cyberia 3.2.9 → 3.2.22

package/manifests/deployment/dd-cyberia-development/deployment.yaml

@@ -20,11 +20,14 @@ spec:
     spec:
       containers:
         - name: dd-cyberia-development-blue
-          image: underpost/underpost-engine:v3.2.9
+          image: underpost/underpost-engine:v3.2.22
           imagePullPolicy: IfNotPresent
           envFrom:
             - secretRef:
                 name: underpost-config
+          env:
+            - name: UNDERPOST_INTERNAL_PORT
+              value: "4004"
 
           command:
             - /bin/sh
@@ -32,6 +35,40 @@ spec:
             - >
               underpost secret underpost --create-from-env &&
               underpost start --build --run dd-cyberia development
+          readinessProbe:
+            {
+              "httpGet": {
+                "path": "/_internal/ready",
+                "port": 4004
+              },
+              "initialDelaySeconds": 5,
+              "periodSeconds": 5,
+              "timeoutSeconds": 3,
+              "failureThreshold": 3
+            }
+          livenessProbe:
+            {
+              "httpGet": {
+                "path": "/_internal/health",
+                "port": 4004
+              },
+              "initialDelaySeconds": 30,
+              "periodSeconds": 15,
+              "timeoutSeconds": 3,
+              "failureThreshold": 3
+            }
+          startupProbe:
+            {
+              "httpGet": {
+                "path": "/_internal/ready",
+                "port": 4004
+              },
+              "initialDelaySeconds": 10,
+              "periodSeconds": 10,
+              "timeoutSeconds": 3,
+              "failureThreshold": 180
+            }
+
 
     
           volumeMounts:
@@ -192,11 +229,14 @@ spec:
     spec:
       containers:
         - name: dd-cyberia-development-green
-          image: underpost/underpost-engine:v3.2.9
+          image: underpost/underpost-engine:v3.2.22
           imagePullPolicy: IfNotPresent
           envFrom:
             - secretRef:
                 name: underpost-config
+          env:
+            - name: UNDERPOST_INTERNAL_PORT
+              value: "4004"
 
           command:
             - /bin/sh
@@ -204,6 +244,40 @@ spec:
             - >
               underpost secret underpost --create-from-env &&
               underpost start --build --run dd-cyberia development
+          readinessProbe:
+            {
+              "httpGet": {
+                "path": "/_internal/ready",
+                "port": 4004
+              },
+              "initialDelaySeconds": 5,
+              "periodSeconds": 5,
+              "timeoutSeconds": 3,
+              "failureThreshold": 3
+            }
+          livenessProbe:
+            {
+              "httpGet": {
+                "path": "/_internal/health",
+                "port": 4004
+              },
+              "initialDelaySeconds": 30,
+              "periodSeconds": 15,
+              "timeoutSeconds": 3,
+              "failureThreshold": 3
+            }
+          startupProbe:
+            {
+              "httpGet": {
+                "path": "/_internal/ready",
+                "port": 4004
+              },
+              "initialDelaySeconds": 10,
+              "periodSeconds": 10,
+              "timeoutSeconds": 3,
+              "failureThreshold": 180
+            }
+
 
     
           volumeMounts:

package/manifests/deployment/dd-default-development/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: dd-default-development-blue
-          image: underpost/underpost-engine:v3.2.9
+          image: underpost/underpost-engine:v3.2.22
           #          resources:
           #            requests:
           #              memory: "124Ki"
@@ -98,7 +98,7 @@ spec:
     spec:
       containers:
         - name: dd-default-development-green
-          image: underpost/underpost-engine:v3.2.9
+          image: underpost/underpost-engine:v3.2.22
           #          resources:
           #            requests:
           #              memory: "124Ki"

package/manifests/kind-config-dev.yaml

@@ -1,8 +1,16 @@
 kind: Cluster
 apiVersion: kind.x-k8s.io/v1alpha4
+networking:
+  ipFamily: ipv4
 nodes:
   - role: control-plane
+    extraMounts:
+      - hostPath: /data/mongodb
+        containerPath: /data/mongodb
   - role: worker
+    extraMounts:
+      - hostPath: /data/mongodb
+        containerPath: /data/mongodb
     # extraPortMappings:
     # - containerPort: 80
     #   hostPort: 80

