[DO-1477] create k8s struct and move openresty (#2)

Co-authored-by: Rustam Tagaev <rustam.tagaev@avroid.tech> Co-authored-by: Denis Patrakeev <denis.patrakeev@avroid.team> Reviewed-on: https://git.avroid.tech/K8s/k8s-configs/pulls/2 Reviewed-by: Denis Patrakeev <denis.patrakeev@avroid.team> Co-authored-by: Rustam Tagaev <rustam.tagaev@avroid.team> Co-committed-by: Rustam Tagaev <rustam.tagaev@avroid.team>
2025-01-17 15:50:41 +03:00
parent 9962ddb2bc
commit 90155cad0b
25 changed files with 392 additions and 0 deletions
--- a/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-harbor-secret.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-harbor-secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: manual
+  name: harbor-registry-secret
+  namespace: jenkins-builds
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3IuYXZyb2lkLnRlY2giOnsidXNlcm5hbWUiOiJyb2JvdCRjaSIsInBhc3N3b3JkIjoiSFJqOWlIQXh2VUl1eVRab2d1S1BkR21US082UjlkUnoiLCJhdXRoIjoiY205aWIzUWtZMms2U0ZKcU9XbElRWGgyVlVsMWVWUmFiMmQxUzFCa1IyMVVTMDgyVWpsa1Vubz0ifX19
--- a/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-role-binding.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-role-binding.yaml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: manual
+  name: jenkins
+  namespace: jenkins-builds
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: jenkins
+subjects:
+  - kind: ServiceAccount
+    name: jenkins
--- a/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-role.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-role.yaml
@@ -0,0 +1,57 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: manual
+  name: jenkins
+  namespace: jenkins-builds
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - persistentvolumes
+  - persistentvolumeclaims
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/exec
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods/log
+  - storageclass
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - events
+  - nodes
+  verbs:
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  - nodes
+  verbs:
+  - get
--- a/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-secret.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-secret.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: jenkins
+  namespace: jenkins-builds
+  annotations:
+    kubernetes.io/service-account.name: jenkins
+  labels:
+    name: jenkins-builds
+    app.kubernetes.io/managed-by: manual
+type: kubernetes.io/service-account-token
--- a/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-service-account.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/.rbac/jenkins-service-account.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    name: jenkins
+    app.kubernetes.io/managed-by: manual
+  name: jenkins
+  namespace: jenkins-builds
--- a/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/jenkins-builds-namespace.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/jenkins-builds-namespace.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: jenkins-builds
+  labels:
+    name: jenkins-builds
+    app.kubernetes.io/managed-by: manual
+  annotations:
+    scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/build=
--- a/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/jenkins-deploy-service-account.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/jenkins-builds/jenkins-deploy-service-account.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: manual
+  name: jenkins-deploy
+  namespace: jenkins-builds
+imagePullSecrets:
+  - name: harbor-registry-secret
--- a/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/.rbac/vault-service-account.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/.rbac/vault-service-account.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: serviceaccount
+    app.kubernetes.io/instance: vault-sa
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: vault-operator
+    app.kubernetes.io/part-of: vault-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: vault
+  namespace: sandbox
--- a/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-namespace.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-namespace.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: sandbox
+  labels:
+    name: sandbox
+    app.kubernetes.io/managed-by: manual
+  annotations:
+    scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=
--- a/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-resourcequota.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/sandbox/sandbox-resourcequota.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: sandbox
+  labels:
+    app.kubernetes.io/managed-by: manual
+spec:
+  hard:
+    requests.cpu: "8"
+    requests.memory: 24Gi
+    limits.cpu: "16"
+    limits.memory: 32Gi
--- a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/ingress-certs-secret.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/ingress-certs-secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: avroid-tech-tls
+  namespace: tavro-cloud-dev
+data:
+# base64 encoded cert see values in vault. Don't push it to git!
