diff --git a/hieradata/common.yaml b/hieradata/common.yaml index 125e76ed9..6a1eeafe0 100644 --- a/hieradata/common.yaml +++ b/hieradata/common.yaml @@ -111,5 +111,5 @@ kube_dev::controller_nodes: - hozer-74 # Prometheus config -prometheus::node_exporter::version: 1.3.1 +prometheus::node_exporter::version: 1.4.0 prometheus::node_exporter::extra_options: '--collector.textfile.directory /srv/prometheus' diff --git a/hieradata/dummy_secrets.yaml b/hieradata/dummy_secrets.yaml index 65aa0c278..9b6efca5a 100644 --- a/hieradata/dummy_secrets.yaml +++ b/hieradata/dummy_secrets.yaml @@ -58,8 +58,12 @@ kubernetes::keepalived::secret: dummysecret prometheus::docker_metrics_password: dummypassword mirrors::archlinuxcn_sync_password: dummypassword +mirrors::blender_sync_password: dummypassword mirrors::finnix_sync_password: dummypassword +mirrors::gimp_sync_password: dummypassword mirrors::gnome_sync_password: dummypassword +mirrors::mx_linux_sync_password: dummypassword +mirrors::mx_packages_sync_password: dummypassword xmpp::root_password: dummypassword xmpp::prosody_mysql_password: dummypassword diff --git a/hieradata/nodes/arsenic.yaml b/hieradata/nodes/arsenic.yaml new file mode 100644 index 000000000..d63e45eca --- /dev/null +++ b/hieradata/nodes/arsenic.yaml @@ -0,0 +1 @@ +ocf_desktop::xsession::scale: 1.5 diff --git a/hieradata/nodes/bigbang.yaml b/hieradata/nodes/bigbang.yaml new file mode 100644 index 000000000..d63e45eca --- /dev/null +++ b/hieradata/nodes/bigbang.yaml @@ -0,0 +1 @@ +ocf_desktop::xsession::scale: 1.5 diff --git a/hieradata/nodes/blizzard.yaml b/hieradata/nodes/blizzard.yaml index 488227e65..1c5f8418c 100644 --- a/hieradata/nodes/blizzard.yaml +++ b/hieradata/nodes/blizzard.yaml @@ -1 +1,2 @@ opstaff: true +ocf_desktop::xsession::scale: 1.5 diff --git a/hieradata/nodes/chaos.yaml b/hieradata/nodes/chaos.yaml new file mode 100644 index 000000000..d63e45eca --- /dev/null +++ b/hieradata/nodes/chaos.yaml @@ -0,0 +1 @@ +ocf_desktop::xsession::scale: 1.5 
diff --git a/hieradata/nodes/dataloss.yaml b/hieradata/nodes/dataloss.yaml index 50514f6ce..7c122187c 100644 --- a/hieradata/nodes/dataloss.yaml +++ b/hieradata/nodes/dataloss.yaml @@ -5,7 +5,6 @@ ocf::packages::ntp::master: true ocf::packages::ntp::peers: - hal.ocf.berkeley.edu - pandemic.ocf.berkeley.edu - - jaws.ocf.berkeley.edu - riptide.ocf.berkeley.edu ocf_filehost::storage_device: '/dev/md/nfs' diff --git a/hieradata/nodes/famine.yaml b/hieradata/nodes/famine.yaml new file mode 100644 index 000000000..d63e45eca --- /dev/null +++ b/hieradata/nodes/famine.yaml @@ -0,0 +1 @@ +ocf_desktop::xsession::scale: 1.5 diff --git a/hieradata/nodes/hal.yaml b/hieradata/nodes/hal.yaml index 6a1e70715..7e0665ce4 100644 --- a/hieradata/nodes/hal.yaml +++ b/hieradata/nodes/hal.yaml @@ -7,7 +7,6 @@ ocf::networking::bond: true ocf::packages::ntp::master: true ocf::packages::ntp::peers: - - jaws.ocf.berkeley.edu - pandemic.ocf.berkeley.edu - riptide.ocf.berkeley.edu - dataloss.ocf.berkeley.edu diff --git a/hieradata/nodes/jaws.yaml b/hieradata/nodes/jaws.yaml deleted file mode 100644 index 4da081f6d..000000000 --- a/hieradata/nodes/jaws.yaml +++ /dev/null @@ -1,12 +0,0 @@ -classes: - - ocf_kvm - - ocf_kube::controller - -ocf::networking::bridge: true -ocf::networking::bond: true - -ocf::packages::ntp::master: true -ocf::packages::ntp::peers: - - hal.ocf.berkeley.edu - - pandemic.ocf.berkeley.edu - - riptide.ocf.berkeley.edu diff --git a/hieradata/nodes/meteorstorm.yaml b/hieradata/nodes/meteorstorm.yaml new file mode 100644 index 000000000..d63e45eca --- /dev/null +++ b/hieradata/nodes/meteorstorm.yaml @@ -0,0 +1 @@ +ocf_desktop::xsession::scale: 1.5 diff --git a/hieradata/nodes/pandemic.yaml b/hieradata/nodes/pandemic.yaml index b07ee969d..a033df96b 100644 --- a/hieradata/nodes/pandemic.yaml +++ b/hieradata/nodes/pandemic.yaml 
@@ -8,6 +8,5 @@ ocf::networking::bond: true ocf::packages::ntp::master: true ocf::packages::ntp::peers: - hal.ocf.berkeley.edu - - jaws.ocf.berkeley.edu - riptide.ocf.berkeley.edu - dataloss.ocf.berkeley.edu diff --git a/hieradata/nodes/riptide.yaml b/hieradata/nodes/riptide.yaml index 3f9a8853c..e2260d21e 100644 --- a/hieradata/nodes/riptide.yaml +++ b/hieradata/nodes/riptide.yaml @@ -9,5 +9,4 @@ ocf::packages::ntp::master: true ocf::packages::ntp::peers: - hal.ocf.berkeley.edu - pandemic.ocf.berkeley.edu - - jaws.ocf.berkeley.edu - dataloss.ocf.berkeley.edu diff --git a/hieradata/nodes/surge.yaml b/hieradata/nodes/surge.yaml new file mode 100644 index 000000000..d63e45eca --- /dev/null +++ b/hieradata/nodes/surge.yaml @@ -0,0 +1 @@ +ocf_desktop::xsession::scale: 1.5 diff --git a/hieradata/nodes/wildfire.yaml b/hieradata/nodes/wildfire.yaml new file mode 100644 index 000000000..d63e45eca --- /dev/null +++ b/hieradata/nodes/wildfire.yaml @@ -0,0 +1 @@ +ocf_desktop::xsession::scale: 1.5 diff --git a/modules/ocf/files/munin/munin-node.conf b/modules/ocf/files/munin/munin-node.conf deleted file mode 100644 index f42d214cb..000000000 --- a/modules/ocf/files/munin/munin-node.conf +++ /dev/null 
@@ -1,58 +0,0 @@ -# -# Example config-file for munin-node -# - -log_level 4 -log_file /var/log/munin/munin-node.log -pid_file /var/run/munin/munin-node.pid - -background 1 -setsid 1 - -user root -group root - - -# Regexps for files to ignore -ignore_file [\#~]$ -ignore_file DEADJOE$ -ignore_file \.bak$ -ignore_file %$ -ignore_file \.dpkg-(tmp|new|old|dist)$ -ignore_file \.rpm(save|new)$ -ignore_file \.pod$ - -# Set this if the client doesn't report the correct hostname when -# telnetting to localhost, port 4949 -# -#host_name localhost.localdomain - -# A list of addresses that are allowed to connect. This must be a -# regular expression, since Net::Server does not understand CIDR-style -# network notation unless the perl module Net::CIDR is installed. You -# may repeat the allow line as many times as you'd like - -allow ^169\.229\.226\.33$ -allow ^2607:f140:8801::1:33$ -allow ^169\.229\.226\.24$ -allow ^2607:f140:8801::1:24$ -allow ^127\.0\.0\.1$ -allow ^::1$ - -# If you have installed the Net::CIDR perl module, you can use one or more -# cidr_allow and cidr_deny address/mask patterns. A connecting client must -# match any cidr_allow, and not match any cidr_deny. Note that a netmask -# *must* be provided, even if it's /32 -# -# Example: -# -# cidr_allow 127.0.0.1/32 -# cidr_allow 192.0.2.0/24 -# cidr_deny 192.0.2.42/32 - -# Which address to bind to; -host * -# host 127.0.0.1 - -# And which port -port 4949 diff --git a/modules/ocf/manifests/init.pp b/modules/ocf/manifests/init.pp index 1a2523697..2856065df 100644 --- a/modules/ocf/manifests/init.pp +++ b/modules/ocf/manifests/init.pp @@ -13,7 +13,6 @@ include ocf::locale include ocf::logging include ocf::motd - include ocf::munin::node include ocf::networking include ocf::node_exporter include ocf::packages diff --git a/modules/ocf/manifests/munin/node.pp b/modules/ocf/manifests/munin/node.pp deleted file mode 100644 index aa188c19f..000000000 --- a/modules/ocf/manifests/munin/node.pp +++ /dev/null 
@@ -1,25 +0,0 @@ -# munin node config -class ocf::munin::node { - package { - ['munin-node', 'munin-plugins-core', 'munin-plugins-extra', - 'munin-libvirt-plugins']:; - } - - service { 'munin-node': - require => Package['munin-node']; - } - - file { '/etc/munin/munin-node.conf': - source => 'puppet:///modules/ocf/munin/munin-node.conf', - mode => '0644', - notify => Service['munin-node'], - require => Package['munin-node']; - } - - file { '/etc/munin/plugin-conf.d/ocf-plugin-conf': - content => template('ocf/munin/ocf-plugin-conf.erb'), - mode => '0644', - notify => Service['munin-node'], - require => Package['munin-node']; - } -} diff --git a/modules/ocf/manifests/munin/plugin.pp b/modules/ocf/manifests/munin/plugin.pp deleted file mode 100644 index be46d6d40..000000000 --- a/modules/ocf/manifests/munin/plugin.pp +++ /dev/null @@ -1,38 +0,0 @@ -# Munin plugin resource -# -# Can be used to produce custom graphs in Munin. The config should be applied -# at the *node* level, not on the master. -# -# Example usage: -# ocf::munin::plugin { 'csgo': -# source => 'puppet:///modules/ocf_srcds/munin'; -# } -# -# See for instructions on writing new plugins: -# http://munin-monitoring.org/wiki/HowToWritePlugins -define ocf::munin::plugin($source, $user = undef) { - $file_defaults = { - notify => Service['munin-node'], - require => Package['munin-node'], - } - - file { - "/etc/munin/plugins/${title}": - source => $source, - mode => '0755', - * => $file_defaults; - } - - if $user != undef { - file { "/etc/munin/plugin-conf.d/plugin-${title}": - ensure => present, - content => "[${title}]\nuser ${user}\n", - * => $file_defaults; - } - } else { - file { "/etc/munin/plugin-conf.d/plugin-${title}": - ensure => absent, - * => $file_defaults; - } - } -} diff --git a/modules/ocf/templates/firefox/prefs.js.erb b/modules/ocf/templates/firefox/prefs.js.erb index 6d04a6c74..310f89aab 100644 --- a/modules/ocf/templates/firefox/prefs.js.erb +++ b/modules/ocf/templates/firefox/prefs.js.erb 
@@ -3,8 +3,12 @@ pref("intl.locale.requested", ""); pref("browser.startup.homepage", "<%= @browser_homepage %>", locked); pref("browser.cache.disk.capacity", 0); pref("browser.download.useDownloadDir", false); +pref("browser.newtabpage.activity-stream.discoverystream.enabled", false); pref("browser.newtabpage.activity-stream.feeds.section.topstories", false); +pref("browser.newtabpage.activity-stream.feeds.topsites", false); pref("browser.newtabpage.activity-stream.showSponsored", false); +pref("browser.newtabpage.activity-stream.showSponsoredTopSite", false); +pref("browser.newtabpage.activity-stream.telemetry", false); pref("browser.privatebrowsing.autostart", true); pref("browser.search.geoSpecificDefaults", false); pref("browser.shell.checkDefaultBrowser", false); diff --git a/modules/ocf/templates/ssl/dehydrated-hook-ddns-tsig.conf.erb b/modules/ocf/templates/ssl/dehydrated-hook-ddns-tsig.conf.erb index 93b27580e..7294c95a0 100644 --- a/modules/ocf/templates/ssl/dehydrated-hook-ddns-tsig.conf.erb +++ b/modules/ocf/templates/ssl/dehydrated-hook-ddns-tsig.conf.erb @@ -5,5 +5,5 @@ verbosity = 1 # not seem to be actually documented anywhere key_name = letsencrypt.ocf.io key_secret = "<%= @letsencrypt_ddns_key -%>" -key_algorithm = hmac-md5 +key_algorithm = hmac-sha512 dns_rewrite = s/^_acme-challenge\.(.*)(ocf\.berkeley\.edu|ocf\.io)$/\1letsencrypt.ocf.io/ diff --git a/modules/ocf_apt/manifests/init.pp b/modules/ocf_apt/manifests/init.pp index 6aa058a11..a47ab833f 100644 --- a/modules/ocf_apt/manifests/init.pp +++ b/modules/ocf_apt/manifests/init.pp @@ -10,8 +10,6 @@ package { [ - 'nginx-full', - 'libnginx-mod-http-fancyindex', 'reprepro', ]:; } 
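Review bot: The five activity-stream prefs added here are set with plain `pref()`, so a user can re-enable sponsored top sites and new-tab telemetry from about:config, whereas `browser.startup.homepage` in the same hunk is forced with the trailing `locked` argument. If these are meant as lab-wide policy rather than defaults, append `, locked` to the new lines, e.g. `pref("browser.newtabpage.activity-stream.telemetry", false, locked);`. The adjacent pre-existing prefs are unlocked too, so either way a one-line comment stating which prefs are policy and which are overridable defaults would help the next editor.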
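Review bot: Switching `key_algorithm` to hmac-sha512 only works if the TSIG key definition for letsencrypt.ocf.io on the DNS server side was changed to the same algorithm, and the `key_secret` value interpolated from `@letsencrypt_ddns_key` on the line above must be the matching secret; a key generated for the old algorithm should be regenerated rather than reused under the new one. A comment pinning this coupling would save the next reader a failed renewal, e.g. `# must match the algorithm and secret of the key configured on the DNS server`. The rest of this hook config is outside the hunk.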
@@ -84,19 +82,13 @@ ipv6_enable => true, ipv6_listen_port => 80, format_log => 'main', - raw_append => @(END), - fancyindex on; - fancyindex_exact_size off; - END + autoindex => 'on', } nginx::resource::location { '= /': - ensure => present, - server => ['apt.ocf.berkeley.edu', 'apt'], - www_root => '/opt/apt/ftp', - ssl => true, - raw_append => @(END), - fancyindex_header README.html; - END + ensure => present, + server => ['apt.ocf.berkeley.edu', 'apt'], + www_root => '/opt/apt/ftp', + ssl => true, } nginx::resource::location { '~ /\.(?!well-known).*': ensure => present, diff --git a/modules/ocf_backups/files/rsnapshot.conf b/modules/ocf_backups/files/rsnapshot.conf index 23739a2c6..f37a6e42b 100644 --- a/modules/ocf_backups/files/rsnapshot.conf +++ b/modules/ocf_backups/files/rsnapshot.conf @@ -53,7 +53,6 @@ backup_script /opt/share/backups/backup-pgsql pgsql/ # remote servers backup ocfbackups@hal:/etc/libvirt/qemu/ servers/vm_xml/hal/ -backup ocfbackups@jaws:/etc/libvirt/qemu/ servers/vm_xml/jaws/ backup ocfbackups@pandemic:/etc/libvirt/qemu/ servers/vm_xml/pandemic/ backup ocfbackups@riptide:/etc/libvirt/qemu/ servers/vm_xml/riptide/ backup ocfbackups@scurvy:/etc/libvirt/qemu/ servers/vm_xml/scurvy/ @@ -69,8 +68,6 @@ backup ocfbackups@puppet:/opt/puppetlabs/ servers/puppet/ backup ocfbackups@puppetdb:/etc/puppetlabs/puppet/ssl/ servers/puppetdb/ -backup ocfbackups@munin:/var/lib/munin/ servers/munin/ - backup ocfbackups@apt:/opt/apt/ servers/apt/ backup ocfbackups@jenkins:/var/lib/jenkins/ servers/jenkins/ diff --git a/modules/ocf_csgo/files/bin/update-csgo b/modules/ocf_csgo/files/bin/update-csgo deleted file mode 100755 index 05088b15f..000000000 --- a/modules/ocf_csgo/files/bin/update-csgo +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -e -/opt/csgo/bin/steamcmd.sh +runscript /opt/csgo/etc/csgo-update.cmd diff --git a/modules/ocf_csgo/files/etc/csgo-update.cmd b/modules/ocf_csgo/files/etc/csgo-update.cmd deleted file mode 100644 index 6ce4c3a5b..000000000 
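Review bot: Replacing fancyindex with `autoindex => 'on'` changes two visible behaviours the commit does not mention: nginx's autoindex reports exact byte sizes by default where `fancyindex_exact_size off` gave human-readable sizes, and dropping `fancyindex_header README.html` means the README is no longer rendered above the listing served at `= /`. If the human-readable sizes are wanted, keep a `raw_append => 'autoindex_exact_size off;'` on the server resource. The enclosing nginx::resource::server declaration starts outside the hunk.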
--- a/modules/ocf_csgo/files/etc/csgo-update.cmd +++ /dev/null @@ -1,18 +0,0 @@ -// steamcmd command script to update the cs:go server -// -// run with: -// ./steamcmd.sh +runscript /opt/csgo/etc/csgo-update.cmd -// a full run takes about ~2 minutes (even if no updates exist) -// -// see https://developer.valvesoftware.com/wiki/SteamCMD#Automating_SteamCMD - -@ShutdownOnFailedCommand 1 -@NoPromptForPassword 1 - -login anonymous - -// install or update cs:go -force_install_dir /opt/csgo/srcds -app_update 740 validate - -quit diff --git a/modules/ocf_csgo/files/munin b/modules/ocf_csgo/files/munin deleted file mode 100755 index d65a84984..000000000 --- a/modules/ocf_csgo/files/munin +++ /dev/null @@ -1,37 +0,0 @@ -#!/usr/bin/env python3 -# Munin plugin for reporting the number of players currently on the OCF CS:GO -# server. -import socket -import sys - -SERVER = ('csgo', 27015) - - -def get_num_players(server): - """Returns the number of players on a Source Engine server, excluding - bots.""" - - sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) - sock.connect(SERVER) - - # https://developer.valvesoftware.com/wiki/Server_queries#A2S_INFO - req = b'\xff\xff\xff\xffTSource Engine Query\x00' - sock.send(req) - - response = sock.recv(4096) - response = response[4:] # cut off header - response = response.split(b'\0', 4)[4] # cut off 4 strings - - players, max_players, bots = map(int, response[2:5]) - return players - bots - - -if __name__ == '__main__': - if len(sys.argv) == 2 and sys.argv[1] == 'config': - print('graph_title CS:GO players') - print('graph_vlabel players') - print('graph_scale no') - print('players.label players') - sys.exit(0) - - print('players.value {}'.format(get_num_players(SERVER))) diff --git a/modules/ocf_csgo/manifests/init.pp b/modules/ocf_csgo/manifests/init.pp deleted file mode 100644 index 537bf2691..000000000 --- a/modules/ocf_csgo/manifests/init.pp +++ /dev/null 
@@ -1,47 +0,0 @@ -class ocf_csgo { - include ocf::apt::i386 - include ocf::firewall::allow_desktops - - user { 'ocfcsgo': - comment => 'Counter-Strike Server', - home => '/opt/csgo', - groups => ['sys'], - shell => '/bin/false'; - } - - file { - default: - owner => ocfcsgo, - group => ocfcsgo; - - ['/opt/csgo', '/opt/csgo/bin', '/opt/csgo/etc']: - ensure => directory, - mode => '0755'; - - '/opt/csgo/bin/update-csgo': - source => 'puppet:///modules/ocf_csgo/bin/update-csgo', - mode => '0755'; - - '/opt/csgo/etc/csgo-update.cmd': - source => 'puppet:///modules/ocf_csgo/etc/csgo-update.cmd'; - } - - exec { - 'download-steamcmd': - command => 'curl http://media.steampowered.com/installer/steamcmd_linux.tar.gz | tar xzf - -C /opt/csgo/bin', - user => ocfcsgo, - creates => '/opt/csgo/bin/steamcmd.sh', - notify => Exec['update-csgo'], - require => File['/opt/csgo/bin']; - - 'update-csgo': - command => '/opt/csgo/bin/update-csgo', - user => ocfcsgo, - refreshonly => true, - require => [File['/opt/csgo/bin/update-csgo']]; - } - - ocf::munin::plugin { 'csgo': - source => 'puppet:///modules/ocf_csgo/munin'; - } -} diff --git a/modules/ocf_desktop/manifests/packages.pp b/modules/ocf_desktop/manifests/packages.pp index 80b1394db..04bbb0018 100644 --- a/modules/ocf_desktop/manifests/packages.pp +++ b/modules/ocf_desktop/manifests/packages.pp 
@@ -20,13 +20,16 @@ 'gnome-calculator', 'gparted', 'hexchat', 'imagej', 'inkscape', 'lyx', 'musescore3', 'mpv', 'mssh', 'mumble', 'numlockx', 'simple-scan', 'ssh-askpass-gnome', 'texmaker', - 'texstudio', 'vlc', 'xarchiver', 'xcape', 'xournal', 'xterm']:; + 'texstudio', 'tigervnc-viewer', 'vlc', 'xarchiver', 'xcape', 'xournal', + 'xterm']:; # desktop ['desktop-base', 'anacron', 'accountsservice', 'arc-theme', 'desktop-file-utils', 'gnome-icon-theme', 'paper-icon-theme', 'redshift', 'xfce4-whiskermenu-plugin']:; # desktop helpers ['libimage-exiftool-perl']:; + # development: + ['openjdk-17-jdk']:; # display manager ['lightdm', 'lightdm-gtk-greeter', 'libpam-trimspaces']:; # games 
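Review bot: The new category comment `# development:` carries a trailing colon that none of the sibling labels (`# desktop`, `# desktop helpers`, `# display manager`) use; write `# development` for consistency. The enclosing package declaration starts and ends outside the hunk.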
@@ -46,63 +49,10 @@ ['wakeonlan']:; # Xorg ['xclip', 'xdotool', 'xsel', 'xserver-xorg', 'xscreensaver', 'freerdp2-x11']:; - } - - if $::lsbdistcodename == 'stretch' { - package { - [ - # preload hasn't been updated since 2009, and I'm not sure we really - # get anything out of it in terms of performance improvements at this - # point anyway. - 'preload', - - # Zenmap depends on Python 2 and is therefore no longer in bullseye - 'zenmap', - - # FUSE and exfat - 'fuse', - 'exfat-fuse', - - # Florence was removed from bullseye due to deprecated dependency - # We should find an alternative - # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947521 - 'florence', - ]:; - } - } - if $::lsbdistcodename == 'buster' { - package { - [ - # Zenmap depends on Python 2 and is therefore no longer in bullseye - 'zenmap', - - # FUSE and exfat - 'fuse', - 'exfat-fuse', - - # Florence was removed from bullseye due to deprecated dependency - # We should find an alternative - # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=947521 - 'florence', - ]:; - } - } - if $::lsbdistcodename == 'bullseye' { - package { - [ - # OpenJDK 17 (LTS) is in bullseye - 'openjdk-17-jdk', - - # Matchbox is what we use on our RPi - 'matchbox-keyboard', - - # x4vncviewer is no longer present - 'tigervnc-viewer', - - # sshfs depends on fuse3 on bullseye - 'fuse3', - ]:; - } + # Matchbox is what we use on our RPi + ['matchbox-keyboard']:; + # sshfs depends on fuse3 on bullseye + ['fuse3']:; } # Remove some packages diff --git a/modules/ocf_kubernetes/files/ingress_deploy.yaml b/modules/ocf_kubernetes/files/ingress_deploy.yaml new file mode 100644 index 000000000..31589db7a --- /dev/null +++ b/modules/ocf_kubernetes/files/ingress_deploy.yaml 
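Review bot: The comment `# sshfs depends on fuse3 on bullseye` was accurate inside the removed `if $::lsbdistcodename == 'bullseye'` guard, but the package is now installed unconditionally, so the qualifier reads as if the line were still release-specific; `# sshfs depends on fuse3 (bullseye and later)` matches what the code now does. With the stretch and buster blocks gone, `fuse`, `exfat-fuse`, `zenmap`, `florence` and `preload` are no longer installed on any release, which looks intentional but is worth a sentence in the commit message. The enclosing package declaration starts outside the hunk.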
@@ -0,0 +1,659 @@ + +apiVersion: v1 +kind: Namespace +metadata: + name: ingress-nginx + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + +--- +# Source: ingress-nginx/templates/controller-serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + helm.sh/chart: ingress-nginx-3.41.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.51.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx + namespace: ingress-nginx +automountServiceAccountToken: true +--- +# Source: ingress-nginx/templates/controller-configmap.yaml +apiVersion: v1 +kind: ConfigMap +metadata: + labels: + helm.sh/chart: ingress-nginx-3.41.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.51.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller + namespace: ingress-nginx +data: + allow-snippet-annotations: 'true' +--- +# Source: ingress-nginx/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + helm.sh/chart: ingress-nginx-3.41.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.51.0 + app.kubernetes.io/managed-by: Helm + name: ingress-nginx +rules: + - apiGroups: + - '' + resources: + - configmaps + - endpoints + - nodes + - pods + - secrets + verbs: + - list + - watch + - apiGroups: + - '' + resources: + - nodes + verbs: + - get + - apiGroups: + - '' + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - extensions + - networking.k8s.io # k8s 1.14+ + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - events + verbs: + - create + - patch + - apiGroups: + - extensions + - networking.k8s.io # k8s 1.14+ + 
resources: + - ingresses/status + verbs: + - update + - apiGroups: + - networking.k8s.io # k8s 1.14+ + resources: + - ingressclasses + verbs: + - get + - list + - watch +--- +# Source: ingress-nginx/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + helm.sh/chart: ingress-nginx-3.41.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.51.0 + app.kubernetes.io/managed-by: Helm + name: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx +subjects: + - kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +# Source: ingress-nginx/templates/controller-role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + labels: + helm.sh/chart: ingress-nginx-3.41.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.51.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx + namespace: ingress-nginx +rules: + - apiGroups: + - '' + resources: + - namespaces + verbs: + - get + - apiGroups: + - '' + resources: + - configmaps + - pods + - secrets + - endpoints + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - services + verbs: + - get + - list + - watch + - apiGroups: + - extensions + - networking.k8s.io # k8s 1.14+ + resources: + - ingresses + verbs: + - get + - list + - watch + - apiGroups: + - extensions + - networking.k8s.io # k8s 1.14+ + resources: + - ingresses/status + verbs: + - update + - apiGroups: + - networking.k8s.io # k8s 1.14+ + resources: + - ingressclasses + verbs: + - get + - list + - watch + - apiGroups: + - '' + resources: + - configmaps + resourceNames: + - ingress-controller-leader-nginx + verbs: + - get + - update + - apiGroups: + - '' + resources: + - configmaps + verbs: + - create + - apiGroups: + - 
'' + resources: + - events + verbs: + - create + - patch +--- +# Source: ingress-nginx/templates/controller-rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + helm.sh/chart: ingress-nginx-3.41.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.51.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx + namespace: ingress-nginx +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx +subjects: + - kind: ServiceAccount + name: ingress-nginx + namespace: ingress-nginx +--- +# Source: ingress-nginx/templates/controller-service-webhook.yaml +apiVersion: v1 +kind: Service +metadata: + labels: + helm.sh/chart: ingress-nginx-3.41.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.51.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller-admission + namespace: ingress-nginx +spec: + type: ClusterIP + ports: + - name: https-webhook + port: 443 + targetPort: webhook + selector: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/component: controller +--- +# Source: ingress-nginx/templates/controller-service.yaml +apiVersion: v1 +kind: Service +metadata: + annotations: + labels: + helm.sh/chart: ingress-nginx-3.41.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.51.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + type: NodePort + ports: + - name: http + port: 80 + protocol: TCP + targetPort: http + - name: https + port: 443 + protocol: TCP + targetPort: https + selector: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: 
ingress-nginx + app.kubernetes.io/component: controller +--- +# Source: ingress-nginx/templates/controller-deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + helm.sh/chart: ingress-nginx-3.41.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.51.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: controller + name: ingress-nginx-controller + namespace: ingress-nginx +spec: + selector: + matchLabels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/component: controller + revisionHistoryLimit: 10 + minReadySeconds: 0 + template: + metadata: + labels: + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/component: controller + spec: + dnsPolicy: ClusterFirst + containers: + - name: controller + image: k8s.gcr.io/ingress-nginx/controller:v0.50.0@sha256:f46fc2d161c97a9d950635acb86fb3f8d4adcfb03ee241ea89c6cde16aa3fdf8 + imagePullPolicy: IfNotPresent + lifecycle: + preStop: + exec: + command: + - /wait-shutdown + args: + - /nginx-ingress-controller + - --election-id=ingress-controller-leader + - --ingress-class=nginx + - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller + - --validating-webhook=:8443 + - --validating-webhook-certificate=/usr/local/certificates/cert + - --validating-webhook-key=/usr/local/certificates/key + securityContext: + capabilities: + drop: + - ALL + add: + - NET_BIND_SERVICE + runAsUser: 101 + allowPrivilegeEscalation: true + env: + - name: POD_NAME + valueFrom: + fieldRef: + fieldPath: metadata.name + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: LD_PRELOAD + value: /usr/local/lib/libmimalloc.so + livenessProbe: + failureThreshold: 5 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + 
readinessProbe: + failureThreshold: 3 + httpGet: + path: /healthz + port: 10254 + scheme: HTTP + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + ports: + - name: http + containerPort: 80 + protocol: TCP + - name: https + containerPort: 443 + protocol: TCP + - name: webhook + containerPort: 8443 + protocol: TCP + volumeMounts: + - name: webhook-cert + mountPath: /usr/local/certificates/ + readOnly: true + resources: + requests: + cpu: 100m + memory: 90Mi + priorityClassName: system-cluster-critical + nodeSelector: + kubernetes.io/os: linux + serviceAccountName: ingress-nginx + terminationGracePeriodSeconds: 300 + volumes: + - name: webhook-cert + secret: + secretName: ingress-nginx-admission +--- +# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml +# before changing this value, check the required kubernetes version +# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + labels: + helm.sh/chart: ingress-nginx-3.41.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.51.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook + name: ingress-nginx-admission +webhooks: + - name: validate.nginx.ingress.kubernetes.io + matchPolicy: Equivalent + rules: + - apiGroups: + - networking.k8s.io + apiVersions: + - v1beta1 + operations: + - CREATE + - UPDATE + resources: + - ingresses + failurePolicy: Fail + sideEffects: None + admissionReviewVersions: + - v1 + - v1beta1 + clientConfig: + service: + namespace: ingress-nginx + name: ingress-nginx-controller-admission + path: /networking/v1beta1/ingresses +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: ingress-nginx-admission + 
namespace: ingress-nginx + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-3.41.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.51.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: ingress-nginx-admission + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-3.41.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.51.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +rules: + - apiGroups: + - admissionregistration.k8s.io + resources: + - validatingwebhookconfigurations + verbs: + - get + - update +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: ingress-nginx-admission + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-3.41.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.51.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: ingress-nginx-admission +subjects: + - kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +# Source: 
ingress-nginx/templates/admission-webhooks/job-patch/role.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: ingress-nginx-admission + namespace: ingress-nginx + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-3.41.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.51.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +rules: + - apiGroups: + - '' + resources: + - secrets + verbs: + - get + - create +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: ingress-nginx-admission + namespace: ingress-nginx + annotations: + helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-3.41.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.51.0 + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/component: admission-webhook +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: ingress-nginx-admission +subjects: + - kind: ServiceAccount + name: ingress-nginx-admission + namespace: ingress-nginx +--- +# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml +apiVersion: batch/v1 +kind: Job +metadata: + name: ingress-nginx-admission-create + namespace: ingress-nginx + annotations: + helm.sh/hook: pre-install,pre-upgrade + helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded + labels: + helm.sh/chart: ingress-nginx-3.41.0 + app.kubernetes.io/name: ingress-nginx + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/version: 0.51.0 + app.kubernetes.io/managed-by: 
Helm
+ app.kubernetes.io/component: admission-webhook
+spec:
+ template:
+ metadata:
+ name: ingress-nginx-admission-create
+ labels:
+ helm.sh/chart: ingress-nginx-3.41.0
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 0.51.0
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+ spec:
+ containers:
+ - name: create
+ image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+ imagePullPolicy: IfNotPresent
+ args:
+ - create
+ - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
+ - --namespace=$(POD_NAMESPACE)
+ - --secret-name=ingress-nginx-admission
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ restartPolicy: OnFailure
+ serviceAccountName: ingress-nginx-admission
+ nodeSelector:
+ kubernetes.io/os: linux
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 2000
+---
+# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: ingress-nginx-admission-patch
+ namespace: ingress-nginx
+ annotations:
+ helm.sh/hook: post-install,post-upgrade
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+ labels:
+ helm.sh/chart: ingress-nginx-3.41.0
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 0.51.0
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+spec:
+ template:
+ metadata:
+ name: ingress-nginx-admission-patch
+ labels:
+ helm.sh/chart: ingress-nginx-3.41.0
+ app.kubernetes.io/name: ingress-nginx
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/version: 0.51.0
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/component: admission-webhook
+ spec:
+ containers:
+ - name: patch
+ image: docker.io/jettech/kube-webhook-certgen:v1.5.1
+ imagePullPolicy: IfNotPresent
+ args:
+ - 
patch
+ - --webhook-name=ingress-nginx-admission
+ - --namespace=$(POD_NAMESPACE)
+ - --patch-mutating=false
+ - --secret-name=ingress-nginx-admission
+ - --patch-failure-policy=Fail
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ restartPolicy: OnFailure
+ serviceAccountName: ingress-nginx-admission
+ nodeSelector:
+ kubernetes.io/os: linux
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 2000
diff --git a/modules/ocf_kubernetes/manifests/master/ingress/nginx.pp b/modules/ocf_kubernetes/manifests/master/ingress/nginx.pp
index 7b6581401..0491e7b9e 100644
--- a/modules/ocf_kubernetes/manifests/master/ingress/nginx.pp
+++ b/modules/ocf_kubernetes/manifests/master/ingress/nginx.pp
@@ -2,8 +2,6 @@
 $kubernetes_worker_nodes = lookup('kubernetes::worker_nodes')
 $kubernetes_workers_ipv4 = $kubernetes_worker_nodes.map |$worker| {
 ldap_attr($worker, 'ipHostNumber')
 }
- $nginx_version = lookup('kubernetes::nginx_version')
- $ingress_nginx_url = "https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v${nginx_version}/deploy/static/provider/baremetal/deploy.yaml"
 file { default:
@@ -16,11 +14,15 @@
 '/etc/ocf-kubernetes/manifests/ingress/ingress-expose.yaml':
 content => template('ocf_kubernetes/ingress/ingress_expose.yaml.erb'),
 mode => '0644';
+
+ '/etc/ocf-kubernetes/manifests/ingress/ingress-deploy.yaml':
+ content => 'puppet:///modules/ocf_kubernetes/ingress_deploy.yaml',
+ mode => '0644';
 }
 # Add ingress-nginx to the cluster
 ocf_kubernetes::apply { 'ingress-init':
- target => $ingress_nginx_url
+ target => '/etc/ocf-kubernetes/manifests/ingress/ingress-deploy.yaml',
 } ->
 # Set up a NodePort service so all kubernetes workers
diff --git a/modules/ocf_ldap/files/munin/slapd-open-files b/modules/ocf_ldap/files/munin/slapd-open-files
deleted file mode 100755
index 472a34478..000000000
--- a/modules/ocf_ldap/files/munin/slapd-open-files
+++ /dev/null
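Review bot: The new `ingress-deploy.yaml` file resource uses `content => 'puppet:///modules/ocf_kubernetes/ingress_deploy.yaml'`, which writes that literal URL string into the file instead of the module file's contents, so the `ocf_kubernetes::apply { 'ingress-init': ... }` target below it would hand kubectl a one-line string rather than the vendored manifest. A puppet:/// URL belongs in `source`, the attribute the `ocf::munin::plugin` resources removed elsewhere in this commit use: `source => 'puppet:///modules/ocf_kubernetes/ingress_deploy.yaml',`. Vendoring the manifest instead of fetching it from raw.githubusercontent.com at apply time pins what gets applied, which is the better supply-chain posture, but it also means the image tags inside it (e.g. `docker.io/jettech/kube-webhook-certgen:v1.5.1` in the admission jobs) now only move by a commit; a comment on the resource naming the chart version it was rendered from (`ingress-nginx-3.41.0` per the labels) would keep that traceable. The `file { default: ... }` block and the enclosing class start outside this hunk.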
@@ -1,18 +0,0 @@
-#!/bin/bash -eu
-# Munin plugin for reporting the number of open files by slapd.
-
-if [ $# -eq 1 ] && [ "$1" == "config" ]; then
- echo 'graph_title slapd open files'
- echo 'graph_vlabel open files'
- echo 'graph_scale no'
- echo 'open_files.label open_files'
- exit 0
-fi
-
-pid=$(pidof slapd)
-
-if [ "$pid" -gt 0 ]; then
- echo "open_files.value $(find "/proc/$pid/fd/" | wc -l)"
-else
- exit 1
-fi
diff --git a/modules/ocf_ldap/manifests/init.pp b/modules/ocf_ldap/manifests/init.pp
index 26d3c538a..eacf5c0ec 100644
--- a/modules/ocf_ldap/manifests/init.pp
+++ b/modules/ocf_ldap/manifests/init.pp
@@ -152,11 +152,6 @@
 special => 'daily',
 }
- ocf::munin::plugin { 'slapd-open-files':
- source => 'puppet:///modules/ocf_ldap/munin/slapd-open-files',
- user => root,
- }
-
 # firewall input rule, allow ldaps, port number 636
 ocf::firewall::firewall46 { '101 allow ldaps':
diff --git a/modules/ocf_mail/files/site_ocf/aliases b/modules/ocf_mail/files/site_ocf/aliases
index 18607d51a..658b26273 100644
--- a/modules/ocf_mail/files/site_ocf/aliases
+++ b/modules/ocf_mail/files/site_ocf/aliases
@@ -12,7 +12,6 @@
 ocfstats: root
 jenkins: root
 rancid: root
 rancid-ocf: root
-munin: root
 # archive of outgoing mail for nomail'd users
 nomail: /var/mail/nomail/nomail
diff --git a/modules/ocf_mail/manifests/logging.pp b/modules/ocf_mail/manifests/logging.pp
index 0eae64d63..03f596085 100644
--- a/modules/ocf_mail/manifests/logging.pp
+++ b/modules/ocf_mail/manifests/logging.pp
@@ -10,9 +10,4 @@
 ensure => file,
 source => 'puppet:///modules/ocf_mail/site_ocf/logrotate/nomail';
 }
-
- ocf::munin::plugin { 'mails-past-hour':
- source => 'puppet:///modules/ocf_mail/site_ocf/munin/mails-past-hour',
- user => root,
- }
 }
diff --git a/modules/ocf_mirrors/files/FOOTER.html b/modules/ocf_mirrors/files/FOOTER.html
index 97f5701dd..a781b550b 100644
--- a/modules/ocf_mirrors/files/FOOTER.html
+++ b/modules/ocf_mirrors/files/FOOTER.html
@@ -1 +1 @@
-
Hosted by the Open Computing Facility at UC Berkeley.