package/manifests/lxd/lxd-admin-profile.yaml

@@ -1,13 +1,22 @@
 config:
-  limits.cpu: "2"
+  limits.cpu: '2'
   limits.memory: 4GB
-description: vm nat network
+  # Host-safety hardening:
+  #   boot.autostart=false  → the LXD daemon will NOT start any VM created with
+  #     this profile when the host boots. The user explicitly brings VMs up
+  #     after the host is verified healthy. Prevents a broken VM from blocking
+  #     boot via snap.lxd.daemon.
+  #   boot.host_shutdown_timeout=60 → bound the time the daemon waits for this
+  #     VM to stop when the host is going down. Prevents an unresponsive VM
+  #     from holding the host in an indefinite shutdown.
+  boot.autostart: 'false'
+  boot.host_shutdown_timeout: '60'
+description: vm nat network (host-safe defaults)
 devices:
   eth0:
     name: eth0
     network: lxdbr0
     type: nic
-    ipv4.address: 10.250.250.100
   root:
     path: /
     pool: local # lxc storage list

package/manifests/mongodb/pv-pvc.yaml

@@ -1,23 +1,59 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: mongodb-pv
+  name: mongodb-pv-0
+  labels:
+    app: mongodb
 spec:
   capacity:
     storage: 5Gi
   accessModes:
     - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: mongodb-storage-class
+  claimRef:
+    namespace: default
+    name: mongodb-storage-mongodb-0
   hostPath:
-    path: /data/mongodb
+    path: /data/mongodb/v0
+    type: DirectoryOrCreate
 ---
 apiVersion: v1
-kind: PersistentVolumeClaim
+kind: PersistentVolume
+metadata:
+  name: mongodb-pv-1
+  labels:
+    app: mongodb
+spec:
+  capacity:
+    storage: 5Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: mongodb-storage-class
+  claimRef:
+    namespace: default
+    name: mongodb-storage-mongodb-1
+  hostPath:
+    path: /data/mongodb/v1
+    type: DirectoryOrCreate
+---
+apiVersion: v1
+kind: PersistentVolume
 metadata:
-  name: mongodb-pvc
+  name: mongodb-pv-2
+  labels:
+    app: mongodb
 spec:
-  storageClassName: ''
+  capacity:
+    storage: 5Gi
   accessModes:
     - ReadWriteOnce
-  resources:
-    requests:
-      storage: 5Gi
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: mongodb-storage-class
+  claimRef:
+    namespace: default
+    name: mongodb-storage-mongodb-2
+  hostPath:
+    path: /data/mongodb/v2
+    type: DirectoryOrCreate