+  tls.crt: ""
+  tls.key: ""
+type: kubernetes.io/tls
--- a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/jenkins-deploy-tavro-cloud-dev-role-binding.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/jenkins-deploy-tavro-cloud-dev-role-binding.yaml
@@ -0,0 +1,15 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: manual
+  name: jenkins-deploy-tavro-cloud-dev
+  namespace: tavro-cloud-dev
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: tavro-cloud-dev-full
+subjects:
+  - kind: ServiceAccount
+    name: jenkins-deploy
+    namespace: jenkins-builds
--- a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/jenkins-harbor-secret.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/jenkins-harbor-secret.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app.kubernetes.io/managed-by: manual
+  name: harbor-registry-secret
+  namespace: tavro-cloud-dev
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: eyJhdXRocyI6eyJoYXJib3IuYXZyb2lkLnRlY2giOnsidXNlcm5hbWUiOiJyb2JvdCRjaSIsInBhc3N3b3JkIjoiSFJqOWlIQXh2VUl1eVRab2d1S1BkR21US082UjlkUnoiLCJhdXRoIjoiY205aWIzUWtZMms2U0ZKcU9XbElRWGgyVlVsMWVWUmFiMmQxUzFCa1IyMVVTMDgyVWpsa1Vubz0ifX19
--- a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/tavro-cloud-dev-role.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/tavro-cloud-dev-role.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: tavro-cloud-dev-full
+  namespace: tavro-cloud-dev
+  labels:
+    app.kubernetes.io/managed-by: manual
+rules:
+- apiGroups:
+  - '*'
+  resources:
+  - '*'
+  verbs:
+  - '*'
--- a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/vault-service-account.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/.rbac/vault-service-account.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: serviceaccount
+    app.kubernetes.io/instance: vault-sa
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: vault-operator
+    app.kubernetes.io/part-of: vault-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: vault
+  namespace: tavro-cloud-dev
--- a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/cloud-messenger-core-api/README.md
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/cloud-messenger-core-api/README.md
@@ -0,0 +1,8 @@
+# Install
+
+Для установки нужно забрать values и использовать их. Тут указан только пример, так как все это делается через jenkins
+
+```bash
+curl -o values.yaml https://git.avroid.tech/Apps-Backend/cloud-messenger-core-api/src/branch/develop/.helm/values.dev.yaml
+helm upgrade --install -f values.yaml cloud-messenger-core-api avroid/cloud-messenger-core-api
+```
--- a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/openresty/values.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/openresty/values.yaml
@@ -0,0 +1 @@
+# see https://git.avroid.tech/Apps-Backend/helm-values/src/branch/master/avroid.local/api-gateway/openresty/values.yaml
--- a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-namespace.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-namespace.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: tavro-cloud-dev
+  labels:
+    name: tavro-cloud-dev
+    app.kubernetes.io/managed-by: manual
+  annotations:
+    scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=
--- a/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-resourcequota.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/tavro-cloud-dev/tavro-cloud-dev-resourcequota.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: ResourceQuota
+metadata:
+  name: tavro-cloud-dev
+  labels:
+    app.kubernetes.io/managed-by: manual
+spec:
+  hard:
+    requests.cpu: "8"
+    requests.memory: 24Gi
+    limits.cpu: "16"
+    limits.memory: 32Gi
--- a/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-infra-namespace.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-infra-namespace.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vault-infra
+  labels:
+    name: vault-infra
+    app.kubernetes.io/managed-by: manual
+  annotations:
+    scheduler.alpha.kubernetes.io/node-selector: node-role.kubernetes.io/worker=
--- a/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/values.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/values.yaml
@@ -0,0 +1 @@
+# helm upgrade -n vault-infra --install --wait vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook
--- a/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-cluster_role_binding.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-cluster_role_binding.yaml
@@ -0,0 +1,19 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: clusterrolebinding
+    app.kubernetes.io/instance: manager-rolebinding
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: vault-operator
+    app.kubernetes.io/part-of: vault-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: vault-auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: vault
+  namespace: vault-infra
--- a/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-secret.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-secret.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: vault
+  namespace: vault-infra
+  annotations:
+    kubernetes.io/service-account.name: vault
+type: kubernetes.io/service-account-token
--- a/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-service-account.yaml
+++ b/clusters/k8s-avroid-office.prod.local/namespaces/vault-infra/vault-secrets-webhook/vault-service-account.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: serviceaccount
+    app.kubernetes.io/instance: vault-sa
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: vault-operator
+    app.kubernetes.io/part-of: vault-operator
+    app.kubernetes.io/managed-by: kustomize
+  name: vault
+  namespace: vault-infra
				`@@ -0,0 +1 @@`
				`# see https://git.avroid.tech/Apps-Backend/helm-values/src/branch/master/avroid.local/api-gateway/openresty/values.yaml`
				`@@ -0,0 +1 @@`
				`# helm upgrade -n vault-infra --install --wait vault-secrets-webhook oci://ghcr.io/bank-vaults/helm-charts/vault-secrets-webhook`