add k8s thirdparty services

2021-07-16 17:15:34 +02:00 · 2021-07-16 17:15:34 +02:00 · 9a3e265647
parent 6747120629
commit 9a3e265647
9 changed files with 253 additions and 1 deletions
--- a/bitbucket-pipelines.yaml
+++ b/bitbucket-pipelines.yaml
@ -0,0 +1,74 @@
+# Template docker-push
+
+# This template allows you to build and push your docker image to a Docker Hub account.
+# The workflow allows running tests, code linting and security scans on feature branches (as well as master).
+# The docker image will be validated and pushed to the docker registry after the code is merged to master.
+
+# Prerequisites: $DOCKERHUB_USERNAME, $DOCKERHUB_PASSWORD setup as deployment variables
+
+image: atlassian/default-image:2
+
+
+definitions:
+  services:
+    docker:
+      memory: 3072
+pipelines:
+  default:
+    - parallel:
+        - step:
+            name: Build and Test
+            script:
+              - IMAGE_NAME=$BITBUCKET_REPO_SLUG
+              - docker build . --file Dockerfile --tag ${IMAGE_NAME}
+            services:
+              - docker
+            caches:
+              - docker
+        - step:
+            name: Lint the Dockerfile
+            image: hadolint/hadolint:latest-debian
+            script:
+              - hadolint Dockerfile
+  branches:
+    master:
+      - step:
+          name: Build and Test
+          script:
+            - IMAGE_NAME=linode-autoscaler
+            - docker build . --file linode-autoscaler/Dockerfile --tag ${IMAGE_NAME}
+            - docker save ${IMAGE_NAME} --output "${IMAGE_NAME}.tar"
+          services:
+            - docker
+          caches:
+            - docker
+          artifacts:
+            - "*.tar"
+      - step:
+          name: Push COTURN docker image to GCR
+          image: google/cloud-sdk:alpine
+          script:
+            # Authenticating with the service account key file
+            - echo $GCLOUD_API_KEYFILE | base64 -d > ./gcloud-api-key.json
+            - gcloud auth activate-service-account --key-file gcloud-api-key.json
+            - gcloud config set project $GCLOUD_PROJECT
+            - IMAGE_NAME="linode-autoscaler"
+            - docker load --input "${IMAGE_NAME}.tar"
+            - VERSION="prod-0.1.${BITBUCKET_BUILD_NUMBER}"
+            - docker tag "${IMAGE_NAME}" "gcr.io/${GCLOUD_PROJECT}/${IMAGE_NAME}:${VERSION}"
+            # Login to google docker hub
+            - cat ./gcloud-api-key.json | docker login -u _json_key --password-stdin https://gcr.io
+            - docker push "gcr.io/${GCLOUD_PROJECT}/${IMAGE_NAME}:${VERSION}"
+          services:
+            - docker
+      - step:
+          name: Deploy to K8s
+          deployment: production
+          script:
+            - IMAGE="gcr.io/$GCLOUD_PROJECT/$BITBUCKET_REPO_SLUG:prod-0.1.$BITBUCKET_BUILD_NUMBER"
+            - sed -i "s|{{linode_autoscaler_image}}|$IMAGE|g" k8s/webrtc-be-daemonset.yaml
+            - pipe: atlassian/kubectl-run:1.1.2
+              variables:
+                KUBE_CONFIG: $KUBE_CONFIG
+                KUBECTL_COMMAND: 'apply'
+                RESOURCE_PATH: 'k8s/'
--- a/k8s/argocd/ingress.yaml
+++ b/k8s/argocd/ingress.yaml
@ -0,0 +1,30 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: argocd-server-ingress
+  namespace: argocd
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+    kubernetes.io/ingress.class: nginx
+    kubernetes.io/tls-acme: "true"
+    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+    # If you encounter a redirect loop or are getting a 307 response code 
+    # then you need to force the nginx ingress to connect to the backend using HTTPS.
+    #
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
+spec:
+  rules:
+  - host: argocd.video.jamkazam.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service: 
+            name: argocd-server
+            port:
+              name: https
+  tls:
+  - hosts:
+    - argocd.video.jamkazam.com
+    secretName: argocd-secret # do not change, this is provided by Argo CD
--- a/k8s/external-dns/credentials.yaml
+++ b/k8s/external-dns/credentials.yaml
@ -0,0 +1,4 @@
+provider: aws
+aws:
+    secretKey: lj85CIIik/83V980VKEPfqlOWtutEM3s7bSqMZNH
+    accessKey: AKIA2SXEHOQFBQRGCSST
--- a/k8s/external-dns/deployment.yaml
+++ b/k8s/external-dns/deployment.yaml
@ -0,0 +1,31 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: external-dns
+spec:
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: external-dns
+  template:
+    metadata:
+      labels:
+        app: external-dns
+      # If you're using kiam or kube2iam, specify the following annotation.
