Diffstat (limited to 'kubernetes')
24 files changed, 67 insertions, 35 deletions
diff --git a/kubernetes/namespaces/cert-manager/cert-manager/certificates/pydis.wtf.yaml b/kubernetes/namespaces/cert-manager/cert-manager/certificates/pydis.wtf.yaml
index 318e71f..979395d 100644
--- a/kubernetes/namespaces/cert-manager/cert-manager/certificates/pydis.wtf.yaml
+++ b/kubernetes/namespaces/cert-manager/cert-manager/certificates/pydis.wtf.yaml
@@ -10,3 +10,9 @@ spec:
 issuerRef:
 name: letsencrypt
 kind: ClusterIssuer
+ secretTemplate:
+ annotations:
+ reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+ reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "monitoring,modmail,tooling,pixels"
+ reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+ reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "monitoring,modmail,tooling,pixels"
diff --git a/kubernetes/namespaces/cert-manager/cert-manager/certificates/pythondiscord.com.yaml b/kubernetes/namespaces/cert-manager/cert-manager/certificates/pythondiscord.com.yaml
index 94bd7dc..6d095de 100644
--- a/kubernetes/namespaces/cert-manager/cert-manager/certificates/pythondiscord.com.yaml
+++ b/kubernetes/namespaces/cert-manager/cert-manager/certificates/pythondiscord.com.yaml
@@ -10,3 +10,9 @@ spec:
 issuerRef:
 name: letsencrypt
 kind: ClusterIssuer
+ secretTemplate:
+ annotations:
+ reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+ reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "apis,forms,monitoring,pixels,prestashop,tooling,web"
+ reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+ reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "apis,forms,monitoring,pixels,prestashop,tooling,web"
diff --git a/kubernetes/namespaces/databases/blackbox/blackbox-configmap.yaml b/kubernetes/namespaces/databases/blackbox/blackbox-configmap.yaml
index 5220a57..fb7013e 100644
--- a/kubernetes/namespaces/databases/blackbox/blackbox-configmap.yaml
+++ b/kubernetes/namespaces/databases/blackbox/blackbox-configmap.yaml
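Review bot: The `secretTemplate` annotations in both certificate hunks (pydis.wtf.yaml and pythondiscord.com.yaml) carry the namespace list twice, once in `reflection-allowed-namespaces` and once in `reflection-auto-namespaces`, with nothing saying the two must stay identical or why each namespace is listed. The reflected Secret holds the wildcard certificate's private key, so every namespace named here gains a copy readable by anything allowed to read Secrets there; the list is an access-control decision and deserves a comment such as `# Mirrors the wildcard TLS key; keep both lists identical and limited to namespaces with an Ingress on this domain`. The pythondiscord.com list names seven namespaces while this commit moves several hosts off that domain, so it is worth checking whether all seven still need it; that cannot be confirmed from the hunks shown. Both `spec` blocks begin outside their hunks.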
@@ -15,6 +15,13 @@ data:
 password: {{ POSTGRES_PASSWORD }}
 host: postgres.databases.svc.cluster.local
 port: "5432"
+
+ lovelace_postgres:
+ username: {{ LOVELACE_BLACKBOX_POSTGRES_USER }}
+ password: {{ LOVELACE_BLACKBOX_POSTGRES_PASSWORD }}
+ host: lovelace.box.pydis.wtf
+ port: "5432"
+
 redis:
 main_redis:
 password: {{ REDIS_PASSWORD }}
diff --git a/kubernetes/namespaces/databases/blackbox/secrets.yaml b/kubernetes/namespaces/databases/blackbox/secrets.yaml
Binary files differindex 4255b48..78169fb 100644
--- a/kubernetes/namespaces/databases/blackbox/secrets.yaml
+++ b/kubernetes/namespaces/databases/blackbox/secrets.yaml
diff --git a/kubernetes/namespaces/kube-system/reflector/README.md b/kubernetes/namespaces/kube-system/reflector/README.md
new file mode 100644
index 0000000..aaeceb7
--- /dev/null
+++ b/kubernetes/namespaces/kube-system/reflector/README.md
@@ -0,0 +1,11 @@
+# Kubernetes reflector
+
+We use [kubernetes-reflector](github.com/emberstack/kubernetes-reflector) to mirror certificate resources into all namespaces that need access to the wildcard certificates used for the cluster.
+
+It is deployed using Helm with no additional configuration using the following steps:
+
+``` sh
+$ helm repo add emberstack https://emberstack.github.io/helm-charts
+$ helm repo update
+$ helm upgrade -n kube-system --install reflector emberstack/reflector
+```
diff --git a/kubernetes/namespaces/modmail/configmap.yaml b/kubernetes/namespaces/modmail/configmap.yaml
index 9117464..5d5d850 100644
--- a/kubernetes/namespaces/modmail/configmap.yaml
+++ b/kubernetes/namespaces/modmail/configmap.yaml
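Review bot: The new `lovelace_postgres` entry renders `{{ LOVELACE_BLACKBOX_POSTGRES_PASSWORD }}` unquoted into a ConfigMap, so a password containing ` #`, `: ` or a leading YAML indicator is truncated or breaks parsing, and the rendered credential is readable by anyone who can read ConfigMaps in that namespace (presumably `databases`, going by the file path). The existing `postgres` entry above follows the same pattern, so this may be deliberate, but quoting is cheap: `password: "{{ LOVELACE_BLACKBOX_POSTGRES_PASSWORD }}"`, and likewise for `username`. Unlike the in-cluster `postgres.databases.svc.cluster.local` target, `lovelace.box.pydis.wtf` looks like a host outside the cluster, so a comment stating whether the connection is expected to use TLS would help; nothing in the hunk shows how the connection is built. The `data:` block starts outside the hunk.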
@@ -8,6 +8,6 @@ data:
 DATA_COLLECTION: 'false' # Disable bot metadata collection by modmail devs
 DISABLE_AUTOUPDATES: 'yes'
 GUILD_ID: '267624335836053506'
- LOG_URL: https://modmail.pythondiscord.com/
+ LOG_URL: https://modmail.pydis.wtf/
 OWNERS: 165023948638126080,95872159741644800,336843820513755157
 REGISTRY_PLUGINS_ONLY: 'false' # Allow the usage of plugins outside of the official registry
diff --git a/kubernetes/namespaces/modmail/web/ingress.yaml b/kubernetes/namespaces/modmail/web/ingress.yaml
index b610b09..f54c022 100644
--- a/kubernetes/namespaces/modmail/web/ingress.yaml
+++ b/kubernetes/namespaces/modmail/web/ingress.yaml
@@ -10,10 +10,10 @@ metadata:
 spec:
 tls:
 - hosts:
- "*.pythondiscord.com"
- secretName: pythondiscord.com-tls
+ - "*.pydis.wtf"
+ secretName: pydis.wtf-tls
 rules:
- - host: modmail.pythondiscord.com
+ - host: modmail.pydis.wtf
 http:
 paths:
 - path: /
diff --git a/kubernetes/namespaces/monitoring/alerts/alertmanager/deployment.yaml b/kubernetes/namespaces/monitoring/alerts/alertmanager/deployment.yaml
index 4f1c322..dfdc155 100644
--- a/kubernetes/namespaces/monitoring/alerts/alertmanager/deployment.yaml
+++ b/kubernetes/namespaces/monitoring/alerts/alertmanager/deployment.yaml
@@ -52,7 +52,7 @@ spec:
 - |
 exec /bin/alertmanager \
 --config.file=/opt/pydis/alertmanager/config.d/alertmanager.yaml \
- --web.external-url=https://alertmanager.pythondiscord.com \
+ --web.external-url=https://alertmanager.pydis.wtf \
 --storage.path=/data/alertmanager \
 $(cat /tmp/peers)
 ports:
diff --git a/kubernetes/namespaces/monitoring/alerts/alertmanager/ingress.yaml b/kubernetes/namespaces/monitoring/alerts/alertmanager/ingress.yaml
index 0f2de08..31c93d7 100644
--- a/kubernetes/namespaces/monitoring/alerts/alertmanager/ingress.yaml
+++ b/kubernetes/namespaces/monitoring/alerts/alertmanager/ingress.yaml
@@ -7,7 +7,7 @@ metadata:
 nginx.ingress.kubernetes.io/auth-tls-error-page: "https://www.youtube.com/watch?v=dQw4w9WgXcQ"
 nginx.ingress.kubernetes.io/affinity: "cookie"
 nginx.ingress.kubernetes.io/session-cookie-name: "AlertManager_LB"
- nginx.ingress.kubernetes.io/session-cookie-domain: "alertmanager.pythondiscord.com"
+ nginx.ingress.kubernetes.io/session-cookie-domain: "alertmanager.pydis.wtf"
 nginx.ingress.kubernetes.io/session-cookie-samesite: "Strict"
 nginx.ingress.kubernetes.io/session-cookie-expires: "3600"
 name: alertmanager
@@ -15,9 +15,10 @@ metadata:
 spec:
 tls:
 - hosts:
- "*.pythondiscord.com"
+ - "*.pydis.wtf"
+ secretName: pydis.wtf-tls
 rules:
- - host: alertmanager.pythondiscord.com
+ - host: alertmanager.pydis.wtf
 http:
 paths:
 - path: /
diff --git a/kubernetes/namespaces/monitoring/grafana/configmap.yaml b/kubernetes/namespaces/monitoring/grafana/configmap.yaml
index 931e2da..5424038 100644
--- a/kubernetes/namespaces/monitoring/grafana/configmap.yaml
+++ b/kubernetes/namespaces/monitoring/grafana/configmap.yaml
@@ -6,8 +6,8 @@ metadata:
 data:
 # Root settings
 GF_INSTANCE_NAME: "pythondiscord"
- GF_SERVER_DOMAIN: "grafana.pythondiscord.com"
- GF_SERVER_ROOT_URL: "https://grafana.pythondiscord.com"
+ GF_SERVER_DOMAIN: "grafana.pydis.wtf"
+ GF_SERVER_ROOT_URL: "https://grafana.pydis.wtf"
 GF_SECURITY_COOKIE_SECURE: "true"
 # GitHub Auth
diff --git a/kubernetes/namespaces/monitoring/grafana/ingress.yaml b/kubernetes/namespaces/monitoring/grafana/ingress.yaml
index 4331333..60336e7 100644
--- a/kubernetes/namespaces/monitoring/grafana/ingress.yaml
+++ b/kubernetes/namespaces/monitoring/grafana/ingress.yaml
@@ -10,10 +10,10 @@ metadata:
 spec:
 tls:
 - hosts:
- "*.pythondiscord.com"
- secretName: pythondiscord.com-tls
+ - "*.pydis.wtf"
+ secretName: pydis.wtf-tls
 rules:
- - host: grafana.pythondiscord.com
+ - host: grafana.pydis.wtf
 http:
 paths:
 - path: /
diff --git a/kubernetes/namespaces/monitoring/prometheus/deployment.yaml b/kubernetes/namespaces/monitoring/prometheus/deployment.yaml
index 5a806ff..2dd1e2d 100644
--- a/kubernetes/namespaces/monitoring/prometheus/deployment.yaml
+++ b/kubernetes/namespaces/monitoring/prometheus/deployment.yaml
@@ -21,7 +21,7 @@ spec:
 args: [
 "--storage.tsdb.path", "/opt/prometheus/data",
 "--config.file", "/etc/prometheus/prometheus.yaml",
- "--web.external-url", "https://prometheus.pythondiscord.com",
+ "--web.external-url", "https://prometheus.pydis.wtf",
 "--web.enable-lifecycle",
 "--web.enable-admin-api",
 "--web.page-title", "Python Discord Prometheus",
diff --git a/kubernetes/namespaces/monitoring/prometheus/ingress.yaml b/kubernetes/namespaces/monitoring/prometheus/ingress.yaml
index 69e240a..ac5d6be 100644
--- a/kubernetes/namespaces/monitoring/prometheus/ingress.yaml
+++ b/kubernetes/namespaces/monitoring/prometheus/ingress.yaml
@@ -10,9 +10,10 @@ metadata:
 spec:
 tls:
 - hosts:
- "*.pythondiscord.com"
+ - "*.pydis.wtf"
+ secretName: pydis.wtf-tls
 rules:
- - host: prometheus.pythondiscord.com
+ - host: prometheus.pydis.wtf
 http:
 paths:
 - path: /
diff --git a/kubernetes/namespaces/pixels/pixels-modsite/README.md b/kubernetes/namespaces/pixels/pixels-modsite/README.md
index ee95650..3526004 100644
--- a/kubernetes/namespaces/pixels/pixels-modsite/README.md
+++ b/kubernetes/namespaces/pixels/pixels-modsite/README.md
@@ -1,6 +1,6 @@
 # Pixels
-The deployment for the [Pixels modsite project](https://git.pydis.com/pixels-modsite), hosted at https://pixels-modsite.pythondiscord.com.
+The deployment for the [Pixels modsite project](https://git.pydis.com/pixels-modsite), hosted at https://pixels-mod.pydis.wtf.
 This mod site will give Discord mods easy access to moderation actions for the pixels event.
diff --git a/kubernetes/namespaces/pixels/pixels-modsite/ingress.yaml b/kubernetes/namespaces/pixels/pixels-modsite/ingress.yaml
index 7992344..d4f3649 100644
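Review bot: In the prometheus `deployment.yaml` hunk, `--web.external-url` now points at `https://prometheus.pydis.wtf` while the unchanged `--web.enable-admin-api` and `--web.enable-lifecycle` flags just below it stay on, so whatever protects the Ingress is the only control in front of endpoints that can delete series or reload and shut down the server. The prometheus `ingress.yaml` hunk in this commit shows only the `spec` section; its `metadata.annotations` lie outside the hunk, so confirm the authentication annotations there still cover the new host and TLS secret. A comment beside the flags would record the dependency, e.g. `# admin + lifecycle APIs are enabled: the Ingress must enforce client authentication`. The `args` list continues past the end of the hunk.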
--- a/kubernetes/namespaces/pixels/pixels-modsite/ingress.yaml
+++ b/kubernetes/namespaces/pixels/pixels-modsite/ingress.yaml
@@ -10,10 +10,10 @@ metadata:
 spec:
 tls:
 - hosts:
- "*.pythondiscord.com"
- secretName: pythondiscord.com-tls
+ - "*.pydis.wtf"
+ secretName: pydis.wtf-tls
 rules:
- - host: pixels-modsite.pythondiscord.com
+ - host: pixels-mod.pydis.wtf
 http:
 paths:
 - path: /
diff --git a/kubernetes/namespaces/tooling/bitwarden/README.md b/kubernetes/namespaces/tooling/bitwarden/README.md
index 37f01eb..68b1176 100644
--- a/kubernetes/namespaces/tooling/bitwarden/README.md
+++ b/kubernetes/namespaces/tooling/bitwarden/README.md
@@ -1,6 +1,6 @@
 # BitWarden
-Our internal password manager, used by the admins to share passwords for our services. Hosted at https://bitwarden.pythondiscord.com
+Our internal password manager, used by the admins to share passwords for our services. Hosted at https://bitwarden.pydis.wtf
 To deploy this, first set up the secrets (see below) and then run `kubectl apply -f .` in this folder.
diff --git a/kubernetes/namespaces/tooling/bitwarden/configmap.yaml b/kubernetes/namespaces/tooling/bitwarden/configmap.yaml
index 29b9a84..3b8c62d 100644
--- a/kubernetes/namespaces/tooling/bitwarden/configmap.yaml
+++ b/kubernetes/namespaces/tooling/bitwarden/configmap.yaml
@@ -5,7 +5,7 @@ metadata:
 namespace: tooling
 data:
 # Domain to access bitwarden by
- DOMAIN: "https://bitwarden.pythondiscord.com"
+ DOMAIN: "https://bitwarden.pydis.wtf"
 # Password hint must be sent to an email when this is false.
 # When it's true, it'll be shown right on the page.
diff --git a/kubernetes/namespaces/tooling/bitwarden/ingress.yaml b/kubernetes/namespaces/tooling/bitwarden/ingress.yaml
index e7eab59..a1f7d16 100644
--- a/kubernetes/namespaces/tooling/bitwarden/ingress.yaml
+++ b/kubernetes/namespaces/tooling/bitwarden/ingress.yaml
@@ -10,10 +10,10 @@ metadata:
 spec:
 tls:
 - hosts:
- "*.pythondiscord.com"
- secretName: pythondiscord.com-tls
+ - "*.pydis.wtf"
+ secretName: pydis.wtf-tls
 rules:
- - host: bitwarden.pythondiscord.com
+ - host: bitwarden.pydis.wtf
 http:
 paths:
 - path: /
diff --git a/kubernetes/namespaces/tooling/metabase/ingress.yaml b/kubernetes/namespaces/tooling/metabase/ingress.yaml
index b29bdd8..c2c5436 100644
--- a/kubernetes/namespaces/tooling/metabase/ingress.yaml
+++ b/kubernetes/namespaces/tooling/metabase/ingress.yaml
@@ -10,10 +10,10 @@ metadata:
 spec:
 tls:
 - hosts:
- "*.pythondiscord.com"
- secretName: pythondiscord.com-tls
+ - "*.pydis.wtf"
+ secretName: pydis.wtf-tls
 rules:
- - host: metabase.pythondiscord.com
+ - host: metabase.pydis.wtf
 http:
 paths:
 - path: /
diff --git a/kubernetes/namespaces/tooling/policy-bot/README.md b/kubernetes/namespaces/tooling/policy-bot/README.md
index ed44a63..392d50f 100644
--- a/kubernetes/namespaces/tooling/policy-bot/README.md
+++ b/kubernetes/namespaces/tooling/policy-bot/README.md
@@ -5,7 +5,7 @@ Actual review policy is stored inside our GitHub repositories in the `.github/re
 ## GitHub Configuration
-Follow the instructions in the [repository](https://github.com/palantir/policy-bot#deployment) to provision a GitHub application. Our manifests are configured to run the policy bot at https://policy-bot.pythondiscord.com/.
+Follow the instructions in the [repository](https://github.com/palantir/policy-bot#deployment) to provision a GitHub application. Our manifests are configured to run the policy bot at https://policy-bot.pydis.wtf/.
 ## Secrets
@@ -21,4 +21,4 @@ This app requires a `policy-bot-defaults` secret with the following entries:
 Run `kubectl apply -f .` inside this directory to apply the the configuration.
-Access the running application over [policy-bot.pythondiscord.com]([https://policy-bot.pythondiscord.com/])!
+Access the running application over [policy-bot.pydis.wtf]([https://policy-bot.pydis.wtf/])!
diff --git a/kubernetes/namespaces/tooling/policy-bot/configmap.yaml b/kubernetes/namespaces/tooling/policy-bot/configmap.yaml
index c3e3660..ec56f26 100644
--- a/kubernetes/namespaces/tooling/policy-bot/configmap.yaml
+++ b/kubernetes/namespaces/tooling/policy-bot/configmap.yaml
@@ -11,7 +11,7 @@ data:
 address: "0.0.0.0"
 port: 8080
 # The public URL, used for URL generation when the server is behind a proxy
- public_url: https://policy-bot.pythondiscord.com/
+ public_url: https://policy-bot.pydis.wtf/
 # Options for logging output
 logging:
diff --git a/kubernetes/namespaces/tooling/policy-bot/ingress.yaml b/kubernetes/namespaces/tooling/policy-bot/ingress.yaml
index 79c2f74..cd7d529 100644
--- a/kubernetes/namespaces/tooling/policy-bot/ingress.yaml
+++ b/kubernetes/namespaces/tooling/policy-bot/ingress.yaml
@@ -10,10 +10,10 @@ metadata:
 spec:
 tls:
 - hosts:
- "*.pythondiscord.com"
- secretName: pythondiscord.com-tls
+ - "*.pydis.wtf"
+ secretName: pydis.wtf-tls
 rules:
- - host: policy-bot.pythondiscord.com
+ - host: policy-bot.pydis.wtf
 http:
 paths:
 - path: /
diff --git a/kubernetes/namespaces/web/pinnwand/deployment.yaml b/kubernetes/namespaces/web/pinnwand/deployment.yaml
index 90bc7e9..61d65ae 100644
--- a/kubernetes/namespaces/web/pinnwand/deployment.yaml
+++ b/kubernetes/namespaces/web/pinnwand/deployment.yaml
@@ -22,7 +22,7 @@ spec:
 mountPath: /tmp/
 containers:
 - name: pinnwand
- image: ghcr.io/supakeen/pinnwand:v1.5.0-psql
+ image: ghcr.io/python-discord/pinnwand:latest-psql
 command: ["venv/bin/python3", "-m", "pinnwand", "-vvvvvvvv", "--configuration-path", "/config/config.toml", "http"]
 imagePullPolicy: Always
 resources:
diff --git a/kubernetes/namespaces/web/pinnwand/secrets.yaml b/kubernetes/namespaces/web/pinnwand/secrets.yaml
Binary files differindex a8f4811..ee7bec2 100644
--- a/kubernetes/namespaces/web/pinnwand/secrets.yaml
+++ b/kubernetes/namespaces/web/pinnwand/secrets.yaml |
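Review bot: In the pinnwand `deployment.yaml` hunk the image moves from the fixed tag `v1.5.0-psql` to the mutable tag `latest-psql`, and with `imagePullPolicy: Always` two lines below, any pod restart can pull different code without a change in this repository. That makes rollbacks and incident timelines hard to reconstruct, and a mistaken or unauthorised push to the registry reaches the cluster on the next restart. Pin to a release tag or, better, a digest, e.g. `image: ghcr.io/python-discord/pinnwand@sha256:<digest-of-reviewed-build>`, and bump it through a commit. The container spec continues outside the hunk.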