Move all bots to designated namespaces

author: Joe Banks <[email protected]> 2024-04-14 23:12:48 +0100
committer: Joe Banks <[email protected]> 2024-04-14 23:12:48 +0100
commit: 85afb3b8ca98db360c863cc56af18c411c6489e2 (patch)
tree: c5adcf0fe35eeebc1eaaf0a20c44656ed36b018b /kubernetes/namespaces/modmail
parent: Configure Ansible for user authentication (#213) (diff)
9 files changed, 161 insertions, 0 deletions
diff --git a/kubernetes/namespaces/modmail/README.md b/kubernetes/namespaces/modmail/README.md
new file mode 100644
index 0000000..b78857b
--- /dev/null
+++ b/kubernetes/namespaces/modmail/README.md
@@ -0,0 +1,12 @@
+# Modmail
+
+This folder contains the manifests for our Modmail service.
+
+## Secrets
+
+The services require one shared secret called `modmail` containing the following:
+
+| Key                     | Value                            | Description                                                  |
+| ------------------------| ---------------------------------|--------------------------------------------------------------|
+| `CONNECTION_URI`        | MongoDB connection URI           | Used for storing data                                        |
+| `TOKEN`                 | Discord Token                    | Used to connect to Discord                                   |
diff --git a/kubernetes/namespaces/modmail/bot/README.md b/kubernetes/namespaces/modmail/bot/README.md
new file mode 100644
index 0000000..ac29ac2
--- /dev/null
+++ b/kubernetes/namespaces/modmail/bot/README.md
@@ -0,0 +1,7 @@
+# Modmail bot
+These manifests will provision the resources for an instance of our Modmail bot.
+
+To deploy this bot simply run:
+```
+kubectl apply -f deployment.yaml
+```
diff --git a/kubernetes/namespaces/modmail/bot/deployment.yaml b/kubernetes/namespaces/modmail/bot/deployment.yaml
new file mode 100644
index 0000000..6084927
--- /dev/null
+++ b/kubernetes/namespaces/modmail/bot/deployment.yaml
@@ -0,0 +1,51 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: modmail-bot
+  namespace: modmail
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: modmail-bot
+  template:
+    metadata:
+      labels:
+        app: modmail-bot
+    spec:
+      containers:
+        - name: modmail-bot
+          image: ghcr.io/python-discord/modmail:latest
+          resources:
+            requests:
+              cpu: 75m
+              memory: 500Mi
+            limits:
+              cpu: 125m
+              memory: 750Mi
+          imagePullPolicy: "Always"
+          volumeMounts:
+          - mountPath: /modmailbot/plugins
+            name: plugins-vol
+          - mountPath: /modmailbot/temp
+            name: temp-vol
+          env:
+          - name: TMPDIR
+            value: /modmailbot/temp
+          envFrom:
+            - secretRef:
+                name: modmail
+            - configMapRef:
+                name: modmail-config-env
+          securityContext:
+            readOnlyRootFilesystem: true
+      volumes:
+      - name: plugins-vol
+        emptyDir: {}
+      - name: temp-vol
+        emptyDir:
+          medium: Memory
+      securityContext:
+        fsGroup: 2000
+        runAsUser: 1000
+        runAsNonRoot: true
diff --git a/kubernetes/namespaces/modmail/configmap.yaml b/kubernetes/namespaces/modmail/configmap.yaml
new file mode 100644
index 0000000..9117464
--- /dev/null
+++ b/kubernetes/namespaces/modmail/configmap.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: modmail-config-env
+  namespace: modmail
+data:
+  DATABASE_TYPE: 'mongodb'  # The type of database to use, only supports mongodb right now
+  DATA_COLLECTION: 'false'  # Disable bot metadata collection by modmail devs
+  DISABLE_AUTOUPDATES: 'yes'
+  GUILD_ID: '267624335836053506'
+  LOG_URL: https://modmail.pythondiscord.com/
+  OWNERS: 165023948638126080,95872159741644800,336843820513755157
+  REGISTRY_PLUGINS_ONLY: 'false'  # Allow the usage of plugins outside of the official registry
diff --git a/kubernetes/namespaces/modmail/secrets.yaml b/kubernetes/namespaces/modmail/secrets.yaml
new file mode 100644
index 0000000..c376565
--- /dev/null
+++ b/kubernetes/namespaces/modmail/secrets.yaml
diff --git a/kubernetes/namespaces/modmail/web/README.md b/kubernetes/namespaces/modmail/web/README.md
new file mode 100644
index 0000000..7b7e19e
--- /dev/null
+++ b/kubernetes/namespaces/modmail/web/README.md
@@ -0,0 +1,2 @@
+# Modmail web
+These manifests provision an instance of the web logviewer for our Modmail system.
diff --git a/kubernetes/namespaces/modmail/web/deployment.yaml b/kubernetes/namespaces/modmail/web/deployment.yaml
new file mode 100644
index 0000000..877e945
--- /dev/null
+++ b/kubernetes/namespaces/modmail/web/deployment.yaml
@@ -0,0 +1,39 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: modmail-web
+  namespace: modmail
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: modmail-web
+  template:
+    metadata:
+      labels:
+        app: modmail-web
+    spec:
+      containers:
+        - name: modmail-web
+          image: ghcr.io/python-discord/logviewer:latest
+          imagePullPolicy: Always
+          resources:
+            requests:
+              cpu: 50m
+              memory: 100Mi
+            limits:
+              cpu: 100m
+              memory: 150Mi
+          ports:
+            - containerPort: 8000
+          envFrom:
+            - secretRef:
+                name: modmail
+            - configMapRef:
+                name: modmail-config-env
+          securityContext:
+            readOnlyRootFilesystem: true
+      securityContext:
+        fsGroup: 2000
+        runAsUser: 1000
+        runAsNonRoot: true
diff --git a/kubernetes/namespaces/modmail/web/ingress.yaml b/kubernetes/namespaces/modmail/web/ingress.yaml
new file mode 100644
index 0000000..b610b09
--- /dev/null
+++ b/kubernetes/namespaces/modmail/web/ingress.yaml
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+    nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+    nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+  name: modmail-web
+  namespace: modmail
+spec:
+  tls:
+  - hosts:
+      - "*.pythondiscord.com"
+    secretName: pythondiscord.com-tls
+  rules:
+  - host: modmail.pythondiscord.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: modmail-web
+            port:
+              number: 80
diff --git a/kubernetes/namespaces/modmail/web/service.yaml b/kubernetes/namespaces/modmail/web/service.yaml
new file mode 100644
index 0000000..2ea2e7d
--- /dev/null
+++ b/kubernetes/namespaces/modmail/web/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: modmail-web
+  namespace: modmail
+spec:
+  selector:
+    app: modmail-web
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 8000
author	Joe Banks <[email protected]>	2024-04-14 23:12:48 +0100
committer	Joe Banks <[email protected]>	2024-04-14 23:12:48 +0100
commit	85afb3b8ca98db360c863cc56af18c411c6489e2 (patch)
tree	c5adcf0fe35eeebc1eaaf0a20c44656ed36b018b /kubernetes/namespaces/modmail
parent	Configure Ansible for user authentication (#213) (diff)