diff --git a/k8s/api/1-config.yaml b/k8s/api/1-config.yaml
new file mode 100644
index 0000000..0eabec0
--- /dev/null
+++ b/k8s/api/1-config.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: vault-api-kv
+ namespace: canister
+spec:
+ destination:
+ create: true
+ name: api-kv
+ mount: kv
+ path: canister/api
+ refreshAfter: 30s
+ type: kv-v2
+ vaultAuthRef: vault-auth
diff --git a/k8s/api/2-deployment.yaml b/k8s/api/2-deployment.yaml
new file mode 100644
index 0000000..87a2b70
--- /dev/null
+++ b/k8s/api/2-deployment.yaml
@@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: api
+ namespace: canister
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: com.tale.canister.api
+ template:
+ metadata:
+ labels:
+ app: com.tale.canister.api
+ spec:
+ restartPolicy: Always
+ containers:
+ - name: api
+ image: ghcr.io/cnstr/api:latest
+ imagePullPolicy: Always
+ ports:
+ - name: api
+ containerPort: 3000
+ env:
+ - name: POD_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.name
+ envFrom:
+ - secretRef:
+ name: api-kv
diff --git a/k8s/api/3-service.yaml b/k8s/api/3-service.yaml
new file mode 100644
index 0000000..ed77943
--- /dev/null
+++ b/k8s/api/3-service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: api
+ namespace: canister
+spec:
+ ports:
+ - port: 3000
+ targetPort: 3000
+ selector:
+ app: com.tale.canister.api
diff --git a/k8s/api/4-ingress.yaml b/k8s/api/4-ingress.yaml
new file mode 100644
index 0000000..bf71ed6
--- /dev/null
+++ b/k8s/api/4-ingress.yaml
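Review bot: A refreshed value never reaches a running pod, because `api-kv` is consumed through `envFrom` in `k8s/api/2-deployment.yaml` and environment variables are fixed at container start, so `refreshAfter: 30s` only keeps the Kubernetes Secret current while the api keeps using whatever it read at startup. VaultStaticSecret supports `rolloutRestartTargets` (a list of `kind`/`name` entries) to restart the consumer when the secret changes; adding `rolloutRestartTargets: [{kind: Deployment, name: api}]` under `spec` closes that gap, and a one-line comment on `refreshAfter` explaining this would help the next reader. The same applies to the clickhouse and typesense config hunks; the core CronJob starts a fresh pod per run so it is unaffected, and vector mounts its secret as a file, which is a different case (see the vector deployment note).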
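Review bot: The api pod runs with cluster defaults for everything security-relevant: no pod `securityContext` (the typesense deployment in this same commit sets `runAsNonRoot: true`, `runAsUser`, `runAsGroup` and `fsGroup`, which is the pattern to copy), no resource limits, and `image: ghcr.io/cnstr/api:latest` with `imagePullPolicy: Always`, so every restart may pull a different, unreviewed build. Pinning to a digest, adding the securityContext, and setting `automountServiceAccountToken: false` on the pod spec (the container only uses the downward API for `POD_NAME`, so presumably it does not need an API-server token — confirm) would bring it in line; the resource values below are copied from the typesense hunk as a starting point, not measured. The clickhouse deployment, core CronJob and grafana deployment hunks share the `:latest` tag and the missing securityContext/limits.
```yaml
    spec:
      restartPolicy: Always
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 10000
        runAsGroup: 3000
      containers:
        - name: api
          image: ghcr.io/cnstr/api@sha256:<digest-of-reviewed-build>
          resources:
            requests:
              memory: 256Mi
              cpu: 256m
            limits:
              memory: 1Gi
              cpu: 1024m
          # … unchanged: imagePullPolicy, ports, env, envFrom …
```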
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: api
+ namespace: canister
+ annotations:
+ cert-manager.io/cluster-issuer: acme-prod
+
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: api.canister.me
+ http:
+ paths:
+ - pathType: Prefix
+ path: /v2
+ backend:
+ service:
+ name: api
+ port:
+ number: 3000
+ tls:
+ - hosts:
+ - 'api.canister.me'
+ secretName: api-tls
diff --git a/k8s/clickhouse/1-config.yaml b/k8s/clickhouse/1-config.yaml
new file mode 100644
index 0000000..74a3da0
--- /dev/null
+++ b/k8s/clickhouse/1-config.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: vault-clickhouse-kv
+ namespace: canister
+spec:
+ destination:
+ create: true
+ name: clickhouse-kv
+ mount: kv
+ path: canister/clickhouse
+ refreshAfter: 30s
+ type: kv-v2
+ vaultAuthRef: vault-auth
diff --git a/k8s/clickhouse/2-migration.yaml b/k8s/clickhouse/2-migration.yaml
new file mode 100644
index 0000000..6442657
--- /dev/null
+++ b/k8s/clickhouse/2-migration.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: clickhouse-migration
+ namespace: canister
+data:
+ migration.sql: |
+ CREATE TABLE IF NOT EXISTS canister.download_events (
+ package_id String,
+ package_version String,
+ package_author String,
+ package_maintainer String,
+ repository_uri String,
+ repository_suite String,
+ repository_component String,
+ client String,
+ client_version String,
+ jailbreak String,
+ jailbreak_version String,
+ distribution String,
+ distribution_version String,
+ client_architecture String,
+ client_bitness UInt32,
+ device String,
+ device_platform String,
+ device_version String,
+ database_uuid String,
+ timestamp String,
+ time DateTime
+ )
+ ENGINE = MergeTree()
+ ORDER BY (timestamp)
diff --git a/k8s/clickhouse/3-pvc.yaml b/k8s/clickhouse/3-pvc.yaml
new file mode 100644
index 0000000..34dc39b
--- /dev/null
+++ b/k8s/clickhouse/3-pvc.yaml
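Review bot: Style: the stray blank line between the `annotations` block and `spec:`, and the host written plain under `rules` but single-quoted under `tls.hosts`, differ from the grafana ingress in this commit, which has no blank line; pick one quoting form for hostnames and use it in both places. This ingress is the public edge for `/v2` and carries no request-limiting annotation; that may be intentional (limits handled in the api itself), but a short comment on the `annotations` block saying where rate limiting lives would save the next reader the question.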
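Review bot: `ORDER BY (timestamp)` makes the `timestamp String` column the MergeTree sort key, so parts are ordered lexicographically by text rather than by the `time DateTime` column the same table carries; unless `timestamp` is a fixed-width, zero-padded format, time-range queries will not benefit from the primary key. Presumably one of the two columns is redundant; either `ORDER BY (time)` or a comment above the `CREATE TABLE` explaining why the string is the key would make the intent clear. The table definition is complete within the hunk.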
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: clickhouse
+ namespace: canister
+spec:
+ storageClassName: openebs-hostpath
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 25Gi
diff --git a/k8s/clickhouse/4-deployment.yaml b/k8s/clickhouse/4-deployment.yaml
new file mode 100644
index 0000000..475c0f1
--- /dev/null
+++ b/k8s/clickhouse/4-deployment.yaml
@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: clickhouse
+ namespace: canister
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: com.tale.canister.clickhouse
+ template:
+ metadata:
+ labels:
+ app: com.tale.canister.clickhouse
+ spec:
+ restartPolicy: Always
+ containers:
+ - name: clickhouse
+ image: clickhouse/clickhouse-server:latest
+ ports:
+ - name: clickhouse
+ containerPort: 8123
+ volumeMounts:
+ - name: migration
+ mountPath: /docker-entrypoint-initdb.d/
+ - name: data
+ mountPath: /var/lib/clickhouse
+ env:
+ - name: 'CLICKHOUSE_DEFAULT_ACCES_MANAGEMENT'
+ value: '1'
+ envFrom:
+ - secretRef:
+ name: clickhouse-kv
+ readinessProbe:
+ httpGet:
+ path: /ping
+ port: 8123
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ livenessProbe:
+ httpGet:
+ path: /ping
+ port: 8123
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ volumes:
+ - name: migration
+ configMap:
+ name: clickhouse-migration
+ items:
+ - key: migration.sql
+ path: migration.sql
+ - name: data
+ persistentVolumeClaim:
+ claimName: clickhouse
diff --git a/k8s/clickhouse/5-service.yaml b/k8s/clickhouse/5-service.yaml
new file mode 100644
index 0000000..5bde057
--- /dev/null
+++ b/k8s/clickhouse/5-service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: clickhouse
+ namespace: canister
+spec:
+ ports:
+ - port: 8123
+ targetPort: 8123
+ selector:
+ app: com.tale.canister.clickhouse
diff --git a/k8s/core/1-config.yaml b/k8s/core/1-config.yaml
new file mode 100644
index 0000000..968e83b
--- /dev/null
+++ b/k8s/core/1-config.yaml
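Review bot: The env var name `'CLICKHOUSE_DEFAULT_ACCES_MANAGEMENT'` is misspelled (one `S` in `ACCES`), so the image will ignore it and the `default` user does not get SQL-driven access management; the documented name is `CLICKHOUSE_DEFAULT_ACCESS_MANAGEMENT`. Before correcting the spelling, decide whether it is wanted at all: the setting lets the `default` user create users and grants, which is broad for the account whose credentials come from `clickhouse-kv`, and the only visible init work (`migration.sql`) is a `CREATE TABLE` that does not need it. Two facts worth a comment on the `volumeMounts` entry: as far as I recall the image only runs `/docker-entrypoint-initdb.d/` scripts when the data directory is empty, so the migration does not re-run once the `clickhouse` PVC is populated, and only the HTTP port 8123 is declared, so nothing in-cluster can use the native protocol. Missing securityContext/limits and the `:latest` tag are covered in the api deployment note.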
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: vault-core-kv
+ namespace: canister
+spec:
+ destination:
+ create: true
+ name: core-kv
+ mount: kv
+ path: canister/core
+ refreshAfter: 30s
+ type: kv-v2
+ vaultAuthRef: vault-auth
diff --git a/k8s/core/2-job.yaml b/k8s/core/2-job.yaml
new file mode 100644
index 0000000..cef8c3e
--- /dev/null
+++ b/k8s/core/2-job.yaml
@@ -0,0 +1,22 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: core
+ namespace: canister
+spec:
+ schedule: 0 * * * *
+ successfulJobsHistoryLimit: 3
+ failedJobsHistoryLimit: 1
+ concurrencyPolicy: Replace
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - image: ghcr.io/cnstr/core:latest
+ imagePullPolicy: Always
+ name: core
+ envFrom:
+ - secretRef:
+ name: core-kv
diff --git a/k8s/grafana/1-pvc.yaml b/k8s/grafana/1-pvc.yaml
new file mode 100644
index 0000000..0d5fb30
--- /dev/null
+++ b/k8s/grafana/1-pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: grafana
+ namespace: canister
+spec:
+ storageClassName: openebs-hostpath
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1.5Gi
diff --git a/k8s/grafana/2-deployment.yaml b/k8s/grafana/2-deployment.yaml
new file mode 100644
index 0000000..c12b0a6
--- /dev/null
+++ b/k8s/grafana/2-deployment.yaml
@@ -0,0 +1,29 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: grafana
+ namespace: canister
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: com.tale.canister.grafana
+ template:
+ metadata:
+ labels:
+ app: com.tale.canister.grafana
+ spec:
+ restartPolicy: Always
+ containers:
+ - name: grafana
+ image: grafana/grafana:latest
+ ports:
+ - name: grafana
+ containerPort: 3000
+ volumeMounts:
+ - name: dashboards
+ mountPath: /var/lib/grafana
+ volumes:
+ - name: dashboards
+ persistentVolumeClaim:
+ claimName: grafana
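Review bot: `concurrencyPolicy: Replace` kills whatever run is still in progress at the top of each hour (`schedule: 0 * * * *`) and starts a fresh one, so a run that takes longer than an hour never completes; if that is the intent a comment on the line should say so, otherwise `concurrencyPolicy: Forbid` plus `activeDeadlineSeconds` on the job spec gives a bounded run without silently discarding work. There is also no `backoffLimit`, so a failing image is retried with the default six attempts inside each hourly window. The `schedule` value is a valid plain scalar, but quoting it (`schedule: '0 * * * *'`) matches the quoting used elsewhere in the commit and avoids any reader wondering about the `*`. Pinning `ghcr.io/cnstr/core:latest` and the missing securityContext are covered in the api deployment note.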
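Review bot: Nothing in this manifest configures Grafana's admin credentials; unless `GF_SECURITY_ADMIN_PASSWORD` or a provisioning file is supplied some other way, the image starts with its documented default admin account, and the `dash.canister.me` ingress added in this commit makes that login page public. Unlike every other workload here there is no `envFrom` secret, so the intent to set it elsewhere is not visible from the hunk; a comment on the container, or a `grafana-kv` VaultStaticSecret in the pattern of the others, would settle it. The volume is named `dashboards` but is mounted at `/var/lib/grafana`, which is the whole Grafana data directory (database, sessions, plugins), so `data` would be the accurate name. The image runs as a non-root user and the PVC is `openebs-hostpath`, so a pod `securityContext` with `fsGroup` may be needed for it to write to the volume — verify on first start.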
diff --git a/k8s/grafana/3-service.yaml b/k8s/grafana/3-service.yaml
new file mode 100644
index 0000000..01c876c
--- /dev/null
+++ b/k8s/grafana/3-service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: grafana
+ namespace: canister
+spec:
+ ports:
+ - port: 3000
+ targetPort: 3000
+ selector:
+ app: com.tale.canister.grafana
diff --git a/k8s/grafana/4-ingress.yaml b/k8s/grafana/4-ingress.yaml
new file mode 100644
index 0000000..2c0bc7f
--- /dev/null
+++ b/k8s/grafana/4-ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: grafana
+ namespace: canister
+ annotations:
+ cert-manager.io/cluster-issuer: acme-prod
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: dash.canister.me
+ http:
+ paths:
+ - pathType: Prefix
+ path: /
+ backend:
+ service:
+ name: grafana
+ port:
+ number: 3000
+ tls:
+ - hosts:
+ - 'dash.canister.me'
+ secretName: grafana-tls
diff --git a/k8s/typesense/1-config.yaml b/k8s/typesense/1-config.yaml
new file mode 100644
index 0000000..d156965
--- /dev/null
+++ b/k8s/typesense/1-config.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: vault-typesense-kv
+ namespace: canister
+spec:
+ destination:
+ create: true
+ name: typesense-kv
+ mount: kv
+ path: canister/typesense
+ refreshAfter: 30s
+ type: kv-v2
+ vaultAuthRef: vault-auth
diff --git a/k8s/typesense/2-pvc.yaml b/k8s/typesense/2-pvc.yaml
new file mode 100644
index 0000000..e60f96c
--- /dev/null
+++ b/k8s/typesense/2-pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: typesense
+ namespace: canister
+spec:
+ storageClassName: openebs-hostpath
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
diff --git a/k8s/typesense/3-deployment.yaml b/k8s/typesense/3-deployment.yaml
new file mode 100644
index 0000000..9e1ee7c
--- /dev/null
+++ b/k8s/typesense/3-deployment.yaml
@@ -0,0 +1,58 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: typesense
+ namespace: canister
+ labels:
+ app: com.tale.canister.typesense
+spec:
+ selector:
+ matchLabels:
+ app: com.tale.canister.typesense
+ template:
+ metadata:
+ labels:
+ app: com.tale.canister.typesense
+ spec:
+ securityContext:
+ fsGroup: 2000
+ runAsUser: 10000
+ runAsGroup: 3000
+ runAsNonRoot: true
+ containers:
+ - name: typesense
+ image: typesense/typesense:26.0
+ ports:
+ - containerPort: 8108
+ name: http
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: 8108
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ timeoutSeconds: 5
+ envFrom:
+ - secretRef:
+ name: typesense-kv
+ env:
+ - name: TYPESENSE_DATA_DIR
+ value: /usr/share/typesense/data
+ - name: TYPESENSE_API_ADDRESS
+ value: '0.0.0.0'
+ - name: TYPESENSE_ENABLE_CORS
+ value: 'true'
+ resources:
+ requests:
+ memory: 256Mi
+ cpu: 256m
+ limits:
+ memory: 1Gi
+ cpu: 1024m
+ volumeMounts:
+ - name: data
+ mountPath: /usr/share/typesense/data
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: typesense
diff --git a/k8s/typesense/4-service.yaml b/k8s/typesense/4-service.yaml
new file mode 100644
index 0000000..1c97d42
--- /dev/null
+++ b/k8s/typesense/4-service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: typesense
+ namespace: canister
+spec:
+ selector:
+ app: com.tale.canister.typesense
+ ports:
+ - name: http
+ port: 8108
+ targetPort: 8108
diff --git a/k8s/typesense/5-ingress.yaml b/k8s/typesense/5-ingress.yaml
new file mode 100644
index 0000000..b6b1a38
--- /dev/null
+++ b/k8s/typesense/5-ingress.yaml
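Review bot: `TYPESENSE_ENABLE_CORS` is set to `'true'` with no allowed-origin restriction, and the ingress in this commit publishes the service on three public hosts, so any web origin can make browser requests to the search API; if only the site's own origin should query it, the `TYPESENSE_CORS_DOMAINS` setting (present in recent Typesense releases — confirm for 26.0) limits that, and a comment on the `env` entry should record the decision either way. The container has a `livenessProbe` but no `readinessProbe`, so the Service routes to the pod before the data directory has loaded; duplicating the probe under `readinessProbe:` fixes that. With no `replicas` field the Deployment defaults to one pod, which with a `ReadWriteOnce` PVC is presumably intended but deserves an explicit `replicas: 1` like the other deployments. The `securityContext`, resource limits and pinned `typesense/typesense:26.0` tag here are the pattern the rest of the commit should follow.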
@@ -0,0 +1,46 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: typesense-ingress
+ namespace: canister
+ annotations:
+ cert-manager.io/cluster-issuer: acme-prod
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: ts-prod1.canister.me
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: typesense
+ port:
+ number: 8108
+ - host: ts-prod2.canister.me
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: typesense
+ port:
+ number: 8108
+ - host: ts-prod3.canister.me
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: typesense
+ port:
+ number: 8108
+ tls:
+ - hosts:
+ - ts-prod1.canister.me
+ - ts-prod2.canister.me
+ - ts-prod3.canister.me
+ secretName: ts-cluster-tls
diff --git a/k8s/vault.yaml b/k8s/vault.yaml
new file mode 100644
index 0000000..2de2ae6
--- /dev/null
+++ b/k8s/vault.yaml
@@ -0,0 +1,13 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vault-auth
+ namespace: canister
+spec:
+ kubernetes:
+ audiences:
+ - vault
+ role: k8s-cluster
+ serviceAccount: default
+ method: kubernetes
+ mount: kubernetes
diff --git a/k8s/vector/1-config.yaml b/k8s/vector/1-config.yaml
new file mode 100644
index 0000000..734e782
--- /dev/null
+++ b/k8s/vector/1-config.yaml
@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: vault-vector-kv
+ namespace: canister
+spec:
+ destination:
+ create: true
+ name: vector-kv
+ mount: kv
+ path: canister/vector
+ refreshAfter: 30s
+ type: kv-v2
+ vaultAuthRef: vault-auth
diff --git a/k8s/vector/2-deployment.yaml b/k8s/vector/2-deployment.yaml
new file mode 100644
index 0000000..79be43e
--- /dev/null
+++ b/k8s/vector/2-deployment.yaml
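Review bot: All three hosts (`ts-prod1`, `ts-prod2`, `ts-prod3`) route to the single `typesense` Service, which fronts a one-pod Deployment, so the three names give no isolation or redundancy; if they are placeholders for a future multi-node cluster, a comment above `rules` saying so stops a reader from assuming three backends exist. The three `rules` entries are identical apart from `host`, and a v1 Ingress rule cannot list several hosts, so the repetition is unavoidable, but the object name `typesense-ingress` breaks the `name: api` / `name: grafana` convention the other ingresses use. The whole API is exposed at `path: /` on public hostnames, so access control rests entirely on the API key delivered via `typesense-kv`; that is the normal Typesense model but worth stating in a comment on the `paths` entry.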
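Review bot: `serviceAccount: default` makes the namespace's default service account the identity that logs in to Vault role `k8s-cluster`, and every Deployment and the CronJob in this commit omit `serviceAccountName`, so all of them run as that same account with its token automounted by default. Unless the Vault role is bound to the `vault` audience requested here (in which case the API-server-audience token automounted into pods would be rejected — confirm against the role), any process in any of those pods holds a credential that can read every `canister/*` KV path rather than only its own. A dedicated account used only by the operator (`serviceAccount: vault-secrets-operator` or similar, created alongside this object and named in the Vault role's bound service accounts) plus `automountServiceAccountToken: false` on the workload pods keeps the Vault identity out of the application containers. The explicit `audiences: [vault]` is the right choice and should stay.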
@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: vector
+ namespace: canister
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: com.tale.canister.vector
+ template:
+ metadata:
+ labels:
+ app: com.tale.canister.vector
+ spec:
+ restartPolicy: Always
+ containers:
+ - name: vector
+ image: timberio/vector:0.39.0-distroless-libc
+ command:
+ - /usr/bin/vector
+ - --config
+ - /etc/vector/vector.toml
+ ports:
+ - name: vector
+ containerPort: 8687
+ volumeMounts:
+ - name: vector
+ mountPath: /etc/vector
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: 8686
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: 8686
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ volumes:
+ - name: vector
+ secret:
+ secretName: vector-kv
+ items:
+ - key: VECTOR_CONFIG
+ path: vector.toml
diff --git a/k8s/vector/3-service.yaml b/k8s/vector/3-service.yaml
new file mode 100644
index 0000000..5756ab5
--- /dev/null
+++ b/k8s/vector/3-service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: vector
+ namespace: canister
+spec:
+ ports:
+ - port: 8687
+ targetPort: 8687
+ selector:
+ app: com.tale.canister.vector
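Review bot: The container declares `containerPort: 8687` (and the Service exposes 8687), but both probes hit `/health` on port 8686, which is Vector's default API port, so pod readiness depends on a port that is neither declared nor exposed; if 8686 is the API and 8687 a source defined in `vector.toml`, a second named entry `- name: api` / `containerPort: 8686` plus a comment makes that readable, and if it is a typo the probes never pass. The entire Vector config is loaded from the `VECTOR_CONFIG` key of `vector-kv`, so a rotated secret changes the file under the running process; Vector only re-reads a changed config when started with `--watch-config` (verify for 0.39.0), otherwise the pod keeps the old pipeline until restarted, which is worth a comment on the `volumes` entry. The pinned `timberio/vector:0.39.0-distroless-libc` tag is good; the missing `securityContext` and resource limits are covered in the api deployment note.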