v1.0.4
parent
81b3f9b324
commit
e004e99884
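--- a/tasks/grafana.yaml
+++ b/tasks/grafana.yaml
@@ -0,0 +1,193 @@
+---
+# tasks file for grafana
+- name: Create Grafana namespace
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Namespace
+      metadata:
+        name: grafana
+
+- name: Create PVC for MySQL
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: PersistentVolumeClaim
+      metadata:
+        name: mysql
+        namespace: grafana
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 64Gi
+
+- name: Create Deployment for MySQL
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Deployment
+      metadata:
+        name: mysql
+        namespace: grafana
+        labels:
+          app: mysql
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: mysql
+        template:
+          metadata:
+            labels:
+              app: mysql
+          spec:
+            containers:
+              - name: mysql
+                image: mysql
+                volumeMounts:
+                  - name: data
+                    mountPath: /var/lib/mysql
+                ports:
+                  - containerPort: 3306
+                env:
+                  - name: MYSQL_ROOT_PASSWORD
+                    value: "{{ mysql_root_password }}"
+                  - name: MYSQL_DATABASE
+                    value: grafana
+                  - name: MYSQL_USER
+                    value: grafana
+                  - name: MYSQL_PASSWORD
+                    value: "{{ grafana_mysql_password }}"
+            volumes:
+              - name: data
+                persistentVolumeClaim:
+                  claimName: mysql
+
+- name: Create Service for MySQL
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: mysql
+        namespace: grafana
+      spec:
+        selector:
+          app: mysql
+        ports:
+          - port: 3306
+            name: mysql
+        type: ClusterIP
+
+- name: Create a config map for grafana
+  k8s:
+    state: present
+    api_version: v1
+    kind: ConfigMap
+    name: grafana
+    namespace: grafana
+    definition:
+      data:
+        ldap.toml: "{{ lookup('template', 'ldap.toml.j2') }}"
+
+- name: Create Deployment for Grafana
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Deployment
+      metadata:
+        name: grafana
+        namespace: grafana
+        labels:
+          app: grafana
+      spec:
+        replicas: 1
+        selector:
+          matchLabels:
+            app: grafana
+        template:
+          metadata:
+            labels:
+              app: grafana
+          spec:
+            containers:
+              - name: grafana
+                image: grafana/grafana
+                ports:
+                  - containerPort: 3000
+                env:
+                  - name: GF_DATABASE_TYPE
+                    value: mysql
+                  - name: GF_DATABASE_HOST
+                    value: mysql
+                  - name: GF_DATABASE_USER
+                    value: grafana
+                  - name: GF_DATABASE_PASSWORD
+                    value: "{{ grafana_mysql_password }}"
+                  - name: GF_AUTH_LDAP_ENABLED
+                    value: "true"
+                  - name: GF_AUTH_LDAP_CONFIG_FILE
+                    value: /etc/grafana/cm/ldap.toml
+                  - name: GF_AUTH_LDAP_ALLOW_SIGN_UP
+                    value: "true"
+                volumeMounts:
+                  - name: config
+                    mountPath: /etc/grafana/cm
+            volumes:
+              - name: config
+                configMap:
+                  name: grafana
+
+- name: Create Service for Grafana
+  k8s:
+    state: present
+    definition:
+      apiVersion: v1
+      kind: Service
+      metadata:
+        name: grafana
+        namespace: grafana
+      spec:
+        selector:
+          app: grafana
+        ports:
+          - port: 80
+            targetPort: 3000
+            name: grafana
+        type: ClusterIP
+
+- name: Create Ingress
+  k8s:
+    state: present
+    definition:
+      apiVersion: networking.k8s.io/v1
+      kind: Ingress
+      metadata:
+        annotations:
+          cert-manager.io/cluster-issuer: ca-issuer
+        name: grafana
+        namespace: grafana
+      spec:
+        ingressClassName: nginx
+        rules:
+          - host: grafana.eom.dev
+            http:
+              paths:
+                - pathType: Prefix
+                  path: /
+                  backend:
+                    service:
+                      name: grafana
+                      port:
+                        number: 80
+        tls:
+          - hosts:
+              - grafana.eom.dev
+            secretName: grafana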
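Review bot: The MySQL and Grafana credentials are injected as literal `env[].value` entries (`MYSQL_ROOT_PASSWORD`, `MYSQL_PASSWORD`, `GF_DATABASE_PASSWORD`), and the LDAP bind password reaches the pod through the `grafana` ConfigMap rendered from `ldap.toml.j2`, so anyone who can read Deployments or ConfigMaps in the namespace can read them. Put them in a Kubernetes Secret and reference it, e.g. `valueFrom: {secretKeyRef: {name: mysql, key: password}}` per variable (names constructed), and mount the rendered `ldap.toml` from a Secret volume instead of `configMap:`. Separately, both Deployments declare `apiVersion: v1` with `kind: Deployment`; the API server serves Deployments only under `apps/v1`, so the `k8s` task will fail to resolve the kind. The `mysql` and `grafana/grafana` images carry no tag, so each rollout pulls whatever `latest` is at that moment; pin a version (ideally a digest) so the deployment is reproducible.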
@ -1,32 +1,15 @@
|
||||
---
|
||||
# tasks file for influxdb
|
||||
- name: Create persistent volume for influxdb
|
||||
# tasks file for grafana
|
||||
- name: Create InfluxDB namespace
|
||||
k8s:
|
||||
state: present
|
||||
definition:
|
||||
apiVersion: v1
|
||||
kind: PersistentVolume
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: "eom-{{ target_namespace }}-influxdb"
|
||||
spec:
|
||||
capacity:
|
||||
storage: 32Gi
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
persistentVolumeReclaimPolicy: Retain
|
||||
storageClassName: standard
|
||||
hostPath:
|
||||
path: "/data/store-0/eom-{{ target_namespace }}/influxdb"
|
||||
nodeAffinity:
|
||||
required:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: kubernetes.io/hostname
|
||||
operator: In
|
||||
values:
|
||||
- alpha-worker-0
|
||||
name: influxdb
|
||||
|
||||
- name: Create a persistent volume claim for influxdb
|
||||
- name: Create PVC for InfluxDB
|
||||
k8s:
|
||||
state: present
|
||||
definition:
|
||||
@ -34,24 +17,25 @@
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: influxdb
|
||||
namespace: "eom-{{ target_namespace }}"
|
||||
namespace: influxdb
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteMany
|
||||
- ReadWriteOnce
|
||||
resources:
|
||||
requests:
|
||||
storage: 32Gi
|
||||
storageClassName: standard
|
||||
volumeName: "eom-{{ target_namespace }}-influxdb"
|
||||
storage: 128Gi
|
||||
|
||||
- name: Create a deployment
|
||||
- name: Create Deployment for InfluxDB
|
||||
k8s:
|
||||
state: present
|
||||
definition:
|
||||
apiVersion: v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: influxdb
|
||||
namespace: "eom-{{ target_namespace }}"
|
||||
namespace: influxdb
|
||||
labels:
|
||||
app: influxdb
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
@ -64,32 +48,75 @@
|
||||
spec:
|
||||
containers:
|
||||
- name: influxdb
|
||||
image: bitnami/influxdb
|
||||
image: influxdb
|
||||
env:
|
||||
- name: DOCKER_INFLUXDB_INIT_MODE
|
||||
value: setup
|
||||
- name: DOCKER_INFLUXDB_INIT_USERNAME
|
||||
value: influxdb
|
||||
- name: DOCKER_INFLUXDB_INIT_PASSWORD
|
||||
value: "{{ influxdb_admin_password }}"
|
||||
- name: DOCKER_INFLUXDB_INIT_ORG
|
||||
value: DevOps
|
||||
- name: DOCKER_INFLUXDB_INIT_BUCKET
|
||||
value: default
|
||||
- name: DOCKER_INFLUXDB_INIT_RETENTION
|
||||
value: 1w
|
||||
- name: DOCKER_INFLUXDB_INIT_ADMIN_TOKEN
|
||||
value: "{{ influxdb_admin_token }}"
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /var/lib/mysql
|
||||
mountPath: /var/lib/influxdb
|
||||
ports:
|
||||
- containerPort: 3306
|
||||
env:
|
||||
key: INFLUXDB_ADMIN_USER_PASSWORD
|
||||
value: "{{ influxdb_root_password }}"
|
||||
- containerPort: 8086
|
||||
volumes:
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: influxdb
|
||||
|
||||
- name: Expose deployment as a service
|
||||
- name: Create Service for InfluxDB
|
||||
k8s:
|
||||
state: present
|
||||
definition:
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: influxdb
|
||||
namespace: "eom-{{ target_namespace }}"
|
||||
namespace: influxdb
|
||||
spec:
|
||||
selector:
|
||||
app: influxdb
|
||||
ports:
|
||||
- port: 3306
|
||||
name: influxdb-3306
|
||||
- port: 80
|
||||
targetPort: 8086
|
||||
name: influxdb
|
||||
type: ClusterIP
|
||||
|
||||
- name: Create Ingress for InfluxDB
|
||||
k8s:
|
||||
state: present
|
||||
definition:
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: ca-issuer
|
||||
name: influxdb
|
||||
namespace: influxdb
|
||||
spec:
|
||||
ingressClassName: nginx
|
||||
rules:
|
||||
- host: influxdb.eom.dev
|
||||
http:
|
||||
paths:
|
||||
- pathType: Prefix
|
||||
path: /
|
||||
backend:
|
||||
service:
|
||||
name: influxdb
|
||||
port:
|
||||
number: 80
|
||||
tls:
|
||||
- hosts:
|
||||
- influxdb.eom.dev
|
||||
secretName: influxdb
|
||||
|
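Review bot: The data volume is mounted at `mountPath: /var/lib/influxdb`, but the `DOCKER_INFLUXDB_INIT_*` variables added next to it are honoured only by the 2.x image, which keeps its data under `/var/lib/influxdb2`; with the untagged `image: influxdb` resolving to 2.x the PVC sits empty and every pod restart re-runs setup on an ephemeral directory. Change it to `mountPath: /var/lib/influxdb2` and pin the image to a specific 2.x tag so the path and the init variables cannot drift apart. `DOCKER_INFLUXDB_INIT_PASSWORD` and `DOCKER_INFLUXDB_INIT_ADMIN_TOKEN` are also literal `env[].value` strings; the token is a long-lived all-access credential and belongs in a Secret referenced via `secretKeyRef`. The Ingress terminates TLS at nginx and forwards to the Service on port 80 over plain HTTP, which is fine in-cluster, but the same token will then also be sent unencrypted by any client that uses the Service directly.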
@ -103,9 +103,9 @@
|
||||
- name: LDAP_BIND_PW
|
||||
value: "{{ ldap_readonly_password }}"
|
||||
- name: LDAP_QUERY_FILTER_DOMAIN
|
||||
value: "(|(mail=*@%s)(mailAlias=*@%s)(mailGroupMember=*@%s))"
|
||||
value: "(mail=*@%s)"
|
||||
- name: LDAP_QUERY_FILTER_USER
|
||||
value: "(|(objectClass=inetOrgPerson))"
|
||||
value: "(mail=%s)"
|
||||
- name: LDAP_QUERY_FILTER_ALIAS
|
||||
value: "(&(objectClass=inetOrgPerson)(mailAlias=%s))"
|
||||
- name: LDAP_QUERY_FILTER_GROUP
|
||||
@ -119,17 +119,17 @@
|
||||
- name: DOVECOT_DEFAULT_PASS_SCHEME
|
||||
value: "MD5-CRYPT"
|
||||
- name: DOVECOT_USER_FILTER
|
||||
value: "(|(objectClass=inetOrgPerson))"
|
||||
value: "(&(objectClass=inetOrgPerson)(uid=%n))"
|
||||
- name: DOVECOT_PASS_ATTRS
|
||||
value: "=user=%{ldap:uid},=password=%{ldap:userPassword}"
|
||||
value: "uid=user,userPassword=password"
|
||||
- name: DOVECOT_USER_ATTRS
|
||||
value: "=home=/var/mail/%{ldap:uid},=mail=maildir:~/Maildir,uidNumber=uid,gidNumber=gid"
|
||||
value: "=home=/var/mail/%{ldap:uid},=uid=5000,=gid=5000,=mail=maildir:~/Maildir"
|
||||
- name: ENABLE_SASLAUTHD
|
||||
value: "1"
|
||||
- name: SASLAUTHD_MECHANISMS
|
||||
value: "ldap"
|
||||
- name: SASLAUTHD_LDAP_FILTER
|
||||
value: "(|(objectClass=inetOrgPerson))"
|
||||
value: "(mail=%U@mail.eom.dev)"
|
||||
- name: SSL_TYPE
|
||||
value: "manual"
|
||||
- name: SSL_CERT_PATH
|
||||
|
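Review bot: Taking the second line of each pair as the new side, `DOVECOT_PASS_ATTRS: "uid=user,userPassword=password"` makes Dovecot fetch each user's `userPassword` hash through the `LDAP_BIND_PW` service account and verify it locally, so that read-only account must be granted read access to every password hash in the directory, and `DOVECOT_DEFAULT_PASS_SCHEME: "MD5-CRYPT"` then pins the hash scheme those entries must use. If these are docker-mailserver variables, as the names suggest, `DOVECOT_AUTH_BIND: "yes"` lets the directory perform the bind instead, so the bind DN never needs to see `userPassword` at all. The new `DOVECOT_USER_FILTER: "(&(objectClass=inetOrgPerson)(uid=%n))"` and `SASLAUTHD_LDAP_FILTER: "(mail=%U@mail.eom.dev)"` correctly tie the lookup to the logging-in user, but the latter hard-codes the mail domain while the `LDAP_QUERY_FILTER_*` values in the previous hunk take it from `%s`; keep the domain in a variable so the three stay consistent. The env list continues outside both hunks.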
@ -1,4 +1,4 @@
|
||||
---
|
||||
# tasks file for eom
|
||||
- name: Deploy
|
||||
include_tasks: git.yaml
|
||||
include_tasks: mastodon.yaml
|
||||
|
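--- a/tasks/mastodon.yaml
+++ b/tasks/mastodon.yaml
@@ -0,0 +1,80 @@
+---
+# tasks file for mastodon
+- name: Add bitnami repository
+  kubernetes.core.helm_repository:
+    name: bitnami
+    repo_url: https://charts.bitnami.com/bitnami
+
+- name: Update Helm repos
+  command: helm repo update
+
+- name: Deploy Mastodon
+  kubernetes.core.helm:
+    name: mastodon
+    chart_ref: bitnami/mastodon
+    release_namespace: mastodon
+    create_namespace: true
+    timeout: 300s
+    values:
+      adminUser: "mastodon"
+      adminEmail: "mastodon@mail.eom.dev"
+      adminPassword: "{{ mastodon_admin_password }}"
+      otpSecret: ""
+      secretKeyBase: ""
+      vapidPrivateKey: ""
+      vapidPublicKey: ""
+      activeRecordEncryptionDeterministicKey: ""
+      activeRecordEncryptionKeyDerivationSalt: ""
+      activeRecordEncryptionPrimaryKey: ""
+      extraConfig:
+        LDAP_ENABLED: "true"
+        LDAP_HOST: openldap.auth.svc.cluster.local
+        LDAP_PORT: "387"
+        LDAP_METHOD: plain
+        LDAP_BASE: dc=eom,dc=dev
+        LDAP_BIND_DN: cn=readonly,dc=eom,dc=dev
+        LDAP_PASSWORD: "{{ ldap_readonly_password }}"
+        LDAP_UID: uid
+        LDAP_SEARCH_FILTER: "(&(objectClass=posixAccount)(uid=%{uid}))"
+        LDAP_MAIL: mail
+      enableS3: false
+      localDomain: "mastodon.eom.dev"
+      smtp:
+        server: "mail.eom.dev"
+        port: 587
+        from_address: "mastodon@mail.eom.dev"
+        domain: "mail.eom.dev"
+        reply_to: "mastodon@mail.eom.dev"
+        delivery_method: smtp
+        ca_file: /etc/ssl/certs/ca-certificates.crt
+        openssl_verify_mode: none
+        enable_starttls_auto: true
+        tls: true
+        auth_method: starttls
+        login: "mastodon"
+        password: "{{ mastodon_mail_password }}"
+      persistence:
+        enabled: true
+        size: 64Gi
+      redis:
+        auth:
+          password: "{{ mastodon_redis_password }}"
+      postgresql:
+        auth:
+          password: "{{ mastodon_postgres_password }}"
+      minio:
+        enabled: false
+      apache:
+        service:
+          type: ClusterIP
+          ports:
+            http: 80
+        ingress:
+          enabled: true
+          hostname: "mastodon.eom.dev"
+          annotations:
+            cert-manager.io/cluster-issuer: ca-issuer
+          tls:
+            - hosts:
+                - mastodon.eom.dev
+              secretName: mastodon-tls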
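Review bot: `LDAP_PORT: "387"` looks like a typo for 389: every other LDAP client in this commit (`ldap.toml.j2`, the chart values, the deleted `social.yaml`) talks to `openldap.auth.svc.cluster.local` on 389, so with this value Mastodon's LDAP login will fail to connect. `openssl_verify_mode: none` under `smtp:` disables certificate verification on the STARTTLS session that carries `mastodon_mail_password` to `mail.eom.dev`, which makes `tls: true` and the `ca_file` line largely cosmetic; since the mail host's certificate comes from the same `ca-issuer`, providing that CA and keeping `peer` (the chart default visible in the values hunk on this page) is the safer setting. `chart_ref: bitnami/mastodon` is installed without a `chart_version`, so a re-run of the role can silently pick up a different major version of the chart; pin it. `LDAP_METHOD: plain` sends the read-only bind password in clear text inside the cluster, consistent with the rest of the commit but worth a `start_tls` follow-up.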
@ -125,6 +125,19 @@
|
||||
containers:
|
||||
- name: influxdb
|
||||
image: influxdb
|
||||
env:
|
||||
- name: DOCKER_INFLUXDB_INIT_MODE
|
||||
value: setup
|
||||
- name: DOCKER_INFLUXDB_INIT_USERNAME
|
||||
value: grafana
|
||||
- name: DOCKER_INFLUXDB_INIT_PASSWORD
|
||||
value: "{{ grafana_influxdb_password }}"
|
||||
- name: DOCKER_INFLUXDB_INIT_ORG
|
||||
value: grafana
|
||||
- name: DOCKER_INFLUXDB_INIT_BUCKET
|
||||
value: default
|
||||
- name: DOCKER_INFLUXDB_INIT_RETENTION
|
||||
value: 1w
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /var/lib/influxdb
|
||||
@ -148,10 +161,20 @@
|
||||
selector:
|
||||
app: influxdb
|
||||
ports:
|
||||
- port: 80
|
||||
targetPort: 8086
|
||||
- port: 8086
|
||||
name: influxdb
|
||||
type: ClusterIP
|
||||
type: LoadBalancer
|
||||
|
||||
- name: Create a config map for grafana
|
||||
k8s:
|
||||
state: present
|
||||
api_version: v1
|
||||
kind: ConfigMap
|
||||
name: grafana
|
||||
namespace: monitor
|
||||
definition:
|
||||
data:
|
||||
ldap.toml: "{{ lookup('template', 'ldap.toml.j2') }}"
|
||||
|
||||
- name: Create Deployment for Grafana
|
||||
k8s:
|
||||
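Review bot: The InfluxDB Service is switched to `type: LoadBalancer` exposing `port: 8086` directly, which puts the token-authenticated HTTP API on an external address with no TLS in front of it (tokens travel in clear text), while the last hunk of this file deletes the NetworkPolicy that limited ingress to `192.168.1.0/24`. Keep the Service `ClusterIP` and reach it through the existing nginx Ingress with a cert-manager certificate, or at minimum add `loadBalancerSourceRanges` with the same `192.168.1.0/24`. Note the removed NetworkPolicy selected `app: monitor`, a label none of the pods visible in this file carry, so it may never have matched anything; a replacement should select `app: influxdb`. The ConfigMap added in the same hunk carries the rendered `ldap.toml` including the LDAP bind password; a Secret is the right object for that content.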
@ -188,6 +211,19 @@
|
||||
value: grafana
|
||||
- name: GF_DATABASE_PASSWORD
|
||||
value: "{{ grafana_mysql_password }}"
|
||||
- name: GF_AUTH_LDAP_ENABLED
|
||||
value: "true"
|
||||
- name: GF_AUTH_LDAP_CONFIG_FILE
|
||||
value: /etc/grafana/cm/ldap.toml
|
||||
- name: GF_AUTH_LDAP_ALLOW_SIGN_UP
|
||||
value: "true"
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /etc/grafana/cm
|
||||
volumes:
|
||||
- name: config
|
||||
configMap:
|
||||
name: grafana
|
||||
|
||||
- name: Create Service for Grafana
|
||||
k8s:
|
||||
@ -221,7 +257,7 @@
|
||||
spec:
|
||||
ingressClassName: nginx
|
||||
rules:
|
||||
- host: monitor.eom.dev
|
||||
- host: grafana.eom.dev
|
||||
http:
|
||||
paths:
|
||||
- pathType: Prefix
|
||||
@ -231,35 +267,7 @@
|
||||
name: grafana
|
||||
port:
|
||||
number: 80
|
||||
- pathType: Prefix
|
||||
path: /influxdb
|
||||
backend:
|
||||
service:
|
||||
name: influxdb
|
||||
port:
|
||||
number: 80
|
||||
tls:
|
||||
- hosts:
|
||||
- monitor.eom.dev
|
||||
secretName: monitor
|
||||
|
||||
- name: Create Network Policy
|
||||
k8s:
|
||||
state: present
|
||||
definition:
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: NetworkPolicy
|
||||
metadata:
|
||||
name: networkpolicy
|
||||
namespace: monitor
|
||||
spec:
|
||||
podSelector:
|
||||
matchLabels:
|
||||
app: monitor
|
||||
policyTypes:
|
||||
- Ingress
|
||||
ingress:
|
||||
- from:
|
||||
- ipBlock:
|
||||
cidr: 192.168.1.0/24
|
||||
|
||||
- grafana.eom.dev
|
||||
secretName: grafana
|
||||
|
@ -1,47 +0,0 @@
|
||||
---
|
||||
# tasks file for social
|
||||
- name: Deploy Mastodon
|
||||
kubernetes.core.helm:
|
||||
name: mastodon
|
||||
chart_ref: oci://registry-1.docker.io/bitnamicharts/mastodon
|
||||
release_namespace: mastodon
|
||||
create_namespace: true
|
||||
values:
|
||||
localDomain: mastodon.eom.dev
|
||||
global:
|
||||
defaultStorageClass: default
|
||||
web:
|
||||
extraEnvVars:
|
||||
- name: LDAP_ENABLED
|
||||
value: "yes"
|
||||
- name: LDAP_HOST
|
||||
value: openldap.auth.svc.cluster.local
|
||||
- name: LDAP_PORT
|
||||
value: 389
|
||||
- name: LDAP_METHOD
|
||||
value: plain
|
||||
- name: LDAP_BASE
|
||||
value: dc=eom,dc=dev
|
||||
- name: LDAP_BIND_DN
|
||||
value: cn=readonly,dc=eom,dc=dev
|
||||
- name: LDAP_PASSWORD
|
||||
value: "{{ ldap_readonly_password }}"
|
||||
- name: LDAP_UID
|
||||
value: uid
|
||||
- name: LDAP_MAIL
|
||||
value: mail
|
||||
- name: LDAP_SEARCH_FILTER
|
||||
value: (|(objectClass=inetOrgPerson))
|
||||
apache:
|
||||
ingress:
|
||||
enabled: true
|
||||
hostname: mastodon.eom.dev
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: ca-issuer
|
||||
tls:
|
||||
- hosts:
|
||||
- mastodon.eom.dev
|
||||
secretName: mastodon-tls
|
||||
postgresql:
|
||||
auth:
|
||||
password: "{{ mastodon_postgres_password }}"
|
@ -7,7 +7,7 @@
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
name: www
|
||||
name: wordpress
|
||||
|
||||
- name: Create PVC for MySQL
|
||||
k8s:
|
||||
@ -17,7 +17,7 @@
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: mysql
|
||||
namespace: www
|
||||
namespace: wordpress
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
@ -33,7 +33,7 @@
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: mysql
|
||||
namespace: www
|
||||
namespace: wordpress
|
||||
labels:
|
||||
app: mysql
|
||||
spec:
|
||||
@ -76,7 +76,7 @@
|
||||
kind: Service
|
||||
metadata:
|
||||
name: mysql
|
||||
namespace: www
|
||||
namespace: wordpress
|
||||
spec:
|
||||
selector:
|
||||
app: mysql
|
||||
@ -93,7 +93,7 @@
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: wordpress
|
||||
namespace: www
|
||||
namespace: wordpress
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
@ -109,7 +109,7 @@
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: wordpress
|
||||
namespace: www
|
||||
namespace: wordpress
|
||||
labels:
|
||||
app: wordpress
|
||||
spec:
|
||||
@ -127,7 +127,7 @@
|
||||
image: wordpress
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /var/www/html
|
||||
mountPath: /var/wordpress/html
|
||||
ports:
|
||||
- containerPort: 3000
|
||||
env:
|
||||
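Review bot: The data volume mount changes from `/var/www/html` to `/var/wordpress/html`, which reads like the `www` → `wordpress` namespace rename being applied to the path by search-and-replace (taking the second line of the pair as the new side); the official `wordpress` image installs and serves from `/var/www/html`, so after this change the PVC is mounted on an unused directory and uploads, themes and plugins live on the container's ephemeral filesystem. Restore `mountPath: /var/www/html`. The container block of this Deployment continues outside the hunk.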
@ -152,7 +152,7 @@
|
||||
kind: Service
|
||||
metadata:
|
||||
name: wordpress
|
||||
namespace: www
|
||||
namespace: wordpress
|
||||
spec:
|
||||
selector:
|
||||
app: wordpress
|
||||
@ -171,7 +171,7 @@
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: ca-issuer
|
||||
name: wordpress
|
||||
namespace: www
|
||||
namespace: wordpress
|
||||
spec:
|
||||
ingressClassName: nginx
|
||||
rules:
|
||||
@ -185,7 +185,18 @@
|
||||
name: wordpress
|
||||
port:
|
||||
number: 80
|
||||
- host: wordpress.eom.dev
|
||||
http:
|
||||
paths:
|
||||
- pathType: Prefix
|
||||
path: /
|
||||
backend:
|
||||
service:
|
||||
name: wordpress
|
||||
port:
|
||||
number: 80
|
||||
tls:
|
||||
- hosts:
|
||||
- www.eom.dev
|
||||
- wordpress.eom.dev
|
||||
secretName: wordpress
|
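--- a/templates/ldap.toml.j2
+++ b/templates/ldap.toml.j2
@@ -0,0 +1,63 @@
+[[servers]]
+# Ldap server host (specify multiple hosts space separated)
+host = "openldap.auth.svc.cluster.local"
+# Default port is 389 or 636 if use_ssl = true
+port = 389
+# Set to true if LDAP server should use an encrypted TLS connection (either with STARTTLS or LDAPS)
+use_ssl = false
+# If set to true, use LDAP with STARTTLS instead of LDAPS
+start_tls = false
+# The value of an accepted TLS cipher. By default, this value is empty. Example value: ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"])
+# For a complete list of supported ciphers and TLS versions, refer to: https://go.dev/src/crypto/tls/cipher_suites.go
+# Starting with Grafana v11.0 only ciphers with ECDHE support are accepted for TLS 1.2 connections.
+tls_ciphers = []
+# This is the minimum TLS version allowed. By default, this value is empty. Accepted values are: TLS1.1 (only for Grafana v10.4 or earlier), TLS1.2, TLS1.3.
+min_tls_version = ""
+# set to true if you want to skip SSL cert validation
+ssl_skip_verify = false
+# set to the path to your root CA certificate or leave unset to use system defaults
+# root_ca_cert = "/path/to/certificate.crt"
+# Authentication against LDAP servers requiring client certificates
+# client_cert = "/path/to/client.crt"
+# client_key = "/path/to/client.key"
+
+# Search user bind dn
+bind_dn = "cn=readonly,dc=eom,dc=dev"
+# Search user bind password
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+bind_password = "{{ ldap_readonly_password }}"
+# We recommend using variable expansion for the bind_password, for more info https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#variable-expansion
+# bind_password = '$__env{LDAP_BIND_PASSWORD}'
+
+# Timeout in seconds. Applies to each host specified in the 'host' entry (space separated).
+timeout = 30
+
+# User search filter, for example "(cn=%s)" or "(sAMAccountName=%s)" or "(uid=%s)"
+# Allow login from email or username, example "(|(sAMAccountName=%s)(userPrincipalName=%s))"
+search_filter = "(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=%s))"
+
+# An array of base dns to search through
+search_base_dns = ["dc=eom,dc=dev"]
+
+group_search_filter = "(&(objectClass=posixGroup)(memberUid=%s))"
+group_search_filter_user_attribute = "uid"
+group_search_base_dns = ["dc=eom,dc=dev"]
+
+# Specify names of the LDAP attributes your LDAP uses
+[servers.attributes]
+username = "uid"
+email = "mail"
+name = "givenName"
+surname = "sn"
+
+[[servers.group_mappings]]
+group_dn = "cn=DevOps Owners,ou=DevOps,ou=Organizations,dc=eom,dc=dev"
+org_id = 2
+org_role = "Admin"
+grafana_admin = true
+
+[[servers.group_mappings]]
+group_dn = "cn=DevOps Members,ou=DevOps,ou=Organizations,dc=eom,dc=dev"
+org_id = 2
+org_role = "Viewer"
+grafana_admin = true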
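Review bot: The second `[[servers.group_mappings]]` gives `DevOps Members` `org_role = "Viewer"` but also `grafana_admin = true`, which makes every member a Grafana server administrator (user management, all orgs, server settings) regardless of the Viewer role; that line should read `grafana_admin = false`, leaving server admin to the owners mapping only. `bind_password = "{{ ldap_readonly_password }}"` is rendered into a ConfigMap by the Grafana task, while the template's own comment two lines below recommends `bind_password = '$__env{LDAP_BIND_PASSWORD}'`; with that form the password can come from a Secret-backed env var and the ConfigMap stays non-sensitive. With `use_ssl = false` and `start_tls = false`, the bind credentials and every user's login password cross the cluster network in clear text; `start_tls = true` with `root_ca_cert` pointing at the `ca-issuer` CA would close that. A password containing `"` also breaks the TOML string here, which the triple-quote comment about `#` and `;` does not cover.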
@ -260,17 +260,17 @@ mastodon:
|
||||
auth_method: plain
|
||||
ca_file: /etc/ssl/certs/ca-certificates.crt
|
||||
delivery_method: smtp
|
||||
domain:
|
||||
domain: mail.eom.dev
|
||||
enable_starttls: "auto"
|
||||
from_address: notifications@example.com
|
||||
from_address: mastodon@mail.eom.dev
|
||||
return_path:
|
||||
openssl_verify_mode: peer
|
||||
port: 587
|
||||
reply_to:
|
||||
server: smtp.mailgun.org
|
||||
tls: false
|
||||
login:
|
||||
password:
|
||||
server: mail.eom.dev
|
||||
tls: true
|
||||
login: mastodon
|
||||
password: {{ mastodon_mail_password }}
|
||||
# -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and
|
||||
# password must be located in keys named `login` and `password` respectively.
|
||||
existingSecret:
|
||||
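Review bot: `password: {{ mastodon_mail_password }}` is left unquoted while the postgres hunk of this same file changes its password to `"{{ mastodon_postgres_password }}"`; if this file is rendered as a template before being read as YAML, an unquoted expansion is re-typed by the YAML parser (a numeric or `yes`/`no`-like password becomes a number or boolean, a leading `*`, `&` or `[` breaks parsing), and if it is read as plain YAML `{{` opens a flow mapping and the file fails to load. Quote it the same way: `password: "{{ mastodon_mail_password }}"`; the unchanged `password: {{ ldap_readonly_password }}` in the `externalAuth` hunk has the same problem. In the ingress hunk, `nginx.org/client-max-body-size: 40m` is the NGINX Inc. controller's annotation; with `ingressClassName: nginx` it is worth confirming which controller is installed, because the community ingress-nginx ignores it and keeps its 1m default, capping media uploads.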
@ -455,19 +455,18 @@ mastodon:
|
||||
ingress:
|
||||
enabled: true
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: ca-issuer
|
||||
# For choosing an ingress ingressClassName is preferred over annotations
|
||||
# kubernetes.io/ingress.class: nginx
|
||||
#
|
||||
# To automatically request TLS certificates use one of the following
|
||||
# kubernetes.io/tls-acme: "true"
|
||||
# cert-manager.io/cluster-issuer: "letsencrypt"
|
||||
cert-manager.io/cluster-issuer: ca-issuer
|
||||
#
|
||||
# ensure that NGINX's upload size matches Mastodon's
|
||||
# for the K8s ingress controller:
|
||||
# nginx.ingress.kubernetes.io/proxy-body-size: 40m
|
||||
# for the NGINX ingress controller:
|
||||
# nginx.org/client-max-body-size: 40m
|
||||
nginx.org/client-max-body-size: 40m
|
||||
# -- you can specify the ingressClassName if it differs from the default
|
||||
ingressClassName: nginx
|
||||
hosts:
|
||||
@ -487,13 +486,13 @@ ingress:
|
||||
annotations:
|
||||
ingressClassName:
|
||||
hosts:
|
||||
- host: streaming.mastodon.local
|
||||
- host: streaming.mastodon.eom.dev
|
||||
paths:
|
||||
- path: "/"
|
||||
tls:
|
||||
- secretName: mastodon-tls
|
||||
hosts:
|
||||
- streaming.mastodon.local
|
||||
- streaming.mastodon.eom.dev
|
||||
|
||||
# -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
|
||||
elasticsearch:
|
||||
@ -534,7 +533,7 @@ postgresql:
|
||||
# you must set a password; the password generated by the postgresql chart will
|
||||
# be rotated on each upgrade:
|
||||
# https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade
|
||||
password: {{ mastodon_postgres_password }}
|
||||
password: "{{ mastodon_postgres_password }}"
|
||||
# Set the password for the "postgres" admin user
|
||||
# set this to the same value as above if you've previously installed
|
||||
# this chart and you're having problems getting mastodon to connect to the DB
|
||||
@ -567,7 +566,7 @@ redis:
|
||||
auth:
|
||||
# -- you must set a password; the password generated by the redis chart will be
|
||||
# rotated on each upgrade:
|
||||
password: ""
|
||||
password: "{{ mastodon_redis_password }}"
|
||||
# setting password for an existing redis instance will store it in a new Secret
|
||||
# you can also specify the name of an existing Secret
|
||||
# with a key of redis-password set to the password you want
|
||||
@ -696,13 +695,13 @@ externalAuth:
|
||||
host: openldap.auth.svc.cluster.local
|
||||
port: 389
|
||||
method: plain
|
||||
# tls_no_verify: true
|
||||
tls_no_verify: true
|
||||
base: dc=eom,dc=dev
|
||||
bind_dn: cn=readonly,dc=eom,dc=dev
|
||||
password: {{ ldap_readonly_password }}
|
||||
uid: uid
|
||||
mail: mail
|
||||
search_filter: (|(objectClass=inetOrgPerson))
|
||||
search_filter: "(&(objectClass=inetOrgPerson)(objectClass=posixAccount)(uid=%{uid}))"
|
||||
# uid_conversion:
|
||||
# enabled: true
|
||||
# search: "., -"
|
||||
|