Reorganize project

2020-11-05 10:02:01 +01:00
parent 4876de1547
commit 6fea8b3bc8
57 changed files with 1106 additions and 319 deletions
--- a/kubernetes-config/bin/config-namespace.sh
+++ b/kubernetes-config/bin/config-namespace.sh
@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+TOP="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)/.."
+
+if [ x$1 = x ]; then
+    ehco "usage: setup-namespace.sh {namespace}"
+    exit 1
+fi
+
+namespace=$1
+tmpfile=/tmp/helm-$namespace.$$
+
+cat << EOF > $tmpfile
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    name: $namespace
+  name: $namespace
+---
+apiVersion: v1
+metadata:
+  name: gitlab-pull-secret
+  namespace: $namespace
+kind: Secret
+type: kubernetes.io/dockerconfigjson
+data:
+  .dockerconfigjson: ewoJImF1dGhzIjogewoJCSJyZWdpc3RyeS5naXRsYWIuY29tIjogewoJCQkiYXV0aCI6ICJaMmwwYkdGaUsyUmxjR3h2ZVMxMGIydGxiaTB4T1Rnd01qQTZPRmxqU0VoMFZIaENSVUZUTFZKUWRsSnJXbGM9IgoJCX0KCX0sCgkiSHR0cEhlYWRlcnMiOiB7CgkJIlVzZXItQWdlbnQiOiAiRG9ja2VyLUNsaWVudC8xOS4wMy4xMiAobGludXgpIgoJfQp9Cg==
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: kestrel-tls
+  namespace: $namespace
+type: Opaque
+data:
+  kestrel.pfx: MIIJcQIBAzCCCTcGCSqGSIb3DQEHAaCCCSgEggkkMIIJIDCCA9cGCSqGSIb3DQEHBqCCA8gwggPEAgEAMIIDvQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQINE11xXT7iV4CAggAgIIDkBMylQRDdNJTEryjKEYajwYVWfkJDmEXfToulTYOU1Jv1q7z+le15hCGwauS/yDRCS4QjcTmW+XT7MopnqLlVXDF2dZbk+a1ThTiaToTqXbRWpI2sfzuFjbA6cYPJNonBDKKNwUmewnAog37u9qaQk2MCsaUw6t7pBp7HpvtnVR/GbsbY98udx6kqATlyZtNnhg8QhgTF9dfGf7VeQj0wq1gGaiGXq0kNJBwod7my8caQD3gUtRQf0ZKZN6RF8r2a4mjf0YyOBsLtSbZ7bceHtdN5PlOi1wu47XSAhSzqNHpNM8K4o0HvMol1m8QzQSmM6KY6vOrTagX+rSejV5aX82gdpiNjRa8HGO5+S8oRsL2/xX2FoxzUCkpzjyoAHJ6Bd25tem/ls4l921hlVmHZuseMiuwMisBw+bTYXEmug3SK54wkZi0nkjRAUTTZRy5KqYWDYXzxuT6MZPiROQRv66PpAG6IPtnhv0iIyszwAlYf6zZcT8Xlh6M9tMPuDFEKMzUbff8/FUWPrLLAZIuPC1PjbmkQ+bCrqN2JkDoJKbJjs8FEvq45vaG/R9rKnWeXakbrcKt7iEVQRUynHfXheZMPfhyB2QBS5gO5mjVLx062Lf+4h5oAf43Kbu5iGfYDTQHazW1jfMCfq87ufvMVlAlqJ0TQCUDPcDjW0o5MAv5wJibOciw5IJ/AEXV42apWUsei2sKB62JcFSiwUc+7a4QcCh0Cn4pgBjpi4T9v0mOWOCcu26IeJPeBpAW+4fgMfmiL5AfGCeY4YNiTrK0yHaUBA7kLCXCPKUHKYP71WkVeuooih0yJJZ/ZqWN+aIOm0c/DPAjUgkEVVtZXescW2Ae0NgdMhMeJ5kfsPYlTeOtFwzoSRu8wMPBr/Ufg2aEWc5GaZRbQmFzvmcg9aPFpltQ0XXGyaD+c6JR2t5b5YgH5MLRh5uZmYhFIBwBHIUQZ9Sc+7pjHUt9TnnVz3fT72pGi47Py5mm0W95euC2YucqclSQ7wjj4OKqgNKDp4o/ALZaZUURZeLl8xwsQ9liAiw2hEw9tvFvdWb9RM3wVEU5ol9n0OnReOSzYDMfUaUxiVTnA8r3SuavdbsuiyWpZ6lJJQRuwNhUfVat+c39OamXbe1J9E7wRDxAISKE2+JofaTOublkMNsaxP2TYDs9xDL/0oCHCxyu2hoCyOK8b94gw2yyW/+UdqUxLHdBgEvEbjCCBUEGCSqGSIb3DQEHAaCCBTIEggUuMIIFKjCCBSYGCyqGSIb3DQEMCgECoIIE7jCCBOowHAYKKoZIhvcNAQwBAzAOBAi7oqckaHZOQQICCAAEggTIlVZIQOhHhHchiWYqwlt9zdOP21UU3v9ghDAwuimISuLxTyfr+HXC9+5TRW5eKygiBv9czjZuZcUTQxHLlW2KQmz5EVik/CeAbhmgK3XL9YGTZxGccSNGaS9dLvxWVDbeCoNK7rr9R3zV4vWLPerfGjezpT/VWHLie0pBaNbHg8GHhwlLBSzo+ODkSD1N1cf/6wAny3Cdf8mwgRVmT5dQ7DVfnpkXNQ5Mztu8faLeMjURU2XCZecOZ4vVxr5cCCnOn4vWMPxwGeJUQVVt1M1BFyLg3DyTBpHST0qkV4PKDESjmha8d0zc+ifKr10e1a8LU9KHWsb8L0in2gTor8F9QwoYhtx2UQdx4n4qQ3GKoR0nfBl3aZw97hdPJgDKKoM1BFpXMg3LRMQSL/0FP2JfKQt/Qni3vvGE5A207ouMU+0G9qHdniR7DVmbmDEOTJQgbeYivLPOuYlXSx2aK51VUxO+agOnxLg8RYqOo8Ex7ZtnxjpfQQVirMJ3yPdD3cqUVLiJ/Y5xFOvwjoLNdlxxTC+QgsCN1K+Vg3KY+pn8d/iAmrMfUs992jz0xwXrUBG6V2lrXE6dI3SpTT8/h265Cd8KjHiXSJOP02sHm0PWTVQLAeJluV6DLgHB73jQ6fb01AbVkbG8lL2fhWl1R5cD7OdAIP7n6FgoSrzA/eqKTLYPKIbA73HdPCMm2zzb5mdlo8rh+0FJ8vegRJ4DFGag/FpAJRxeUnyLyO29tOKpp/u9uwrYDooYn5ci5gLeehUfGqEJlNp8GPbqiKAkWwNLaNguJA+kT0v7XVoEdNkDB6upObyJOObHl1W6s5vHFarNojcNINgTV3sEJT5tDuLZ282Lw99Wg1lvUGJbdO3dgq5NLey11cmRTBR/KyqSoYPGUfC8Aihfo/djUbXUjs/I6WuPRoqcSzQsjqHt7hR7aHF2ahKw2WxQhT27jgUpTcgd1O00uOsb3BPhskpY9ggRNs9AaVJu2RHyxwX2TWkY/AmMYG8UIRmKkAzLctUVwSIEY27GbluvSLtIhVl4I7DV8SYcWkxu/1NoT8aMlQMJeULgFMzG49GWnJDOgOXxcTRUFL3hniisWU5h8PPNxIGLqYf4C5ocXPCg7sap+6IrEm3lP9nwXlhMfHOMbKRX5p0W+0bzEtf4sZlwt6An5+WJmIP0oegz7tzsJNzEiDShK0TaEgfRyBi+NM781zGOCN7X4Lvzl3L5CAAtRGhfYMH52X7vf70Gf74wREa75O91NurJTaRMlztWoA7vAI2maYoPO9wyBWIsQDyv4cmL3xCai0TIza7Wtu8SHKnJCKGp90fftNU8PNlN6StVi2y8VKY+whRqFcZR1dbx+ClsPOHAcosNkZ3Vv9EuieSZaCSNT7dOvCiSgVgzuLg3CC/SBPfzVeqaoLL4xMVtfKXqZfX7SDoftNlD8rlY+hHR1pdxpvKhZPIgDkMRAZ8Z6IWKWdyRACeNM5NWK56e9D8zm5VDKDZCz1n/zozH577ABvj6+dZkahl/FKpryFxY4qtKxnYXXd8DVYt6t1NFIz3Ybov3r/7fHYqm8OLmF9FZqeC4gqr9HUbuDkaU0mPCHtWrL2nkhhuSKR4sm2VfhUSegJkiTKvD5+DhpIaDMSUwIwYJKoZIhvcNAQkVMRYEFJpr2WGeI1IjCffN9Qs1YLuF26qUMDEwITAJBgUrDgMCGgUABBRuJCgviB/YoTN9wqikECF7WyAN9QQI/4JQvFeDBswCAggA
+EOF
+
+kubectl apply -f $tmpfile
+
+rm $tmpfile
--- a/kubernetes-config/bin/docker-prune-stopped.fish
+++ b/kubernetes-config/bin/docker-prune-stopped.fish
@@ -0,0 +1 @@
+for i in (seq 2 5); ssh k0- docker system prune -a;end
--- a/kubernetes-config/bin/gitlab-prune-registry.sh
+++ b/kubernetes-config/bin/gitlab-prune-registry.sh
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+token=UTjgSspYQcX-BVUd1UsC
+api=https://gitlab.com/api/v4
+
+prune () {
+    id=$1
+    reg=$(curl -s --header "PRIVATE-TOKEN: $token" \
+        "$api/projects/$id/registry/repositories" \
+        | json_pp | sed -n 's/^ *"id" *: *\([0-9]\+\).*/\1/p')
+    for i in $reg; do
+        curl -s --request DELETE --data 'keep_n=10' \
+            --data 'name_regex=.*[0-9].*' \
+            --header "PRIVATE-TOKEN: $token" \
+            "$api/projects/$id/registry/repositories/$i/tags"
+    done
+}
+
+gc () {
+    pod=$(kubectl get pod -n gitlab -lapp=registry | tail -1 | cut -d' ' -f1)
+    kubectl exec -n gitlab $pod -- \
+      registry garbage-collect /etc/docker/registry/config.yml -m
+}
+
+all () {
+    groups=$(curl -s --header "PRIVATE-TOKEN: $token" "$api/groups" \
+        | json_pp | sed -n 's/^ *"id" *: *\([0-9]\+\).*/\1/p')
+    for g in $groups; do
+        proj=$(curl -s --header "PRIVATE-TOKEN: $token" \
+            "$api/groups/$g/projects?simple=true&include_subgroups=true" \
+            | json_pp | sed -n 's/^ \{6\}"id" *: *\([0-9]\+\).*/\1/p')
+        for p in $proj; do
+            prune $p
+        done
+    done
+}
+
+projects () {
+    for i in $@; do
+      prune $(echo $i | sed 's,/,%2F,g')
+    done
+}
+
+case $1 in
+    --all) all ;;
+    *) projects $@
+esac
+
+gc
--- a/kubernetes-config/bin/initial-kube-system-bootstrap
+++ b/kubernetes-config/bin/initial-kube-system-bootstrap
@@ -0,0 +1,92 @@
+#!/usr/bin/env bash
+
+TOP=@out@/share/kube-system-bootstrap
+
+ca=@initca@
+apiserver="@apiserver@"
+filseserver="@fileserver@"
+grafana_ldap_toml="@grafana_ldap_toml@"
+
+apply_configs () {
+    d=$TOP/config
+    configs[0]=$d/cluster-auth-rbac.yaml
+    configs[1]=$d/kube-proxy.yaml
+    configs[2]=$d/front-proxy-client.yaml
+    configs[3]=$d/grafana-smtp-secret.yaml
+    [ ! -z $grafana_ldap_toml ] && configs[4]=$d/grafana-ldap-toml.yaml
+
+    kubectl delete secret cluster-ca -n kube-system >/dev/null 2>&1
+    kubectl create secret tls cluster-ca \
+        --namespace=kube-system --cert=${ca}/ca.pem --key=${ca}/ca-key.pem
+
+    for i in ${configs[@]}; do
+        kubectl apply -f $i
+    done
+}
+
+install_certmgr () {
+    kubectl apply -f https://raw.githubusercontent.com/jetstack/cert-manager/release-0.12/deploy/manifests/00-crds.yaml
+    helm repo add jetstack https://charts.jetstack.io
+    helm install -n kube-system -f $TOP/charts/cert-manager.yaml \
+        cert-manager jetstack/cert-manager
+}
+
+helm_install () {
+    echo "helm install $1"
+    helm install -n kube-system -f $TOP/charts/$1.yaml $1 stable/$1
+}
+
+helm_delete () {
+    echo "helm delete existing $1"
+    helm delete -n kube-system $1
+}
+
+install_prometheus () {
+    helm_delete prometheus-operator
+    yaml=/tmp/prometheus-operator.yaml
+    cp $TOP/charts/prometheus-operator.yaml $yaml
+    chmod 640 $yaml
+    # disable ldap for grafana
+    [ -z $grafana_ldap_toml ] && \
+        sed -i '/auth\.ldap:/,+1 s/true/false/; /ldap:/,+1 d' $yaml
+    # disable storage
+    [ -z $fileserver ] && \
+        sed -i '/prometheusSpec:/,+10d' $yaml
+    helm_install prometheus-operator $yaml
+}
+
+install_charts () {
+    [ ! -z $fileserver ] && charts[0]=nfs-client-provisioner
+    charts[1]=nginx-ingress
+    charts[2]=metrics-server
+    charts[3]=kubernetes-dashboard
+
+    for i in ${charts[@]};do
+        helm_install $i
+        sleep 30
+    done
+}
+
+install_prometheus_crds () {
+    url=https://raw.githubusercontent.com/helm/charts/master/stable/prometheus-operator/crds
+    kubectl apply -f $url/crd-alertmanager.yaml
+    kubectl apply -f $url/crd-prometheus.yaml
+    kubectl apply -f $url/crd-prometheusrules.yaml
+    kubectl apply -f $url/crd-servicemonitor.yaml
+    kubectl apply -f $url/crd-podmonitor.yaml
+}
+
+helm repo add stable https://kubernetes-charts.storage.googleapis.com
+helm repo update
+
+apply_configs
+install_prometheus_crds
+install_certmgr
+install_charts
+install_prometheus
+
+# helm install -n kube-system -f sentry.yaml --wait --timeout=1000s sentry stable/sentry
+# helm install -n vault -f vault-values.yaml vault hashicorp/vault
+# helm install -n monitoring -f kube-prometheus-stack.yaml prometheus prometheus-community/kube-prometheus-stack
+
+# vim:ft=sh
--- a/kubernetes-config/bin/reset-sa-tokens.sh
+++ b/kubernetes-config/bin/reset-sa-tokens.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+kubectl delete secrets --all-namespaces --field-selector='type=kubernetes.io/service-account-token'
--- a/kubernetes-config/bin/restart-flannel.sh
+++ b/kubernetes-config/bin/restart-flannel.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+master="etcd.service"
+node="flannel.service"
+
+nodes=$(kubectl get nodes --no-headers | cut -d' ' -f1)
+master_node=$(echo $nodes | cut -d' ' -f1)
+
+echo "$master_node: systemctl restart $master"
+sudo systemctl restart $master
+
+for n in $nodes; do
+    echo "$n: systemctl restart $node"
+    ssh root@$n systemctl restart $node &
+done
+
+echo "Waiting..."
+wait
--- a/kubernetes-config/bin/restart-kubernetes.sh
+++ b/kubernetes-config/bin/restart-kubernetes.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+master="kube-apiserver kube-scheduler kube-controller-manager"
+node="kube-proxy kubelet kube-certmgr-apitoken-bootstrap"
+
+nodes=$(kubectl get nodes --no-headers | cut -d' ' -f1)
+master_node=$(echo $nodes | cut -d' ' -f1)
+
+echo "$master_node: systemctl restart $master"
+sudo systemctl restart $master
+
+for n in $nodes; do
+    echo "$n: systemctl restart $node"
+    ssh root@$n systemctl restart $node &
+done
+
+echo "Waiting..."
+wait
--- a/kubernetes-config/bin/setup-helm.sh
+++ b/kubernetes-config/bin/setup-helm.sh
@@ -0,0 +1,12 @@
+read -r -d '' repos << EOF
+jetstack;https://charts.jetstack.io
+stable;https://kubernetes-charts.storage.googleapis.com/
+minio;https://helm.min.io/
+anchore;https://charts.anchore.io
+bitnami;https://charts.bitnami.com/bitnami
+hashicorp;https://helm.releases.hashicorp.com
+ingress-nginx;https://kubernetes.github.io/ingress-nginx
+prometheus-community;https://prometheus-community.github.io/helm-charts
+EOF
+for i in $repos; do IFS=";"; set $i; helm repo add $1 $2; done
+
--- a/kubernetes-config/bin/taint-node-no-schedule.sh
+++ b/kubernetes-config/bin/taint-node-no-schedule.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+kubectl taint node $1 ClusterService="true":NoSchedule
--- a/kubernetes-config/bin/ws-curl.sh
+++ b/kubernetes-config/bin/ws-curl.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+host=$1; shift
+
+curl -i -N \
+    -H "Connection: upgrade"\
+    -H "Upgrade: websocket"\
+    -H "Sec-WebSocket-Key: SGVsbG8sIHdvcmxkIQ=="\
+    -H "Sec-WebSocket-Version: 13"\
+    -H "Origin: http://foo.com/"\
+    -H "Host: $host" $@
+
				`@@ -0,0 +1 @@`
				`for i in (seq 2 5); ssh k0- docker system prune -a;end`