diff --git a/chaoscenter/manifests/litmus-cluster-scope.yaml b/chaoscenter/manifests/litmus-cluster-scope.yaml new file mode 100644 index 00000000000..628412c0d11 --- /dev/null +++ b/chaoscenter/manifests/litmus-cluster-scope.yaml @@ -0,0 +1,456 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: litmus-server-cr +rules: + - apiGroups: [networking.k8s.io, extensions] + resources: [ingresses] + verbs: [get] + - apiGroups: [""] + resources: [services, nodes, pods/log] # Will have to remove this for namespaced scope + verbs: [get, watch] + - apiGroups: [""] # To get TLS Cert from secrets incase of cluster scope + resources: [secrets] + verbs: [get] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: litmus-server-crb +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: litmus-server-cr +subjects: + - kind: ServiceAccount + name: litmus-server-account + namespace: litmus +## Control plane manifests +--- +apiVersion: v1 +kind: Namespace +metadata: + name: litmus +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: litmus-server-account + namespace: litmus +--- +apiVersion: v1 +kind: Secret +metadata: + name: litmus-portal-admin-secret + namespace: litmus +stringData: + JWT_SECRET: "litmus-portal@123" + DB_USER: "root" + DB_PASSWORD: "1234" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: litmus-portal-admin-config + namespace: litmus +data: + DB_SERVER: mongodb://my-release-mongodb-0.my-release-mongodb-headless:27017,my-release-mongodb-1.my-release-mongodb-headless:27017,my-release-mongodb-2.my-release-mongodb-headless:27017/admin + VERSION: "ci" + SKIP_SSL_VERIFY: "false" + # Configurations if you are using dex for OAuth + DEX_ENABLED: "false" + OIDC_ISSUER: "http://:32000" + DEX_OAUTH_CALLBACK_URL: "http://:8080/auth/dex/callback" + DEX_OAUTH_CLIENT_ID: "LitmusPortalAuthBackend" + DEX_OAUTH_CLIENT_SECRET: "ZXhhbXBsZS1hcHAtc2VjcmV0" + OAuthJwtSecret: "litmus-oauth@123" +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: litmusportal-frontend-nginx-configuration + namespace: litmus +data: + nginx.conf: | + pid /tmp/nginx.pid; + + events { + worker_connections 1024; + } + + http { + map $http_upgrade $connection_upgrade { + default upgrade; + '' close; + } + + client_body_temp_path /tmp/client_temp; + proxy_temp_path /tmp/proxy_temp_path; + fastcgi_temp_path /tmp/fastcgi_temp; + uwsgi_temp_path /tmp/uwsgi_temp; + scgi_temp_path /tmp/scgi_temp; + + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + server_tokens off; + + include /etc/nginx/mime.types; + + gzip on; + gzip_disable "msie6"; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + server { + listen 8185 default_server; + root /opt/chaos; + + location /health { + return 200; + } + + location / { + proxy_http_version 1.1; + add_header Cache-Control "no-cache"; + try_files $uri /index.html; + autoindex on; + } + + # redirect server error pages to the static page /50x.html + # + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + + location /auth/ { + proxy_http_version 1.1; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass "http://litmusportal-auth-server-service:9003/"; + } + + location /api/ { + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_pass "http://litmusportal-server-service:9002/"; + } + } + } +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: litmusportal-frontend + namespace: litmus + labels: + component: litmusportal-frontend +spec: + replicas: 1 + selector: + matchLabels: + component: litmusportal-frontend + template: + metadata: + labels: + component: litmusportal-frontend + spec: + automountServiceAccountToken: false + containers: + - name: litmusportal-frontend + image: litmuschaos/litmusportal-frontend:ci + imagePullPolicy: Always + # securityContext: + # runAsUser: 2000 + # allowPrivilegeEscalation: false + # runAsNonRoot: true + ports: + - containerPort: 8185 + resources: + requests: + memory: "150Mi" + cpu: "125m" + ephemeral-storage: "500Mi" + limits: + memory: "512Mi" + cpu: "550m" + ephemeral-storage: "1Gi" + volumeMounts: + - name: nginx-config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + volumes: + - name: nginx-config + configMap: + name: litmusportal-frontend-nginx-configuration +--- +apiVersion: v1 +kind: Service +metadata: + name: litmusportal-frontend-service + namespace: litmus +spec: + type: NodePort + ports: + - name: http + port: 9091 + targetPort: 8185 + selector: + component: litmusportal-frontend +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: litmusportal-server + namespace: litmus + labels: + component: litmusportal-server +spec: + replicas: 1 + selector: + matchLabels: + component: litmusportal-server + template: + metadata: + labels: + component: litmusportal-server + spec: + volumes: + - name: gitops-storage + emptyDir: {} + - name: hub-storage + emptyDir: {} + containers: + - name: graphql-server + image: litmuschaos/litmusportal-server:ci + volumeMounts: + - mountPath: /tmp/ + name: gitops-storage + - mountPath: /tmp/version + name: hub-storage + securityContext: + runAsUser: 2000 + allowPrivilegeEscalation: false + runAsNonRoot: true + readOnlyRootFilesystem: true + envFrom: + - configMapRef: + name: litmus-portal-admin-config + - secretRef: + name: litmus-portal-admin-secret + env: + # if self-signed certificate are used pass the k8s tls secret name created in portal ns, to allow agents to use tls for communication + - name: TLS_SECRET_NAME + value: "" + - name: LITMUS_PORTAL_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + - name: CHAOS_CENTER_SCOPE + value: "cluster" + - name: ENABLE_GQL_INTROSPECTION + value: "false" + - name: SUBSCRIBER_IMAGE + value: "litmuschaos/litmusportal-subscriber:ci" + - name: EVENT_TRACKER_IMAGE + value: "litmuschaos/litmusportal-event-tracker:ci" + - name: ARGO_WORKFLOW_CONTROLLER_IMAGE + value: "litmuschaos/workflow-controller:v3.3.1" + - name: ARGO_WORKFLOW_EXECUTOR_IMAGE + value: "litmuschaos/argoexec:v3.3.1" + - name: LITMUS_CHAOS_OPERATOR_IMAGE + value: "litmuschaos/chaos-operator:ci" + - name: LITMUS_CHAOS_RUNNER_IMAGE + value: "litmuschaos/chaos-runner:ci" + - name: LITMUS_CHAOS_EXPORTER_IMAGE + value: "litmuschaos/chaos-exporter:ci" + - name: SERVER_SERVICE_NAME + value: "litmusportal-server-service" + - name: INFRA_DEPLOYMENTS + value: '["app=chaos-exporter", "name=chaos-operator", "app=workflow-controller", "app=event-tracker"]' + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CHAOS_CENTER_UI_ENDPOINT + value: "" + - name: INGRESS + value: "false" + - name: INGRESS_NAME + value: "litmus-ingress" + - name: CONTAINER_RUNTIME_EXECUTOR + value: "k8sapi" + - name: DEFAULT_HUB_BRANCH_NAME + value: "master" + - name: LITMUS_AUTH_GRPC_ENDPOINT + value: "litmusportal-auth-server-service" + - name: LITMUS_AUTH_GRPC_PORT + value: ":3030" + - name: WORKFLOW_HELPER_IMAGE_VERSION + value: "3.7.0" + - name: REMOTE_HUB_MAX_SIZE + value: "5000000" + - name: INFRA_COMPATIBLE_VERSIONS + value: '["ci"]' + - name: ALLOWED_ORIGINS + value: ^(http://|https://|)litmuschaos.io(:[0-9]+|)?,^(http://|https://|)litmusportal-server-service(:[0-9]+|)? + ports: + - containerPort: 8080 + - containerPort: 8000 + imagePullPolicy: Always + resources: + requests: + memory: "250Mi" + cpu: "225m" + ephemeral-storage: "500Mi" + limits: + memory: "712Mi" + cpu: "550m" + ephemeral-storage: "1Gi" + serviceAccountName: litmus-server-account +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: litmusportal-server + namespace: litmus + labels: + component: litmusportal-server +spec: + policyTypes: + - Ingress + podSelector: + matchLabels: + component: litmusportal-server + ingress: + - from: + - podSelector: + matchLabels: + component: litmusportal-frontend +--- +apiVersion: v1 +kind: Service +metadata: + name: litmusportal-server-service + namespace: litmus +spec: + type: NodePort + ports: + - name: graphql-server + port: 9002 + targetPort: 8080 + - name: graphql-rpc-server + port: 8000 + targetPort: 8000 + selector: + component: litmusportal-server +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: litmusportal-auth-server + namespace: litmus + labels: + component: litmusportal-auth-server +spec: + replicas: 1 + selector: + matchLabels: + component: litmusportal-auth-server + template: + metadata: + labels: + component: litmusportal-auth-server + spec: + automountServiceAccountToken: false + containers: + - name: auth-server + image: litmuschaos/litmusportal-auth-server:ci + securityContext: + runAsUser: 2000 + allowPrivilegeEscalation: false + runAsNonRoot: true + readOnlyRootFilesystem: true + envFrom: + - configMapRef: + name: litmus-portal-admin-config + - secretRef: + name: litmus-portal-admin-secret + env: + - name: STRICT_PASSWORD_POLICY + value: "false" + - name: ADMIN_USERNAME + value: "admin" + - name: ADMIN_PASSWORD + value: "litmus" + - name: LITMUS_GQL_GRPC_ENDPOINT + value: "litmusportal-server-service" + - name: LITMUS_GQL_GRPC_PORT + value: ":8000" + - name: ALLOWED_ORIGINS + value: ^(http://|https://|)litmuschaos.io(:[0-9]+|)?,^(http://|https://|)litmusportal-auth-server-service(:[0-9]+|)? + resources: + requests: + memory: "250Mi" + cpu: "225m" + ephemeral-storage: "500Mi" + limits: + memory: "712Mi" + cpu: "550m" + ephemeral-storage: "1Gi" + ports: + - containerPort: 3000 + - containerPort: 3030 + imagePullPolicy: Always +--- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: litmusportal-auth-server + namespace: litmus + labels: + component: litmusportal-auth-server +spec: + policyTypes: + - Ingress + podSelector: + matchLabels: + component: litmusportal-auth-server + ingress: + - from: + - podSelector: + matchLabels: + component: litmusportal-frontend + - from: + - podSelector: + matchLabels: + component: litmusportal-server +--- +apiVersion: v1 +kind: Service +metadata: + name: litmusportal-auth-server-service + namespace: litmus +spec: + type: NodePort + ports: + - name: auth-server + port: 9003 + targetPort: 3000 + - name: auth-rpc-server + port: 3030 + targetPort: 3030 + selector: + component: litmusportal-auth-server diff --git a/chaoscenter/manifests/litmus-namespaced-scope.yaml b/chaoscenter/manifests/litmus-namespaced-scope.yaml index 0edbe9827d8..ce9d4edc9a7 100644 --- a/chaoscenter/manifests/litmus-namespaced-scope.yaml +++ b/chaoscenter/manifests/litmus-namespaced-scope.yaml @@ -273,6 +273,25 @@ spec: cpu: "550m" ephemeral-storage: "1Gi" --- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: litmusportal-server + namespace: litmus + labels: + component: litmusportal-server +spec: + policyTypes: + - Ingress + podSelector: + matchLabels: + component: litmusportal-server + ingress: + - from: + - podSelector: + matchLabels: + component: litmusportal-frontend +--- apiVersion: v1 kind: Service metadata: @@ -362,6 +381,29 @@ spec: cpu: "550m" ephemeral-storage: "1Gi" --- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: litmusportal-auth-server + namespace: litmus + labels: + component: litmusportal-auth-server +spec: + policyTypes: + - Ingress + podSelector: + matchLabels: + component: litmusportal-auth-server + ingress: + - from: + - podSelector: + matchLabels: + component: litmusportal-frontend + - from: + - podSelector: + matchLabels: + component: litmusportal-server +--- apiVersion: v1 kind: Service metadata: diff --git a/chaoscenter/manifests/litmus-without-resources.yaml b/chaoscenter/manifests/litmus-without-resources.yaml index 075b4d239c4..1c8c6fc6fe4 100644 --- a/chaoscenter/manifests/litmus-without-resources.yaml +++ b/chaoscenter/manifests/litmus-without-resources.yaml @@ -248,6 +248,25 @@ spec: - containerPort: 8001 imagePullPolicy: Always --- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: litmusportal-server + namespace: litmus + labels: + component: litmusportal-server +spec: + policyTypes: + - Ingress + podSelector: + matchLabels: + component: litmusportal-server + ingress: + - from: + - podSelector: + matchLabels: + component: litmusportal-frontend +--- apiVersion: v1 kind: Service metadata: @@ -328,6 +347,29 @@ spec: - containerPort: 3031 imagePullPolicy: Always --- +kind: NetworkPolicy +apiVersion: networking.k8s.io/v1 +metadata: + name: litmusportal-auth-server + namespace: litmus + labels: + component: litmusportal-auth-server +spec: + policyTypes: + - Ingress + podSelector: + matchLabels: + component: litmusportal-auth-server + ingress: + - from: + - podSelector: + matchLabels: + component: litmusportal-frontend + - from: + - podSelector: + matchLabels: + component: litmusportal-server +--- apiVersion: v1 kind: Service metadata: