init commit

sjenkins 2025-02-23 15:24:32 -06:00
commit 9a354489ac
19 changed files with 1126 additions and 0 deletions


@ -0,0 +1,27 @@
#!/bin/bash
# Static variables
ENDPOINT="https://ams3.digitaloceanspaces.com"
# Prompt user for access key ID and secret access key
read -p "Enter access key ID: " ACCESS_KEY_ID
read -sp "Enter secret access key: " SECRET_ACCESS_KEY
echo ""
# Ensure the keys are not empty
if [[ -z "$ACCESS_KEY_ID" || -z "$SECRET_ACCESS_KEY" ]]; then
echo "Error: Access key ID and secret access key are required."
exit 1
fi
# Define namespace
NAMESPACE="csi-s3"
# Create the Kubernetes secret
kubectl create secret generic csi-s3-secret \
--from-literal=accessKeyID="$ACCESS_KEY_ID" \
--from-literal=secretAccessKey="$SECRET_ACCESS_KEY" \
--from-literal=endpoint="$ENDPOINT" \
--namespace="$NAMESPACE"
echo "✅ CSI S3 secret created successfully in namespace '$NAMESPACE'."
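Review bot: The success banner on the last line is printed whether or not `kubectl create secret` succeeded, because the script never sets `-e` and never checks the exit status, so a pre-existing `csi-s3-secret`, a missing `csi-s3` namespace or no cluster context still ends with "✅ ... created successfully". Guard the call, `kubectl create secret generic csi-s3-secret ... --namespace="$NAMESPACE" || { echo "Error: failed to create secret" >&2; exit 1; }`, or put `set -euo pipefail` directly under the shebang. Both `read` calls should also carry `-r` so a backslash in the key is stored literally, and since this secret holds object-storage credentials a comment that the key pair should be a least-privilege key for the one bucket the CSI driver mounts (rather than an account-wide key) would help whoever provisions it. This section's file header is not rendered on the page; the path is inferred from the secret name.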

50
firmware/configMap.yaml Normal file

@ -0,0 +1,50 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-config
namespace: firmware
data:
nginx.conf: |
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
include /etc/nginx/conf.d/*.conf;
}
default.conf: |
server {
listen 80;
server_name localhost;
root /usr/share/nginx/html;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
location / {
autoindex on;
autoindex_exact_size off;
autoindex_localtime on;
}
}
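Review bot: `autoindex on` in the `location /` block publishes a browsable listing of the whole firmware volume over plaintext HTTP with no access control, and the matching Service in this commit is a NodePort, so anyone who can reach a node can enumerate and download every image. If the listing is intentional, at least add `server_tokens off;` to the `http` block and consider `auth_basic` or an `allow`/`deny` list inside `location /` so only the networks that pull firmware can browse it. Serving on `listen 80;` gives devices no transport integrity either; a comment stating how firmware integrity is verified (signed images, published checksums, or TLS terminated in front of this pod) would spare the next reader from guessing.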

55
firmware/deployment.yaml Normal file

@ -0,0 +1,55 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: firmware
namespace: firmware
spec:
replicas: 1
selector:
matchLabels:
app: nginx
template:
metadata:
labels:
app: nginx
spec:
containers:
- name: nginx
image: nginx
resources:
limits:
memory: "50Mi"
cpu: "50m"
requests:
memory: "5Mi"
cpu: "10m"
volumeMounts:
- mountPath: /usr/share/nginx/html
name: data-volume
readOnly: true
- mountPath: /etc/nginx/nginx.conf
name: nginx-conf
subPath: nginx.conf
readOnly: true
- mountPath: /etc/nginx/conf.d/default.conf
name: default-conf
subPath: default.conf
readOnly: true
ports:
- containerPort: 80
volumes:
- name: data-volume
persistentVolumeClaim:
claimName: firmware-csi-s3-pvc
- name: nginx-conf
configMap:
name: nginx-config
items:
- key: nginx.conf
path: nginx.conf
- name: default-conf
configMap:
name: nginx-config
items:
- key: default.conf
path: default.conf
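Review bot: `image: nginx` in the container spec carries no tag or digest, so every pod restart may pull a different image and the deployment is not reproducible; pin an explicit tag or `@sha256:` digest as the UniFi manifest in this commit does. The pod also has no `securityContext`; the stock nginx image starts its master process as root to bind port 80, so the minimum is `allowPrivilegeEscalation: false` plus `capabilities: {drop: [ALL], add: [NET_BIND_SERVICE]}`, and `readOnlyRootFilesystem: true` becomes possible if the cache and pid directories are given emptyDir mounts (verify against the image before enabling). Mounting the PVC and both config files `readOnly: true` is the right call and worth keeping.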


@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: firmware-csi-s3-pvc
namespace: firmware
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi
storageClassName: csi-s3

13
firmware/service.yaml Normal file

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: firmware
namespace: firmware
spec:
selector:
app: nginx
ports:
- protocol: TCP
port: 80
targetPort: 80
type: NodePort
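Review bot: `type: NodePort` publishes the firmware listing on a high port of every node address, which on a managed cloud cluster (other PVCs in this commit use `do-block-storage`) presumably means a public IP, and nothing in the commit restricts who can reach it. Prefer `type: ClusterIP` behind an Ingress with TLS; if a NodePort is genuinely required, document the cloud firewall rule that limits the port to the device networks, and add `externalTrafficPolicy: Local` so the nginx access log records real client addresses instead of node SNAT addresses.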

88
phpIPAM/deployment.yaml Normal file

@ -0,0 +1,88 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: phpipam-web
namespace: phpipam
spec:
replicas: 1
selector:
matchLabels:
app: phpipam-web
template:
metadata:
labels:
app: phpipam-web
spec:
containers:
- name: phpipam-web
image: phpipam/phpipam-www:latest
ports:
- containerPort: 80
env:
- name: TZ
value: "America/Chicago"
- name: IPAM_DATABASE_HOST
value: "mariadb"
- name: IPAM_DATABASE_PASS
valueFrom:
secretKeyRef:
name: mariadb-secret
key: root-password
- name: IPAM_DATABASE_WEBHOST
value: "%"
- name: IPAM_TRUST_X_FORWARDED
value: "true"
- name: IPAM_DISABLE_INSTALLER
value: "1"
resources:
limits:
memory: "512Mi"
cpu: "500m"
requests:
memory: "50Mi"
cpu: "50m"
volumeMounts:
- mountPath: /migrate
name: phpipam-migrate
volumes:
- name: phpipam-migrate
persistentVolumeClaim:
claimName: ipam-csi-s3-pvc
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: phpipam-cron
namespace: phpipam
spec:
replicas: 1
selector:
matchLabels:
app: phpipam-cron
template:
metadata:
labels:
app: phpipam-cron
spec:
containers:
- name: phpipam-cron
image: phpipam/phpipam-cron:latest
env:
- name: TZ
value: "America/Chicago"
- name: IPAM_DATABASE_HOST
value: "phpipam-mariadb"
- name: IPAM_DATABASE_PASS
valueFrom:
secretKeyRef:
name: mariadb-secret
key: root-password
- name: SCAN_INTERVAL
value: "1h"
resources:
limits:
memory: "256Mi"
cpu: "250m"
requests:
memory: "25Mi"
cpu: "25m"
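Review bot: Both the `phpipam-web` and `phpipam-cron` containers are handed the MariaDB root password (`IPAM_DATABASE_PASS` from `mariadb-secret`/`root-password`), so the web application runs with full database-server privileges; the Snipe-IT section of this same commit provisions a dedicated user in an init Job, and phpIPAM should get the same treatment with the image's database-user variable (presumably `IPAM_DATABASE_USER`) pointed at a limited account. The cron deployment also sets `IPAM_DATABASE_HOST` to `phpipam-mariadb` while the web deployment and the headless Service use `mariadb`, so the scanner pod presumably cannot resolve its database; change it to `value: "mariadb"`. Finally, `IPAM_TRUST_X_FORWARDED: "true"` is set although the Service is a NodePort with no proxy shown in front of it, which lets any client forge `X-Forwarded-For` in phpIPAM's logs and IP-based checks; drop it unless an Ingress is added. Both images use floating `:latest` tags, unlike the pinned `mariadb:10.6`.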


@ -0,0 +1,68 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mariadb-pvc
namespace: phpipam
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: do-block-storage
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: mariadb
namespace: phpipam
spec:
replicas: 1
selector:
matchLabels:
app: mariadb
template:
metadata:
labels:
app: mariadb
spec:
containers:
- name: mariadb
image: mariadb:10.6
ports:
- containerPort: 3306
env:
- name: MARIADB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-secret
key: root-password
resources:
limits:
memory: "1Gi"
cpu: "1000m"
requests:
memory: "200Mi"
cpu: "200m"
volumeMounts:
- name: mariadb-storage
mountPath: /var/lib/mysql
volumes:
- name: mariadb-storage
persistentVolumeClaim:
claimName: mariadb-pvc
---
apiVersion: v1
kind: Service
metadata:
name: mariadb
namespace: phpipam
spec:
ports:
- port: 3306
targetPort: 3306
selector:
app: mariadb
clusterIP: None
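Review bot: The MariaDB container is configured with only `MARIADB_ROOT_PASSWORD`, so root is the only account, and the headless `mariadb` Service on 3306 is reachable from every pod in the cluster because this commit adds no NetworkPolicy. Add `MARIADB_DATABASE`, `MARIADB_USER` and `MARIADB_PASSWORD` (sourced from a separate Secret) so the application gets a scoped account, and a NetworkPolicy admitting ingress on 3306 only from pods labelled `app: phpipam-web` and `app: phpipam-cron`. The container also lacks a `securityContext`; `allowPrivilegeEscalation: false` and dropped capabilities are safe with this image, and `runAsNonRoot` may be possible if the volume permissions allow it (verify). This section's file header is not rendered on the page; it appears to be the phpIPAM MariaDB manifest.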

21
phpIPAM/mariadb/secret-setup.sh Executable file

@ -0,0 +1,21 @@
#!/bin/bash
# Prompt user for MariaDB root password
read -sp "Enter MariaDB root password: " ROOT_PASSWORD
echo ""
# Ensure the password is not empty
if [[ -z "$ROOT_PASSWORD" ]]; then
echo "Error: Password cannot be empty."
exit 1
fi
# Define namespace
NAMESPACE="phpipam"
# Create the Kubernetes secret
kubectl create secret generic mariadb-secret \
--from-literal=root-password="$ROOT_PASSWORD" \
--namespace="$NAMESPACE"
echo "✅ MariaDB secret created successfully in namespace '$NAMESPACE'."
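Review bot: The "created successfully" message is unconditional: the script has no `set -e` and ignores the exit status of `kubectl create secret`, so a pre-existing secret or a missing `phpipam` namespace prints a kubectl error followed by a success banner. Either add `set -euo pipefail` after the shebang or append `|| { echo "Error: kubectl failed" >&2; exit 1; }` to the kubectl call, and use `read -rsp` so backslashes in the password are kept literally. This file is identical to `snipeit/mariadb/secret-setup.sh` apart from `NAMESPACE`; one script taking the namespace as an argument would stop the two drifting.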


@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: ipam-csi-s3-pvc
namespace: phpipam
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi
storageClassName: csi-s3

13
phpIPAM/service.yaml Normal file

@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: phpipam-web
namespace: phpipam
spec:
selector:
app: phpipam-web
ports:
- protocol: TCP
port: 80
targetPort: 80
type: NodePort
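Review bot: `type: NodePort` exposes the phpIPAM login page over plain HTTP on every node address, and phpIPAM holds the IP plan plus whatever scanning credentials are configured in it. The Snipe-IT values in this commit point at an `https://` URL, which suggests TLS termination is planned; this Service should be `type: ClusterIP` behind that Ingress rather than a node port. If NodePort must stay, document the firewall rule that restricts it, and note that without a proxy in front the deployment's `IPAM_TRUST_X_FORWARDED` setting should be off.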

191
snipeit/ReadMe.md Normal file

@ -0,0 +1,191 @@
# Snipe-IT
[Snipeit-IT](http://www.snipeitapp.com) is free open source IT asset/license management system
## Generate config.snipeit.key
In order for Snipe-IT to work correctly you need to set the yaml-key config.snipeit.key in the values.yaml.
This must be a Base64 Encoded key, which you have to set *before deploying* this Chart.
```
$ docker run -i -t snipe/snipe-it php artisan key:generate --show
```
Then set the generated key from the output with *--set config.snipeit.key* when you're deploying.
## TL;DR;
```
$ helm repo add t3n https://storage.googleapis.com/t3n-helm-charts
$ helm install t3n/snipeit --set config.snipeit.key="base64:....."
```
## Introduction
This chart bootstraps a [Snipe-IT](https://github.com/snipe/snipe-it)
deployment on a [Kubernetes](http://kubernetes.io) cluster using the
[Helm](https://helm.sh) package manager.
## Installing the Chart
To install the chart with the release name `my-release`:
```
$ helm install --name my-release t3n/snipeit --set config.snipeit.key="base64:....."
```
The command deploys Snipe-IT on the Kubernetes cluster in the default
configuration. The [configuration](#configuration) section lists the parameters
that can be configured during installation.
> **Tip**: List all releases using `helm list`
## Uninstalling the Chart
To uninstall/delete the `my-release` deployment:
```
$ helm delete my-release
```
The command removes all the Kubernetes components associated with the chart and
deletes the release.
## Configuration
The following table lists the configurable parameters of the Snipe-IT chart
and their default values.
| Parameter | Description | Default |
|--------------------------------------|-------------------------------------------------------|--------------------------------|
| `config.mysql.externalDatabase.user` | Username of external MySQL Database User | `snipeit` |
| `config.mysql.externalDatabase.pass` | Password of external MySQL Database User | `""` |
| `config.mysql.externalDatabase.name` | Name of external MySQL Database | `db-snipeit` |
| `config.mysql.externalDatabase.host` | Hostname/IP of external MySQL Database | `mysql` |
| `config.mysql.externalDatabase.port` | Port of external MySQL Database | `3306` |
| `config.snipeit.env` | Snipe-IT Environment to use | `production` |
| `config.snipeit.debug` | Whether to enable Debug mode or not | `false` |
| `config.snipeit.url` | URL of Snipe-IT | `http://snipeit.example.local` |
| `config.snipeit.key` | Application-Key for Snipe-IT | `""` |
| `config.snipeit.timezone` | Snipe-IT Timezone | `Europe/Berlin` |
| `config.snipeit.locale` | Snipe-IT Locale | `en` |
| `config.snipeit.envConfig` | Configure Environment Values | `{}` |
| `config.externalSecrets ` | External Secrets to for db configuration | `[]` |
| `image.repository` | Image Repository | `snipe/snipe-it` |
| `image.tag` | Image Tag | `4.6.16` |
| `image.pullPolicy` | Image Pull Policy | `IfNotPresent` |
| `ingress.enabled` | Whether or not to enable Ingress | `true` |
| `ingress.className` | Ingress Class Name | `""` |
| `ingress.annotations` | Custom Ingress Annotations | `{}` |
| `ingress.path` | Root Path for the Ingress Ressource | `/` |
| `ingress.hosts` | URL where Snipe-IT will be accessed | `example.local` |
| `ingress.tls` | Configuration for SecretName and TLS-Hosts | `[]` |
| `mysql.enabled` | Whether or not to deploy a MySQL Deployment | `true` |
| `mysql.mysqlUser` | MySQL User to create | `snipeit` |
| `mysql.mysqlPassword` | MySQL Password for the User | `""` |
| `mysql.mysqlDatabase` | Name of MySQL Database to create | `db-snipeit` |
| `mysql.persistence.enabled` | Whether or not to enable Persistence | `true` |
| `mysql.persistence.storageClass` | StorageClass for MySQL Deployment persistence | `""` |
| `mysql.persistence.accessMode` | Access Mode of PV | `ReadWriteOnce` |
| `mysql.persistence.size` | Size of the PV | `8Gi` |
| `persistence.enabled` | Whether or not Snipe-IT Data should be persisted | `true` |
| `persistence.annotations` | Annotations for the PVC | `{}` |
| `persistence.size` | Size of the persistent Snipe-IT Volume | `2Gi` |
| `replicaCount` | Number of Snipe-IT Pods to run | `1` |
| `deploymentStrategy` | Deployment strategy | `{ "type": "RollingUpdate" }` |
| `revisionHistoryLimit` | The number of old Replicas to keep to allow rollback. | `0` |
| `service.type` | Type of service to create | `ClusterIP` |
| `service.annotations` | Annotations of service to create | `{}` |
| `service.clusterIP` | Internal cluster service IP | `nil` |
| `service.loadBalancerIP` | IP address to assign to load balancer (if supported) | `nil` |
| `service.loadBalancerSourceRanges` | list of IP CIDRs allowed access to lb (if supported) | `[]` |
| `service.externalIPs` | service external IP addresses | `[]` |
| `resources` | CPU/Memory resource requests/limits | `{}` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `tolerations` | Toleration labels for pod assignment | `[]` |
| `affinity` | Affinity settings for pod assignment | `{}` |
| `extraManifests` | Add additional manifests to deploy | `[]` |
| `extraVolumeMounts` | Additional volumeMounts to the container | `[]` |
| `extraVolume` | Additional volumes to the pod | `[]` |
Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,
```
$ helm install --name my-release \
--set service.type=LoadBalancer \
t3n/snipeit
```
The above command sets the service type LoadBalancer.
Alternatively, a YAML file that specifies the values for the above parameters
can be provided while installing the chart. For example,
```
$ helm install --name my-release -f values.yaml t3n/snipeit
```
> **Tip**: You can use the default [values.yaml](values.yaml)
### Persistence
The Snipe-IT image stores persistence under `/var/lib/snipeit` path of the
container. A dynamically managed Persistent Volume Claim is used to keep the
data across deployments, by default. This is known to work in GCE, AWS, and
minikube.
Alternatively, a previously configured Persistent Volume Claim can be used.
#### Existing PersistentVolumeClaim
1. Create the PersistentVolume
1. Create the PersistentVolumeClaim
1. Install the chart
```bash
$ helm install --name my-release \
--set persistence.existingClaim=PVC_NAME \
t3n/snipeit
```
### Custom Environment Values
Snipe-IT uses `.env` file to store configuration variables. This includes
Email configuration, advanced configurations like proxy, login throttling etc.
To override the default values for these variables, use the `config.snipeit.envConfig`.
```yaml
config:
snipeit:
envConfig:
MAIL_HOST: smtp.example.com
MAIL_PORT: 25
MAIL_USERNAME: username
MAIL_PASSWORD: password
MAIL_FROM_ADDR: snipeit@example.com
MAIL_FROM_NAME: Snipe-IT
```
### External Secrets
To use manually created secrets for the database configuration, use the `config.externalSecret`.
You can create a secret with the following command:
```bash
kubectl create secret generic my-db-secret \
--from-literal=MYSQL_USER=<your_mysql_user> \
--from-literal=MYSQL_DATABASE=<your_mysql_database> \
--from-literal=MYSQL_PASSWORD=<your_mysql_password> \
--from-literal=MYSQL_PORT_3306_TCP_ADDR=<your_mysql_host> \
--from-literal=MYSQL_PORT_3306_TCP_PORT=<your_mysql_port> \
--from-literal=APP_KEY=<your_app_key>
```
## Additional manifests
It is possible to add additional manifests into a deployment, to extend the chart. One of the reason is to deploy a manifest specific to a cloud provider ( BackendConfig on GKE for example ).
```yaml
extraManifests:
- apiVersion: cloud.google.com/v1beta1
kind: BackendConfig
metadata:
name: "{{ .Release.Name }}-test"
spec:
securityPolicy:
name: "gcp-cloud-armor-policy-test"
```


@ -0,0 +1,67 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mariadb-pvc
namespace: snipeit
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: do-block-storage
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: mariadb
namespace: snipeit
spec:
replicas: 1
selector:
matchLabels:
app: mariadb
template:
metadata:
labels:
app: mariadb
spec:
containers:
- name: mariadb
image: mariadb:10.6
ports:
- containerPort: 3306
env:
- name: MARIADB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-secret
key: root-password
resources:
limits:
memory: "1Gi"
cpu: "1000m"
requests:
memory: "200Mi"
cpu: "50m"
volumeMounts:
- name: mariadb-storage
mountPath: /var/lib/mysql
volumes:
- name: mariadb-storage
persistentVolumeClaim:
claimName: mariadb-pvc
---
apiVersion: v1
kind: Service
metadata:
name: mariadb
namespace: snipeit
spec:
ports:
- port: 3306
targetPort: 3306
selector:
app: mariadb
clusterIP: None
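Review bot: The headless `mariadb` Service exposes 3306 to every pod in the cluster and this commit adds no NetworkPolicy, so any compromised workload can attempt the root login that the init Job performs over the network. Add a NetworkPolicy admitting ingress on 3306 only from the Snipe-IT pods and the `init-mariadb` Job, and give the container a `securityContext` (`allowPrivilegeEscalation: false`, capabilities dropped). The PVC, Deployment and Service here duplicate the phpIPAM MariaDB manifest except for the namespace and the cpu request (50m here versus 200m there); if that difference is deliberate, a comment would keep a future reader from "fixing" it. This section's file header is not rendered; it appears to be the Snipe-IT MariaDB manifest.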

29
snipeit/mariadb/job.yaml Normal file

@ -0,0 +1,29 @@
apiVersion: batch/v1
kind: Job
metadata:
name: init-mariadb
namespace: snipeit
spec:
ttlSecondsAfterFinished: 3600
template:
spec:
containers:
- name: init-mariadb
image: mariadb:10.6
command:
- sh
- -c
- >
until mysql -h mariadb -P 3306 -u root -p"$MARIADB_ROOT_PASSWORD" -e "CREATE DATABASE IF NOT EXISTS \`db-snipeit\`; CREATE USER IF NOT EXISTS 'snipeit'@'%' IDENTIFIED BY '$SNIPEIT_DB_PASSWORD'; GRANT ALL PRIVILEGES ON \`db-snipeit\`.* TO 'snipeit'@'%'; FLUSH PRIVILEGES;"; do echo "Waiting for MariaDB to be ready..."; sleep 5; done
env:
- name: MARIADB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mariadb-secret
key: root-password
- name: SNIPEIT_DB_PASSWORD
valueFrom:
secretKeyRef:
name: snipeit-db-secret
key: MYSQL_PASSWORD
restartPolicy: OnFailure
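Review bot: The `sh -c` command passes the root password on the `mysql` command line (`-p"$MARIADB_ROOT_PASSWORD"`), where it is visible in `ps` and `/proc/*/cmdline` inside the container, and splices `$SNIPEIT_DB_PASSWORD` into a single-quoted SQL literal, so a password containing `'` or `\` yields a syntax error; because the `until` loop retries on any non-zero status, that error makes the Job spin forever instead of failing. Supply the root password through the environment, `MYSQL_PWD="$MARIADB_ROOT_PASSWORD" mysql -h mariadb -P 3306 -u root -e "..."`, add `activeDeadlineSeconds: 600` under the Job `spec` so a stuck loop surfaces as a failure, and either document that the application password may not contain quotes or backslashes or validate it before use. Note too that `CREATE USER IF NOT EXISTS ... IDENTIFIED BY` does not change the password on a re-run, so rotating `snipeit-db-secret` leaves the old value in place unless an `ALTER USER` is added.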

21
snipeit/mariadb/secret-setup.sh Executable file

@ -0,0 +1,21 @@
#!/bin/bash
# Prompt user for MariaDB root password
read -sp "Enter MariaDB root password: " ROOT_PASSWORD
echo ""
# Ensure the password is not empty
if [[ -z "$ROOT_PASSWORD" ]]; then
echo "Error: Password cannot be empty."
exit 1
fi
# Define namespace
NAMESPACE="snipeit"
# Create the Kubernetes secret
kubectl create secret generic mariadb-secret \
--from-literal=root-password="$ROOT_PASSWORD" \
--namespace="$NAMESPACE"
echo "✅ MariaDB secret created successfully in namespace '$NAMESPACE'."
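Review bot: The final "✅" line runs regardless of whether `kubectl create secret` succeeded, since the script sets no `-e` and never inspects the exit status; a duplicate secret or missing `snipeit` namespace therefore reports success. Add `set -euo pipefail` after the shebang (or `|| exit 1` on the kubectl call) and use `read -rsp` so backslashes in the password are kept. The script is a copy of `phpIPAM/mariadb/secret-setup.sh` with a different `NAMESPACE`; a single parameterised script would avoid maintaining both.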

42
snipeit/secret-setup.sh Executable file

@ -0,0 +1,42 @@
#!/bin/bash
# Define static values
MYSQL_USER="snipeit"
MYSQL_DATABASE="db-snipeit"
MYSQL_HOST="mariadb"
MYSQL_PORT="3306"
# Prompt user for MariaDB root password
read -sp "Enter MariaDB root password: " ROOT_PASSWORD
echo ""
# Ensure the password is not empty
if [[ -z "$ROOT_PASSWORD" ]]; then
echo "Error: Password cannot be empty."
exit 1
fi
# Prompt user for APP_KEY
read -sp "Enter APP_KEY: " APP_KEY
echo ""
# Ensure the APP_KEY is not empty
if [[ -z "$APP_KEY" ]]; then
echo "Error: APP_KEY cannot be empty."
exit 1
fi
# Define namespace
NAMESPACE="snipeit"
# Create the Kubernetes secret
kubectl create secret generic snipeit-db-secret \
--from-literal=MYSQL_USER="$MYSQL_USER" \
--from-literal=MYSQL_DATABASE="$MYSQL_DATABASE" \
--from-literal=MYSQL_PASSWORD="$ROOT_PASSWORD" \
--from-literal=MYSQL_PORT_3306_TCP_ADDR="$MYSQL_HOST" \
--from-literal=MYSQL_PORT_3306_TCP_PORT="$MYSQL_PORT" \
--from-literal=APP_KEY="$APP_KEY" \
--namespace="$NAMESPACE"
echo "✅ Secrets created successfully in namespace '$NAMESPACE'."
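Review bot: The prompt "Enter MariaDB root password" stores the entered value as `MYSQL_PASSWORD` in `snipeit-db-secret`, which the `init-mariadb` Job uses as the password for the limited `snipeit` user; if the operator types the same root password here as in `mariadb/secret-setup.sh`, the application account and the root account share a password and the least-privilege split the Job creates is lost. Request a distinct credential instead: `read -rsp "Enter Snipe-IT database user password: " DB_PASSWORD` and `--from-literal=MYSQL_PASSWORD="$DB_PASSWORD"`. As in the sibling scripts, the closing "✅" line is printed even when `kubectl create secret` fails; add `set -euo pipefail` or check the exit status, and use `-r` on both `read` calls.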

146
snipeit/values.yaml Normal file

@ -0,0 +1,146 @@
replicaCount: 1
revisionHistoryLimit: 0
deploymentStrategy:
type: RollingUpdate
## PodDisruptionBudget
## ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/#specifying-a-poddisruptionbudget
# maxUnavailable: 1
image:
repository: snipe/snipe-it
pullPolicy: IfNotPresent
# Overrides the image tag whose default is the chart appVersion.
tag: ""
service:
type: NodePort
annotations: {}
config:
mysql:
## All of these values are only used when mysql.enabled is set to false
externalDatabase:
user: "snipeit"
pass: ""
name: db-snipeit
host: mariadb
port: 3306
snipeit:
env: production
debug: false
url: https://snipeit.anteriorsolutions.com
key: ""
timezone: "America/Chicago"
locale: en
envConfig: {}
## Name of the secret containing the database connection details
## kubectl create secret generic my-db-secret \
## --from-literal=MYSQL_USER=<your_mysql_user> \
## --from-literal=MYSQL_DATABASE=<your_mysql_database> \
## --from-literal=MYSQL_PASSWORD=<your_mysql_password> \
## --from-literal=MYSQL_PORT_3306_TCP_ADDR=<your_mysql_host> \
## --from-literal=MYSQL_PORT_3306_TCP_PORT=<your_mysql_port> \
## --from-literal=APP_KEY=<your_app_key>
externalSecrets: "snipeit-db-secret"
mysql:
## Whether to deploy a mysql server to satisfy the applications database requirements. To use an external database set this to false and configure the externalDatabase parameters
enabled: false
## Create a database and a database user
##
mysqlUser: snipeit
mysqlPassword: "snipeit"
mysqlDatabase: db-snipeit
persistence:
enabled: true
## mysql data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
accessMode: ReadWriteOnce
size: 8Gi
persistence:
enabled: true
annotations: {}
accessMode: ReadWriteOnce
existingClaim: ""
## database data Persistent Volume Storage Class
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
# storageClass: "-"
size: 2Gi
www:
mountPath: /var/lib/snipeit
subPath: www
sessions:
mountPath: /var/www/html/storage/framework/sessions
subPath: sessions
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# kubernetes.io/tls-acme: "true"
path: /
pathType: ImplementationSpecific
hosts:
- example.local
tls: []
# - secretName: example-local
# hosts:
# - example.local
mysql-backup:
enabled: false
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
extraAnnotations: {}
# Extra Annotations that will be added to the SnipeIT Pod(s)
# app.kubernetes.io/instance: snipeit
extraManifests: []
extraVolumeMounts: []
# Additional volumeMounts to the container
# - name: secrets-store01-inline
# mountPath: /mnt/secrets-store
extraVolumes: []
# Additional volumes to the pod
# - csi:
# driver: secrets-store.csi.k8s.io
# readOnly: true
# volumeAttributes:
# secretProviderClass: "secret-csi-provider"
# name : secrets-store01-inline
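Review bot: `mysql.mysqlPassword: "snipeit"` is a plaintext credential committed to the repository; it is inert while `mysql.enabled` is `false`, but it becomes the live database password the moment someone flips that flag, so leave it as `mysqlPassword: ""` or move it to a Secret like every other credential in this commit. `config.externalSecrets` is set to the string `"snipeit-db-secret"` while the ReadMe in the same commit documents `config.externalSecrets` as a list defaulting to `[]`; confirm which shape the chart expects, since a type mismatch here may be silently ignored rather than fail the render. `config.snipeit.url` is `https://...` but `ingress.enabled` is `false` and `service.type` is `NodePort`, so the application is presumably reached over plain HTTP unless TLS terminates elsewhere; a comment stating where would help.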

118
unifi/deployment.yaml Normal file

@ -0,0 +1,118 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: unifi-data
namespace: unifi
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: do-block-storage
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: unifi-network-application
spec:
replicas: 1
selector:
matchLabels:
app: unifi-network-application
template:
metadata:
labels:
app: unifi-network-application
spec:
containers:
- name: unifi-network-application
image: lscr.io/linuxserver/unifi-network-application:7.5.187-ls15
env:
- name: TZ
value: "America/Chicago"
- name: MONGO_USER
valueFrom:
secretKeyRef:
name: mongodb-secret
key: MONGO_USER
- name: MONGO_PASS
valueFrom:
secretKeyRef:
name: mongodb-secret
key: MONGO_PASS
- name: MONGO_HOST
value: "mongodb"
- name: MONGO_PORT
value: "27017"
- name: MONGO_DBNAME
valueFrom:
secretKeyRef:
name: mongodb-secret
key: MONGO_DBNAME
- name: MONGO_AUTHSOURCE
valueFrom:
secretKeyRef:
name: mongodb-secret
key: MONGO_AUTHSOURCE
- name: MEM_LIMIT
value: "1024" # optional
- name: MEM_STARTUP
value: "1024" # optional
- name: MONGO_TLS
value: "" # optional
volumeMounts:
- name: config-volume
mountPath: /config
ports:
- containerPort: 8443
- containerPort: 3478
protocol: UDP
- containerPort: 10001
protocol: UDP
- containerPort: 8080
- containerPort: 1900
protocol: UDP # optional
- containerPort: 8843 # optional
- containerPort: 8880 # optional
- containerPort: 6789 # optional
- containerPort: 5514
protocol: UDP # optional
resources:
limits:
memory: "1024Mi"
cpu: "500m"
requests:
memory: "512Mi"
cpu: "200m"
volumes:
- name: config-volume
persistentVolumeClaim:
claimName: unifi-data
---
apiVersion: v1
kind: Service
metadata:
name: unifi
namespace: unifi
spec:
ports:
- name: https
port: 8443
targetPort: 8443
protocol: TCP
- name: http
port: 8080
targetPort: 8080
protocol: TCP
- name: stun
port: 3478
targetPort: 3478
protocol: UDP
- name: discovery
port: 10001
targetPort: 10001
protocol: UDP
type: NodePort
selector:
app: unifi-network-application
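Review bot: The `unifi-network-application` Deployment has no `namespace:` in its metadata while the PVC `unifi-data`, the `unifi` Service and the `mongodb-secret` it references are all in `unifi`; applied without `-n unifi` it lands in `default`, where the PVC and Secret do not exist and the Service selector never matches. Add `namespace: unifi` under its `metadata`. The NodePort Service also exposes the controller's admin UI (8443) and the device inform port (8080) on every node; if adoption from outside the network is not needed, serve the UI through a ClusterIP/Ingress path and keep only the inform and STUN ports on the NodePort. The image tag `7.5.187-ls15` is pinned, which is good, but it should be tracked against the vendor's current release.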


@ -0,0 +1,119 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mongodb-pvc
namespace: unifi
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: do-block-storage
---
apiVersion: v1
kind: ConfigMap
metadata:
name: init-mongo-script
namespace: unifi
data:
init-mongo.sh: |
#!/bin/bash
if which mongosh > /dev/null 2>&1; then
mongo_init_bin='mongosh'
else
mongo_init_bin='mongo'
fi
"${mongo_init_bin}" <<EOF
use ${MONGO_AUTHSOURCE}
db.auth("${MONGO_INITDB_ROOT_USERNAME}", "${MONGO_INITDB_ROOT_PASSWORD}")
db.createUser({
user: "${MONGO_USER}",
pwd: "${MONGO_PASS}",
roles: [
{ db: "${MONGO_DBNAME}", role: "dbOwner" },
{ db: "${MONGO_DBNAME}_stat", role: "dbOwner" }
]
})
EOF
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: mongo
spec:
replicas: 1
selector:
matchLabels:
app: mongo
template:
metadata:
labels:
app: mongo
spec:
containers:
- name: mongo
image: mongo:8.0.3
env:
- name: MONGO_INITDB_ROOT_USERNAME
valueFrom:
secretKeyRef:
name: mongodb-secret
key: MONGO_INITDB_ROOT_USERNAME
- name: MONGO_INITDB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: mongodb-secret
key: MONGO_INITDB_ROOT_PASSWORD
- name: MONGO_USER
valueFrom:
secretKeyRef:
name: mongodb-secret
key: MONGO_USER
- name: MONGO_PASS
valueFrom:
secretKeyRef:
name: mongodb-secret
key: MONGO_PASS
- name: MONGO_DBNAME
valueFrom:
secretKeyRef:
name: mongodb-secret
key: MONGO_DBNAME
- name: MONGO_AUTHSOURCE
valueFrom:
secretKeyRef:
name: mongodb-secret
key: MONGO_AUTHSOURCE
volumeMounts:
- name: data-volume
mountPath: /data/db
- name: init-script
mountPath: /docker-entrypoint-initdb.d/init-mongo.sh
subPath: init-mongo.sh
resources:
limits:
memory: "1Gi"
cpu: "500m"
requests:
memory: "200Mi"
cpu: "50m"
volumes:
- name: data-volume
persistentVolumeClaim:
claimName: mongodb-pvc
- name: init-script
configMap:
name: init-mongo-script
---
apiVersion: v1
kind: Service
metadata:
name: mongodb
namespace: unifi
spec:
ports:
- port: 27017
selector:
app: mongo
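Review bot: The `mongo` Deployment omits `namespace: unifi` although its PVC, the `init-mongo-script` ConfigMap, the `mongodb` Service and `mongodb-secret` are all namespaced `unifi`, so unless it is applied with `-n unifi` it is created in `default` and fails to mount any of them; add `namespace: unifi` to its metadata. In `init-mongo.sh` the `${MONGO_PASS}` and related values are expanded into JavaScript string literals through an unquoted here-doc, so a password containing `"` or `\` breaks `db.createUser`, and because the image runs init scripts only on an empty `/data/db` a failure leaves the database without the `unifi` user; either document the forbidden characters or escape the values before use. The `mongodb` Service is reachable from every pod and this commit adds no NetworkPolicy. This section's file header is not rendered; it appears to be the UniFi MongoDB manifest.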

34
unifi/mongodb/secret-setup.sh Executable file

@ -0,0 +1,34 @@
#!/bin/bash
# Static variables
MONGO_INITDB_ROOT_USERNAME="root"
MONGO_USER="unifi"
MONGO_DBNAME="unifi"
MONGO_AUTHSOURCE="admin"
# Prompt user for MongoDB passwords
read -sp "Enter MongoDB root password: " MONGO_INITDB_ROOT_PASSWORD
echo ""
read -sp "Enter MongoDB user password: " MONGO_PASS
echo ""
# Ensure the passwords are not empty
if [[ -z "$MONGO_INITDB_ROOT_PASSWORD" || -z "$MONGO_PASS" ]]; then
echo "Error: Password fields are required."
exit 1
fi
# Define namespace
NAMESPACE="unifi"
# Create the Kubernetes secret
kubectl create secret generic mongodb-secret \
--from-literal=MONGO_INITDB_ROOT_USERNAME="$MONGO_INITDB_ROOT_USERNAME" \
--from-literal=MONGO_INITDB_ROOT_PASSWORD="$MONGO_INITDB_ROOT_PASSWORD" \
--from-literal=MONGO_USER="$MONGO_USER" \
--from-literal=MONGO_PASS="$MONGO_PASS" \
--from-literal=MONGO_DBNAME="$MONGO_DBNAME" \
--from-literal=MONGO_AUTHSOURCE="$MONGO_AUTHSOURCE" \
--namespace="$NAMESPACE"
echo "✅ MongoDB secret created successfully in namespace '$NAMESPACE'."
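Review bot: The closing "✅" line is printed even when `kubectl create secret` fails, because the script sets no `-e` and never checks the exit status; an existing `mongodb-secret` or missing `unifi` namespace therefore reports success. Add `set -euo pipefail` after the shebang or `|| exit 1` on the kubectl call, and use `read -rsp` so backslashes are kept. Both the MongoDB root password and the application password land in the same Secret; splitting the root credentials into their own Secret would let the application's namespace-level RBAC be scoped away from them.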