underpost 2.8.652 → 2.8.781

package/manifests/kubeadm-calico-config.yaml

@@ -0,0 +1,119 @@
+# This consolidated YAML file contains configurations for:
+# 1. Calico Installation (Installation and APIServer resources)
+# 2. A permissive Egress NetworkPolicy for the 'default' namespace
+#
+# These are standard Kubernetes resources that can be applied directly using 'kubectl apply'.
+# The kubeadm-specific ClusterConfiguration and InitConfiguration have been removed
+# as they are only processed by the 'kubeadm init' command, not 'kubectl apply'.
+
+# --- Calico Installation: Base configuration for Calico ---
+# For more information, see: https://projectcalico.docs.tigera.io/master/reference/installation/api#operator.tigera.io/v1.Installation
+apiVersion: operator.tigera.io/v1
+kind: Installation
+metadata:
+  name: default
+spec:
+  # Configures Calico networking.
+  calicoNetwork:
+    # Note: The ipPools section cannot be modified post-install.
+    ipPools:
+      - blockSize: 26
+        cidr: 192.168.0.0/16
+        encapsulation: VXLANCrossSubnet
+        natOutgoing: Enabled
+        nodeSelector: all()
+
+---
+# This section configures the Calico API server.
+# For more information, see: https://projectcalico.docs.tigera.io/master/reference/installation/api#operator.tigera.io/v1.APIServer
+apiVersion: operator.tigera.io/v1
+kind: APIServer
+metadata:
+  name: default
+spec: {}
+
+---
+# This consolidated NetworkPolicy file ensures that all pods in the specified namespaces
+# have unrestricted egress (outbound) access.
+# This is useful for troubleshooting or for environments where strict egress control
+# is not immediately required for these system/default namespaces.
+
+---
+# Policy for the 'default' namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-egress-default-namespace
+  namespace: default # This policy applies to the 'default' namespace
+spec:
+  podSelector: {} # Selects all pods in this namespace
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0 # Allows traffic to any IPv4 address
+
+---
+# Policy for the 'kube-system' namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-egress-kube-system-namespace
+  namespace: kube-system # This policy applies to the 'kube-system' namespace
+spec:
+  podSelector: {} # Selects all pods in this namespace
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0 # Allows traffic to any IPv4 address
+
+---
+# Policy for the 'kube-node-lease' namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-egress-kube-node-lease-namespace
+  namespace: kube-node-lease # This policy applies to the 'kube-node-lease' namespace
+spec:
+  podSelector: {} # Selects all pods in this namespace
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0 # Allows traffic to any IPv4 address
+
+---
+# Policy for the 'kube-public' namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-egress-kube-public-namespace
+  namespace: kube-public # This policy applies to the 'kube-public' namespace
+spec:
+  podSelector: {} # Selects all pods in this namespace
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0 # Allows traffic to any IPv4 address
+
+---
+# Policy for the 'tigera-operator' namespace
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-all-egress-tigera-operator-namespace
+  namespace: tigera-operator # This policy applies to the 'tigera-operator' namespace
+spec:
+  podSelector: {} # Selects all pods in this namespace
+  policyTypes:
+    - Egress
+  egress:
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0 # Allows traffic to any IPv4 address

