Unverified Commit c678eba6 authored by Justin Gauthier's avatar Justin Gauthier

update to src and docs - added services

parent f6d8f2f7
......@@ -2,4 +2,5 @@
admin.conf
.DS_Store
*.dec
kubectl
\ No newline at end of file
kubectl
working/
\ No newline at end of file
......@@ -4,39 +4,39 @@ Kubernetes Cluster configuration and services documentation, with example source
## Documentation TOC
1. [Installation](docs/installation/installation.md)
* [Server Installation](docs/installation/installation.md#server-installation)
* [Host Configuration and Kubernetes Cluster Installation](docs/installation/installation.md#host-configuration-and-kubernetes-cluster-installation)
* [Login with username and password](docs/installation/installation.md#login-with-username-and-password)
* [Create dashboard user and retrieve access token](docs/installation/installation.md#create-dashboard-user-and-retrieve-access-token)
1. [Installation](docs/installation/README.md)
* [Server Installation](docs/installation/README.md#server-installation)
* [Host Configuration and Kubernetes Cluster Installation](docs/installation/README.md#host-configuration-and-kubernetes-cluster-installation)
* [Login with username and password](docs/installation/README.md#login-with-username-and-password)
* [Create dashboard user and retrieve access token](docs/installation/README.md#create-dashboard-user-and-retrieve-access-token)
a. [Cluster Upgrading](docs/installation/upgrading.md)
2. [Configuration](docs/configuration/configuration.md)
* [Install Helm](docs/configuration/configuration.md#install-helm)
* [Install NFS-Client](docs/configuration/configuration.md#install-nfs-client)
* [Install MetalLB](docs/configuration/configuration.md#install-metallb)
* [Install Consul](docs/configuration/configuration.md#install-consul)
* ~~[Install Traefik](docs/configuration/configuration.md#install-traefik)~~
* [Install Nginx-Ingress](docs/configuration/configuration.md#install-nginx-ingress)
* [Install Cert-Manager](docs/configuration/configuration.md#install-cert-manager)
* [Create Production Issuer](docs/configuration/configuration.md#create-production-issuer)
* [Create Cloudflare API Key Secret](docs/configuration/configuration.md#create-cloudflare-api-key-secret)
* [Create Default Certificate](docs/configuration/configuration.md#create-default-certificate)
* [Create ingress for Consul and Dashboard](docs/configuration/configuration.md#create-ingress-for-consul-and-dashboard)
* [Next Steps](docs/configuration/configuration.md#next-steps)
2. [Configuration](docs/configuration/README.md)
* [Install Helm](docs/configuration/README.md#install-helm)
* [Install NFS-Client](docs/configuration/README.md#install-nfs-client)
* [Install MetalLB](docs/configuration/README.md#install-metallb)
* [Install Consul](docs/configuration/README.md#install-consul)
* ~~[Install Traefik](docs/configuration/README.md#install-traefik)~~
* [Install Nginx-Ingress](docs/configuration/README.md#install-nginx-ingress)
* [Install Cert-Manager](docs/configuration/README.md#install-cert-manager)
* [Create Production Issuer](docs/configuration/README.md#create-production-issuer)
* [Create Cloudflare API Key Secret](docs/configuration/README.md#create-cloudflare-api-key-secret)
* [Create Default Certificate](docs/configuration/README.md#create-default-certificate)
* [Create ingress for Consul and Dashboard](docs/configuration/README.md#create-ingress-for-consul-and-dashboard)
* [Next Steps](docs/configuration/README.md#next-steps)
3. [Services](docs/services/services.md)
* [Guacamole](docs/services/services.md#guacamole)
* [Keycloak](docs/services/services.md#keycloak)
* [Ansible/AWX](docs/services/services.md#ansibleawx)
* [PostgreSQL](docs/services/services.md#postgresql)
* [Home Assistant](docs/services/services.md#home-assistant)
* [Atlassian Jira](docs/services/services.md#atlassian-jira)
* [Atlassian Confluence](docs/services/services.md#atlassian-confluence)
* [Nextcloud](docs/services/services.md#nextcloud)
* [Plex](docs/services/services.md#plex)
* [OAuth2-Proxy](docs/services/services.md#oauth2-proxy)
* [Next Steps](docs/services/services.md#next-steps)
