2M
    queue_limit_length 8
    overflow_action block
--------------------------------------------------------------------------------
/efk/fluentd-daemonset.yaml:
--------------------------------------------------------------------------------
---
# ServiceAccount, RBAC and DaemonSet for fluentd, which ships node and
# container logs to the `elasticsearch` service in the logging namespace.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: fluentd-es
  namespace: logging
  labels:
    k8s-app: fluentd-es
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
---
# Read-only access to namespaces and pods — the metadata the
# kubernetes_metadata filter in fluentd-config attaches to each record.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: fluentd-es
  labels:
    k8s-app: fluentd-es
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
      - pods
    verbs:
      - get
      - watch
      - list
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: fluentd-es
  labels:
    k8s-app: fluentd-es
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
subjects:
  - kind: ServiceAccount
    name: fluentd-es
    namespace: logging
    apiGroup: ""
roleRef:
  kind: ClusterRole
  name: fluentd-es
  # empty as in the upstream addon manifest; the API server defaults it to
  # rbac.authorization.k8s.io
  apiGroup: ""
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: fluentd-es
  namespace: logging
  labels:
    k8s-app: fluentd-es
    version: v2.0.4
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  selector:
    matchLabels:
      k8s-app: fluentd-es
      # `version` is part of the selector: bumping the image tag means
      # updating this label in the selector, the template and the metadata
      version: v2.0.4
  template:
    metadata:
      labels:
        k8s-app: fluentd-es
        kubernetes.io/cluster-service: "true"
        version: v2.0.4
      # This annotation ensures that fluentd does not get evicted if the node
      # supports critical pod annotation based priority scheme.
      # Note that this does not guarantee admission on the nodes (#40573).
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      # NOTE(review): some Kubernetes releases only admit system-node-critical
      # pods in kube-system; confirm the pods are scheduled in `logging`.
      priorityClassName: system-node-critical
      serviceAccountName: fluentd-es
      containers:
        - name: fluentd-es
          # NOTE(review): image from a personal Docker Hub namespace rather than
          # the upstream addon registry; pin by digest if provenance matters.
          image: cnych/fluentd-elasticsearch:v2.0.4
          env:
            - name: FLUENTD_ARGS
              value: "--no-supervisor -q"
          resources:
            limits:
              memory: 500Mi
            requests:
              cpu: 100m
              memory: 200Mi
          volumeMounts:
            # writable on purpose: fluentd-config keeps its tail pos file and
            # the ES output buffer under /var/log
            - name: varlog
              mountPath: /var/log
            - name: varlibdockercontainers
              mountPath: /data/docker/containers
              readOnly: true
            - name: config-volume
              mountPath: /etc/fluent/config.d
      # only nodes carrying this label run fluentd; it must be applied by hand
      nodeSelector:
        beta.kubernetes.io/fluentd-ds-ready: "true"
      tolerations:
        - key: node-role.kubernetes.io/master
          operator: Exists
          effect: NoSchedule
      terminationGracePeriodSeconds: 30
      volumes:
        - name: varlog
          hostPath:
            path: /var/log
        # NOTE(review): /data/docker/containers is a non-default docker data
        # root; it has to match the nodes' docker `data-root`, otherwise the
        # symlinks under /var/log/containers point nowhere inside the pod.
        - name: varlibdockercontainers
          hostPath:
            path: /data/docker/containers
        - name: config-volume
          configMap:
            name: fluentd-config
--------------------------------------------------------------------------------
/efk/kibana.yaml:
--------------------------------------------------------------------------------
---
# Kibana (OSS 6.4.3) for the logging namespace, published as a NodePort.
# NOTE(review): the OSS image has no authentication and the NodePort is
# reachable from outside the cluster on every node; put an authenticating
# proxy or ingress in front, or switch to ClusterIP, before exposing it.
apiVersion: v1
kind: Service
metadata:
  name: kibana
  namespace: logging
  labels:
    app: kibana
spec:
  type: NodePort
  selector:
    app: kibana
  ports:
    - port: 5601
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kibana
  namespace: logging
  labels:
    app: kibana
spec:
  selector:
    matchLabels:
      app: kibana
  template:
    metadata:
      labels:
        app: kibana
    spec:
      # NOTE(review): pinned to one specific node (environment-specific);
      # the pod stays Pending if no node carries this hostname.
      nodeSelector:
        kubernetes.io/hostname: node03
      containers:
        - name: kibana
          image: docker.elastic.co/kibana/kibana-oss:6.4.3
          resources:
            limits:
              cpu: 1000m
            requests:
              cpu: 100m
          env:
            # plain HTTP to the headless service in elasticsearch-svc.yaml
            - name: ELASTICSEARCH_URL
              value: http://elasticsearch:9200
          ports:
            - containerPort: 5601
--------------------------------------------------------------------------------
/efk/kube-logging.yaml:
--------------------------------------------------------------------------------
---
# Namespace shared by the EFK manifests in this directory; apply it first.
apiVersion: v1
kind: Namespace
metadata:
  name: logging
--------------------------------------------------------------------------------
/elasticsearch/es-client.yaml:
--------------------------------------------------------------------------------
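---
# Elasticsearch coordinating ("client") nodes: no master or data role, HTTP on.
# Uses apps/v1 like the efk manifests — extensions/v1beta1 Deployment was
# removed in Kubernetes 1.16. apps/v1 requires an explicit `spec.selector`;
# it matches the pod template labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: es-client
  namespace: kube-ops
  labels:
    component: elasticsearch
    role: client
spec:
  replicas: 2
  selector:
    matchLabels:
      component: elasticsearch
      role: client
  template:
    metadata:
      labels:
        component: elasticsearch
        role: client
    spec:
      initContainers:
        # vm.max_map_count is a non-namespaced kernel sysctl: needs a
        # privileged container and takes effect node-wide.
        - name: init-sysctl
          image: busybox
          imagePullPolicy: IfNotPresent
          command: ["sysctl", "-w", "vm.max_map_count=262144"]
          securityContext:
            privileged: true
      containers:
        - name: es-client
          # not privileged; only the two capabilities the image asks for
          # (presumably memory locking and raising its own rlimits)
          securityContext:
            privileged: false
            capabilities:
              add:
                - IPC_LOCK
                - SYS_RESOURCE
          image: quay.io/pires/docker-elasticsearch-kubernetes:5.6.0
          imagePullPolicy: Always
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            # same cluster name as es-master / es-data
            - name: CLUSTER_NAME
              value: "myesdb"
            - name: NODE_MASTER
              value: "false"
            - name: NODE_DATA
              value: "false"
            - name: HTTP_ENABLE
              value: "true"
            - name: ES_JAVA_OPTS
              value: "-Xms256m -Xmx256m"
          ports:
            - name: http
              containerPort: 9200
              protocol: TCP
            - name: transport
              containerPort: 9300
              protocol: TCP
          volumeMounts:
            - name: storage
              mountPath: /data
      volumes:
        # client nodes hold no indices, so ephemeral storage is enough
        - name: storage
          emptyDir:
            medium: ""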
--------------------------------------------------------------------------------
/elasticsearch/es-data.yaml:
--------------------------------------------------------------------------------
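---
# Elasticsearch data nodes (no master/ingest role, HTTP off).
# Uses apps/v1 like the efk manifests — extensions/v1beta1 Deployment was
# removed in Kubernetes 1.16. apps/v1 requires an explicit `spec.selector`;
# it matches the pod template labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: es-data
  namespace: kube-ops
  labels:
    component: elasticsearch
    role: data
spec:
  replicas: 2
  selector:
    matchLabels:
      component: elasticsearch
      role: data
  template:
    metadata:
      labels:
        component: elasticsearch
        role: data
    spec:
      initContainers:
        # vm.max_map_count is a non-namespaced kernel sysctl: needs a
        # privileged container and takes effect node-wide.
        - name: init-sysctl
          image: busybox
          imagePullPolicy: IfNotPresent
          command: ["sysctl", "-w", "vm.max_map_count=262144"]
          securityContext:
            privileged: true
      containers:
        - name: es-data
          securityContext:
            privileged: false
            capabilities:
              add:
                - IPC_LOCK
                - SYS_RESOURCE
          image: quay.io/pires/docker-elasticsearch-kubernetes:5.6.0
          imagePullPolicy: Always
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: CLUSTER_NAME
              value: "myesdb"
            - name: NODE_MASTER
              value: "false"
            - name: NODE_INGEST
              value: "false"
            - name: HTTP_ENABLE
              value: "false"
            - name: ES_JAVA_OPTS
              value: "-Xms256m -Xmx256m"
            # both replicas share one claim (see volumes); this lets two ES
            # processes coexist under the same data path — confirm it matches
            # `replicas` if that number changes
            - name: MAX_LOCAL_STORAGE_NODES
              value: "2"
          ports:
            - name: transport
              containerPort: 9300
              protocol: TCP
          livenessProbe:
            tcpSocket:
              port: 9300
            initialDelaySeconds: 20
            periodSeconds: 10
          volumeMounts:
            - name: storage
              subPath: elasticsearch/data
              mountPath: /data
      volumes:
        # NOTE(review): `opspvc` is not created here; it has to exist in
        # kube-ops beforehand (presumably from the pv manifest elsewhere in
        # this repo) and must allow the access mode two pods need.
        - name: storage
          persistentVolumeClaim:
            claimName: opspvc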
--------------------------------------------------------------------------------
/elasticsearch/es-discovery-svc.yaml:
--------------------------------------------------------------------------------
---
# ClusterIP service over the master-role pods (es-master.yaml), exposing
# only the transport port; data and client nodes find the masters via it.
apiVersion: v1
kind: Service
metadata:
  name: elasticsearch-discovery
  namespace: kube-ops
  labels:
    component: elasticsearch
    role: master
spec:
  selector:
    component: elasticsearch
    role: master
  ports:
    - name: transport
      port: 9300
      protocol: TCP
--------------------------------------------------------------------------------
/elasticsearch/es-kb-svc.yaml:
--------------------------------------------------------------------------------
---
# NodePort service for the kibana Deployment in es-kb.yaml.
# NOTE(review): es-kb.yaml runs with XPACK_SECURITY_ENABLED=false, so this
# port is an unauthenticated UI on every node — front it with an
# authenticating ingress or keep it ClusterIP.
apiVersion: v1
kind: Service
metadata:
  name: kibana
  namespace: kube-ops
  labels:
    k8s-app: kibana
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
    kubernetes.io/name: "Kibana"
spec:
  type: NodePort
  selector:
    k8s-app: kibana
  ports:
    - port: 5601
      targetPort: 5601
      protocol: TCP
--------------------------------------------------------------------------------
/elasticsearch/es-kb.yaml:
--------------------------------------------------------------------------------
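---
# Kibana 5.5.0 (x-pack trimmed image) for the kube-ops Elasticsearch cluster.
# apps/v1beta2 is no longer served; apps/v1 has the same Deployment schema
# and this manifest already carries the selector apps/v1 requires.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kibana
  namespace: kube-ops
  labels:
    k8s-app: kibana
    kubernetes.io/cluster-service: "true"
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: kibana
  template:
    metadata:
      labels:
        k8s-app: kibana
    spec:
      containers:
        - name: kibana
          image: cfontes/kibana-xpack-less:5.5.0
          resources:
            # need more cpu upon initialization, therefore burstable class
            limits:
              cpu: 1000m
            requests:
              cpu: 100m
          env:
            - name: CLUSTER_NAME
              value: "myesdb"
            #- name: SERVER_BASEPATH
            #  value: /api/v1/proxy/namespaces/kube-ops/services/kibana
            # X-Pack features are switched off; note this also means no login
            # in front of the UI exposed by es-kb-svc.yaml
            - name: XPACK_SECURITY_ENABLED
              value: "false"
            - name: XPACK_GRAPH_ENABLED
              value: "false"
            - name: XPACK_ML_ENABLED
              value: "false"
            - name: XPACK_REPORTING_ENABLED
              value: "false"
            # the client-node service from es-svc.yaml, plain HTTP
            - name: ELASTICSEARCH_URL
              value: http://elasticsearch:9200
            - name: XPACK_MONITORING_ENABLED
              value: "false"
          ports:
            - name: ui
              containerPort: 5601
              protocol: TCP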
--------------------------------------------------------------------------------
/elasticsearch/es-master.yaml:
--------------------------------------------------------------------------------
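---
# Elasticsearch master-eligible nodes (no data/ingest role, HTTP off).
# Uses apps/v1 like the efk manifests — extensions/v1beta1 Deployment was
# removed in Kubernetes 1.16. apps/v1 requires an explicit `spec.selector`;
# it matches the pod template labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: es-master
  namespace: kube-ops
  labels:
    component: elasticsearch
    role: master
spec:
  replicas: 3
  selector:
    matchLabels:
      component: elasticsearch
      role: master
  template:
    metadata:
      labels:
        component: elasticsearch
        role: master
    spec:
      initContainers:
        # vm.max_map_count is a non-namespaced kernel sysctl: needs a
        # privileged container and takes effect node-wide.
        - name: init-sysctl
          image: busybox
          imagePullPolicy: IfNotPresent
          command: ["sysctl", "-w", "vm.max_map_count=262144"]
          securityContext:
            privileged: true
      containers:
        - name: es-master
          securityContext:
            privileged: false
            capabilities:
              add:
                - IPC_LOCK
                - SYS_RESOURCE
          image: quay.io/pires/docker-elasticsearch-kubernetes:5.6.0
          imagePullPolicy: Always
          env:
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            - name: NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: CLUSTER_NAME
              value: "myesdb"
            # quorum for the 3 replicas above; adjust together with `replicas`
            - name: NUMBER_OF_MASTERS
              value: "2"
            - name: NODE_MASTER
              value: "true"
            - name: NODE_INGEST
              value: "false"
            - name: NODE_DATA
              value: "false"
            - name: HTTP_ENABLE
              value: "false"
            - name: ES_JAVA_OPTS
              value: "-Xms256m -Xmx256m"
          ports:
            - name: transport
              containerPort: 9300
              protocol: TCP
          # NOTE(review): unlike es-data.yaml there is no initialDelaySeconds,
          # so the probe starts immediately with the kubelet defaults; if the
          # JVM takes longer than the default failure window to open 9300 the
          # pod is restarted in a loop — consider matching es-data's 20s.
          livenessProbe:
            tcpSocket:
              port: 9300
          volumeMounts:
            - name: storage
              mountPath: /data
      volumes:
        # master nodes only hold cluster state; ephemeral storage as in es-client
        - name: storage
          emptyDir:
            medium: ""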
--------------------------------------------------------------------------------
/elasticsearch/es-svc.yaml:
--------------------------------------------------------------------------------
---
# HTTP entry point to the cluster via the client-role pods (es-client.yaml).
# NOTE(review): type NodePort publishes the unauthenticated ES 5.6 REST API
# on every node; ClusterIP is enough for kibana and in-cluster consumers.
apiVersion: v1
kind: Service
metadata:
  name: elasticsearch
  namespace: kube-ops
  labels:
    component: elasticsearch
    role: client
spec:
  type: NodePort
  selector:
    component: elasticsearch
    role: client
  ports:
    - name: http
      port: 9200
      protocol: TCP
--------------------------------------------------------------------------------
/gitlab/gitlab-deploy.yaml:
--------------------------------------------------------------------------------
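---
# GitLab CE (sameersbn image) backed by the `postgresql` and `redis` services
# in this directory. Uses apps/v1 (apps/v1beta1 Deployment is no longer
# served); apps/v1 requires `spec.selector`, which matches the template labels.
#
# NOTE(review): every credential below is a plain literal committed with the
# manifest: the three GITLAB_SECRETS_* key bases still hold the image's
# placeholder text, and GITLAB_ROOT_PASSWORD / DB_PASS are in clear. Move them
# to a Secret referenced with `valueFrom.secretKeyRef`, and generate unique
# random values for the key bases — per the image docs they protect GitLab's
# stored secrets, so every deployment using the placeholder shares the same keys.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitlab
  namespace: kube-ops
  labels:
    name: gitlab
spec:
  selector:
    matchLabels:
      name: gitlab
  template:
    metadata:
      name: gitlab
      labels:
        name: gitlab
    spec:
      containers:
        - name: gitlab
          image: sameersbn/gitlab:11.8.0
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
              value: Asia/Shanghai
            - name: GITLAB_TIMEZONE
              value: Beijing
            - name: GITLAB_SECRETS_DB_KEY_BASE
              value: long-and-random-alpha-numeric-string
            - name: GITLAB_SECRETS_SECRET_KEY_BASE
              value: long-and-random-alpha-numeric-string
            - name: GITLAB_SECRETS_OTP_KEY_BASE
              value: long-and-random-alpha-numeric-string
            - name: GITLAB_ROOT_PASSWORD
              value: admin321
            - name: GITLAB_ROOT_EMAIL
              value: 517554016@qq.com
            # must agree with the host rule in gitlab-ingress.yaml
            - name: GITLAB_HOST
              value: git.qikqiak.com
            - name: GITLAB_PORT
              value: "80"
            # must agree with the fixed nodePort in gitlab-svc.yaml
            - name: GITLAB_SSH_PORT
              value: "30022"
            - name: GITLAB_NOTIFY_ON_BROKEN_BUILDS
              value: "true"
            - name: GITLAB_NOTIFY_PUSHER
              value: "false"
            - name: GITLAB_BACKUP_SCHEDULE
              value: daily
            # quoted: env values must be strings, and an unquoted 01:00 reads
            # as the base-60 integer 60 under YAML 1.1 rules
            - name: GITLAB_BACKUP_TIME
              value: "01:00"
            - name: DB_TYPE
              value: postgres
            # DB_* must match postgresql-deploy.yaml
            - name: DB_HOST
              value: postgresql
            - name: DB_PORT
              value: "5432"
            - name: DB_USER
              value: gitlab
            - name: DB_PASS
              value: passw0rd
            - name: DB_NAME
              value: gitlab_production
            - name: REDIS_HOST
              value: redis
            - name: REDIS_PORT
              value: "6379"
          ports:
            - name: http
              containerPort: 80
            - name: ssh
              containerPort: 22
          volumeMounts:
            - name: data
              mountPath: /home/git/data
          # long initial delay: GitLab takes minutes to come up on first boot
          livenessProbe:
            httpGet:
              path: /
              port: 80
            initialDelaySeconds: 180
            timeoutSeconds: 5
          readinessProbe:
            httpGet:
              path: /
              port: 80
            initialDelaySeconds: 5
            timeoutSeconds: 1
      volumes:
        # NOTE(review): emptyDir — repositories and uploads are lost whenever
        # the pod is rescheduled; use a PersistentVolumeClaim for anything
        # beyond a throwaway install.
        - name: data
          emptyDir: {}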
--------------------------------------------------------------------------------
/gitlab/gitlab-ingress.yaml:
--------------------------------------------------------------------------------
---
# Routes git.qikqiak.com (no `path` given, so every path) to the `http` port
# of the gitlab service through the traefik ingress controller.
# NOTE(review): extensions/v1beta1 Ingress is removed from Kubernetes 1.22
# onwards; on a newer cluster this needs networking.k8s.io/v1, whose backend
# shape differs (service.name / service.port and a required pathType). Left
# unchanged here since the traefik2 manifests in this repo use IngressRoute.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: gitlab
  namespace: kube-ops
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: git.qikqiak.com
      http:
        paths:
          - backend:
              serviceName: gitlab
              servicePort: http
--------------------------------------------------------------------------------
/gitlab/gitlab-svc.yaml:
--------------------------------------------------------------------------------
---
# Exposes GitLab's http and ssh container ports. Only ssh has a fixed
# nodePort (30022, the value given to GITLAB_SSH_PORT in gitlab-deploy.yaml);
# http gets a random NodePort and is reached through gitlab-ingress.yaml
# instead, which is why GITLAB_PORT there is "80".
apiVersion: v1
kind: Service
metadata:
  name: gitlab
  namespace: kube-ops
  labels:
    name: gitlab
spec:
  type: NodePort
  selector:
    name: gitlab
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: ssh
      port: 22
      targetPort: ssh
      nodePort: 30022
--------------------------------------------------------------------------------
/gitlab/postgresql-deploy.yaml:
--------------------------------------------------------------------------------
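---
# PostgreSQL 10 (sameersbn image) for the gitlab Deployment. Uses apps/v1
# (apps/v1beta1 Deployment is no longer served); apps/v1 requires
# `spec.selector`, which matches the template labels.
#
# NOTE(review): DB_PASS is committed in clear and duplicated in
# gitlab-deploy.yaml; keep it in one Secret and reference it from both
# with `valueFrom.secretKeyRef`.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: postgresql
  namespace: kube-ops
  labels:
    name: postgresql
spec:
  selector:
    matchLabels:
      name: postgresql
  template:
    metadata:
      name: postgresql
      labels:
        name: postgresql
    spec:
      containers:
        - name: postgresql
          image: sameersbn/postgresql:10
          imagePullPolicy: IfNotPresent
          env:
            # DB_USER / DB_PASS / DB_NAME must match gitlab-deploy.yaml
            - name: DB_USER
              value: gitlab
            - name: DB_PASS
              value: passw0rd
            - name: DB_NAME
              value: gitlab_production
            # trigram extension GitLab relies on for search
            - name: DB_EXTENSION
              value: pg_trgm
          ports:
            - name: postgres
              containerPort: 5432
          volumeMounts:
            - name: data
              mountPath: /var/lib/postgresql
          livenessProbe:
            exec:
              command:
                - pg_isready
                - -h
                - localhost
                - -U
                - postgres
            initialDelaySeconds: 30
            timeoutSeconds: 5
          readinessProbe:
            exec:
              command:
                - pg_isready
                - -h
                - localhost
                - -U
                - postgres
            initialDelaySeconds: 5
            timeoutSeconds: 1
      volumes:
        # NOTE(review): emptyDir — the whole GitLab database is lost when the
        # pod is rescheduled; use a PersistentVolumeClaim for real use.
        - name: data
          emptyDir: {}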
--------------------------------------------------------------------------------
/gitlab/postgresql-svc.yaml:
--------------------------------------------------------------------------------
---
# ClusterIP service for postgresql-deploy.yaml; gitlab-deploy.yaml reaches it
# as DB_HOST=postgresql on 5432.
apiVersion: v1
kind: Service
metadata:
  name: postgresql
  namespace: kube-ops
  labels:
    name: postgresql
spec:
  selector:
    name: postgresql
  ports:
    - name: postgres
      port: 5432
      targetPort: postgres
--------------------------------------------------------------------------------
/gitlab/redis-deploy.yaml:
--------------------------------------------------------------------------------
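---
# Redis for the gitlab Deployment. Uses apps/v1 (apps/v1beta1 Deployment is
# no longer served); apps/v1 requires `spec.selector`, which matches the
# template labels.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
  namespace: kube-ops
  labels:
    name: redis
spec:
  selector:
    matchLabels:
      name: redis
  template:
    metadata:
      name: redis
      labels:
        name: redis
    spec:
      containers:
        - name: redis
          # NOTE(review): untagged image resolves to `latest`, so the version
          # changes under you on the next pull; pin a tag (or digest).
          image: sameersbn/redis
          imagePullPolicy: IfNotPresent
          ports:
            - name: redis
              containerPort: 6379
          volumeMounts:
            - name: data
              mountPath: /var/lib/redis
          livenessProbe:
            exec:
              command:
                - redis-cli
                - ping
            initialDelaySeconds: 30
            timeoutSeconds: 5
          readinessProbe:
            exec:
              command:
                - redis-cli
                - ping
            initialDelaySeconds: 5
            timeoutSeconds: 1
      volumes:
        # ephemeral; acceptable for a cache/queue but cleared on reschedule
        - name: data
          emptyDir: {}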
--------------------------------------------------------------------------------
/gitlab/redis-svc.yaml:
--------------------------------------------------------------------------------
---
# ClusterIP service for redis-deploy.yaml; gitlab-deploy.yaml reaches it as
# REDIS_HOST=redis on 6379. No authentication is configured on the redis
# side, so in-cluster reachability is the only control.
apiVersion: v1
kind: Service
metadata:
  name: redis
  namespace: kube-ops
  labels:
    name: redis
spec:
  selector:
    name: redis
  ports:
    - name: redis
      port: 6379
      targetPort: redis
--------------------------------------------------------------------------------
/harbor/adminserver/adminserver.cm.yaml:
--------------------------------------------------------------------------------
---
# Configuration for the Harbor adminserver (adminserver.rc.yaml reads most
# keys through configMapKeyRef and mounts SECRET_KEY as the file
# /etc/adminserver/key; TOKEN_URL is present but not consumed there).
#
# NOTE(review): MYSQL_PWD, EMAIL_PWD, HARBOR_ADMIN_PASSWORD, UI_SECRET,
# JOBSERVICE_SECRET and SECRET_KEY are credentials stored in a ConfigMap,
# which is readable by anyone with `get configmaps` in kube-ops. They are
# also the well-known sample values from the Harbor templates. Generate
# fresh values and keep them in a Secret (secretKeyRef / secret volume).
apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-adminserver-config
  namespace: kube-ops
data:
  LOG_LEVEL: debug
  AUTH_MODE: db_auth
  # "on"/"off" style values are quoted so YAML keeps them as strings
  SELF_REGISTRATION: "on"
  LDAP_URL: ldaps://ldap.mydomain.com
  LDAP_SEARCH_DN: ""
  LDAP_SEARCH_PWD: ""
  LDAP_BASE_DN: "ou=people,dc=mydomain,dc=com"
  LDAP_FILTER: ""
  LDAP_UID: uid
  LDAP_SCOPE: "3"
  LDAP_TIMEOUT: "5"
  DATABASE_TYPE: mysql
  MYSQL_HOST: mysql
  MYSQL_PORT: "3306"
  MYSQL_USR: root
  MYSQL_PWD: "root123"
  MYSQL_DATABASE: registry
  REGISTRY_URL: http://registry:5000
  TOKEN_SERVICE_URL: http://ui/service/token
  EMAIL_HOST: smtp.mydomain.com
  EMAIL_PORT: "25"
  EMAIL_USR: sample_admin@mydomain.com
  EMAIL_PWD: abc
  EMAIL_SSL: "false"
  # NOTE(review): the value ends in a trailing space; in the Harbor template
  # this field is "admin <address>", so the angle-bracketed address part may
  # have been stripped from this listing — verify against the original file.
  EMAIL_FROM: "admin "
  EMAIL_IDENTITY: ""
  HARBOR_ADMIN_PASSWORD: "Harbor12345"
  PROJECT_CREATION_RESTRICTION: everyone
  VERIFY_REMOTE_CERT: "on"
  MAX_JOB_WORKERS: "3"
  UI_SECRET: "42VPEolTxWOEouiW"
  JOBSERVICE_SECRET: "VTXdK8CdXADDwS9G"
  TOKEN_EXPIRATION: "30"
  CFG_EXPIRATION: "5"
  GODEBUG: "netdns=cgo"
  ADMIRAL_URL: NA
  WITH_NOTARY: "False"
  RESET: "false"
  EXT_ENDPOINT: "http://reg.mydomain.com"
  TOKEN_URL: http://ui
  JSON_CFG_STORE_PATH: "/etc/config/config.json"
  SECRET_KEY: "VTXdK8CdXADDwS9G"
--------------------------------------------------------------------------------
/harbor/adminserver/adminserver.rc.yaml:
--------------------------------------------------------------------------------
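---
# Harbor adminserver v1.2.2. Every setting is pulled from the
# harbor-adminserver-config ConfigMap (adminserver.cm.yaml), one
# configMapKeyRef per variable, and SECRET_KEY is mounted as
# /etc/adminserver/key. Uses apps/v1 (extensions/v1beta1 Deployment was
# removed in Kubernetes 1.16); apps/v1 requires `spec.selector`, which
# matches the template label adminserver.svc.yaml also selects on.
#
# NOTE(review): MYSQL_PWD, EMAIL_PWD, HARBOR_ADMIN_PASSWORD, UI_SECRET,
# JOBSERVICE_SECRET and the SECRET_KEY file are all sourced from a ConfigMap;
# they belong in a Secret (secretKeyRef / secret volume) with fresh values.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: adminserver-rc
  namespace: kube-ops
  labels:
    name: adminserver-rc
spec:
  replicas: 1
  selector:
    matchLabels:
      name: adminserver-apps
  template:
    metadata:
      labels:
        name: adminserver-apps
    spec:
      containers:
        - name: adminserver-app
          image: vmware/harbor-adminserver:v1.2.2
          imagePullPolicy: IfNotPresent
          env:
            - name: LOG_LEVEL
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: LOG_LEVEL
            - name: JSON_CFG_STORE_PATH
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: JSON_CFG_STORE_PATH
            - name: EXT_ENDPOINT
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: EXT_ENDPOINT
            - name: AUTH_MODE
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: AUTH_MODE
            - name: SELF_REGISTRATION
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: SELF_REGISTRATION
            - name: LDAP_URL
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: LDAP_URL
            - name: LDAP_SEARCH_DN
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: LDAP_SEARCH_DN
            - name: LDAP_SEARCH_PWD
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: LDAP_SEARCH_PWD
            - name: LDAP_BASE_DN
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: LDAP_BASE_DN
            - name: LDAP_FILTER
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: LDAP_FILTER
            - name: LDAP_UID
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: LDAP_UID
            - name: LDAP_SCOPE
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: LDAP_SCOPE
            - name: LDAP_TIMEOUT
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: LDAP_TIMEOUT
            - name: DATABASE_TYPE
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: DATABASE_TYPE
            - name: MYSQL_HOST
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: MYSQL_HOST
            - name: MYSQL_PORT
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: MYSQL_PORT
            - name: MYSQL_USR
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: MYSQL_USR
            - name: MYSQL_PWD
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: MYSQL_PWD
            - name: MYSQL_DATABASE
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: MYSQL_DATABASE
            - name: REGISTRY_URL
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: REGISTRY_URL
            - name: TOKEN_SERVICE_URL
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: TOKEN_SERVICE_URL
            - name: EMAIL_HOST
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: EMAIL_HOST
            - name: EMAIL_PORT
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: EMAIL_PORT
            - name: EMAIL_USR
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: EMAIL_USR
            - name: EMAIL_PWD
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: EMAIL_PWD
            - name: EMAIL_SSL
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: EMAIL_SSL
            - name: EMAIL_FROM
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: EMAIL_FROM
            - name: EMAIL_IDENTITY
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: EMAIL_IDENTITY
            - name: HARBOR_ADMIN_PASSWORD
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: HARBOR_ADMIN_PASSWORD
            - name: PROJECT_CREATION_RESTRICTION
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: PROJECT_CREATION_RESTRICTION
            - name: VERIFY_REMOTE_CERT
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: VERIFY_REMOTE_CERT
            - name: MAX_JOB_WORKERS
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: MAX_JOB_WORKERS
            - name: UI_SECRET
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: UI_SECRET
            - name: JOBSERVICE_SECRET
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: JOBSERVICE_SECRET
            - name: TOKEN_EXPIRATION
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: TOKEN_EXPIRATION
            - name: CFG_EXPIRATION
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: CFG_EXPIRATION
            - name: GODEBUG
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: GODEBUG
            - name: ADMIRAL_URL
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: ADMIRAL_URL
            - name: WITH_NOTARY
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: WITH_NOTARY
            - name: RESET
              valueFrom:
                configMapKeyRef:
                  name: harbor-adminserver-config
                  key: RESET
            # Workaround the volume API issue.
            - name: IMAGE_STORE_PATH
              value: "/"
          ports:
            - containerPort: 80
          volumeMounts:
            - name: config
              mountPath: /etc/adminserver/
      volumes:
        # only the SECRET_KEY entry is projected, as the file `key`
        - name: config
          configMap:
            name: harbor-adminserver-config
            items:
              - key: SECRET_KEY
                path: key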
--------------------------------------------------------------------------------
/harbor/adminserver/adminserver.svc.yaml:
--------------------------------------------------------------------------------
---
# ClusterIP Service in front of the Harbor adminserver pods; selects pods
# carrying the `name: adminserver-apps` label and forwards port 80 unchanged.
apiVersion: v1
kind: Service
metadata:
  name: adminserver
  namespace: kube-ops
spec:
  type: ClusterIP  # the default, stated explicitly
  selector:
    name: adminserver-apps
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
--------------------------------------------------------------------------------
/harbor/harbor.cfg:
--------------------------------------------------------------------------------
## Configuration file of Harbor
##
## Consumed by harbor/prepare, which renders the templates in harbor/templates/
## into the *.cm.yaml ConfigMaps. A key only takes effect if the template for
## the component references it as a double-braced placeholder; a value written
## literally in a template wins over whatever is set here, so check the
## template before relying on a key. Everything rendered from this file lands
## in ConfigMaps (not Secrets): treat the generated manifests as sensitive and
## do not commit them with real values.

#The IP address or hostname to access admin UI and registry service.
#DO NOT use localhost or 127.0.0.1, because Harbor needs to be accessed by external clients.
#prepare combines it with ui_url_protocol into ui_url (EXT_ENDPOINT) and uses it as the nginx server_name.
hostname = reg.mydomain.com

#The protocol for accessing the UI and token/notification service, by default it is http.
#It can be set to https if ssl is enabled on nginx.
#With http, registry logins and bearer tokens cross the network in clear text; use https for anything beyond a lab.
ui_url_protocol = http

#The password for the root user of mysql db, change this before any production use.
#prepare renders it into MYSQL_PWD / MYSQL_ROOT_PASSWORD of the generated ConfigMaps.
db_password = root123

#Maximum number of job workers in job service
max_job_workers = 3

#Determine whether or not to generate certificate for the registry's token.
#If the value is on, the prepare script creates new root cert and private key
#for generating token to access the registry. If the value is off the default key/cert will be used.
#This flag also controls the creation of the notary signer's cert.
#NOTE(review): the prepare script in this repo does not read this key; it generates a fresh
#token-signing key/cert whenever an `openssl` binary is found on PATH.
customize_crt = on

#The path of cert and key files for nginx, they are applied only the protocol is set to https
#Relative paths are resolved against the directory holding this file.
ssl_cert = /data/cert/server.crt
ssl_cert_key = /data/cert/server.key

#The path of secretkey storage
#NOTE(review): not read by this repo's prepare script; pass the key file with `prepare -s <file>`
#(exactly 16 characters) or a random key is generated on every run.
secretkey_path = /data

#Admiral's url, comment this attribute, or set its value to NA when Harbor is standalone
admiral_url = NA

#The password of the Clair's postgres database, only effective when Harbor is deployed with Clair.
#Please update it before deployment, subsequent update will cause Clair's API server and Harbor unable to access Clair's database.
#Sample value; unused unless a Clair deployment is added.
clair_db_password = password

#NOTES: The properties between BEGIN INITIAL PROPERTIES and END INITIAL PROPERTIES
#only take effect in the first boot, the subsequent changes of these properties
#should be performed on web ui

#************************BEGIN INITIAL PROPERTIES************************

#Email account settings for sending out password resetting emails.

#Email server uses the given username and password to authenticate on TLS connections to host and act as identity.
#Identity left blank to act as username.
email_identity =

email_server = smtp.mydomain.com
email_server_port = 25
email_username = sample_admin@mydomain.com
#Sample value; the real SMTP password is rendered into the adminserver ConfigMap.
email_password = abc
email_from = admin
#false sends SMTP credentials without TLS (port 25 above); set true and use the submission port where the server supports it.
email_ssl = false

##The initial password of Harbor admin, only works for the first time when Harbor starts.
#It has no effect after the first launch of Harbor.
#Change the admin password from UI after launching Harbor.
#This is Harbor's well-known default; it is rendered into HARBOR_ADMIN_PASSWORD, so change it
#here before the first boot rather than relying on a later UI change.
harbor_admin_password = Harbor12345

##By default the auth mode is db_auth, i.e. the credentials are stored in a local database.
#Set it to ldap_auth if you want to verify a user's credentials against an LDAP server.
auth_mode = db_auth

#The url for an ldap endpoint.
ldap_url = ldaps://ldap.mydomain.com

#A user's DN who has the permission to search the LDAP/AD server.
#If your LDAP/AD server does not support anonymous search, you should configure this DN and ldap_search_pwd.
#ldap_searchdn = uid=searchuser,ou=people,dc=mydomain,dc=com

#the password of the ldap_searchdn
#If set, it is rendered into a ConfigMap like every other value here; use a read-only bind account.
#ldap_search_pwd = password

#The base DN from which to look up a user in LDAP/AD
ldap_basedn = ou=people,dc=mydomain,dc=com

#Search filter for LDAP/AD, make sure the syntax of the filter is correct.
#ldap_filter = (objectClass=person)

# The attribute used in a search to match a user, it could be uid, cn, email, sAMAccountName or other attributes depending on your LDAP/AD
ldap_uid = uid

#the scope to search for users, 1-LDAP_SCOPE_BASE, 2-LDAP_SCOPE_ONELEVEL, 3-LDAP_SCOPE_SUBTREE
ldap_scope = 3

#Timeout (in seconds) when connecting to an LDAP Server. The default value (and most reasonable) is 5 seconds.
ldap_timeout = 5

#Turn on or off the self-registration feature
#on lets anyone who can reach the UI create an account; set off unless public sign-up is intended.
self_registration = on

#The expiration time (in minute) of token created by token service, default is 30 minutes
token_expiration = 30

#The flag to control what users have permission to create projects
#The default value "everyone" allows everyone to creates a project.
#Set to "adminonly" so that only admin user can create project.
#Combined with self_registration = on, "everyone" means any self-registered account can create projects.
project_creation_restriction = everyone

#Determine whether the job service should verify the ssl cert when it connects to a remote registry.
#Set this flag to off when the remote registry uses a self-signed or untrusted certificate.
#off disables TLS verification for replication targets and lets a man-in-the-middle receive the replicated images and credentials.
verify_remote_cert = on

#The follow configurations are for Harbor HA mode only

#the address of the mysql database.
db_host = mysql

#The port of mysql database host
db_port = 3306

#The user name of mysql database
#The application connects as the MySQL root user; a dedicated least-privilege account is preferable.
db_user = root
#************************END INITIAL PROPERTIES************************
#The following attributes only need to be set when auth mode is uaa_auth
uaa_endpoint = uaa.mydomain.org
uaa_clientid= id
#Placeholder; replace with the real client secret only when auth_mode = uaa_auth.
uaa_clientsecret= secret
#############
121 |
--------------------------------------------------------------------------------
/harbor/jobservice/jobservice.cm.yaml:
--------------------------------------------------------------------------------
# GENERATED by harbor/prepare from harbor/templates/jobservice.cm.yaml;
# re-running prepare overwrites this file, so edit the template, not this copy.
#
# SECURITY: this committed copy contains live credentials in a ConfigMap —
# MYSQL_PWD, UI_SECRET (shared with the UI and adminserver) and SECRET_KEY
# (the 16-character key prepare generates or reads from `-s`). A ConfigMap is
# readable by anyone with get/list on configmaps in kube-ops and is not covered
# by Secret encryption-at-rest. Anyone applying this file unchanged shares
# these exact values with every other clone of the repository: regenerate with
# prepare before deploying and keep the rendered output out of version control.
apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-jobservice-config
  namespace: kube-ops
data:
  MYSQL_HOST: mysql
  MYSQL_PORT: "3306"
  MYSQL_USR: root  # application connects as the MySQL root user
  MYSQL_PWD: "root123"  # db_password from harbor.cfg; credential, belongs in a Secret
  UI_SECRET: "42VPEolTxWOEouiW"  # credential, belongs in a Secret
  SECRET_KEY: "VTXdK8CdXADDwS9G"  # credential, belongs in a Secret
  CONFIG_PATH: /etc/jobservice/app.conf
  REGISTRY_URL: http://registry:5000
  VERIFY_REMOTE_CERT: "on"
  MAX_JOB_WORKERS: "3"
  LOG_LEVEL: debug  # debug logging may write request details to /var/log/jobs
  LOG_DIR: /var/log/jobs
  GODEBUG: netdns=cgo
  EXT_ENDPOINT: "http://reg.mydomain.com"  # plain http: ui_url_protocol = http in harbor.cfg
  TOKEN_URL: http://ui
  # Mounted as /etc/jobservice/app.conf by jobservice.rc.yaml.
  config: |
    appname = jobservice
    runmode = dev
    [dev]
    httpport = 80
27 |
--------------------------------------------------------------------------------
/harbor/jobservice/jobservice.rc.yaml:
--------------------------------------------------------------------------------
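---
# Harbor jobservice (replication / job runner). Every setting, including the
# credentials MYSQL_PWD, UI_SECRET and SECRET_KEY, is read from the
# harbor-jobservice-config ConfigMap. A ConfigMap is not a Secret (no
# encryption-at-rest, visible to anyone with get/list on configmaps in
# kube-ops); those three keys should move to a Secret and be referenced with
# secretKeyRef once the generating template produces one.
apiVersion: apps/v1  # extensions/v1beta1 Deployment was removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: jobservice-rc
  namespace: kube-ops
  labels:
    name: jobservice-rc
spec:
  replicas: 1
  # apps/v1 requires an explicit selector; it must match the pod template
  # labels below (the jobservice Service selects on the same label).
  selector:
    matchLabels:
      name: jobservice-apps
  template:
    metadata:
      labels:
        name: jobservice-apps
    spec:
      # The pod only talks to mysql, registry and ui (see env); it has no need
      # for a Kubernetes API token, so do not mount one into the container.
      automountServiceAccountToken: false
      containers:
        - name: jobservice-app
          image: vmware/harbor-jobservice:v1.2.2
          imagePullPolicy: IfNotPresent
          env:
            - name: MYSQL_HOST
              valueFrom:
                configMapKeyRef:
                  name: harbor-jobservice-config
                  key: MYSQL_HOST
            - name: MYSQL_PORT
              valueFrom:
                configMapKeyRef:
                  name: harbor-jobservice-config
                  key: MYSQL_PORT
            - name: MYSQL_USR
              valueFrom:
                configMapKeyRef:
                  name: harbor-jobservice-config
                  key: MYSQL_USR
            # credential — should come from a Secret (secretKeyRef)
            - name: MYSQL_PWD
              valueFrom:
                configMapKeyRef:
                  name: harbor-jobservice-config
                  key: MYSQL_PWD
            # credential — should come from a Secret (secretKeyRef)
            - name: UI_SECRET
              valueFrom:
                configMapKeyRef:
                  name: harbor-jobservice-config
                  key: UI_SECRET
            # credential — should come from a Secret (secretKeyRef)
            - name: SECRET_KEY
              valueFrom:
                configMapKeyRef:
                  name: harbor-jobservice-config
                  key: SECRET_KEY
            - name: CONFIG_PATH
              valueFrom:
                configMapKeyRef:
                  name: harbor-jobservice-config
                  key: CONFIG_PATH
            - name: REGISTRY_URL
              valueFrom:
                configMapKeyRef:
                  name: harbor-jobservice-config
                  key: REGISTRY_URL
            - name: VERIFY_REMOTE_CERT
              valueFrom:
                configMapKeyRef:
                  name: harbor-jobservice-config
                  key: VERIFY_REMOTE_CERT
            - name: MAX_JOB_WORKERS
              valueFrom:
                configMapKeyRef:
                  name: harbor-jobservice-config
                  key: MAX_JOB_WORKERS
            - name: LOG_LEVEL
              valueFrom:
                configMapKeyRef:
                  name: harbor-jobservice-config
                  key: LOG_LEVEL
            - name: LOG_DIR
              valueFrom:
                configMapKeyRef:
                  name: harbor-jobservice-config
                  key: LOG_DIR
            - name: GODEBUG
              valueFrom:
                configMapKeyRef:
                  name: harbor-jobservice-config
                  key: GODEBUG
            - name: EXT_ENDPOINT
              valueFrom:
                configMapKeyRef:
                  name: harbor-jobservice-config
                  key: EXT_ENDPOINT
            - name: TOKEN_URL
              valueFrom:
                configMapKeyRef:
                  name: harbor-jobservice-config
                  key: TOKEN_URL
          ports:
            - name: http
              containerPort: 80
          volumeMounts:
            - name: config
              mountPath: /etc/jobservice
            # Job logs go to a subPath of the same NFS claim that also holds
            # the MySQL datadir and the registry blobs (opspvc).
            - name: logs
              mountPath: /var/log/jobs
              subPath: harbor/logs
      volumes:
        - name: config
          configMap:
            name: harbor-jobservice-config
            items:
              - key: config
                path: app.conf
        - name: logs
          persistentVolumeClaim:
            claimName: opspvc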
113 |
--------------------------------------------------------------------------------
/harbor/jobservice/jobservice.svc.yaml:
--------------------------------------------------------------------------------
---
# ClusterIP Service for the Harbor jobservice pods (label `name: jobservice-apps`),
# port 80 forwarded unchanged.
apiVersion: v1
kind: Service
metadata:
  name: jobservice
  namespace: kube-ops
spec:
  type: ClusterIP
  selector:
    name: jobservice-apps
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
11 |
--------------------------------------------------------------------------------
/harbor/mysql/mysql.cm.yaml:
--------------------------------------------------------------------------------
# GENERATED by harbor/prepare from harbor/templates/mysql.cm.yaml (db_password
# in harbor.cfg); re-running prepare overwrites this file.
#
# SECURITY: the MySQL root password is stored in a ConfigMap, which is neither
# encrypted at rest like a Secret nor restricted to secret readers. The same
# value is also rendered into MYSQL_PWD of the adminserver and jobservice
# ConfigMaps. Regenerate with a real password before deploying and keep the
# rendered file out of version control.
apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-mysql-config
  namespace: kube-ops
data:
  MYSQL_ROOT_PASSWORD: "root123"  # credential, belongs in a Secret
--------------------------------------------------------------------------------
/harbor/mysql/mysql.rc.yaml:
--------------------------------------------------------------------------------
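---
# Single-replica MySQL for Harbor (vmware/harbor-db). The root password is
# read from the harbor-mysql-config ConfigMap (MYSQL_ROOT_PASSWORD) — a
# ConfigMap, not a Secret — and the datadir is a subPath of the shared NFS
# claim opspvc that the registry and jobservice also write to.
apiVersion: apps/v1  # apps/v1beta1 StatefulSet was removed in Kubernetes 1.16
kind: StatefulSet
metadata:
  name: mysql-rc
  namespace: kube-ops
  labels:
    name: mysql-rc
spec:
  replicas: 1
  serviceName: "mysql"
  # Required by apps/v1; must match the pod template labels (the mysql Service
  # selects on the same label).
  selector:
    matchLabels:
      name: mysql-apps
  template:
    metadata:
      labels:
        name: mysql-apps
    spec:
      # The database never calls the Kubernetes API; do not mount an API token.
      automountServiceAccountToken: false
      containers:
        - name: mysql-app
          image: vmware/harbor-db:v1.2.2
          imagePullPolicy: IfNotPresent
          ports:
            - name: mysql
              containerPort: 3306
          env:
            # credential — should come from a Secret (secretKeyRef)
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
                configMapKeyRef:
                  name: harbor-mysql-config
                  key: MYSQL_ROOT_PASSWORD
          volumeMounts:
            - name: mysql-storage
              mountPath: /var/lib/mysql
              subPath: harbor/mysql
      volumes:
        - name: mysql-storage
          persistentVolumeClaim:
            claimName: opspvc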
36 |
--------------------------------------------------------------------------------
/harbor/mysql/mysql.svc.yaml:
--------------------------------------------------------------------------------
---
# ClusterIP Service named "mysql" (the StatefulSet's serviceName) in front of
# the pods labelled `name: mysql-apps`; port 3306 forwarded unchanged.
apiVersion: v1
kind: Service
metadata:
  name: mysql
  namespace: kube-ops
spec:
  type: ClusterIP
  selector:
    name: mysql-apps
  ports:
    - name: mysql
      protocol: TCP
      port: 3306
      targetPort: 3306
11 |
--------------------------------------------------------------------------------
/harbor/nginx/nginx.cm.yaml:
--------------------------------------------------------------------------------
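# GENERATED by harbor/prepare from harbor/templates/nginx.cm.yaml; re-running
# prepare overwrites this file, so mirror any change into the template.
#
# Security notes on this rendering:
# - ui_url_protocol = http in harbor.cfg, so prepare wrote the literal
#   "USE_HTTP" into `pkey`/`cert` below and the :80 server proxies the UI and
#   registry API in clear text (the https redirect is commented out). Whether
#   nginx tolerates a non-PEM file behind `listen 443 ssl` depends on the
#   harbor/nginx image entrypoint — confirm before relying on the 443 listener.
# - Once real TLS material is used, the private key must not live in this
#   ConfigMap: put it in a kubernetes.io/tls Secret and mount that instead.
apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-nginx-config
  namespace: kube-ops
data:
  config: |
    worker_processes auto;

    events {
      worker_connections 1024;
      use epoll;
      multi_accept on;
    }

    http {
      tcp_nodelay on;

      # do not advertise the nginx version in Server headers and error pages
      server_tokens off;

      # this is necessary for us to be able to disable request buffering in all cases
      proxy_http_version 1.1;


      upstream registry {
        server registry:5000;
      }

      upstream ui {
        server ui:80;
      }


      server {
        listen 443 ssl;
        server_name reg.mydomain.com;

        # SSL
        ssl_certificate /etc/nginx/https.crt;
        ssl_certificate_key /etc/nginx/https.key;

        # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
        # TLS 1.0/1.1 are deprecated (RFC 8996); offer only TLS 1.2.
        ssl_protocols TLSv1.2;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;

        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;

        location / {
          proxy_pass http://ui/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_buffering off;
          proxy_request_buffering off;
        }

        location /v1/ {
          return 404;
        }

        location /v2/ {
          proxy_pass http://registry/v2/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_buffering off;
          proxy_request_buffering off;

        }

        location /service/ {
          proxy_pass http://ui/service/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_buffering off;
          proxy_request_buffering off;
        }
      }

      # Plain-text listener. With the rewrite below commented out it serves the
      # full UI and registry API (logins, bearer tokens, image content) over
      # http; enable the rewrite as soon as a real certificate is configured.
      server {
        listen 80;
        server_name reg.mydomain.com;

        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;

        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;

        # rewrite ^/(.*) https://$server_name:443/$1 permanent;

        location / {
          proxy_pass http://ui/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_buffering off;
          proxy_request_buffering off;
        }

        location /v1/ {
          return 404;
        }

        location /v2/ {
          proxy_pass http://registry/v2/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_buffering off;
          proxy_request_buffering off;

        }

        location /service/ {
          proxy_pass http://ui/service/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_buffering off;
          proxy_request_buffering off;
        }
      }
    }
  # Placeholders written by prepare because ui_url_protocol != https.
  pkey: |
    USE_HTTP
  cert: |
    USE_HTTP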
157 |
--------------------------------------------------------------------------------
/harbor/nginx/nginx.rc.yaml:
--------------------------------------------------------------------------------
# Reverse proxy in front of the Harbor UI and registry. The whole /etc/nginx
# directory is replaced by the harbor-nginx-config ConfigMap (nginx.conf plus
# the TLS key/cert files), so anything the image ships under /etc/nginx
# (e.g. mime.types) is hidden by the mount.
#
# Supply-chain note: `harbor/nginx` carries no tag or digest, so it resolves to
# :latest and `IfNotPresent` means each node may run a different build. Pin a
# tag (and ideally a digest) that matches the v1.2.2 images used elsewhere.
# Secret-handling note: https.key is delivered from a ConfigMap key (`pkey`).
# When a real key replaces the USE_HTTP placeholder it must come from a
# kubernetes.io/tls Secret mounted as a separate volume.
apiVersion: v1
kind: ReplicationController
metadata:
  name: nginx-rc
  namespace: kube-ops
  labels:
    name: nginx-rc
spec:
  replicas: 1
  selector:
    name: nginx-apps
  template:
    metadata:
      labels:
        name: nginx-apps
    spec:
      containers:
        - name: nginx-app
          image: harbor/nginx  # untagged: resolves to :latest — pin before use
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
            - containerPort: 443
          volumeMounts:
            - name: config
              mountPath: /etc/nginx
      volumes:
        - name: config
          configMap:
            name: harbor-nginx-config
            items:
              - key: config
                path: nginx.conf
              - key: pkey
                path: https.key  # private key from a ConfigMap; move to a TLS Secret
              - key: cert
                path: https.crt
--------------------------------------------------------------------------------
/harbor/nginx/nginx.svc.yaml:
--------------------------------------------------------------------------------
---
# ClusterIP Service for the nginx reverse-proxy pods (label `name: nginx-apps`).
# Exposes the http (80) and https (443) listeners unchanged; external exposure
# (NodePort / LoadBalancer / Ingress) is not configured here.
apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: kube-ops
spec:
  type: ClusterIP
  selector:
    name: nginx-apps
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
    - name: https
      protocol: TCP
      port: 443
      targetPort: 443
14 |
--------------------------------------------------------------------------------
/harbor/prepare:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 |
3 | from __future__ import print_function, unicode_literals # We require Python 2.6 or later
4 | import sys
5 | import argparse
6 | import io
7 | import os
8 | import random
9 | import re
10 | import string
11 | import subprocess
12 |
13 | if sys.version_info[:3][0] == 2:
14 | import ConfigParser as configparser
15 | import StringIO as io
16 |
17 | if sys.version_info[:3][0] == 3:
18 | import configparser as configparser
19 | import io as io
20 |
21 |
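# prepare base dir: the directory containing this script; templates/ and the
# component output directories are resolved relative to it.
base_dir = os.path.dirname(os.path.abspath(__file__))

parser = argparse.ArgumentParser(description='Generate *.cm.yaml')
parser.add_argument('-f', default=os.path.join(base_dir, '../harbor.cfg'),
                    dest='config_file', help='[Optional] path of harbor config file')
parser.add_argument('-k', default='',
                    dest='private_key', help='[Optional] path of harbor https private key(pem)')
parser.add_argument('-c', default='',
                    dest='cert', help='[Optional] harbor path of https cert(pem)')
parser.add_argument('-s', default='',
                    dest='secret_key', help="[Optional] path of harbor secret key(16 characters)")

args = parser.parse_args()

# read config file
config_str = ''
if os.path.isfile(args.config_file):
    with open(args.config_file) as conf:
        config_str = conf.read()
else:
    raise Exception('Error: No such file(' + args.config_file + ')')

# harbor.cfg has no section header; prepend one so configparser accepts it.
config_str = '[harbor]\n' + config_str
fp = io.StringIO()
fp.write(config_str)
fp.seek(0, os.SEEK_SET)
# RawConfigParser: no '%' interpolation, so passwords containing '%' are kept
# verbatim instead of raising or being rewritten.
config = configparser.RawConfigParser()
# read_file() replaced readfp() in Python 3.2 and readfp() was removed in
# 3.12; fall back to readfp() only for the Python 2 ConfigParser module.
if hasattr(config, 'read_file'):
    config.read_file(fp)
else:
    config.readfp(fp)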
51 |
52 |
def get_config(key):
    """Return the value of `key` from the [harbor] section of the loaded config.

    A missing key is not an error: a warning is printed and '' is returned,
    which is how absent keys end up rendered as empty strings in the templates.
    """
    section = 'harbor'
    if not config.has_option(section, key):
        print('Warning: Key(' + key + ') is not existing. Use empty string as default')
        return ''
    return config.get(section, key)
60 |
61 |
def set_config(key, value):
    """Store `value` under `key` in the in-memory [harbor] section.

    Values set here (generated secrets, certificate PEM blobs, ui_url) become
    available to the templates exactly like keys read from harbor.cfg.
    """
    section = 'harbor'
    config.set(section, key, value)
66 |
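# relative path with config file
def rel_path(p):
    """Resolve path `p` relative to the directory that holds the config file.

    Absolute paths (and the empty string, which previously raised IndexError on
    `p[0]`) are returned unchanged; a relative path is joined onto the
    directory of `args.config_file`, itself made absolute against the current
    working directory when needed.
    """
    if not p or os.path.isabs(p):
        return p
    config_path = args.config_file
    if not os.path.isabs(config_path):
        config_path = os.path.join(os.getcwd(), config_path)
    return os.path.join(os.path.dirname(config_path), p)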
75 |
# path of private key: command-line -k wins, then ssl_cert_key from the config
pk_path = args.private_key or get_config('ssl_cert_key')
if pk_path:
    pk_path = rel_path(pk_path)

# path of cert: command-line -c wins, then ssl_cert from the config
cert_path = args.cert or get_config('ssl_cert')
if cert_path:
    cert_path = rel_path(cert_path)


# validate: https needs both files; for http both paths are discarded so the
# templates receive the USE_HTTP placeholders instead of real key material
use_https = get_config('ui_url_protocol') == 'https'
if use_https:
    if not pk_path:
        raise Exception("Error: The protocol is https but attribute ssl_cert_key is not set")
    if not cert_path:
        raise Exception("Error: The protocol is https but attribute ssl_cert is not set")
else:
    pk_path = ''
    cert_path = ''
100 |
101 |
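# read secret key
# Secrets below are drawn from the OS CSPRNG (random.SystemRandom -> os.urandom),
# not from the module-level `random` functions, whose Mersenne-Twister output is
# not suitable for credentials.
_csprng = random.SystemRandom()
_secret_alphabet = string.ascii_letters + string.digits


def _random_secret(length=16):
    """Return `length` random alphanumeric characters from the OS CSPRNG."""
    return ''.join(_csprng.choice(_secret_alphabet) for _ in range(length))


if args.secret_key != '':
    if os.path.isfile(args.secret_key):
        key = ''
        with open(args.secret_key, 'r') as skey:
            key = skey.read()
        # Harbor requires exactly 16 characters; a trailing newline in the file
        # also trips this check.
        if len(key) != 16:
            raise Exception('Error: The length of secret key has to be 16 characters!')
        set_config('secret_key', key)
    else:
        # Previously a missing -s file was silently ignored, leaving secret_key
        # unset so SECRET_KEY / JOBSERVICE_SECRET rendered as empty strings.
        raise Exception('Error: secret key file is not existing(' + args.secret_key + ')')
else:
    set_config('secret_key', _random_secret())

# read https pkey & cert (paths are '' unless ui_url_protocol is https)
if pk_path != '':
    if os.path.isfile(pk_path):
        with open(pk_path, 'r') as pkey:
            set_config('https_pkey', pkey.read())
    else:
        raise Exception('Error: https private key is not existing')
else:
    set_config('https_pkey', 'USE_HTTP')

if cert_path != '':
    if os.path.isfile(cert_path):
        with open(cert_path, 'r') as cert:
            set_config('https_cert', cert.read())
    else:
        raise Exception('Error: https cert is not existing')
else:
    set_config('https_cert', 'USE_HTTP')


# add configs
set_config('ui_url', get_config('ui_url_protocol') +
           '://' + get_config('hostname'))
# shared secret between ui, adminserver and jobservice; regenerated on every run
set_config('ui_secret', _random_secret())

# generate auth pkey & cert: the key pair the token service signs registry
# bearer tokens with. The crt_* keys are not present in harbor.cfg, so every
# subject field renders empty (get_config warns for each); the self-signed
# certificate is valid for ten years.
with open(os.devnull, 'w') as devnull:
    openssl = subprocess.call(['which', 'openssl'], stdout=devnull, stderr=devnull)
    if openssl == 0:
        pkey = subprocess.check_output(['openssl', 'genrsa', '4096'], stderr=devnull)
        subj = '/C={0}/ST={1}/L={2}/O={3}/OU={4}/CN={5}/emailAddress={6}'.format(get_config('crt_country'),
            get_config('crt_state'), get_config('crt_location'), get_config('crt_organization'),
            get_config('crt_organizationalunit'), get_config('crt_commonname'), get_config('crt_email'))
        openssl = subprocess.Popen(['openssl', 'req', '-new', '-x509', '-key', '/dev/stdin', '-days', '3650', '-subj', subj],
                                   stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=devnull)
        cert = openssl.communicate(input=pkey)[0]
        # communicate() does not raise on failure (stderr goes to /dev/null);
        # without this check a failed `openssl req` silently left auth_cert empty.
        if openssl.returncode != 0 or not cert:
            raise Exception('Error: openssl failed to generate the token-signing certificate')
        set_config('auth_pkey', pkey.decode())
        set_config('auth_cert', cert.decode())
    else:
        set_config('auth_pkey', 'NEED_SET')
        set_config('auth_cert', 'NEED_SET')
        print('Warning: auth_pkey and auth_cert cannot be generated automatically without openssl. Please set it manually')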
158 |
159 |
160 |
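# a template item: two braces, the shortest non-empty content, two braces
variable = re.compile(r'{{.+?}}')
# item content: optional "<number> " indentation prefix, then the config key
detail = re.compile(r'((\d+) )?([a-zA-Z_0-9-]+)')


def render_template(tmpl):
    """render template
    replace {{(number of leading spaces)name}} with config
    examples:
        config:
            hostname='test\ntest'

        {{hostname}} -> 'test\ntest'
        {{4 hostname}} -> 'test\n    test'

    Values are substituted verbatim: no YAML quoting or escaping is applied.
    A value containing a double quote or a newline therefore corrupts a
    template that wraps the item in "..." (which is how the ConfigMap
    templates quote secrets), so keep db_password and a `-s` secret key to
    characters that are safe inside double quotes. Missing keys render as ''
    (get_config prints a warning for each).
    """
    matches = variable.findall(tmpl)
    for match in matches:
        segs = detail.search(match)
        # Items with no key at all ("{{ }}", "{{!}}") produce no match; the
        # former check `segs.group() == ''` could never trigger because group 3
        # needs at least one character, so such items crashed with
        # AttributeError instead of the intended error.
        if segs is None:
            raise Exception('Error: Invalid template item(' + match + ')')
        value = get_config(segs.group(3))
        spaces = segs.group(2)
        if spaces:
            # re-indent continuation lines of multi-line values (PEM blobs)
            leading = ' ' * int(spaces)
            value = str(value).replace('\n', '\n' + leading)
        tmpl = tmpl.replace(match, value)
    return tmpl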
185 |
186 |
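def generate_template(tmpl, dest):
    """Render template file `tmpl` and write the result to `dest`.

    The template is read and rendered before `dest` is opened, so a render
    error (e.g. an invalid template item) no longer leaves a truncated, empty
    output file behind as the previous nested `open(dest, 'w')` did.
    """
    with open(tmpl) as source_file:
        rendered = render_template(source_file.read())
    with open(dest, 'w') as target_file:
        target_file.write(rendered)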
193 |
194 |
template_dir = os.path.join(base_dir, 'templates')
output_dir = base_dir
# Each component's template is rendered to <component>/<component>.cm.yaml
# next to this script; the outputs contain rendered secrets, so do not commit
# them. Order matches the previous explicit call sequence.
for component in ('ui', 'jobservice', 'mysql', 'nginx', 'registry', 'adminserver'):
    cm_file = component + '.cm.yaml'
    generate_template(os.path.join(template_dir, cm_file),
                      os.path.join(output_dir, component, cm_file))
203 |
--------------------------------------------------------------------------------
/harbor/pv/ops.pv.yaml:
--------------------------------------------------------------------------------
# Shared NFS PersistentVolume + claim used by every Harbor component: the
# MySQL datadir, registry blob storage and jobservice logs are all subPaths
# of this one claim (opspvc), so any pod that can mount it can read the
# others' data. The export path is the NFS server's root ("/"); prefer a
# dedicated export directory with restricted host access and root squash
# rather than exporting "/".
apiVersion: v1
kind: PersistentVolume
metadata:
  name: opspv
  labels:
    k8s-app: opspv
spec:
  accessModes:
    - ReadWriteMany
  capacity:
    storage: 100Gi
  persistentVolumeReclaimPolicy: Retain
  nfs:
    path: /
    server: 192.168.1.139  # replace with your own NFS server address

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: opspvc
  namespace: kube-ops
  labels:
    k8s-app: opspvc
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 100Gi
  # Bind to the PV above by label rather than to any matching volume.
  selector:
    matchLabels:
      k8s-app: opspv
--------------------------------------------------------------------------------
/harbor/registry/registry.cm.yaml:
--------------------------------------------------------------------------------
# GENERATED by harbor/prepare from harbor/templates/registry.cm.yaml;
# re-running prepare overwrites this file.
#
# Review notes on the rendered registry config.yml below:
# - `http.secret` is the literal string "placeholder". The registry uses it
#   to sign upload-session state; a public value lets anyone who can reach the
#   registry forge that state. It must be a random value, ideally generated by
#   prepare like ui_secret.
# - `http.debug.addr` is localhost:5001, i.e. the unauthenticated debug
#   endpoint is not reachable from other pods; keep it that way (do not
#   publish 5001 through a Service).
# - `log.level: debug` can record request details; lower it outside of
#   troubleshooting.
# - `auth.token.realm` is plain http (ui_url_protocol = http): bearer tokens
#   are issued over clear text.
# - `cert` is empty in this committed copy, so /etc/docker/registry/root.crt
#   is an empty file and token verification cannot succeed until prepare has
#   been run with openssl available (it generates auth_cert).
apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-registry-config
  namespace: kube-ops
data:
  # Mounted as /etc/docker/registry/config.yml by registry.rc.yaml.
  config: |
    version: 0.1
    log:
      level: debug
      fields:
        service: registry
    storage:
      filesystem:
        rootdirectory: /storage
      cache:
        layerinfo: inmemory
      maintenance:
        uploadpurging:
          enabled: false
      delete:
        enabled: true
    http:
      addr: :5000
      secret: placeholder
      debug:
        addr: localhost:5001
    auth:
      token:
        issuer: registry-token-issuer
        realm: http://reg.mydomain.com/service/token
        rootcertbundle: /etc/docker/registry/root.crt
        service: token-service
    notifications:
      endpoints:
        - name: harbor
          disabled: false
          url: http://ui/service/notifications
          timeout: 3000ms
          threshold: 5
          backoff: 1s

  # Token-signing root certificate (PEM), mounted as root.crt; empty here.
  cert: |


--------------------------------------------------------------------------------
/harbor/registry/registry.rc.yaml:
--------------------------------------------------------------------------------
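---
# Docker distribution registry backing Harbor. config.yml and the token
# root certificate are mounted from the harbor-registry-config ConfigMap;
# blobs live on the shared NFS claim under harbor/registry.
apiVersion: apps/v1  # extensions/v1beta1 Deployment was removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: registry-rc
  namespace: kube-ops
  labels:
    name: registry-rc
spec:
  replicas: 1
  # Required by apps/v1; must match the pod template labels (the registry
  # Service selects on the same label).
  selector:
    matchLabels:
      name: registry-apps
  template:
    metadata:
      labels:
        name: registry-apps
    spec:
      # The registry never calls the Kubernetes API; do not mount an API token.
      automountServiceAccountToken: false
      containers:
        - name: registry-app
          image: vmware/registry:2.6.2-photon
          imagePullPolicy: IfNotPresent
          ports:
            - name: repo
              containerPort: 5000
            # The debug endpoint is bound to localhost:5001 in config.yml and is
            # deliberately not declared here: it is unauthenticated and must not
            # be reachable from other pods.
          volumeMounts:
            - name: config
              mountPath: /etc/docker/registry
            - name: storage
              mountPath: /storage
              subPath: harbor/registry
      volumes:
        - name: config
          configMap:
            name: harbor-registry-config
            items:
              - key: config
                path: config.yml
              - key: cert
                path: root.crt
        - name: storage
          persistentVolumeClaim:
            claimName: opspvc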
40 |
--------------------------------------------------------------------------------
/harbor/registry/registry.svc.yaml:
--------------------------------------------------------------------------------
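---
# ClusterIP Service for the registry API. Only port 5000 is published: the
# registry's debug endpoint (unauthenticated) is bound to localhost:5001 in
# harbor-registry-config, so a Service port for it could never be reached and
# would only become an exposure if the bind address were later widened.
apiVersion: v1
kind: Service
metadata:
  name: registry
  namespace: kube-ops
spec:
  type: ClusterIP
  selector:
    name: registry-apps
  ports:
    - name: repo
      protocol: TCP
      port: 5000
      targetPort: 5000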
14 |
--------------------------------------------------------------------------------
/harbor/templates/adminserver.cm.yaml:
--------------------------------------------------------------------------------
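# Template for harbor/adminserver/adminserver.cm.yaml, rendered by harbor/prepare
# (double-braced placeholders are replaced with the same-named harbor.cfg key).
#
# Previously only db_password, harbor_admin_password, max_job_workers, the
# generated secrets and ui_url were rendered; auth_mode, self_registration,
# the ldap_* / email_* settings, project_creation_restriction,
# verify_remote_cert, token_expiration, admiral_url and the db_* HA keys were
# written here literally, so editing them in harbor.cfg silently had no
# effect. They now come from harbor.cfg. Keys that are commented out there
# (ldap_searchdn, ldap_search_pwd, ldap_filter) render as "" with a prepare
# warning, which is the value this file carried before.
#
# SECURITY: every value, including MYSQL_PWD, EMAIL_PWD, LDAP_SEARCH_PWD,
# HARBOR_ADMIN_PASSWORD, UI_SECRET, JOBSERVICE_SECRET and SECRET_KEY, is
# rendered into a ConfigMap (not a Secret). Do not commit the rendered file.
apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-adminserver-config
  namespace: kube-ops
data:
  LOG_LEVEL: debug
  AUTH_MODE: "{{auth_mode}}"
  SELF_REGISTRATION: "{{self_registration}}"
  LDAP_URL: "{{ldap_url}}"
  LDAP_SEARCH_DN: "{{ldap_searchdn}}"
  LDAP_SEARCH_PWD: "{{ldap_search_pwd}}"
  LDAP_BASE_DN: "{{ldap_basedn}}"
  LDAP_FILTER: "{{ldap_filter}}"
  LDAP_UID: "{{ldap_uid}}"
  LDAP_SCOPE: "{{ldap_scope}}"
  LDAP_TIMEOUT: "{{ldap_timeout}}"
  DATABASE_TYPE: mysql
  MYSQL_HOST: "{{db_host}}"
  MYSQL_PORT: "{{db_port}}"
  MYSQL_USR: "{{db_user}}"
  MYSQL_PWD: "{{db_password}}"
  MYSQL_DATABASE: registry
  REGISTRY_URL: http://registry:5000
  TOKEN_SERVICE_URL: http://ui/service/token
  EMAIL_HOST: "{{email_server}}"
  EMAIL_PORT: "{{email_server_port}}"
  EMAIL_USR: "{{email_username}}"
  EMAIL_PWD: "{{email_password}}"
  EMAIL_SSL: "{{email_ssl}}"
  EMAIL_FROM: "{{email_from}}"
  EMAIL_IDENTITY: "{{email_identity}}"
  HARBOR_ADMIN_PASSWORD: "{{harbor_admin_password}}"
  PROJECT_CREATION_RESTRICTION: "{{project_creation_restriction}}"
  VERIFY_REMOTE_CERT: "{{verify_remote_cert}}"
  MAX_JOB_WORKERS: "{{max_job_workers}}"
  UI_SECRET: "{{ui_secret}}"
  JOBSERVICE_SECRET: "{{secret_key}}"
  TOKEN_EXPIRATION: "{{token_expiration}}"
  CFG_EXPIRATION: "5"
  GODEBUG: "netdns=cgo"
  ADMIRAL_URL: "{{admiral_url}}"
  WITH_NOTARY: "False"
  RESET: "false"
  EXT_ENDPOINT: "{{ui_url}}"
  TOKEN_URL: http://ui
  JSON_CFG_STORE_PATH: "/etc/config/config.json"
  SECRET_KEY: "{{secret_key}}"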
49 |
--------------------------------------------------------------------------------
/harbor/templates/jobservice.cm.yaml:
--------------------------------------------------------------------------------
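# Template for harbor/jobservice/jobservice.cm.yaml, rendered by harbor/prepare
# (double-braced placeholders are replaced with the same-named harbor.cfg key).
#
# MYSQL_HOST / MYSQL_PORT / MYSQL_USR now come from the db_host / db_port /
# db_user keys of harbor.cfg (previously written literally here, so the HA
# section of harbor.cfg was ignored); the defaults render to the same
# values as before.
#
# SECURITY: MYSQL_PWD, UI_SECRET and SECRET_KEY are rendered into a ConfigMap
# (not a Secret). Do not commit the rendered file. LOG_LEVEL is debug and the
# embedded app.conf runs in dev mode; both are suitable for a lab only.
apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-jobservice-config
  namespace: kube-ops
data:
  MYSQL_HOST: "{{db_host}}"
  MYSQL_PORT: "{{db_port}}"
  MYSQL_USR: "{{db_user}}"
  MYSQL_PWD: "{{db_password}}"
  UI_SECRET: "{{ui_secret}}"
  SECRET_KEY: "{{secret_key}}"
  CONFIG_PATH: /etc/jobservice/app.conf
  REGISTRY_URL: http://registry:5000
  VERIFY_REMOTE_CERT: "{{verify_remote_cert}}"
  MAX_JOB_WORKERS: "{{max_job_workers}}"
  LOG_LEVEL: debug
  LOG_DIR: /var/log/jobs
  GODEBUG: netdns=cgo
  EXT_ENDPOINT: "{{ui_url}}"
  TOKEN_URL: http://ui
  # Mounted as /etc/jobservice/app.conf by jobservice.rc.yaml.
  config: |
    appname = jobservice
    runmode = dev
    [dev]
    httpport = 80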
27 |
--------------------------------------------------------------------------------
/harbor/templates/mysql.cm.yaml:
--------------------------------------------------------------------------------
---
# Template for the MySQL ConfigMap. `{{db_password}}` is substituted by the
# prepare step and is the same variable the ui, jobservice and adminserver
# templates use for MYSQL_PWD, so the four stay in sync by construction.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: kube-ops
  name: harbor-mysql-config
data:
  # NOTE(review): the only key here is the database root password, i.e. a
  # credential; a Secret consumed via secretKeyRef would keep it out of the
  # ConfigMap read path.
  MYSQL_ROOT_PASSWORD: '{{db_password}}'
--------------------------------------------------------------------------------
/harbor/templates/nginx.cm.yaml:
--------------------------------------------------------------------------------
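---
# Template for the nginx front-end ConfigMap. `{{hostname}}`, `{{4 https_pkey}}`
# and `{{4 https_cert}}` are substituted by the prepare step (the leading `4`
# presumably asks for a 4-space re-indent of the multi-line PEM - confirm).
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: kube-ops
  name: harbor-nginx-config
data:
  # nginx.conf. Change vs. the previous revision: `ssl_protocols` no longer
  # offers TLSv1.1, which is deprecated (RFC 8996); Docker clients negotiate
  # TLSv1.2, so dropping it is not expected to lock anyone out - verify
  # against your own clients. Everything else is verbatim.
  #
  # Points a reviewer should still be aware of:
  #   - the port-80 server proxies the same locations over plaintext and the
  #     HTTPS redirect is left commented out, so logins and tokens can travel
  #     unencrypted unless something in front of nginx enforces HTTPS;
  #   - the TLS private key is delivered through this ConfigMap (`pkey`
  #     below) rather than through a Secret.
  config: |
    worker_processes auto;

    events {
      worker_connections 1024;
      use epoll;
      multi_accept on;
    }

    http {
      tcp_nodelay on;

      # this is necessary for us to be able to disable request buffering in all cases
      proxy_http_version 1.1;


      upstream registry {
        server registry:5000;
      }

      upstream ui {
        server ui:80;
      }


      server {
        listen 443 ssl;
        server_name {{hostname}};

        # SSL
        ssl_certificate /etc/nginx/https.crt;
        ssl_certificate_key /etc/nginx/https.key;

        # Recommendations from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
        ssl_protocols TLSv1.2;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;

        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;

        location / {
          proxy_pass http://ui/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_buffering off;
          proxy_request_buffering off;
        }

        location /v1/ {
          return 404;
        }

        location /v2/ {
          proxy_pass http://registry/v2/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_buffering off;
          proxy_request_buffering off;

        }

        location /service/ {
          proxy_pass http://ui/service/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_buffering off;
          proxy_request_buffering off;
        }
      }
      server {
        listen 80;
        server_name {{hostname}};

        # disable any limits to avoid HTTP 413 for large image uploads
        client_max_body_size 0;

        # required to avoid HTTP 411: see Issue #1486 (https://github.com/docker/docker/issues/1486)
        chunked_transfer_encoding on;

        # rewrite ^/(.*) https://$server_name:443/$1 permanent;

        location / {
          proxy_pass http://ui/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_buffering off;
          proxy_request_buffering off;
        }

        location /v1/ {
          return 404;
        }

        location /v2/ {
          proxy_pass http://registry/v2/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_buffering off;
          proxy_request_buffering off;

        }

        location /service/ {
          proxy_pass http://ui/service/;
          proxy_set_header Host $http_host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          # When setting up Harbor behind other proxy, such as an Nginx instance, remove the below line if the proxy already has similar settings.
          proxy_set_header X-Forwarded-Proto $scheme;

          proxy_buffering off;
          proxy_request_buffering off;
        }
      }
    }

  # TLS key and certificate, presumably mounted by the nginx Deployment at the
  # /etc/nginx/https.key and https.crt paths referenced in the config above.
  pkey: |
    {{4 https_pkey}}
  cert: |
    {{4 https_cert}}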
--------------------------------------------------------------------------------
/harbor/templates/registry.cm.yaml:
--------------------------------------------------------------------------------
---
# Template for the registry ConfigMap: `{{ui_url}}` and `{{4 auth_cert}}` are
# substituted by the prepare step. `config` is a Docker distribution config
# file; `cert` is the certificate the registry trusts for token verification.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: kube-ops
  name: harbor-registry-config
data:
  # Distribution config. The indentation below is significant because the
  # container parses this text as YAML again; `delete` is read here as a
  # sibling of `maintenance` under `storage`, which is where distribution
  # defines it (the flat listing had lost the indent) - confirm.
  #
  # Review notes:
  #   - `http.secret: placeholder` is a literal; the registry signs the upload
  #     state it hands to clients with this value, so it should come from a
  #     generated secret like the other `{{...}}` values rather than ship as a
  #     constant;
  #   - `http.debug.addr` opens a debug listener on localhost:5001;
  #   - `log.level: debug` is verbose for a production registry.
  config: |
    version: 0.1
    log:
      level: debug
      fields:
        service: registry
    storage:
      filesystem:
        rootdirectory: /storage
      cache:
        layerinfo: inmemory
      maintenance:
        uploadpurging:
          enabled: false
      delete:
        enabled: true
    http:
      addr: :5000
      secret: placeholder
      debug:
        addr: localhost:5001
    auth:
      token:
        issuer: registry-token-issuer
        realm: {{ui_url}}/service/token
        rootcertbundle: /etc/docker/registry/root.crt
        service: token-service
    notifications:
      endpoints:
        - name: harbor
          disabled: false
          url: http://ui/service/notifications
          timeout: 3000ms
          threshold: 5
          backoff: 1s

  # PEM certificate matching the ui's token-signing `pkey`; presumably mounted
  # at /etc/docker/registry/root.crt (the rootcertbundle path above) - confirm.
  cert: |
    {{4 auth_cert}}
--------------------------------------------------------------------------------
/harbor/templates/ui.cm.yaml:
--------------------------------------------------------------------------------
---
# Template for the ui ConfigMap; `{{...}}` tokens are filled in by the prepare
# step. Keys are grouped by concern; same keys and values as the flat original.
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: kube-ops
  name: harbor-ui-config
data:
  # Database (same root user and `{{db_password}}` as the other templates).
  MYSQL_HOST: mysql
  MYSQL_PORT: '3306'
  MYSQL_USR: root
  MYSQL_PWD: '{{db_password}}'

  # Paths, in-cluster URLs and the externally visible registry name.
  CONFIG_PATH: /etc/ui/app.conf
  REGISTRY_URL: 'http://registry:5000'
  HARBOR_URL: 'http://ui'
  TOKEN_URL: 'http://ui'
  HARBOR_REG_URL: '{{hostname}}'
  EXT_REG_URL: '{{hostname}}'  # same prepare variable as HARBOR_REG_URL
  EXT_ENDPOINT: '{{ui_url}}'

  # Authentication. The adminserver template carries literal sample values
  # for the LDAP_* keys instead of these variables - confirm which is meant.
  AUTH_MODE: '{{auth_mode}}'
  SELF_REGISTRATION: '{{self_registration}}'
  LDAP_URL: '{{ldap_url}}'
  LDAP_SEARCH_DN: '{{ldap_searchdn}}'
  LDAP_SEARCH_PWD: '{{ldap_search_pwd}}'  # bind credential (see NOTE below)
  LDAP_BASE_DN: '{{ldap_basedn}}'
  LDAP_FILTER: '{{ldap_filter}}'
  LDAP_UID: '{{ldap_uid}}'
  LDAP_SCOPE: '{{ldap_scope}}'

  # NOTE(review): admin password, LDAP bind password, UI_SECRET and SECRET_KEY
  # are credentials stored in a ConfigMap; a Secret consumed via secretKeyRef
  # is the appropriate place for them.
  HARBOR_ADMIN_PASSWORD: '{{harbor_admin_password}}'
  UI_SECRET: '{{ui_secret}}'
  SECRET_KEY: '{{secret_key}}'

  # Miscellaneous switches.
  LOG_LEVEL: debug
  GODEBUG: netdns=cgo
  USE_COMPRESSED_JS: '{{use_compressed_js}}'
  VERIFY_REMOTE_CERT: '{{verify_remote_cert}}'
  TOKEN_EXPIRATION: '{{token_expiration}}'

  # beego app.conf, mounted at CONFIG_PATH by the ui Deployment. The [mail]
  # section carries the SMTP password in clear text as well.
  config: |
    appname = registry
    runmode = dev
    [lang]
    types = en-US|zh-CN
    names = en-US|zh-CN
    [dev]
    httpport = 80
    [mail]
    host = {{email_server}}
    port = {{email_server_port}}
    username = {{email_username}}
    password = {{email_password}}
    from = {{email_from}}
    ssl = {{email_ssl}}

  # Token-signing private key (mounted as private_key.pem by the ui
  # Deployment); presumably the pair of the registry's `cert`.
  pkey: |
    {{4 auth_pkey}}
--------------------------------------------------------------------------------
/harbor/ui/ui.cm.yaml:
--------------------------------------------------------------------------------
# Concrete (non-template) ui ConfigMap: the `{{...}}` variables of the
# template are replaced by literal values here.
#
# NOTE(review): this file carries live secrets in a ConfigMap committed to
# version control - the MySQL root password, the Harbor admin password,
# UI_SECRET, SECRET_KEY, the SMTP password inside `config`, and a complete RSA
# private key in `pkey`. Anything committed this way has to be treated as
# compromised: generate fresh values, rotate the key pair (together with the
# registry's matching `cert`), and deliver them through a Secret
# (secretKeyRef / secret volume) instead of configMapKeyRef. The values below
# are kept byte-for-byte so the paired registry manifest keeps working until
# that is done.
apiVersion: v1
kind: ConfigMap
metadata:
  name: harbor-ui-config
  namespace: kube-ops
data:
  MYSQL_HOST: mysql
  MYSQL_PORT: "3306"
  MYSQL_USR: root  # the application connects as the MySQL superuser
  MYSQL_PWD: "root123"  # credential, see NOTE above
  REGISTRY_URL: http://registry:5000
  CONFIG_PATH: /etc/ui/app.conf
  HARBOR_REG_URL: "reg.mydomain.com"
  HARBOR_ADMIN_PASSWORD: "Harbor12345"  # credential; looks like a sample default - change before first login
  HARBOR_URL: http://ui
  AUTH_MODE: "db_auth"
  # Sample LDAP settings; presumably unused while AUTH_MODE is db_auth.
  LDAP_URL: "ldaps://ldap.mydomain.com"
  LDAP_SEARCH_DN: ""
  LDAP_SEARCH_PWD: ""
  LDAP_BASE_DN: "ou=people,dc=mydomain,dc=com"
  LDAP_FILTER: ""
  LDAP_UID: "uid"
  LDAP_SCOPE: "3"
  LOG_LEVEL: debug
  UI_SECRET: "42VPEolTxWOEouiW"  # credential, see NOTE above
  SECRET_KEY: "VTXdK8CdXADDwS9G"  # credential, see NOTE above
  GODEBUG: netdns=cgo
  EXT_ENDPOINT: "http://reg.mydomain.com"  # external endpoint advertised over plain http
  TOKEN_URL: http://ui
  SELF_REGISTRATION: "on"  # quoted on purpose: a bare on/off is a YAML 1.1 boolean
  USE_COMPRESSED_JS: ""
  VERIFY_REMOTE_CERT: "on"
  TOKEN_EXPIRATION: "30"
  EXT_REG_URL: "reg.mydomain.com"
  # beego app.conf; the ui Deployment mounts it as /etc/ui/app.conf
  # (CONFIG_PATH). The [mail] section holds the SMTP password in clear text.
  config: |
    appname = registry
    runmode = dev
    [lang]
    types = en-US|zh-CN
    names = en-US|zh-CN
    [dev]
    httpport = 80
    [mail]
    host = smtp.mydomain.com
    port = 25
    username = sample_admin@mydomain.com
    password = abc
    from = admin
    ssl = false
  # Token-signing private key; the ui Deployment mounts it as
  # /etc/ui/private_key.pem. See NOTE above - committed key material must be
  # rotated.
  pkey: |
    -----BEGIN RSA PRIVATE KEY-----
    MIIJKAIBAAKCAgEAmkeLN7TSjT48zIkXUr4pMufukZqEL0N+LlJ8P56XlRxrGBZL
    LfdjH/ImVUgJsDoGGJ//LdR0Csqua182oIwUPydLLpYwJB6U3VtjChcYcT+faJh2
    UvpbxidcFVFaKL8juEeQ0bM2eIElX9aKsZeaY8uxMHsQfpVSPaVfbiYWVJ2uVuHf
    mOv4JPnjX+hWrkm3A6pGoGzo6TPerpu+BoTPe7xLTq/cY6toEfXafcP3uv6e2Tuc
    MTmYpvrT/mBL94bcAjZYechOGSHdxgewzuAr3vWCJAThFmH4KMpuVj1JC0zRqkYL
    ysA8ZF8Py/OD1qypJwCh/H7X2QTrbdWKVgrccRY4otqK348XJ/6sq3fjjv/EMdNJ
    jnaBlWEOqYqz/INpSVnWcS9sQc/7Qgp8dRqQWajSGl++wrWfUACI9OQYhzXeqa6x
    r5Bss8u498aDmaJ2Jd+2TrORS0yFenwTfLmIRU1NS8ONxvdMClJpAlZ2xsNWQl89
    LnrT95/GRkZKqnuX6QpKP1KsmhFq9NTwU0ca7f7fQ00e0+LdLEPv/T9KVnX2qcAW
    KiapKFPZzDpRFvPB50903ZrvqH+hfmcoz0lHo+ghimz6GabFJ/wYv5p8wXCCUiDi
    fxV431JRDTpZiwMVHPlZRjwVPn2KEWM6wGkwTYGTIJsVK2+DrSaDIxsFTz8CAwEA
    AQKCAgBuzxoH/cEIn34Nrh1pWZm/rWPlgmSUidZ0MNx62U6oU4v79e8zaa7xf/vW
    XvJOd65vO2ONqD1cjuytw+o5b8MPBQrzv/19w9VKE9xTn/j3RioZdv/tY1JNRXHX
    AeJOx9JBBm3Wn/Bspt2QM0jUez3xlZiDaLCVKmyySDf9pi99wO86CeuOK1XEQRL1
    jKvNbLadVEx75x12ecHkCYp3piZcCgbQ0nDpyW/rDnlKwVkKHt06y5zIokSpEhj3
    aHTHqT4V/LCZb6vgUzm1hUqRm+MGtbEua667Y8xYh+St3kC7dAZXVQ4dJut5b+mp
    pBK6OrMXh1XRQ82GWwk5jxlX6V8gYLU9fmI9AfMsupVJ3Gwx4GdTznjzeoPuCA3I
    XeG6qctMHbPQPHkw+9rDNyOF+hnRCRdLH2FboRjg+FuAe/7GAn5+J4yZChGXGn7S
    cbPy88EoeVXPfj9o6Y8aJEq7bgZJ3Gf5b4KFLCnbMwiYKmm6GZ4HsZJfrnkwYghy
    ufLfDS9zmDgHClYDws3znLuptEpcZlI8IkXP000G0FimfB5Ho4tM1YSC4jTEeRRO
    +n2Pa63Z5uT6lq4koJpnGYi0xPEkJE1f/C9Npy5Fa5jWs2/M5RTYBrWWq5JS8OPg
    I/wVK3z0ciiGkwYcgWCN84g8ja/1DsStFibEWyoDTgdUYHSDWQKCAQEAy3FipsvV
    t4KHR57tomR4T/RHFWgQZNKo0Bcc+PeFuaP/0dKXOjlxCIuroUXllALbEuvaKAOU
    W8cqpEGpkB3mQkB9X8oEnhgUeFjTlU4pIE8G4YpkZmwJENCsYqBds056qrSzdH6I
    UQhxf5MoiQKd7T+vwQ41hbgTyzUW6nl1B7vSlrb5KgYTxhd4O2IKFe7t0eR/pvd+
    i72yam2gTHP8KTINN+8261AsKm0oiuATnNXhSUxZ/hslQ4iHiybvMxC+55DrnU2M
    y141Mn7v2NVMQUY2Q5lLsdm3A0DXuGYKdcXXcWqO86umoA+oD4kipnF5bod7Mudj
    iG7zxuvoYisiQwKCAQEAwiLBBzM/h+d5wn2ugnRKmEoF6f03+rmK7WQ1u6wzHOe6
    9stLueYxtJToIyNmXOkYkECbQY5cj2lk4cbtkca+mI/tBkeCRe9DKxNzvVqMg2n5
    +DyKvVEp4oNlp4+RCOzBJuKjBpGcCYo7P2xlOIjnq1AcgTTP6clYAiNVCPqQWPPH
    h0U+wqTZVkwdewWk8mNuuOZ0Pimgvuy7uEhHotCtGRR4Pbke+djaf20QM+EPNe93
    66KIIOWdhrstaKlI0dXiyq6V32ENdJM4gAawyDzPgmGlOre1/DZbwbtKaK1Eb6Wa
    q+oUCl7nTG+eliswqbg8/IEEZfocidWS9dxthm/lVQKCAQBx7DV9B6nO0FYmwhV6
    GV7SDw17LEH544lKtZawyBLnKLIJci7jGOV2Dph2f+iWYJ8C0nXgcFi0qCv1vRtR
    q5yUPv62FC9PxFY6KiuZcSJQiFBnHhMo05ikBOZzeC/gR7MjQns3Yd+92MeN0/8f
    8gozn7Uwm19XWQQkh78kYA0r3n6HjUCryqlqBRx7zGOvcpNUNOtSuUbww7JULL1V
    8qEjBHcoelk7njKNM4E/e0kgSxiT7iB6zgKo9ZxJTO0noFn23E1EUffkrgWGGFUB
    DDheWQ3r/rzHhA4a0UW7adCzsKz7Qtt4EggFm57VzEpOAD8qqM1RbQdskA0MuG/y
    AQt3AoIBAAjUld0i+p/O6p3rI5XxfjchHtW+293+tJAJv9vygDyvWbTCGIazLs2c
    /FYk1RIi1CgzmBxKQnGPhLQ0XTgFR0QfP9PKSuWtdWuvLdOOG9gaaPFep5zm5TXV
    bjlJ8Xnrcvm2012IIAXbEMjYwF3q9Ea5lSJXaaGjs+oc+1A2PXyeUhQYFTu7Tdt8
    CNdAsXkJBs9IRD9Tm2kz0XIXb5K7VTRP1wxPsFYDBCVJq7QAZ7W3V8gTE4gTia/I
    Mc+R66sHxJIdkNmhS4Bi9e303/OruHCgymg6VP/M5S2RvFe4keVWLgvl0NWL7Y9v
    gFIqUsNViwidQbr1vniSi2W9ignUayUCggEBAJ8vvr42+gtLIku9+nvpAYSEG2y0
    lhKyzAcUJMpeumvVogLk/0l4PCuLSOtHQA4PSf4nmj54ZTY7D2EieARKI4MRVTGA
    7/xxQnGP4k0LEAN6zyyqp7DBDIFqXleNF6HsOhADsOG2AiUAZpwP+gYKTtTHMeat
    dfTSQUYtJj13CbEle8IYz+n4KB6tWYRYZDv7wKkt3FavWJ2FTTQMIlJ9Ybz90soj
    wfN2aT7m/bBMknSWSvknYIzuqeSu9jfAXy/ffVt/huHq4j/WBkAAbLOlmUhleUMc
    fRcHchWgWd8KBKnCX0eFul4rU4X1LxYqosacV5W02MOcnpMikR4tcTqFhQY=
    -----END RSA PRIVATE KEY-----
--------------------------------------------------------------------------------
/harbor/ui/ui.rc.yaml:
--------------------------------------------------------------------------------
---
# Harbor UI Deployment. Every setting is pulled key-by-key from the
# harbor-ui-config ConfigMap, and the same ConfigMap is mounted under /etc/ui
# for app.conf and the token-signing private key.
#
# Review notes (nothing here changes behaviour):
#   - MYSQL_PWD, HARBOR_ADMIN_PASSWORD, LDAP_SEARCH_PWD, UI_SECRET, SECRET_KEY
#     and the `pkey` file are secrets read from a ConfigMap; serving the same
#     keys from a Secret (secretKeyRef / secret volume) is the fix;
#   - the container sets no resources, probes or securityContext;
#   - extensions/v1beta1 Deployments were removed in Kubernetes 1.16, and
#     apps/v1 additionally requires an explicit spec.selector.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  namespace: kube-ops
  name: ui-rc
  labels:
    name: ui-rc
spec:
  replicas: 1
  template:
    metadata:
      labels:
        name: ui-apps  # matched by the `ui` Service selector
    spec:
      volumes:
        - name: config
          configMap:
            name: harbor-ui-config
            items:
              - key: config
                path: app.conf
              - key: pkey
                path: private_key.pem
      containers:
        - name: ui-app
          image: vmware/harbor-ui:v1.2.2
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 80
          volumeMounts:
            - name: config
              mountPath: /etc/ui
          # One entry per ConfigMap key, in the order the ConfigMap lists them.
          env:
            - name: MYSQL_HOST
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: MYSQL_HOST}
            - name: MYSQL_PORT
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: MYSQL_PORT}
            - name: MYSQL_USR
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: MYSQL_USR}
            - name: MYSQL_PWD
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: MYSQL_PWD}
            - name: REGISTRY_URL
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: REGISTRY_URL}
            - name: CONFIG_PATH
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: CONFIG_PATH}
            - name: HARBOR_REG_URL
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: HARBOR_REG_URL}
            - name: HARBOR_ADMIN_PASSWORD
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: HARBOR_ADMIN_PASSWORD}
            - name: HARBOR_URL
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: HARBOR_URL}
            - name: AUTH_MODE
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: AUTH_MODE}
            - name: LDAP_URL
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: LDAP_URL}
            - name: LDAP_SEARCH_DN
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: LDAP_SEARCH_DN}
            - name: LDAP_SEARCH_PWD
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: LDAP_SEARCH_PWD}
            - name: LDAP_BASE_DN
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: LDAP_BASE_DN}
            - name: LDAP_FILTER
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: LDAP_FILTER}
            - name: LDAP_UID
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: LDAP_UID}
            - name: LDAP_SCOPE
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: LDAP_SCOPE}
            - name: LOG_LEVEL
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: LOG_LEVEL}
            - name: UI_SECRET
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: UI_SECRET}
            - name: SECRET_KEY
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: SECRET_KEY}
            - name: GODEBUG
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: GODEBUG}
            - name: EXT_ENDPOINT
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: EXT_ENDPOINT}
            - name: TOKEN_URL
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: TOKEN_URL}
            - name: SELF_REGISTRATION
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: SELF_REGISTRATION}
            - name: USE_COMPRESSED_JS
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: USE_COMPRESSED_JS}
            - name: VERIFY_REMOTE_CERT
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: VERIFY_REMOTE_CERT}
            - name: TOKEN_EXPIRATION
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: TOKEN_EXPIRATION}
            - name: EXT_REG_URL
              valueFrom:
                configMapKeyRef: {name: harbor-ui-config, key: EXT_REG_URL}
--------------------------------------------------------------------------------
/harbor/ui/ui.svc.yaml:
--------------------------------------------------------------------------------
---
# Cluster-internal Service in front of the ui pods (label name=ui-apps). No
# `type` is given, so it is a ClusterIP; nginx's `upstream ui` resolves this
# name on port 80.
apiVersion: v1
kind: Service
metadata:
  namespace: kube-ops
  name: ui
spec:
  selector:
    name: ui-apps
  ports:
    - port: 80
--------------------------------------------------------------------------------
/jenkins/deploy.yaml:
--------------------------------------------------------------------------------
---
# Jenkins controller. Runs under the `jenkins` ServiceAccount (bound by
# rbac.yaml) and keeps JENKINS_HOME on the shared opspvc claim under the
# `jenkins` sub-path.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  namespace: kube-ops
  name: jenkins
spec:
  template:
    metadata:
      labels:
        app: jenkins
    spec:
      serviceAccountName: jenkins
      terminationGracePeriodSeconds: 10
      # Pod-level: makes the mounted home writable by gid 1000; presumably the
      # gid the jenkins image runs as - confirm against the image.
      securityContext:
        fsGroup: 1000
      volumes:
        - name: jenkinshome
          persistentVolumeClaim:
            claimName: opspvc
      containers:
        - name: jenkins
          # NOTE(review): `lts` is a floating tag, so the image can change
          # under the Deployment on any pull; pin a version or digest for
          # reproducible, auditable rollouts.
          image: jenkins/jenkins:lts
          imagePullPolicy: IfNotPresent
          ports:
            - {name: web, containerPort: 8080, protocol: TCP}
            - {name: agent, containerPort: 50000, protocol: TCP}
          resources:
            requests: {cpu: 500m, memory: 512Mi}
            limits: {cpu: 1000m, memory: 1Gi}
          # Both probes hit the login page; 12 failures at the default 10s
          # period is roughly two minutes before the container is restarted /
          # removed from the Service endpoints.
          livenessProbe:
            httpGet: {path: /login, port: 8080}
            initialDelaySeconds: 60
            timeoutSeconds: 5
            failureThreshold: 12
          readinessProbe:
            httpGet: {path: /login, port: 8080}
            initialDelaySeconds: 60
            timeoutSeconds: 5
            failureThreshold: 12
          volumeMounts:
            - name: jenkinshome
              mountPath: /var/jenkins_home
              subPath: jenkins
          # Order matters: JAVA_OPTS expands $(LIMITS_MEMORY), which must be
          # declared first. With limits.memory 1Gi and divisor 1Mi this yields
          # -Xmx1024m, i.e. the heap alone may consume the whole container
          # limit; metaspace and threads then push the process into an OOM
          # kill - consider a fraction of the limit.
          env:
            - name: LIMITS_MEMORY
              valueFrom:
                resourceFieldRef:
                  resource: limits.memory
                  divisor: 1Mi
            - name: JAVA_OPTS
              value: >-
                -Xmx$(LIMITS_MEMORY)m
                -XshowSettings:vm
                -Dhudson.slaves.NodeProvisioner.initialDelay=0
                -Dhudson.slaves.NodeProvisioner.MARGIN=50
                -Dhudson.slaves.NodeProvisioner.MARGIN0=0.85
                -Duser.timezone=Asia/Shanghai
--------------------------------------------------------------------------------
/jenkins/rbac.yaml:
--------------------------------------------------------------------------------
---
# ServiceAccount, Role and RoleBinding for Jenkins. Everything is scoped to
# the kube-ops namespace - but Harbor and its MySQL live in kube-ops as well,
# so the grants below reach their pods too.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: kube-ops
  name: jenkins
---
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; v1 has the
# same shape.
#
# NOTE(review): `pods/exec` create lets the Jenkins ServiceAccount open a shell
# in any pod of kube-ops, and `secrets get` lets it read any Secret whose name
# it knows. That is a wide blast radius for a CI credential; a dedicated
# namespace for build agents, or resourceNames restrictions, would narrow it.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  namespace: kube-ops
  name: jenkins
rules:
  # Workloads and services Jenkins deploys.
  - apiGroups: ["extensions", "apps"]
    resources: ["deployments"]
    verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
  - apiGroups: [""]
    resources: ["services"]
    verbs: ["create", "delete", "get", "list", "watch", "patch", "update"]
  # Build-agent pods, their exec channel and their logs.
  - apiGroups: [""]
    resources: ["pods"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create", "delete", "get", "list", "patch", "update", "watch"]
  - apiGroups: [""]
    resources: ["pods/log"]
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: RoleBinding
metadata:
  namespace: kube-ops
  name: jenkins
subjects:
  - kind: ServiceAccount
    namespace: kube-ops
    name: jenkins
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: jenkins
--------------------------------------------------------------------------------
/jenkins/service.yaml:
--------------------------------------------------------------------------------
---
# NodePort Service for Jenkins: the web UI is reachable on every node at
# port 30001, and because the Service type is NodePort the agent port gets an
# auto-assigned node port as well. Both are therefore exposed on the node
# network; put an Ingress or firewall in front if the nodes are reachable
# from untrusted networks.
apiVersion: v1
kind: Service
metadata:
  namespace: kube-ops
  name: jenkins
  labels:
    app: jenkins
spec:
  type: NodePort
  selector:
    app: jenkins
  ports:
    - name: web
      port: 8080
      targetPort: web
      nodePort: 30001
    - name: agent
      port: 50000
      targetPort: agent
--------------------------------------------------------------------------------
/jenkins/volume.yaml:
--------------------------------------------------------------------------------
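---
# NFS-backed PersistentVolume for the ops workloads (Jenkins mounts it under
# the `jenkins` sub-path) and the claim that binds to it.
#
# Change vs. the previous revision: persistentVolumeReclaimPolicy is Retain
# instead of Delete. The in-tree NFS plugin has no deleter, so with Delete the
# PV would drop to the Failed phase once its claim was released while the
# data on the share stayed behind anyway; Retain states that outcome
# explicitly and keeps the volume reusable by an administrator.
apiVersion: v1
kind: PersistentVolume
metadata:
  name: opspv
spec:
  capacity:
    storage: 20Gi
  accessModes:
    - ReadWriteMany
  persistentVolumeReclaimPolicy: Retain
  # NOTE(review): NFS traffic is neither authenticated nor encrypted; keep the
  # server on a trusted network and check the export options (root_squash).
  nfs:
    server: 10.151.30.57
    path: /data/k8s
---
# Claim bound to the PV above. Neither side names a storageClassName, so
# binding is by capacity and access mode only - any other unclassed RWX PV of
# 20Gi or more could satisfy this claim as well.
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  namespace: kube-ops
  name: opspvc
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 20Gi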
--------------------------------------------------------------------------------
/monitor/grafana.yaml:
--------------------------------------------------------------------------------
---
# Grafana (heapster bundle) reading from the influxdb Service in kube-system.
#
# Review notes:
#   - the container's /var is an emptyDir (sub-path grafana/data), and that
#     is presumably where this image keeps Grafana's database, so dashboards
#     and users do not survive a reschedule - confirm against the image;
#   - anonymous access is off and basic auth is on, but the Service below is
#     a NodePort, so the login page is reachable from every node IP;
#   - a Secret named `ssl` must exist in kube-ops or the pod stays in
#     ContainerCreating.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  namespace: kube-ops
  name: grafana
spec:
  replicas: 1
  template:
    metadata:
      labels:
        task: monitoring
        k8s-app: grafana
    spec:
      volumes:
        - name: ssl
          secret:
            secretName: ssl
        - name: grafana
          emptyDir: {}
      containers:
        - name: grafana
          image: gcr.io/google_containers/heapster-grafana-amd64:v4.4.3
          ports:
            - containerPort: 3000
              protocol: TCP
          resources:
            requests: {cpu: 100m, memory: 100Mi}
            limits: {cpu: 200m, memory: 200Mi}
          volumeMounts:
            - name: grafana
              mountPath: /var
              subPath: grafana/data
            - name: ssl
              mountPath: /ssl
          # GF_* variables are Grafana's environment overrides; numeric and
          # boolean values are quoted so they reach the container as strings.
          env:
            - {name: INFLUXDB_HOST, value: influxdb.kube-system}
            - {name: GF_SERVER_HTTP_PORT, value: "3000"}
            - {name: GF_AUTH_BASIC_ENABLED, value: "true"}
            - {name: GF_AUTH_ANONYMOUS_ENABLED, value: "false"}
            - {name: GF_SERVER_ROOT_URL, value: /}
            - {name: GF_SMTP_ENABLED, value: "true"}
            - {name: GF_ALERTING_ENABLED, value: "true"}
            - {name: GF_ALERTING_EXECUTE_ALERTS, value: "true"}
          readinessProbe:
            httpGet: {path: /login, port: 3000}
            initialDelaySeconds: 30
            timeoutSeconds: 2
---
apiVersion: v1
kind: Service
metadata:
  namespace: kube-ops
  name: grafana
  labels:
    kubernetes.io/cluster-service: 'true'
    kubernetes.io/name: grafana
spec:
  type: NodePort
  selector:
    k8s-app: grafana
  ports:
    - port: 80
      targetPort: 3000
--------------------------------------------------------------------------------
/monitor/heapster.yaml:
--------------------------------------------------------------------------------
---
# Heapster collector in kube-system: reads from the API server with the pod's
# own ServiceAccount credentials and writes to the influxdb Service.
#
# Review notes: heapster is retired upstream and gcr.io/google_containers is a
# legacy registry path, so this image will not receive fixes; the `heapster`
# ServiceAccount and whatever it is bound to are defined elsewhere.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  namespace: kube-system
  name: heapster
  labels:
    k8s-app: heapster
    task: monitoring
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: heapster
      task: monitoring
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: heapster
        task: monitoring
    spec:
      restartPolicy: Always
      # `serviceAccountName` is the current spelling of the deprecated
      # `serviceAccount` field; both set the same thing.
      serviceAccountName: heapster
      containers:
        - name: heapster
          image: gcr.io/google_containers/heapster-amd64:v1.3.0
          imagePullPolicy: IfNotPresent
          command:
            - /heapster
            - --source=kubernetes:https://kubernetes.default
            - --sink=influxdb:http://influxdb.kube-system.svc:8086
--------------------------------------------------------------------------------
/monitor/influxdb.yaml:
--------------------------------------------------------------------------------
---
# InfluxDB backing heapster and grafana, in kube-system.
#
# Review notes:
#   - /data is an emptyDir, so all metrics history is lost when the pod moves;
#   - the Service is cluster-internal, but nothing here configures InfluxDB
#     authentication, so every pod in the cluster can presumably read and
#     write on 8086 - confirm the image's defaults.
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  namespace: kube-system
  name: influxdb
spec:
  replicas: 1
  template:
    metadata:
      labels:
        task: monitoring
        k8s-app: influxdb
    spec:
      volumes:
        - name: influxdb-storage
          emptyDir: {}
      containers:
        - name: influxdb
          image: gcr.io/google_containers/heapster-influxdb-amd64:v1.3.3
          resources:
            requests: {cpu: 100m, memory: 100Mi}
            limits: {cpu: 200m, memory: 256Mi}
          volumeMounts:
            - name: influxdb-storage
              mountPath: /data
---
apiVersion: v1
kind: Service
metadata:
  namespace: kube-system
  name: influxdb
  labels:
    task: monitoring
    kubernetes.io/cluster-service: 'true'
    kubernetes.io/name: influxdb
spec:
  selector:
    k8s-app: influxdb
  ports:
    - port: 8086
      targetPort: 8086
--------------------------------------------------------------------------------
/prometheus/node-exporter.yaml:
--------------------------------------------------------------------------------
---
# node-exporter DaemonSet plus the NodePort Service Prometheus scrapes:
# prometheus-cm.yaml rewrites each node address to `<node>:31672`, which is
# the nodePort declared below, so the two files must stay in step.
#
# Review notes:
#   - `prom/node-exporter` carries no tag, so every node may pull a different
#     version, and releases from 0.16 on renamed the metrics the alert rules
#     in prometheus-cm.yaml query - pin a version;
#   - the pod sets neither hostNetwork/hostPID nor mounts of /proc and /sys,
#     so the exporter presumably reports the container's view rather than the
#     node's - confirm what the dashboards expect;
#   - port 31672 exposes node metrics on every node IP without authentication.
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  namespace: kube-ops
  name: node-exporter
  labels:
    k8s-app: node-exporter
spec:
  template:
    metadata:
      labels:
        k8s-app: node-exporter
    spec:
      containers:
        - name: node-exporter
          image: prom/node-exporter
          ports:
            - name: http
              containerPort: 9100
              protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  namespace: kube-ops
  name: node-exporter
  labels:
    k8s-app: node-exporter
spec:
  type: NodePort
  selector:
    k8s-app: node-exporter
  ports:
    - name: http
      port: 9100
      nodePort: 31672
      protocol: TCP
--------------------------------------------------------------------------------
/prometheus/prometheus-cm.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: v1
2 | kind: ConfigMap
3 | metadata:
4 | name: prometheus-config
5 | namespace: kube-ops
6 | data:
7 | prometheus.yml: |
8 | global:
9 | scrape_interval: 30s
10 | scrape_timeout: 30s
11 |
12 | rule_files:
13 | - /etc/prometheus/rules.yml
14 |
15 | alerting:
16 | alertmanagers:
17 | - static_configs:
18 | - targets: ["localhost:9093"]
19 |
20 | scrape_configs:
21 | - job_name: 'prometheus'
22 | static_configs:
23 | - targets: ['localhost:9090']
24 |
25 | - job_name: 'kubernetes-apiservers'
26 | kubernetes_sd_configs:
27 | - role: endpoints
28 | scheme: https
29 | tls_config:
30 | ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
31 | bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
32 | relabel_configs:
33 | - source_labels: [__meta_kubernetes_namespace, __meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
34 | action: keep
35 | regex: default;kubernetes;https
36 |
37 | - job_name: 'kubernetes-nodes'
38 | scheme: https
39 | tls_config:
40 | ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
41 | bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
42 | kubernetes_sd_configs:
43 | - role: node
44 | relabel_configs:
45 | - action: labelmap
46 | regex: __meta_kubernetes_node_label_(.+)
47 | - target_label: __address__
48 | replacement: kubernetes.default.svc:443
49 | - source_labels: [__meta_kubernetes_node_name]
50 | regex: (.+)
51 | target_label: __metrics_path__
52 | replacement: /api/v1/nodes/${1}/proxy/metrics
53 |
54 | - job_name: 'kubernetes-cadvisor'
55 | scheme: https
56 | tls_config:
57 | ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
58 | bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
59 | kubernetes_sd_configs:
60 | - role: node
61 | relabel_configs:
62 | - action: labelmap
63 | regex: __meta_kubernetes_node_label_(.+)
64 | - target_label: __address__
65 | replacement: kubernetes.default.svc:443
66 | - source_labels: [__meta_kubernetes_node_name]
67 | regex: (.+)
68 | target_label: __metrics_path__
69 | replacement: /api/v1/nodes/${1}/proxy/metrics/cadvisor
70 |
71 | - job_name: 'kubernetes-node-exporter'
72 | scheme: http
73 | tls_config:
74 | ca_file: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
75 | bearer_token_file: /var/run/secrets/kubernetes.io/serviceaccount/token
76 | kubernetes_sd_configs:
77 | - role: node
78 | relabel_configs:
79 | - action: labelmap
80 | regex: __meta_kubernetes_node_label_(.+)
81 | - source_labels: [__meta_kubernetes_role]
82 | action: replace
83 | target_label: kubernetes_role
84 | - source_labels: [__address__]
85 | regex: '(.*):10250'
86 | replacement: '${1}:31672'
87 | target_label: __address__
88 |
89 | - job_name: 'kubernetes-service-endpoints'
90 | kubernetes_sd_configs:
91 | - role: endpoints
92 | relabel_configs:
93 | - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scrape]
94 | action: keep
95 | regex: true
96 | - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_scheme]
97 | action: replace
98 | target_label: __scheme__
99 | regex: (https?)
100 | - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_path]
101 | action: replace
102 | target_label: __metrics_path__
103 | regex: (.+)
104 | - source_labels: [__address__, __meta_kubernetes_service_annotation_prometheus_io_port]
105 | action: replace
106 | target_label: __address__
107 | regex: ([^:]+)(?::\d+)?;(\d+)
108 | replacement: $1:$2
109 | - action: labelmap
110 | regex: __meta_kubernetes_service_label_(.+)
111 | - source_labels: [__meta_kubernetes_namespace]
112 | action: replace
113 | target_label: kubernetes_namespace
114 | - source_labels: [__meta_kubernetes_service_name]
115 | action: replace
116 | target_label: kubernetes_name
117 |
118 | - job_name: 'kubernetes-services'
119 | metrics_path: /probe
120 | params:
121 | module: [http_2xx]
122 |
123 | kubernetes_sd_configs:
124 | - role: service
125 |
126 | relabel_configs:
127 | - source_labels: [__meta_kubernetes_service_annotation_prometheus_io_probe]
128 | action: keep
129 | regex: true
130 | - source_labels: [__address__]
131 | target_label: __param_target
132 | - target_label: __address__
133 | replacement: blackbox-exporter.example.com:9115
134 | - source_labels: [__param_target]
135 | target_label: instance
136 | - action: labelmap
137 | regex: __meta_kubernetes_service_label_(.+)
138 | - source_labels: [__meta_kubernetes_namespace]
139 | target_label: kubernetes_namespace
140 | - source_labels: [__meta_kubernetes_service_name]
141 | target_label: kubernetes_name
142 |
143 | rules.yml: |
144 | groups:
145 | - name: test-rule
146 | rules:
147 | - alert: NodeFilesystemUsage
148 | expr: (node_filesystem_size{device="rootfs"} - node_filesystem_free{device="rootfs"}) / node_filesystem_size{device="rootfs"} * 100 > 80
149 | for: 2m
150 | labels:
151 | team: node
152 | annotations:
153 | summary: "{{$labels.instance}}: High Filesystem usage detected"
154 | description: "{{$labels.instance}}: Filesystem usage is above 80% (current value is: {{ $value }}"
155 | - alert: NodeMemoryUsage
156 | expr: (node_memory_MemTotal - (node_memory_MemFree+node_memory_Buffers+node_memory_Cached )) / node_memory_MemTotal * 100 > 80
157 | for: 2m
158 | labels:
159 | team: node
160 | annotations:
161 | summary: "{{$labels.instance}}: High Memory usage detected"
162 | description: "{{$labels.instance}}: Memory usage is above 80% (current value is: {{ $value }}"
163 | - alert: NodeCPUUsage
164 | expr: (100 - (avg by (instance) (irate(node_cpu{job="kubernetes-node-exporter",mode="idle"}[5m])) * 100)) > 80
165 | for: 2m
166 | labels:
167 | team: node
168 | annotations:
169 | summary: "{{$labels.instance}}: High CPU usage detected"
170 | description: "{{$labels.instance}}: CPU usage is above 80% (current value is: {{ $value }}"
171 |
---
# Alertmanager configuration consumed by the alertmanager sidecar in
# prometheus-deploy.yaml (mounted at /etc/alertmanager/config.yml).
# Everything is routed to the same `webhook` receiver; alerts labelled
# team=node just get a shorter group_wait.
apiVersion: v1
kind: ConfigMap
metadata:
  name: alertmanager
  namespace: kube-ops
data:
  config.yml: |-
    global:
      resolve_timeout: 5m
    route:
      receiver: webhook
      group_wait: 30s
      group_interval: 5m
      repeat_interval: 4h
      group_by: [alertname]
      routes:
      - receiver: webhook
        group_wait: 10s
        match:
          team: node
    receivers:
    - name: webhook
      webhook_configs:
      - url: 'http://apollo/hooks/dingtalk/'
        send_resolved: true
      - url: 'http://apollo/hooks/prome/'
        send_resolved: true
--------------------------------------------------------------------------------
/prometheus/prometheus-deploy.yaml:
--------------------------------------------------------------------------------
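# Prometheus server plus an Alertmanager sidecar in one pod. Both read their
# configuration from ConfigMaps (`prometheus-config`, `alertmanager`) that are
# mounted below and defined in prometheus-cm.yaml.
apiVersion: apps/v1  # extensions/v1beta1 Deployments were removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: prometheus
  namespace: kube-ops
  labels:
    k8s-app: prometheus
spec:
  replicas: 1
  # apps/v1 requires an explicit selector; it must match the template labels.
  selector:
    matchLabels:
      k8s-app: prometheus
  template:
    metadata:
      labels:
        k8s-app: prometheus
    spec:
      serviceAccountName: prometheus
      containers:
        - name: prometheus
          image: prom/prometheus:v2.0.0-rc.3
          command:
            - "/bin/prometheus"
          args:
            - "--config.file=/etc/prometheus/prometheus.yml"
            - "--storage.tsdb.path=/prometheus"
            - "--storage.tsdb.retention=24h"
          ports:
            # prometheus-svc.yaml targets the port named `http`; both containers
            # use that name, and the Service resolves it to the first match
            # (this one, 9090).
            - name: http
              containerPort: 9090
              protocol: TCP
          volumeMounts:
            - name: data
              mountPath: "/prometheus"
            - name: config-volume
              mountPath: "/etc/prometheus"
          resources:
            requests:
              cpu: 100m
              memory: 100Mi
            limits:
              cpu: 200m
              memory: 1Gi
        - name: alertmanager
          image: quay.io/prometheus/alertmanager:v0.12.0
          # Alertmanager 0.12 still takes single-dash flags.
          args:
            - "-config.file=/etc/alertmanager/config.yml"
            - "-storage.path=/alertmanager"
          ports:
            - name: http
              containerPort: 9093
              protocol: TCP
          volumeMounts:
            - name: alertmanager-config-volume
              mountPath: /etc/alertmanager
          resources:
            requests:
              cpu: 50m
              memory: 50Mi
            limits:
              cpu: 200m
              memory: 200Mi
      volumes:
        # emptyDir: the whole TSDB is discarded whenever the pod is rescheduled.
        # Use a PersistentVolumeClaim if metric history must survive restarts.
        - name: data
          emptyDir: {}
        - name: config-volume
          configMap:
            name: prometheus-config
        - name: alertmanager-config-volume
          configMap:
            name: alertmanager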
--------------------------------------------------------------------------------
/prometheus/prometheus-sa.yaml:
--------------------------------------------------------------------------------
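apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus
  namespace: kube-ops

---
# Read-only, cluster-wide discovery permissions for Prometheus'
# kubernetes_sd_configs (nodes, services, endpoints, pods) plus the
# nodes/proxy sub-resource used to scrape kubelets through the API server.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: prometheus
rules:
  - apiGroups: [""]
    resources:
      - nodes
      - services
      - endpoints
      - pods
      - nodes/proxy
    verbs: ["get", "list", "watch"]
  - apiGroups: [""]
    resources:
      - configmaps
    verbs: ["get"]
  # Non-resource URL: lets Prometheus GET the API server's own /metrics
  # endpoint. The original had the typo "/metics", which granted nothing useful.
  - nonResourceURLs: ["/metrics"]
    verbs: ["get"]

---
# Same API version as the ClusterRole above; rbac v1beta1 was removed in
# Kubernetes 1.22.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: prometheus
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: prometheus
subjects:
  - kind: ServiceAccount
    name: prometheus
    namespace: kube-ops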
--------------------------------------------------------------------------------
/prometheus/prometheus-svc.yaml:
--------------------------------------------------------------------------------
# NodePort Service in front of the Prometheus web UI (pod port named `http`).
# Note that NodePort publishes the UI on every node; there is no auth in front.
kind: Service
apiVersion: v1
metadata:
  name: prometheus
  namespace: kube-ops
  labels:
    k8s-app: prometheus
spec:
  type: NodePort
  selector:
    k8s-app: prometheus
  ports:
    - name: web
      port: 9090
      targetPort: http
--------------------------------------------------------------------------------
/sentry/README.md:
--------------------------------------------------------------------------------
1 | ## 在`kubernetes` 集群上安装`sentry` 服务
2 |
3 | `sentry`这个镜像比较坑,不能一次性安装完成。
4 |
5 | **第一步**:环境变量的配置,根据你的实际情况进行填写,比如这里的`postgresql`数据库可以安装到同一个`POD`下面,我这里因为之前就安装过,所以就直接使用了,注意环境变量中的`postgresql`数据库的用户名需要使用`postgres`,`sentry`要求使用超级管理员权限,然后我是手动到`postgresql`中新建了一个数据库:`sentry`,然后把权限赋给`postgres`:(进入psql)
6 | ```shell
7 | CREATE DATABASE sentry OWNER postgres;
8 | GRANT ALL PRIVILEGES ON DATABASE sentry to postgres;
9 | ```
10 |
11 | **第二步**:先执行`deployment0.yaml`这个文件,里面的执行的命令是:`sentry upgrade`,用于同步数据库结构到`postgresql`中,执行完成后,最好进入容器终端再执行下面的命令:
12 | ```shell
13 | sentry django migrate
14 | ```
15 | 用于确认同步结构。
16 |
17 | **第三步**:我们可以在`sentry`数据库中查询`sentry_organization`表,看其中是否有数据,虽然[官方说明](https://github.com/getsentry/sentry/issues/3002)执行了上面的**upgrade**操作会初始化一些基本数据,但是我这边测试发现该表中没有数据,没有数据的结果会导致后面用户报错:**IndexError: list index out of range**,添加一条数据:
18 | ```shell
19 | INSERT INTO sentry_organization(name, status, date_added, slug, flags, default_role) VALUES('yidianzhishi', 0, '2017-05-09 02:30:40.719879+00', 'ydzs', 1, 'member');
20 | ```
21 |
22 | **第四步**:上面的数据库操作执行完成了,现在回到上面的容器中去,新建用户:
23 | ```shell
24 | sentry createuser
25 | ```
26 |
27 | 然后根据提示输入即可。
28 |
29 | **第五步**:删除上面的`deployment0.yaml`,添加`deployment.yaml`以及`svc.yaml`
30 | ```shell
31 | kubectl delete -f deployment0.yaml
32 | kubectl create -f deployment.yaml
33 | kubectl create -f svc.yaml
34 | ```
35 |
36 | 上面的`deployment.yaml`中运行了3个容器,一个是**WEB**服务,一个是`Celery Worker`,另外一个是定时任务。
37 |
38 | 至此,`sentry`在`kubernetes`上就部署完成了。
39 |
40 | 
41 |
42 |
--------------------------------------------------------------------------------
/sentry/deployment.yaml:
--------------------------------------------------------------------------------
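# Non-secret settings shared by the web, worker and cron containers below.
apiVersion: v1
kind: ConfigMap
metadata:
  name: sentry-config
  namespace: kube-ops
  labels:
    app: sentry
data:
  C_FORCE_ROOT: "true"
  SENTRY_REDIS_HOST: "redis"
  SENTRY_REDIS_PORT: "6379"
  SENTRY_REDIS_DB: "2"
  SENTRY_RABBITMQ_HOST: "rabbitmq:5672"
  SENTRY_POSTGRES_HOST: "postgresql"
  SENTRY_POSTGRES_PORT: "5432"
  SENTRY_DB_NAME: "sentry"
  SENTRY_DB_USER: "postgres"
  SENTRY_EMAIL_HOST: "xxxxxxxxxxxxx"
  SENTRY_EMAIL_PORT: "xxxxxxxxx"
  SENTRY_EMAIL_USE_TLS: "xxxxxxxxx"
  SENTRY_EMAIL_USER: "xxxxxxxxxxxxxx"
  SENTRY_SERVER_EMAIL: "xxxxxxxxxxxxxx"

---
# Credentials, moved out of the pod spec so that reading them needs Secret
# RBAC rather than just `kubectl get deploy -o yaml`. The values are the
# placeholders from the original manifest; for a real deployment create this
# Secret out of band (e.g. `kubectl create secret generic sentry-secrets
# --from-literal=...`) and do not commit real values to the repository.
apiVersion: v1
kind: Secret
metadata:
  name: sentry-secrets
  namespace: kube-ops
  labels:
    app: sentry
type: Opaque
stringData:
  SENTRY_RABBITMQ_USERNAME: "xxxx"
  SENTRY_RABBITMQ_PASSWORD: "xxxx"
  SENTRY_SECRET_KEY: "xxxxxxxxxxxxxxxxxxxxxxxxx"
  SENTRY_DB_PASSWORD: "postgres321"
  SENTRY_EMAIL_PASSWORD: "xxxxxxxxxxxx"

---
# Sentry 8.22: web UI, Celery worker and cron scheduler, all from the same
# image and sharing one environment (ConfigMap + Secret via envFrom, which
# injects each key as an environment variable of the same name).
apiVersion: apps/v1  # extensions/v1beta1 Deployments were removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: sentry
  namespace: kube-ops
  labels:
    app: sentry
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sentry
  template:
    metadata:
      labels:
        app: sentry
    spec:
      containers:
        # Web server (image default command), port 9000, targeted by svc.yaml.
        - name: sentry
          image: sentry:8.22-onbuild
          imagePullPolicy: Always
          envFrom:
            - configMapRef:
                name: sentry-config
            - secretRef:
                name: sentry-secrets
          ports:
            - name: web
              containerPort: 9000
          resources:
            limits:
              cpu: 200m
              memory: 400Mi
            requests:
              cpu: 50m
              memory: 100Mi
          volumeMounts:
            - name: storage
              mountPath: /var/lib/sentry/files
              subPath: sentry
        # Celery worker.
        - name: sentry-worker
          image: sentry:8.22-onbuild
          imagePullPolicy: Always
          command: ["sentry", "run", "worker"]
          envFrom:
            - configMapRef:
                name: sentry-config
            - secretRef:
                name: sentry-secrets
        # Periodic tasks.
        - name: sentry-cron
          image: sentry:8.22-onbuild
          imagePullPolicy: Always
          command: ["sentry", "run", "cron"]
          envFrom:
            - configMapRef:
                name: sentry-config
            - secretRef:
                name: sentry-secrets
      volumes:
        # emptyDir: uploaded files under /var/lib/sentry/files do not survive
        # a pod reschedule; use a PersistentVolumeClaim for real data.
        - name: storage
          emptyDir: {}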
--------------------------------------------------------------------------------
/sentry/deployment0.yaml:
--------------------------------------------------------------------------------
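# One-shot bootstrap (see README: `sentry upgrade`, then exec in for
# `sentry django migrate` / `sentry createuser`). It is deleted before
# deployment.yaml is created, so the ConfigMap and Secret below carry the same
# names and values as in deployment.yaml and are simply recreated there.
apiVersion: v1
kind: ConfigMap
metadata:
  name: sentry-config
  namespace: kube-ops
  labels:
    app: sentry
data:
  C_FORCE_ROOT: "true"
  SENTRY_REDIS_HOST: "redis"
  SENTRY_REDIS_PORT: "6379"
  SENTRY_REDIS_DB: "2"
  SENTRY_RABBITMQ_HOST: "rabbitmq:5672"
  SENTRY_POSTGRES_HOST: "postgresql"
  SENTRY_POSTGRES_PORT: "5432"
  SENTRY_DB_NAME: "sentry"
  SENTRY_DB_USER: "postgres"
  SENTRY_EMAIL_HOST: "xxxxxxxxxxxxx"
  SENTRY_EMAIL_PORT: "xxxxxxxxx"
  SENTRY_EMAIL_USE_TLS: "xxxxxxxxx"
  SENTRY_EMAIL_USER: "xxxxxxxxxxxxxx"
  SENTRY_SERVER_EMAIL: "xxxxxxxxxxxxxx"

---
# Credentials. Values are the placeholders from the original manifest; create
# the real Secret out of band rather than committing it.
apiVersion: v1
kind: Secret
metadata:
  name: sentry-secrets
  namespace: kube-ops
  labels:
    app: sentry
type: Opaque
stringData:
  SENTRY_RABBITMQ_USERNAME: "xxxx"
  SENTRY_RABBITMQ_PASSWORD: "xxxx"
  SENTRY_SECRET_KEY: "xxxxxxxxxxxxxxxxxxxxxxxxx"
  SENTRY_DB_PASSWORD: "postgres321"
  SENTRY_EMAIL_PASSWORD: "xxxxxxxxxxxx"

---
apiVersion: apps/v1  # extensions/v1beta1 Deployments were removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: sentry
  namespace: kube-ops
  labels:
    app: sentry
spec:
  replicas: 1
  selector:
    matchLabels:
      app: sentry
  template:
    metadata:
      labels:
        app: sentry
    spec:
      containers:
        - name: sentry
          image: sentry:8.22-onbuild
          imagePullPolicy: Always
          # `sentry upgrade` exits when the schema sync is done; as a Deployment
          # the container is presumably restarted afterwards, which is what the
          # README's "exec into the container" step relies on.
          command: ["sentry", "upgrade"]
          envFrom:
            - configMapRef:
                name: sentry-config
            - secretRef:
                name: sentry-secrets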
--------------------------------------------------------------------------------
/sentry/svc.yaml:
--------------------------------------------------------------------------------
# ClusterIP Service for the sentry web container (pod port named `web`, 9000).
kind: Service
apiVersion: v1
metadata:
  name: sentry
  namespace: kube-ops
  labels:
    app: sentry
spec:
  selector:
    app: sentry
  ports:
    - port: 9000
      targetPort: web
--------------------------------------------------------------------------------
/traefik2/IngressRoute.yaml:
--------------------------------------------------------------------------------
# Publishes the Traefik dashboard (Service `traefik`, port 8080) on the
# plain-HTTP `web` entrypoint. The Traefik deployments in this repo run with
# --api.insecure=true, which is what serves the dashboard on 8080; nothing
# here adds authentication, so anyone who can resolve the host reaches it.
kind: IngressRoute
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: traefik-webui
  namespace: kube-system
spec:
  entryPoints: [web]
  routes:
    - kind: Rule
      match: Host(`traefik.qikqiak.com`)
      services:
        - name: traefik
          port: 8080
--------------------------------------------------------------------------------
/traefik2/canary/appv1.yaml:
--------------------------------------------------------------------------------
# Canary target v1: plain nginx behind Service `appv1`, weighted 3 in
# canary/traefik-dynamic.toml.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: appv1
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: appv1
  template:
    metadata:
      labels:
        app: appv1
        use: test
    spec:
      containers:
        - name: nginx
          # Untagged image floats with :latest; pin a tag for reproducible rollouts.
          image: nginx
          ports:
            - name: portv1
              containerPort: 80

---
kind: Service
apiVersion: v1
metadata:
  name: appv1
  namespace: kube-system
spec:
  selector:
    app: appv1
  ports:
    - name: http
      port: 80
      targetPort: portv1
--------------------------------------------------------------------------------
/traefik2/canary/appv2.yaml:
--------------------------------------------------------------------------------
# Canary target v2: identical to appv1 except for its name/labels, weighted 1
# in canary/traefik-dynamic.toml.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: appv2
  namespace: kube-system
spec:
  selector:
    matchLabels:
      app: appv2
  template:
    metadata:
      labels:
        app: appv2
        use: test
    spec:
      containers:
        - name: nginx
          # Untagged image floats with :latest; pin a tag for reproducible rollouts.
          image: nginx
          ports:
            - name: portv2
              containerPort: 80

---
kind: Service
apiVersion: v1
metadata:
  name: appv2
  namespace: kube-system
spec:
  selector:
    app: appv2
  ports:
    - name: http
      port: 80
      targetPort: portv2
--------------------------------------------------------------------------------
/traefik2/canary/rbac.yaml:
--------------------------------------------------------------------------------
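apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
# Cluster-wide, read-only access for Traefik's Kubernetes providers (Ingress
# and the traefik.containo.us CRDs). `secrets` is readable cluster-wide, which
# covers TLS certificates referenced by routes but also every other Secret; if
# Traefik only serves a few namespaces, a namespaced Role is the tighter fit.
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 RBAC was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups: [""]
    resources: [services, endpoints, secrets]
    verbs: [get, list, watch]
  - apiGroups: [extensions]
    resources: [ingresses]
    verbs: [get, list, watch]
  - apiGroups: [extensions]
    resources: [ingresses/status]
    verbs: [update]
  - apiGroups: [traefik.containo.us]
    resources: [middlewares]
    verbs: [get, list, watch]
  - apiGroups: [traefik.containo.us]
    resources: [ingressroutes]
    verbs: [get, list, watch]
  - apiGroups: [traefik.containo.us]
    resources: [ingressroutetcps]
    verbs: [get, list, watch]
  - apiGroups: [traefik.containo.us]
    resources: [tlsoptions]
    verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system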
--------------------------------------------------------------------------------
/traefik2/canary/traefik-dynamic.toml:
--------------------------------------------------------------------------------
# Traefik v2 dynamic configuration for the file provider: one router that
# splits traffic for nginx.qikqiak.com between the appv1 and appv2 Services
# with weights 3:1.
[http]
  [http.routers]
    [http.routers.Router0]
      entryPoints = ["web"]
      service = "app"
      rule = "Host(`nginx.qikqiak.com`)"

  [http.services]
    # Weighted service: the canary split itself.
    [http.services.app]
      [[http.services.app.weighted.services]]
        name = "appv1"
        weight = 3

      [[http.services.app.weighted.services]]
        name = "appv2"
        weight = 1

    # Backends, addressed by their in-cluster Service names.
    [http.services.appv1]
      [http.services.appv1.loadBalancer]
        [[http.services.appv1.loadBalancer.servers]]
          url = "http://appv1/"

    [http.services.appv2]
      [http.services.appv2.loadBalancer]
        [[http.services.appv2.loadBalancer.servers]]
          url = "http://appv2/"
--------------------------------------------------------------------------------
/traefik2/canary/traefik.yaml:
--------------------------------------------------------------------------------
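# Create the ConfigMap first:
#   kubectl create configmap traefik-dynamic-conf --from-file=traefik-dynamic.toml -n kube-system
apiVersion: apps/v1  # extensions/v1beta1 Deployments were removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: traefik
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      # Tolerate every taint so the pod can be placed on the master node
      # selected below.
      tolerations:
        - operator: "Exists"
      nodeSelector:
        kubernetes.io/hostname: ydzs-master
      volumes:
        - name: config
          configMap:
            name: traefik-dynamic-conf
      containers:
        - name: traefik-ingress-lb
          image: traefik:v2.0.2
          volumeMounts:
            - name: config
              mountPath: /config
          ports:
            - name: web
              containerPort: 80
              hostPort: 80
            # NOTE(review): with --api.insecure=true the API/dashboard on 8080
            # carries no authentication, and this hostPort publishes it on the
            # node's own address. Remove the hostPort and expose it through a
            # route guarded by a basicAuth or ipWhiteList Middleware instead.
            - name: admin
              containerPort: 8080
              hostPort: 8080
          args:
            - --entrypoints.web.Address=:80
            - --api.insecure=true
            # Dynamic config comes from the mounted TOML, reloaded on change.
            - --providers.file.watch=true
            - --providers.file.filename=/config/traefik-dynamic.toml
            - --api
            - --api.debug=true
            - --api.dashboard=true
            - --accesslog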
--------------------------------------------------------------------------------
/traefik2/crd.yaml:
--------------------------------------------------------------------------------
# Traefik v2.0 CRDs. They use apiextensions v1beta1, consistent with the
# extensions/v1beta1 Deployments elsewhere in this repo (pre-1.16 clusters);
# moving to apiextensions v1 would require a versions[] list with a schema.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  scope: Namespaced
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  scope: Namespaced
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  scope: Namespaced
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  scope: Namespaced
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
--------------------------------------------------------------------------------
/traefik2/https/IngressRoute.yaml:
--------------------------------------------------------------------------------
# Middleware that redirects plain-HTTP requests to https.
kind: Middleware
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: redirect-https
  namespace: kube-system
spec:
  redirectScheme:
    scheme: https

---
# HTTP route for the dashboard host: only there to apply the redirect above,
# so requests never reach the service over plain HTTP.
kind: IngressRoute
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: traefik-webui
  namespace: kube-system
spec:
  entryPoints: [web]
  routes:
    - kind: Rule
      match: Host(`traefik.youdianzhishi.com`)
      middlewares:
        - name: redirect-https
      services:
        - name: traefik
          port: 8080

---
# HTTPS route for the dashboard, certificate obtained via the `default` ACME
# resolver configured in https/traefik.yaml. No auth middleware is attached,
# so the dashboard is reachable by anyone who can resolve the host.
kind: IngressRoute
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: traefik-webui-tls
  namespace: kube-system
spec:
  entryPoints: [websecure]
  routes:
    - kind: Rule
      match: Host(`traefik.youdianzhishi.com`)
      services:
        - name: traefik
          port: 8080
  tls:
    certResolver: default
--------------------------------------------------------------------------------
/traefik2/https/crd.yaml:
--------------------------------------------------------------------------------
# Traefik v2.0 CRDs (same set as traefik2/crd.yaml). They use apiextensions
# v1beta1, consistent with the extensions/v1beta1 Deployments elsewhere in
# this repo (pre-1.16 clusters); apiextensions v1 would need a versions[]
# list with a schema.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  scope: Namespaced
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  scope: Namespaced
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  scope: Namespaced
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  scope: Namespaced
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
--------------------------------------------------------------------------------
/traefik2/https/rbac.yaml:
--------------------------------------------------------------------------------
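apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
# Cluster-wide, read-only access for Traefik's Kubernetes providers (Ingress
# and the traefik.containo.us CRDs). `secrets` is readable cluster-wide, which
# covers TLS certificates referenced by routes but also every other Secret; if
# Traefik only serves a few namespaces, a namespaced Role is the tighter fit.
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 RBAC was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups: [""]
    resources: [services, endpoints, secrets]
    verbs: [get, list, watch]
  - apiGroups: [extensions]
    resources: [ingresses]
    verbs: [get, list, watch]
  - apiGroups: [extensions]
    resources: [ingresses/status]
    verbs: [update]
  - apiGroups: [traefik.containo.us]
    resources: [middlewares]
    verbs: [get, list, watch]
  - apiGroups: [traefik.containo.us]
    resources: [ingressroutes]
    verbs: [get, list, watch]
  - apiGroups: [traefik.containo.us]
    resources: [ingressroutetcps]
    verbs: [get, list, watch]
  - apiGroups: [traefik.containo.us]
    resources: [tlsoptions]
    verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system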
--------------------------------------------------------------------------------
/traefik2/https/traefik.yaml:
--------------------------------------------------------------------------------
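# Traefik v2 with the Kubernetes CRD provider and a Let's Encrypt ACME
# resolver (`default`, TLS-ALPN challenge) used by https/IngressRoute.yaml.
apiVersion: apps/v1  # extensions/v1beta1 Deployments were removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: traefik
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      # Tolerate every taint so the pod can be placed on the master node
      # selected below.
      tolerations:
        - operator: "Exists"
      nodeSelector:
        kubernetes.io/hostname: ydzs-master
      containers:
        - name: traefik-ingress-lb
          image: traefik:v2.0
          ports:
            - name: web
              containerPort: 80
              hostPort: 80
            - name: websecure
              containerPort: 443
              hostPort: 443
            # API/dashboard; no hostPort, reached via the Service below.
            - name: admin
              containerPort: 8080
          args:
            - --entrypoints.web.Address=:80
            - --entrypoints.websecure.Address=:443
            # Serves the API/dashboard on 8080 without authentication; the
            # IngressRoutes that publish it attach no auth middleware.
            - --api.insecure=true
            - --providers.kubernetescrd
            - --api
            - --api.dashboard=true
            - --accesslog
            - --certificatesresolvers.default.acme.tlsChallenge=true
            # Container args are not shell-parsed: the original quoted values
            # ("email@gmail.com", "acme.json") reached Traefik with the quote
            # characters included. Replace the placeholder address with a real one.
            - --certificatesResolvers.default.acme.email=email@gmail.com
            # acme.json is written to the container's writable layer and is
            # lost on every restart, so certificates are re-issued each time
            # and can run into Let's Encrypt rate limits. Mount a volume for it
            # (the pod is pinned to one node, so a hostPath is an option).
            - --certificatesResolvers.default.acme.storage=acme.json
            # Point at the staging CA while testing to avoid production rate limits:
            #- --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory

---
kind: Service
apiVersion: v1
metadata:
  name: traefik
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - name: admin
      protocol: TCP
      port: 8080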
--------------------------------------------------------------------------------
/traefik2/rbac.yaml:
--------------------------------------------------------------------------------
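apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
# Cluster-wide, read-only access for Traefik's Kubernetes providers (Ingress
# and the traefik.containo.us CRDs). `secrets` is readable cluster-wide, which
# covers TLS certificates referenced by routes but also every other Secret; if
# Traefik only serves a few namespaces, a namespaced Role is the tighter fit.
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 RBAC was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups: [""]
    resources: [services, endpoints, secrets]
    verbs: [get, list, watch]
  - apiGroups: [extensions]
    resources: [ingresses]
    verbs: [get, list, watch]
  - apiGroups: [extensions]
    resources: [ingresses/status]
    verbs: [update]
  - apiGroups: [traefik.containo.us]
    resources: [middlewares]
    verbs: [get, list, watch]
  - apiGroups: [traefik.containo.us]
    resources: [ingressroutes]
    verbs: [get, list, watch]
  - apiGroups: [traefik.containo.us]
    resources: [ingressroutetcps]
    verbs: [get, list, watch]
  - apiGroups: [traefik.containo.us]
    resources: [tlsoptions]
    verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system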
--------------------------------------------------------------------------------
/traefik2/redis/IngressRoute.yaml:
--------------------------------------------------------------------------------
# TCP passthrough: every connection arriving on the `redis` entrypoint
# (node port 6379 in redis/traefik.yaml) is forwarded to Service `redis`:6379.
# No namespace is set, so the object lands in the namespace kubectl is
# pointed at (normally `default`) and the `redis` Service must live there.
# Traefik adds no authentication at this layer; Redis itself must require
# AUTH, or the node port must be firewalled.
kind: IngressRouteTCP
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: redis
spec:
  entryPoints: [redis]
  routes:
    # HostSNI(`*`) is the matcher required for non-TLS TCP routing.
    - match: HostSNI(`*`)
      services:
        - name: redis
          port: 6379
--------------------------------------------------------------------------------
/traefik2/redis/crd.yaml:
--------------------------------------------------------------------------------
# Traefik v2.0 CRDs (same set as traefik2/crd.yaml). They use apiextensions
# v1beta1, consistent with the extensions/v1beta1 Deployments elsewhere in
# this repo (pre-1.16 clusters); apiextensions v1 would need a versions[]
# list with a schema.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  scope: Namespaced
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  scope: Namespaced
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  scope: Namespaced
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  scope: Namespaced
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
--------------------------------------------------------------------------------
/traefik2/redis/rbac.yaml:
--------------------------------------------------------------------------------
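apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
# Cluster-wide, read-only access for Traefik's Kubernetes providers (Ingress
# and the traefik.containo.us CRDs). `secrets` is readable cluster-wide, which
# covers TLS certificates referenced by routes but also every other Secret; if
# Traefik only serves a few namespaces, a namespaced Role is the tighter fit.
apiVersion: rbac.authorization.k8s.io/v1  # v1beta1 RBAC was removed in Kubernetes 1.22
kind: ClusterRole
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups: [""]
    resources: [services, endpoints, secrets]
    verbs: [get, list, watch]
  - apiGroups: [extensions]
    resources: [ingresses]
    verbs: [get, list, watch]
  - apiGroups: [extensions]
    resources: [ingresses/status]
    verbs: [update]
  - apiGroups: [traefik.containo.us]
    resources: [middlewares]
    verbs: [get, list, watch]
  - apiGroups: [traefik.containo.us]
    resources: [ingressroutes]
    verbs: [get, list, watch]
  - apiGroups: [traefik.containo.us]
    resources: [ingressroutetcps]
    verbs: [get, list, watch]
  - apiGroups: [traefik.containo.us]
    resources: [tlsoptions]
    verbs: [get, list, watch]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system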
--------------------------------------------------------------------------------
/traefik2/redis/traefik.yaml:
--------------------------------------------------------------------------------
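# Traefik v2 ingress controller with an additional plain-TCP entrypoint for
# Redis. apps/v1 replaces extensions/v1beta1, which was removed in
# Kubernetes 1.16.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  # The pod binds hostPorts on a single pinned node. With the apps/v1
  # RollingUpdate defaults (maxSurge 1, maxUnavailable 0 for one replica) the
  # replacement pod can never schedule while the old one holds the ports, so
  # a rollout would hang; Recreate tears the old pod down first.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      # Tolerates every taint and pins the pod to the control-plane node, so
      # an internet-facing proxy ends up listening on the master's address.
      # Prefer a dedicated worker/edge node where one exists.
      tolerations:
        - operator: "Exists"
      nodeSelector:
        kubernetes.io/hostname: ydzs-master
      containers:
        - name: traefik-ingress-lb
          # `v2.0` is a floating tag (tracks 2.0.x). Pin a patch release or
          # an image digest so redeploys are reproducible and auditable.
          image: traefik:v2.0
          securityContext:
            # Binding 80/443/6379 on the node only needs NET_BIND_SERVICE;
            # everything else is dropped.
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            allowPrivilegeEscalation: false
            # Nothing is written to disk with this configuration (no ACME
            # storage; the access log goes to stdout).
            readOnlyRootFilesystem: true
          ports:
            - name: web
              containerPort: 80
              hostPort: 80
            - name: websecure
              containerPort: 443
              hostPort: 443
            # Plain-TCP entrypoint for Redis exposed on the node's own
            # address: anything that can reach the node on 6379 reaches the
            # routed Redis backend. Limit it with a host firewall / cloud
            # security group, and route over TLS (HostSNI) where possible.
            - name: redis
              containerPort: 6379
              hostPort: 6379
          args:
            - --entrypoints.web.Address=:80
            - --entrypoints.websecure.Address=:443
            - --entrypoints.redis.Address=:6379
            - --providers.kubernetescrd
            # The API/dashboard is enabled, but deliberately NOT with
            # `--api.insecure=true`: that flag serves the unauthenticated API
            # and dashboard on :8080 to every pod in the cluster (the former
            # ClusterIP Service on port 8080 has been removed for the same
            # reason). Publish the dashboard through an IngressRoute that
            # targets the internal `api@internal` service and is protected by
            # a basicAuth (or ipWhiteList) middleware, as described in the
            # Traefik dashboard documentation for your version.
            - --api
            - --api.dashboard=true
            - --accesslog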
--------------------------------------------------------------------------------
/traefik2/traefik.yaml:
--------------------------------------------------------------------------------
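# Traefik v2 ingress controller (HTTP/HTTPS entrypoints, CRD provider).
# apps/v1 replaces extensions/v1beta1, which was removed in Kubernetes 1.16.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  # The pod binds hostPorts on a single pinned node. With the apps/v1
  # RollingUpdate defaults (maxSurge 1, maxUnavailable 0 for one replica) the
  # replacement pod can never schedule while the old one holds the ports, so
  # a rollout would hang; Recreate tears the old pod down first.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
      name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      # Tolerates every taint and pins the pod to the control-plane node, so
      # an internet-facing proxy ends up listening on the master's address.
      # Prefer a dedicated worker/edge node where one exists.
      tolerations:
        - operator: "Exists"
      nodeSelector:
        kubernetes.io/hostname: ydzs-master
      containers:
        - name: traefik-ingress-lb
          # `v2.0` is a floating tag (tracks 2.0.x). Pin a patch release or
          # an image digest so redeploys are reproducible and auditable.
          image: traefik:v2.0
          securityContext:
            # Binding 80/443 on the node only needs NET_BIND_SERVICE;
            # everything else is dropped.
            capabilities:
              drop:
                - ALL
              add:
                - NET_BIND_SERVICE
            allowPrivilegeEscalation: false
            # Nothing is written to disk with this configuration (no ACME
            # storage; the access log goes to stdout).
            readOnlyRootFilesystem: true
          ports:
            - name: web
              containerPort: 80
              hostPort: 80
            - name: websecure
              containerPort: 443
              hostPort: 443
          args:
            - --entrypoints.web.Address=:80
            - --entrypoints.websecure.Address=:443
            - --providers.kubernetescrd
            # The API/dashboard is enabled, but deliberately NOT with
            # `--api.insecure=true`: that flag serves the unauthenticated API
            # and dashboard on :8080 to every pod in the cluster (the former
            # ClusterIP Service on port 8080 has been removed for the same
            # reason). Publish the dashboard through an IngressRoute that
            # targets the internal `api@internal` service and is protected by
            # a basicAuth (or ipWhiteList) middleware, as described in the
            # Traefik dashboard documentation for your version.
            - --api
            - --api.dashboard=true
            - --accesslog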
--------------------------------------------------------------------------------