Added Openshift example deployments

This commit is contained in:
Armin Kunaschik
2023-05-22 01:11:41 +02:00
parent 3e2a051cb2
commit b79285b4fb
17 changed files with 486 additions and 0 deletions

18
openshift/README.md Normal file

@@ -0,0 +1,18 @@
### Directory [deploy](deploy) contains a standard deployment for Openshift 4.x (3.x is also working)
- Changes from the original
- standard namespace is ocp-ops-view instead of default
- create the namespace with an infra node selector, this is technically not necessary but nice to have
- RunAsUser and RunAsNonRoot removed from kube-ops-view and redis deployment, Openshift deployments run with a random uid, choosing a specific one is unnecessary
- added an emptydir to redis to create a directory which is writeable for the random user
- added an edge encrypt route to expose the service via TLS only + redirect from port 80
- set requests and limits a bit higher, your mileage may vary
### Directory [deploy-with-oauth-proxy](deploy-with-oauth-oauth-proxy) contains an additional oauth proxy to protect the application from unauthorized access
- Change from Openshift deploy
- switched to reencrypt route to be able to use the service CA
- added Openshift oauth proxy as a sidecar
- added necessary service annotation for the Openshift oauth proxy
- added service CA certificate to the proxy service to encrypt traffic between router and proxy
- all users with permission to read the namespace are allowed to use the service by the oauth proxy


@@ -0,0 +1,115 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
application: kube-ops-view
component: frontend
name: kube-ops-view
spec:
replicas: 1
selector:
matchLabels:
application: kube-ops-view
component: frontend
template:
metadata:
labels:
application: kube-ops-view
component: frontend
spec:
serviceAccountName: kube-ops-view
containers:
- name: service
# see https://github.com/hjacobs/kube-ops-view/releases
image: hjacobs/kube-ops-view:23.5.0
args:
# remove this option to use built-in memory store
- --redis-url=redis://kube-ops-view-redis:6379
# example to add external links for nodes and pods
# - --node-link-url-template=https://kube-web-view.example.org/clusters/{cluster}/nodes/{name}
# - --pod-link-url-template=https://kube-web-view.example.org/clusters/{cluster}/namespaces/{namespace}/pods/{name}
ports:
- containerPort: 8080
protocol: TCP
readinessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 5
timeoutSeconds: 5
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 5
resources:
limits:
cpu: 750m
memory: 512Mi
requests:
cpu: 500m
memory: 512Mi
securityContext:
readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
- name: oauth-proxy
env:
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
apiVersion: v1
fieldPath: metadata.namespace
image: registry.redhat.io/openshift4/ose-oauth-proxy:latest
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8443
name: public
args:
- --https-address=:8443
- --provider=openshift
- --openshift-service-account=kube-ops-view
- '-openshift-sar={"namespace":"$(MY_POD_NAMESPACE)","resource": "namespaces", "verb": "get"}'
- --upstream=http://localhost:8080
- --tls-cert=/etc/tls/private/tls.crt
- --tls-key=/etc/tls/private/tls.key
- --client-secret-file=/var/run/secrets/kubernetes.io/serviceaccount/token
- --openshift-ca=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt
- --openshift-ca=/etc/pki/tls/cert.pem
- --cookie-secret=dGVzdGNvb2tpZQo=
- -skip-provider-button
resources:
limits:
cpu: 200m
memory: 256Mi
requests:
cpu: 100m
memory: 256Mi
livenessProbe:
httpGet:
path: /oauth/healthz
port: 8443
scheme: HTTPS
initialDelaySeconds: 60
failureThreshold: 60
periodSeconds: 10
timeoutSeconds: 10
readinessProbe:
httpGet:
path: /oauth/healthz
port: 8443
scheme: HTTPS
initialDelaySeconds: 5
failureThreshold: 20
periodSeconds: 10
timeoutSeconds: 5
volumeMounts:
- mountPath: /etc/tls/private
name: proxy-tls
volumes:
- name: proxy-tls
secret:
secretName: proxy-tls
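Review bot: The session-cookie key of the proxy is hard-coded in the manifest: `--cookie-secret=dGVzdGNvb2tpZQo=` is just base64 of "testcookie", so anyone who reads this example, or deploys it unchanged, holds the key oauth-proxy uses to sign and encrypt its session cookies and could in principle forge or decrypt them. It should come from a Secret created out of band with a random value (`oc create secret generic oauth-proxy-cookie --from-literal=cookie-secret="$(openssl rand -base64 32)"`), injected as a secretKeyRef-backed env var and expanded with the same `$(VAR)` syntax the args already use for `MY_POD_NAMESPACE`. The proxy image is pulled as `ose-oauth-proxy:latest`, which makes the authentication layer non-reproducible and lets an upstream retag change it silently; pin it to a release tag or sha256 digest. The kube-ops-view container still listens on 8080 on the pod IP, so in-cluster clients can bypass the proxy unless a NetworkPolicy restricts ingress to the router, which this commit does not add.
```yaml
      - name: oauth-proxy
        env:
          - name: MY_POD_NAMESPACE
            valueFrom:
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace
          # cookie signing/encryption key: read from a Secret created out of band, never from the manifest
          - name: OAUTH_COOKIE_SECRET
            valueFrom:
              secretKeyRef:
                name: oauth-proxy-cookie
                key: cookie-secret
        # pin to the release tag (or sha256 digest) tested with this cluster instead of :latest
        image: registry.redhat.io/openshift4/ose-oauth-proxy:<release-tag>
        # … unchanged: imagePullPolicy, ports …
        args:
          # … unchanged: --https-address through --openshift-ca …
          - --cookie-secret=$(OAUTH_COOKIE_SECRET)
          - -skip-provider-button
        # … unchanged: resources, probes, volumeMounts …
```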


@@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- deployment.yaml
- rbac.yaml
- service.yaml
- redis-deployment.yaml
- redis-service.yaml
- route.yaml


@@ -0,0 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
annotations:
openshift.io/node-selector: "node-role.kubernetes.io/infra=true"
name: ocp-ops-view


@@ -0,0 +1,36 @@
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"proxy"}}'
name: kube-ops-view
namespace: ocp-ops-view
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kube-ops-view
rules:
- apiGroups: [""]
resources: ["nodes", "pods"]
verbs:
- list
- apiGroups: ["metrics.k8s.io"]
resources: ["nodes", "pods"]
verbs:
- get
- list
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kube-ops-view
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kube-ops-view
subjects:
- kind: ServiceAccount
name: kube-ops-view
namespace: ocp-ops-view


@@ -0,0 +1,47 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
application: kube-ops-view
component: redis
name: kube-ops-view-redis
spec:
replicas: 1
selector:
matchLabels:
application: kube-ops-view
template:
metadata:
labels:
application: kube-ops-view
component: redis
spec:
containers:
- name: redis
image: redis:7-alpine
ports:
- containerPort: 6379
protocol: TCP
readinessProbe:
tcpSocket:
port: 6379
resources:
limits:
cpu: 200m
memory: 300Mi
requests:
cpu: 100m
memory: 300Mi
securityContext:
readOnlyRootFilesystem: true
# runAsNonRoot: true
# we need to use the "redis" uid
# runAsUser: 999
volumeMounts:
- name: redis-data
mountPath: /data
volumes:
- name: redis-data
emptyDir: {}
# defaultMode: 0775
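Review bot: Redis here accepts unauthenticated connections from any pod that can reach the `kube-ops-view-redis` Service: no `requirepass` or ACL is configured, and as far as I recall the official `redis` image switches protected-mode off at build time, so the cluster-inventory cache that feeds the UI can be read or overwritten by any workload in the cluster (subject only to whatever NetworkPolicy the namespace already has, and this commit adds none). Either require a password held in a Secret and pass it on both sides — the frontend's `--redis-url` would become `redis://:$(REDIS_PASSWORD)@kube-ops-view-redis:6379`, which the standard `redis://[:password@]host:port` URL form should accept — or add a NetworkPolicy that only admits ingress on 6379 from pods labelled `component: frontend`. The commented `# defaultMode: 0775` under the emptyDir is misleading because emptyDir has no defaultMode field; drop it.
```yaml
      containers:
        - name: redis
          image: redis:7-alpine
          env:
            - name: REDIS_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: kube-ops-view-redis
                  key: password
          # require the shared password; protected-mode does not help inside the official image
          args: ["redis-server", "--requirepass", "$(REDIS_PASSWORD)"]
          # … unchanged: ports, readinessProbe, resources, securityContext, volumeMounts …
```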


@@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
labels:
application: kube-ops-view
component: redis
name: kube-ops-view-redis
spec:
selector:
application: kube-ops-view
component: redis
type: ClusterIP
ports:
- port: 6379
protocol: TCP
targetPort: 6379


@@ -0,0 +1,14 @@
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: proxy
spec:
host: ocp-ops-view.apps.<cluster.domain>
port:
targetPort: proxy
to:
kind: Service
name: proxy
tls:
insecureEdgeTerminationPolicy: Redirect
termination: reencrypt


@@ -0,0 +1,18 @@
apiVersion: v1
kind: Service
metadata:
annotations:
service.alpha.openshift.io/serving-cert-secret-name: proxy-tls
labels:
application: kube-ops-view
component: frontend
name: proxy
spec:
selector:
application: kube-ops-view
component: frontend
type: ClusterIP
ports:
- name: proxy
port: 8443
targetPort: 8443
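Review bot: `service.alpha.openshift.io/serving-cert-secret-name` is the legacy spelling of the serving-certificate annotation; on OpenShift 4 the documented form is `service.beta.openshift.io/serving-cert-secret-name`, with the alpha name kept only for compatibility, so the manifest should switch to the beta annotation (the generated `proxy-tls` secret and the deployment's volume mount are unchanged). A one-line comment that the Service intentionally exposes only 8443, so every request from the router terminates at the oauth-proxy rather than at the unauthenticated 8080 port, would make the design visible to the next reader: `# only the proxy port is published; 8080 stays pod-local so the router cannot bypass authentication`.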


@@ -0,0 +1,58 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
application: kube-ops-view
component: frontend
name: kube-ops-view
spec:
replicas: 1
selector:
matchLabels:
application: kube-ops-view
component: frontend
template:
metadata:
labels:
application: kube-ops-view
component: frontend
spec:
serviceAccountName: kube-ops-view
containers:
- name: service
# see https://github.com/hjacobs/kube-ops-view/releases
image: hjacobs/kube-ops-view:23.5.0
args:
# remove this option to use built-in memory store
- --redis-url=redis://kube-ops-view-redis:6379
# example to add external links for nodes and pods
# - --node-link-url-template=https://kube-web-view.example.org/clusters/{cluster}/nodes/{name}
# - --pod-link-url-template=https://kube-web-view.example.org/clusters/{cluster}/namespaces/{namespace}/pods/{name}
ports:
- containerPort: 8080
protocol: TCP
readinessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 5
timeoutSeconds: 5
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 5
resources:
limits:
cpu: 750m
memory: 512Mi
requests:
cpu: 500m
memory: 512Mi
securityContext:
readOnlyRootFilesystem: true
# runAsNonRoot: true
# runAsUser: 1000
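Review bot: Nothing in this deployment authenticates callers, and the route in this directory publishes the frontend through an edge Route, so the node and pod inventory of the whole cluster is readable by anyone who can reach the router; the README points at the oauth-proxy variant, but the manifest itself carries no warning. Add a comment above `containers:` such as `# No authentication: this variant exposes cluster inventory to every client of the Route; use deploy-with-oauth-proxy or your own auth layer outside trusted networks.` The commented-out `runAsNonRoot`/`runAsUser` lines rely on the OpenShift restricted SCC to assign a non-root random UID, which holds by default but silently stops holding if the `kube-ops-view` service account is ever granted a more permissive SCC; a comment stating that assumption would help, e.g. `# non-root UID is enforced by the restricted SCC, not by this manifest`.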


@@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- deployment.yaml
- rbac.yaml
- service.yaml
- redis-deployment.yaml
- redis-service.yaml
- route.yaml


@@ -0,0 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
annotations:
openshift.io/node-selector: "node-role.kubernetes.io/infra=true"
name: ocp-ops-view


@@ -0,0 +1,36 @@
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"proxy"}}'
name: kube-ops-view
namespace: ocp-ops-view
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kube-ops-view
rules:
- apiGroups: [""]
resources: ["nodes", "pods"]
verbs:
- list
- apiGroups: ["metrics.k8s.io"]
resources: ["nodes", "pods"]
verbs:
- get
- list
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: kube-ops-view
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kube-ops-view
subjects:
- kind: ServiceAccount
name: kube-ops-view
namespace: ocp-ops-view
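Review bot: The `serviceaccounts.openshift.io/oauth-redirectreference.primary` annotation on the ServiceAccount appears to be a leftover from the oauth-proxy variant: it registers the service account as an OAuth client whose redirect target is the Route `proxy`, yet nothing in this directory performs an OAuth flow. An unused OAuth client registration is surface for no benefit, so drop the `annotations:` block from this ServiceAccount; the ClusterRole and ClusterRoleBinding below are unaffected.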


@@ -0,0 +1,48 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
application: kube-ops-view
component: redis
name: kube-ops-view-redis
spec:
replicas: 1
selector:
matchLabels:
application: kube-ops-view
component: redis
template:
metadata:
labels:
application: kube-ops-view
component: redis
spec:
containers:
- name: redis
image: redis:7-alpine
ports:
- containerPort: 6379
protocol: TCP
readinessProbe:
tcpSocket:
port: 6379
resources:
limits:
cpu: 200m
memory: 300Mi
requests:
cpu: 100m
memory: 300Mi
securityContext:
readOnlyRootFilesystem: true
# runAsNonRoot: true
# we need to use the "redis" uid
# runAsUser: 999
volumeMounts:
- name: redis-data
mountPath: /data
volumes:
- name: redis-data
emptyDir: {}
# defaultMode: 0775
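Review bot: Redis is deployed without `requirepass` or an ACL and is reachable through the `kube-ops-view-redis` ClusterIP Service from any pod in the cluster, and as far as I recall the official `redis` image disables protected-mode at build time, so any workload can read or overwrite the cached node/pod inventory the UI renders. If a password is not wanted, at least add a NetworkPolicy in this directory that admits ingress on 6379 only from pods with `application: kube-ops-view, component: frontend`, and reference it from kustomization.yaml; otherwise pass a Secret-backed password to `redis-server --requirepass` here and include it in the frontend's `--redis-url`. The commented `# defaultMode: 0775` on the emptyDir should go, since emptyDir volumes have no defaultMode field and the comment suggests a knob that does not exist.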


@@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
labels:
application: kube-ops-view
component: redis
name: kube-ops-view-redis
spec:
selector:
application: kube-ops-view
component: redis
type: ClusterIP
ports:
- port: 6379
protocol: TCP
targetPort: 6379


@@ -0,0 +1,14 @@
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: proxy
spec:
host: ocp-ops-view.apps.<cluster.domain>
port:
targetPort: 8080
to:
kind: Service
name: kube-ops-view
tls:
insecureEdgeTerminationPolicy: Redirect
termination: edge


@@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
labels:
application: kube-ops-view
component: frontend
name: kube-ops-view
spec:
selector:
application: kube-ops-view
component: frontend
type: ClusterIP
ports:
- port: 8080
protocol: TCP
targetPort: 8080