From a62cbc5180fddbc9cec99e793334a8a1b0c4421d Mon Sep 17 00:00:00 2001
From: Julius de Jeu
Date: Tue, 24 May 2022 09:12:16 +0200
Subject: [PATCH] Add keel
---
flux/cluster/apps/keel/deployment.yaml | 101 ++++++++++++++++++
flux/cluster/apps/keel/kustomization.yaml | 9 ++
.../apps/keel/pod-disruption-budget.yaml | 10 ++
flux/cluster/apps/keel/rbac.yaml | 49 +++++++++
flux/cluster/apps/keel/rolebinding.yaml | 12 +++
flux/cluster/apps/keel/service-account.yaml | 7 ++
flux/cluster/apps/keel/service.yaml | 17 +++
flux/cluster/apps/kustomization.yaml | 1 +
flux/cluster/core/namespaces/keel.yaml | 6 ++
.../core/namespaces/kustomization.yaml | 1 +
nixos/machines/registry/default.nix | 14 +--
11 files changed, 220 insertions(+), 7 deletions(-)
create mode 100644 flux/cluster/apps/keel/deployment.yaml
create mode 100644 flux/cluster/apps/keel/kustomization.yaml
create mode 100644 flux/cluster/apps/keel/pod-disruption-budget.yaml
create mode 100644 flux/cluster/apps/keel/rbac.yaml
create mode 100644 flux/cluster/apps/keel/rolebinding.yaml
create mode 100644 flux/cluster/apps/keel/service-account.yaml
create mode 100644 flux/cluster/apps/keel/service.yaml
create mode 100644 flux/cluster/core/namespaces/keel.yaml
diff --git a/flux/cluster/apps/keel/deployment.yaml b/flux/cluster/apps/keel/deployment.yaml
new file mode 100644
index 0000000..e5c604b
--- /dev/null
+++ b/flux/cluster/apps/keel/deployment.yaml
@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: keel
+ namespace: "keel"
+ labels:
+ app: keel
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: keel
+ template:
+ metadata:
+ labels:
+ app: keel
+ spec:
+ serviceAccountName: keel
+ containers:
+
+ - name: keel
+ # Note that we use appVersion to get images tag.
+ image: "keelhq/keel:latest"
+ imagePullPolicy: Always
+ command: ["/bin/keel"]
+ env:
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ # Enable GCR with pub/sub support
+ - name: PROJECT_ID
+ value: ""
+ - name: PUBSUB
+ value: "" # Set to '1' or 'true' to enable GCR pubsub
+ # Basic auth (to enable UI/API)
+ - name: BASIC_AUTH_USER
+ value: j00lz
+ - name: BASIC_AUTH_PASSWORD
+ value: admin
+ - name: AUTHENTICATED_WEBHOOKS
+ value: "false"
+ # Helm configuration
+
+ # Enable AWS ECR
+ - name: AWS_ACCESS_KEY_ID
+ value: ""
+ - name: AWS_SECRET_ACCESS_KEY
+ value: ""
+ - name: AWS_REGION
+ value: ""
+ # Enable webhook endpoint
+ - name: WEBHOOK_ENDPOINT
+ value: ""
+ # Enable mattermost endpoint
+ - name: MATTERMOST_ENDPOINT
+ value: ""
+ # Enable MS Teams webhook endpoint
+ - name: TEAMS_WEBHOOK_URL
+ value: ""
+ - name: SLACK_TOKEN
+ value: ""
+ - name: SLACK_CHANNELS
+ value: "general"
+ - name: SLACK_APPROVALS_CHANNEL
+ value: "general"
+ - name: SLACK_BOT_NAME
+ value: "keel"
+ # Enable hipchat approvials and notification
+ - name: HIPCHAT_TOKEN
+ value: ""
+ - name: HIPCHAT_CHANNELS
+ value: ""
+ - name: HIPCHAT_APPROVALS_CHANNEL
+ value: ""
+ - name: HIPCHAT_APPROVALS_BOT_NAME
+ value: ""
+ - name: HIPCHAT_APPROVALS_USER_NAME
+ value: ""
+ - name: HIPCHAT_APPROVALS_PASSWORT
+ value: ""
+ - name: NOTIFICATION_LEVEL
+ value: "info"
+ # Enable insecure registries
+ - name: INSECURE_REGISTRY
+ value: "false"
+ ports:
+ - containerPort: 9300
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 9300
+ initialDelaySeconds: 30
+ timeoutSeconds: 10
+ resources:
+ limits:
+ cpu: 100m
+ memory: 128Mi
+ requests:
+ cpu: 50m
+ memory: 64Mi
\ No newline at end of file
diff --git a/flux/cluster/apps/keel/kustomization.yaml b/flux/cluster/apps/keel/kustomization.yaml
new file mode 100644
index 0000000..b0e20de
--- /dev/null
+++ b/flux/cluster/apps/keel/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - pod-disruption-budget.yaml
+ - rbac.yaml
+ - rolebinding.yaml
+ - service-account.yaml
+ - service.yaml
diff --git a/flux/cluster/apps/keel/pod-disruption-budget.yaml b/flux/cluster/apps/keel/pod-disruption-budget.yaml
new file mode 100644
index 0000000..65a608d
--- /dev/null
+++ b/flux/cluster/apps/keel/pod-disruption-budget.yaml
@@ -0,0 +1,10 @@
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ name: keel
+ namespace: "keel"
+spec:
+ maxUnavailable: 1
+ selector:
+ matchLabels:
+ app: keel
\ No newline at end of file
diff --git a/flux/cluster/apps/keel/rbac.yaml b/flux/cluster/apps/keel/rbac.yaml
new file mode 100644
index 0000000..461b1b3
--- /dev/null
+++ b/flux/cluster/apps/keel/rbac.yaml
@@ -0,0 +1,49 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: keel
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - namespaces
+ verbs:
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - watch
+ - list
+ - apiGroups:
+ - ""
+ - extensions
+ - apps
+ - batch
+ resources:
+ - pods
+ - replicasets
+ - replicationcontrollers
+ - statefulsets
+ - deployments
+ - daemonsets
+ - jobs
+ - cronjobs
+ verbs:
+ - get
+ - delete # required to delete pods during force upgrade of the same tag
+ - watch
+ - list
+ - update
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ - pods/portforward
+ verbs:
+ - get
+ - create
+ - update
diff --git a/flux/cluster/apps/keel/rolebinding.yaml b/flux/cluster/apps/keel/rolebinding.yaml
new file mode 100644
index 0000000..8ba6554
--- /dev/null
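Review bot: The basic-auth credentials for keel's UI/API are committed in plaintext in the `BASIC_AUTH_USER` / `BASIC_AUTH_PASSWORD` env entries (`value: j00lz`, `value: admin`), and the password is a well-known default. Pull both from a Secret via `valueFrom.secretKeyRef` so the manifest carries no credential; the Secret itself should be encrypted in the repo or created outside it. Separately, `image: "keelhq/keel:latest"` with `imagePullPolicy: Always` lets a controller holding cluster-wide update and delete rights on workloads change silently on every pod restart — pin a tag (ideally a digest) and drop or fix the leftover chart comment `# Note that we use appVersion to get images tag.`, which no longer describes what the line does.
```yaml
# … unchanged: container spec up to the basic-auth env entries …
- name: BASIC_AUTH_USER
  valueFrom:
    secretKeyRef:
      name: keel-basic-auth   # placeholder name; Secret is managed outside this manifest
      key: username
- name: BASIC_AUTH_PASSWORD
  valueFrom:
    secretKeyRef:
      name: keel-basic-auth
      key: password
# … unchanged: remaining env entries, ports, livenessProbe, resources …
```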
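Review bot: `apiVersion: policy/v1beta1` for PodDisruptionBudget is no longer served from Kubernetes 1.25 on, and `policy/v1` has been available since 1.21, so the first line should read `apiVersion: policy/v1` unless the cluster is pinned to an older release. Note also that with `replicas: 1` in the deployment hunk and `maxUnavailable: 1` here the budget never blocks an eviction, so either state that it is intentionally a no-op today (e.g. `# maxUnavailable 1 of 1 replica: never blocks drains; kept for future scale-up`) or switch to `minAvailable` once replicas are raised.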
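Review bot: The second rule grants `get`/`watch`/`list` on `secrets` in every namespace and the last rule grants `create` on `pods/portforward`; these are the two most sensitive grants in the ClusterRole and neither carries a comment explaining the need, while the far less sensitive `delete` verb does. Keel reads imagePullSecrets of the workloads it watches in order to poll private registries, which is presumably why cluster-wide secret read is here — say so on the rule, e.g. `# keel reads imagePullSecrets of watched workloads to poll private registries`. The `pods/portforward` grant looks tied to the Helm provider, and the deployment hunk leaves its `# Helm configuration` block empty, so if that provider is not enabled the rule appears removable — verify against keel's provider documentation before dropping it.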
+++ b/flux/cluster/apps/keel/rolebinding.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: keel
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: keel
+subjects:
+ - kind: ServiceAccount
+ name: keel
+ namespace: "keel"
\ No newline at end of file
diff --git a/flux/cluster/apps/keel/service-account.yaml b/flux/cluster/apps/keel/service-account.yaml
new file mode 100644
index 0000000..19fb448
--- /dev/null
+++ b/flux/cluster/apps/keel/service-account.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: keel
+ namespace: "keel"
+ labels:
+ app: keel
\ No newline at end of file
diff --git a/flux/cluster/apps/keel/service.yaml b/flux/cluster/apps/keel/service.yaml
new file mode 100644
index 0000000..6ecded2
--- /dev/null
+++ b/flux/cluster/apps/keel/service.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: keel
+ namespace: "keel"
+ labels:
+ app: keel
+spec:
+ type: LoadBalancer
+ ports:
+ - port: 9300
+ targetPort: 9300
+ protocol: TCP
+ name: keel
+ selector:
+ app: keel
+ sessionAffinity: None
\ No newline at end of file
diff --git a/flux/cluster/apps/kustomization.yaml b/flux/cluster/apps/kustomization.yaml
index 6ca5412..e74e3af 100644
--- a/flux/cluster/apps/kustomization.yaml
+++ b/flux/cluster/apps/kustomization.yaml
@@ -5,3 +5,4 @@ resources:
 - authentik
 - networking
 - drone
+ - keel
diff --git a/flux/cluster/core/namespaces/keel.yaml b/flux/cluster/core/namespaces/keel.yaml
new file mode 100644
index 0000000..53dad74
--- /dev/null
+++ b/flux/cluster/core/namespaces/keel.yaml
@@ -0,0 +1,6 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: keel
+ labels:
+ name: keel
\ No newline at end of file
diff --git a/flux/cluster/core/namespaces/kustomization.yaml b/flux/cluster/core/namespaces/kustomization.yaml
index e77257f..79d7a38 100644
--- a/flux/cluster/core/namespaces/kustomization.yaml
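Review bot: `type: LoadBalancer` on port 9300 publishes keel's UI/API and its webhook receiver outside the cluster with nothing in front of them, and the deployment hunk configures that same endpoint with a default-looking basic-auth password and `AUTHENTICATED_WEBHOOKS` set to `"false"`. The only consumer visible in this commit is the registry on the nix host posting to `kubernetes.lxd:9300`, so if an external address really is required, limit it with `loadBalancerSourceRanges` to that host; otherwise `type: ClusterIP` plus an authenticated, TLS-terminating ingress for the UI is the safer shape. Either way, add a comment on `type` stating which consumer the exposure is for.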
+++ b/flux/cluster/core/namespaces/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
 - authentik.yaml
 - traefik.yaml
 - drone.yaml
+ - keel.yaml
diff --git a/nixos/machines/registry/default.nix b/nixos/machines/registry/default.nix
index 866070b..2ab68c5 100644
--- a/nixos/machines/registry/default.nix
+++ b/nixos/machines/registry/default.nix
@@ -27,13 +27,13 @@
 path = "/var/lib/keys/htaccess";
 };
- # notifications.endpoints = [{
- # name = "keel";
- # url = "http://10.42.20.5:9300/v1/webhooks/registry";
- # timeout = "500ms";
- # treshold = 5;
- # backoff = "1s";
- # }];
+ notifications.endpoints = [{
+ name = "keel";
+ url = "http://kubernetes.lxd:9300/v1/webhooks/registry";
+ timeout = "500ms";
+ treshold = 5;
+ backoff = "1s";
+ }];
 };
 };
 systemd.services.docker-registry.serviceConfig.EnvironmentFile =
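Review bot: The registry now posts push events to `http://kubernetes.lxd:9300/v1/webhooks/registry` in cleartext and without any credential, and keel's deployment hunk sets `AUTHENTICATED_WEBHOOKS` to `"false"`, so the receiver accepts events from any client that can reach port 9300, not just this registry. The registry's endpoint configuration also accepts a `headers` attribute, which can carry an `Authorization` header once keel's webhook authentication is enabled; pairing that with an https URL, or a network path restricted to the registry host, closes the gap. Also, `treshold = 5;` looks like a misspelling of the registry's `threshold` key and may be silently ignored in favour of the default — worth verifying against the registry version in use. The enclosing attribute set starts and ends outside the hunk.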