package/manifests/kubelet-config.yaml

@@ -0,0 +1,65 @@
+apiVersion: v1
+data:
+  kubelet: |
+    apiVersion: kubelet.config.k8s.io/v1beta1
+    authentication:
+      anonymous:
+        enabled: false
+      webhook:
+        cacheTTL: 0s
+        enabled: true
+      x509:
+        clientCAFile: /etc/kubernetes/pki/ca.crt
+    authorization:
+      mode: Webhook
+      webhook:
+        cacheAuthorizedTTL: 0s
+        cacheUnauthorizedTTL: 0s
+    cgroupDriver: systemd
+    clusterDNS:
+    - 10.96.0.10
+    clusterDomain: cluster.local
+    containerRuntimeEndpoint: unix:///run/containerd/containerd.sock
+    cpuManagerReconcilePeriod: 0s
+    crashLoopBackOff: {}
+    evictionHard:
+      imagefs.available: "5%" # Adjusted for more tolerance
+      memory.available: "100Mi"
+      nodefs.available: "5%" # Adjusted for more tolerance
+      nodefs.inodesFree: "5%"
+    evictionPressureTransitionPeriod: 0s
+    fileCheckFrequency: 0s
+    healthzBindAddress: 127.0.0.1
+    healthzPort: 10248
+    httpCheckFrequency: 0s
+    imageMaximumGCAge: 0s
+    imageMinimumGCAge: 0s
+    kind: KubeletConfiguration
+    logging:
+      flushFrequency: 0
+      options:
+        json:
+          infoBufferSize: "0"
+        text:
+          infoBufferSize: "0"
+      verbosity: 0
+    memorySwap: {}
+    nodeStatusReportFrequency: 0s
+    nodeStatusUpdateFrequency: 0s
+    rotateCertificates: true
+    runtimeRequestTimeout: 0s
+    shutdownGracePeriod: 0s
+    shutdownGracePeriodCriticalPods: 0s
+    staticPodPath: /etc/kubernetes/manifests
+    streamingConnectionIdleTimeout: 0s
+    syncFrequency: 0s
+    volumeStatsAggPeriod: 0s
+kind: ConfigMap
+metadata:
+  annotations:
+    kubeadm.kubernetes.io/component-config.hash: sha256:26488e9fc7c5cb5fdda9996cda2e6651a9af5febce07ea02de11bd3ef3f49e9c
+  creationTimestamp: "2025-06-30T12:42:00Z"
+  name: kubelet-config
+  namespace: kube-system
+  resourceVersion: "204"
+  uid: a85321a8-f3e0-40fa-8e4e-9d33b8842e7a

package/manifests/mongodb/kustomization.yaml

@@ -6,6 +6,6 @@ resources:
   - pv-pvc.yaml
   - headless-service.yaml
   - statefulset.yaml
-  - backup-pv-pvc.yaml
+  # - backup-pv-pvc.yaml
   # - backup-cronjob.yaml
   # - backup-access.yaml

package/manifests/mongodb/statefulset.yaml

@@ -3,7 +3,7 @@ kind: StatefulSet
 metadata:
   name: mongodb # Specifies the name of the statefulset
 spec:
-  serviceName: 'mongodb-service' # Specifies the service to use
+  serviceName: "mongodb-service" # Specifies the service to use
   replicas: 2
   selector:
     matchLabels:
@@ -18,8 +18,8 @@ spec:
           image: docker.io/library/mongo:latest
           command:
             - mongod
-            - '--replSet'
-            - 'rs0'
+            - "--replSet"
+            - "rs0"
             # - '--config'
             # - '-f'
             # - '/etc/mongod.conf'
@@ -35,9 +35,9 @@ spec:
             # - '--setParameter'
             # - 'authenticationMechanisms=SCRAM-SHA-1'
             # - '--fork'
-            - '--logpath'
-            - '/var/log/mongodb/mongod.log'
-            - '--bind_ip_all'
+            - "--logpath"
+            - "/var/log/mongodb/mongod.log"
+            - "--bind_ip_all"
           # command: ['sh', '-c']
           # args:
           #   - |
@@ -99,11 +99,11 @@ spec:
                   key: password
           resources:
             requests:
-              cpu: '100m'
-              memory: '256Mi'
+              cpu: "100m"
+              memory: "256Mi"
             limits:
-              cpu: '500m'
-              memory: '512Mi'
+              cpu: "500m"
+              memory: "512Mi"
       volumes:
         - name: keyfile
           secret:
@@ -119,7 +119,8 @@ spec:
     - metadata:
         name: mongodb-storage
       spec:
-        accessModes: ['ReadWriteOnce']
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: mongodb-storage-class
         resources:
           requests:
             storage: 5Gi

package/manifests/mongodb/storage-class.yaml

@@ -0,0 +1,9 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+  name: mongodb-storage-class
+  annotations:
+    storageclass.kubernetes.io/is-default-class: "false"
+provisioner: rancher.io/local-path
+reclaimPolicy: Retain
+volumeBindingMode: WaitForFirstConsumer

package/manifests/mongodb-4.4/service-deployment.yaml

@@ -16,7 +16,7 @@ spec:
       hostname: mongo
       containers:
         - name: mongodb
-          image: docker.io/library/mongo:4.4
+          image: mongo:4.4
           command: ['mongod', '--replSet', 'rs0', '--bind_ip_all']
           # -- bash
           # mongo

package/manifests/mysql/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# kubectl apply -k core/.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - pv-pvc.yaml
+  - statefulset.yaml

package/manifests/mysql/pv-pvc.yaml

@@ -0,0 +1,27 @@
+# pv-pvc.yaml
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: mysql-pv
+  labels:
+    type: local
+spec:
+  storageClassName: manual
+  capacity:
+    storage: 20Gi
+  accessModes:
+    - ReadWriteOnce
+  hostPath:
+    path: "/mnt/data"
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mysql-pv-claim
+spec:
+  storageClassName: manual
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Gi

