diff --git a/kubernetes/prod/us-west-2/00-default-storage-class.yml b/kubernetes/prod/us-west-2/00-default-storage-class.yml
index f9d12fe32..584210105 100644
--- a/kubernetes/prod/us-west-2/00-default-storage-class.yml
+++ b/kubernetes/prod/us-west-2/00-default-storage-class.yml
@@ -1,4 +1,4 @@
-apiVersion: storage.k8s.io/v1beta1
+apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
 name: default
diff --git a/kubernetes/prod/us-west-2/ark/00-prereqs.yaml b/kubernetes/prod/us-west-2/ark/00-prereqs.yaml
index fa9de43fe..0cdafb751 100644
--- a/kubernetes/prod/us-west-2/ark/00-prereqs.yaml
+++ b/kubernetes/prod/us-west-2/ark/00-prereqs.yaml
@@ -13,7 +13,7 @@
 # limitations under the License.
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: backups.ark.heptio.com
@@ -21,14 +21,25 @@ metadata:
 component: ark
 spec:
 group: ark.heptio.com
- version: v1
+ versions:
+ - additionalPrinterColumns:
+ - description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ served: true
+ storage: true
 scope: Namespaced
 names:
 plural: backups
 kind: Backup
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: schedules.ark.heptio.com
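Review bot: The converted ark CRDs (the `@@ -21` hunk here and the `@@ -36`, `-51`, `-66`, `-81`, `-96`, `-111`, `-126`, `-141` and `-156` hunks that follow) add a `versions:` entry with no `schema`, and apiextensions.k8s.io/v1 requires a structural schema for every served version, so the API server rejects all nine on apply. The closest v1 equivalent of the old v1beta1 behaviour, where Ark's types carried no schema at all, is an open object schema on `v1` with unknown fields preserved, as below. The calico.yaml hunks bump the same apiVersion but show only the first lines of each CRD; confirm their `spec`, outside the hunk, already carries a schema, since the upstream manifest this was taken from may predate that requirement.
```yaml
  versions:
  - additionalPrinterColumns:
    # … unchanged: Age printer column …
    name: v1
    schema:
      openAPIV3Schema:
        type: object
        x-kubernetes-preserve-unknown-fields: true
    served: true
    storage: true
```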
@@ -36,14 +47,25 @@ metadata:
 component: ark
 spec:
 group: ark.heptio.com
- version: v1
+ versions:
+ - additionalPrinterColumns:
+ - description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ served: true
+ storage: true
 scope: Namespaced
 names:
 plural: schedules
 kind: Schedule
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: restores.ark.heptio.com
@@ -51,14 +73,25 @@ metadata:
 component: ark
 spec:
 group: ark.heptio.com
- version: v1
+ versions:
+ - additionalPrinterColumns:
+ - description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ served: true
+ storage: true
 scope: Namespaced
 names:
 plural: restores
 kind: Restore
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: downloadrequests.ark.heptio.com
@@ -66,14 +99,25 @@ metadata:
 component: ark
 spec:
 group: ark.heptio.com
- version: v1
+ versions:
+ - additionalPrinterColumns:
+ - description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ served: true
+ storage: true
 scope: Namespaced
 names:
 plural: downloadrequests
 kind: DownloadRequest
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: deletebackuprequests.ark.heptio.com
@@ -81,14 +125,25 @@ metadata:
 component: ark
 spec:
 group: ark.heptio.com
- version: v1
+ versions:
+ - additionalPrinterColumns:
+ - description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ served: true
+ storage: true
 scope: Namespaced
 names:
 plural: deletebackuprequests
 kind: DeleteBackupRequest
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: podvolumebackups.ark.heptio.com
@@ -96,14 +151,25 @@ metadata:
 component: ark
 spec:
 group: ark.heptio.com
- version: v1
+ versions:
+ - additionalPrinterColumns:
+ - description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ served: true
+ storage: true
 scope: Namespaced
 names:
 plural: podvolumebackups
 kind: PodVolumeBackup
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: podvolumerestores.ark.heptio.com
@@ -111,14 +177,25 @@ metadata:
 component: ark
 spec:
 group: ark.heptio.com
- version: v1
+ versions:
+ - additionalPrinterColumns:
+ - description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ served: true
+ storage: true
 scope: Namespaced
 names:
 plural: podvolumerestores
 kind: PodVolumeRestore
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: resticrepositories.ark.heptio.com
@@ -126,14 +203,25 @@ metadata:
 component: ark
 spec:
 group: ark.heptio.com
- version: v1
+ versions:
+ - additionalPrinterColumns:
+ - description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ served: true
+ storage: true
 scope: Namespaced
 names:
 plural: resticrepositories
 kind: ResticRepository
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: backupstoragelocations.ark.heptio.com
@@ -141,14 +229,25 @@ metadata:
 component: ark
 spec:
 group: ark.heptio.com
- version: v1
+ versions:
+ - additionalPrinterColumns:
+ - description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ served: true
+ storage: true
 scope: Namespaced
 names:
 plural: backupstoragelocations
 kind: BackupStorageLocation
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: volumesnapshotlocations.ark.heptio.com
@@ -156,7 +255,18 @@ metadata:
 component: ark
 spec:
 group: ark.heptio.com
- version: v1
+ versions:
+ - additionalPrinterColumns:
+ - description: |-
+ CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC.
+
+ Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1
+ served: true
+ storage: true
 scope: Namespaced
 names:
 plural: volumesnapshotlocations
@@ -178,7 +288,7 @@ metadata:
 component: ark
 ---
-apiVersion: rbac.authorization.k8s.io/v1beta1
+apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
 name: ark
diff --git a/kubernetes/prod/us-west-2/ark/10-deployment-kube2iam.yaml b/kubernetes/prod/us-west-2/ark/10-deployment-kube2iam.yaml
index 8ab15c733..b2c67542e 100644
--- a/kubernetes/prod/us-west-2/ark/10-deployment-kube2iam.yaml
+++ b/kubernetes/prod/us-west-2/ark/10-deployment-kube2iam.yaml
@@ -1,4 +1,4 @@
-apiVersion: apps/v1beta1
+apiVersion: apps/v1
 kind: Deployment
 metadata:
 namespace: heptio-ark
diff --git a/kubernetes/prod/us-west-2/calico/calico.yaml b/kubernetes/prod/us-west-2/calico/calico.yaml
index cfb617d69..fc1605ac6 100644
--- a/kubernetes/prod/us-west-2/calico/calico.yaml
+++ b/kubernetes/prod/us-west-2/calico/calico.yaml
@@ -142,7 +142,7 @@ spec:
 # Create all the CustomResourceDefinitions needed for
 # Calico policy-only mode.
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: felixconfigurations.crd.projectcalico.org
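Review bot: The kube2iam Deployment hunk shows only the `apiVersion: apps/v1` line, and apps/v1 makes `spec.selector` mandatory and immutable where apps/v1beta1 defaulted it from the pod template labels; the rest of the Deployment is outside the hunk, so confirm it declares `selector.matchLabels` matching `template.metadata.labels`, otherwise the apply fails. If the live object was created under v1beta1 with a defaulted selector, any selector written now that differs from the defaulted one is rejected as an immutable-field change and the Deployment has to be recreated, which for kube2iam means a window in which pods get no IAM credentials.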
@@ -160,7 +160,7 @@ spec:
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: ipamblocks.crd.projectcalico.org
@@ -178,7 +178,7 @@ spec:
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: blockaffinities.crd.projectcalico.org
@@ -196,7 +196,7 @@ spec:
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: bgpconfigurations.crd.projectcalico.org
@@ -213,7 +213,7 @@ spec:
 singular: bgpconfiguration
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: bgppeers.crd.projectcalico.org
@@ -230,7 +230,7 @@ spec:
 singular: bgppeer
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: ippools.crd.projectcalico.org
@@ -248,7 +248,7 @@ spec:
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: hostendpoints.crd.projectcalico.org
@@ -266,7 +266,7 @@ spec:
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: clusterinformations.crd.projectcalico.org
@@ -284,7 +284,7 @@ spec:
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: globalnetworkpolicies.crd.projectcalico.org
@@ -302,7 +302,7 @@ spec:
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: globalnetworksets.crd.projectcalico.org
@@ -320,7 +320,7 @@ spec:
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: networkpolicies.crd.projectcalico.org
@@ -338,7 +338,7 @@ spec:
 ---
-apiVersion: apiextensions.k8s.io/v1beta1
+apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
 name: networksets.crd.projectcalico.org
@@ -599,7 +599,7 @@ spec:
 ---
 # This manifest creates a Pod Disruption Budget for Typha to allow K8s Cluster Autoscaler to evict
-apiVersion: policy/v1beta1
+apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:
 name: calico-typha
diff --git a/kubernetes/prod/us-west-2/coredns/system-coredns.clusterrole.yml b/kubernetes/prod/us-west-2/coredns/system-coredns.clusterrole.yml
new file mode 100644
index 000000000..9bcd565b9
--- /dev/null
+++ b/kubernetes/prod/us-west-2/coredns/system-coredns.clusterrole.yml
@@ -0,0 +1,32 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ eks.amazonaws.com/component: coredns
+ k8s-app: kube-dns
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:coredns
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ - services
+ - pods
+ - namespaces
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - nodes
+ verbs:
+ - get
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - list
+ - watch
diff --git a/kubernetes/prod/us-west-2/coredns/system-coredns.clusterrolebinding.yml b/kubernetes/prod/us-west-2/coredns/system-coredns.clusterrolebinding.yml
new file mode 100644
index 000000000..e46ab45bb
--- /dev/null
+++ b/kubernetes/prod/us-west-2/coredns/system-coredns.clusterrolebinding.yml
@@ -0,0 +1,18 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ annotations:
+ rbac.authorization.kubernetes.io/autoupdate: "true"
+ labels:
+ eks.amazonaws.com/component: coredns
+ k8s-app: kube-dns
+ kubernetes.io/bootstrapping: rbac-defaults
+ name: system:coredns
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:coredns
+subjects:
+- kind: ServiceAccount
+ name: coredns
+ namespace: kube-system
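Review bot: The new `system:coredns` ClusterRole and ClusterRoleBinding carry `eks.amazonaws.com/component: coredns` and `kubernetes.io/bootstrapping: rbac-defaults` labels, and the binding has `rbac.authorization.kubernetes.io/autoupdate: "true"`, which reads like an export of objects the EKS CoreDNS add-on owns; applying this copy from the repo will compete with that reconciler, and any narrowing of the rules made here would presumably be reverted without notice. If the intent is only to keep a reviewable record of the live role, say so at the top of both files, e.g. `# Exported from the EKS-managed CoreDNS add-on; the add-on is the source of truth, do not hand-edit`, so nobody treats the file as authoritative. If the intent is to own these objects, drop the add-on labels and the autoupdate annotation so the two controllers stop fighting over them.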
diff --git a/kubernetes/prod/us-west-2/dinopark-prod/dino-park-packs-expirations-cron.cronjob.yml b/kubernetes/prod/us-west-2/dinopark-prod/dino-park-packs-expirations-cron.cronjob.yml
new file mode 100644
index 000000000..da37fe58d
--- /dev/null
+++ b/kubernetes/prod/us-west-2/dinopark-prod/dino-park-packs-expirations-cron.cronjob.yml
@@ -0,0 +1,38 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: dino-park-packs-expirations-cron
+ namespace: dinopark-prod
+spec:
+ concurrencyPolicy: Allow
+ failedJobsHistoryLimit: 1
+ jobTemplate:
+ metadata:
+ creationTimestamp: null
+ spec:
+ template:
+ metadata:
+ creationTimestamp: null
+ spec:
+ containers:
+ - args:
+ - /bin/sh
+ - -c
+ - curl -X POST dino-park-packs-service/internal/expire/all
+ image: curlimages/curl
+ imagePullPolicy: Always
+ name: dino-park-packs-notify-cron
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ dnsPolicy: ClusterFirst
+ restartPolicy: OnFailure
+ schedulerName: default-scheduler
+ securityContext: {}
+ terminationGracePeriodSeconds: 30
+ schedule: '0 * * * * '
+ successfulJobsHistoryLimit: 3
+ suspend: false
+status:
+ lastScheduleTime: "2023-05-31T06:00:00Z"
+ lastSuccessfulTime: "2023-05-31T06:00:08Z"
diff --git a/kubernetes/prod/us-west-2/dinopark-prod/dino-park-packs-notify-cron.cronjob.yml b/kubernetes/prod/us-west-2/dinopark-prod/dino-park-packs-notify-cron.cronjob.yml
new file mode 100644
index 000000000..e3d754132
--- /dev/null
+++ b/kubernetes/prod/us-west-2/dinopark-prod/dino-park-packs-notify-cron.cronjob.yml
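Review bot: The curl invocation in this CronJob (and in the three `@@ -0,0 +1,38 @@` hunks that follow) cannot fail: without `--fail`, curl exits 0 on an HTTP 4xx/5xx, so `restartPolicy: OnFailure` never retries and `failedJobsHistoryLimit` never records a failed expiry or notification run; use `curl -fsS -X POST dino-park-packs-service/internal/expire/all` here and the `/internal/notify/all` equivalent in the notify jobs. The two expirations jobs also name their container `dino-park-packs-notify-cron`, a copy-paste from the notify job that mislabels their logs and metrics; rename it `dino-park-packs-expirations-cron`. The `status:` block and the two `creationTimestamp: null` lines are server-populated fields from a `kubectl get` export and should be stripped, and `schedule: '0 * * * * '` carries a stray trailing space inside the quotes. `image: curlimages/curl` with `imagePullPolicy: Always` resolves a floating tag on every run, so pin a tag or digest. Nothing in the manifest authenticates the POST, so network reachability of `dino-park-packs-service` is the only control on who can trigger a bulk expiry; confirm a NetworkPolicy limiting ingress to that service exists elsewhere.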
@@ -0,0 +1,38 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: dino-park-packs-notify-cron
+ namespace: dinopark-prod
+spec:
+ concurrencyPolicy: Allow
+ failedJobsHistoryLimit: 1
+ jobTemplate:
+ metadata:
+ creationTimestamp: null
+ spec:
+ template:
+ metadata:
+ creationTimestamp: null
+ spec:
+ containers:
+ - args:
+ - /bin/sh
+ - -c
+ - curl -X POST dino-park-packs-service/internal/notify/all
+ image: curlimages/curl
+ imagePullPolicy: Always
+ name: dino-park-packs-notify-cron
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ dnsPolicy: ClusterFirst
+ restartPolicy: OnFailure
+ schedulerName: default-scheduler
+ securityContext: {}
+ terminationGracePeriodSeconds: 30
+ schedule: '0 12 * * * '
+ successfulJobsHistoryLimit: 3
+ suspend: false
+status:
+ lastScheduleTime: "2023-05-30T12:00:00Z"
+ lastSuccessfulTime: "2023-05-30T12:00:08Z"
diff --git a/kubernetes/prod/us-west-2/dinopark-test/dino-park-packs-expirations-cron.cronjob.yml b/kubernetes/prod/us-west-2/dinopark-test/dino-park-packs-expirations-cron.cronjob.yml
new file mode 100644
index 000000000..c3785c31a
--- /dev/null
+++ b/kubernetes/prod/us-west-2/dinopark-test/dino-park-packs-expirations-cron.cronjob.yml
@@ -0,0 +1,38 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: dino-park-packs-expirations-cron
+ namespace: dinopark-test
+spec:
+ concurrencyPolicy: Allow
+ failedJobsHistoryLimit: 1
+ jobTemplate:
+ metadata:
+ creationTimestamp: null
+ spec:
+ template:
+ metadata:
+ creationTimestamp: null
+ spec:
+ containers:
+ - args:
+ - /bin/sh
+ - -c
+ - curl -X POST dino-park-packs-service/internal/expire/all
+ image: curlimages/curl
+ imagePullPolicy: Always
+ name: dino-park-packs-notify-cron
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ dnsPolicy: ClusterFirst
+ restartPolicy: OnFailure
+ schedulerName: default-scheduler
+ securityContext: {}
+ terminationGracePeriodSeconds: 30
+ schedule: '0 * * * * '
+ successfulJobsHistoryLimit: 3
+ suspend: false
+status:
+ lastScheduleTime: "2023-05-31T06:00:00Z"
+ lastSuccessfulTime: "2023-05-31T06:00:07Z"
diff --git a/kubernetes/prod/us-west-2/dinopark-test/dino-park-packs-notify-cron.cronjob.yml b/kubernetes/prod/us-west-2/dinopark-test/dino-park-packs-notify-cron.cronjob.yml
new file mode 100644
index 000000000..453b6f67a
--- /dev/null
+++ b/kubernetes/prod/us-west-2/dinopark-test/dino-park-packs-notify-cron.cronjob.yml
@@ -0,0 +1,38 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: dino-park-packs-notify-cron
+ namespace: dinopark-test
+spec:
+ concurrencyPolicy: Allow
+ failedJobsHistoryLimit: 1
+ jobTemplate:
+ metadata:
+ creationTimestamp: null
+ spec:
+ template:
+ metadata:
+ creationTimestamp: null
+ spec:
+ containers:
+ - args:
+ - /bin/sh
+ - -c
+ - curl -X POST dino-park-packs-service/internal/notify/all
+ image: curlimages/curl
+ imagePullPolicy: Always
+ name: dino-park-packs-notify-cron
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ dnsPolicy: ClusterFirst
+ restartPolicy: OnFailure
+ schedulerName: default-scheduler
+ securityContext: {}
+ terminationGracePeriodSeconds: 30
+ schedule: '0 12 * * * '
+ successfulJobsHistoryLimit: 3
+ suspend: false
+status:
+ lastScheduleTime: "2023-05-30T12:00:00Z"
+ lastSuccessfulTime: "2023-05-30T12:00:10Z"
diff --git a/kubernetes/prod/us-west-2/graylog/01-storage-class.yml b/kubernetes/prod/us-west-2/graylog/01-storage-class.yml
index 0da7ff177..6959cf611 100644
--- a/kubernetes/prod/us-west-2/graylog/01-storage-class.yml
+++ b/kubernetes/prod/us-west-2/graylog/01-storage-class.yml
@@ -1,9 +1,8 @@
-apiVersion: storage.k8s.io/v1beta1
+apiVersion: storage.k8s.io/v1
 kind: StorageClass
 metadata:
 name: logging-storage
 provisioner: kubernetes.io/aws-ebs
 parameters:
 type: gp2
-allowVolumeExpansion: true
diff --git a/kubernetes/prod/us-west-2/ingress-controller-global/nginx-ingress-role.role.yml b/kubernetes/prod/us-west-2/ingress-controller-global/nginx-ingress-role.role.yml
new file mode 100644
index 000000000..c2a3226a8
--- /dev/null
+++ b/kubernetes/prod/us-west-2/ingress-controller-global/nginx-ingress-role.role.yml
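Review bot: The graylog StorageClass hunk drops `allowVolumeExpansion: true` together with the apiVersion bump, which is a behaviour change unrelated to the API migration: PVCs on `logging-storage` can no longer be resized in place, so growing a Graylog or Elasticsearch volume would mean recreating the claim and its data. If the removal is not intentional, keep the line, which is valid under storage.k8s.io/v1: `allowVolumeExpansion: true`. If it is intentional, the commit message should say why, since the field is a one-way door for existing claims.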
@@ -0,0 +1,36 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: nginx-ingress-role
+ namespace: ingress-nginx
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - pods
+ - secrets
+ - namespaces
+ verbs:
+ - get
+- apiGroups:
+ - ""
+ resourceNames:
+ - ingress-controller-leader-nginx
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - update
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - create
+- apiGroups:
+ - ""
+ resources:
+ - endpoints
+ verbs:
+ - get
diff --git a/kubernetes/prod/us-west-2/kube2iam/kube2iam.clusterrole.yml b/kubernetes/prod/us-west-2/kube2iam/kube2iam.clusterrole.yml
new file mode 100644
index 000000000..cf8f8b7d4
--- /dev/null
+++ b/kubernetes/prod/us-west-2/kube2iam/kube2iam.clusterrole.yml
@@ -0,0 +1,14 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: kube2iam
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ - pods
+ verbs:
+ - get
+ - watch
+ - list
diff --git a/kubernetes/prod/us-west-2/kube2iam/kube2iam.clusterrolebinding.yml b/kubernetes/prod/us-west-2/kube2iam/kube2iam.clusterrolebinding.yml
new file mode 100644
index 000000000..25254242b
--- /dev/null
+++ b/kubernetes/prod/us-west-2/kube2iam/kube2iam.clusterrolebinding.yml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: kube2iam
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: kube2iam
+subjects:
+- kind: ServiceAccount
+ name: kube2iam
+ namespace: kube-system
diff --git a/kubernetes/prod/us-west-2/monitoring/26-grafana-ingress.yml b/kubernetes/prod/us-west-2/monitoring/26-grafana-ingress.yml
index 2f4e44fed..020080aef 100644
--- a/kubernetes/prod/us-west-2/monitoring/26-grafana-ingress.yml
+++ b/kubernetes/prod/us-west-2/monitoring/26-grafana-ingress.yml
@@ -1,8 +1,9 @@
-apiVersion: extensions/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 annotations:
- certmanager.k8s.io/cluster-issuer: letsencrypt-production
+ cert-manager.io/issuer: letsencrypt-production
+ cert-manager.io/revision-history-limit: "1"
 kubernetes.io/ingress.class: nginx-monitoring
 nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
 name: grafana
@@ -13,20 +14,20 @@ spec:
 http:
 paths:
 - backend:
- serviceName: grafana
- servicePort: 3000
+ service:
+ name: grafana
+ port:
+ number: 3000
 path: /
- # We are disabling serving the /metrics endpoint from the external Loadbalancer
- # because it's not authenticated, so we leak Grafana metrics.
+ pathType: ImplementationSpecific
 - backend:
- serviceName: non-existent
- servicePort: 3000
+ service:
+ name: non-existent
+ port:
+ number: 3000
 path: /metrics
+ pathType: ImplementationSpecific
 tls:
 - hosts:
 - grafana.infra.iam.mozilla.com
 secretName: grafana-cert-secret
-status:
- loadBalancer:
- ingress:
- - hostname: a00435690f99111e8989b0ace417809a-10479801.us-west-2.elb.amazonaws.com
diff --git a/kubernetes/prod/us-west-2/monitoring/60-dinopark-metrics-cronjob.yml b/kubernetes/prod/us-west-2/monitoring/60-dinopark-metrics-cronjob.yml
index 2d322627a..397e6afe5 100644
--- a/kubernetes/prod/us-west-2/monitoring/60-dinopark-metrics-cronjob.yml
+++ b/kubernetes/prod/us-west-2/monitoring/60-dinopark-metrics-cronjob.yml
@@ -1,4 +1,4 @@
-apiVersion: batch/v1beta1
+apiVersion: batch/v1
 kind: CronJob
 metadata:
 name: dinopark-metrics
diff --git a/kubernetes/prod/us-west-2/monitoring/nginx-ingress-role-nisa-binding.rolebinding.yml b/kubernetes/prod/us-west-2/monitoring/nginx-ingress-role-nisa-binding.rolebinding.yml
new file mode 100644
index 000000000..f1cfbcda7
--- /dev/null
+++ b/kubernetes/prod/us-west-2/monitoring/nginx-ingress-role-nisa-binding.rolebinding.yml
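Review bot: The grafana Ingress annotation moves from a cluster-scoped issuer to `cert-manager.io/issuer: letsencrypt-production`, which names a namespaced Issuer in `monitoring`, while the sso-dashboard Ingress added later in this commit uses `cert-manager.io/cluster-issuer: letsencrypt-production`; unless an Issuer of that name exists in `monitoring`, the grafana certificate stops renewing and the site breaks when `grafana-cert-secret` expires, so either use `cert-manager.io/cluster-issuer` here too or confirm the namespaced Issuer. The second hunk also deletes the comment that explained why `/metrics` is routed to the `non-existent` backend; that was the only record that the path is deliberately blackholed because Grafana's metrics endpoint is unauthenticated, and without it the next maintainer will "fix" the dangling backend. Restore it above the second `- backend:` entry: `# /metrics is deliberately routed to a non-existent Service: Grafana's metrics endpoint is unauthenticated and must not be reachable through the external load balancer.` With networking.k8s.io/v1, `spec.ingressClassName: nginx-monitoring` is the supported replacement for the deprecated `kubernetes.io/ingress.class` annotation.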
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: nginx-ingress-role-nisa-binding
+ namespace: monitoring
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: nginx-ingress-role
+subjects:
+- kind: ServiceAccount
+ name: nginx-ingress-serviceaccount
+ namespace: monitoring
diff --git a/kubernetes/prod/us-west-2/pod-identity-webhook.MutatingWebhookConfiguration.yml b/kubernetes/prod/us-west-2/pod-identity-webhook.MutatingWebhookConfiguration.yml
new file mode 100644
index 000000000..0053e59b2
--- /dev/null
+++ b/kubernetes/prod/us-west-2/pod-identity-webhook.MutatingWebhookConfiguration.yml
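Review bot: This RoleBinding in `monitoring` (and the identical one for `sso-dashboard-prod` in a later hunk) points `roleRef` at `kind: Role`, `name: nginx-ingress-role`, but a Role is namespace-scoped and the only `nginx-ingress-role` defined in this commit lives in `ingress-nginx`; unless a Role of that name already exists in each target namespace, both bindings are dangling and grant nothing, and the API server accepts them without complaint. Either add a per-namespace copy of the Role alongside each binding, or record the dependency where the next reader will see it: `# Requires a Role named nginx-ingress-role in this namespace; the copy in ingress-nginx does not satisfy this binding.`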
@@ -0,0 +1,28 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: pod-identity-webhook
+webhooks:
+- admissionReviewVersions:
+ - v1beta1
+ clientConfig:
+ caBundle: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUN5RENDQWJDZ0F3SUJBZ0lCQURBTkJna3Foa2lHOXcwQkFRc0ZBREFWTVJNd0VRWURWUVFERXdwcmRXSmwKY201bGRHVnpNQjRYRFRFNE1USXdOakU0TVRJek5sb1hEVEk0TVRJd016RTRNVEl6Tmxvd0ZURVRNQkVHQTFVRQpBeE1LYTNWaVpYSnVaWFJsY3pDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVBBRENDQVFvQ2dnRUJBTFJkCjlaaXA1My9nWllNeDJhejVYZkxTRWFma2xqU251YkF4WjhiaUZ3dmpPeVNzbnluMWlmNnFQcTlnQkkyd2ZHNUMKdmgrV3NYZXA1RmpEUmFOK3VnajFsVjJhT3MwcDhtUk5ickUxSjZnSWw4MGFLVXZ1ZzJDT2VtNi90a1A1dnp6OQpabzBwRDhRV1ZTN1p3b2IwTURCdlJENHFiRjZ5dVczUUNsa2ZBUTE4d1B0UURmSzV1NVNzNTFDZGVjbXYwMGFnCnljWElXNm9ncjhQd2ZodW9uSWhnUWlzVlMxMEJoU3IvWXlEdnMwMldLZ054Rkt0SHpRQTVDbDhMNXA3Q1czdTEKYWorNHpvdDJpMnR2Y0NEZUE0OVlFU25tSkk1T1JEaXFoKzFNbW5ZbVZBQW1YcUt1amJrRWh3N3M1cmZxemtmeApaYVp6TzNEWGdjckQwRGhPVklzQ0F3RUFBYU1qTUNFd0RnWURWUjBQQVFIL0JBUURBZ0trTUE4R0ExVWRFd0VCCi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFGU2dDRHY1RjdHcEFPVFpxeXgvUk9acy9UUUYKcmdWbmY3OXVYcDVmRG1KOTNBV1FHY0h6SGE5N0c5b2RjNlFUUGFJbHREQm83a0U5TXVHZ0ozWmRtUDNLNXNjQQpTVEZGMnI3aGxzK2FJMit3ZWdjMis5aDNuZ3Baa244NTJwTTFGRjh2SnVlbWVVcEw3MUgrV1VpRDdJVkgvRHQxCkNVQnNPTk9XYkdFK1lCeHJaQ2xDMG1Iai9QK0JMSE8vY3Z1ZXpOZFdzWHUrVXgrbWNSZGxEUGlJTHk0RWZ3aGkKdGdVMGhWVElpL3dsa3lIY1N6WGoxbGwwM0R0KzBSSnVoZUhJTEtnV3hKa01CSHNENzc3V0NLaFEveEI3MzQ0RAp2K0t6UGJzbGFKWUV1TUxHQktCKzhmOFNNR21XUkVhS0FxY1VjYm1GSEMxVnVOdU9CSlA5TkFaR1V5cz0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+ url: https://127.0.0.1:23443/mutate
+ failurePolicy: Ignore
+ matchPolicy: Exact
+ name: iam-for-pods.amazonaws.com
+ namespaceSelector: {}
+ objectSelector: {}
+ reinvocationPolicy: Never
+ rules:
+ - apiGroups:
+ - ""
+ apiVersions:
+ - v1
+ operations:
+ - CREATE
+ resources:
+ - pods
+ scope: '*'
+ sideEffects: Unknown
+ timeoutSeconds: 30
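Review bot: `sideEffects: Unknown` is not accepted for objects submitted via admissionregistration.k8s.io/v1, which only allows `None` or `NoneOnDryRun` (the value survives here only because the live object was created through v1beta1), so applying this manifest to a fresh cluster fails; together with `admissionReviewVersions: [v1beta1]`, the loopback `url`, and the inlined `caBundle` it reads like a `kubectl get` export of the EKS-managed pod-identity webhook rather than something this repo should own. That matters because `failurePolicy: Ignore` makes any webhook the API server cannot reach, or cannot agree a review version with, silently skipped, and the consequence here would presumably be pods created without their IAM token mount and no error anywhere. If the file is kept, change it to `sideEffects: None`, list `v1` before `v1beta1` under `admissionReviewVersions`, and put a one-line note at the top stating that EKS manages the object. The `caBundle` appears to be the cluster CA certificate, so it is not a secret, but it will go stale on CA rotation, which is one more reason not to hand-maintain it.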
diff --git a/kubernetes/prod/us-west-2/sealed-secrets/sealed-secrets-controller.deployment.yml b/kubernetes/prod/us-west-2/sealed-secrets/sealed-secrets-controller.deployment.yml
new file mode 100644
index 000000000..12d6c4052
--- /dev/null
+++ b/kubernetes/prod/us-west-2/sealed-secrets/sealed-secrets-controller.deployment.yml
@@ -0,0 +1,74 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ name: sealed-secrets-controller
+ name: sealed-secrets-controller
+ namespace: kube-system
+spec:
+ minReadySeconds: 30
+ progressDeadlineSeconds: 600
+ replicas: 1
+ revisionHistoryLimit: 10
+ selector:
+ matchLabels:
+ name: sealed-secrets-controller
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ creationTimestamp: null
+ labels:
+ name: sealed-secrets-controller
+ spec:
+ containers:
+ - command:
+ - controller
+ image: docker.io/bitnami/sealed-secrets-controller:v0.9.7
+ imagePullPolicy: Always
+ livenessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: http
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ name: sealed-secrets-controller
+ ports:
+ - containerPort: 8080
+ name: http
+ protocol: TCP
+ readinessProbe:
+ failureThreshold: 3
+ httpGet:
+ path: /healthz
+ port: http
+ scheme: HTTP
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ resources: {}
+ securityContext:
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 1001
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /tmp
+ name: tmp
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext: {}
+ serviceAccount: sealed-secrets-controller
+ serviceAccountName: sealed-secrets-controller
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - emptyDir: {}
+ name: tmp
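Review bot: The sealed-secrets controller is the process holding the cluster's private unsealing key, yet the container `securityContext` stops at `readOnlyRootFilesystem`, `runAsNonRoot` and `runAsUser`, and `resources: {}` gives the pod BestEffort QoS, so it is the first candidate for eviction under node memory pressure. Add `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}` under the container `securityContext`, and at least memory and CPU requests. `image: docker.io/bitnami/sealed-secrets-controller:v0.9.7` with `imagePullPolicy: Always` re-resolves a mutable tag on every restart, and v0.9.7 is an old release; pin the image by digest and check the upgrade path. `serviceAccount:` is the deprecated alias of `serviceAccountName:` and is set to the same value; drop it, along with the server-populated `creationTimestamp: null`.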
diff --git a/kubernetes/prod/us-west-2/sealed-secrets/sealedsecrets.bitnami.com.crd.yml b/kubernetes/prod/us-west-2/sealed-secrets/sealedsecrets.bitnami.com.crd.yml
new file mode 100644
index 000000000..b07df0715
--- /dev/null
+++ b/kubernetes/prod/us-west-2/sealed-secrets/sealedsecrets.bitnami.com.crd.yml
@@ -0,0 +1,43 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: sealedsecrets.bitnami.com
+spec:
+ conversion:
+ strategy: None
+ group: bitnami.com
+ names:
+ kind: SealedSecret
+ listKind: SealedSecretList
+ plural: sealedsecrets
+ singular: sealedsecret
+ preserveUnknownFields: true
+ scope: Namespaced
+ versions:
+ - name: v1alpha1
+ served: true
+ storage: true
+status:
+ acceptedNames:
+ kind: SealedSecret
+ listKind: SealedSecretList
+ plural: sealedsecrets
+ singular: sealedsecret
+ conditions:
+ - lastTransitionTime: "2019-11-21T10:40:44Z"
+ message: no conflicts found
+ reason: NoConflicts
+ status: "True"
+ type: NamesAccepted
+ - lastTransitionTime: null
+ message: the initial names have been accepted
+ reason: InitialNamesAccepted
+ status: "True"
+ type: Established
+ - lastTransitionTime: "2022-07-22T14:53:19Z"
+ message: 'spec.preserveUnknownFields: Invalid value: true: must be false'
+ reason: Violations
+ status: "True"
+ type: NonStructuralSchema
+ storedVersions:
+ - v1alpha1
diff --git a/kubernetes/prod/us-west-2/sso-dashboard-prod/nginx-ingress-role-nisa-binding.rolebinding.yml b/kubernetes/prod/us-west-2/sso-dashboard-prod/nginx-ingress-role-nisa-binding.rolebinding.yml
new file mode 100644
index 000000000..05122a11b
--- /dev/null
+++ b/kubernetes/prod/us-west-2/sso-dashboard-prod/nginx-ingress-role-nisa-binding.rolebinding.yml
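Review bot: `preserveUnknownFields: true` is invalid under apiextensions.k8s.io/v1, as the committed `status.conditions` entry itself records (`must be false`, type `NonStructuralSchema`), so creating this CRD from the manifest on a fresh cluster fails; the file is a `kubectl get` export of an object created under v1beta1 and later served as v1, and the `status:` block is server-owned and should not be checked in. Rewrite the spec with `preserveUnknownFields: false` and an open structural schema on `v1alpha1` that keeps unknown fields, since a v1 CRD without `x-kubernetes-preserve-unknown-fields` prunes everything the schema does not list, which for a SealedSecret is its entire payload.
```yaml
  preserveUnknownFields: false
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        type: object
        x-kubernetes-preserve-unknown-fields: true
    served: true
    storage: true
# … removed: status block (server-owned, not part of the manifest) …
```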
@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: nginx-ingress-role-nisa-binding
+ namespace: sso-dashboard-prod
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: nginx-ingress-role
+subjects:
+- kind: ServiceAccount
+ name: nginx-ingress-serviceaccount
+ namespace: sso-dashboard-prod
diff --git a/kubernetes/prod/us-west-2/sso-dashboard-prod/sso-dashboard-prod.ingress.yml b/kubernetes/prod/us-west-2/sso-dashboard-prod/sso-dashboard-prod.ingress.yml
new file mode 100644
index 000000000..35719ca6f
--- /dev/null
+++ b/kubernetes/prod/us-west-2/sso-dashboard-prod/sso-dashboard-prod.ingress.yml
@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ cert-manager.io/revision-history-limit: "1"
+ kubernetes.io/ingress.class: nginx
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ name: sso-dashboard
+ namespace: sso-dashboard-prod
+spec:
+ rules:
+ - host: sso.mozilla.com
+ http:
+ paths:
+ - backend:
+ service:
+ name: sso-dashboard
+ port:
+ number: 8000
+ path: /
+ pathType: ImplementationSpecific
+ tls:
+ - hosts:
+ - sso.mozilla.com
+ secretName: sso-dashboard-secret