add privatebin

Author: soerenschneider

apps/privatebin/components/istio-proxy/kustomization.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1alpha1"
+kind: "Component"
+patches:
+  - target:
+      kind: "Namespace"
+    patch: |-
+      - op: add
+        path: "/metadata/labels/istio-injection"
+        value: "enabled"

apps/privatebin/components/istio/istio-virtualservice.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: privatebin
+spec:
+  hosts:
+    - privatebin.local
+  gateways:
+    - istio-system/gateway
+  http:
+    - match:
+        - uri:
+            prefix: /
+      route:
+        - destination:
+            host: privatebin
+            port:
+              number: 80

apps/privatebin/components/istio/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+resources:
+  - istio-virtualservice.yaml

apps/privatebin/conf.php

@@ -0,0 +1,48 @@
+;<?php http_response_code(403);
+; config file for PrivateBin
+;
+; An explanation of each setting can be find online at https://github.com/PrivateBin/PrivateBin/wiki/Configuration.
+
+[main]
+name = "bin"
+discussion = true
+opendiscussion = false
+password = true
+fileupload = true
+burnafterreadingselected = false
+defaultformatter = "plaintext"
+sizelimit = 10485760
+template = "bootstrap"
+languageselection = false
+
+[expire]
+default = "1week"
+
+[expire_options]
+5min = 300
+10min = 600
+1hour = 3600
+1day = 86400
+1week = 604800
+1month = 2592000
+1year = 31536000
+never = 0
+
+[formatter_options]
+plaintext = "Plain Text"
+syntaxhighlighting = "Source Code"
+markdown = "Markdown"
+
+[traffic]
+limit = 10
+
+[purge]
+limit = 300
+batchsize = 10
+
+[model]
+class = Filesystem
+[model_options]
+dir = PATH "data"
+
+[yourls]

apps/privatebin/deployment.yaml

@@ -0,0 +1,77 @@
+---
+apiVersion: "apps/v1"
+kind: "Deployment"
+metadata:
+  name: "privatebin"
+  labels:
+    app: "privatebin"
+  annotations:
+    reloader.stakater.com/auto: "true"
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: "privatebin"
+  template:
+    metadata:
+      labels:
+        app: "privatebin"
+        app.kubernetes.io/name: "privatebin"
+        app.kubernetes.io/component: "privatebin"
+        app.kubernetes.io/instance: "privatebin-prod"
+        app.kubernetes.io/part-of: "privatebin"
+    spec:
+      securityContext:
+        runAsUser: 23763
+        runAsGroup: 23763
+        fsGroup: 23763
+        seccompProfile:
+          type: "RuntimeDefault"
+      containers:
+        - name: "privatebin"
+          image: "docker.io/privatebin/nginx-fpm-alpine:1.7.4@sha256:4cc5f26f5b558b734cb084ada4fdacd75bd9f5e4574f3f3df54165b3623d6b86"
+          imagePullPolicy: "IfNotPresent"
+          resources:
+            requests:
+              memory: "128Mi"
+              cpu: "5m"
+            limits:
+              memory: "256Mi"
+          ports:
+            - containerPort: 8080
+              name: "privatebin"
+          readinessProbe:
+            tcpSocket:
+              port: "privatebin"
+          livenessProbe:
+            tcpSocket:
+              port: "privatebin"
+          securityContext:
+            privileged: false
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 23763
+            runAsGroup: 23763
+            seccompProfile:
+              type: "RuntimeDefault"
+            capabilities:
+              drop:
+                - "ALL"
+          volumeMounts:
+            - name: "storage"
+              mountPath: "/srv/data"
+            - name: "config"
+              mountPath: "/srv/cfg"
+            - name: "tmp"
+              mountPath: "/tmp"
+      volumes:
+        - name: "storage"
+          emptyDir:
+            sizeLimit: "1Gi"
+        - name: "config"
+          configMap:
+            name: "privatebin-config"
+        - name: "tmp"
+          emptyDir:
+            sizeLimit: "1Gi"

apps/privatebin/kustomization.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - deployment.yaml
+  - service.yaml
+configMapGenerator:
+  - name: privatebin-config
+    files:
+      - conf.php

apps/privatebin/service.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: "v1"
+kind: "Service"
+metadata:
+  name: "privatebin"
+spec:
+  ports:
+    - port: 80
+      targetPort: "privatebin"
+  selector:
+    app: "privatebin"

clusters/svc.ez.soeren.cloud/privatebin/external-secret-memos.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: "memos"
+spec:
+  refreshInterval: 12h
+  secretStoreRef:
+    name: "vault"
+    kind: "ClusterSecretStore"
+  target:
+    name: "memos"
+    template:
+      engineVersion: v2
+      data:
+        MEMOS_DSN: "memos:{{ .password }}@tcp(dbs.ez.soeren.cloud:3306)/memos?charset=utf8&parseTime=True&loc=Local&tls=true"
+  data:
+    - secretKey: "password"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/mariadb/galera-prod/memos/memos"
+        property: "password"

clusters/svc.ez.soeren.cloud/privatebin/kustomization.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1beta1"
+kind: "Kustomization"
+namespace: "privatebin"
+resources:
+  - "namespace.yaml"
+  - "../../../apps/privatebin"
+components:
+  - "../../../apps/privatebin/components/istio"
+  - "../../../apps/privatebin/components/istio-proxy"
+patches:
+  - target:
+      kind: "VirtualService"
+      name: "privatebin"
+    patch: |-
+      - op: "replace"
+        path: "/spec/hosts"
+        value:
+          - "privatebin.svc.ez.soeren.cloud"

clusters/svc.ez.soeren.cloud/privatebin/namespace.yaml

@@ -0,0 +1,7 @@
+---
+kind: "Namespace"
+apiVersion: "v1"
+metadata:
+  name: "privatebin"
+  labels:
+    name: "privatebin"