package/manifests/mongodb/statefulset.yaml

@@ -4,7 +4,8 @@ metadata:
   name: mongodb # Specifies the name of the statefulset
 spec:
   serviceName: 'mongodb-service' # Specifies the service to use
-  replicas: 2
+  podManagementPolicy: OrderedReady # or Parallel
+  replicas: 3
   selector:
     matchLabels:
       app: mongodb
@@ -13,80 +14,58 @@ spec:
       labels:
         app: mongodb
     spec:
+      subdomain: mongodb-service
+      securityContext:
+        fsGroup: 999
+      initContainers:
+        - name: internal-keyfile-provisioner
+          image: docker.io/library/mongo:latest
+          securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+          command:
+            - sh
+            - -c
+            - |
+              set -ex
+              mkdir -p /opt/mongodb
+              cp /tmp/raw-keyfile/mongodb-keyfile /opt/mongodb/mongodb-keyfile
+              chmod 400 /opt/mongodb/mongodb-keyfile
+              chown -R 999:999 /opt/mongodb
+              chown -R 999:999 /data/db
+              rm -f /data/db/mongod.lock
+          volumeMounts:
+            - name: raw-secret-keyfile-volume
+              mountPath: /tmp/raw-keyfile
+            - name: isolated-runtime-keyfile-volume
+              mountPath: /opt/mongodb
+            - name: mongodb-storage
+              mountPath: /data/db
       containers:
         - name: mongodb
           image: docker.io/library/mongo:latest
           command:
             - mongod
+          args:
             - '--replSet'
             - 'rs0'
-            # - '--config'
-            # - '-f'
-            # - '/etc/mongod.conf'
-            # - '--auth'
-            # - '--clusterAuthMode'
-            # - 'keyFile'
-            # - '--keyFile'
-            # - '/etc/mongodb-keyfile'
-            # - '--interleave'
-            # - 'all'
-            # - '--wiredTigerCacheSizeGB'
-            # - '0.25'
-            # - '--setParameter'
-            # - 'authenticationMechanisms=SCRAM-SHA-1'
-            # - '--fork'
-            - '--logpath'
-            - '/var/log/mongodb/mongod.log'
+            - '--auth'
+            - '--clusterAuthMode'
+            - 'keyFile'
+            - '--keyFile'
+            - '/opt/mongodb/mongodb-keyfile'
             - '--bind_ip_all'
-          # command: ['sh', '-c']
-          # args:
-          #   - |
-          #     mongod --replSet rs0 --bind_ip_all &
-          #     sleep 1000
-          #     if mongosh --host mongodb-0.mongodb-service:27017 --eval "rs.status()" | grep -q "not yet initialized"; then
-          #       mongosh --host mongodb-0.mongodb-service:27017 <<EOF
-          #       use admin;
-          #       rs.initiate({
-          #         _id: "rs0",
-          #         members: [
-          #           { _id: 0, host: "mongodb-0.mongodb-service:27017", priority: 1 },
-          #           { _id: 1, host: "mongodb-1.mongodb-service:27017", priority: 1 }
-          #         ]
-          #       });
-          #       db.getSiblingDB("admin").createUser({
-          #         user: process.env.MONGO_INITDB_ROOT_USERNAME,
-          #         pwd: process.env.MONGO_INITDB_ROOT_PASSWORD,
-          #         roles: [{ role: "userAdminAnyDatabase", db: "admin" }]
-          #       });
-          #       use default;
-          #       db.createUser(
-          #         {
-          #           user: process.env.MONGO_INITDB_ROOT_USERNAME,
-          #           pwd: process.env.MONGO_INITDB_ROOT_PASSWORD,
-          #           roles: [
-          #             { role: "read", db: "test" },
-          #             { role: "readWrite", db: "default" }
-          #           ]
-          #         }
-          #       );
-          #       EOF
-          #     fi
-          #     wait
+
           ports:
             - containerPort: 27017
           volumeMounts:
+            - name: isolated-runtime-keyfile-volume
+              mountPath: /opt/mongodb
             - name: mongodb-storage
               mountPath: /data/db
-            - name: keyfile
-              mountPath: /etc/mongodb-keyfile
-              readOnly: true
-            # - name: mongodb-configuration-file
-            #   mountPath: /etc/mongod.conf
-            #   subPath: mongod.conf
-            #   readOnly: true
-            # - name: mongodb-config
-            #   mountPath: /config
           env:
+            - name: MONGO_REPLICA_SET_NAME
+              value: rs0
             - name: MONGO_INITDB_ROOT_USERNAME
               valueFrom:
                 secretKeyRef:
@@ -97,6 +76,18 @@ spec:
                 secretKeyRef:
                   name: mongodb-secret
                   key: password
+          readinessProbe:
+            tcpSocket:
+              port: 27017
+            initialDelaySeconds: 15
+            periodSeconds: 10
+            timeoutSeconds: 5
+          livenessProbe:
+            tcpSocket:
+              port: 27017
+            initialDelaySeconds: 30
+            periodSeconds: 20
+            timeoutSeconds: 5
           resources:
             requests:
               cpu: '100m'
@@ -105,16 +96,12 @@ spec:
               cpu: '500m'
               memory: '512Mi'
       volumes:
-        - name: keyfile
+        - name: raw-secret-keyfile-volume
           secret:
             secretName: mongodb-keyfile
             defaultMode: 0400
-        # - name: mongodb-configuration-file
-        #   configMap:
-        #     name: mongodb-config-file
-        # - name: mongodb-config
-        #   configMap:
-        #     name: mongodb-config
+        - name: isolated-runtime-keyfile-volume
+          emptyDir: {}
   volumeClaimTemplates:
     - metadata:
         name: mongodb-storage

package/manifests/mongodb-4.4/headless-service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mongodb-service
+spec:
+  clusterIP: None
+  selector:
+    app: mongodb
+  ports:
+    - port: 27017

package/manifests/mongodb-4.4/kustomization.yaml

@@ -4,4 +4,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - pv-pvc.yaml
-  - service-deployment.yaml
+  - storage-class.yaml
+  - headless-service.yaml
+  - statefulset.yaml

package/manifests/mongodb-4.4/mongodb-nodeport.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mongodb-nodeport
+  labels:
+    app: mongodb
+spec:
+  type: NodePort
+  externalTrafficPolicy: Cluster
+  selector:
+    app: mongodb
+  ports:
+    - name: mongodb
+      protocol: TCP
+      port: 27017
+      targetPort: 27017
+      nodePort: 32017

package/manifests/mongodb-4.4/pv-pvc.yaml

@@ -1,23 +1,19 @@
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: mongodb-pv
+  name: mongodb-pv-0
+  labels:
+    app: mongodb
 spec:
   capacity:
     storage: 5Gi
   accessModes:
     - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: mongodb-storage-class
+  claimRef:
+    namespace: default
+    name: mongodb-storage-mongodb-0
   hostPath:
-    path: /data/mongodb
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: mongodb-pvc
-spec:
-  storageClassName: ''
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 5Gi
+    path: /data/mongodb/v0
+    type: DirectoryOrCreate

package/manifests/mongodb-4.4/statefulset.yaml

@@ -0,0 +1,79 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: mongodb # Specifies the name of the statefulset
+spec:
+  serviceName: 'mongodb-service' # Specifies the service to use
+  podManagementPolicy: OrderedReady # or Parallel
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mongodb
+  template:
+    metadata:
+      labels:
+        app: mongodb
+    spec:
+      subdomain: mongodb-service
+      securityContext:
+        fsGroup: 999
+      initContainers:
+        - name: data-dir-permissions
+          image: docker.io/library/mongo:4.4
+          securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+          command:
+            - sh
+            - -c
+            - |
+              chown -R 999:999 /data/db
+              rm -f /data/db/mongod.lock
+          volumeMounts:
+            - name: mongodb-storage
+              mountPath: /data/db
+      containers:
+        - name: mongodb
+          image: docker.io/library/mongo:4.4
+          command:
+            - mongod
+          args:
+            - '--replSet'
+            - 'rs0'
+            - '--bind_ip_all'
+          ports:
+            - containerPort: 27017
+          volumeMounts:
+            - name: mongodb-storage
+              mountPath: /data/db
+          env:
+            - name: MONGO_REPLICA_SET_NAME
+              value: rs0
+          readinessProbe:
+            tcpSocket:
+              port: 27017
+            initialDelaySeconds: 15
+            periodSeconds: 10
+            timeoutSeconds: 5
+          livenessProbe:
+            tcpSocket:
+              port: 27017
+            initialDelaySeconds: 30
+            periodSeconds: 20
+            timeoutSeconds: 5
+          resources:
+            requests:
+              cpu: '100m'
+              memory: '256Mi'
+            limits:
+              cpu: '500m'
+              memory: '512Mi'
+  volumeClaimTemplates:
+    - metadata:
+        name: mongodb-storage
+      spec:
+        accessModes: ['ReadWriteOnce']
+        storageClassName: mongodb-storage-class
+        resources:
+          requests:
+            storage: 5Gi

package/manifests/mongodb-4.4/storage-class.yaml

@@ -0,0 +1,9 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: mongodb-storage-class
+  annotations:
+    storageclass.kubernetes.io/is-default-class: 'false'
+provisioner: rancher.io/local-path
+reclaimPolicy: Retain
+volumeBindingMode: WaitForFirstConsumer

package/manifests/valkey/statefulset.yaml

@@ -19,7 +19,7 @@ spec:
           image: docker.io/valkey/valkey:latest
           imagePullPolicy: IfNotPresent
           command: ['valkey-server']
-          args: ['--port', '6379']
+          args: ['--port', '6379', '--bind', '0.0.0.0', '--protected-mode', 'no']
           ports:
             - containerPort: 6379
           startupProbe:

package/manifests/valkey/valkey-nodeport.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: valkey-nodeport
+  labels:
+    app: valkey-service
+spec:
+  type: NodePort
+  externalTrafficPolicy: Cluster
+  selector:
+    app: valkey-service
+  ports:
+    - name: valkey
+      protocol: TCP
+      port: 6379
+      targetPort: 6379
+      nodePort: 32079