diff --git a/redxen/dovecot/deployment.yml b/redxen/dovecot/deployment.yml
new file mode 100644
index 0000000..8303401
--- /dev/null
+++ b/redxen/dovecot/deployment.yml
@@ -0,0 +1,93 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/deployment-apps-v1.json
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ namespace: redxen
+ labels:
+ app: dovecot
+ name: dovecot-dp
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: dovecot
+ template:
+ metadata:
+ namespace: redxen
+ labels:
+ app: dovecot
+ spec:
+ hostUsers: false
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 10000
+ runAsGroup: 10000
+ initContainers:
+ - name: volume-permissions
+ image: busybox
+ command: ["chown", "-c", "10000:10000", "/var/mail", "/run/dovecot", "/var/lib/dovecot"]
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
+ runAsUser: 0
+ runAsNonRoot: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: mail-storage
+ mountPath: /var/mail
+ - name: dovecot-storage
+ mountPath: /var/lib/dovecot
+ - name: tmpfs-run
+ mountPath: /run/dovecot
+ - name: directories
+ image: busybox
+ command: ["mkdir", "-vp", "/run/dovecot/login"]
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop: ["ALL"]
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: tmpfs-run
+ mountPath: /run/dovecot
+ containers:
+ - name: dovecot
+ image: redxen.eu/daemons/dovecot:latest
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: mail-storage
+ mountPath: /var/mail
+ - name: dovecot-storage
+ mountPath: /var/lib/dovecot
+ - name: tmpfs-run
+ mountPath: /run/dovecot
+ ports:
+ - name: imap
+ containerPort: 143
+ - name: lmtp
+ containerPort: 11555
+ - name: auth
+ containerPort: 11666
+ volumes:
+ - name: mail-storage
+ persistentVolumeClaim:
+ claimName: mail-pvc
+ readOnly: false
+ - name: dovecot-storage
+ emptyDir:
+ medium: Memory
+ sizeLimit: 4Mi
+ - name: tmpfs-run
+ emptyDir:
+ medium: Memory
+ sizeLimit: 4Mi
diff --git a/redxen/dovecot/kustomization.yaml b/redxen/dovecot/kustomization.yaml
new file mode 100644
index 0000000..e39d762
--- /dev/null
+++ b/redxen/dovecot/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yml
+ - persistentvolume.yml
+ - persistentvolumeclaim.yml
+ - service.yml
diff --git a/redxen/dovecot/persistentvolume.yml b/redxen/dovecot/persistentvolume.yml
new file mode 100644
index 0000000..f1174f0
--- /dev/null
+++ b/redxen/dovecot/persistentvolume.yml
@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/persistentvolume-v1.json
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+ namespace: redxen
+ name: mail-pv
+spec:
+ storageClassName: local-storage
+ claimRef:
+ namespace: redxen
+ name: mail-pvc
+ capacity:
+ storage: 1Gi
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
+ #persistentVolumeReclaimPolicy: Retain
+ hostPath:
+ path: /var/lib/mail
+ type: DirectoryOrCreate
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - bournemouth.united-kingdom
diff --git a/redxen/dovecot/persistentvolumeclaim.yml b/redxen/dovecot/persistentvolumeclaim.yml
new file mode 100644
index 0000000..b7d33e8
--- /dev/null
+++ b/redxen/dovecot/persistentvolumeclaim.yml
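Review bot: The dovecot container keeps CHOWN in its bounding set, because its `capabilities.drop` enumerates thirteen capabilities rather than `ALL`, unlike the `directories` init container and the loki, prometheus and rspamd containers in this same commit; the enumerated list is also only correct as long as the runtime's default capability set is exactly the Docker/containerd default. Use `drop: ["ALL"]` on the main container (it runs as uid 10000 on ports above 1024, so it should need nothing — confirm the image's dovecot does not chown mail files itself), and express the root `volume-permissions` init container's intent explicitly as `drop: ["ALL"]` plus `add: ["CHOWN"]`. Both `image: busybox` init containers and `redxen.eu/daemons/dovecot:latest` are floating tags under `IfNotPresent`, so what actually runs depends on each node's image cache; pin them by digest or an immutable tag. Nothing in this commit bounds `resources` for the pod either.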
@@ -0,0 +1,15 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/persistentvolumeclaim-v1.json
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ namespace: redxen
+ name: mail-pvc
+spec:
+ volumeName: mail-pv
+ storageClassName: local-storage
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/redxen/dovecot/service.yml b/redxen/dovecot/service.yml
new file mode 100644
index 0000000..190a1ed
--- /dev/null
+++ b/redxen/dovecot/service.yml
@@ -0,0 +1,22 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/service-v1.json
+kind: Service
+apiVersion: v1
+metadata:
+ namespace: redxen
+ labels:
+ app: dovecot
+ name: dovecot-sv
+spec:
+ selector:
+ app: dovecot
+ type: ClusterIP
+ ports:
+ - name: imap
+ port: 143
+ protocol: TCP
+ - name: lmtp
+ port: 11555
+ protocol: TCP
+ - name: auth
+ port: 11666
+ protocol: TCP
diff --git a/redxen/gitea/deployment.yml b/redxen/gitea/deployment.yml
index 7a3ad9b..3749bef 100644
--- a/redxen/gitea/deployment.yml
+++ b/redxen/gitea/deployment.yml
@@ -58,11 +58,11 @@ spec:
 containerPort: 2442
 livenessProbe:
 httpGet:
- port: http
+ port: 3000
 httpHeaders:
 - name: "Host"
 value: "git.redxen.eu"
- path: /
+ path: /api/healthz
 volumes:
 - name: gitea-storage
 persistentVolumeClaim:
diff --git a/redxen/gitea/persistentvolumeclaim.yml b/redxen/gitea/persistentvolumeclaim.yml
index 72091f1..755a537 100644
--- a/redxen/gitea/persistentvolumeclaim.yml
+++ b/redxen/gitea/persistentvolumeclaim.yml
@@ -7,6 +7,7 @@ metadata:
 app: gitea
 name: gitea-pvc
 spec:
+ volumeName: gitea-pv
 selector:
 matchLabels:
 app: gitea
diff --git a/redxen/grafana/deployment.yml b/redxen/grafana/deployment.yml
index ea325d4..eda1084 100644
--- a/redxen/grafana/deployment.yml
+++ b/redxen/grafana/deployment.yml
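Review bot: The `lmtp` (11555) and `auth` (11666) ports are published as a ClusterIP Service with no NetworkPolicy anywhere in this commit, so any pod in the cluster can deliver mail straight into mailboxes over LMTP and talk to Dovecot's auth service (which, depending on what listens on 11666, answers passdb/userdb lookups and SASL authentication for other daemons). Pair this Service with a NetworkPolicy selecting `app: dovecot` whose ingress for 11555 and 11666 is limited to the MTA and rspamd pods, leaving only 143 reachable from HAProxy. Whether 143 enforces STARTTLS or relies on HAProxy for TLS is decided by the image's config, not by this manifest, so confirm plaintext logins are disabled there.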
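Review bot: `/api/healthz` is Gitea's full health check, which (as of the versions that have it) pings the database and cache, so as a *liveness* probe it makes the kubelet restart Gitea every time PostgreSQL is briefly unreachable — something a restart cannot fix and that only prolongs the outage. Keep liveness on a cheap endpoint (the previous `path: /` with the Host header is fine) or give it a generous `failureThreshold`, and move `/api/healthz` under a `readinessProbe` so the Service stops routing instead. The switch from the named port `http` to the literal 3000 removes the coupling that kept the probe and the `ports:` entry in sync; that entry is above this hunk, so if `name: http` still exists there, the named reference is the better choice. The container definition starts outside this hunk.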
@@ -52,11 +52,10 @@ spec:
 - name: grafana-storage
 mountPath: /var/lib/grafana
 ports:
- - name: http
- containerPort: 3000
+ - containerPort: 3000
 livenessProbe:
 httpGet:
- port: http
+ port: 3000
 httpHeaders:
 - name: "Host"
 value: "stats.redxen.eu"
diff --git a/redxen/grafana/persistentvolumeclaim.yml b/redxen/grafana/persistentvolumeclaim.yml
index bd67051..ea972fa 100644
--- a/redxen/grafana/persistentvolumeclaim.yml
+++ b/redxen/grafana/persistentvolumeclaim.yml
@@ -7,6 +7,7 @@ metadata:
 app: grafana
 name: grafana-pvc
 spec:
+ volumeName: grafana-pv
 selector:
 matchLabels:
 app: grafana
diff --git a/redxen/haproxy/daemonset.yml b/redxen/haproxy/daemonset.yml
index 5c86208..1aeed36 100644
--- a/redxen/haproxy/daemonset.yml
+++ b/redxen/haproxy/daemonset.yml
@@ -39,12 +39,18 @@ spec:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 ports:
- - containerPort: 80
+ - name: http
+ containerPort: 80
 hostPort: 80
 protocol: TCP
- - containerPort: 443
+ - name: https
+ containerPort: 443
 hostPort: 443
 protocol: TCP
- - containerPort: 5000
+ - name: registry
+ containerPort: 5000
 hostPort: 5000
 protocol: TCP
+ - name: metrics
+ containerPort: 9100
+ protocol: TCP
diff --git a/redxen/haproxy/kustomization.yaml b/redxen/haproxy/kustomization.yaml
index 88ead83..66078e1 100644
--- a/redxen/haproxy/kustomization.yaml
+++ b/redxen/haproxy/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - daemonset.yml
+ - service.yml
diff --git a/redxen/haproxy/service.yml b/redxen/haproxy/service.yml
new file mode 100644
index 0000000..11cca5c
--- /dev/null
+++ b/redxen/haproxy/service.yml
@@ -0,0 +1,16 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/service-v1.json
+kind: Service
+apiVersion: v1
+metadata:
+ namespace: redxen
+ labels:
+ app: haproxy
+ name: haproxy-sv
+spec:
+ selector:
+ app: haproxy
+ type: ClusterIP
+ ports:
+ - name: prometheus
+ port: 9100
+ protocol: TCP
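Review bot: The new `metrics` port 9100 correctly has no `hostPort`, but nothing restricts who may reach it, and the haproxy.cfg frontend bound to 9100 is not in this diff; if that frontend also serves the stats page with `stats admin` (or anything beyond `http-request use-service prometheus-exporter`), any pod in the cluster can disable backends through it. Confirm the 9100 frontend exposes only the exporter and add a NetworkPolicy limiting ingress on that port to the prometheus pod. Note that 9100 is also node_exporter's `hostPort` on every node in this repo; that only collides if this DaemonSet runs with `hostNetwork: true`, which is decided above this hunk, so please check.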
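Review bot: A ClusterIP Service in front of a DaemonSet gives the scraper one virtual IP that round-robins across every node's haproxy pod, so Prometheus will record a different instance's counters under the same target on each scrape and the series will jump around. Make it headless with `clusterIP: None` and scrape the endpoints (`kubernetes_sd_configs` `role: endpoints`, or the pod IPs directly) so each haproxy instance is its own target with its own `instance` label. The port here is named `prometheus` while the DaemonSet's containerPort is named `metrics`; add `targetPort: metrics` so the two stay tied together if the number ever changes.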
diff --git a/redxen/homepage/deployment.yml b/redxen/homepage/deployment.yml
index 5de31ff..cf774d1 100644
--- a/redxen/homepage/deployment.yml
+++ b/redxen/homepage/deployment.yml
@@ -52,11 +52,10 @@ spec:
 - name: tmpfs-run
 mountPath: /run/nginx
 ports:
- - name: http
- containerPort: 80
+ - containerPort: 80
 livenessProbe:
 httpGet:
- port: http
+ port: 80
 httpHeaders:
 - name: "Host"
 value: "redxen.eu"
diff --git a/redxen/kustomization.yaml b/redxen/kustomization.yaml
index dc6e6c2..f0c013d 100644
--- a/redxen/kustomization.yaml
+++ b/redxen/kustomization.yaml
@@ -13,3 +13,7 @@ resources:
 - redis/
 - registry/
 - nsd/
+ - opendkim/
+ - rspamd/
+ - prometheus/
+ - loki/
diff --git a/redxen/loki/deployment.yml b/redxen/loki/deployment.yml
new file mode 100644
index 0000000..c2c547a
--- /dev/null
+++ b/redxen/loki/deployment.yml
@@ -0,0 +1,68 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/deployment-apps-v1.json
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ namespace: redxen
+ labels:
+ app: loki
+ name: loki-dp
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: loki
+ template:
+ metadata:
+ namespace: redxen
+ labels:
+ app: loki
+ spec:
+ hostUsers: false
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 10000
+ runAsGroup: 10000
+ initContainers:
+ - name: volume-permissions
+ image: busybox
+ command: ["chown", "-c", "10000:10000", "/var/lib/loki"]
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
+ runAsUser: 0
+ runAsNonRoot: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: loki-storage
+ mountPath: /var/lib/loki
+ containers:
+ - name: loki
+ image: redxen.eu/daemons/loki:latest
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop: ["ALL"]
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: loki-storage
+ mountPath: /var/lib/loki
+ ports:
+ - containerPort: 3100
+ readinessProbe:
+ httpGet:
+ port: 3100
+ path: /ready
+ livenessProbe:
+ httpGet:
+ port: 3100
+ path: /ready
+ volumes:
+ - name: loki-storage
+ persistentVolumeClaim:
+ claimName: loki-pvc
+ readOnly: false
diff --git a/redxen/loki/kustomization.yaml b/redxen/loki/kustomization.yaml
new file mode 100644
index 0000000..e39d762
--- /dev/null
+++ b/redxen/loki/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yml
+ - persistentvolume.yml
+ - persistentvolumeclaim.yml
+ - service.yml
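Review bot: Both probes hit `/ready`, which Loki answers with 503 while the ingester replays its WAL and until it has settled in the ring; with the default liveness settings (no `initialDelaySeconds`, three failures ten seconds apart) a slow-starting pod is killed before replay finishes, and every restart makes the next replay longer. Keep `/ready` for readiness only and give liveness a cheap endpoint such as `path: /metrics`, or at minimum set `initialDelaySeconds` and `failureThreshold` large enough to cover replay. The pod has no `resources` block, so Loki's ingester memory is bounded only by the node it shares with dovecot and postgres; set requests and limits. `image: busybox` and `loki:latest` are floating tags under `IfNotPresent`, so the running version depends on the node's cache — pin by digest.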
diff --git a/redxen/loki/persistentvolume.yml b/redxen/loki/persistentvolume.yml
new file mode 100644
index 0000000..b7d8d35
--- /dev/null
+++ b/redxen/loki/persistentvolume.yml
@@ -0,0 +1,30 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/persistentvolume-v1.json
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+ namespace: redxen
+ labels:
+ app: loki
+ name: loki-pv
+spec:
+ storageClassName: local-storage
+ claimRef:
+ namespace: redxen
+ name: loki-pvc
+ capacity:
+ storage: 1Gi
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
+ #persistentVolumeReclaimPolicy: Retain
+ hostPath:
+ path: /var/lib/loki
+ type: DirectoryOrCreate
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - bournemouth.united-kingdom
diff --git a/redxen/loki/persistentvolumeclaim.yml b/redxen/loki/persistentvolumeclaim.yml
new file mode 100644
index 0000000..285b535
--- /dev/null
+++ b/redxen/loki/persistentvolumeclaim.yml
@@ -0,0 +1,20 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/persistentvolumeclaim-v1.json
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ namespace: redxen
+ labels:
+ app: loki
+ name: loki-pvc
+spec:
+ volumeName: loki-pv
+ selector:
+ matchLabels:
+ app: loki
+ storageClassName: local-storage
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/redxen/loki/service.yml b/redxen/loki/service.yml
new file mode 100644
index 0000000..93f558a
--- /dev/null
+++ b/redxen/loki/service.yml
@@ -0,0 +1,16 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/service-v1.json
+kind: Service
+apiVersion: v1
+metadata:
+ namespace: redxen
+ labels:
+ app: loki
+ name: loki-sv
+spec:
+ selector:
+ app: loki
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 3100
+ protocol: TCP
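Review bot: Loki performs no authentication of its own (with `auth_enabled: true` it only separates tenants, and then trusts whatever `X-Scope-OrgID` the caller sends), so this ClusterIP Service lets any pod in the cluster push fabricated log lines via `/loki/api/v1/push` and read every stored log via `/loki/api/v1/query_range`. Add a NetworkPolicy that limits ingress on 3100 to the log shipper and the Grafana pod, e.g. `from: - podSelector: {matchLabels: {app: grafana}}` plus the shipper's label, and if tenants are enabled have the shipper set the tenant header rather than accepting it from callers. Which mode the image runs in is not visible in this manifest.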
diff --git a/redxen/murmur/deployment.yml b/redxen/murmur/deployment.yml
index 80bae2b..39eeead 100644
--- a/redxen/murmur/deployment.yml
+++ b/redxen/murmur/deployment.yml
@@ -44,4 +44,4 @@ spec:
 protocol: UDP
 livenessProbe:
 tcpSocket:
- port: murmur-tcp
+ port: 64738
diff --git a/redxen/node_exporter/daemonset.yml b/redxen/node_exporter/daemonset.yml
index 2f0fd80..5b82729 100644
--- a/redxen/node_exporter/daemonset.yml
+++ b/redxen/node_exporter/daemonset.yml
@@ -40,13 +40,18 @@ spec:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
 ports:
- - containerPort: 9100
+ - name: http
+ containerPort: 9100
 hostPort: 9100
 protocol: TCP
 volumeMounts:
 - name: host-ro
 readOnly: true
 mountPath: /host
+ livenessProbe:
+ httpGet:
+ port: 9100
+ path: /metrics
 volumes:
 - name: host-ro
 hostPath:
diff --git a/redxen/node_exporter/kustomization.yaml b/redxen/node_exporter/kustomization.yaml
index 88ead83..66078e1 100644
--- a/redxen/node_exporter/kustomization.yaml
+++ b/redxen/node_exporter/kustomization.yaml
@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - daemonset.yml
+ - service.yml
diff --git a/redxen/node_exporter/service.yml b/redxen/node_exporter/service.yml
new file mode 100644
index 0000000..0ed0bbc
--- /dev/null
+++ b/redxen/node_exporter/service.yml
@@ -0,0 +1,16 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/service-v1.json
+kind: Service
+apiVersion: v1
+metadata:
+ namespace: redxen
+ labels:
+ app: node-exporter
+ name: node-exporter-sv
+spec:
+ selector:
+ app: node-exporter
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 9100
+ protocol: TCP
diff --git a/redxen/nsd/deployment.yml b/redxen/nsd/deployment.yml
index 66d6346..f1320b3 100644
--- a/redxen/nsd/deployment.yml
+++ b/redxen/nsd/deployment.yml
@@ -10,7 +10,7 @@ spec:
 selector:
 matchLabels:
 app: nsd
- replicas: 3
+ replicas: 2
 template:
 metadata:
 namespace: redxen
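Review bot: The added liveness probe requests `/metrics`, which runs every enabled collector against the mounted `/host` procfs/sysfs on each probe; one slow collector (a hung network mount under the filesystem collector, a stalled device in diskstats) pushes the response past the default one-second `timeoutSeconds` and the kubelet restarts a healthy exporter, while the probe also doubles collection load next to Prometheus's own scrape. Probe the exporter's landing page instead, `path: /`, which returns 200 without collecting anything, or at least raise `timeoutSeconds`. Keep in mind that `hostPort: 9100` still binds 9100 on every node's real interfaces, so the new Service does not replace a host firewall rule for that port.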
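Review bot: This ClusterIP Service round-robins across the node_exporter DaemonSet pods, so a scrape of `node-exporter-sv:9100` returns a random node's metrics under a single target and Prometheus cannot attribute them to a node. Use `clusterIP: None` so the Service resolves to every pod and scrape the endpoints, or use `role: node` discovery against the existing `hostPort`; either way the `instance` label then identifies the node. Add `targetPort: http` to tie the port to the named containerPort introduced in the DaemonSet.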
diff --git a/redxen/opendkim/deployment.yml b/redxen/opendkim/deployment.yml
new file mode 100644
index 0000000..6cf7503
--- /dev/null
+++ b/redxen/opendkim/deployment.yml
@@ -0,0 +1,37 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/deployment-apps-v1.json
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ namespace: redxen
+ labels:
+ app: opendkim
+ name: opendkim-dp
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: opendkim
+ template:
+ metadata:
+ namespace: redxen
+ labels:
+ app: opendkim
+ spec:
+ hostUsers: false
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 10000
+ runAsGroup: 10000
+ containers:
+ - name: opendkim
+ image: redxen.eu/daemons/opendkim:latest
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop: ["ALL"]
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ ports:
+ - containerPort: 8891
diff --git a/redxen/opendkim/kustomization.yaml b/redxen/opendkim/kustomization.yaml
new file mode 100644
index 0000000..68074df
--- /dev/null
+++ b/redxen/opendkim/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yml
+ - service.yml
diff --git a/redxen/opendkim/service.yml b/redxen/opendkim/service.yml
new file mode 100644
index 0000000..1abf005
--- /dev/null
+++ b/redxen/opendkim/service.yml
@@ -0,0 +1,16 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/service-v1.json
+kind: Service
+apiVersion: v1
+metadata:
+ namespace: redxen
+ labels:
+ app: opendkim
+ name: opendkim-sv
+spec:
+ selector:
+ app: opendkim
+ type: ClusterIP
+ ports:
+ - name: opendkim
+ port: 8891
+ protocol: TCP
diff --git a/redxen/postgresql/persistentvolumeclaim.yml b/redxen/postgresql/persistentvolumeclaim.yml
index 3d83d5e..e89e8e0 100644
--- a/redxen/postgresql/persistentvolumeclaim.yml
+++ b/redxen/postgresql/persistentvolumeclaim.yml
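Review bot: The opendkim container mounts nothing — no Secret for the signing key and no ConfigMap for `KeyTable`/`SigningTable` — and has `readOnlyRootFilesystem: true`, so unless an entrypoint fetches it at runtime (not visible here) the DKIM private key must be baked into `redxen.eu/daemons/opendkim:latest`, where anyone who can pull from the registry can read it and every image copy carries it. Move the key into a Kubernetes Secret mounted read-only, e.g. `volumeMounts: - {name: dkim-key, mountPath: /etc/opendkim/keys, readOnly: true}` backed by a `secret` volume with `defaultMode: 0400`, and put the tables in a ConfigMap; please confirm which case applies. The pod also lacks probes and a `resources` block, unlike the loki and prometheus Deployments added in the same commit, and `:latest` under `IfNotPresent` leaves the running version to the node's cache.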
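Review bot: Port 8891 is the OpenDKIM milter socket, which signs whatever message the connecting MTA hands it, so a ClusterIP Service with no NetworkPolicy turns it into a signing oracle for every pod in the cluster: a compromised workload can obtain valid DKIM signatures for the domain on arbitrary mail, and there is no authentication on a milter connection. Restrict ingress on 8891 to the MTA pods with a NetworkPolicy selecting `app: opendkim`, with `from: - podSelector: {matchLabels: {app: postfix}}` adjusted to the real MTA label, and keep the milter off the host network. Add `targetPort: 8891` or a name so the mapping is explicit once the containerPort is named.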
@@ -7,6 +7,7 @@ metadata:
 app: postgresql
 name: postgresql-pvc
 spec:
+ volumeName: postgresql-pv
 selector:
 matchLabels:
 app: postgresql
diff --git a/redxen/prometheus/deployment.yml b/redxen/prometheus/deployment.yml
new file mode 100644
index 0000000..13fac9f
--- /dev/null
+++ b/redxen/prometheus/deployment.yml
@@ -0,0 +1,64 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/deployment-apps-v1.json
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ namespace: redxen
+ labels:
+ app: prometheus
+ name: prometheus-dp
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: prometheus
+ template:
+ metadata:
+ namespace: redxen
+ labels:
+ app: prometheus
+ spec:
+ hostUsers: false
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 10000
+ runAsGroup: 10000
+ initContainers:
+ - name: volume-permissions
+ image: busybox
+ command: ["chown", "-c", "10000:10000", "/var/lib/prometheus"]
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
+ runAsUser: 0
+ runAsNonRoot: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: prometheus-storage
+ mountPath: /var/lib/prometheus
+ containers:
+ - name: prometheus
+ image: redxen.eu/daemons/prometheus:latest
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop: ["ALL"]
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: prometheus-storage
+ mountPath: /var/lib/prometheus
+ ports:
+ - containerPort: 9090
+ livenessProbe:
+ httpGet:
+ port: 9090
+ path: /
+ volumes:
+ - name: prometheus-storage
+ persistentVolumeClaim:
+ claimName: prometheus-pvc
+ readOnly: false
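Review bot: The liveness probe requests `/`, which Prometheus answers with a redirect to `/graph` (a 3xx counts as success for `httpGet`), so it passes while the TSDB is still replaying its WAL and tells nothing about readiness to serve queries; Prometheus provides `/-/healthy` for liveness and `/-/ready` for readiness. Change the probe to `path: /-/healthy` and add a `readinessProbe` on `path: /-/ready` so the Service only routes once the server is up. If the image's entrypoint passes `--web.enable-lifecycle` or `--web.enable-admin-api` (not visible in this manifest), any pod that can reach 9090 can `POST /-/quit` or delete series; confirm those flags are off. Also size retention to the 1Gi PV (`--storage.tsdb.retention.size`), otherwise the volume fills and the pod crashloops on the next compaction.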
diff --git a/redxen/prometheus/kustomization.yaml b/redxen/prometheus/kustomization.yaml
new file mode 100644
index 0000000..e39d762
--- /dev/null
+++ b/redxen/prometheus/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yml
+ - persistentvolume.yml
+ - persistentvolumeclaim.yml
+ - service.yml
diff --git a/redxen/prometheus/persistentvolume.yml b/redxen/prometheus/persistentvolume.yml
new file mode 100644
index 0000000..8ea8baa
--- /dev/null
+++ b/redxen/prometheus/persistentvolume.yml
@@ -0,0 +1,30 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/persistentvolume-v1.json
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+ namespace: redxen
+ labels:
+ app: prometheus
+ name: prometheus-pv
+spec:
+ storageClassName: local-storage
+ claimRef:
+ namespace: redxen
+ name: prometheus-pvc
+ capacity:
+ storage: 1Gi
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
+ #persistentVolumeReclaimPolicy: Retain
+ hostPath:
+ path: /var/lib/prometheus
+ type: DirectoryOrCreate
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - bournemouth.united-kingdom
diff --git a/redxen/prometheus/persistentvolumeclaim.yml b/redxen/prometheus/persistentvolumeclaim.yml
new file mode 100644
index 0000000..24bbf27
--- /dev/null
+++ b/redxen/prometheus/persistentvolumeclaim.yml
@@ -0,0 +1,20 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/persistentvolumeclaim-v1.json
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ namespace: redxen
+ labels:
+ app: prometheus
+ name: prometheus-pvc
+spec:
+ volumeName: prometheus-pv
+ selector:
+ matchLabels:
+ app: prometheus
+ storageClassName: local-storage
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/redxen/prometheus/service.yml b/redxen/prometheus/service.yml
new file mode 100644
index 0000000..e9d10e8
--- /dev/null
+++ b/redxen/prometheus/service.yml
@@ -0,0 +1,16 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/service-v1.json
+kind: Service
+apiVersion: v1
+metadata:
+ namespace: redxen
+ labels:
+ app: prometheus
+ name: prometheus-sv
+spec:
+ selector:
+ app: prometheus
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 9090
+ protocol: TCP
diff --git a/redxen/redis/persistentvolumeclaim.yml b/redxen/redis/persistentvolumeclaim.yml
index 235de05..33a6e62 100644
--- a/redxen/redis/persistentvolumeclaim.yml
+++ b/redxen/redis/persistentvolumeclaim.yml
@@ -7,6 +7,7 @@ metadata:
 app: redis
 name: redis-pvc
 spec:
+ volumeName: redis-pv
 selector:
 matchLabels:
 app: redis
diff --git a/redxen/registry/persistentvolumeclaim.yml b/redxen/registry/persistentvolumeclaim.yml
index b1007a9..bccc459 100644
--- a/redxen/registry/persistentvolumeclaim.yml
+++ b/redxen/registry/persistentvolumeclaim.yml
@@ -7,6 +7,7 @@ metadata:
 app: registry
 name: registry-pvc
 spec:
+ volumeName: registry-pv
 selector:
 matchLabels:
 app: registry
diff --git a/redxen/rspamd/deployment.yml b/redxen/rspamd/deployment.yml
new file mode 100644
index 0000000..43d505b
--- /dev/null
+++ b/redxen/rspamd/deployment.yml
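Review bot: Prometheus serves its query API and UI unauthenticated unless a `--web.config.file` with basic auth is supplied, and this Deployment mounts no such file, so the ClusterIP Service hands every scraped metric (node, haproxy, loki and whatever else is configured) to any pod in the cluster, plus shutdown and reload if lifecycle endpoints are enabled. Add a NetworkPolicy limiting ingress on 9090 to the Grafana pod, e.g. `from: - podSelector: {matchLabels: {app: grafana}}`, and reserve any operator access for a port-forward. The same ClusterIP-without-policy pattern applies to the loki, rspamd and opendkim Services in this commit, so one policy per namespace with default-deny ingress and explicit allows would be simpler than per-Service exceptions.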
@@ -0,0 +1,63 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/deployment-apps-v1.json
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ namespace: redxen
+ labels:
+ app: rspamd
+ name: rspamd-dp
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: rspamd
+ template:
+ metadata:
+ namespace: redxen
+ labels:
+ app: rspamd
+ spec:
+ hostUsers: false
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 10000
+ runAsGroup: 10000
+ initContainers:
+ - name: volume-permissions
+ image: busybox
+ command: ["chown", "-c", "10000:10000", "/var/lib/rspamd"]
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
+ runAsUser: 0
+ runAsNonRoot: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: rspamd-data
+ mountPath: /var/lib/rspamd
+ containers:
+ - name: rspamd
+ image: redxen.eu/daemons/rspamd:latest
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop: ["ALL"]
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: rspamd-data
+ mountPath: /var/lib/rspamd
+ ports:
+ - containerPort: 7510
+ - containerPort: 7511
+ - containerPort: 7512
+ - containerPort: 7513
+ volumes:
+ - name: rspamd-data
+ emptyDir:
+ medium: Memory
+ sizeLimit: 128Mi
diff --git a/redxen/rspamd/kustomization.yaml b/redxen/rspamd/kustomization.yaml
new file mode 100644
index 0000000..68074df
--- /dev/null
+++ b/redxen/rspamd/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yml
+ - service.yml
diff --git a/redxen/rspamd/service.yml b/redxen/rspamd/service.yml
new file mode 100644
index 0000000..5c70538
--- /dev/null
+++ b/redxen/rspamd/service.yml
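Review bot: The root-running `volume-permissions` init container exists only to chown `/var/lib/rspamd`, but that volume is an `emptyDir` with `medium: Memory`, which the kubelet creates world-writable and which `fsGroup: 10000` in the pod securityContext would own outright; unlike the hostPath-backed PVs behind loki and prometheus, nothing here needs a root container. Remove the `initContainers` block and add `fsGroup: 10000` next to `runAsGroup` (check that the image does not insist on a specific owner rather than group). Because the data directory is RAM-backed and capped at 128Mi, rspamd's Bayes, fuzzy and history state disappears on every restart unless it lives in Redis, and a full tmpfs surfaces as ENOSPC inside the workers; confirm the image's config points classifier and history storage at the redis Deployment in this repo. The four containerPorts are unnamed while the Service names them; naming them (`proxy`, `normal`, `controller`, `fuzzy`) lets the Service use `targetPort` by name.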
@@ -0,0 +1,25 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/service-v1.json
+kind: Service
+apiVersion: v1
+metadata:
+ namespace: redxen
+ labels:
+ app: rspamd
+ name: rspamd-sv
+spec:
+ selector:
+ app: rspamd
+ type: ClusterIP
+ ports:
+ - name: normal
+ port: 7511
+ protocol: TCP
+ - name: controller
+ port: 7512
+ protocol: TCP
+ - name: proxy
+ port: 7510
+ protocol: TCP
+ - name: fuzzy
+ port: 7513
+ protocol: TCP
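Review bot: Port 7512 is the rspamd controller, which accepts `/learnspam`, `/learnham` and `/fuzzyadd` and, with `enable_password`, map and configuration changes; with only a ClusterIP in front of it and no NetworkPolicy, any pod in the cluster can poison the Bayes classifier or fuzzy storage unless the worker-controller `password`/`enable_password` are set, which this manifest cannot show. Restrict ingress on 7512 to Grafana/operator pods and on 7510/7511 to the MTA with a NetworkPolicy, and set the controller passwords regardless. If 7513 is rspamd's fuzzy storage worker it listens on UDP by default, so `protocol: TCP` on the `fuzzy` port (and the protocol-less containerPort in the Deployment, which also defaults to TCP) will not route it; change both to `protocol: UDP`, or drop the port if the fuzzy check only queries upstream storages.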