2025-08-22 13:48:07 +02:00
parent f96faf6ace
commit 185ff178cb
30 changed files with 3663 additions and 24 deletions

BIN
.DS_Store vendored


BIN
code-server/.DS_Store vendored Normal file


10
code-server/README.md Normal file

@@ -0,0 +1,10 @@
# code server
## online IDE
### in the style of visual studio code
the style has to be set manually after bootstrap
improvements:
metrics
liveness probes
resource limits


@@ -0,0 +1,200 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: startup
namespace: code-server
data:
startup.sh: |
#!/bin/sh
echo "startup..."
sleep 10s
git config --global user.name shodan
git config --global user.email "thrawn235@gmail.com"
if test ! -f "/home/coder/.config/startup.ran"; then
echo "waiting 60s for startup..."
sleep 60s
echo "cloning k8aux-apps"
cd /home/coder/project
git clone https://shodan:$SHODAN_PW@gitea.undercloud.cf./undercloud/k8aux-apps.git
git clone http://aux-balancer.undercloud.cf.:3000/undercloud/k8aux-bootstrap.git
git clone http://aux-balancer.undercloud.cf.:3000/undercloud/flatcar.git
echo "create startup.ran file..."
touch /home/coder/.config/startup.ran
else
echo "startup ran already!"
fi
echo "startup done."
#exit 123
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: code-server
# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
provisioner: rook-ceph.cephfs.csi.ceph.com
parameters:
# clusterID is the namespace where the rook cluster is running
# If you change this namespace, also change the namespace below where the secret namespaces are defined
clusterID: rook-ceph
# CephFS filesystem name into which the volume shall be created
fsName: code-server
# Ceph pool into which the volume shall be created
# Required for provisionVolume: "true"
pool: code-server-replicated
# The secrets contain Ceph admin credentials. These are generated automatically by the operator
# in the same namespace as the cluster.
csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
reclaimPolicy: Delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
namespace: code-server
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 64M
storageClassName: code-server
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: project
namespace: code-server
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 8G
storageClassName: code-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: code-server
namespace: code-server
labels:
app: code-server
spec:
replicas: 1
selector:
matchLabels:
app: code-server
template:
metadata:
labels:
app: code-server
spec:
dnsConfig:
options:
- name: ndots
value: "1"
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:
- name: code-server
image: codercom/code-server
imagePullPolicy: IfNotPresent
lifecycle:
postStart:
exec:
command:
- "/home/coder/startup.sh"
ports:
- containerPort: 8080
- name: metrics
containerPort: 2112
env:
- name: CODER_PROMETHEUS_ENABLE
value: "0.0.0.0:2112"
- name: DOCKER_USER
value: docker
- name: PASSWORD
valueFrom:
secretKeyRef:
name: admin
key: pw
- name: SHODAN_PW
valueFrom:
secretKeyRef:
name: shodan
key: pw
optional: false
volumeMounts:
- mountPath: /home/coder/.config
name: data
- mountPath: /home/coder/project
name: project
- mountPath: /home/coder/startup.sh
name: startup
subPath: startup.sh
volumes:
- name: data
persistentVolumeClaim:
claimName: data
readOnly: false
- name: project
persistentVolumeClaim:
claimName: project
readOnly: false
- name: startup
configMap:
name: startup
defaultMode: 0777
items:
- key: "startup.sh"
path: "startup.sh"
---
apiVersion: v1
kind: Service
metadata:
name: code-server
namespace: code-server
spec:
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: code-server
sessionAffinity: None
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
name: code-server-metrics
namespace: code-server
labels:
app: code-server-metrics
spec:
ipFamilies:
- IPv4
ipFamilyPolicy: SingleStack
ports:
- name: metrics
port: 2112
protocol: TCP
selector:
app: code-server
sessionAffinity: None
type: ClusterIP
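Review bot: The clone on the line `git clone https://shodan:$SHODAN_PW@gitea.undercloud.cf./undercloud/k8aux-apps.git` embeds the password in the remote URL, so git persists it into `/home/coder/project/k8aux-apps/.git/config` on the `project` PVC and it is visible in the process list and in any IDE terminal while the clone runs. Keep the credential out of the URL, e.g. `git -c credential.helper='!f() { echo username=shodan; echo "password=$SHODAN_PW"; }; f' clone https://gitea.undercloud.cf./undercloud/k8aux-apps.git`, which also survives a password containing shell metacharacters. The two clones from `http://aux-balancer.undercloud.cf.:3000` fetch code that will later be run from the workspace without any transport integrity; use the https endpoint if the balancer offers one. `defaultMode: 0777` on the startup ConfigMap volume is wider than needed (a ConfigMap mount is read-only regardless) and `0555` is enough, and `image: codercom/code-server` without a tag resolves to `latest` even with `IfNotPresent`, so pin a version or digest for reproducible rollouts.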


@@ -0,0 +1,42 @@
apiVersion: ceph.rook.io/v1
kind: CephFilesystem
metadata:
name: code-server
namespace: rook-ceph
spec:
metadataPool:
failureDomain: host
replicated:
size: 3
dataPools:
- name: replicated
failureDomain: host
replicated:
size: 3
preserveFilesystemOnDelete: false
metadataServer:
activeCount: 1
activeStandby: true
placement:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: role
# operator: In
# values:
# - mds-node
tolerations:
- key: node-role.kubernetes.io/storage-node
operator: Exists
effect: NoSchedule
# podAffinity:
# podAntiAffinity:
# topologySpreadConstraints:
#resources:
# limits:
# cpu: "80m"
# memory: "1024Mi"
# requests:
# cpu: "500m"
# memory: "1024Mi"
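Review bot: `preserveFilesystemOnDelete: false` together with `reclaimPolicy: Delete` on the matching StorageClass means an accidental `kubectl delete` of this CephFilesystem, or of the `data`/`project` PVCs, destroys the IDE state and the cloned workspace with no recovery path; for a workspace filesystem `preserveFilesystemOnDelete: true` (and `reclaimPolicy: Retain` on the class) is the safer default. The identical setting appears in homer/filesystem.yaml. The commented `resources` block, if it is ever re-enabled as written, has `limits.cpu: "80m"` below `requests.cpu: "500m"`, which the API server rejects, so fix the values before uncommenting.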

25
code-server/ingress.yaml Normal file

@@ -0,0 +1,25 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: code-server
namespace: code-server
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt
spec:
tls:
- hosts:
- code-server.undercloud.cf
secretName: code-server-tls
rules:
- host: code-server.undercloud.cf
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: code-server
port:
number: 80
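Review bot: `kubernetes.io/ingress.class: nginx` is the deprecated annotation form; with `networking.k8s.io/v1` the class belongs in the spec, `spec.ingressClassName: nginx`, next to `tls:`. This Ingress publishes a browser IDE with a terminal into the pod, where `SHODAN_PW` sits in the environment and the cloned repositories are on disk, behind only the single `PASSWORD` login; consider restricting callers with `nginx.ingress.kubernetes.io/whitelist-source-range` or an authenticating proxy in front of the service.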


@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: code-server
labels:
prometheus: prometheus

17
code-server/secrets.yaml Normal file

@@ -0,0 +1,17 @@
apiVersion: v1
kind: Secret
metadata:
name: admin
namespace: code-server
type: Opaque
data:
pw: NElzVGhlTWluZEtpbGxlcg==
---
apiVersion: v1
kind: Secret
metadata:
name: shodan
namespace: code-server
type: Opaque
data:
pw: NElzVGhlTWluZEtpbGxlcg==
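Review bot: Both Secrets carry their value in `data:` as base64, which is an encoding, not encryption, so this commit puts the code-server login (`admin/pw`) and the Gitea account password (`shodan/pw`) into git history in recoverable form. The two `pw` values are byte-identical as well, so a single leak exposes both the IDE and the git account. Store them as a SealedSecret, a SOPS-encrypted file or an ExternalSecret reference instead of a plain `Secret`, use two different values, and rotate both now, since the history already contains them.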


@@ -13,10 +13,10 @@ metadata:
spec:
tls:
- hosts:
- demo.apps.undercloud.dev
- demo.undercloud.dev
secretName: demo-tls
rules:
- host: demo.apps.undercloud.dev
- host: demo.undercloud.dev
http:
paths:
- path: /


@@ -53,46 +53,46 @@ metadata:
namespace: dns
data:
Corefile: |
apps.undercloud.dev:53 {
undercloud.dev:53 {
errors
log
reload 10s
health
ready
template IN SOA apps.undercloud.dev {
template IN SOA undercloud.dev {
rcode NOERROR
answer "{{.Name}} 3600 IN SOA ns1.apps.undercloud.dev. hostmaster.apps.undercloud.dev. 1 7200 3600 1209600 3600"
additional "ns1.apps.undercloud.dev. 3600 IN A 10.0.91.54"
additional "ns2.apps.undercloud.dev. 3600 IN A 10.0.91.54"
additional "ns1.apps.undercloud.dev. 3600 IN AAAA 2001:470:7116:f:1::54"
additional "ns2.apps.undercloud.dev. 3600 IN AAAA 2001:470:7116:f:1::54"
answer "{{.Name}} 3600 IN SOA ns1.undercloud.dev. hostmaster.undercloud.dev. 1 7200 3600 1209600 3600"
additional "ns1.undercloud.dev. 3600 IN A 10.0.91.54"
additional "ns2.undercloud.dev. 3600 IN A 10.0.91.54"
additional "ns1.undercloud.dev. 3600 IN AAAA 2001:470:7116:f:1::54"
additional "ns2.undercloud.dev. 3600 IN AAAA 2001:470:7116:f:1::54"
}
template IN NS apps.undercloud.dev {
template IN NS undercloud.dev {
rcode NOERROR
answer "{{.Name}} 3600 IN NS ns1.apps.undercloud.dev."
answer "{{.Name}} 3600 IN NS ns2.apps.undercloud.dev."
additional "ns1.apps.undercloud.dev. 3600 IN A 10.0.91.54"
additional "ns2.apps.undercloud.dev. 3600 IN A 10.0.91.54"
additional "ns1.apps.undercloud.dev. 3600 IN AAAA 2001:470:7116:f:1::54"
additional "ns2.apps.undercloud.dev. 3600 IN AAAA 2001:470:7116:f:1::54"
answer "{{.Name}} 3600 IN NS ns1.undercloud.dev."
answer "{{.Name}} 3600 IN NS ns2.undercloud.dev."
additional "ns1.undercloud.dev. 3600 IN A 10.0.91.54"
additional "ns2.undercloud.dev. 3600 IN A 10.0.91.54"
additional "ns1.undercloud.dev. 3600 IN AAAA 2001:470:7116:f:1::54"
additional "ns2.undercloud.dev. 3600 IN AAAA 2001:470:7116:f:1::54"
}
hosts {
10.0.91.54 ns1.apps.undercloud.dev
10.0.91.54 ns2.apps.undercloud.dev
2001:470:7116:f:1::54 ns1.apps.undercloud.dev
2001:470:7116:f:1::54 ns2.apps.undercloud.dev
10.0.91.54 ns1.undercloud.dev
10.0.91.54 ns2.undercloud.dev
2001:470:7116:f:1::54 ns1.undercloud.dev
2001:470:7116:f:1::54 ns2.undercloud.dev
fallthrough
}
# Wildcard A servi ici
template IN A apps.undercloud.dev {
template IN A undercloud.dev {
match ^(.+)\.apps\.undercloud\.dev\.$
answer "{{.Name}} 300 IN A 93.228.39.77"
}
#template IN A *.apps.undercloud.dev {
#template IN A *.undercloud.dev {
# rcode NOERROR
# answer "{{.Name}} 60 IN A 93.228.39.77"
#}
@@ -100,7 +100,7 @@ data:
# Tout le reste va vers etcd sur 5533
forward . 127.0.0.1:5533
}
apps.undercloud.dev:5533 {
undercloud.dev:5533 {
bind 127.0.0.1
errors
log
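Review bot: The wildcard template was renamed to `template IN A undercloud.dev {`, but its unchanged `match ^(.+)\.apps\.undercloud\.dev\.$` line still only matches names under the old `apps.` subtree, so a query for `demo.undercloud.dev` (the host the sibling ingress change switches to) gets no wildcard answer and falls through to the etcd forward. Either drop the `match` line or change it to `match ^(.+)\.undercloud\.dev\.$`; when widening it, check that the template does not shadow the `hosts` entries for ns1/ns2, because CoreDNS applies plugins in its compiled order, not in Corefile order. The commented-out `#template IN A *.undercloud.dev {` block was renamed too and could be removed rather than carried along. The Corefile block starts before this hunk and continues past it.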


@@ -48,7 +48,7 @@ spec:
args:
- --source=ingress
- --provider=coredns
- --domain-filter=apps.undercloud.dev
- --domain-filter=undercloud.dev
- --policy=sync
- --registry=txt
#- --managed-record-types=A,CNAME,TXT,AAAA
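Review bot: With `--domain-filter=undercloud.dev` this external-dns instance now ignores the hosts the same commit introduces, e.g. `code-server.undercloud.cf` in code-server/ingress.yaml and the `*.undercloud.cf` links in the Homer config, so those records will not be created unless another instance or manual DNS covers the `.cf` zone. Widening the filter from `apps.undercloud.dev` to the apex also puts every record under `undercloud.dev` in scope of `--policy=sync`; with `--registry=txt` only records carrying this instance's ownership TXT are touched, so confirm `--txt-owner-id` is set (it would be outside this hunk) before rolling this out. The args list continues outside the hunk.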

BIN
homer/.DS_Store vendored Normal file


10
homer/README.md Normal file

@@ -0,0 +1,10 @@
# Homer
## Home Screen Link collection
add proper icons
and try to load them remotely from gitea.undercloud.cf
improvements:
metrics
liveness probes
resource limits

564
homer/configmaps.yaml Normal file

@@ -0,0 +1,564 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: config
namespace: homer
data:
# file-like keys
config.yml: |
---
# Homepage configuration
# See https://fontawesome.com/v5/search for icons options
title: "Undercloud Dashboard"
subtitle: "undercloud"
logo: "guild-logo.png"
# icon: "fas fa-skull-crossbones" # Optional icon
header: true
#footer: '<p>Created with <span class="has-text-danger">❤️</span> with <a href="https://bulma.io/">bulma</a>, <a href="https://vuejs.org/">vuejs</a> & <a href="https://fontawesome.com/">font awesome</a> // Fork me on <a href="https://github.com/bastienwirtz/homer"><i class="fab fa-github-alt"></i></a></p>' # set false if you want to hide it.
footer: false
# Optional theme customization
theme: default
colors:
light:
highlight-primary: "#3367d6"
highlight-secondary: "#4285f4"
highlight-hover: "#5a95f5"
background: "#f5f5f5"
card-background: "#ffffff"
text: "#363636"
text-header: "#ffffff"
text-title: "#303030"
text-subtitle: "#424242"
card-shadow: rgba(0, 0, 0, 0.1)
link: "#3273dc"
link-hover: "#363636"
background-image: "../assets/logos/wallpaper.jpg"
dark:
highlight-primary: "#3367d6"
highlight-secondary: "#4285f4"
highlight-hover: "#5a95f5"
background: "#131313"
card-background: "#2b2b2b"
text: "#eaeaea"
text-header: "#ffffff"
text-title: "#fafafa"
text-subtitle: "#f5f5f5"
card-shadow: rgba(0, 0, 0, 0.4)
link: "#3273dc"
link-hover: "#ffdd57"
background-image: "../assets/logos/wallpaper.jpg"
# Optional message
message:
url: https://homer.undercloud.cf
style: "is-dark" # See https://bulma.io/documentation/components/message/#colors for styling options.
title: "Welcome"
#icon: "fa fa-grin"
content: "Welcome to the Undercloud Dashboard. <br /> A comprehensive link collection of all Webapps in the Undercloud Network"
# Optional navbar
# links: [] # Allows for navbar (dark mode, layout, and search) without any links
links:
- name: "Contribute"
icon: "fab fa-github"
url: "https://github.com/bastienwirtz/homer"
target: "_blank" # optional html a tag target attribute
- name: "Wiki"
icon: "fas fa-book"
url: "https://bookstack.undercloud.cf/"
# this will link to a second homer page that will load config from additional-page.yml and keep default config values as in config.yml file
# see url field and assets/additional-page.yml.dist used in this example:
#- name: "another page!"
# icon: "fas fa-file-alt"
# url: "#additional-page"
# Services
# First level array represent a group.
# Leave only a "items" key if not using group (group name, icon & tagstyle are optional, section separation will not be displayed).
services:
- name: "Network"
icon: "fas fa-cloud"
items:
- name: "SophosXG"
logo: "assets/logos/sophos.png"
subtitle: "Admin Webinterface"
tag: "app"
keywords: "firewall xg admin"
url: "https://firewall-admin.undercloud.cf"
#target: "_blank" # optional html a tag target attribute
- name: "SophosXG"
logo: "assets/logos/userportal.png"
subtitle: "Userportal"
tag: "firewall xg user userportal"
url: "https://firewall-userportal.undercloud.cf"
- name: "Coreswitch"
logo: "assets/logos/mikrotik.png"
subtitle: "mikrotik main switch"
tag: "switch"
url: "http://coreswitch.admin.undercloud.cf"
- name: "lancom"
logo: "assets/logos/lancom.png"
subtitle: "lancom-router"
tag: "switch"
url: "http://10.0.0.1"
- name: "Aux1"
logo: "assets/logos/unifi.png"
subtitle: "Unifi"
tag: "unifi"
keywords: "unifi aux aux1"
url: "https://aux1-unifi.undercloud.cf"
#target: "_blank" # optional html a tag target attribute
- name: "Aux2"
logo: "assets/logos/unifi.png"
subtitle: "Unifi"
tag: "unifi"
keywords: "unifi aux aux2"
url: "https://aux2-unifi.undercloud.cf"
#target: "_blank" # optional html a tag target attribute
- name: "Aux"
icon: "fas fa-cloud"
items:
- name: "Aux1"
logo: "assets/logos/cockpit.png"
subtitle: "Cockpit"
tag: "cockpit"
keywords: "cockpit aux aux1"
url: "https://aux1-cockpit.undercloud.cf"
#target: "_blank" # optional html a tag target attribute
- name: "Aux1"
logo: "assets/logos/gitea.png"
subtitle: "gitea (internal only)"
tag: "gitea"
keywords: "gitea aux aux1"
#url: "http://aux1.undercloud.cf.:3000"
url: "http://aux1:3000"
#target: "_blank" # optional html a tag target attribute
- name: "Aux1"
logo: "assets/logos/portainer.png"
subtitle: "Portainer"
tag: "portainer"
keywords: "portainer aux aux1"
url: "https://aux1-portainer.undercloud.cf"
#target: "_blank" # optional html a tag target attribute
- name: "Aux1"
logo: "assets/logos/unifi.png"
subtitle: "Unifi"
tag: "unifi"
keywords: "unifi aux aux1"
url: "https://aux1-unifi.undercloud.cf"
#target: "_blank" # optional html a tag target attribute
- name: "Aux1"
logo: "assets/logos/minio.png"
subtitle: "Minio"
tag: "minio"
keywords: "minio backup s3"
url: "https://aux1.undercloud.cf:9001"
#target: "_blank" # optional html a tag target attribute
- name: "Aux2"
logo: "assets/logos/cockpit.png"
subtitle: "Cockpit"
tag: "cockpit"
keywords: "cockpit aux aux2"
url: "https://aux2-cockpit.undercloud.cf"
#target: "_blank" # optional html a tag target attribute
- name: "Aux2"
logo: "assets/logos/gitea.png"
subtitle: "gitea (internal only)"
tag: "gitea"
keywords: "gitea aux aux2"
#url: "http://aux2.undercloud.cf.:3000"
url: "http://aux2:3000"
#target: "_blank" # optional html a tag target attribute
- name: "Aux2"
logo: "assets/logos/portainer.png"
subtitle: "Portainer"
tag: "portainer"
keywords: "portainer aux aux2"
url: "https://aux2-portainer.undercloud.cf"
#target: "_blank" # optional html a tag target attribute
- name: "Aux2"
logo: "assets/logos/unifi.png"
subtitle: "Unifi"
tag: "unifi"
keywords: "unifi aux aux2"
url: "https://aux2-unifi.undercloud.cf"
#target: "_blank" # optional html a tag target attribute
- name: "Aux2"
logo: "assets/logos/minio.png"
subtitle: "Minio"
tag: "minio"
keywords: "minio backup s3"
url: "https://aux2.undercloud.cf:9001"
#target: "_blank" # optional html a tag target attribute
- name: "Kubernetes"
icon: "fas fa-cloud"
items:
- name: "ArgoCD"
logo: "assets/logos/argocd.png"
subtitle: "Argocd"
tag: "argocd"
keywords: "kubernetes argocd"
url: "https://argocd.undercloud.cf"
- name: "Kubernetes Dashboard"
logo: "assets/logos/kubernetes.png"
subtitle: "kubernetes - dashboard"
tag: "kubernetes"
keywords: "kubernetes dashbaord"
url: "https://kubernetes-dashboard.undercloud.cf"
- name: "Portainer"
logo: "assets/logos/portainer.png"
subtitle: "portainer - kubernetes"
tag: "portainer"
keywords: "portainer"
url: "https://portainer.undercloud.cf"
- name: "Kubevirt"
logo: "assets/logos/kubevirt.png"
subtitle: "virtual Machines"
tag: "kubevirt"
keywords: "kubevirt virtual machines"
url: "https://kubevirt.undercloud.cf"
- name: "Apps"
icon: "fas fa-cloud"
items:
- name: "Gitea"
logo: "assets/logos/gitea.png"
subtitle: "git"
tag: "gitea"
keywords: "kubernetes gitea"
url: "https://gitea.undercloud.cf"
- name: "code-server"
logo: "assets/logos/code-server.png"
subtitle: "web ide"
tag: "code-server"
keywords: "kubernetes code-server"
url: "https://code-server.undercloud.cf"
- name: "vaultwarden"
logo: "assets/logos/vaultwarden.png"
subtitle: "password manager (bitwarden)"
tag: "vaultwarden"
keywords: "vaultwarden bitwarden password"
url: "https://vaultwarden.undercloud.cf"
- name: "pihole"
logo: "assets/logos/pihole.png"
subtitle: "pihole admin"
tag: "pihole"
keywords: "pihole dns"
url: "https://pihole.undercloud.cf/admin"
- name: "LDAP"
logo: "assets/logos/phpldapadmin.png"
subtitle: "phpldapadmin"
tag: "ldap"
keywords: "ldap phpldapadmin"
url: "https://phpldapadmin.undercloud.cf"
- name: "Bookstack"
logo: "assets/logos/bookstack.png"
subtitle: "wiki"
tag: "wiki"
keywords: "bookstack wiki"
url: "https://bookstack.undercloud.cf"
- name: "Nextcloud"
logo: "assets/logos/nextcloud.png"
subtitle: "nextcloud"
tag: "nextcloud"
keywords: "nextcloud owncloud"
url: "https://nextcloud.undercloud.cf"
- name: "Fileserver"
logo: "assets/logos/filebrowser.png"
subtitle: "filebrowser"
tag: "fileserver"
keywords: "filebrowser fileserver files"
url: "https://fileserver.undercloud.cf"
- name: "Jellyfin"
logo: "assets/logos/jellyfin.png"
subtitle: "jellyfin"
tag: "jellyfin"
keywords: "jellyfin movies music"
url: "https://jellyfin.undercloud.cf"
- name: "Website"
logo: "assets/logos/wordpress.png"
subtitle: "wordpress"
tag: "wordpress"
keywords: "wordpress website blog"
url: "https://wordpress.undercloud.cf"
- name: "Forum"
logo: "assets/logos/phpbb.png"
subtitle: "phpbb"
tag: "forum"
keywords: "forum phpbb"
url: "https://forum.undercloud.cf"
- name: "Paperless"
logo: "assets/logos/paperless.png"
subtitle: "documents"
tag: "paperless"
keywords: "paperless documents scan"
url: "https://paperless.undercloud.cf"
- name: "OpenHAB"
logo: "assets/logos/openhab.png"
subtitle: "home automation"
tag: "openhab"
keywords: "openhab home automation"
url: "https://openhab.undercloud.cf"
- name: "Netbox"
logo: "assets/logos/netbox.png"
subtitle: "IP Address Management"
tag: "netbox"
keywords: "ip address"
url: "https://netbox.undercloud.cf"
- name: "Keycloak"
logo: "assets/logos/keycloak.png"
subtitle: "Sigle Sign On"
tag: "keycloak"
keywords: "single sign on sso keycloak"
url: "https://keycloak.undercloud.cf"
- name: "Emulator"
logo: "assets/logos/emulatorjs.png"
subtitle: "emulatorjs"
tag: "emulatorjs"
keywords: "emulator"
url: "https://emulator.undercloud.cf"
- name: "Emulator Backend"
logo: "assets/logos/emulatorjs.png"
subtitle: "backend"
tag: "emulatorjs"
keywords: "emulator"
url: "https://emulator-backend.undercloud.cf"
- name: "MStream"
logo: "assets/logos/mstream.png"
subtitle: "music streaming"
tag: "mstream"
keywords: "mstream music streaming"
url: "https://mstream.undercloud.cf"
- name: "Wekan"
logo: "assets/logos/wekan.png"
subtitle: "Kanban Board"
tag: "kanban"
keywords: "kanban"
url: "https://kanban.undercloud.cf"
- name: "Rally"
logo: "assets/logos/doodle.png"
subtitle: "find Appointments"
tag: "rally"
keywords: "doodle rally termine appointments"
url: "https://rally.undercloud.cf"
- name: "Communication"
icon: "fas fa-cloud"
items:
- name: "matrix"
logo: "assets/logos/matrix.png"
subtitle: "matrix server"
tag: "matrix"
keywords: "matrix synapse server"
url: "https://matrix.undercloud.cf"
- name: "element"
logo: "assets/logos/element.png"
subtitle: "matrix client"
tag: "element"
keywords: "matrix element server"
url: "https://element.undercloud.cf"
- name: "Jitsi"
logo: "assets/logos/jitsi.png"
subtitle: "video conferencing"
tag: "jitsi"
keywords: "jitsi video conference telephony"
url: "https://jitsi.undercloud.cf"
- name: "Roundcube"
logo: "assets/logos/roundcube.png"
subtitle: "webmail"
tag: "webmail"
keywords: "webmail mail"
url: "https://roundcube.undercloud.cf"
- name: "Autodiscover"
logo: "assets/logos/roundcube.png"
subtitle: "Support Page"
tag: "mail"
keywords: "webmail mail"
url: "https://autodiscover.undercloud.cf"
- name: "Remote"
icon: "fas fa-cloud"
items:
- name: "Warpgate"
logo: "assets/logos/ssh.png"
subtitle: "ssh gateway"
tag: "ssh"
keywords: "ssh warpgate gateway"
url: "https://warpgate.undercloud.cf"
- name: "wetty"
logo: "assets/logos/ssh.png"
subtitle: "http ssh client"
tag: "ssh"
keywords: "ssh wetty gateway"
url: "https://wetty.undercloud.cf"
- name: "Bastillion"
logo: "assets/logos/bastillion.png"
subtitle: "http ssh client"
tag: "ssh"
keywords: "ssh bastillion gateway"
url: "https://bastillion.undercloud.cf"
- name: "Guacamole"
logo: "assets/logos/guacamole.png"
subtitle: "RDP, VNC, SSH"
tag: "guacamole"
keywords: "ssh guacamole rdp vnc gateway"
url: "https://guacamole.undercloud.cf"
- name: "Monitoring"
icon: "fas fa-cloud"
items:
- name: "Prometheus"
logo: "assets/logos/prometheus.png"
subtitle: "prometheus"
tag: "prometheus"
keywords: "prometheus monitoring"
url: "https://prometheus.undercloud.cf"
- name: "Grafana"
logo: "assets/logos/grafana.png"
subtitle: "grafana"
tag: "grafana"
keywords: "grafana monitoring"
url: "https://grafana.undercloud.cf"
- name: "Alert Manager"
logo: "assets/logos/alertmanager.png"
subtitle: "alertmanager"
tag: "alertmanager"
keywords: "alertmanager monitoring"
url: "https://alertmanager.undercloud.cf"
- name: "Kibana"
logo: "assets/logos/kibana.png"
subtitle: "kibana"
tag: "kibana"
keywords: "kibana logging monitoring"
url: "https://kibana.undercloud.cf"
- name: "Test"
icon: "fas fa-cloud"
items:
- name: "Demo"
logo: "assets/logos/demo.png"
subtitle: "test ngnix"
tag: "nginx"
keywords: "kubernetes nginx demo"
url: "https://demo.undercloud.cf"
- name: "kuard"
logo: "assets/logos/app.png"
subtitle: "browser test (v6 only it seems)"
tag: "kuard"
keywords: "kubernetes kuard"
url: "https://kuard.undercloud.cf"
- name: "Smokeping"
logo: "assets/logos/smokeping.png"
subtitle: "ping"
tag: "smokeping"
keywords: "ping smokeping"
url: "https://smokeping.undercloud.cf/smokeping/smokeping.cgi"
- name: "Storage"
icon: "fas fa-cloud"
items:
- name: "Rook-Ceph"
logo: "assets/logos/ceph.png"
subtitle: "rook ceph dashboard"
tag: "rook-ceph"
keywords: "kubernetes rook rook-ceph ceph"
url: "https://ceph.undercloud.cf"
- name: "External Links"
icon: "fas fa-cloud"
items:
- name: "Google Mail"
logo: "assets/logos/gmail.png"
subtitle: "webmail"
tag: "google"
keywords: "mail gmail google webmail"
url: "https://mail.google.com/"
- name: "Google Drive"
logo: "assets/logos/drive.png"
subtitle: "web storage by google"
tag: "google"
keywords: "google drive"
url: "https://drive.google.com/drive/my-drive"
- name: "Freenom"
logo: "assets/logos/freenom.png"
subtitle: "DNS Registrar (undercloud.cf)"
tag: "dns"
keywords: "dns regostrar"
url: "https://www.freenom.com/"
- name: "Tunnelbroker"
logo: "assets/logos/he.png"
subtitle: "6in4 Tunnel from Hurricane Electric"
tag: "tunnelbroker"
keywords: "ipv6 tunnelbroker"
url: "https://tunnelbroker.net/"
- name: "Hurricane Electric DNS"
logo: "assets/logos/he.png"
subtitle: "free DNS Service"
tag: "dns"
keywords: "he dns"
url: "https://dns.he.net/"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: startup
namespace: homer
data:
startup.sh: |
#!/bin/sh
echo "startup..."
mkdir -p /www/assets/logos
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/alertmanager.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/app.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/argocd.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/bgsound.jpg
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/ceph.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/cockpit.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/code-server.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/demo.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/drive.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/freenom.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/gitea.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/gmail.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/grafana.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/he.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/kubernetes.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/lancom.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/mikrotik.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/phpldapadmin.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/pihole.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/portainer.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/prometheus.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/roundcube.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/snappymail.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/ssh.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/unifi.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/userportal.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/vaultwarden.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/kibana.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/guacamole.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/bastillion.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/sophos.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/bookstack.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/nextcloud.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/funkwhale.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/filebrowser.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/jellyfin.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/wordpress.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/phpbb.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/matrix.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/element.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/jitsi.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/openhab.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/paperless.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/netbox.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/keycloak.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/emulatorjs.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/smokeping.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/mstream.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/kubevirt.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/doodle.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/wekan.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/rally.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/minio.png
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/wallpaper.jpg
wget -c -P /www/assets/logos --no-parent http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer/guild-logo.png
echo "startup done."
#exit 123
---
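Review bot: The startup.sh block is fifty-odd near-identical `wget` lines that differ only in the file name, which hides the one thing worth reviewing: every logo and the wallpaper are pulled from `http://aux-balancer.undercloud.cf:3000` over plain http with no integrity check, and a failed download is silently ignored, so the dashboard renders whatever the balancer answered. A loop over a name list with one base URL and a failure counter makes the source and the error handling visible in one place; serving the assets over https, or shipping them in the image or on the `assets` PVC, removes the transport exposure. In `config.yml`, `http://coreswitch.admin.undercloud.cf` and `http://10.0.0.1` link to network-admin interfaces over plain http; prefer the https URL where the device offers TLS. Minor: `dashbaord`, `regostrar` and `Sigle Sign On` are typos in user-visible dashboard text.
```yaml
# … unchanged: config ConfigMap and the startup ConfigMap header …
  startup.sh: |
    #!/bin/sh
    set -u
    echo "startup..."
    base="http://aux-balancer.undercloud.cf:3000/undercloud/assets/raw/branch/main/homer"
    dest="/www/assets/logos"
    mkdir -p "$dest"
    failed=0
    for f in \
        alertmanager.png app.png argocd.png bgsound.jpg ceph.png cockpit.png \
        code-server.png demo.png drive.png freenom.png gitea.png gmail.png \
        grafana.png he.png kubernetes.png lancom.png mikrotik.png phpldapadmin.png \
        pihole.png portainer.png prometheus.png roundcube.png snappymail.png ssh.png \
        unifi.png userportal.png vaultwarden.png kibana.png guacamole.png bastillion.png \
        sophos.png bookstack.png nextcloud.png funkwhale.png filebrowser.png jellyfin.png \
        wordpress.png phpbb.png matrix.png element.png jitsi.png openhab.png \
        paperless.png netbox.png keycloak.png emulatorjs.png smokeping.png mstream.png \
        kubevirt.png doodle.png wekan.png rally.png minio.png wallpaper.jpg guild-logo.png; do
      wget -c -P "$dest" --no-parent "$base/$f" || failed=$((failed + 1))
    done
    echo "startup done. ($failed download(s) failed)"
```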

42
homer/filesystem.yaml Normal file

@@ -0,0 +1,42 @@
apiVersion: ceph.rook.io/v1
kind: CephFilesystem
metadata:
name: homer
namespace: rook-ceph
spec:
metadataPool:
failureDomain: host
replicated:
size: 3
dataPools:
- name: replicated
failureDomain: host
replicated:
size: 3
preserveFilesystemOnDelete: false
metadataServer:
activeCount: 1
activeStandby: true
placement:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: role
# operator: In
# values:
# - mds-node
tolerations:
- key: node-role.kubernetes.io/storage-node
operator: Exists
effect: NoSchedule
# podAffinity:
# podAntiAffinity:
# topologySpreadConstraints:
#resources:
# limits:
# cpu: "80m"
# memory: "1024Mi"
# requests:
# cpu: "500m"
# memory: "1024Mi"

129
homer/homer.yaml Normal file

@@ -0,0 +1,129 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: homer
# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
provisioner: rook-ceph.cephfs.csi.ceph.com
parameters:
# clusterID is the namespace where the rook cluster is running
# If you change this namespace, also change the namespace below where the secret namespaces are defined
clusterID: rook-ceph
# CephFS filesystem name into which the volume shall be created
fsName: homer
# Ceph pool into which the volume shall be created
# Required for provisionVolume: "true"
pool: homer-replicated
# The secrets contain Ceph admin credentials. These are generated automatically by the operator
# in the same namespace as the cluster.
csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
reclaimPolicy: Delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: assets
namespace: homer
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 64M
storageClassName: homer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: homer
namespace: homer
labels:
app: homer
spec:
replicas: 1
selector:
matchLabels:
app: homer
template:
metadata:
labels:
app: homer
spec:
dnsConfig:
options:
- name: ndots
value: "1"
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
initContainers:
- name: copy-assets
image: b4bz/homer:v23.02.2
command: ['/bin/startup.sh']
volumeMounts:
- mountPath: /www/assets
name: assets
- mountPath: /bin/startup.sh
name: startup
subPath: startup.sh
containers:
- name: homer
image: b4bz/homer:latest
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8080
volumeMounts:
- mountPath: /www/assets/config.yml
name: assets-config
subPath: config.yml
- mountPath: /www/assets
name: assets
volumes:
- name: assets-config
configMap:
name: config
defaultMode: 0700
items:
- key: "config.yml"
path: "config.yml"
- name: startup
configMap:
name: startup
defaultMode: 0700
items:
- key: "startup.sh"
path: "startup.sh"
- name: assets
persistentVolumeClaim:
claimName: assets
readOnly: false
---
apiVersion: v1
kind: Service
metadata:
name: homer
namespace: homer
spec:
ipFamilies:
- IPv4
#- IPv4
#ipFamilyPolicy: PreferDualStack
ipFamilyPolicy: SingleStack
ports:
- name: http
port: 80
protocol: TCP
targetPort: 8080
selector:
app: homer
sessionAffinity: None
type: ClusterIP
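Review bot: The main container runs `image: b4bz/homer:latest` with `imagePullPolicy: IfNotPresent` while the init container pins `b4bz/homer:v23.02.2`, so the two stages of one pod can come from different releases and each node keeps whatever `latest` it happened to cache; pin the main container to the same tag or a digest so upgrades are deliberate and reproducible. The init container's `startup.sh` (presumably the `startup` ConfigMap whose tail is visible at the top of this page) fills the assets PVC with wget fetches over plain http, so the served logos depend on an unauthenticated in-cluster download; if that is acceptable, an https source or a checksum check after download would at least make tampering detectable. The pod sets `runAsUser`/`fsGroup` but neither container has a container-level `securityContext` (`allowPrivilegeEscalation: false`, `capabilities.drop: [ALL]`, `readOnlyRootFilesystem`) nor resource requests/limits.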

84
homer/ingress.yaml Normal file

@@ -0,0 +1,84 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: homer
namespace: homer
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt
spec:
tls:
- hosts:
- homer.undercloud.cf
secretName: homer-tls
rules:
- host: homer.undercloud.cf
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: homer
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: www
namespace: homer
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt
spec:
tls:
- hosts:
- www.undercloud.cf
secretName: www-tls
rules:
- host: www.undercloud.cf
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: homer
port:
number: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: rooturl
namespace: homer
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt
spec:
tls:
- hosts:
- undercloud.cf
secretName: rooturl-tls
rules:
- host: undercloud.cf
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: homer
port:
number: 80
- path: /.well-known/matrix/server
pathType: Prefix
backend:
service:
name: nginx
port:
number: 80
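Review bot: The `rooturl` Ingress routes only `/.well-known/matrix/server` to the nginx Service, but nginx.yaml also mounts a `/.well-known/matrix/client` document, so requests for the client discovery file on undercloud.cf fall through to the `/` rule and are answered by homer; if that document is meant to be served, add `- path: /.well-known/matrix/client` with the same `nginx` backend. All three Ingresses here (and phpldapadmin in openldap/ingress.yaml) select the controller through the `kubernetes.io/ingress.class` annotation, which is documented as deprecated for `networking.k8s.io/v1`; the supported form is `spec.ingressClassName: nginx`. openldap/ingress.yaml additionally ends with a `---` followed by a fully commented-out document, which kubectl skips as empty but some validators reject.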

4
homer/namespace.yaml Normal file

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: homer

98
homer/nginx.yaml Normal file

@@ -0,0 +1,98 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: well-known
namespace: homer
data:
server: |
{
"m.server": "matrix.undercloud.cf:443"
}
client: |
{
"m.homeserver": {
"base_url": "https://matrix.undercloud.cf",
"server_name": "undercloud.cf"
},
"m.identity_server": {
"base_url": "https://vector.im"
}
}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx
namespace: homer
labels:
app: nginx
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
annotations:
#backup.velero.io/backup-volumes: html
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx
imagePullPolicy: IfNotPresent
ports:
- containerPort: 443
- containerPort: 80
env:
- name: PUID
value: "1000"
- name: PGID
value: "1000"
volumeMounts:
- mountPath: /usr/share/nginx/html/.well-known/matrix/server
name: well-known
subPath: server
- mountPath: /usr/share/nginx/html/.well-known/matrix/client
name: well-known-client
subPath: server
volumes:
- name: well-known
configMap:
name: well-known
items:
- key: "server"
path: "server"
- name: well-known-client
configMap:
name: well-known
items:
- key: "client"
path: "client"
---
apiVersion: v1
kind: Service
metadata:
name: nginx
namespace: homer
spec:
internalTrafficPolicy: Cluster
ipFamilies:
- IPv6
- IPv4
ipFamilyPolicy: PreferDualStack
#ipFamilyPolicy: SingleStack
ports:
- name: https
port: 443
protocol: TCP
targetPort: 443
- name: http
port: 80
protocol: TCP
targetPort: 80
selector:
app: nginx
#sessionAffinity: None
type: ClusterIP
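Review bot: The `well-known-client` mount uses `subPath: server`, but that volume projects only the `client` key (`path: "client"`), so `/usr/share/nginx/html/.well-known/matrix/client` will not contain the client discovery document; it should be `subPath: client`. `image: nginx` carries no tag or digest, so each node may run a different nginx build and a registry-side change is picked up silently on the next pull; pin it. The container also declares port 443 and the Service exposes an `https` port, yet no nginx configuration or certificate is mounted, so that port will presumably only produce connection failures; either drop 443 here or mount a TLS server block and certificate.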

BIN
openldap/.DS_Store vendored Normal file


19
openldap/README.md Normal file

@@ -0,0 +1,19 @@
# openldap
## directory server
the traffic is proxied by the ingress controller
there is a config map in place ingress-nginx/tcp-services
see:
https://kubernetes.github.io/ingress-nginx/user-guide/exposing-tcp-udp-services/
the traffic is still secured in the pod with a cert from cert manager
looks like nested groups are not possible
improvements:
proper lets encrypt cert
demand encryption
sophosxg firewall user
metrics
liveness probes
resource limits


@@ -0,0 +1,39 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: ca
namespace: openldap
data:
# file-like keys
ca.crt: |
-----BEGIN CERTIFICATE-----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=
-----END CERTIFICATE-----


@@ -0,0 +1,69 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ldap
namespace: openldap
spec:
# Secret names are always required.
secretName: openldap-tls
duration: 2160h0m0s # 90d
renewBefore: 360h0m0s # 15d
subject:
organizations:
- undercloud
# The use of the common name field has been deprecated since 2000 and is
# discouraged from being used.
commonName: ldap.undercloud.cf
#isCA: false
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
usages:
- server auth
- client auth
# At least one of a DNS Name, URI, or IP address is required.
dnsNames:
- ldap.undercloud.cf
#- ldap.openldap.svc.k8aux.undercloud.cf
#ipAddresses:
# - 192.168.0.5
# Issuer references are always required.
issuerRef:
name: ca
# We can reference ClusterIssuers by changing the kind here.
# The default value is Issuer (i.e. a locally namespaced Issuer)
kind: ClusterIssuer
# This is optional since cert-manager will default to this value however
# if you are using an external issuer, change this to that issuer group.
#group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: phpldapadmin
namespace: openldap
spec:
# Secret names are always required.
secretName: phpldapadmin-tls
duration: 2160h0m0s # 90d
renewBefore: 360h0m0s # 15d
subject:
organizations:
- undercloud
commonName: phpldapadmin.openldap.svc.k8aux.undercloud.cf
#isCA: false
privateKey:
algorithm: RSA
encoding: PKCS1
size: 2048
usages:
- server auth
- client auth
dnsNames:
- phpldapadmin.openldap.svc.k8aux.undercloud.cf
issuerRef:
name: ca
kind: ClusterIssuer

1779
openldap/configmaps.yaml Normal file

File diff suppressed because it is too large Load Diff

42
openldap/filesystem.yaml Normal file

@@ -0,0 +1,42 @@
apiVersion: ceph.rook.io/v1
kind: CephFilesystem
metadata:
name: openldap
namespace: rook-ceph
spec:
metadataPool:
failureDomain: host
replicated:
size: 3
dataPools:
- name: replicated
failureDomain: host
replicated:
size: 3
preserveFilesystemOnDelete: false
metadataServer:
activeCount: 1
activeStandby: true
placement:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: role
# operator: In
# values:
# - mds-node
tolerations:
- key: node-role.kubernetes.io/storage-node
operator: Exists
effect: NoSchedule
# podAffinity:
# podAntiAffinity:
# topologySpreadConstraints:
#resources:
# limits:
# cpu: "80m"
# memory: "1024Mi"
# requests:
# cpu: "500m"
# memory: "1024Mi"

45
openldap/ingress.yaml Normal file

@@ -0,0 +1,45 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: phpldapadmin
namespace: openldap
annotations:
kubernetes.io/ingress.class: nginx
cert-manager.io/cluster-issuer: letsencrypt
#nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
tls:
- hosts:
- phpldapadmin.undercloud.cf
secretName: phpldapadmin-tls
rules:
- host: phpldapadmin.undercloud.cf
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: phpldapadmin
port:
number: 80
---
#apiVersion: networking.k8s.io/v1
#kind: Ingress
#metadata:
# labels:
# app: openldap
# name: ldap
# namespace: openldap
# annotations:
# nginx.ingress.kubernetes.io/rewrite-target: /
# cert-manager.io/cluster-issuer: letsencrypt
# #acme.cert-manager.io/http01-edit-in-place: "true"
#spec:
# tls:
# - hosts:
# - ldap.undercloud.cf
# secretName: openldap-tls
# rules:
# - host: ldap.undercloud.cf

6
openldap/namespace.yaml Normal file

@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: openldap
labels:
undercloud.cf/cert: "ca"
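Review bot: Neither this Namespace nor homer/namespace.yaml carries Pod Security Admission labels, so the workloads in them run under the cluster's default profile; openldap.yaml and phpldapadmin.yaml both still contain commented-out `privileged: true` blocks, which suggests elevated rights were at least tried. Adding `pod-security.kubernetes.io/enforce: baseline` (or `restricted`, using `warn` and `audit` first to see what would break) next to the existing `undercloud.cf/cert` label documents the intended boundary and blocks a regression to privileged containers in this namespace.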

189
openldap/openldap.yaml Normal file

@@ -0,0 +1,189 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: openldap
# Change "rook-ceph" provisioner prefix to match the operator namespace if needed
provisioner: rook-ceph.cephfs.csi.ceph.com
parameters:
# clusterID is the namespace where the rook cluster is running
# If you change this namespace, also change the namespace below where the secret namespaces are defined
clusterID: rook-ceph
# CephFS filesystem name into which the volume shall be created
fsName: openldap
# Ceph pool into which the volume shall be created
# Required for provisionVolume: "true"
pool: openldap-replicated
# The secrets contain Ceph admin credentials. These are generated automatically by the operator
# in the same namespace as the cluster.
csi.storage.k8s.io/provisioner-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/provisioner-secret-namespace: rook-ceph
csi.storage.k8s.io/controller-expand-secret-name: rook-csi-cephfs-provisioner
csi.storage.k8s.io/controller-expand-secret-namespace: rook-ceph
csi.storage.k8s.io/node-stage-secret-name: rook-csi-cephfs-node
csi.storage.k8s.io/node-stage-secret-namespace: rook-ceph
reclaimPolicy: Delete
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: openldap
namespace: openldap
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 4G
storageClassName: openldap
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: openldap
namespace: openldap
labels:
app: openldap
spec:
replicas: 1
minReadySeconds: 10
selector:
matchLabels:
app: openldap
template:
metadata:
labels:
app: openldap
spec:
dnsConfig:
options:
- name: ndots
value: "1"
enableServiceLinks: false
containers:
- name: openldap
image: thrawn235/openldap
imagePullPolicy: IfNotPresent
#securityContext:
# privileged: true
args:
- "--copy-service"
#- "--loglevel debug"
ports:
- containerPort: 389
protocol: TCP
- containerPort: 636
protocol: TCP
livenessProbe:
tcpSocket:
port: 389
initialDelaySeconds: 20
periodSeconds: 10
failureThreshold: 10
readinessProbe:
tcpSocket:
port: 636
initialDelaySeconds: 20
periodSeconds: 10
failureThreshold: 10
env:
#- name: DNSMASQ_USER
# value: root
- name: LDAP_LOG_LEVEL
#value: "stats"
value: "768"
- name: LDAP_TLS_CIPHER_SUITE
value: "SECURE256:+SECURE128:+VERS-TLS1.2:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC"
- name: LDAP_ORGANISATION
value: "undercloud"
- name: LDAP_DOMAIN
value: "undercloud.cf"
- name: LDAP_RFC2307BIS_SCHEMA
value: "true"
- name: LDAP_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: admin
key: pw
- name: LDAP_CONFIG_PASSWORD
valueFrom:
secretKeyRef:
name: admin
key: pw
- name: LDAP_TLS_CRT_FILENAME
value: "tls.crt"
- name: LDAP_TLS_KEY_FILENAME
value: "tls.key"
- name: LDAP_TLS_VERIFY_CLIENT
value: "try"
#- name: LDAP_TLS_ENFORCE
# value: "true"
volumeMounts:
- mountPath: /var/lib/ldap
name: openldap
subPath: ldap
- mountPath: /etc/ldap/slapd.d
name: openldap
subPath: slapd
- name: ldif
mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom
- name: root-ca
mountPath: "/container/service/slapd/assets/certs/ca.crt"
subPath: trust-bundle.pem
- name: openldap-tls
mountPath: "/container/service/slapd/assets/certs/tls.crt"
subPath: tls.crt
- name: openldap-tls
mountPath: "/container/service/slapd/assets/certs/tls.key"
subPath: tls.key
volumes:
- name: openldap
persistentVolumeClaim:
claimName: openldap
readOnly: false
- name: ldif
configMap:
name: ldif
items:
- key: structure.ldif
path: structure.ldif
- name: openldap-tls
secret:
secretName: openldap-tls
- name: root-ca
configMap:
name: undercloud-ca-bundle
items:
- key: trust-bundle.pem
path: trust-bundle.pem
---
apiVersion: v1
kind: Service
metadata:
name: ldap
namespace: openldap
spec:
clusterIP: '2001:470:72f0:f:1::40'
clusterIPs:
- '2001:470:72f0:f:1::40'
- 10.0.91.40
ipFamilies:
- IPv6
- IPv4
ipFamilyPolicy: PreferDualStack
ports:
- name: ldap
port: 389
protocol: TCP
targetPort: 389
- name: ldaps
port: 636
protocol: TCP
targetPort: 636
selector:
app: openldap
#sessionAffinity: None
type: ClusterIP
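Review bot: With `LDAP_TLS_ENFORCE` commented out and `LDAP_TLS_VERIFY_CLIENT: "try"`, the server accepts simple binds over plain LDAP on 389, and the phpldapadmin profiles named `notls` in phpldapadmin.yaml do exactly that with the `cn=admin` bind DN, so the admin password crosses the cluster network unencrypted. The README lists "demand encryption" as a later improvement, but since the README also says this Service is exposed through the ingress controller's tcp-services, I would treat `LDAP_TLS_ENFORCE: "true"` (or at minimum removing the notls profiles) as part of this change rather than a follow-up. `LDAP_ADMIN_PASSWORD` and `LDAP_CONFIG_PASSWORD` both read `admin/pw`, so one credential administers both the directory and `cn=config`; a separate secret key for the config password limits what a leaked directory admin password can do. `image: thrawn235/openldap` has no tag or digest, so a pod rescheduled onto a node without the image may pull a different build; pin it the way the phpldapadmin image is pinned to `0.9.0`.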

212
openldap/phpldapadmin.yaml Normal file

@@ -0,0 +1,212 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: config
namespace: openldap
data:
# file-like keys
config.php: |
<?php
$config->custom->commands['cmd'] = array(
'entry_internal_attributes_show' => true,
'entry_refresh' => true,
'oslinks' => true,
'switch_template' => true
);
$config->custom->commands['script'] = array(
'add_attr_form' => true,
'add_oclass_form' => true,
'add_value_form' => true,
'collapse' => true,
'compare' => true,
'compare_form' => true,
'copy' => true,
'copy_form' => true,
'create' => true,
'create_confirm' => true,
'delete' => true,
'delete_attr' => true,
'delete_form' => true,
'draw_tree_node' => true,
'expand' => true,
'export' => true,
'export_form' => true,
'import' => true,
'import_form' => true,
'login' => true,
'logout' => true,
'login_form' => true,
'mass_delete' => true,
'mass_edit' => true,
'mass_update' => true,
'modify_member_form' => true,
'monitor' => true,
'purge_cache' => true,
'query_engine' => true,
'rename' => true,
'rename_form' => true,
'rdelete' => true,
'refresh' => true,
'schema' => true,
'server_info' => true,
'show_cache' => true,
'template_engine' => true,
'update_confirm' => true,
'update' => true
);
$servers = new Datastore();
$servers->newServer('ldap_pla');
$servers->setValue('server','name','ldap.undercloud.cf(config) - notls');
$servers->setValue('server','host','ldap.undercloud.cf.');
$servers->setValue('server','tls',false);
$servers->setValue('login','bind_id','cn=admin,dc=config');
//$servers->setValue('server','port',389);
$servers->setValue('server','base',array('cn=config','dc=cn=undercloud,cn=cf'));
$servers->newServer('ldap_pla');
$servers->setValue('server','name','ldap.undercloud.cf - notls');
$servers->setValue('server','host','ldap.undercloud.cf.');
$servers->setValue('server','tls',false);
$servers->setValue('login','bind_id','cn=admin,dc=undercloud,dc=cf');
//$servers->setValue('server','port',389);
//$servers->setValue('server','base',array('dc=undercloud,dc=cf'));
$servers->newServer('ldap_pla');
$servers->setValue('server','name','ldap.undercloud.cf - StartTLS');
$servers->setValue('server','host','ldap://ldap.undercloud.cf');
$servers->setValue('server','port',389);
$servers->setValue('server','tls',true);
$servers->setValue('login','bind_id','cn=admin,dc=undercloud,dc=cf');
$servers->newServer('ldap_pla');
$servers->setValue('server','name','ldap.undercloud.cf:636 - LDAPS');
$servers->setValue('server','host','ldaps://ldap.undercloud.cf:636');
#$servers->setValue('server','tls',true);
$servers->setValue('login','bind_id','cn=admin,dc=undercloud,dc=cf');
$servers->setValue('server','port',0);
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: phpldapadmin
namespace: openldap
labels:
app: phpldapadmin
spec:
replicas: 1
selector:
matchLabels:
app: phpldapadmin
template:
metadata:
labels:
app: phpldapadmin
spec:
dnsConfig:
options:
- name: ndots
value: "1"
#securityContext:
# runAsUser: 1000
# runAsGroup: 1000
# fsGroup: 1000
initContainers:
- name: copy-assets
image: osixia/phpldapadmin:0.9.0
imagePullPolicy: IfNotPresent
command: ['sh', '-c', "cp -f /config.php /container/service/phpldapadmin/assets/config"]
volumeMounts:
- mountPath: /config.php
name: config
subPath: config.php
- mountPath: /container/service/phpldapadmin/assets/config
name: config-dir
containers:
- name: phpldapadmin
image: osixia/phpldapadmin:0.9.0
imagePullPolicy: IfNotPresent
#securityContext:
# privileged: true
ports:
- containerPort: 80
protocol: TCP
args:
- "--copy-service"
env:
#- name: DNSMASQ_USER
# value: root
#- name: PHPLDAPADMIN_LDAP_HOSTS
# value: "#PYTHON2BASH:[{'ldap.openldap.svc.k8aux.undercloud.cf.': [{'server': [{'tls': False}]},{'login': [{'bind_id': 'cn=admin,dc=undercloud,dc=cf'}]}]}]"
- name: PHPLDAPADMIN_TRUST_PROXY_SSL
value: "true"
- name: PHPLDAPADMIN_HTTPS
value: "false"
- name: PHPLDAPADMIN_LDAP_CLIENT_TLS
value: "true"
- name: PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT
value: demand
- name: PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME
#/container/service/ldap-client/assets/certs/$PHPLDAPADMIN_LDAP_CLIENT_TLS_CA_CRT_FILENAME.
value: ldap-ca.crt
- name: PHPLDAPADMIN_LDAP_CLIENT_TLS_CRT_FILENAME
value: ldap-client.crt
- name: PHPLDAPADMIN_LDAP_CLIENT_TLS_KEY_FILENAME
value: ldap-client.key
volumeMounts:
- mountPath: /container/service/phpldapadmin/assets/config
name: config-dir
- name: root-ca
mountPath: "container/service/ldap-client/assets/certs/ldap-ca.crt"
subPath: trust-bundle.pem
- name: phpldapadmin-tls
mountPath: "container/service/ldap-client/assets/certs/ldap-client.crt"
subPath: tls.crt
- name: phpldapadmin-tls
mountPath: "container/service/ldap-client/assets/certs/ldap-client.key"
subPath: tls.key
volumes:
- name: config
configMap:
name: config
defaultMode: 0777
items:
- key: "config.php"
path: "config.php"
- name: config-dir
emptyDir:
sizeLimit: 16Mi
- name: root-ca
configMap:
name: undercloud-ca-bundle
items:
- key: trust-bundle.pem
path: trust-bundle.pem
- name: phpldapadmin-tls
secret:
secretName: phpldapadmin-tls
---
apiVersion: v1
kind: Service
metadata:
name: phpldapadmin
namespace: openldap
spec:
ipFamilies:
- IPv6
- IPv4
ipFamilyPolicy: PreferDualStack
#ipFamilyPolicy: SingleStack
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
selector:
app: phpldapadmin
#sessionAffinity: None
type: ClusterIP
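Review bot: The three ldap-client volumeMounts use relative paths (`container/service/ldap-client/assets/certs/...`, no leading slash), while the `PHPLDAPADMIN_LDAP_CLIENT_TLS_*` variables and the comment above them expect those files under `/container/service/ldap-client/assets/certs/`; depending on the API server version the pod is either rejected at validation or the CA bundle and client cert land somewhere else, in which case the StartTLS and LDAPS profiles will presumably fail verification under `PHPLDAPADMIN_LDAP_CLIENT_TLS_REQCERT: demand`. Prefix the three `mountPath` values with `/`. `defaultMode: 0777` on the config.php ConfigMap volume is broader than a file that is only copied by the init container needs; `0444` is sufficient. In config.php the base for the config server, `'dc=cn=undercloud,cn=cf'`, looks like a typo for `dc=undercloud,dc=cf` — worth checking, since a malformed base DN just leaves that tree unreadable in the UI.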

8
openldap/secrets.yaml Normal file

@@ -0,0 +1,8 @@
apiVersion: v1
kind: Secret
metadata:
name: admin
namespace: openldap
type: Opaque
data:
pw: NElzVGhlTWluZEtpbGxlcg==
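Review bot: `pw` is only base64-encoded, so the LDAP admin password — which openldap.yaml also uses as the `cn=config` password — is readable by anyone with access to this repository or its history. Treat the value as exposed and rotate it, and keep the manifest out of git in this form: encrypt it with SOPS or SealedSecrets, or source it from an external secrets store, and add the plaintext `secrets.yaml` to the ignore list if it has to exist locally.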