From eba053309e26fabd8c883a5b9dc1de0d3976afbe Mon Sep 17 00:00:00 2001 From: Tanguy Herbron Date: Mon, 3 Mar 2025 20:08:05 +0100 Subject: [PATCH] feat: Add all configuration --- manifests/deployment.yaml | 209 ++++++++++++++++++++++++++++------- manifests/ingress.yaml | 88 ++++++++++++--- manifests/kustomization.yaml | 5 +- manifests/pvc.yaml | 31 ++++++ manifests/secrets.yaml | 24 ++++ manifests/service.yaml | 72 +++++++++++- 6 files changed, 366 insertions(+), 63 deletions(-) create mode 100644 manifests/pvc.yaml create mode 100644 manifests/secrets.yaml diff --git a/manifests/deployment.yaml b/manifests/deployment.yaml index 671d164..46bbe60 100644 --- a/manifests/deployment.yaml +++ b/manifests/deployment.yaml @@ -1,10 +1,43 @@ -# TODO -# -# Update var envs -# Create necessary secrets -# Explore volume organisation -# Test multiple replicas configuration - +apiVersion: apps/v1 +kind: Deployment +metadata: + name: netbird-dashboard + namespace: netbird +spec: + replicas: 1 + selector: + matchLabels: + app: netbird-dashboard + template: + metadata: + labels: + app: netbird-dashboard + spec: + containers: + - name: dashboard + image: netbirdio/dashboard:v2.9.0 + ports: + - containerPort: 80 + env: + - name: NETBIRD_MGMT_API_ENDPOINT + value: "https://netbird.halis.io" + - name: NETBIRD_MGMT_GRPC_API_ENDPOINT + value: "https://netbird.halis.io" + - name: AUTH_CLIENT_SECRET + value: "" + - name: AUTH_AUTHORITY + value: "https://zitadel.halis.io" + - name: USE_AUTH0 + value: "false" + - name: AUTH_SUPPORTED_SCOPES + value: "openid profile email offline_access" + - name: AUTH_REDIRECT_URI + value: "/nb-auth" + - name: AUTH_SILENT_REDIRECT_URI + value: "/nb-silent-auth" + - name: NETBIRD_TOKEN_SOURCE + value: "" +--- apiVersion: apps/v1 kind: Deployment metadata: 
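Review bot: The new `netbird-dashboard` container sets `AUTH_CLIENT_SECRET` and `NETBIRD_TOKEN_SOURCE` to the literal `""`, and the `AUTH_CLIENT_ID` / `AUTH_AUDIENCE` variables carried by the removed env block in the next hunk are not set at all, so the OIDC configuration against `AUTH_AUTHORITY` looks incomplete as committed. If the secret is meant to arrive through the `netbird-secrets` application, consume it the way the relay hunk does, `valueFrom: { secretKeyRef: { name: <dashboard-secret-name>, key: <secret-key> } }`, instead of a plain `value:` that would have to be edited into the manifest. Whether the dashboard flow needs a client secret at all depends on how the IdP client is registered, so confirm that before adding it, but `AUTH_CLIENT_ID` is hard to do without.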
@@ -20,42 +53,134 @@ spec: labels: app: netbird spec: - hostname: netbird - subdomain: netbird containers: - - name: dashboard - image: netbirdio/dashboard:v2.3.0 - ports: - - containerPort: 80 - env: - - name: NETBIRD_MGMT_API_ENDPOINT - value: "" - - name: NETBIRD_MGMT_GRPC_API_ENDPOINT - value: "" - # OIDC - - name: AUTH_AUDIENCE - value: "" - - name: AUTH_CLIENT_ID - value: "" - - name: AUTH_CLIENT_SECRET - value: "" - - name: AUTH_AUTHORITY - value: "" - - name: USE_AUTH0 - value: "" - - name: AUTH_SUPPORTED_SCOPES - value: "" - - name: AUTH_REDIRECT_URI - value: "" - - name: AUTH_SILENT_REDIRECT_URI - value: "" - - name: NETBIRD_TOKEN_SOURCE - value: "" - name: management - image: netbirdio/management:0.27.5 - #command: [""] + image: netbirdio/management:0.36.7 + args: [ + "--port", "443", + "--log-file", "console", + "--log-level", "info", + "--disable-anonymous-metrics=true", + "--single-account-mode-domain=entos.kerux", + "--dns-domain=entos.kerux" + #"--disable-single-account-mode" + ] ports: - containerPort: 443 - # MISSING - # - coturn - # - signal + volumeMounts: + - mountPath: "/etc/netbird/management.json" + name: management-config + subPath: management.json + - mountPath: "/var/lib/netbird" + name: management-pvc + volumes: + - name: management-config + secret: + secretName: netbird-management-secrets + - name: management-pvc + persistentVolumeClaim: + claimName: management-pvc +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: netbird-signal + namespace: netbird +spec: + replicas: 1 + selector: + matchLabels: + app: netbird-signal + template: + metadata: + labels: + app: netbird-signal + spec: + containers: + - name: signal + image: netbirdio/signal:0.36.7 + ports: + - containerPort: 10000 + volumeMounts: + - mountPath: "/var/lib/netbird" + name: signal-pvc + volumes: + - name: signal-pvc + persistentVolumeClaim: + claimName: signal-pvc +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: netbird-relay + namespace: netbird 
+spec: + replicas: 1 + selector: + matchLabels: + app: netbird-relay + template: + metadata: + labels: + app: netbird-relay + spec: + containers: + - name: relay + image: netbirdio/relay:0.36.7 + ports: + - containerPort: 33080 + protocol: TCP + - containerPort: 33080 + protocol: UDP + env: + - name: NB_LOG_LEVEL + value: "debug" + - name: NB_LISTEN_ADDRESS + value: ":33080" + - name: NB_EXPOSED_ADDRESS + value: "rels://netbird.halis.io:33080" + # Add Relay section in configmap + - name: NB_AUTH_SECRET + valueFrom: + secretKeyRef: + name: netbird-relay-secrets + key: auth_secret +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: netbird-turn + namespace: netbird +spec: + replicas: 1 + selector: + matchLabels: + app: netbird-turn + template: + metadata: + labels: + app: netbird-turn + spec: + containers: + - name: coturn + image: coturn/coturn:4.6.3 + args: [ + "-c", "/etc/turnserver.conf" + ] + ports: + - containerPort: 3478 + protocol: UDP + - containerPort: 3478 + protocol: TCP + - containerPort: 5349 + protocol: UDP + - containerPort: 5349 + protocol: TCP + volumeMounts: + - mountPath: "/etc/turnserver.conf:ro" + name: coturn-config + subPath: turnserver.conf + volumes: + - name: coturn-config + secret: + secretName: netbird-turn-secrets diff --git a/manifests/ingress.yaml b/manifests/ingress.yaml index f4b2330..9a29b88 100644 --- a/manifests/ingress.yaml +++ b/manifests/ingress.yaml 
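Review bot: The coturn container's `mountPath: "/etc/turnserver.conf:ro"` will not work as intended: Kubernetes treats the whole string as the path, so the file lands at a path literally named `/etc/turnserver.conf:ro` while `-c /etc/turnserver.conf` points at a file that does not exist, and the mount is not read-only either. Use `mountPath: "/etc/turnserver.conf"` with `readOnly: true` on the same volumeMount entry. Separately, the relay runs with `NB_LOG_LEVEL: "debug"`, which is noisier than the management container's `info`; presumably that is a leftover from bring-up, so either align it or leave a comment saying why it stays. The `netbird` management Deployment this hunk edits starts before the hunk.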
@@ -1,18 +1,74 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute +apiVersion: networking.k8s.io/v1 +kind: Ingress metadata: - name: netbird-ingress - namespace: netbird - annotations: - kubernetes.io/ingress.class: "traefik" + name: netbird-ingress + namespace: netbird + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + kubernetes.io/ingress.class: nginx-external + acme.cert-manager.io/http01-edit-in-place: "true" spec: - entryPoints: - - websecure - routes: - - kind: Rule - match: Host(`netbird.beta.halia.dev`) - services: - - name: netbird-svc - namespace: netbird - port: 80 - passHostHeader: true + tls: + - hosts: + - netbird.halis.io + secretName: netbird-halis-io-tls + ingressClassName: nginx-external + rules: + - host: netbird.halis.io + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: netbird-svc + port: + number: 80 + - path: /api + pathType: Prefix + backend: + service: + name: netbird-management-svc + port: + number: 443 + - path: /relay + pathType: Prefix + backend: + service: + name: netbird-relay-svc + port: + number: 33080 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: netbird-grpc-ingress + namespace: netbird + annotations: + kubernetes.io/ingress.class: nginx-external + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/backend-protocol: "GRPC" +spec: + tls: + - hosts: + - netbird.halis.io + secretName: netbird-halis-io-tls + ingressClassName: nginx-external + rules: + - host: netbird.halis.io + http: + paths: + - path: "/management.ManagementService" + pathType: Prefix + backend: + service: + name: netbird-management-svc + port: + number: 443 + - path: "/signalexchange.SignalExchange" + pathType: Prefix + backend: + service: + name: netbird-signal-svc + port: + number: 10000 diff --git a/manifests/kustomization.yaml b/manifests/kustomization.yaml index f9c389a..95c826e 100644 --- a/manifests/kustomization.yaml 
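Review bot: Both Ingress objects set the deprecated `kubernetes.io/ingress.class` annotation and `spec.ingressClassName` at the same time; with both present controllers can disagree about which wins, so drop the annotation and keep `ingressClassName: nginx-external`. Both objects also claim the same `netbird-halis-io-tls` secret for the same host while only the first carries the cert-manager issuer annotation, which is workable but worth a comment such as `# TLS secret is issued via netbird-ingress; do not add cert-manager annotations here` on `netbird-grpc-ingress` so nobody adds a second issuer and triggers competing renewals. The `/relay` path is plain HTTP proxying; if the relay needs long-lived WebSocket connections, the nginx proxy timeouts may need annotations, but that cannot be confirmed from this diff.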
+++ b/manifests/kustomization.yaml @@ -1,11 +1,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: netbird - resources: - namespace.yaml + - secrets.yaml - service.yaml - ingress.yaml + - pvc.yaml - deployment.yaml - diff --git a/manifests/pvc.yaml b/manifests/pvc.yaml new file mode 100644 index 0000000..c23f290 --- /dev/null +++ b/manifests/pvc.yaml @@ -0,0 +1,31 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: management-pvc + namespace: netbird + labels: + recurring-job.longhorn.io/source: enabled + recurring-job-group.longhorn.io/standard-pvc: enabled +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 5Gi + storageClassName: redundant-storage-class +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: signal-pvc + namespace: netbird + labels: + recurring-job.longhorn.io/source: enabled + recurring-job-group.longhorn.io/standard-pvc: enabled +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: redundant-storage-class diff --git a/manifests/secrets.yaml b/manifests/secrets.yaml new file mode 100644 index 0000000..ad88003 --- /dev/null +++ b/manifests/secrets.yaml @@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: netbird-secrets + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: default + source: + repoURL: https://git.halis.io/athens-school/k3s-secrets + targetRevision: prod-migration + path: netbird + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=false + - ApplyOutOfSyncOnly=true + - PruneLast=true + destination: + server: https://kubernetes.default.svc + namespace: netbird diff --git a/manifests/service.yaml b/manifests/service.yaml index 577d4c0..4042afa 100644 --- a/manifests/service.yaml +++ b/manifests/service.yaml 
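Review bot: Both PersistentVolumeClaims request `ReadWriteMany` although each backing Deployment in this commit runs `replicas: 1`, and the management service keeps its state under `/var/lib/netbird`; if that store is file-backed, scaling up later onto a shared RWX volume would let two pods write the same files concurrently. Unless multi-replica access is actually planned, `ReadWriteOnce` expresses the real requirement and prevents that by construction. A comment on each claim, `# RWX chosen for <reason>; management/signal are single-replica`, would make the intent explicit either way.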
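Review bot: The `netbird-secrets` Argo Application pulls from `targetRevision: prod-migration`, a branch name rather than a tag or commit, with `automated.prune` and `selfHeal` enabled, so any push to that branch is applied to the `netbird` namespace immediately. If that branch is transitional, as the name suggests, note when it is expected to move, e.g. `# TODO: repoint targetRevision once prod-migration is merged`, so the pin is not forgotten.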
@@ -8,10 +8,78 @@ spec: - name: dashboard port: 80 protocol: TCP - targetPort: 8080 + targetPort: 80 + selector: + app: netbird-dashboard +--- +apiVersion: v1 +kind: Service +metadata: + name: netbird-management-svc + namespace: netbird +spec: + ports: - name: management port: 443 protocol: TCP - targetPort: 4443 + targetPort: 443 selector: app: netbird +--- +apiVersion: v1 +kind: Service +metadata: + name: netbird-signal-svc + namespace: netbird +spec: + ports: + - name: signal + port: 10000 + protocol: TCP + targetPort: 10000 + selector: + app: netbird-signal +--- +apiVersion: v1 +kind: Service +metadata: + name: netbird-relay-svc + namespace: netbird +spec: + ports: + - name: relay-udp + port: 33080 + protocol: UDP + targetPort: 33080 + - name: relay-tcp + port: 33080 + protocol: TCP + targetPort: 33080 + selector: + app: netbird-relay +--- +apiVersion: v1 +kind: Service +metadata: + name: netbird-turn-svc + namespace: netbird +spec: + ports: + - name: turn-one-udp + port: 3478 + protocol: UDP + targetPort: 3478 + - name: turn-one-tcp + port: 3478 + protocol: TCP + targetPort: 3478 + - name: turn-two-udp + port: 5349 + protocol: UDP + targetPort: 5349 + - name: turn-two-tcp + port: 5349 + protocol: TCP + targetPort: 5349 + selector: + app: netbird-turn
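Review bot: `netbird-turn-svc` and `netbird-relay-svc` expose UDP ports (3478/5349 and 33080) on Services with no `type:` set, so they default to ClusterIP and are reachable only inside the cluster, while the Ingress objects in this commit only forward HTTP paths; nothing shown here makes TURN or relay UDP reachable from peers outside the cluster. If an external LoadBalancer or NodePort is defined elsewhere, a comment naming it on the Service would help; otherwise these two Services need `type: LoadBalancer` (or NodePort) for the UDP traffic to be usable. The first Service in this file, whose metadata sits above the hunk, is only partly visible here.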