From f285e4f9fd3369aaf11e486ee82789729ddb9fe2 Mon Sep 17 00:00:00 2001 From: Florian Herrengt Date: Wed, 7 Dec 2022 11:00:34 +0000 Subject: [PATCH] update dashboard --- k8s-dashboard.yml | 323 ++++++++++++++++++ kuma.yml | 126 +++++++ kustomization/bases/kustomization.yaml | 1 + .../bases/nocodelytics-dashboard.yaml | 30 +- .../bases/nocodelytics-events-worker.yaml | 37 ++ .../bases/nocodelytics-tracker-api.yaml | 7 +- .../overlays/production/kustomization.yaml | 14 + .../production/nocodelytics-dashboard.yaml | 57 ++++ 8 files changed, 591 insertions(+), 4 deletions(-) create mode 100644 k8s-dashboard.yml create mode 100644 kuma.yml create mode 100644 kustomization/bases/nocodelytics-events-worker.yaml create mode 100644 kustomization/overlays/production/kustomization.yaml create mode 100644 kustomization/overlays/production/nocodelytics-dashboard.yaml diff --git a/k8s-dashboard.yml b/k8s-dashboard.yml new file mode 100644 index 0000000..e4c0545 --- /dev/null +++ b/k8s-dashboard.yml 
@@ -0,0 +1,323 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: kubernetes-dashboard + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard + +--- +kind: Service +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard +spec: + type: NodePort + ports: + - port: 443 + targetPort: 8443 + nodePort: 30003 + selector: + k8s-app: kubernetes-dashboard + +--- +apiVersion: v1 +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-certs + namespace: kubernetes-dashboard +type: Opaque + +--- +apiVersion: v1 +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-csrf + namespace: kubernetes-dashboard +type: Opaque +data: + csrf: "" + +--- +apiVersion: v1 +kind: Secret +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-key-holder + namespace: kubernetes-dashboard +type: Opaque + +--- +kind: ConfigMap +apiVersion: v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard-settings + namespace: kubernetes-dashboard + +--- +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard +rules: + # Allow Dashboard to get, update and delete Dashboard exclusive secrets. + - apiGroups: [""] + resources: ["secrets"] + resourceNames: + [ + "kubernetes-dashboard-key-holder", + "kubernetes-dashboard-certs", + "kubernetes-dashboard-csrf", + ] + verbs: ["get", "update", "delete"] + # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. + - apiGroups: [""] + resources: ["configmaps"] + resourceNames: ["kubernetes-dashboard-settings"] + verbs: ["get", "update"] + # Allow Dashboard to get metrics. 
+ - apiGroups: [""] + resources: ["services"] + resourceNames: ["heapster", "dashboard-metrics-scraper"] + verbs: ["proxy"] + - apiGroups: [""] + resources: ["services/proxy"] + resourceNames: + [ + "heapster", + "http:heapster:", + "https:heapster:", + "dashboard-metrics-scraper", + "http:dashboard-metrics-scraper", + ] + verbs: ["get"] + +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard +rules: + # Allow Metrics Scraper to get metrics from the Metrics server + - apiGroups: ["metrics.k8s.io"] + resources: ["pods", "nodes"] + verbs: ["get", "list", "watch"] + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kubernetes-dashboard +subjects: + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kubernetes-dashboard + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kubernetes-dashboard +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kubernetes-dashboard +subjects: + - kind: ServiceAccount + name: kubernetes-dashboard + namespace: kubernetes-dashboard + +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + k8s-app: kubernetes-dashboard + name: kubernetes-dashboard + namespace: kubernetes-dashboard +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: kubernetes-dashboard + template: + metadata: + labels: + k8s-app: kubernetes-dashboard + spec: + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: kubernetes-dashboard + image: kubernetesui/dashboard:v2.6.1 + imagePullPolicy: Always + ports: + - containerPort: 8443 + protocol: TCP + args: + - --auto-generate-certificates + - --namespace=kubernetes-dashboard + - 
--token-ttl=0 + # Uncomment the following line to manually specify Kubernetes API server Host + # If not specified, Dashboard will attempt to auto discover the API server and connect + # to it. Uncomment only if the default does not work. + # - --apiserver-host=https://52.211.62.142:30003 + volumeMounts: + - name: kubernetes-dashboard-certs + mountPath: /certs + # Create on-disk volume to store exec logs + - mountPath: /tmp + name: tmp-volume + livenessProbe: + httpGet: + scheme: HTTPS + path: / + port: 8443 + initialDelaySeconds: 30 + timeoutSeconds: 30 + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 1001 + runAsGroup: 2001 + volumes: + - name: kubernetes-dashboard-certs + secret: + secretName: kubernetes-dashboard-certs + - name: tmp-volume + emptyDir: {} + serviceAccountName: kubernetes-dashboard + nodeSelector: + "kubernetes.io/os": linux + kubernetes.io/arch: arm64 + # Comment the following tolerations if Dashboard must not be deployed on master + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: "arch" + operator: "Equal" + value: "arm64" + effect: "NoSchedule" + +--- +kind: Service +apiVersion: v1 +metadata: + labels: + k8s-app: dashboard-metrics-scraper + name: dashboard-metrics-scraper + namespace: kubernetes-dashboard +spec: + ports: + - port: 8000 + targetPort: 8000 + selector: + k8s-app: dashboard-metrics-scraper + +--- +kind: Deployment +apiVersion: apps/v1 +metadata: + labels: + k8s-app: dashboard-metrics-scraper + name: dashboard-metrics-scraper + namespace: kubernetes-dashboard +spec: + replicas: 1 + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: dashboard-metrics-scraper + template: + metadata: + labels: + k8s-app: dashboard-metrics-scraper + spec: + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: dashboard-metrics-scraper + image: kubernetesui/metrics-scraper:v1.0.8 + ports: + - containerPort: 8000 + protocol: TCP + 
livenessProbe: + httpGet: + scheme: HTTP + path: / + port: 8000 + initialDelaySeconds: 30 + timeoutSeconds: 30 + volumeMounts: + - mountPath: /tmp + name: tmp-volume + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + runAsUser: 1001 + runAsGroup: 2001 + serviceAccountName: kubernetes-dashboard + nodeSelector: + "kubernetes.io/os": linux + kubernetes.io/arch: arm64 + # Comment the following tolerations if Dashboard must not be deployed on master + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + - key: "arch" + operator: "Equal" + value: "arm64" + effect: "NoSchedule" + volumes: + - name: tmp-volume + emptyDir: {} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: admin-user +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: admin-user + namespace: kubernetes-dashboard +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: admin-user + namespace: kubernetes-dashboard diff --git a/kuma.yml b/kuma.yml new file mode 100644 index 0000000..edb4301 --- /dev/null +++ b/kuma.yml 
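Review bot: The trailing ClusterRoleBinding binds ServiceAccount `admin-user` to `cluster-admin` while the dashboard Service is `type: NodePort` on 30003 and the container runs with `--token-ttl=0`, so a token for that account is a non-expiring cluster-admin credential reachable from any node's address. This binding is the dashboard's sample-user add-on rather than part of the recommended manifest; bind a least-privilege namespaced Role (or the built-in `view` ClusterRole) instead and drop `- --token-ttl=0` so issued tokens expire. Switching the Service to `type: ClusterIP` and reaching it through `kubectl proxy`/port-forward or an authenticated ingress removes the node-port exposure. The commented `# - --apiserver-host=https://52.211.62.142:30003` line also records what looks like a public cluster address in the repository; keep such values in a local override rather than the committed manifest.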
@@ -0,0 +1,126 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: kuma-pvc-2 + namespace: default +spec: + accessModes: + - ReadWriteOnce + storageClassName: local-path + resources: + requests: + storage: 1Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: kuma + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + ms: kuma + template: + metadata: + labels: + ms: kuma + spec: + containers: + - name: kuma + image: louislam/uptime-kuma + volumeMounts: + - name: volv + mountPath: /app/data + # resources: + # limits: + # memory: "512Mi" + # cpu: "100m" + volumes: + - name: volv + persistentVolumeClaim: + claimName: kuma-pvc-2 + nodeSelector: + kubernetes.io/arch: arm64 + tolerations: + - key: "arch" + operator: "Equal" + value: "arm64" + effect: "NoSchedule" +--- +apiVersion: v1 +kind: Service +metadata: + name: kuma + namespace: default +spec: + type: NodePort + selector: + ms: kuma + ports: + - port: 3001 + targetPort: 3001 +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: kuma-letsencrypt-prod + namespace: default +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: florian@nocodelytics.com + privateKeySecretRef: + name: kuma-letsencrypt-prod + solvers: + - http01: + ingress: + class: traefik +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: kuma + namespace: default +spec: + secretName: kuma-net-tls + issuerRef: + name: kuma-letsencrypt-prod + kind: Issuer + commonName: status.nocodelytics.com + dnsNames: + - status.nocodelytics.com +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: kuma-nginx-ingress + namespace: default + annotations: + kubernetes.io/ingress.class: "traefik" + cert-manager.io/issuer: letsencrypt-prod + traefik.ingress.kubernetes.io/redirect-entry-point: https + cert-manager.io/acme-challenge-type: http01 +spec: + rules: + - host: status.nocodelytics.com + http: + paths: + - path: / + pathType: Prefix + 
backend: + service: + name: ssl-redirect + port: + name: use-annotation + - path: / + pathType: Prefix + backend: + service: + name: kuma + port: + number: 3001 + tls: + - hosts: + - status.nocodelytics.com + secretName: kuma-net-tls diff --git a/kustomization/bases/kustomization.yaml b/kustomization/bases/kustomization.yaml index ae396f3..9fbdb38 100644 --- a/kustomization/bases/kustomization.yaml +++ b/kustomization/bases/kustomization.yaml @@ -1,6 +1,7 @@ resources: - ./namespace.yaml - ./nocodelytics-dashboard.yaml + # - ./nocodelytics-events-worker.yaml # - ./nocodelytics-tracker-api.yaml # - ./clickhouse.yaml - ./cert-manager.yaml diff --git a/kustomization/bases/nocodelytics-dashboard.yaml b/kustomization/bases/nocodelytics-dashboard.yaml index 329c9a6..a343ff5 100644 --- a/kustomization/bases/nocodelytics-dashboard.yaml +++ b/kustomization/bases/nocodelytics-dashboard.yaml @@ -17,6 +17,11 @@ metadata: name: nocodelytics-dashboard spec: replicas: 1 + strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 1 + maxUnavailable: 0 selector: matchLabels: ms: nocodelytics-dashboard @@ -31,18 +36,41 @@ spec: - name: nocodelytics-dashboard imagePullPolicy: Always image: container-registry.nocodelytics.com/nocodelytics/dashboard:latest + readinessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 5 + periodSeconds: 10 + livenessProbe: + tcpSocket: + port: 8080 + initialDelaySeconds: 10 + failureThreshold: 5 + periodSeconds: 10 + terminationGracePeriodSeconds: 60 env: - name: PORT value: "8080" + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: K8S_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace - name: ENCRYPTION_KEY valueFrom: secretKeyRef: name: secrets key: ENCRYPTION_KEY resources: + requests: + memory: "256Mi" + cpu: "50m" limits: memory: "512Mi" - cpu: "100m" + cpu: "200m" nodeSelector: kubernetes.io/arch: arm64 tolerations: 
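Review bot: The Ingress annotation `cert-manager.io/issuer: letsencrypt-prod` names an Issuer this file never defines; the Issuer created above is `kuma-letsencrypt-prod`, which the explicit Certificate already references, so the ingress-shim will likely try to manage `kuma-net-tls` from a missing issuer and compete with the `kuma` Certificate for the same secret. Either remove the annotation or change it to `cert-manager.io/issuer: kuma-letsencrypt-prod`. The first `/` path routes to a Service `ssl-redirect` with `port.name: use-annotation`, which is an AWS ALB controller idiom; under the declared `traefik` class no such Service exists, and the same backend is repeated in kustomization/overlays/production/nocodelytics-dashboard.yaml. `image: louislam/uptime-kuma` carries no tag, so every pull may fetch a different build; pin a version tag or digest, e.g. `image: louislam/uptime-kuma:<pinned-version>`.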
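Review bot: `terminationGracePeriodSeconds: 60` is placed between `livenessProbe` and `env` inside the container stanza, but it is a PodSpec field, not a container field; if it sits at container indentation (the collapsed diff hides this) the apiserver drops it or `kubectl apply` rejects it as an unknown field, and the pod keeps the 30s default. Move it to `spec.template.spec`, next to `nodeSelector`. The image stays `dashboard:latest` with `imagePullPolicy: Always`, so each rolling update (now `maxUnavailable: 0`) can silently pick up a different build than the one that passed the probes last time; pinning a tag or digest makes the rollout reproducible. The enclosing Deployment continues outside the hunk.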
diff --git a/kustomization/bases/nocodelytics-events-worker.yaml b/kustomization/bases/nocodelytics-events-worker.yaml new file mode 100644 index 0000000..6938a60 --- /dev/null +++ b/kustomization/bases/nocodelytics-events-worker.yaml @@ -0,0 +1,37 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nocodelytics-events-worker +spec: + replicas: 1 + selector: + matchLabels: + ms: nocodelytics-events-worker + template: + metadata: + labels: + ms: nocodelytics-events-worker + spec: + containers: + - name: nocodelytics-events-worker + image: container-registry.nocodelytics.com/nocodelytics/dashboard:latest + command: + [ + "node", + "./api/.build/src/queue/workers/metricEventWorker/metricEventWorker.js", + ] + resources: + requests: + memory: "256Mi" + cpu: "50m" + limits: + memory: "512Mi" + cpu: "200m" + env: + - name: ENCRYPTION_KEY + valueFrom: + secretKeyRef: + name: secrets + key: ENCRYPTION_KEY + imagePullSecrets: + - name: regcred diff --git a/kustomization/bases/nocodelytics-tracker-api.yaml b/kustomization/bases/nocodelytics-tracker-api.yaml index e44ad84..01e2cd1 100644 --- a/kustomization/bases/nocodelytics-tracker-api.yaml +++ b/kustomization/bases/nocodelytics-tracker-api.yaml @@ -32,9 +32,12 @@ spec: imagePullPolicy: Always image: container-registry.nocodelytics.com/nocodelytics-tracker-api:latest resources: + requests: + memory: "128Mi" + cpu: "50m" limits: memory: "512Mi" - cpu: "100m" + cpu: "200m" nodeSelector: kubernetes.io/arch: arm64 tolerations: @@ -81,8 +84,6 @@ spec: backend: service: name: nocodelytics-tracker-api - # port: - # number: 3001 tls: - hosts: - nocodelytics-tracker-api.nocodelytics.com diff --git a/kustomization/overlays/production/kustomization.yaml b/kustomization/overlays/production/kustomization.yaml new file mode 100644 index 0000000..58dc1aa --- /dev/null +++ b/kustomization/overlays/production/kustomization.yaml 
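Review bot: The new events-worker Deployment has no `nodeSelector`/`tolerations`, unlike the sibling dashboard and tracker-api Deployments in this commit that pin `kubernetes.io/arch: arm64` and tolerate the `arch=arm64:NoSchedule` taint; if every node carries that taint, as the other manifests suggest, the worker stays Pending, and on a mixed-arch cluster it may land on a node the image is not built for. Add the same scheduling block the dashboard Deployment uses. The image is also `dashboard:latest`, so the worker and the API can drift to different builds between pulls; pin the same tag or digest in both.
```yaml
      # … unchanged: containers, resources, env, imagePullSecrets …
      nodeSelector:
        kubernetes.io/arch: arm64
      tolerations:
        - key: "arch"
          operator: "Equal"
          value: "arm64"
          effect: "NoSchedule"
```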
@@ -0,0 +1,14 @@ +namespace: production +resources: + - ../../bases +patchesStrategicMerge: + - ./nocodelytics-dashboard.yaml +# - ./nocodelytics-tracker-api.yaml +patches: + - target: + kind: Namespace + name: default + patch: |- + - op: replace + path: /metadata/name + value: production diff --git a/kustomization/overlays/production/nocodelytics-dashboard.yaml b/kustomization/overlays/production/nocodelytics-dashboard.yaml new file mode 100644 index 0000000..750063d --- /dev/null +++ b/kustomization/overlays/production/nocodelytics-dashboard.yaml @@ -0,0 +1,57 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: nocodelytics-dashboard +spec: + commonName: api.nocodelytics.com + dnsNames: + - api.nocodelytics.com +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: nocodelytics-dashboard-nginx-ingress +spec: + rules: + - host: api.nocodelytics.com + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: ssl-redirect + port: + name: use-annotation + - path: / + pathType: Prefix + backend: + service: + name: nocodelytics-dashboard + port: + number: 8080 + tls: + - hosts: + - api.nocodelytics.com + secretName: nocodelytics-dashboard-net-tls +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: nocodelytics-dashboard +spec: + replicas: 2 + selector: + matchLabels: + ms: nocodelytics-dashboard + template: + metadata: + labels: + ms: nocodelytics-dashboard + spec: + containers: + - name: nocodelytics-dashboard + image: container-registry.nocodelytics.com/nocodelytics/dashboard:latest + env: + - name: NODE_ENV + value: production