This commit is contained in:
Nico Schottelius 2021-07-17 20:12:27 +02:00
parent 034885e016
commit e28cb019a5
3 changed files with 73 additions and 8 deletions


@ -19,7 +19,7 @@ This project is testing, deploying and using IPv6 only k8s clusters.
* virtualisation (VMs, kubevirt) * virtualisation (VMs, kubevirt)
* network policies * network policies
* prometheus in the cluster * prometheus in the cluster
* argocd (?) for CI and upgrades * -argocd (?) for CI and upgrades- using flux
* Maybe LoadBalancer support (our ClusterIP already does that though) * Maybe LoadBalancer support (our ClusterIP already does that though)
* (Other) DNS entrys for services * (Other) DNS entrys for services
* Internal backup / snapshots * Internal backup / snapshots
@ -138,7 +138,7 @@ We can confirm this on the upstream side, where we also run bird:
% birdc show route % birdc show route
BIRD 2.0.7 ready. BIRD 2.0.7 ready.
Table master6: Table master6:
2a0a:e5c0:13:e1:f4c5:ab65:a67f:53c0/122 unicast [place7-server1 20:04:14.222] * (100) [AS65534i] 2a0a:e5c0:13:e1:f4c5:ab65:a67f:53c0/122 unicast [place7-srever1 20:04:14.222] * (100) [AS65534i]
via 2a0a:e5c0:13:0:225:b3ff:fe20:3554 on eth0 via 2a0a:e5c0:13:0:225:b3ff:fe20:3554 on eth0
unicast [place7-server3 20:04:14.224] (100) [AS65534i] unicast [place7-server3 20:04:14.224] (100) [AS65534i]
via 2a0a:e5c0:13:0:224:81ff:fee0:db7a on eth0 via 2a0a:e5c0:13:0:224:81ff:fee0:db7a on eth0
@ -240,7 +240,30 @@ The [guide for creating HA
clusters](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/) clusters](https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/)
referes to an external load balancer that referes to an external load balancer that
## Secrets
Handled via https://github.com/mittwald/kubernetes-secret-generator
```
helm repo add mittwald https://helm.mittwald.de
helm repo update
helm upgrade --install kubernetes-secret-generator mittwald/kubernetes-secret-generator
```
Generating / creating secrets:
```
apiVersion: v1
kind: Secret
metadata:
name: string-secret
annotations:
secret-generator.v1.mittwald.de/autogenerate: password
data:
username: c29tZXVzZXI=
```
This will add a password into it. Password only will
## The IPv4 "problem" ## The IPv4 "problem"


@ -6,7 +6,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes # This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version. # to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/) # Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.0 version: 0.1.1
# This is the version number of the application being deployed. This version number should be # This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to # incremented each time you make changes to the application. Versions are not expected to


@ -24,6 +24,25 @@ spec:
volumeMounts: volumeMounts:
- name: etcletsencrypt - name: etcletsencrypt
mountPath: "/etc/letsencrypt" mountPath: "/etc/letsencrypt"
- name: generate-matrix-signing-key
image: matrixdotorg/synapse:v{{ .Values.synapseVersion }}
env:
- name: SYNAPSE_CONFIG_PATH
value: "/config/homeserver.yaml"
command:
- "python"
- "-m"
- "synapse.app.homeserver"
- "--config-path"
- "/config"
- "--keys-directory"
- "/data"
- "--generate-keys"
volumeMounts:
- name: data
mountPath: "/data"
- name: matrix-config
mountPath: "/config"
containers: containers:
# This container will only start *after* the cert has been placed # This container will only start *after* the cert has been placed
- name: nginx - name: nginx
@ -40,7 +59,7 @@ spec:
ports: ports:
- containerPort: 5432 - containerPort: 5432
envFrom: envFrom:
- configMapRef: - secretRef:
name: {{ tpl .Values.identifier . }}-postgres-config name: {{ tpl .Values.identifier . }}-postgres-config
# Use subpath to avoid lost+found error # Use subpath to avoid lost+found error
volumeMounts: volumeMounts:
@ -52,8 +71,10 @@ spec:
ports: ports:
- containerPort: 8008 - containerPort: 8008
env: env:
- name: SYNAPSE_CONFIG_PATH - name: SYNAPSE_CONFIG_DIR
value: "/config/homeserver.yaml" value: "/config"
# - name: SYNAPSE_CONFIG_PATH
# value: "/config/homeserver.yaml"
volumeMounts: volumeMounts:
- name: data - name: data
mountPath: "/data" mountPath: "/data"
@ -95,6 +116,23 @@ spec:
use-as-service: {{ .Release.Name }} use-as-service: {{ .Release.Name }}
--- ---
apiVersion: v1 apiVersion: v1
kind: Service
metadata:
name: {{ tpl .Values.identifier . }}-web
labels:
app: {{ tpl .Values.identifier . }}-web
spec:
type: ClusterIP
ports:
# Required for letsencrypt
- port: 80
name: http
- port: 443
name: https
selector:
use-as-service: {{ .Release.Name }}-web
---
apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: {{ tpl .Values.identifier . }}-letsencrypt-certs name: {{ tpl .Values.identifier . }}-letsencrypt-certs
@ -192,9 +230,11 @@ data:
} }
--- ---
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: Secret
metadata: metadata:
name: {{ tpl .Values.identifier . }}-postgres-config name: {{ tpl .Values.identifier . }}-postgres-config
annotations:
secret-generator.v1.mittwald.de/autogenerate: POSTGRES_PASSWORD
data: data:
POSTGRES_USER: matrix-synapse POSTGRES_USER: matrix-synapse
POSTGRES_DB: matrix-synapse POSTGRES_DB: matrix-synapse
@ -214,6 +254,8 @@ data:
allow_public_rooms_over_federation: false allow_public_rooms_over_federation: false
pid_file: "/var/run/matrix/homeserver.pid" pid_file: "/var/run/matrix/homeserver.pid"
report_stats: false
signing_key_path: "/data/signin.key"
listeners: listeners:
- port: 8008 - port: 8008
@ -249,7 +291,7 @@ data:
log_config: "/config/log.yaml" log_config: "/config/log.yaml"
enable_media_repo: true enable_media_repo: true
media_store_path: "/data" media_store_path: "/data/media"
max_upload_size: "{{ .Values.max_filesize_in_mb }}M" max_upload_size: "{{ .Values.max_filesize_in_mb }}M"
enable_registration: {{ .Values.enable_registration }} enable_registration: {{ .Values.enable_registration }}
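Review bot: The `{{ tpl .Values.identifier . }}-postgres-config` object in the `@ -192,9 +230,11 @@` hunk is now `kind: Secret` but keeps its `data:` block with plain-text values such as `POSTGRES_USER: matrix-synapse`; a Secret's `data` field must hold base64, so the API server will reject the rendered manifest on install (the hyphen alone is outside the base64 alphabet). Change that line to `stringData:` so Kubernetes encodes the values itself; the mittwald generator's autogenerated `POSTGRES_PASSWORD` then presumably lands in `data` alongside them, which is worth confirming after the first install. Separately, `signing_key_path: "/data/signin.key"` in the `-214,6 +254,8` hunk looks like a typo for `signing.key`; it is consistent with the init container's `--keys-directory /data` so it works, but a misnamed key file is easy to lose track of during backups or rotation. The postgres Secret's remaining entries continue past the end of that hunk.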