[opennebula] initial commit

Nico Schottelius 2021-08-10 21:29:40 +02:00
parent cd44ce6506
commit 225b251fb9
11 changed files with 2474 additions and 0 deletions


@ -0,0 +1,24 @@
# Patterns to ignore when building packages.
# This supports shell glob matching, relative path matching, and
# negation (prefixed with !). Only one pattern per line.
.DS_Store
# Common VCS dirs
.git/
.gitignore
.bzr/
.bzrignore
.hg/
.hgignore
.svn/
# Common backup files
*.swp
*.bak
*.tmp
*.orig
*~
# Various IDEs
.project
.idea/
*.tmproj
.vscode/
.#*


@ -0,0 +1,6 @@
apiVersion: v2
name: ungleich-opennebula
description: OpenNebula Control Plane, made for replacing native OpenNebula setups
version: 0.1.0
appVersion: "6.0.0.2"

apps/opennebula/README.md

@ -0,0 +1,136 @@
## OpenNebula Chart
## Containers to do
- oned: main api
- also needs ssh files
- scheduler
- mysql for data
- sunstone
- novnc
- nginx on 443
Storage:
- mysql pvc (prod: 65G!)
## Containers done
### Scheduler
Needs /etc/one/sched.conf.
[root@opennebula-opennebula-6cbb864798-txfhf one]# /usr/bin/mm_sched
Could not open file /root/.one/one_auth
```
[root@opennebula-opennebula-6cbb864798-txfhf one]# mkdir /root/.one
[root@opennebula-opennebula-6cbb864798-txfhf one]# vi /root/.one/one_auth
[root@opennebula-opennebula-6cbb864798-txfhf one]# /usr/bin/mm_sched
```
## DB cleanup
- via cronjob
- maybe 1/month
```
ALTER TABLE vm_pool DROP INDEX ftidx;
ALTER TABLE vm_pool ADD FULLTEXT INDEX ftidx (search_token);
```
## Oned
- Needs SSH keys
- Define secret and provide out-of-band?
## certbot for nginx
## nginx for sunstone
## Sunstone
templates: sunstone-server
- needs ssl certificates access
files:
- /var/lib/one/.one/one_auth
- /var/lib/one/.one/sunstone_auth
Maybe via latent / hanging secret?
cmd:
```
mkdir -p /run/lock/one
mkdir -p /run/one
ruby /usr/lib/one/sunstone/sunstone-server.rb
```
``
[root@opennebula-opennebula-574c564b76-h6skt /]# sunstone-server start
Error, check /var/log/one/novnc.log
Could not start novnc server
touch: cannot touch '/var/lock/one/.sunstone.lock': No such file or directory
Error creating lock file
VNC server is not running
[root@opennebula-opennebula-574c564b76-h6skt /]# mkdir -p /run/lock/one
[root@opennebula-opennebula-574c564b76-h6skt /]# sunstone-server start
VNC proxy started
/usr/bin/sunstone-server: line 104: /var/run/one/sunstone.pid: No such file or directory
sunstone-server started
[root@opennebula-opennebula-574c564b76-h6skt /]#
```
```
SUNSTONE_CONF=/etc/one/sunstone-server.conf
``
- Starting novnc
- ruby $SUNSTONE_SERVER > $SUNSTONE_LOG 2>$SUNSTONE_LOG_ERROR &
SUNSTONE_PID=/var/run/one/sunstone.pid
SUNSTONE_SERVER=/usr/lib/one/sunstone/sunstone-server.rb
SUNSTONE_LOCK_FILE=/var/lock/one/.sunstone.lock
SUNSTONE_LOG=/var/log/one/sunstone.log
SUNSTONE_LOG_ERROR=/var/log/one/sunstone.error
SUNSTONE_CONF=/etc/one/sunstone-server.conf
NOVNC_SERVER=/usr/bin/novnc-server
- Memcached
- SSL cert
Sat Aug 07 11:54:42 2021 [E]: No such file or directory @ rb_sysopen - /var/lib/one/.one/sunstone_auth
serveradmin:...
Sat Aug 07 12:08:37 2021 [E]: Configuration of ':webauthn_origin' is missing
Provide the serveradmin and oneadmin credentials in the /var/lib/one/.one/.
### File upload
From the website:
If you want to upload files to OpenNebula, you will have to share the
uploads directory (/var/tmp by default) between Sunstone and
oned. Some servers do not take into account the TMPDIR environment
variable, in which case this directory must be defined in the
configuration file (:tmpdir). It may also be necessary to set it in
Passenger (client_body_temp_path).
We can probably do without it using the hostpath
## Fireedge
* Basically a guacamole viewer, which we already have
## Follow up
- Find out if DB can be cleaned up (65G is huge!)
- https://docs.opennebula.io/6.0/installation_and_configuration/opennebula_services/database.html
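Review bot: the Markdown code fences in this README are unbalanced: the `mm_sched` transcript (`[root@...]# /usr/bin/mm_sched` / `Could not open file /root/.one/one_auth`) has no opening fence before it, and the two fences written as two backticks (the one before the `sunstone-server start` transcript and the one after `SUNSTONE_CONF=/etc/one/sunstone-server.conf`) are not fences at all, so everything from there on lands inside or outside a code block unpredictably; make all of them three backticks. Separately, the "DB cleanup" section (`ALTER TABLE vm_pool DROP INDEX ftidx;` followed by re-adding the FULLTEXT index) rebuilds a FULLTEXT index on a table the same README says is 65G, and MySQL does not permit concurrent DML on a table while a FULLTEXT index is being added; before this goes into a monthly cronjob, document that it blocks vm_pool writes for the duration and say where the cronjob takes its database credentials from.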


@ -0,0 +1,53 @@
server {
listen *:443 ssl;
listen [::]:443 ssl;
ssl_certificate /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem;
server_name {{ tpl .Values.fqdn . }};
root /usr/share/nginx/html;
client_max_body_size 0;
try_files $uri/index.html $uri.html $uri @sunstone;
location ~* \.(ico|css|js|gif|jpe?g|png)(\?[0-9]+)?$ {
expires 1y;
# Need to enable proxying in this location as well
try_files $uri @sunstone;
}
# Rails error pages
error_page 500 502 503 504 /500.html;
location @sunstone {
proxy_pass http://localhost:9869;
# Forward original host name to be seen in unicorn
proxy_set_header Host $host;
# Server name and address like being available in PHP
proxy_set_header SERVER_NAME $server_name;
proxy_set_header SERVER_ADDR $server_addr;
# Forward client ip address to rack/rails so logging
proxy_set_header X-Forwarded-For $remote_addr;
# Tell rack if it is http or https
# https://github.com/intridea/omniauth/blob/master/lib/omniauth/strategy.rb#L483
# http://nginx.org/en/docs/http/ngx_http_core_module.html#variables
# $https was introduced in 1.1.11 - we are using 0.7.67-3+squeeze3
# so we cannot use
# proxy_set_header HTTPS $https;
# but have to forward the scheme like this
proxy_set_header X_FORWARDED_SCHEME $scheme;
# Some applications seem to use X_FORWARDED_SCHEME while others need
# X_FORWARDED_PROTO, so we set X_FORWARDED_PROTO too
proxy_set_header X_FORWARDED_PROTO $scheme;
}
}
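Review bot: no `ssl_protocols` or `ssl_ciphers` are set in this server block, so nginx's built-in defaults apply, and the comment block (`# $https was introduced in 1.1.11 - we are using 0.7.67-3+squeeze3`) is carried over from a Debian squeeze-era config that no longer describes this deployment (deployment.yaml on this page runs `nginx:1.21-alpine`); drop the stale comment and pin `ssl_protocols TLSv1.2 TLSv1.3;` explicitly, and consider an `add_header Strict-Transport-Security` since this is the only entry point for the web UI. `client_max_body_size 0;` at server scope removes the request body limit for every location, not only image uploads; if unlimited bodies are needed for uploads alone, scope the directive to that location. The non-standard `X_FORWARDED_SCHEME` / `X_FORWARDED_PROTO` names are kept from the original file; if Sunstone only honours the standard `X-Forwarded-Proto`, add that too.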


@ -0,0 +1,41 @@
server {
listen *:2634 ssl;
listen [::]:2634 ssl;
ssl_certificate /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem;
server_name {{ tpl .Values.fqdn . }};
root /usr/share/nginx/html;
client_max_body_size 0;
location / {
proxy_pass http://localhost:2633;
# Forward original host name to be seen in unicorn
proxy_set_header Host $host;
# Server name and address like being available in PHP
proxy_set_header SERVER_NAME $server_name;
proxy_set_header SERVER_ADDR $server_addr;
# Forward client ip address to rack/rails so logging
proxy_set_header X-Forwarded-For $remote_addr;
# Tell rack if it is http or https
# https://github.com/intridea/omniauth/blob/master/lib/omniauth/strategy.rb#L483
# http://nginx.org/en/docs/http/ngx_http_core_module.html#variables
# $https was introduced in 1.1.11 - we are using 0.7.67-3+squeeze3
# so we cannot use
# proxy_set_header HTTPS $https;
# but have to forward the scheme like this
proxy_set_header X_FORWARDED_SCHEME $scheme;
# Some applications seem to use X_FORWARDED_SCHEME while others need
# X_FORWARDED_PROTO, so we set X_FORWARDED_PROTO too
proxy_set_header X_FORWARDED_PROTO $scheme;
}
}
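Review bot: this block puts TLS on port 2634 in front of oned's XML-RPC endpoint, but `proxy_pass http://localhost:2633;` only works because oned listens on 2633 in the same pod network namespace, and nothing in the chart stops a client from reaching 2633 directly on the pod IP without TLS; for the 2634 listener to be the only path, add a NetworkPolicy restricting 2633 (or bind oned to loopback) and state that assumption in a comment. The unicorn/rack/Rails comments and headers (`SERVER_NAME`, `SERVER_ADDR`, `X_FORWARDED_SCHEME`, the squeeze note) are copied from the Sunstone block and mean nothing to oned; trim them to the `Host` and `X-Forwarded-For` headers that matter for logging.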

File diff suppressed because it is too large


@ -0,0 +1,125 @@
#*******************************************************************************
# OpenNebula Configuration file
#*******************************************************************************
#*******************************************************************************
# Daemon configuration attributes
#-------------------------------------------------------------------------------
# MESSAGE_SIZE: Buffer size in bytes for XML-RPC responses.
#
# XMLRPC_TIMEOUT: Seconds to timeout XML-RPC calls to oned
#
# ONE_XMLRPC: URL to connect to the OpenNebula daemon (oned)
#
# SCHED_INTERVAL: Seconds between two scheduling actions
#
# MAX_VM: Maximum number of Virtual Machines scheduled in each scheduling
# action. Use 0 to schedule all pending VMs each time.
#
# MAX_DISPATCH: Maximum number of Virtual Machines dispatched in each
# scheduling action
#
# MAX_HOST: Maximum number of Virtual Machines dispatched to each host in
# each scheduling action
#
# LIVE_RESCHEDS: Perform live (1) or cold migrations (0) when rescheduling a VM
#
# DEFAULT_SCHED: Definition of the default scheduling algorithm
# - policy:
# 0 = Packing. Heuristic that minimizes the number of hosts in use by
# packing the VMs in the hosts to reduce VM fragmentation
# 1 = Striping. Heuristic that tries to maximize resources available for
# the VMs by spreading the VMs in the hosts
# 2 = Load-aware. Heuristic that tries to maximize resources available for
# the VMs by using those nodes with less load
# 3 = Custom.
# - rank: Custom arithmetic expression to rank suitable hosts based in
# their attributes
# 4 = Fixed. Hosts will be ranked according to the PRIORITY attribute found
# in the Host or Cluster template.
#
# DEFAULT_DS_SCHED: Definition of the default storage scheduling algorithm
# - policy:
# 0 = Packing. Tries to optimize storage usage by selecting the DS with
# less free space
# 1 = Striping. Tries to optimize I/O by distributing the VMs across
# datastores.
# 2 = Custom.
# - rank: Custom arithmetic expression to rank suitable datastores based
# on their attributes
# 3 = Fixed. Datastores will be ranked according to the PRIORITY attribute
# found in the Datastore template.
#
# DEFAULT_NIC_SCHED: Definition of the default virtual network scheduler
# - policy:
# 0 = Packing. Tries to pack address usage by selecting the VNET with
# less free leases
# 1 = Striping. Tries to distribute address usage across VNETs.
# 2 = Custom.
# - rank: Custom arithmetic expression to rank suitable datastores based
# on their attributes
# 3 = Fixed. Virtual Networks will be ranked according to the PRIORITY
# attribute found in the Virtual Network template.
#
# DIFFERENT_VNETS: When set (YES) the NICs of a VM will be forced to be in
# different Virtual Networks.
#
# LOG: Configuration for the logging system
# - system: defines the logging system:
# file to log in the sched.log file
# syslog to use the syslog facilities
# - debug_level:
# 0 = ERROR
# 1 = WARNING
# 2 = INFO
# 3 = DEBUG Includes general scheduling information (default)
# 4 = DDEBUG Includes time taken for each step
# 5 = DDDEBUG Includes detailed information about the scheduling
# decision, such as VM requirements, Host ranking for
# each VM, etc. This will impact the performance
#
# MEMORY_SYSTEM_DS_SCALE: This factor scales the VM usage of the system DS with
# the memory size. This factor can be use to make the scheduler consider the
# overhead of checkpoint files:
# system_ds_usage = system_ds_usage + memory_system_ds_scale * memory
#
#*******************************************************************************
MESSAGE_SIZE = 1073741824
TIMEOUT = 60
ONE_XMLRPC = "http://localhost:2633/RPC2"
SCHED_INTERVAL = 15
MAX_VM = 5000
MAX_DISPATCH = 30
MAX_HOST = 1
LIVE_RESCHEDS = 1
MEMORY_SYSTEM_DS_SCALE = 0
DIFFERENT_VNETS = YES
DEFAULT_SCHED = [
POLICY = 0
]
DEFAULT_DS_SCHED = [
POLICY = 1
]
DEFAULT_NIC_SCHED = [
POLICY = 1
]
#DEFAULT_SCHED = [
# policy = 3,
# rank = "- (RUNNING_VMS * 50 + FREE_CPU)"
#]
LOG = [
system = "std",
debug_level = 3
]
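Review bot: the header comment documents the timeout key as `XMLRPC_TIMEOUT`, but the value actually set is `TIMEOUT = 60`; confirm which name mm_sched reads, because if it is `XMLRPC_TIMEOUT` the 60 s timeout silently never applies. Likewise `LOG = [ system = "std", ...` uses a value the header's own list (`file`, `syslog`) does not document; it is the right choice for a container logging to stdout, so either extend the header list or add a one-line comment next to it. `ONE_XMLRPC = "http://localhost:2633/RPC2"` is plain HTTP and depends on oned sharing the pod's network namespace, which deployment.yaml does provide; a comment saying so would save the next reader from pointing it at the TLS port.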


@ -0,0 +1,257 @@
# -------------------------------------------------------------------------- #
# Copyright 2002-2017, OpenNebula Project, OpenNebula Systems #
# #
# Licensed under the Apache License, Version 2.0 (the "License"); you may #
# not use this file except in compliance with the License. You may obtain #
# a copy of the License at #
# #
# http://www.apache.org/licenses/LICENSE-2.0 #
# #
# Unless required by applicable law or agreed to in writing, software #
# distributed under the License is distributed on an "AS IS" BASIS, #
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. #
# See the License for the specific language governing permissions and #
# limitations under the License. #
#--------------------------------------------------------------------------- #
################################################################################
# Server Configuration
################################################################################
# Directory to store temp files when uploading images
#
:tmpdir: /var/tmp
# OpenNebula sever contact information
#
:one_xmlrpc: http://localhost:2633/RPC2
:one_xmlrpc_timeout: 60
# :subscriber_endpoint to subscribe for OpenNebula events must match those in
# oned.conf
:subscriber_endpoint: tcp://localhost:2101
# Server Configuration
#
# Sinatra fails if the IP is specified in k8s
#:host: 127.0.0.1
:port: 9869
# Place where to store sessions, this value can be memory, memcache or memcache-dalli
# Use memcache when starting multiple server processes, for example,
# with passenger
#
# NOTE. memcache needs a separate memcached server to be configured. Refer
# to memcached documentation to configure the server.
:sessions: memory
# Memcache configuration
:memcache_host: localhost
:memcache_port: 11211
:memcache_namespace: opennebula.sunstone
# Excution environment for Sunstone
# dev, Instead of pulling the minified js all the files will be pulled (app/main.js)
# Check the Building from Source guide in the docs, for details on how to run
# Sunstone in development
# prod, the minified js will be used (dist/main.js)
:env: 'prod'
################################################################################
# Log
################################################################################
# Log debug level
# 0 = ERROR, 1 = WARNING, 2 = INFO, 3 = DEBUG
#
:debug_level: 3
################################################################################
# Proxy
################################################################################
# Enable an http proxy for the support portal and to download MarketPlaceApps
# from the MarketPlace to the user's desktop.
# :proxy: http://<hostname>:<port>
################################################################################
# Auth
################################################################################
# Authentication driver for incomming requests
# sunstone: for OpenNebula's user-password scheme
# x509: for x509 certificates based authentication
# opennebula: the authentication will be done by the opennebula core using the
# driver defined for the user
# remote: performs the login based on a Kerberos REMOTE_USER
#
:auth: opennebula
# Authentication driver to communicate with OpenNebula core
# cipher, for symmetric cipher encryption of tokens
# x509, for x509 certificate encryption of tokens
#
:core_auth: cipher
# Two Factor Authentication Issuer Label
:two_factor_auth_issuer: opennebula
################################################################################
# WebAuthn
################################################################################
# This value needs to match `window.location.origin` evaluated by the User Agent
# during registration and authentication ceremonies. Remember that WebAuthn
# requires TLS on anything else than localhost.
#:webauthn_origin: http://localhost:9869
:webauthn_origin: https://{{ tpl .Values.fqdn . }}
# Relying Party name for display purposes
:webauthn_rpname: 'OpenNebula Cloud'
# Optional client timeout hint, in milliseconds. Specifies how long the browser
# should wait for any interaction with the user.
:webauthn_timeout: 60000
# Optional differing Relying Party ID
# See https://www.w3.org/TR/webauthn/#relying-party-identifier
# :webauthn_rpid: example.com
# Supported cryptographic algorithms
# See https://www.iana.org/assignments/jose/jose.xhtml
# Possible is any list of
# ES256 | ES384 | ES512 | PS256 | PS384 | PS512 | RS256 | RS384 | RS512 | RS1
# :webauthn_algorithms: [ES256, PS256, RS256]
################################################################################
# Check Upgrades
################################################################################
# To check for the latest release. Comment this value if you don't want to check
# this.
:remote_version: http://downloads.opennebula.org/latest
################################################################################
# UI Settings
################################################################################
# :vnc_proxy_
# port: port where the vnc proxy will listen
# support_wss: no | yes | only. For yes and only, provide path to
# cert and key. "yes" means both ws and wss connections will be
# supported.
# vnc_proxy_cert: Certificate to encrypt wss connections.
# vnc_proxy_key: Key for wss connections. Only necessary if not included in cert.
# vnc_proxy_ipv6: Enable ipv6 support for novnc-server
#
# :vnc_request_password: true | false
# Request VNC password for external windows, by default it will not be requested
#
:vnc_proxy_port: 29876
:vnc_proxy_support_wss: yes
:vnc_proxy_cert: /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem
:vnc_proxy_key: /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem
:vnc_proxy_ipv6: yes
:vnc_request_password: false
# Login Session Length in seconds, defaults to 1 hour.
#:session_expire_time: 3600
# Default language setting
:lang: en_US
# Default table order
:table_order: desc
# Default views directory
:mode: 'mixed'
# True to display 'Keep me logged in' option.
:keep_me_logged: true
# this display button and clock icon in table of vm
:leases:
suspend:
time: "+1209600"
color: "#000000"
warning:
time: "-86400"
color: "#085aef"
terminate:
time: "+1209600"
color: "#e1ef08"
warning:
time: "-86400"
color: "#ef2808"
# This change the thresholds of dashboard resource usage
:threshold_min: 0
:threshold_low: 33
:threshold_high: 66
#support filesystem
:support_fs:
- ext4
- ext3
- ext2
- xfs
################################################################################
# Marketplace
################################################################################
# Marketplace username and password
# If no credentials are provided, an anonymous client will be used
#
#:marketplace_username:
#:marketplace_password:
# Marketplace endpoint
# The url should not include the /appliance path since it will be automatically
# included
#
:marketplace_url: http://marketplace.opennebula.systems/
################################################################################
# OneFlow
################################################################################
# OneFlow endpoint
#
:oneflow_server: http://localhost:2474/
################################################################################
# Routes
################################################################################
# Array of files containing ruby code to extend the default sunstone-server
# routes. These files must be placed inside the custom_routes directory
# in the sunstone root dir (/usr/lib/one/sunstone/routes)
#
# Example:
# $ ls /usr/lib/one/sunstone/routes
# custom.rb other.rb
#
# $ cat /usr/lib/one/sunstone/routes/example.rb
# get '/custom' do
# body "It works"
# end
#
#:routes:
# - custom
# - other
:routes:
- oneflow
- vcenter
- support
- nsx
################################################################################
# FireEdge
################################################################################
#:private_fireedge_endpoint: http://localhost:2616
#:public_fireedge_endpoint: http://localhost:2616
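Review bot: `:sessions: memory` together with `:host:` left commented out (`# Sinatra fails if the IP is specified in k8s`) means Sunstone listens on all interfaces on 9869 and keeps sessions in-process; the memcached container this chart starts, and the `:memcache_host: localhost` settings here, are therefore unused, and anything on the pod network can talk to Sunstone on 9869 over plain HTTP, bypassing the nginx TLS front. Either set `:sessions: memcache` so the memcached container earns its place, or drop it, and add a NetworkPolicy so only nginx reaches 9869. Three smaller points: `:vnc_proxy_support_wss: yes` permits plain `ws` as well as `wss` (the file's own comment says `only` forces TLS, and certificates are already wired in); `:debug_level: 3` is DEBUG in a profile that declares `:env: 'prod'`, so consider 2 unless the verbose log is wanted; and `:remote_version` and `:marketplace_url` are plain `http://` URLs, so the version check and marketplace listing are fetched without transport authentication.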


@ -0,0 +1,14 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-opennebula-config
data:
{{ tpl (.Files.Glob "one/*").AsConfig . | indent 2 }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ .Release.Name }}-nginx-config
data:
{{ tpl (.Files.Glob "nginx/*").AsConfig . | indent 2 }}
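Review bot: both globs (`one/*`, `nginx/*`) pull every file in those directories into a ConfigMap and run each through `tpl`, so any literal `{{` in a future config file will be interpreted as a template, and nothing sensitive (a database password in oned.conf, for example) may live in these files, since a ConfigMap is not a Secret; a short comment above each glob stating both constraints would prevent the obvious mistake.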


@ -0,0 +1,261 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-opennebula
spec:
selector:
matchLabels:
app-inside: {{ .Release.Name }}-opennebula
replicas: 1
strategy:
type: "Recreate"
template:
metadata:
labels:
app: {{ .Release.Name }}
app-inside: {{ .Release.Name }}-opennebula
annotations:
checksum/config: {{ include (print $.Template.BasePath "/configmap.yaml") . | sha256sum }}
spec:
initContainers:
- name: wait-for-cert
image: busybox
command:
- sh
- -c
- until ls /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem; do sleep 2; done
volumeMounts:
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
- name: sync-opennebula
image: "opennebula/opennebula:{{ .Chart.AppVersion }}"
command:
- rsync
- -av
- /usr/lib/one/sunstone/public/
- /for-nginx
volumeMounts:
- name: tmp
mountPath: "/for-nginx"
containers:
- name: nginx
image: nginx:1.21-alpine
ports:
- containerPort: 443
- containerPort: 2634
volumeMounts:
- name: nginx-config
mountPath: "/etc/nginx/conf.d/"
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
- name: tmp
mountPath: "/usr/share/nginx/html"
- name: memcached
image: "memcached:1.6.10-alpine"
ports:
- name: tcp-11211
containerPort: 11211
protocol: TCP
- name: mysql
image: "mysql:8.0.26"
ports:
- name: tcp-3306
containerPort: 3306
protocol: TCP
env:
- name: MYSQL_ALLOW_EMPTY_PASSWORD
value: "yes"
# - name: MYSQL_ROOT_PASSWORD
# valueFrom:
# secretKeyRef:
# name: {{ .Release.Name }}-mysql-config
# key: PASSWORD
volumeMounts:
- name: mysql-data
mountPath: "/var/lib/mysql/"
subPath: mysql
- name: oned
image: "opennebula/opennebula:{{ .Chart.AppVersion }}"
ports:
- name: tcp-2633
containerPort: 2633
protocol: TCP
volumeMounts:
- name: auth
mountPath: "/root/.one"
- name: opennebula-config
mountPath: "/tmp/one"
command:
- "/bin/sh"
- "-c"
- "cp /tmp/one/oned.conf /etc/one/ && mkdir -p /run/lock/one && sleep 15; oned -f"
- name: sunstone
image: "opennebula/opennebula:{{ .Chart.AppVersion }}"
ports:
- name: tcp-9869
containerPort: 9869
protocol: TCP
- name: vnc-proxy
containerPort: 29876
protocol: TCP
volumeMounts:
- name: auth
mountPath: "/var/lib/one/.one"
- name: opennebula-config
mountPath: "/tmp/one"
command:
- "/bin/sh"
- "-c"
- "cp /tmp/one/sunstone-server.conf /etc/one/ && mkdir -p /run/lock/one /run/one && sleep 20; ruby /usr/lib/one/sunstone/sunstone-server.rb; sleep 120"
- name: scheduler
image: "opennebula/opennebula:{{ .Chart.AppVersion }}"
command:
- "sh"
- "-c"
- "cp /tmp/one/sched.conf /etc/one/ && /usr/bin/mm_sched"
volumeMounts:
- name: auth
mountPath: "/root/.one"
- name: opennebula-config
mountPath: "/tmp/one"
volumes:
- name: auth
secret:
secretName: {{ .Release.Name }}-one-auth
- name: etcletsencrypt
persistentVolumeClaim:
claimName: {{ .Release.Name}}-letsencrypt-certs
- name: mysql-data
persistentVolumeClaim:
claimName: {{ .Release.Name }}-mysql-data
- name: nginx-config
configMap:
name: {{ .Release.Name }}-nginx-config
- name: opennebula-config
configMap:
name: {{ .Release.Name }}-opennebula-config
- name: tmp
emptyDir: {}
# ---
# apiVersion: batch/v1
# kind: Job
# metadata:
# name: {{ .Release.Name }}-getcert
# spec:
# template:
# metadata:
# labels:
# app: {{ .Release.Name }}-opennebula
# spec:
# restartPolicy: Never
# containers:
# - name: certbot
# image: ungleich/ungleich-certbot
# ports:
# - containerPort: 80
# env:
# - name: DOMAIN
# value: {{ .Values.fqdn }}
# - name: EMAIL
# value: {{ .Values.email }}
# - name: STAGING
# value: {{ .Values.letsencryptStaging }}
# # volumeMounts:
# # - name: etcletsencrypt
# # mountPath: "/etc/letsencrypt"
# # volumes:
# # - name: etcletsencrypt
# # persistentVolumeClaim:
# # claimName: {{ .Release.Name }}-letsencrypt-certs
# backoffLimit: 3
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}
labels:
app: {{ .Release.Name }}
spec:
type: ClusterIP
ports:
- port: 80
protocol: TCP
name: http
- port: 443
protocol: TCP
name: https
- port: 2643
protocol: TCP
name: xmlrpc
selector:
app: {{ .Release.Name }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ .Release.Name}}-letsencrypt-certs
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 50Mi
storageClassName: rook-cephfs
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ .Release.Name }}-mysql-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.dbsizeingb }}Gi
---
apiVersion: v1
kind: Secret
metadata:
name: {{ .Release.Name }}-one-auth
stringData:
one_auth: {{ .Values.one_auth }}
sunstone_auth: {{ .Values.sunstone_auth }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ .Release.Name }}-getcert
spec:
template:
metadata:
labels:
app: {{ .Release.Name }}
spec:
restartPolicy: Never
containers:
- name: certbot
image: ungleich/ungleich-certbot
ports:
- containerPort: 80
env:
- name: DOMAIN
value: "{{ tpl .Values.fqdn . }}"
- name: ONLYGETCERT
value: "yes"
- name: EMAIL
value: "{{ .Values.email }}"
{{ if eq .Values.letsencryptStaging "no" }}
- name: STAGING
value: "no"
{{ end }}
volumeMounts:
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
volumes:
- name: etcletsencrypt
persistentVolumeClaim:
claimName: {{ .Release.Name }}-letsencrypt-certs
backoffLimit: 3
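Review bot: the mysql container runs with `MYSQL_ALLOW_EMPTY_PASSWORD` / `value: "yes"` and the `MYSQL_ROOT_PASSWORD` secret reference commented out, so root has no password on a 3306 listener that is reachable on the pod IP from any pod in the cluster (no NetworkPolicy is defined); restore the secretKeyRef and add a NetworkPolicy before this serves production data. The Service publishes `port: 2643` named `xmlrpc`, while nginx listens on `containerPort: 2634`; one of these is a typo and XML-RPC traffic through the Service goes nowhere. Start-up ordering relies on `sleep 15; oned -f` and `sleep 20; ruby ...; sleep 120` with no readiness or liveness probes, and the trailing `sleep 120` hides a Sunstone exit for two minutes; replace the sleeps with probes. In the Secret, `one_auth: {{ .Values.one_auth }}` is interpolated unquoted (use `| quote`, and `required` so an empty value fails the install), and the auth volume could set `defaultMode: 0400` since only the container's root reads it. `image: busybox` is untagged. Finally, the certbot Job pod carries the label `app: {{ .Release.Name }}`, which is how the Service's port 80 reaches it for the HTTP-01 challenge; that coupling deserves a comment, because it looks accidental.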


@ -0,0 +1,15 @@
clusterDomain: "c2.k8s.ooo"
# For http/https/letsencrypt
fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
# Size for the pvc for mysql
dbsizeingb: 100
# Opennebula secrets
one_auth: ""
sunstone_auth: ""
# Letsencrypt settings
email: ""
letsencryptStaging: "yes"
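Review bot: `one_auth: ""` and `sunstone_auth: ""` default to empty strings and the Secret template interpolates them as-is, so an install with these values unset produces a Secret holding empty credentials instead of failing; mark them as mandatory with `required` in the template (or a values.schema.json) and document the expected `user:password` format next to them. The `fqdn` default (`{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}`) is the name the certbot Job requests a Let's Encrypt certificate for, so it only works where that name is publicly resolvable and routed to the Service's port 80; say so in the comment, and note that `letsencryptStaging: "yes"` is the default so that a first install does not hit the production rate limits.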