7 files changed, 200 insertions, 0 deletions
diff --git a/kubernetes/namespaces/default/hastebin/README.md b/kubernetes/namespaces/default/hastebin/README.md
new file mode 100644
index 0000000..9491ed4
--- /dev/null
+++ b/kubernetes/namespaces/default/hastebin/README.md
@@ -0,0 +1,11 @@
+# Hastebin
+These manifests provision an instance of the hastebin service used on https://paste-old.pythondiscord.com
+
+## How to deploy this service
+- Check the defaults in `defaults-configmap.yaml` match what you want.
+
+This deployment expects an environment variable to exist in a secret called `hastebin-redis-password`.
+
+| Environment      | Description                                           |
+|------------------|-------------------------------------------------------|
+| STORAGE_PASSWORD | The password to the redis instance to store pastes to |
diff --git a/kubernetes/namespaces/default/hastebin/defaults-configmap.yaml b/kubernetes/namespaces/default/hastebin/defaults-configmap.yaml
new file mode 100644
index 0000000..b05812b
--- /dev/null
+++ b/kubernetes/namespaces/default/hastebin/defaults-configmap.yaml
@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: hastebin-defaults
+data:
+  # Set storage method
+  STORAGE_TYPE: "redis"
+
+  # Set storage host
+  STORAGE_HOST: "redis.default.svc.cluster.local"
+
+  # Set port of storage host
+  STORAGE_PORT: "6379"
+
+  # Expiration of documents in seconds
+  STORAGE_EXPIRE_SECONDS: "2629746" # 1 month
+
+  # Select the Redis DB to use
+  STORAGE_DB: "2"
+
+  # Maximum length in characters of documents
+  MAX_LENGTH: "100000"
+
+  # Logging configuration
+  LOGGING_LEVEL: "verbose"
+  LOGGING_TYPE: "Console"
+  LOGGING_COLORIZE: "true"
+
+  # Host address and port
+  HOST: "0.0.0.0"
+  PORT: "7777"
+
+  # Length of keys
+  KEY_LENGTH: "10"
+
+  # Max length of static asset caching
+  STATIC_MAX_AGE: "86400"
+
+  # Compress assets
+  RECOMPRESS_STATIC_ASSETS: "true"
+
+  # Kegenerator
+  KEYGENERATOR_TYPE: "phonetic"
+
+  # Ratelimits
+  RATELIMITS_NORMAL_TOTAL_REQUESTS: "500"
+  RATELIMITS_NORMAL_EVERY_MILLISECONDS: "60000"
+
+  # Default documents
+  DOCUMENTS: "about=./about.md"
diff --git a/kubernetes/namespaces/default/hastebin/deployment.yaml b/kubernetes/namespaces/default/hastebin/deployment.yaml
new file mode 100644
index 0000000..7f88e05
--- /dev/null
+++ b/kubernetes/namespaces/default/hastebin/deployment.yaml
@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hastebin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: hastebin
+  template:
+    metadata:
+      labels:
+        app: hastebin
+    spec:
+      containers:
+        - name: hastebin
+          # Same image as https://github.com/seejohnrun/haste-server/blob/master/Dockerfile
+          image: node:14.8.0-stretch
+          command: [ "bash", "/init/init.sh" ]
+          imagePullPolicy: Always
+          resources:
+            requests:
+              cpu: 5m
+              memory: 70Mi
+            limits:
+              cpu: 100m
+              memory: 100Mi
+          ports:
+            - containerPort: 7777
+          securityContext:
+            readOnlyRootFilesystem: true
+          volumeMounts:
+            - name: hastebin-init-volume
+              mountPath: /init
+            - name: hastebin-code-volume
+              mountPath: /haste-server
+            - name: hastebin-npm-cache
+              mountPath: /home/node/
+          envFrom:
+            - secretRef:
+                name: hastebin-redis-password
+            - configMapRef:
+                name: hastebin-defaults
+      volumes:
+        - name: hastebin-init-volume
+          configMap:
+            name: hastebin-init
+        - name: hastebin-code-volume
+          emptyDir: {}
+        - name: hastebin-npm-cache
+          emptyDir: {}
+      securityContext:
+        fsGroup: 2000
+        runAsUser: 1000
+        runAsNonRoot: true
diff --git a/kubernetes/namespaces/default/hastebin/ingress.yaml b/kubernetes/namespaces/default/hastebin/ingress.yaml
new file mode 100644
index 0000000..26437ec
--- /dev/null
+++ b/kubernetes/namespaces/default/hastebin/ingress.yaml
@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
+    nginx.ingress.kubernetes.io/auth-tls-secret: "kube-system/mtls-client-crt-bundle"
+    nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
+  name: hastebin
+spec:
+  tls:
+  - hosts:
+      - "*.pythondiscord.com"
+    secretName: pythondiscord.com-tls
+  rules:
+  - host: paste-old.pythondiscord.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: hastebin
+            port:
+              number: 80
diff --git a/kubernetes/namespaces/default/hastebin/init-configmap.yaml b/kubernetes/namespaces/default/hastebin/init-configmap.yaml
new file mode 100644
index 0000000..906060f
--- /dev/null
+++ b/kubernetes/namespaces/default/hastebin/init-configmap.yaml
@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: hastebin-init
+data:
+  monkeypatch_extensions.sh: |
+    #!/bin/bash
+
+    ORIGINAL="file += '\.' + _this.lookupExtensionByType(ret\.language);"
+    PATCHED="\/\/file += '\.' + _this.lookupExtensionByType(ret\.language);"
+    FILENAME="static/application.js"
+
+    touch changed
+    sed -i "s/$ORIGINAL/$PATCHED/w changed" "$FILENAME"
+  init.sh: |
+    #!/bin/bash
+
+    # Clone the repo
+    git clone https://github.com/toptal/haste-server.git
+    cd haste-server
+
+    # Monkey patch - don't add extensions to the URLs.
+    #
+    # This is a pretty messy monkey patch, and it may break if the hastebin
+    # JS code changes significantly. It makes the URL display as "file"
+    # instead of "file.py" when you save a file, which makes it possible
+    # to share the URL without triggering Discord's suspicious URL filter.
+    cp /init/monkeypatch_extensions.sh ./monkeypatch_extensions.sh
+    chmod +x monkeypatch_extensions.sh
+    ./monkeypatch_extensions.sh
+
+    # Check if monkeypatch succeeded. Otherwise, fail hard.
+    if [ -s changed ]; then
+      echo "Monkey patch executed: Hastebin will no longer add extensions to URLs."
+    else
+      echo "Monkey patch for not adding extension could not be performed. Maybe the hastebin code has changed?"
+      exit 69
+    fi
+
+    # Install and start
+    npm install
+
+    set -e
+
+    # Generate the config file from the environment
+    node docker-entrypoint.js > config.js
+
+    # Start Hastebin
+    npm start
diff --git a/kubernetes/namespaces/default/hastebin/secrets.yaml b/kubernetes/namespaces/default/hastebin/secrets.yaml
new file mode 100644
index 0000000..9cec074
--- /dev/null
+++ b/kubernetes/namespaces/default/hastebin/secrets.yaml
diff --git a/kubernetes/namespaces/default/hastebin/service.yaml b/kubernetes/namespaces/default/hastebin/service.yaml
new file mode 100644
index 0000000..d34bf5c
--- /dev/null
+++ b/kubernetes/namespaces/default/hastebin/service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: hastebin
+spec:
+  selector:
+    app: hastebin
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: 7777