package/manifests/mysql/statefulset.yaml

@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mysql
+  labels:
+    app: mysql
+spec:
+  ports:
+    - port: 3306
+      name: mysql
+  selector:
+    app: mysql
+  clusterIP: None
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: mysql
+spec:
+  serviceName: "mysql"
+  selector:
+    matchLabels:
+      app: mysql
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: mysql
+    spec:
+      containers:
+        - image: mysql:9
+          name: mysql
+          env:
+            - name: MYSQL_ROOT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: mysql-secret
+                  key: password
+          ports:
+            - containerPort: 3306
+              name: mysql
+          volumeMounts:
+            - name: mysql-persistent-storage
+              mountPath: /var/lib/mysql
+              subPath: mysql
+  volumeClaimTemplates:
+    - metadata:
+        name: mysql-persistent-storage
+      spec:
+        storageClassName: manual
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 20Gi

package/manifests/postgresql/configmap.yaml

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgres-config
+  labels:
+    app: postgres
+data:
+  POSTGRES_DB: postgresdb
+  POSTGRES_USER: admin

package/manifests/postgresql/kustomization.yaml

@@ -0,0 +1,10 @@
+---
+# kubectl apply -k postgresql/.
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - pv.yaml
+  - pvc.yaml
+  - configmap.yaml
+  - statefulset.yaml
+  - service.yaml

package/manifests/postgresql/pv.yaml

@@ -0,0 +1,15 @@
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: postgres-pv-volume
+  labels:
+    type: local
+    app: postgres
+spec:
+  storageClassName: manual
+  capacity:
+    storage: 5Gi
+  accessModes:
+    - ReadWriteMany
+  hostPath:
+    path: '/mnt/data'

package/manifests/postgresql/pvc.yaml

@@ -0,0 +1,13 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: postgres-pv-claim
+  labels:
+    app: postgres
+spec:
+  storageClassName: manual
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 5Gi

package/manifests/postgresql/service.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres-service
+spec:
+  clusterIP: None
+  selector:
+    app: postgres
+  ports:
+    - port: 5432

package/manifests/postgresql/statefulset.yaml

@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgres
+spec:
+  serviceName: postgres
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgres
+  template:
+    metadata:
+      labels:
+        app: postgres
+    spec:
+      containers:
+        - name: postgres
+          image: postgres:latest
+          imagePullPolicy: Never
+          ports:
+            - containerPort: 5432
+          envFrom:
+            - configMapRef:
+                name: postgres-config
+          env:
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: postgres-secret
+                  key: password
+          volumeMounts:
+            - mountPath: /var/lib/postgresql/data
+              name: postgredb
+      volumes:
+        - name: postgredb
+          persistentVolumeClaim:
+            claimName: postgres-pv-claim

package/manifests/valkey/statefulset.yaml

@@ -1,4 +1,3 @@
----
 apiVersion: apps/v1
 kind: StatefulSet
 metadata:
@@ -15,9 +14,13 @@ spec:
       labels:
         app: service-valkey
     spec:
+      # Prevent automatic token mounting if you're not using the default ServiceAccount
+      automountServiceAccountToken: false
+
       containers:
         - name: service-valkey
           image: docker.io/valkey/valkey:latest
+          imagePullPolicy: IfNotPresent
           env:
             - name: TZ
               value: Europe/Zurich
@@ -35,5 +38,3 @@ spec:
             failureThreshold: 2
             periodSeconds: 30
             timeoutSeconds: 5
-      restartPolicy: Always
-      automountServiceAccountToken: false

package/package.json

@@ -2,7 +2,7 @@
     "type": "module",
     "main": "src/index.js",
     "name": "underpost",
-    "version": "2.8.652",
+    "version": "2.8.781",
     "description": "pwa api rest template",
     "scripts": {
         "start": "env-cmd -f .env.production node --max-old-space-size=8192 src/server",
@@ -11,6 +11,7 @@
         "dev": "env-cmd -f .env.development node src/client.dev default",
         "dev-img": "env-cmd -f .env.development node src/server",
         "prod-img": "env-cmd -f .env.production node src/server",
+        "monitor": "pm2 start bin/deploy.js --name monitor -- monitor",
         "dev-api": "env-cmd -f .env.development nodemon --watch src --ignore src/client src/api",
         "dev-client": "env-cmd -f .env.development node src/client.dev",
         "proxy": "node src/proxy proxy",