waylon 0.2.0 → 0.2.2

data/examples/deploying/helm/waylon/templates/web-ingress.yaml

@@ -0,0 +1,48 @@
+{{- if .Values.web.ingress.enabled -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: web
+  labels:
+    app.kubernetes.io/name: web
+    app.kubernetes.io/component: ingress
+    {{- include "waylon.commonLabels" . | nindent 4 }}
+    {{- with .Values.web.ingress.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  annotations:
+    kubernetes.io/ingress.class: {{ .Values.web.ingress.class }}
+    nginx.ingress.kubernetes.io/preserve-host: "true"
+    {{- if .Values.web.ingress.tls.enabled }}
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    {{- if eq .Values.web.ingress.tls.issuer "letsencrypt" }}
+    {{- if eq .Values.web.ingress.tls.issuerClass "ClusterIssuer" }}
+    cert-manager.io/cluster-issuer: letsencrypt
+    {{- else }}
+    cert-manager.io/issuer: letsencrypt
+    {{- end }}
+    cert-manager.io/acme-challenge-type: http01
+    {{- end }}
+    {{- end }}
+    {{- with .Values.web.ingress.annotations }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  rules:
+  - host: {{ .Values.web.ingress.hostname }}
+    http:
+      paths:
+      - pathType: Prefix
+        path: /
+        backend:
+          service:
+            name: waylon
+            port:
+              name: waylon
+  {{- if .Values.web.ingress.tls.enabled }}
+  tls:
+  - hosts:
+    - {{ .Values.web.ingress.hostname }}
+    secretName: web-ingress-tls
+  {{- end }}
+{{- end -}}

data/examples/deploying/helm/waylon/templates/web-service.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: web
+  labels:
+    app.kubernetes.io/name: web
+    app.kubernetes.io/component: service
+    {{- include "waylon.commonLabels" . | nindent 4 }}
+    {{- with .Values.web.service.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- if .Values.web.service.annotations }}
+  annotations:
+    {{- toYaml .Values.web.service.annotations | nindent 4 }}
+  {{- end }}
+spec:
+  type: {{ .Values.web.service.type }}
+  ports:
+  - port: {{ .Values.web.service.port }}
+    targetPort: 9292
+    protocol: TCP
+    name: waylon
+  selector:
+    app.kubernetes.io/component: web
+    {{- include "waylon.commonLabels" . | nindent 4 }}
+  

data/examples/deploying/helm/waylon/templates/worker-deployment.yaml

@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: worker
+  labels:
+    app.kubernetes.io/name: worker
+    app.kubernetes.io/component: worker
+    {{- include "waylon.commonLabels" . | nindent 4 }}
+    {{- with .Values.worker.deployment.labels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- if .Values.worker.deployment.annotations }}
+  annotations:
+    {{- toYaml .Values.worker.deployment.annotations | nindent 4 }}
+  {{- end }}
+spec:
+  replicas: {{ .Values.worker.deployment.replicas }}
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: {{ .Values.worker.deployment.maxSurge }}
+      maxUnavailable: {{ .Values.worker.deployment.maxUnavailable }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: worker
+      {{- include "waylon.commonLabels" . | nindent 6 }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: worker
+        app.kubernetes.io/component: worker
+        {{- include "waylon.commonLabels" . | nindent 8 }}
+    spec:
+      {{- if .Values.common.strictSecurity }}
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+      {{- end }}
+      {{- if .Values.common.imagePullSecret }}
+      imagePullSecrets:
+      - name: {{ .Values.common.imagePullSecret }}
+      {{- end }}
+      volumes:
+      - name: tmpvol
+        emptyDir: {}
+      containers:
+      - name: worker
+        image: {{ .Values.common.waylonImage }}
+        imagePullPolicy: {{ .Values.worker.deployment.imagePullPolicy }}
+        stdin: true
+        tty: true
+        args: ["worker"]
+        env:
+        - name: REDIS
+          value: {{ .Values.redis.hostAndPort }}
+        - name: LOG_LEVEL
+          value: {{ .Values.worker.deployment.logLevel }}
+        - name: QUEUE
+          value: "senses,skills"
+        envFrom:
+        - secretRef:
+            name: waylon-secret
+        resources:
+          limits:
+            memory: {{ .Values.worker.deployment.memoryLimit }}
+            cpu: {{ .Values.worker.deployment.cpuLimit }}
+          requests:
+            memory: 64Mi
+            cpu: 20m
+        livenessProbe:
+          tcpSocket:
+            port: waylon
+          timeoutSeconds: 2
+          initialDelaySeconds: 2
+          periodSeconds: 2
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /ping
+            port: waylon
+          timeoutSeconds: 6
+          initialDelaySeconds: 2
+          periodSeconds: 10
+          failureThreshold: 3
+        ports:
+        - name: waylon
+          containerPort: 9292
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmpvol
+        {{- if .Values.common.strictSecurity }}
+        securityContext:
+          allowPrivilegeEscalation: false
+          privileged: false
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+              - all
+        {{- end }}

data/examples/deploying/helm/waylon/values.yaml

@@ -0,0 +1,50 @@
+common:
+  strictSecurity: true
+  waylonImage: MISSING
+
+redis:
+  enabled: true
+  hostAndPort: redis:6379
+  image: redis:6-alpine
+  imagePullPolicy: Always
+  command:
+  - "redis-server"
+  - "--appendonly yes"
+  cpuLimit: 200m
+  memoryLimit: 512Mi
+  storage:
+    capacity: 1Gi
+    class: longhorn
+
+web:
+  deployment:
+    imagePullPolicy: IfNotPresent
+    logLevel: DEBUG
+    # Rollout settings
+    maxSurge: 2
+    maxUnavailable: 0
+    replicas: 1
+    cpuLimit: 250m
+    memoryLimit: 256Mi
+  ingress:
+    enabled: true
+    class: nginx
+    hostname: MISSING
+    tls:
+      enabled: true
+      issuer: letsencrypt
+      issuerClass: ClusterIssuer
+  service:
+    port: 80
+    type: ClusterIP
+
+worker:
+  deployment:
+    imagePullPolicy: IfNotPresent
+    logLevel: DEBUG
+    # Rollout settings
+    maxSurge: 2
+    maxUnavailable: 0
+    replicas: 2
+    cpuLimit: 500m
+    memoryLimit: 768Mi

data/examples/deploying/k8s/README.md

@@ -0,0 +1,11 @@
+# Deploying Waylon to Kubernetes
+
+This is an example of deploying a Waylon image to Kubernetes. To use it, you must identify a hostname for Waylon to be externally accessible (for plugins that require that) in `web-ingress.yaml`. You must also set the image used for the containers in `web-deployment.yaml` and `worker-deployment.yaml` to your pre-built Waylon docker image.
+
+Once these modifications are made, you can launch Waylon on your Kubernetes cluster using something like:
+
+```sh
+$ kubectl -n some-namespace apply -f *.yaml
+```
+
+The files in this example make some hefty assumptions, such as that your cluster has a `StorageClass` called `longhorn` and that you won't need credentials to pull images from your registry. Please be sure to review the files fully and make any necessary changes before using them.

data/examples/deploying/k8s/redis-statefulset.yaml

@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: redis
+  labels:
+    app.kubernetes.io/name: redis
+    app.kubernetes.io/component: redis
+    app.kubernetes.io/part-of: waylon
+spec:
+  serviceName: redis
+  # set to 1 because we're not configuring clustering
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: redis
+      app.kubernetes.io/component: redis
+      app.kubernetes.io/part-of: waylon
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: redis
+        app.kubernetes.io/component: redis
+        app.kubernetes.io/part-of: waylon
+    spec:
+      containers:
+      - name: redis
+        image: redis:6-alpine
+        imagePullPolicy: Always
+        stdin: true
+        tty: true
+        command: 
+        - redis-server
+        - --appendonly yes
+        securityContext:
+          readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
+          privileged: false
+          runAsNonRoot: true
+          runAsUser: 999
+          runAsGroup: 999
+          capabilities:
+            drop:
+            - ALL
+        resources:
+          limits:
+            memory: 512Mi
+            cpu: 200m
+          requests:
+            memory: 8Mi
+            cpu: 20m
+        ports:
+        - containerPort: 6379
+          protocol: TCP
+          name: redis
+        readinessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - "/usr/local/bin/redis-cli -h $(hostname) ping"
+          initialDelaySeconds: 15
+          timeoutSeconds: 5
+        livenessProbe:
+          exec:
+            command:
+            - sh
+            - -c
+            - "/usr/local/bin/redis-cli -h $(hostname) ping"
+          initialDelaySeconds: 30
+          periodSeconds: 2
+          successThreshold: 1
+          failureThreshold: 3
+          timeoutSeconds: 5
+        volumeMounts:
+        - name: datadir
+          mountPath: /data
+  volumeClaimTemplates:
+  - metadata:
+      name: datadir
+    spec:
+      accessModes:
+      - "ReadWriteOnce"
+      resources:
+        requests:
+          storage: 1Gi
+      storageClassName: "longhorn"