* [Current Services](https://gitlab.com/just.insane/kubernetes/blob/master/docs/services.md#current-services-in-lab)
* [New Services](docs/services/services.md#new-services)
3. [Services](docs/services/README.md)
* [Guacamole](docs/services/README.md#guacamole)
* [Keycloak](docs/services/README.md#keycloak)
* [Ansible/AWX](docs/services/README.md#ansibleawx)
* [PostgreSQL](docs/services/README.md#postgresql)
* [Home Assistant](docs/services/README.md#home-assistant)
* [Atlassian Jira](docs/services/README.md#atlassian-jira)
* [Atlassian Confluence](docs/services/README.md#atlassian-confluence)
* [Nextcloud](docs/services/README.md#nextcloud)
* [Plex](docs/services/README.md#plex)
* [OAuth2-Proxy](docs/services/README.md#oauth2-proxy)
* [Next Steps](docs/services/README.md#next-steps)
* [Current Services](docs/services/README.md#current-services-in-lab)
* [New Services](docs/services/README.md#new-services)
......@@ -6,19 +6,22 @@
<!-- code_chunk_output -->
* [Table of Contents](#table-of-contents)
* [Install Helm](#install-helm)
* [Install NFS-Client](#install-nfs-client)
* [Install MetalLB](#install-metallb)
* [Install Consul](#install-consul)
* [~~Install Traefik~~](#~~install-traefik~~)
* [Install Nginx-Ingress](#install-nginx-ingress)
* [Install Cert-Manager](#install-cert-manager)
* [Create Production Issuer](#create-production-issuer)
* [Create Cloudflare API Key Secret](#create-cloudflare-api-key-secret)
* [Create Default Certificate](#create-default-certificate)
* [Create ingress for Consul and Dashboard](#create-ingress-for-consul-and-dashboard)
* [Next Steps](#next-steps)
- [Configuration](#configuration)
- [Table of Contents](#table-of-contents)
- [Install Helm](#install-helm)
- [Install NFS-Client](#install-nfs-client)
- [Install MetalLB](#install-metallb)
- [Install Consul](#install-consul)
- [~~Install Traefik~~](#install-traefik)
- [Install Nginx-Ingress](#install-nginx-ingress)
- [Install Cert-Manager](#install-cert-manager)
- [Create Production Issuer](#create-production-issuer)
- [Create Cloudflare API Key Secret](#create-cloudflare-api-key-secret)
- [Create Default Certificate](#create-default-certificate)
- [Create ingress for Consul and Dashboard](#create-ingress-for-consul-and-dashboard)
- [Install Prometheus-Operator](#install-prometheus-operator)
- [Install Weave-Scope](#install-weave-scope)
- [Next Steps](#next-steps)
<!-- /code_chunk_output -->
......@@ -53,6 +56,8 @@
## Install Consul
NOTE: Consul will be depreciated in a future version and replaced by [Istio](https://istio.io/)
1. Clone the consul-helm repository found [here](https://github.com/hashicorp/consul-helm)
* `git clone https://github.com/hashicorp/consul-helm.git`
......@@ -164,6 +169,30 @@ Notes:
2. The default locations are at [https://consul.corp.justin-tech.com](https://consul.corp.justin-tech.com) and [https://kubernetes.corp.justin-tech.com](https://kubernetes.corp.justin-tech.com)
## Install Prometheus-Operator
NOTE: There is example source for the prometheus helm chart at [Prometheus](../../src/configuration/prometheus/values.yaml), however we will be using the prometheus-operator installation
1. Review the documentation and values.yaml of [prometheus-operator](https://github.com/helm/charts/tree/master/stable/prometheus-operator)
2. Make any needed changes to [values.yaml](../../src/configuration/prometheus-operator/values.yaml)
3. Install prometheus-operator
* `helm install prometheus stable/prometheus-operator -f values.yaml --namespace monitoring`
## Install Weave-Scope
NOTE: This is an optional install, [Istio](https://istio.io) and [Kiali](https://www.kiali.io/) will be preferred in future versions
1. Review documentation and values.yaml of [weave-scope](https://github.com/helm/charts/tree/master/stable/weave-scope)
2. Make any needed changes to [values.yaml](../../src/configuration/weave-scope/values.yaml)
3. Install weave-scope
* `helm install weave-scope stable/weave-scope -f values.yaml --namespace monitoring`
## Next Steps
* ~~Look at setting up OAuth (SAML/OIDC) authentication for Kubernetes services (I suspect this may require Nginx Ingress)~~ (See #39 - implemented in [Oauth2-Proxy](../../src/services/oauth2-proxy))
......
