From 3ecceb6e071b55300a0de036f2d8f5370796266a Mon Sep 17 00:00:00 2001
From: Dmitrij Prokov
Date: Fri, 28 Feb 2025 15:07:25 +0300
Subject: [PATCH] [DO-1628] Resize limit/requests (!28)
Co-authored-by: Denis Patrakeev
Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/28
Reviewed-by: Rustam Tagaev
Reviewed-by: Denis Patrakeev
---
 .../.rbac/ingress-certs-secret.yaml | 10 ----
 .../namespaces/tavro-cloud-test/README.md | 47 +++++++++++++++++++
 .../tavro-cloud-test/tavro-cloud-test.yaml | 13 ++---
 .../namespaces/tavro-cloud-test/vault_cred.sh | 20 ++++++++
 4 files changed, 72 insertions(+), 18 deletions(-)
 delete mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-test/.rbac/ingress-certs-secret.yaml
 create mode 100644 clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-test/README.md
 create mode 100755 clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-test/vault_cred.sh
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-test/.rbac/ingress-certs-secret.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-test/.rbac/ingress-certs-secret.yaml
deleted file mode 100644
index 35cc022..0000000
--- a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-test/.rbac/ingress-certs-secret.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: avroid-tech-tls
- namespace: tavro-cloud-test
-data:
-# base64 encoded cert see values in vault. Don't push it to git!
- tls.crt: ""
- tls.key: ""
-type: kubernetes.io/tls
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-test/README.md b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-test/README.md
new file mode 100644
index 0000000..8e21b1e
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-test/README.md
@@ -0,0 +1,47 @@
+## Project structure
+```text
+.
+├── README.md
+├── tavro-cloud-test.yaml
+├── .rbac
+├── msg-messenger-core-api
+│ ├── msg-messenger-core-api-network-policy.yaml
+| └──README.md
+├── vault_cred.sh
+
+Назначение:
+msg-messenger-core-api/msg-messenger-core-api-network-policy.yaml - манифест для создания NetworkPolicy
+tavro-cloud-test.yaml - манифест для создания namespace tavro-cloud-test, квот и NetworkPolicy
+.rbac - кастомные правила для RBAC
+```
+## Steps
+
+1. Настраиваем env для подключения к Vault
+
+```bash
+export VAULT_ADDR=https://vault.avroid.tech
+export VAULT_TOKEN=xxxxxx # заменить на актуальный
+```
+Чтобы каждый раз не назначать эти переменные, можно их записать в ~/.bashrc или ~/.zshrc
+
+
+2. Готовим namespace:
+```bash
+kubectl apply -f tavro-cloud-test.yaml
+```
+
+2. Запускаем скрипт
+
+```bash
+./vault_cred.sh
+```
+
+3. Применяем команду в выводе скрипта
+
+4. Применяем остальные манифесты:
+```bash
+kubectl apply -f msg-messenger-core-api/
+kubectl apply -f.rbac/
+```
+
+
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-test/tavro-cloud-test.yaml b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-test/tavro-cloud-test.yaml
index 0ccd465..25dae61 100644
--- a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-test/tavro-cloud-test.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-test/tavro-cloud-test.yaml
@@ -18,17 +18,14 @@ metadata:
 app.kubernetes.io/managed-by: manual
 spec:
 hard:
- configmaps: "20"
 limits.cpu: "5"
 limits.memory: 5Gi
- persistentvolumeclaims: "1"
- pods: "10"
- requests.cpu: "5"
- requests.memory: "5Gi"
- requests.storage: "2Gi"
+ limits.storage: "2Gi"
+ requests.cpu: "100m"
+ requests.memory: "256Mi"
+ requests.storage: "100Mi"
 resourcequotas: "1"
- secrets: "10"
- services: "10"
+
 ---
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
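Review bot: `limits.storage: "2Gi"` under `spec.hard` is not, as far as I know, a resource name that ResourceQuota accepts — persistent storage is capped with `requests.storage` and ephemeral storage with `limits.ephemeral-storage` — so this manifest may be rejected on apply or the entry may never be enforced; it is worth checking against the cluster and replacing it with the name that matches the intent. The same hunk removes the `pods`, `secrets`, `services`, `configmaps` and `persistentvolumeclaims` caps, which leaves the number of objects that a workload or a compromised service account can create in `tavro-cloud-test` unbounded apart from the cpu/memory totals. If dropping them is intended, a comment in the manifest such as `# object-count limits intentionally omitted: <reason>` would record that; otherwise the count limits should stay. The NetworkPolicy that begins on the hunk's last lines continues outside the hunk.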
diff --git a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-test/vault_cred.sh b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-test/vault_cred.sh
new file mode 100755
index 0000000..f2d1895
--- /dev/null
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-test/vault_cred.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+set -e
+
+rm -rf .secrets
+
+cert_key=$(vault kv get -field="certificate.key" team-devops/ssl/avroid.tech/wildcard.avroid.tech)
+cert_data=$(vault kv get -field="certificate_fullchain.crt" team-devops/ssl/avroid.tech/wildcard.avroid.tech)
+
+mkdir .secrets
+
+cat > .secrets/key.pem << EOF
+${cert_key}
+EOF
+
+cat > .secrets/cert.pem << EOF
+${cert_data}
+EOF
+
+echo "Run this command previously then apply all manisfest and before create namespace:"
+echo "kubectl -n tavro-cloud-test create secret tls avroid-tech-tls --cert=.secrets/cert.pem --key=.secrets/key.pem"
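Review bot: The wildcard TLS private key is written to `.secrets/key.pem` with whatever umask the caller happens to have, inside the working copy, and nothing removes it afterwards. Adding `umask 077` right after `set -e` would make `.secrets` and both PEM files owner-only, and the closing `echo` lines could tell the operator to delete `.secrets` once the secret has been created. The patch shows no `.gitignore` entry for `.secrets/`; if none exists elsewhere in the repository, one is needed so the key cannot be committed by accident. `rm -rf .secrets` and `mkdir .secrets` also act on the current directory rather than the script's own, so the script presumably has to be run from the namespace folder, and a comment at the top such as `# run from the directory that contains this script` would make that explicit.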