From 9a3e26564712fff42b81f4e69621e6396385be17 Mon Sep 17 00:00:00 2001 From: Victor Barba Martin Date: Fri, 16 Jul 2021 17:15:34 +0200 Subject: [PATCH] add k8s thirdparty services --- bitbucket-pipelines.yaml | 74 +++++++++++++++ k8s/argocd/ingress.yaml | 30 ++++++ k8s/external-dns/credentials.yaml | 4 + k8s/external-dns/deployment.yaml | 31 ++++++ k8s/linode-autoscaler/Dockerfile | 3 + .../webrtc-be-autoscaler.yaml | 0 k8s/monitoring/certificate.yaml | 14 +++ k8s/monitoring/helm-values.yaml | 95 +++++++++++++++++++ terraform/lke.tf | 3 +- 9 files changed, 253 insertions(+), 1 deletion(-) create mode 100644 bitbucket-pipelines.yaml create mode 100644 k8s/argocd/ingress.yaml create mode 100644 k8s/external-dns/credentials.yaml create mode 100644 k8s/external-dns/deployment.yaml create mode 100644 k8s/linode-autoscaler/Dockerfile create mode 100644 k8s/linode-autoscaler/webrtc-be-autoscaler.yaml create mode 100644 k8s/monitoring/certificate.yaml create mode 100644 k8s/monitoring/helm-values.yaml diff --git a/bitbucket-pipelines.yaml b/bitbucket-pipelines.yaml new file mode 100644 index 0000000..dd77f2f --- /dev/null +++ b/bitbucket-pipelines.yaml 
@@ -0,0 +1,74 @@ +# Template docker-push + +# This template allows you to build and push your docker image to a Docker Hub account. +# The workflow allows running tests, code linting and security scans on feature branches (as well as master). +# The docker image will be validated and pushed to the docker registry after the code is merged to master. + +# Prerequisites: $DOCKERHUB_USERNAME, $DOCKERHUB_PASSWORD setup as deployment variables + +image: atlassian/default-image:2 + + +definitions: + services: + docker: + memory: 3072 +pipelines: + default: + - parallel: + - step: + name: Build and Test + script: + - IMAGE_NAME=$BITBUCKET_REPO_SLUG + - docker build . --file Dockerfile --tag ${IMAGE_NAME} + services: + - docker + caches: + - docker + - step: + name: Lint the Dockerfile + image: hadolint/hadolint:latest-debian + script: + - hadolint Dockerfile + branches: + master: + - step: + name: Build and Test + script: + - IMAGE_NAME=linode-autoscaler + - docker build . --file linode-autoscaler/Dockerfile --tag ${IMAGE_NAME} + - docker save ${IMAGE_NAME} --output "${IMAGE_NAME}.tar" + services: + - docker + caches: + - docker + artifacts: + - "*.tar" + - step: + name: Push COTURN docker image to GCR + image: google/cloud-sdk:alpine + script: + # Authenticating with the service account key file + - echo $GCLOUD_API_KEYFILE | base64 -d > ./gcloud-api-key.json + - gcloud auth activate-service-account --key-file gcloud-api-key.json + - gcloud config set project $GCLOUD_PROJECT + - IMAGE_NAME="linode-autoscaler" + - docker load --input "${IMAGE_NAME}.tar" + - VERSION="prod-0.1.${BITBUCKET_BUILD_NUMBER}" + - docker tag "${IMAGE_NAME}" "gcr.io/${GCLOUD_PROJECT}/${IMAGE_NAME}:${VERSION}" + # Login to google docker hub + - cat ./gcloud-api-key.json | docker login -u _json_key --password-stdin https://gcr.io + - docker push "gcr.io/${GCLOUD_PROJECT}/${IMAGE_NAME}:${VERSION}" + services: + - docker + - step: + name: Deploy to K8s + deployment: production + script: + - 
IMAGE="gcr.io/$GCLOUD_PROJECT/$BITBUCKET_REPO_SLUG:prod-0.1.$BITBUCKET_BUILD_NUMBER" + - sed -i "s|{{linode_autoscaler_image}}|$IMAGE|g" k8s/webrtc-be-daemonset.yaml + - pipe: atlassian/kubectl-run:1.1.2 + variables: + KUBE_CONFIG: $KUBE_CONFIG + KUBECTL_COMMAND: 'apply' + RESOURCE_PATH: 'k8s/' \ No newline at end of file diff --git a/k8s/argocd/ingress.yaml b/k8s/argocd/ingress.yaml new file mode 100644 index 0000000..07ee276 --- /dev/null +++ b/k8s/argocd/ingress.yaml @@ -0,0 +1,30 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: argocd-server-ingress + namespace: argocd + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + kubernetes.io/ingress.class: nginx + kubernetes.io/tls-acme: "true" + nginx.ingress.kubernetes.io/ssl-passthrough: "true" + # If you encounter a redirect loop or are getting a 307 response code + # then you need to force the nginx ingress to connect to the backend using HTTPS. + # + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" +spec: + rules: + - host: argocd.video.jamkazam.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: argocd-server + port: + name: https + tls: + - hosts: + - argocd.video.jamkazam.com + secretName: argocd-secret # do not change, this is provided by Argo CD \ No newline at end of file diff --git a/k8s/external-dns/credentials.yaml b/k8s/external-dns/credentials.yaml new file mode 100644 index 0000000..e605e2e --- /dev/null +++ b/k8s/external-dns/credentials.yaml @@ -0,0 +1,4 @@ +provider: aws +aws: + secretKey: lj85CIIik/83V980VKEPfqlOWtutEM3s7bSqMZNH + accessKey: AKIA2SXEHOQFBQRGCSST \ No newline at end of file diff --git a/k8s/external-dns/deployment.yaml b/k8s/external-dns/deployment.yaml new file mode 100644 index 0000000..72d7584 --- /dev/null +++ b/k8s/external-dns/deployment.yaml 
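Review bot: The Deploy to K8s step composes `IMAGE="gcr.io/$GCLOUD_PROJECT/$BITBUCKET_REPO_SLUG:prod-0.1.$BITBUCKET_BUILD_NUMBER"`, but the push step just above tags and pushes `gcr.io/${GCLOUD_PROJECT}/linode-autoscaler:${VERSION}` with `IMAGE_NAME="linode-autoscaler"`, so unless the repository slug happens to be `linode-autoscaler` the manifest will reference an image that was never pushed; use the same name in both steps, e.g. `IMAGE="gcr.io/$GCLOUD_PROJECT/linode-autoscaler:prod-0.1.$BITBUCKET_BUILD_NUMBER"`. The master build step also reads `linode-autoscaler/Dockerfile` while this commit adds the file at `k8s/linode-autoscaler/Dockerfile`, and the sed rewrites `k8s/webrtc-be-daemonset.yaml` rather than the (empty) `k8s/linode-autoscaler/webrtc-be-autoscaler.yaml` added here, so it is worth confirming both paths exist in the repository. The step name `Push COTURN docker image to GCR` describes the wrong image, since the step pushes the autoscaler. On the supply-chain side, `google/cloud-sdk:alpine` and `hadolint/hadolint:latest-debian` are floating tags and should be pinned by digest the way `atlassian/kubectl-run:1.1.2` pins a version, and the decoded service-account file can be discarded after use with `rm -f ./gcloud-api-key.json` as the last line of the push script.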
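Review bot: The cert-manager annotations (`cert-manager.io/cluster-issuer: letsencrypt-production`, `kubernetes.io/tls-acme: "true"`) conflict with `nginx.ingress.kubernetes.io/ssl-passthrough: "true"` and with the `secretName: argocd-secret` entry in the same manifest. With passthrough on, the NGINX controller hands the TLS stream straight to argocd-server, so any Let's Encrypt certificate ingress-shim issues is never served, while the Certificate it creates would write into `argocd-secret`, the secret the manifest's own comment says is provided by Argo CD, which is at least a collision risk with Argo CD's own data in it. Pick one model: keep passthrough and drop the two cert-manager annotations and the `tls:` block (Argo CD then serves its own certificate, and the controller must run with `--enable-ssl-passthrough`), or terminate at the ingress by dropping `ssl-passthrough` and `backend-protocol`, using a dedicated secret such as `secretName: argocd-server-tls`, and running argocd-server with `--insecure` behind the ingress. The comment about 307 redirect loops describes the termination model, not passthrough, so it should move or go with whichever option is chosen.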
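Review bot: `k8s/external-dns/credentials.yaml` commits an AWS access key ID and secret access key in plaintext under `aws.accessKey` / `aws.secretKey`, which puts them in the repository history and every clone; the pair should be treated as exposed, rotated in IAM now, and purged from history rather than merely removed in a follow-up commit. Keep only placeholders in the repo, e.g. `accessKey: "<AWS_ACCESS_KEY_ID>"` and `secretKey: "<AWS_SECRET_ACCESS_KEY>"`, and supply the real values at deploy time from a Kubernetes Secret created out of band (or a sealed/external secret), or avoid static keys entirely by giving external-dns an IAM role, which the `iam.amazonaws.com/role` annotation in the sibling deployment.yaml is already shaped for. A `.gitignore` entry for this file and a pre-commit secret scanner would prevent a repeat. Separately, the file is shaped like Helm chart values rather than a Kubernetes manifest, so anything that runs `kubectl apply` over this directory would reject it; confirm which external-dns install path (chart vs. the raw Deployment) is intended.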
@@ -0,0 +1,31 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: external-dns +spec: + strategy: + type: Recreate + selector: + matchLabels: + app: external-dns + template: + metadata: + labels: + app: external-dns + # If you're using kiam or kube2iam, specify the following annotation. + # Otherwise, you may safely omit it. + annotations: + iam.amazonaws.com/role: arn:aws:iam::ACCOUNT-ID:role/IAM-SERVICE-ROLE-NAME + spec: + containers: + - name: external-dns + image: k8s.gcr.io/external-dns/external-dns:v0.7.6 + args: + - --source=service + - --source=ingress + - --domain-filter=external-dns-test.my-org.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones + - --provider=aws + - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization + - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both) + - --registry=txt + - --txt-owner-id=my-hostedzone-identifier \ No newline at end of file diff --git a/k8s/linode-autoscaler/Dockerfile b/k8s/linode-autoscaler/Dockerfile new file mode 100644 index 0000000..aff89e3 --- /dev/null +++ b/k8s/linode-autoscaler/Dockerfile @@ -0,0 +1,3 @@ +FROM meezaan/linode-k8s-autoscaler + +COPY ../video-cluster-kubeconfig.yaml /root/.kube/config \ No newline at end of file diff --git a/k8s/linode-autoscaler/webrtc-be-autoscaler.yaml b/k8s/linode-autoscaler/webrtc-be-autoscaler.yaml new file mode 100644 index 0000000..e69de29 diff --git a/k8s/monitoring/certificate.yaml b/k8s/monitoring/certificate.yaml new file mode 100644 index 0000000..33186e1 --- /dev/null +++ b/k8s/monitoring/certificate.yaml 
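Review bot: The Deployment still carries the upstream example's placeholders — `arn:aws:iam::ACCOUNT-ID:role/IAM-SERVICE-ROLE-NAME`, `--domain-filter=external-dns-test.my-org.com` and `--txt-owner-id=my-hostedzone-identifier` — so as written external-dns filters to a zone this cluster does not own and will never manage `video.jamkazam.com` records; set `--domain-filter=video.jamkazam.com` and a cluster-specific owner id such as `--txt-owner-id=<cluster-name>`, and either fill in the role ARN or drop the annotation when neither kiam nor kube2iam is in use. No `serviceAccountName` is set and the commit adds no ServiceAccount, ClusterRole or ClusterRoleBinding, so the pod runs under the namespace's default account, which cannot list services and ingresses unless RBAC was created elsewhere. Likewise nothing in the pod spec passes AWS credentials to the container (no `env`, `envFrom` or volume from a Secret), so the sibling credentials.yaml does not feed this Deployment at all. `--policy=upsert-only` is a sensible blast-radius limit and worth keeping; pinning `k8s.gcr.io/external-dns/external-dns:v0.7.6` by digest and adding a `securityContext` with `runAsNonRoot: true` would round out the pod spec.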
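Review bot: `COPY ../video-cluster-kubeconfig.yaml /root/.kube/config` cannot work as written, because Docker resolves COPY sources inside the build context only and rejects a `..` path that escapes it ("forbidden path outside the build context"), so the image does not build from `k8s/linode-autoscaler`. More importantly, baking a kubeconfig into an image that the pipeline pushes to `gcr.io` turns a cluster credential into registry content readable by anyone with pull access and persisted in an image layer; drop the COPY and mount the kubeconfig at runtime from a Kubernetes Secret volume at `/root/.kube/config`, or let the autoscaler use the in-cluster service account if it supports that. The base image `meezaan/linode-k8s-autoscaler` has no tag or digest, so every build pulls whatever `latest` is that day; pin it, e.g. `FROM meezaan/linode-k8s-autoscaler@sha256:<digest>`.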
@@ -0,0 +1,14 @@ +apiVersion: cert-manager.io/v1alpha2 +kind: Certificate +metadata: + name: prometheus-operator-prod + namespace: monitoring +spec: + secretName: letsencrypt-secret-prod + duration: 2160h # 90d + renewBefore: 360h # 15d + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + dnsNames: + - monitoring.video.jamkazam.com \ No newline at end of file diff --git a/k8s/monitoring/helm-values.yaml b/k8s/monitoring/helm-values.yaml new file mode 100644 index 0000000..8d391e3 --- /dev/null +++ b/k8s/monitoring/helm-values.yaml 
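Review bot: `apiVersion: cert-manager.io/v1alpha2` is a deprecated API (cert-manager removed it in its 1.6 release, as far as I recall); unless the cluster runs an older release this should be `apiVersion: cert-manager.io/v1`, and the fields used here (`secretName`, `duration`, `renewBefore`, `issuerRef`, `dnsNames`) are unchanged there. The `issuerRef.name` is `letsencrypt-production` while k8s/monitoring/helm-values.yaml in the same commit annotates its ingresses with `cert-manager.io/cluster-issuer: letsencrypt-prod`; only one of those ClusterIssuers can exist, so one of the two files references an issuer that will never sign, and k8s/argocd/ingress.yaml uses the `letsencrypt-production` spelling too. Both this Certificate and the ingress-shim annotations in helm-values.yaml target `secretName: letsencrypt-secret-prod` in the `monitoring` namespace, which gives the same secret two cert-manager owners that will contend over it; either keep this Certificate and drop the `cluster-issuer` annotations from the chart values, or delete this file and let the ingresses request their own certificate.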
@@ -0,0 +1,95 @@ +# Helm chart values for Prometheus Operator with HTTPS and basic auth +prometheus: + ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: /$2 + cert-manager.io/cluster-issuer: letsencrypt-prod + # nginx.ingress.kubernetes.io/auth-type: basic + # nginx.ingress.kubernetes.io/auth-secret: basic-auth + # nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required' + hosts: + - monitoring.video.jamkazam.com + paths: + - /prometheus(/|$)(.*) + tls: + - secretName: letsencrypt-secret-prod + hosts: + - monitoring.video.jamkazam.com + prometheusSpec: + routePrefix: / + externalUrl: https://monitoring.video.jamkazam.com/prometheus + storageSpec: + volumeClaimTemplate: + spec: + storageClassName: linode-block-storage-retain + resources: + requests: + storage: 10Gi + +alertmanager: + ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: /$2 + cert-manager.io/cluster-issuer: letsencrypt-prod + # nginx.ingress.kubernetes.io/auth-type: basic + # nginx.ingress.kubernetes.io/auth-secret: basic-auth + # nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required' + hosts: + - monitoring.video.jamkazam.com + paths: + - /alertmanager(/|$)(.*) + tls: + - secretName: letsencrypt-secret-prod + hosts: + - monitoring.video.jamkazam.com + alertmanagerSpec: + routePrefix: / + externalUrl: https://monitoring.video.jamkazam.com/alertmanager + storage: + volumeClaimTemplate: + spec: + storageClassName: linode-block-storage-retain + resources: + requests: + storage: 10Gi + +grafana: + persistence: + enabled: true + storageClassName: linode-block-storage-retain + size: 10Gi + ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: nginx + nginx.ingress.kubernetes.io/rewrite-target: /$2 + # nginx.ingress.kubernetes.io/auth-type: basic + # nginx.ingress.kubernetes.io/auth-secret: basic-auth + # 
nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required' + hosts: + - monitoring.video.jamkazam.com + path: /grafana(/|$)(.*) + tls: + - secretName: letsencrypt-secret-prod + hosts: + - monitoring.video.jamkazam.com + grafana.ini: + server: + domain: monitoring.video.jamkazam.com + root_url: "%(protocol)s://%(domain)s/grafana/" + enable_gzip: "true" + +# Disable control plane metrics +kubeEtcd: + enabled: false + +kubeControllerManager: + enabled: false + +kubeScheduler: + enabled: false + \ No newline at end of file diff --git a/terraform/lke.tf b/terraform/lke.tf index 610d52b..be79b52 100644 --- a/terraform/lke.tf +++ b/terraform/lke.tf @@ -17,7 +17,8 @@ resource "linode_lke_cluster" "my-cluster" { # Coturn pool pool { type = "g6-standard-2" - count = 3 + count = 1 } } +
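Review bot: The header comment says "HTTPS and basic auth", but every `nginx.ingress.kubernetes.io/auth-*` annotation in the prometheus, alertmanager and grafana ingress blocks is commented out, so the Prometheus and Alertmanager UIs are published on `monitoring.video.jamkazam.com` with no authentication at all; Prometheus then exposes every scraped metric and label to the internet and Alertmanager lets anyone create or expire silences. Re-enable the three annotations with a `basic-auth` secret (`nginx.ingress.kubernetes.io/auth-type: basic`, `nginx.ingress.kubernetes.io/auth-secret: basic-auth`, `nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'`), or put the paths behind an OAuth proxy, or at minimum restrict them with `nginx.ingress.kubernetes.io/whitelist-source-range`; Grafana has its own login and can stay as is. If the commented lines are intentional scaffolding for later, the header comment should say that the auth is not yet enabled so a reader does not assume the endpoints are protected.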
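Review bot: Changing the Coturn pool to `count = 1` is unrelated to the commit subject ("add k8s thirdparty services") and leaves the TURN tier on a single node, so any node drain or failure takes relaying down with it. If this is an intentional cost reduction, a comment next to it such as `# single node for now: <reason>` would record why, otherwise it belongs in its own commit with its own message. The hunk also appends a trailing blank line at the end of the file.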