......@@ -6,20 +6,21 @@
<!-- code_chunk_output -->
* [Table of Contents](#table-of-contents)
* [Guacamole](#guacamole)
* [Keycloak](#keycloak)
* [Ansible/AWX](#ansibleawx)
* [PostgreSQL](#postgresql)
* [Home Assistant](#home-assistant)
* [Atlassian Jira](#atlassian-jira)
* [Atlassian Confluence](#atlassian-confluence)
* [Nextcloud](#nextcloud)
* [Plex](#plex)
* [OAuth2-Proxy](#oauth2-proxy)
* [Next Steps](#next-steps)
* [Current Services (in lab)](#current-services-in-lab)
* [New Services](#new-services)
- [Services](#services)
- [Table of Contents](#table-of-contents)
- [Guacamole](#guacamole)
- [Keycloak](#keycloak)
- [Ansible/AWX](#ansibleawx)
- [PostgreSQL](#postgresql)
- [Home Assistant](#home-assistant)
- [Atlassian Jira](#atlassian-jira)
- [Atlassian Confluence](#atlassian-confluence)
- [Nextcloud](#nextcloud)
- [Plex](#plex)
- [OAuth2-Proxy](#oauth2-proxy)
- [Next Steps](#next-steps)
- [Current Services (in lab)](#current-services-in-lab)
- [New Services](#new-services)
<!-- /code_chunk_output -->
......@@ -214,6 +215,19 @@ or the [upstream](https://github.com/prabhatsharma/apache-guacamole-helm-chart)
* NOTE: Documentation not yet completed
(https://github.com/pusher/oauth2_proxy)
**Note:** this can be replaced with Istio Gateway and a custom EnvoyFilter See:
(https://discuss.istio.io/t/istio-oauth-2-0/668/5)
(https://programmaticponderings.com/2019/01/06/securing-kubernetes-withistio-end-user-authentication-using-json-web-tokens-jwt/)
(https://medium.com/plangrid-technology/custom-user-authentication-in-istio-67c90458b093)
(https://medium.com/@suman_ganta/openid-authentication-with-istio-a32838adb492)
(https://stackoverflow.com/questions/55159887/istio-oauth2-with-keycloak)
(https://stackoverflow.com/questions/54153841/istio-auth-url-support-in-end-user-authentication)
Alternatively, look into [ORY](https://www.ory.sh/docs/ecosystem/overview)
## Next Steps
### Current Services (in lab)
......@@ -222,38 +236,48 @@ or the [upstream](https://github.com/prabhatsharma/apache-guacamole-helm-chart)
* [X] Ansible/AWX
* [X] Atlassian Jira
* [X] Atlassian Confluence
* [ ] Bitwarden
* [ ] Download services
* [ ] [Bitwarden](https://github.com/mcfedr/bitwarden-chart)
* [ ] Download services - no longer in use
* [ ] Radarr
* [ ] Lidarr
* [ ] Sonarr
* [ ] NZBGet
* [ ] Elastic Stack
* [ ] [Elastic Stack](https://github.com/helm/charts/tree/master/stable/elastic-stack)
* [ ] Elasticsearch
* [ ] Logstash
* [ ] Kibana
* [ ] Beats
* [ ] FreeIPA
* [ ] Grafana
* [X] FreeIPA - Done in VMs since the offical docker container is still beta
* [X] [Grafana](https://github.com/helm/charts/tree/master/stable/grafana) - Deployed as part of Prometheus-Operator
* [ ] Documentation
* [X] Guacamole
* [ ] HaProxy (if needed)
* [ ] ~~HaProxy~~ - not needed
* [X] Home Assistant
* [ ] Jupyter
* [ ] [Jupyter](https://zero-to-jupyterhub.readthedocs.io/en/v0.4-doc/setup-jupyterhub.html#setup-jupyterhub)
* [ ] [JupyterHub](https://github.com/jupyterhub/zero-to-jupyterhub-k8s/blob/master/jupyterhub/values.yaml)
* [X] Keycloak
* [ ] Matomo
* [X] [Matomo](https://github.com/jptissot/matomo-chart)
* [ ] Documentation
* [ ] Mayan EDMS
* [X] [Minecraft](https://github.com/helm/charts/tree/master/stable/minecraft)
* [ ] Documentation
* [X] Nextcloud
* [ ] Node-RED
* [ ] PiHole
* [X] Plex
* [X] [Node-RED](https://github.com/helm/charts/tree/master/stable/node-red)
* [ ] Documentation
* [X] [PiHole](https://github.com/ChrisPhillips-cminion/pihole-helm)
* [ ] Documentation
* [X] [Plex](https://github.com/munnerz/kube-plex) - Seems to lack support for newer Plex versions
* [X] PostgreSQL (if needed)
* [ ] Vault (HashiCorp)
* [ ] Vault (HashiCorp) (https://github.com/PremiereGlobal/vault-helm-chart)
* [ ] Zabbix
* [ ] AlertManager - Deployed as part of Prometheus-Operator
* [ ] Documentation
### New Services
* [ ] NZBHydra2
* [ ] Prometheus
* [X] [Prometheus](https://github.com/helm/charts/tree/master/stable/prometheus) - As part of Prometheus-Operator
* [ ] Documentation
* [ ] Eclipse Che
* [ ] Sourcegraph
* [ ] [MonicaHQ](https://www.monicahq.com/)
......
