Merge branch 'master' of code.ungleich.ch:ungleich-public/ungleich-k8s

This commit is contained in:
Nico Schottelius 2021-10-18 15:16:47 +02:00
commit 8305b7cab1
16 changed files with 791 additions and 85 deletions

0
apps/netbox/.gitkeep Normal file

@ -1,15 +0,0 @@
## Missing
- SMTP settings / secrets (ungleich mail + sops?)
- Exposing sizes in value.yaml (db, gitea)
- Maybe reducing to 1 PVC?
## Problems
* nginx and fpm need to share filesystem/data
* might be able to workaround with copying (a bit ugly)
* Sharing via cephfs is non-optimal
* Maybe separate data volume?
* Separating apps & data
* apache stays listening on port 80
* Trusted domain not set yet


@ -48,73 +48,79 @@ spec:
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-nextcloud
name: {{ .Release.Name }}-zammad
spec:
selector:
matchLabels:
app: {{ .Release.Name }}-nextcloud
app: {{ .Release.Name }}-zammad
replicas: 1
template:
metadata:
labels:
app: {{ .Release.Name }}-nextcloud
app: {{ .Release.Name }}-zammad
spec:
initContainers:
- name: wait-for-cert
image: busybox
command:
- sh
- -c
- until ls /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem; do sleep 5; done
volumeMounts:
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
# initContainers:
# - name: wait-for-cert
# image: busybox
# command:
# - sh
# - -c
# - until ls /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem; do sleep 5; done
# volumeMounts:
# - name: etcletsencrypt
# mountPath: "/etc/letsencrypt"
containers:
- name: nginx
image: nginx:1.21-alpine
# - name: nginx
# image: nginx:1.21-alpine
# ports:
# - containerPort: 443
# volumeMounts:
# - name: nginx-config
# mountPath: "/etc/nginx/conf.d/"
# - name: etcletsencrypt
# mountPath: "/etc/letsencrypt"
# - name: zammad-data
# mountPath: "/var/www/html"
# # Is it ready to work?
# readinessProbe:
# tcpSocket:
# port: 443
# initialDelaySeconds: 5
# periodSeconds: 10
# # Is it still working?
# livenessProbe:
# tcpSocket:
# port: 443
# initialDelaySeconds: 15
# periodSeconds: 20
- name: elasticsearch
image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.1
ports:
- containerPort: 443
volumeMounts:
- name: nginx-config
mountPath: "/etc/nginx/conf.d/"
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
- name: nextcloud-data
mountPath: "/var/www/html"
# Is it ready to work?
readinessProbe:
tcpSocket:
port: 443
initialDelaySeconds: 5
periodSeconds: 10
# Is it still working?
livenessProbe:
tcpSocket:
port: 443
initialDelaySeconds: 15
periodSeconds: 20
- name: nextcloud
image: nextcloud:{{ .Chart.AppVersion }}-fpm-alpine
# Wait for 10 minutes to get ready
startupProbe:
httpGet:
path: /ocs/v2.php/apps/serverinfo/api/v1/info
port: fpm
failureThreshold: 20
periodSeconds: 30
# Dead if failing for 1 minute
livenessProbe:
httpGet:
path: /ocs/v2.php/apps/serverinfo/api/v1/info
port: fpm
failureThreshold: 6
periodSeconds: 10
readinessProbe:
httpGet:
path: /ocs/v2.php/apps/serverinfo/api/v1/info
port: fpm
failureThreshold: 3
periodSeconds: 30
- containerPort: 9200
name: elastic
- name: zammad
image: index.docker.io/zammad/zammad-docker-compose:zammad-{{ .Chart.AppVersion }}
# # Wait for 10 minutes to get ready
# startupProbe:
# httpGet:
# path: /ocs/v2.php/apps/serverinfo/api/v1/info
# port: fpm
# failureThreshold: 20
# periodSeconds: 30
# # Dead if failing for 1 minute
# livenessProbe:
# httpGet:
# path: /ocs/v2.php/apps/serverinfo/api/v1/info
# port: fpm
# failureThreshold: 6
# periodSeconds: 10
# readinessProbe:
# httpGet:
# path: /ocs/v2.php/apps/serverinfo/api/v1/info
# port: fpm
# failureThreshold: 3
# periodSeconds: 30
ports:
- containerPort: 9000
name: fpm
@ -124,17 +130,17 @@ spec:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_DB
- name: NEXTCLOUD_TRUSTED_DOMAINS
- name: ZAMMAD_TRUSTED_DOMAINS
value: "{{ tpl .Values.fqdn . }}"
- name: NEXTCLOUD_ADMIN_USER
- name: ZAMMAD_ADMIN_USER
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-nextcloud
name: {{ tpl .Values.identifier . }}-zammad
key: USERNAME
- name: NEXTCLOUD_ADMIN_PASSWORD
- name: ZAMMAD_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-nextcloud
name: {{ tpl .Values.identifier . }}-zammad
key: PASSWORD
- name: POSTGRES_USER
valueFrom:
@ -149,13 +155,13 @@ spec:
- name: POSTGRES_HOST
value: {{ .Release.Name }}-postgres
volumeMounts:
- name: nextcloud-data
- name: zammad-data
mountPath: "/var/www/html"
volumes:
- name: etcletsencrypt
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
- name: nextcloud-data
- name: zammad-data
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-data
- name: postgres-data
@ -180,7 +186,7 @@ spec:
- port: 443
name: https
selector:
app: {{ .Release.Name }}-nextcloud
app: {{ .Release.Name }}-zammad
---
apiVersion: v1
kind: PersistentVolumeClaim
@ -226,7 +232,7 @@ spec:
template:
metadata:
labels:
app: {{ .Release.Name }}-nextcloud
app: {{ .Release.Name }}-zammad
spec:
restartPolicy: Never
containers:
@ -269,13 +275,13 @@ metadata:
secret-generator.v1.mittwald.de/autogenerate: POSTGRES_PASSWORD
stringData:
POSTGRES_USER: "postgres"
POSTGRES_DB: "nextcloud"
POSTGRES_DB: "zammad"
---
apiVersion: v1
kind: Secret
metadata:
name: {{ tpl .Values.identifier . }}-nextcloud
name: {{ tpl .Values.identifier . }}-zammad
annotations:
secret-generator.v1.mittwald.de/autogenerate: PASSWORD
stringData:
USERNAME: "nextcloud"
USERNAME: "zammad"
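Review bot: On the new side the Service near the end of this section still publishes port 443 with selector `app: {{ .Release.Name }}-zammad`, yet the only container that listened on 443 (nginx, with its readiness and liveness probes) is commented out, so as far as I can read the rendered hunks the Service has no backend and the remaining zammad/elasticsearch containers carry no probe at all, leaving the pod permanently Ready with no health signal. `ZAMMAD_TRUSTED_DOMAINS`, `ZAMMAD_ADMIN_USER` and `ZAMMAD_ADMIN_PASSWORD` look like a search-and-replace of the nextcloud variable names; I cannot tell from here whether the zammad image reads any of them, so either document where those names come from or drop them together with the `-zammad` Secret they point at. If this file is a scratch copy, a header comment such as `# WIP: copied from the nextcloud chart; nginx and probes disabled until the zammad image layout is settled` would save the next reader from deploying it. The Deployment and Service definitions continue outside the shown hunks.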

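--- /dev/null
+++ b/apps/zammad/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/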

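--- /dev/null
+++ b/apps/zammad/Chart.yaml
+apiVersion: v2
+name: ungleich-zammad
+description: ungleich managed zammad
+type: application
+version: 0.1.0
+appVersion: "5.0.0-2"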

0
apps/zammad/README.md Normal file

@ -0,0 +1,66 @@
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ tpl .Values.fqdn . }};
# Use Mozilla's guidelines for SSL/TLS settings
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
ssl_certificate /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ tpl .Values.fqdn . }}/privkey.pem;
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
error_log /dev/stdout info;
access_log /dev/stdout;
root /opt/zammad/public;
location ~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png) {
expires max;
}
location /ws {
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header CLIENT_IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 86400;
proxy_pass http://localhost:6042;
}
location / {
proxy_set_header Host $http_host;
proxy_set_header CLIENT_IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
# Change this line in an SSO setup
proxy_set_header X-Forwarded-User "";
proxy_read_timeout 300;
proxy_pass http://localhost:3000;
gzip on;
gzip_types text/plain text/xml text/css image/svg+xml application/javascript application/x-javascript application/json application/xml;
gzip_proxied any;
}
}
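Review bot: The comment `# Use Mozilla's guidelines for SSL/TLS settings` above `ssl_certificate` is not backed by any TLS policy in this server block — there is no `ssl_protocols`, `ssl_ciphers`, `ssl_session_*` or HSTS header — so the effective protocol and cipher set is whatever the nginx build inside the `ungleich-certbot` image defaults to. Either drop the comment or add at least the intermediate profile's floor next to the certificate lines, e.g. `ssl_protocols TLSv1.2 TLSv1.3;` and `add_header Strict-Transport-Security "max-age=63072000" always;`. `fastcgi_buffers 64 4K;` is a leftover from the nextcloud fpm config; nothing in this file uses fastcgi, so it can go. The `/ws` location also does not forward `Host`, unlike `location /`; I would add `proxy_set_header Host $http_host;` there for consistency unless the websocket server is known not to need it.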


@ -0,0 +1,417 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-postgres
spec:
selector:
matchLabels:
instance: {{ .Release.Name }}-postgres
replicas: 1
template:
metadata:
labels:
app: postgres
instance: {{ .Release.Name }}-postgres
spec:
containers:
- name: postgres
image: postgres:14
ports:
- containerPort: 5432
envFrom:
- secretRef:
name: {{ tpl .Values.identifier . }}-postgres-config
volumeMounts:
- name: postgres-data
mountPath: "/var/lib/postgresql/data"
subPath: postgres
resources:
requests:
memory: "64Mi"
cpu: "100m"
limits:
memory: "256Mi"
cpu: "400m"
volumes:
- name: postgres-data
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-postgres-data
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-elasticsearch
spec:
selector:
matchLabels:
instance: {{ .Release.Name }}-elasticsearch
replicas: 1
template:
metadata:
labels:
app: elasticsearch
instance: {{ .Release.Name }}-elasticsearch
spec:
containers:
- name: elasticsearch
image: zammad/zammad-docker-compose:zammad-elasticsearch-{{ .Chart.AppVersion }}
env:
- name: discovery.type
value: "single-node"
securityContext:
capabilities:
add: ["SYS_CHROOT"] # Required, because elasticsearch is using chroot()
ports:
- containerPort: 9200
resources:
requests:
memory: "1.2Gi"
cpu: "400m"
limits:
memory: "3Gi"
cpu: "2000m"
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-elasticsearch
labels:
app: elasticsearch
instance: {{ .Release.Name }}-elasticsearch
spec:
type: ClusterIP
ports:
- port: 9200
name: elasticsearch
selector:
instance: {{ .Release.Name }}-elasticsearch
---
apiVersion: v1
kind: Service
metadata:
name: {{ .Release.Name }}-postgres
labels:
instance: {{ .Release.Name }}-postgres
app: postgres
spec:
type: ClusterIP
ports:
- port: 5432
name: postgres
selector:
instance: {{ .Release.Name }}-postgres
---
apiVersion: v1
kind: Service
metadata:
name: {{ tpl .Values.identifier . }}
labels:
app: zammad
instance: {{ tpl .Values.identifier . }}
spec:
type: ClusterIP
ports:
- port: 80
name: http
- port: 443
name: https
selector:
instance: {{ .Release.Name }}-zammad
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-zammad
spec:
selector:
matchLabels:
instance: {{ .Release.Name }}-zammad
replicas: 1
template:
metadata:
labels:
app: zammad
instance: {{ .Release.Name }}-zammad
annotations:
checksum/config: {{ include (print $.Template.BasePath "/nginxconf.yaml") . | sha256sum }}
spec:
initContainers:
- name: change-permissions
image: busybox
command:
- sh
- -c
- chown 1000:0000 /opt/zammad
volumeMounts:
- name: zammad-data
mountPath: "/opt/zammad"
- name: zammad-init
image: zammad/zammad-docker-compose:zammad-{{ .Chart.AppVersion }}
command:
- /docker-entrypoint.sh
- zammad-init
env:
- name: POSTGRESQL_HOST
value: {{ .Release.Name }}-postgres
- name: POSTGRESQL_USER
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_USER
- name: POSTGRESQL_PASS
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_PASSWORD
- name: POSTGRESQL_DB
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_DB
- name: ELASTICSEARCH_HOST
value: "{{ .Release.Name }}-elasticsearch"
volumeMounts:
- name: zammad-data
mountPath: "/opt/zammad"
containers:
- name: nginx
image: ungleich/ungleich-certbot:0.2.0
ports:
- containerPort: 443
name: https
- containerPort: 80
name: http
env:
- name: DOMAIN
value: "{{ tpl .Values.fqdn . }}"
- name: EMAIL
value: "{{ .Values.email }}"
- name: NGINX
value: "yes"
{{ if eq .Values.letsencryptStaging "no" }}
- name: STAGING
value: "no"
{{ end }}
volumeMounts:
- name: nginx-config
mountPath: "/etc/nginx/conf.d/"
- name: etcletsencrypt
mountPath: "/etc/letsencrypt"
- name: zammad-data
mountPath: "/opt/zammad"
- name: memcached
image: memcached:1.6.12-alpine
resources:
requests:
memory: "64Mi"
cpu: "100m"
limits:
memory: "128Mi"
cpu: "500m"
ports:
- containerPort: 11211
- name: redis
image: redis:6.2.6-alpine
resources:
requests:
memory: "32Mi"
cpu: "100m"
limits:
memory: "64Mi"
cpu: "200m"
ports:
- containerPort: 6379
- name: zammad-railsserver
image: zammad/zammad-docker-compose:zammad-{{ .Chart.AppVersion }}
command:
- /docker-entrypoint.sh
- zammad-railsserver
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "512Mi"
cpu: "500m"
ports:
- containerPort: 3000
name: rails
env:
- name: POSTGRESQL_HOST
value: {{ .Release.Name }}-postgres
- name: POSTGRESQL_USER
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_USER
- name: POSTGRESQL_PASS
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_PASSWORD
- name: POSTGRESQL_DB
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_DB
- name: REDIS_URL
value: "redis://localhost:6379"
- name: MEMCACHE_SERVERS
value: "localhost:11211"
- name: ELASTICSEARCH_HOST
value: "{{ .Release.Name }}-elasticsearch"
volumeMounts:
- name: zammad-data
mountPath: "/opt/zammad"
- name: zammad-scheduler
image: zammad/zammad-docker-compose:zammad-{{ .Chart.AppVersion }}
command:
- /docker-entrypoint.sh
- zammad-scheduler
env:
- name: POSTGRESQL_HOST
value: {{ .Release.Name }}-postgres
- name: POSTGRESQL_USER
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_USER
- name: POSTGRESQL_PASS
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_PASSWORD
- name: POSTGRESQL_DB
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_DB
- name: REDIS_URL
value: "redis://localhost:6379"
- name: MEMCACHE_SERVERS
value: "localhost:11211"
- name: ELASTICSEARCH_HOST
value: "{{ .Release.Name }}-elasticsearch"
volumeMounts:
- name: zammad-data
mountPath: "/opt/zammad"
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "512Mi"
cpu: "500m"
- name: zammad-websocket
image: zammad/zammad-docker-compose:zammad-{{ .Chart.AppVersion }}
command:
- sh
- -c
- "cd /opt/zammad && bundle exec script/websocket-server.rb -b :: -p 6042 start"
env:
- name: POSTGRESQL_HOST
value: {{ .Release.Name }}-postgres
- name: POSTGRESQL_USER
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_USER
- name: POSTGRESQL_PASS
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_PASSWORD
- name: POSTGRESQL_DB
valueFrom:
secretKeyRef:
name: {{ tpl .Values.identifier . }}-postgres-config
key: POSTGRES_DB
- name: REDIS_URL
value: "redis://localhost:6379"
- name: MEMCACHE_SERVERS
value: "localhost:11211"
- name: ELASTICSEARCH_HOST
value: "{{ .Release.Name }}-elasticsearch"
volumeMounts:
- name: zammad-data
mountPath: "/opt/zammad"
ports:
- containerPort: 6042
name: websocket
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "512Mi"
cpu: "500m"
volumes:
- name: etcletsencrypt
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-letsencrypt-certs
- name: zammad-data
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-data
- name: postgres-data
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-postgres-data
- name: nginx-config
configMap:
name: {{ tpl .Values.identifier . }}-nginx-config
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ tpl .Values.identifier . }}-letsencrypt-certs
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 50Mi
storageClassName: rook-ceph-block
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ tpl .Values.identifier . }}-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.datasizeingb }}Gi
storageClassName: rook-ceph-block
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ tpl .Values.identifier . }}-postgres-data
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.dbsizeingb }}Gi
storageClassName: rook-ceph-block
---
apiVersion: v1
kind: Secret
metadata:
name: {{ tpl .Values.identifier . }}-postgres-config
annotations:
secret-generator.v1.mittwald.de/autogenerate: POSTGRES_PASSWORD
stringData:
POSTGRES_USER: "postgres"
POSTGRES_DB: "zammad"
---
apiVersion: v1
kind: Secret
metadata:
name: {{ tpl .Values.identifier . }}-zammad
annotations:
secret-generator.v1.mittwald.de/autogenerate: PASSWORD
stringData:
USERNAME: "zammad"
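Review bot: The `{{ .Release.Name }}-elasticsearch` Service is a ClusterIP reachable from every pod in the cluster, and nothing in this template configures credentials for it (the zammad containers only receive `ELASTICSEARCH_HOST`), so I assume the index holding ticket data is readable and writable by any workload that can reach port 9200 — worth confirming against the `zammad-elasticsearch` image. `memcached` has the same shape of problem: it listens on the pod IP on 11211 without authentication while Rails only needs it on `localhost:11211`, so starting it with `args: ["-l", "127.0.0.1"]` keeps it inside the pod (redis should already be loopback-only through protected mode, but that is also worth a comment). I would add a NetworkPolicy next to the elasticsearch Service that only admits the chart's own pods, as sketched below. Separately, the nginx container mounts `zammad-data` read-write only to serve `/opt/zammad/public`; `readOnly: true` on that mount is a cheap least-privilege win, and the `{{ tpl .Values.identifier . }}-zammad` Secret at the end is generated but referenced by no container, so it can either be wired in or removed.
```yaml
# … unchanged: the rest of the chart …
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: {{ .Release.Name }}-elasticsearch
spec:
  podSelector:
    matchLabels:
      instance: {{ .Release.Name }}-elasticsearch
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              instance: {{ .Release.Name }}-zammad
      ports:
        - protocol: TCP
          port: 9200
```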


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: {{ tpl .Values.identifier . }}-nginx-config
data:
{{ tpl (.Files.Glob "nginx/*").AsConfig . | indent 2 }}


@ -0,0 +1,13 @@
apiVersion: v1
kind: Pod
metadata:
name: "{{ tpl .Values.identifier . }}-test-connection"
annotations:
"helm.sh/hook": test
spec:
containers:
- name: wget
image: busybox
command: ['wget']
args: ['https://{{ tpl .Values.fqdn . }}']
restartPolicy: Never
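Review bot: The helm test fetches `https://{{ tpl .Values.fqdn . }}` with busybox `wget`, which as far as I know does not validate TLS certificates at all (it prints a note saying so), so a green test proves that something answers on 443 but not that the Let's Encrypt certificate is the expected one — and with the chart's default `letsencryptStaging: "yes"` a validating client would in fact fail. Either state that limitation in the manifest, e.g. `# NOTE: busybox wget does not verify the certificate; this only checks that nginx answers on 443`, or use an image whose wget/curl verifies the peer and run the test against a release with `letsencryptStaging: "no"`.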

32
apps/zammad/test.yaml Normal file

@ -0,0 +1,32 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ .Release.Name }}-postgres
spec:
selector:
matchLabels:
app: {{ .Release.Name }}-postgres
replicas: 1
template:
metadata:
labels:
app: {{ .Release.Name }}-postgres
spec:
containers:
- name: postgres
image: postgres:13
ports:
- containerPort: 5432
envFrom:
- secretRef:
name: {{ tpl .Values.identifier . }}-postgres-config
volumeMounts:
- name: postgres-data
mountPath: "/var/lib/postgresql/data"
subPath: postgres
volumes:
- name: postgres-data
persistentVolumeClaim:
claimName: {{ tpl .Values.identifier . }}-postgres-data
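Review bot: According to the file header this Deployment lives at `apps/zammad/test.yaml`, outside `templates/`, so Helm will not render it, yet it uses `{{ .Release.Name }}` and duplicates the postgres Deployment from the template with a different image (`postgres:13` here, `postgres:14` there) and no resource limits, which will drift further over time. If it is meant as a manual scratch manifest, a header comment such as `# Not rendered by Helm: manual scratch copy of the postgres Deployment, keep in sync with templates/` would stop it from being mistaken for the real one; otherwise it should be deleted.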

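--- /dev/null
+++ b/apps/zammad/values.yaml
+clusterDomain: c2.k8s.ooo
+email: technik@ungleich.ch
+letsencryptStaging: "yes"
+# This is how the service and the data volumes are named - i.e. the
+# persistent thing
+identifier: "{{ .Release.Name }}"
+fqdn: "{{ .Release.Name }}.{{ .Release.Namespace }}.svc.{{ .Values.clusterDomain }}"
+datasizeingb: 1
+dbsizeingb: 0.5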
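Review bot: `letsencryptStaging: "yes"` only works because the template compares the value against the string `"no"`; an override of `letsencryptStaging: no` in a values file, written unquoted as most people will, parses as boolean `false`, `eq false "no"` is false, and the release silently stays on the staging CA while looking like production. Either document the quoting requirement on this line, e.g. `# must be the quoted string "yes" or "no"; an unquoted no is parsed as a boolean and ignored`, or make it a real boolean (`letsencryptStaging: true` with `{{ if not .Values.letsencryptStaging }}` in the template). The `email` and `clusterDomain` defaults are also site-specific and deserve a one-line comment saying they must be overridden per deployment.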


@ -0,0 +1,29 @@
---
apiVersion: projectcalico.org/v3
kind: BGPConfiguration
metadata:
name: default
spec:
logSeverityScreen: Info
nodeToNodeMeshEnabled: true
asNumber: 65534
serviceClusterIPs:
- cidr: 2a0a:e5c0:2:16::/108
serviceExternalIPs:
- cidr: 2a0a:e5c0:2:16::/108
---
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
name: router1-place6
spec:
peerIP: 2a0a:e5c0:2:11::5
asNumber: 207996
---
apiVersion: projectcalico.org/v3
kind: BGPPeer
metadata:
name: router2-place6
spec:
peerIP: 2a0a:e5c0:2:11::6
asNumber: 207996
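Review bot: `serviceClusterIPs` and `serviceExternalIPs` both announce `2a0a:e5c0:2:16::/108` to the two place6 routers, so every ClusterIP Service in the cluster — including the plain-ClusterIP postgres and elasticsearch Services added elsewhere in this commit — becomes routable from wherever router1/router2 propagate that prefix, and `type: ClusterIP` no longer means cluster-internal. I cannot tell from here whether the routers filter that prefix; if they do not, a default-deny ingress NetworkPolicy per namespace or filtering at the routers is needed before ClusterIP can be treated as an isolation boundary. A comment on the config would warn the next reader, e.g. `# NOTE: the service CIDR is announced upstream; ClusterIP services are reachable from outside the cluster unless filtered`.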


@ -0,0 +1,12 @@
# kubeadm-config.yaml
kind: ClusterConfiguration
apiVersion: kubeadm.k8s.io/v1beta2
kubernetesVersion: v1.21.2
networking:
dnsDomain: c6.k8s.ooo
podSubnet: 2a0a:e5c0:2:15::/64
serviceSubnet: 2a0a:e5c0:2:16::/108
---
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
cgroupDriver: cgroupfs


@ -9,4 +9,4 @@ spec:
resources:
requests:
storage: 1Gi
storageClassName: rook-ceph-block
storageClassName: rook-ceph-block-hdd


@ -0,0 +1,97 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: memcached-deployment
spec:
selector:
matchLabels:
app: memcached-test
replicas: 1
template:
metadata:
labels:
app: memcached-test
spec:
containers:
- name: memcache
image: memcached:1.6.12-alpine
ports:
- containerPort: 11211
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: test-network-policy
namespace: default
spec:
podSelector:
matchLabels:
app: memcached-test
policyTypes:
- Ingress
- Egress
ingress:
- from:
# - ipBlock:
# cidr: 172.17.0.0/16
# except:
# - 172.17.1.0/24
# - namespaceSelector:
# matchLabels:
# project: myproject
- podSelector:
matchLabels:
app: myapp
role: frontend
ports:
- protocol: TCP
port: 11211
# egress:
# - to:
# - ipBlock:
# cidr: 10.0.0.0/24
# ports:
# - protocol: TCP
# port: 5978
---
apiVersion: v1
kind: Pod
metadata:
name: alpine-memcached-sleep-access
labels:
app: myapp
role: frontend
spec:
containers:
- name: alpine
image: alpine:3.14
args:
- sleep
- "1000000"
---
apiVersion: v1
kind: Pod
metadata:
name: alpine-memcached-sleep-noaccess
labels:
app: myapp
role: notfrontend
spec:
containers:
- name: alpine
image: alpine:3.14
args:
- sleep
- "1000000"
---
apiVersion: v1
kind: Service
metadata:
name: memcache-service
spec:
selector:
app: memcached-test
ports:
- protocol: TCP
port: 11211
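Review bot: `policyTypes` lists `Egress` but the `egress:` block is entirely commented out, so this policy denies all egress from `app: memcached-test` pods, including DNS, which is probably not what an ingress-only test intends. Either drop `- Egress` from `policyTypes` or add an explicit egress rule. The `from:` entry with only a `podSelector` admits pods in the `default` namespace carrying both `app: myapp` and `role: frontend`; the `alpine-memcached-sleep-noaccess` pod differs only by `role`, so the test does exercise that label match, which is worth stating in a comment such as `# expect: sleep-access reaches 11211, sleep-noaccess is dropped`.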