data/examples/deploying/k8s/web-deployment.yaml

@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: web
+  labels:
+    app.kubernetes.io/name: web
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: waylon
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 2
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: web
+      app.kubernetes.io/part-of: waylon
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: web
+        app.kubernetes.io/component: web
+        app.kubernetes.io/part-of: waylon
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+      volumes:
+      - name: tmpvol
+        emptyDir: {}
+      containers:
+      - name: web
+        # This MUST be set to a real image
+        image: MISSING
+        imagePullPolicy: IfNotPresent
+        stdin: true
+        tty: true
+        args: ["web"]
+        env:
+        - name: REDIS
+          value: redis:6379
+        - name: LOG_LEVEL
+          value: DEBUG
+        envFrom:
+        - secretRef:
+            name: waylon-secret
+        resources:
+          limits:
+            memory: 256Mi
+            cpu: 250m
+          requests:
+            memory: 64Mi
+            cpu: 10m
+        livenessProbe:
+          tcpSocket:
+            port: waylon
+          timeoutSeconds: 2
+          initialDelaySeconds: 2
+          periodSeconds: 2
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /ping
+            port: waylon
+          timeoutSeconds: 6
+          initialDelaySeconds: 2
+          periodSeconds: 10
+          failureThreshold: 3
+        ports:
+        - name: waylon
+          containerPort: 9292
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmpvol
+        securityContext:
+          allowPrivilegeEscalation: false
+          privileged: false
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+              - all

data/examples/deploying/k8s/web-ingress.yaml

@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: web
+  labels:
+    app.kubernetes.io/name: web
+    app.kubernetes.io/component: ingress
+    app.kubernetes.io/part-of: waylon
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/preserve-host: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    cert-manager.io/cluster-issuer: letsencrypt
+    cert-manager.io/acme-challenge-type: http01
+spec:
+  rules:
+  # This needs to be a real name accessible from the Internet
+  - host: foo.bar
+    http:
+      paths:
+      - pathType: Prefix
+        path: /
+        backend:
+          service:
+            name: waylon
+            port:
+              name: waylon
+  tls:
+  - hosts:
+    # This needs to be a real name accessible from the Internet, same as above
+    - foo.bar
+    secretName: web-ingress-tls

data/examples/deploying/k8s/web-service.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: web
+  labels:
+    app.kubernetes.io/name: web
+    app.kubernetes.io/component: service
+    app.kubernetes.io/part-of: waylon
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: 9292
+    protocol: TCP
+    name: waylon
+  selector:
+    app.kubernetes.io/component: web
+    app.kubernetes.io/part-of: waylon

data/examples/deploying/k8s/worker-deployment.yaml

@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: worker
+  labels:
+    app.kubernetes.io/name: worker
+    app.kubernetes.io/component: worker
+    app.kubernetes.io/part-of: waylon
+spec:
+  replicas: 2
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxSurge: 2
+      maxUnavailable: 0
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: worker
+      app.kubernetes.io/part-of: waylon
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: worker
+        app.kubernetes.io/component: worker
+        app.kubernetes.io/part-of: waylon
+    spec:
+      securityContext:
+        runAsUser: 1000
+        runAsGroup: 1000
+      volumes:
+      - name: tmpvol
+        emptyDir: {}
+      containers:
+      - name: worker
+        # This MUST be set to a real image
+        image: MISSING
+        imagePullPolicy: IfNotPresent
+        stdin: true
+        tty: true
+        args: ["worker"]
+        env:
+        - name: REDIS
+          value: redis:6379
+        - name: LOG_LEVEL
+          value: DEBUG
+        - name: QUEUE
+          value: "senses,skills"
+        envFrom:
+        - secretRef:
+            name: waylon-secret
+        resources:
+          limits:
+            memory: 768Mi
+            cpu: 500m
+          requests:
+            memory: 64Mi
+            cpu: 20m
+        livenessProbe:
+          tcpSocket:
+            port: waylon
+          timeoutSeconds: 2
+          initialDelaySeconds: 2
+          periodSeconds: 2
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /ping
+            port: waylon
+          timeoutSeconds: 6
+          initialDelaySeconds: 2
+          periodSeconds: 10
+          failureThreshold: 3
+        ports:
+        - name: waylon
+          containerPort: 9292
+          protocol: TCP
+        volumeMounts:
+        - mountPath: /tmp
+          name: tmpvol
+        securityContext:
+          allowPrivilegeEscalation: false
+          privileged: false
+          runAsNonRoot: true
+          readOnlyRootFilesystem: true
+          capabilities:
+            drop:
+              - all