rbac:
create: true
pspEnabled: true
pspUseAppArmor: true
namespaced: false
extraRoleRules: []
# - apiGroups: []
# resources: []
# verbs: []
extraClusterRoleRules: []
# - apiGroups: []
# resources: []
# verbs: []
serviceAccount:
create: true
name:
nameTest:
replicas: 1
## See `kubectl explain deployment.spec.strategy` for more
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
deploymentStrategy:
type: RollingUpdate
readinessProbe:
httpGet:
path: /api/health
port: 3000
initialDelaySeconds: 120
timeoutSeconds: 10
failureThreshold: 10
livenessProbe:
httpGet:
path: /api/health
port: 3000
initialDelaySeconds: 60
timeoutSeconds: 30
failureThreshold: 10
## Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
# schedulerName: "default-scheduler"
image:
repository: grafana/grafana
tag: 6.3.4
pullPolicy: IfNotPresent
## Optionally specify an array of imagePullSecrets.
## Secrets must be manually created in the namespace.
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
##
# pullSecrets:
# - myRegistrKeySecretName
testFramework:
image: "dduportal/bats"
tag: "0.4.0"
securityContext: {}
securityContext:
runAsUser: 472
fsGroup: 472
extraConfigmapMounts: []
# - name: certs-configmap
# mountPath: /etc/grafana/ssl/
# subPath: certificates.crt # (optional)
# configMap: certs-configmap
# readOnly: true
extraEmptyDirMounts: []
# - name: provisioning-notifiers
# mountPath: /etc/grafana/provisioning/notifiers
## Assign a PriorityClassName to pods if set
# priorityClassName:
downloadDashboardsImage:
repository: appropriate/curl
tag: latest
pullPolicy: IfNotPresent
downloadDashboards:
env: {}
## Pod Annotations
# podAnnotations: {}
## Deployment annotations
# annotations: {}
## Expose the grafana service to be accessed from outside the cluster (LoadBalancer service).
## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
## ref: http://kubernetes.io/docs/user-guide/services/
##
service:
type: ClusterIP
port: 80
targetPort: 3000
# targetPort: 4181 To be used with a proxy extraContainer
annotations: {}
labels: {}
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
kubernetes.io/tls-acme: "true"
labels: {}
path: /
hosts:
- grafana.corp.justin-tech.com
tls:
- hosts:
- grafana.corp.justin-tech.com
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
## Node labels for pod assignment
## ref: https://kubernetes.io/docs/user-guide/node-selection/
#
nodeSelector: {}
## Tolerations for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
##
tolerations: []
## Affinity for pod assignment
## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
##
affinity: {}
extraInitContainers: []
## Enable an Specify container in extraContainers. This is meant to allow adding an authentication proxy to a grafana pod
extraContainers: |
# - name: proxy
# image: quay.io/gambol99/keycloak-proxy:latest
# args:
# - -provider=github
# - -client-id=
# - -client-secret=
# - -github-org=<ORG_NAME>
# - -email-domain=*
# - -cookie-secret=
# - -http-address=http://0.0.0.0:4181
# - -upstream-url=http://127.0.0.1:3000
# ports:
# - name: proxy-web
# containerPort: 4181
## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
persistence:
enabled: true
storageClassName: "nfs-client"
accessModes:
- ReadWriteOnce
size: 10Gi
# annotations: {}
finalizers:
- kubernetes.io/pvc-protection
# subPath: ""
# existingClaim:
initChownData:
## If false, data ownership will not be reset at startup
## This allows the prometheus-server to be run with an arbitrary user
##
enabled: true
## initChownData container image
##
image:
repository: busybox
tag: "1.30"
pullPolicy: IfNotPresent
## initChownData resource requests and limits
## Ref: http://kubernetes.io/docs/user-guide/compute-resources/
##
resources: {}
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
# Administrator credentials when not using an existing secret (see below)
adminUser: admin
adminPassword: changeme
# Use an existing secret for the admin user.
#admin:
# existingSecret: ""
# userKey: admin-user
# passwordKey: admin-password
## Define command to be executed at startup by grafana container
## Needed if using `vault-env` to manage secrets (ref: https://banzaicloud.com/blog/inject-secrets-into-pods-vault/)
## Default is "run.sh" as defined in grafana's Dockerfile
# command:
# - "sh"
# - "/run.sh"
## Use an alternate scheduler, e.g. "stork".
## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
##
# schedulerName:
## Extra environment variables that will be pass onto deployment pods
env: {}
## The name of a secret in the same kubernetes namespace which contain values to be added to the environment
## This can be useful for auth tokens, etc
envFromSecret: ""
## Additional grafana server secret mounts
# Defines additional mounts with secrets. Secrets must be manually created in the namespace.
extraSecretMounts: []
# - name: secret-files
# mountPath: /etc/secrets
# secretName: grafana-secret-files
# readOnly: true
## Additional grafana server volume mounts
# Defines additional volume mounts.
extraVolumeMounts: []
# - name: extra-volume
# mountPath: /mnt/volume
# readOnly: true
# existingClaim: volume-claim
## Pass the plugins you want installed as a list.
##
plugins:
# - digrich-bubblechart-panel
- grafana-clock-panel
- grafana-piechart-panel
- grafana-worldmap-panel
- raintank-worldping-app
- satellogic-3d-globe-panel
- yesoreyeram-boomtable-panel
- yesoreyeram-boomtheme-panel
- cloudflare-app
- sbueringer-consul-datasource
- andig-darksky-datasource
- agenty-flowcharting-panel
- grafana-kubernetes-app
- camptocamp-prometheus-alertmanager-datasource
- snuids-radar-panel
- snuids-trafficlights-panel
- blackmirror1-statusbygroup-panel
## Configure grafana datasources
## ref: http://docs.grafana.org/administration/provisioning/#datasources
##
datasources:
datasources.yaml:
apiVersion: 1
datasources:
- name: Prometheus
type: prometheus
url: http://prometheus-server:80
access: proxy
isDefault: true
## Configure notifiers
## ref: http://docs.grafana.org/administration/provisioning/#alert-notification-channels
##
notifiers: {}
# notifiers.yaml:
# notifiers:
# - name: email-notifier
# type: email
# uid: email1
# # either:
# org_id: 1
# # or
# org_name: Main Org.
# is_default: true
# settings:
# addresses: an_email_address@example.com
# delete_notifiers:
## Configure grafana dashboard providers
## ref: http://docs.grafana.org/administration/provisioning/#dashboards
##
## `path` must be /var/lib/grafana/dashboards/<provider_name>
##
dashboardProviders: {}
# dashboardproviders.yaml:
# apiVersion: 1
# providers:
# - name: 'default'
# orgId: 1
# folder: ''
# type: file
# disableDeletion: false
# editable: true
# options:
# path: /var/lib/grafana/dashboards/default
# - name: 'dashboards'
# orgId: 2
# folder: ''
# type: file
# disableDeletion: false
# editable: true
# options:
# path: /var/lib/grafana/dashboards/dashboards
## Configure grafana dashboard to import
## NOTE: To use dashboards you must also enable/configure dashboardProviders
## ref: https://grafana.com/dashboards
##
## dashboards per provider, use provider name as key.
##
dashboards: {}
# default:
# cluster-monitoring-for-kubernetes:
# gnetId: 10000
# revision: 1
# datasource: Prometheus
# dashboards:
# kubernetes-capacity: