diff --git a/bootstrap/config/cluster-issuer.yaml b/bootstrap/config/cluster-issuer.yaml
index 234aac7..4890d90 100644
--- a/bootstrap/config/cluster-issuer.yaml
+++ b/bootstrap/config/cluster-issuer.yaml
@@ -7,13 +7,15 @@ spec:
 acme:
 # The ACME server URL
 server: https://acme-v02.api.letsencrypt.org/directory
- # Email address used for ACME registration
 email: @acme_email@
- # Name of a secret used to store the ACME account private key
 privateKeySecretRef:
 name: letsencrypt-production
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
 ---
 apiVersion: cert-manager.io/v1alpha2
diff --git a/clusters/kube0/default.nix b/clusters/kube0/default.nix
index e5ff247..5522fc6 100644
--- a/clusters/kube0/default.nix
+++ b/clusters/kube0/default.nix
@@ -4,6 +4,7 @@ let
 clusterName = "kube0";
 master = {
 name = "k0-0"; address = "10.253.18.100";
+ extraSANs = [ "k0.itpartner.no" ];
 };
 workers = [
 { name = "k0-1"; address = "10.253.18.101"; }
diff --git a/clusters/kube1/default.nix b/clusters/kube1/default.nix
index 47ea2eb..17b524b 100644
--- a/clusters/kube1/default.nix
+++ b/clusters/kube1/default.nix
@@ -4,12 +4,13 @@ let
 clusterName = "kube1";
 master = {
 name = "k1-0"; address = "10.253.18.109";
+ extraSANs = [ "k1.itpartner.no" ];
 };
 workers = [
 { name = "k1-1"; address = "10.253.18.110"; }
 { name = "k1-2"; address = "10.253.18.111"; }
 { name = "k1-3"; address = "10.253.18.108"; }
- { name = "k1-4"; address = "10.253.18.107"; }
+ # { name = "k1-4"; address = "10.253.18.107"; }
 ];
 cidr = "10.11.0.0/16";
 initca = ./ca;
diff --git a/clusters/kube2/default.nix b/clusters/kube2/default.nix
index a9c7d48..6f09bc4 100644
--- a/clusters/kube2/default.nix
+++ b/clusters/kube2/default.nix
@@ -4,6 +4,7 @@ let
 clusterName = "kube2";
 master = {
 name = "k2-0"; address = "10.253.18.114";
+ extraSANs = [ "k2.itpartner.no" ];
 };
 workers = [
 { name = "k2-1"; address = "10.253.18.115"; }
diff --git a/lib/k8s.nix b/lib/k8s.nix
index bb882c3..84af010 100644
--- a/lib/k8s.nix
+++ b/lib/k8s.nix
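Review bot: The `solvers:` block is added only to the first ClusterIssuer; the second one that begins at the `---` closing this hunk is cut off here, and if it is the ACME staging counterpart it presumably needs the same block, because a cert-manager.io/v1alpha2 ACME issuer without solvers cannot satisfy challenges. Pinning `ingress.class: nginx` means certificates requested through any other ingress class will not be solved, which deserves a one-line comment such as `# HTTP-01 challenges are routed through the nginx ingress class only`. `email: @acme_email@` is a template placeholder and is presumably substituted before apply.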
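Review bot: Commenting out the `k1-4` worker in clusters/kube1/default.nix rather than deleting it leaves its address in the file and, more importantly, changes nothing on the node itself: if the host at 10.253.18.107 still runs a kubelet with cluster credentials it remains a cluster member until it is drained and removed with `kubectl delete node k1-4`. A short comment on the commented-out line saying why it was removed and whether the host has been decommissioned would make the intent clear to the next reader.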
@@ -109,6 +109,7 @@ let
 securePort = 4443;
 insecurePort = 8080;
 extraOpts = "--requestheader-client-ca-file ${pki.ca.cert}";
+ extraSANs = settings.master.extraSANs;
 # verbosity = 4;
 };
diff --git a/old/scripts/copy-score-backups.sh b/old/scripts/copy-score-backups.sh
new file mode 100755
index 0000000..7a33394
--- /dev/null
+++ b/old/scripts/copy-score-backups.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+pod=`kubectl get pods -n mssql | grep Running | grep consto-ks | cut -d' ' -f1`
+bak=`kubectl exec -n mssql $pod ls -- -1 /var/opt/mssql/data/ | grep '.bak$'`
+
+for i in $bak; do
+ kubectl cp mssql/$pod:/var/opt/mssql/data/$i .
+done
diff --git a/old/scripts/docker-prune-stopped.fish b/old/scripts/docker-prune-stopped.fish
new file mode 100755
index 0000000..e83a66c
--- /dev/null
+++ b/old/scripts/docker-prune-stopped.fish
@@ -0,0 +1 @@
+for i in (seq 2 5); ssh k0- docker system prune -a;end
diff --git a/old/scripts/gitlab-prune-registry.sh b/old/scripts/gitlab-prune-registry.sh
new file mode 100755
index 0000000..4a0f2e7
--- /dev/null
+++ b/old/scripts/gitlab-prune-registry.sh
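Review bot: `extraSANs = settings.master.extraSANs;` is an unconditional attribute access, so any cluster definition that does not set `master.extraSANs` (the three in this commit do) now fails to evaluate with a missing-attribute error instead of keeping the previous behaviour; `extraSANs = settings.master.extraSANs or [];` keeps older cluster files working. A why-comment would also help, e.g. `# extra DNS names placed in the apiserver serving certificate so the API is reachable by its public name` — presumably that is what the option does here, confirm against the module it feeds. The attribute set being built starts before this hunk.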
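Review bot: `pod=` on line 3 of copy-score-backups.sh keeps every line matching `Running` and `consto-ks`, so if more than one such pod exists `$pod` becomes several words and both the `kubectl exec` and the `kubectl cp` receive a mangled target; narrowing with `--field-selector=status.phase=Running` and `| head -n1` makes the choice deterministic. `grep '.bak$'` also matches any character before `bak` and should be `grep '\.bak$'`. Adding `set -euo pipefail` near the top would stop the loop from running `kubectl cp` with an empty `$pod` when the lookup fails, and `$( )` reads better than backticks in bash.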
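Review bot: `ssh k0- docker …` in docker-prune-stopped.fish never uses the loop variable, so all four iterations ssh to the literal host `k0-` instead of `k0-2` through `k0-5`; presumably `ssh k0-$i docker system prune -a -f` was intended. `docker system prune -a` also asks for interactive confirmation and removes every unused image and network, not only stopped containers as the file name suggests; if only containers are meant, `docker container prune -f` is the narrower command. Either way `-f` is needed for the command to run non-interactively over ssh.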
@@ -0,0 +1,49 @@
+#!/usr/bin/env bash
+
+token=UTjgSspYQcX-BVUd1UsC
+api=https://gitlab.itpartner.no/api/v4
+
+prune () {
+ id=$1
+ reg=$(curl -s --header "PRIVATE-TOKEN: $token" \
+ "$api/projects/$id/registry/repositories" \
+ | json_pp | sed -n 's/^ *"id" *: *\([0-9]\+\).*/\1/p')
+ for i in $reg; do
+ curl -s --request DELETE --data 'keep_n=10' \
+ --data 'name_regex=.*[0-9].*' \
+ --header "PRIVATE-TOKEN: $token" \
+ "$api/projects/$id/registry/repositories/$i/tags"
+ done
+}
+
+gc () {
+ pod=$(kubectl get pod -n gitlab -lapp=registry | tail -1 | cut -d' ' -f1)
+ kubectl exec -n gitlab $pod -- \
+ registry garbage-collect /etc/docker/registry/config.yml -m
+}
+
+all () {
+ groups=$(curl -s --header "PRIVATE-TOKEN: $token" "$api/groups" \
+ | json_pp | sed -n 's/^ *"id" *: *\([0-9]\+\).*/\1/p')
+ for g in $groups; do
+ proj=$(curl -s --header "PRIVATE-TOKEN: $token" \
+ "$api/groups/$g/projects?simple=true&include_subgroups=true" \
+ | json_pp | sed -n 's/^ \{6\}"id" *: *\([0-9]\+\).*/\1/p')
+ for p in $proj; do
+ prune $p
+ done
+ done
+}
+
+projects () {
+ for i in $@; do
+ prune $(echo $i | sed 's,/,%2F,g')
+ done
+}
+
+case $1 in
+ --all) all ;;
+ *) projects $@
+esac
+
+gc
diff --git a/old/scripts/install-namespace.sh b/old/scripts/install-namespace.sh
new file mode 100755
index 0000000..df47e10
--- /dev/null
+++ b/old/scripts/install-namespace.sh
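Review bot: Line 3 hard-codes a GitLab access token in the script; it is now part of the repository history regardless of later edits, so it should be revoked and replaced, and the script should take it from the environment, e.g. `token=${GITLAB_TOKEN:?GITLAB_TOKEN must be set}`. The token drives DELETE calls against the registry tags of every project in every group, so its exposure scope is wide enough to justify that change on its own. Separately, `for i in $@` and `projects $@` should use `"$@"` so project paths survive word splitting, and `set -euo pipefail` at the top would keep an empty `$id` or `$pod` from turning into a request to `/projects//registry/...` or a `kubectl exec` with no pod name.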
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+TOP="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)/.."
+
+if [ x$1 = x ]; then
+ ehco "usage: install-namespace.sh {namespace}"
+ exit 1
+fi
+
+namespace=$1
+tmpfile=/tmp/new-$namespace.$$
+
+cat << EOF > $tmpfile
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ name: $namespace
+ name: $namespace
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: gitlab-registry-auth
+ namespace: $namespace
+data:
+ .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL3JlZ2lzdHJ5Lml0cGFydG5lci5ubyI6eyJ1c2VybmFtZSI6ImpvbmFzIiwicGFzc3dvcmQiOiJTRldwLVk0bkVfdXpNZFJxeHp6SyIsImF1dGgiOiJhbTl1WVhNNlUwWlhjQzFaTkc1RlgzVjZUV1JTY1hoNmVrcz0ifX19
+type: kubernetes.io/dockerconfigjson
+EOF
+
+kubectl apply -f $tmpfile
+
+rm $tmpfile
diff --git a/old/scripts/reset-sa-tokens.sh b/old/scripts/reset-sa-tokens.sh
new file mode 100755
index 0000000..62e8a73
--- /dev/null
+++ b/old/scripts/reset-sa-tokens.sh
@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+kubectl delete secrets --all-namespaces --field-selector='type=kubernetes.io/service-account-token'
diff --git a/old/scripts/taint-node-no-schedule.sh b/old/scripts/taint-node-no-schedule.sh
new file mode 100755
index 0000000..34e2431
--- /dev/null
+++ b/old/scripts/taint-node-no-schedule.sh
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+kubectl taint node $1 ClusterService="true":NoSchedule
diff --git a/old/scripts/ws-curl.sh b/old/scripts/ws-curl.sh
new file mode 100755
index 0000000..81166b5
--- /dev/null
+++ b/old/scripts/ws-curl.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+host=$1; shift
+
+curl -i -N \
+ -H "Connection: upgrade"\
+ -H "Upgrade: websocket"\
+ -H "Sec-WebSocket-Key: SGVsbG8sIHdvcmxkIQ=="\
+ -H "Sec-WebSocket-Version: 13"\
+ -H "Origin: http://foo.com/"\
+ -H "Host: $host" $@
+
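Review bot: The `.dockerconfigjson` value on line 27 of install-namespace.sh is only base64, so the registry username and password it contains are committed to the repository in recoverable form and should be rotated and supplied at run time (an environment variable or a file outside the repo) instead of embedded in the heredoc. The manifest, secret included, is first written to `/tmp/new-$namespace.$$`, a predictable and, with a default umask, world-readable path; feeding the heredoc straight in with `kubectl apply -f - << EOF` removes the temp file, the `rm`, and the race. `ehco` on line 6 is a typo, so the usage text is never printed (`exit 1` still runs), and `TOP` on line 3 is assigned but never used.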
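Review bot: reset-sa-tokens.sh deletes every service-account token secret in every namespace with no dry run or confirmation, and pods that mounted a deleted secret as a volume keep a token that stops being accepted once its secret is gone, so in practice the command forces a restart of all workloads — the script should say so in a header comment. A preview step such as `kubectl get secrets -A --field-selector=type=kubernetes.io/service-account-token` printed before the delete, or a `--dry-run=client` run behind a flag, gives the operator a chance to check the scope first.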
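Review bot: In taint-node-no-schedule.sh `$1` is used unquoted and without a check, so running the script with no argument yields a confusing kubectl error instead of a usage message; `node=${1:?usage: taint-node-no-schedule.sh <node>}` at the top and `kubectl taint node "$node" ClusterService="true":NoSchedule` fixes both. A one-line comment naming which pods are expected to tolerate `ClusterService=true:NoSchedule` would help the next reader.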
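Review bot: The trailing `$@` in ws-curl.sh should be `"$@"` so an argument containing spaces or glob characters reaches curl intact; under `#!/bin/sh` the unquoted form is split and globbed. The fixed `Sec-WebSocket-Key` and `Origin: http://foo.com/` values are suitable only for a manual handshake probe and deserve a comment saying so, e.g. `# static handshake values: this script only checks that the upgrade is accepted`.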