+      # Otherwise, you may safely omit it.
+      annotations:
+        iam.amazonaws.com/role: arn:aws:iam::ACCOUNT-ID:role/IAM-SERVICE-ROLE-NAME
+    spec:
+      containers:
+      - name: external-dns
+        image: k8s.gcr.io/external-dns/external-dns:v0.7.6
+        args:
+        - --source=service
+        - --source=ingress
+        - --domain-filter=external-dns-test.my-org.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
+        - --provider=aws
+        - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
+        - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
+        - --registry=txt
+        - --txt-owner-id=my-hostedzone-identifier
--- a/k8s/linode-autoscaler/Dockerfile
+++ b/k8s/linode-autoscaler/Dockerfile
@ -0,0 +1,3 @@
+FROM meezaan/linode-k8s-autoscaler
+
+COPY ../video-cluster-kubeconfig.yaml /root/.kube/config
--- a/k8s/linode-autoscaler/webrtc-be-autoscaler.yaml
+++ b/k8s/linode-autoscaler/webrtc-be-autoscaler.yaml
--- a/k8s/monitoring/certificate.yaml
+++ b/k8s/monitoring/certificate.yaml
@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: prometheus-operator-prod
+  namespace: monitoring
+spec:
+  secretName: letsencrypt-secret-prod
+  duration: 2160h # 90d
+  renewBefore: 360h # 15d
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  dnsNames:
+  - monitoring.video.jamkazam.com
--- a/k8s/monitoring/helm-values.yaml
+++ b/k8s/monitoring/helm-values.yaml
@ -0,0 +1,95 @@
+# Helm chart values for Prometheus Operator with HTTPS and basic auth
+prometheus:
+  ingress:
+    enabled: true
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      nginx.ingress.kubernetes.io/rewrite-target: /$2
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+      # nginx.ingress.kubernetes.io/auth-type: basic
+      # nginx.ingress.kubernetes.io/auth-secret: basic-auth
+      # nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
+    hosts:
+    - monitoring.video.jamkazam.com
+    paths:
+    - /prometheus(/|$)(.*)
+    tls:
+    - secretName: letsencrypt-secret-prod
+      hosts:
+      - monitoring.video.jamkazam.com
+  prometheusSpec:
+    routePrefix: /
+    externalUrl: https://monitoring.video.jamkazam.com/prometheus
+    storageSpec:
+      volumeClaimTemplate:
+        spec:
+          storageClassName: linode-block-storage-retain
+          resources:
+            requests:
+              storage: 10Gi
+
+alertmanager:
+  ingress:
+    enabled: true
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      nginx.ingress.kubernetes.io/rewrite-target: /$2
+      cert-manager.io/cluster-issuer: letsencrypt-prod
+      # nginx.ingress.kubernetes.io/auth-type: basic
+      # nginx.ingress.kubernetes.io/auth-secret: basic-auth
+      # nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
+    hosts:
+    - monitoring.video.jamkazam.com
+    paths:
+    - /alertmanager(/|$)(.*)
+    tls:
+    - secretName: letsencrypt-secret-prod
+      hosts:
+      - monitoring.video.jamkazam.com
+  alertmanagerSpec:
+    routePrefix: /
+    externalUrl: https://monitoring.video.jamkazam.com/alertmanager
+    storage:
+      volumeClaimTemplate:
+        spec:
+          storageClassName: linode-block-storage-retain
+          resources:
+            requests:
+              storage: 10Gi
+
+grafana:
+  persistence:
+    enabled: true
+    storageClassName: linode-block-storage-retain
+    size: 10Gi
+  ingress:
+    enabled: true
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      nginx.ingress.kubernetes.io/rewrite-target: /$2
+      # nginx.ingress.kubernetes.io/auth-type: basic
+      # nginx.ingress.kubernetes.io/auth-secret: basic-auth
+      # nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required'
+    hosts:
+    - monitoring.video.jamkazam.com
+    path: /grafana(/|$)(.*)
+    tls:
+    - secretName: letsencrypt-secret-prod
+      hosts:
+      - monitoring.video.jamkazam.com
+  grafana.ini:
+    server:
+      domain: monitoring.video.jamkazam.com
+      root_url: "%(protocol)s://%(domain)s/grafana/"
+      enable_gzip: "true"
+
+# Disable control plane metrics
+kubeEtcd:
+  enabled: false
+
+kubeControllerManager:
+  enabled: false
+
+kubeScheduler:
+  enabled: false
+    
--- a/terraform/lke.tf
+++ b/terraform/lke.tf
@ -17,7 +17,8 @@ resource "linode_lke_cluster" "my-cluster" {
  # Coturn pool
  pool {
    type  = "g6-standard-2"
-    count = 3
+    count = 1
  }

 }
+