initial commit

allard
2025-11-23 18:58:51 +01:00
commit 376a944abc
1553 changed files with 314731 additions and 0 deletions

dev/nexus/README.md Executable file

@@ -0,0 +1,113 @@
user: admin
password: Nexus01@
#installatie
postgres14 starten als dat nog niet is gebeurd
ingressrouteTCP-route aanmaken voor registry
ingressroutes HTTP en TLS aanmaken voor nexus (nodig voor compileren met maven)
kubectl apply -f nexus.yaml
i.v.m. permissions (zie logfile) indien nodig op sudo chmod +R /mnt/nfs_share/nexus uitvoeren
admin password staat in data-dir op de nfs-share
#Repository-routes configureren:
In nexus kun je een repository definieren van het type "Docker".
Die geef je dan een eigen poortnummer.
Bij TLS-interrupt door Traefik gewoon http-poort 5000 (https kun je leeglaten)
Bij TLS-interrupt door Nexus moet je een https-poort gebruiken (bijv 8444)
#SSL TLS Interrupt voor UI:
gewoon een ingressroute-HTTP en ingressroute-tls aanmaken voor nexus-dev.allarddcs.nl
#SSL TLS Interrupt voor Registry:
TLS-interrupt kun je het best door traefik laten doen.
Dit heeft de voorkeur want dan heb je een trusted certificaat en hoefje geen "insecure registry" te configurenren in docker-config.
#TLS-INTERRUPT DOOR TRAEFIK:
De ingressrouteTCP naar de docker registry ziet er dan alsvolgt uit:
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: registry-tcp
namespace: nexus
spec:
entryPoints:
- websecure # Traefik HTTPS entrypoint
routes:
- match: HostSNI(`registry-dev.allarddcs.nl`)
services:
- name: nexus
port: 5000 # Nexus HTTP port for Docker registry
tls:
certResolver: letsencrypt # Traefik uses this certificate
Dit is dus een bijzondere combinatie van IngressrouteTCP en toch TLS-interrupt.
Vanaf traefik gaat het verkeer dan naar de http-poort van je docker registry.
Daarnaast heb ik ook een ingressroute-http aangemaakt :
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: registry-http
namespace: nexus
spec:
entryPoints:
- web
routes:
- match: Host(`registry-dev.allarddcs.nl`)
kind: Rule
services:
- name: nexus
port: 8081
Deze gaat dus naar de web-kant voor de ACME-challenge van Letsencrypt.
#TLS-INTERRUPT DOOR NEXUS:
Deze optie heeft het nadeel dat je dan bij inloggen met docker de melding krijgt dat het certificaat
self-signed is. Dan moet je insecure registry opvoeren in docker-config.
Met keytool een certificaat aanmaken.
Certificaat zet je dan op nfs-share op data-dir/etc/ssl/keystore.jks
Deze poort moet je ook als ingressrouteTCP ontsluiten met TLS passthrough (want nexus doet TLS-interrupt)
maar dan uiteraard wel op de domeinnaam "registry-dev.allarddcs.nl".
Deze tweede route heeft hetzelfde "entrypoint" als de GUI, namelijk "websecure"
nexus-properties:
nexus-args=${jetty.etc}/jetty.xml,${jetty.etc}/jetty-http.xml,${jetty.etc}/jetty-https.xml,${jetty.etc}/jetty-requestlog.xml
application-port-ssl=8443
ssl-keystore=/nexus-data/etc/ssl/keystore.jks
ssl-keystore-password=password
ssl-keystore-type=JKS
jetty.sslContext.keyStorePath=/opt/sonatype/sonatype-work/nexus3/etc/ssl/keystore.jks
jetty.sslContext.keyStorePassword=password
jetty.sslContext.keyManagerPassword=password
jetty.sslContext.trustStoreType=JKS
#vervelende foutmeldingen in log voorkomen.
Om java in een container te kunnen runnen probeert nexus blijkbaar een .java directory aan te maken in /opt/sonatype/nexus.
Maar use nexus mag dat niet.
Vandaar dat er een emptydir gemount wordt:
volumeMounts:
- name: java-prefs
mountPath: /opt/sonatype/nexus/.java
volumes:
- name: java-prefs
emptyDir: {}
Die emptydir verdwijnt weer als je de container stopt.
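Review bot: the README opens with live credentials (`user: admin` / `password: Nexus01@`) and the nexus-properties block hard-codes `ssl-keystore-password=password`; both now sit in repository history with the rest of this commit, so they should be rotated and moved into a Kubernetes Secret that the README merely points to. Two smaller points in the installation steps: `sudo chmod +R /mnt/nfs_share/nexus` is not a valid chmod invocation (chmod has no `+R` flag and no mode is given); the intent is presumably `chmod -R` with a mode, and fixing ownership for the user the container runs as is safer than widening permissions on the whole share. The steps also say to start `postgres14`, while the JDBC URL in nexus.yaml in this same commit points at `postgres16.postgres.svc.cluster.local`, so one of the two is stale.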


@@ -0,0 +1,19 @@
apiVersion: backstage.io/v1alpha1
kind: Component
metadata:
name: dev-nexus
title: Nexus (dev)
description: Nexus instance running in Kubernetes
annotations:
backstage.io/kubernetes-label-selector: "app=nexus"
links:
- url: https://github.com/AllardKrings/kubernetes/dev/nexus
title: nexus-configuration
docs:
- url: ./README.md
spec:
type: service
lifecycle: production
owner: group:default/allarddcs
subcomponentOf: component:default/DEV-cluster
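Review bot: the `links` URL `https://github.com/AllardKrings/kubernetes/dev/nexus` is missing the `/tree/<branch>/` segment GitHub expects before a directory path, so the link will 404 from Backstage. `lifecycle: production` also contradicts `title: Nexus (dev)` and the `DEV-cluster` parent; a non-production lifecycle value (for example `experimental`) describes this component accurately.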


@@ -0,0 +1,14 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: nexus-http
namespace: nexus
spec:
entryPoints:
- web
routes:
- match: Host(`nexus-dev.allarddcs.nl`)
kind: Rule
services:
- name: nexus
port: 8081
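Review bot: `nexus-http` routes clear-text HTTP on the `web` entrypoint straight to the Nexus UI on port 8081 with no redirect, so the admin login form is reachable unencrypted. If the route exists only so the Let's Encrypt HTTP-01 challenge can succeed, note that Traefik answers the challenge itself on the entrypoint configured for its `letsencrypt` resolver; attaching a `redirectScheme` middleware to this route keeps the challenge working and sends everything else to HTTPS.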


@@ -0,0 +1,16 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: nexus-tls
namespace: nexus
spec:
entryPoints:
- websecure
routes:
- match: Host(`nexus-dev.allarddcs.nl`)
kind: Rule
services:
- name: nexus
port: 8081
tls:
certResolver: letsencrypt


@@ -0,0 +1,14 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: registry-http
namespace: nexus
spec:
entryPoints:
- web
routes:
- match: Host(`registry-dev.allarddcs.nl`)
kind: Rule
services:
- name: nexus
port: 8081
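Review bot: same issue as `nexus-http`: `registry-http` sends clear-text HTTP for `registry-dev.allarddcs.nl` to the Nexus UI on port 8081, not to the registry port 5000, so the hostname meant for the Docker registry also exposes the web UI without TLS. The README says this route only serves the Let's Encrypt challenge; since Traefik serves the HTTP-01 challenge itself, a `redirectScheme` middleware to HTTPS on this route is sufficient.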


@@ -0,0 +1,16 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: registry-tls
namespace: nexus
spec:
entryPoints:
- websecure
routes:
- match: Host(`registry-dev.allarddcs.nl`)
kind: Rule
services:
- name: nexus
port: 5000
tls:
certResolver: letsencrypt


@@ -0,0 +1,15 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: nexus-tcp-tls
namespace: nexus
spec:
entryPoints:
- websecure
routes:
- match: HostSNI(`nexus-dev.allarddcs.nl`)
services:
- name: nexus
port: 8443
tls:
passthrough: true
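Review bot: `nexus-tcp-tls` with `passthrough: true` on HostSNI "nexus-dev.allarddcs.nl" shares the `websecure` entrypoint with the `nexus-tls` IngressRoute for the same host; Traefik evaluates TCP routers before HTTP routers on a shared entrypoint, so while both are applied the raw TLS stream is forwarded to port 8443 and the Let's Encrypt-terminated route is never reached. The README presents this as the alternative "TLS termination by Nexus" setup, so keep this manifest out of the applied set (or in a clearly separate directory) rather than next to the Traefik-termination routes.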


@@ -0,0 +1,15 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: registry-tcp
namespace: nexus
spec:
entryPoints:
- websecure # Traefik HTTPS entrypoint
routes:
- match: HostSNI(`registry-dev.allarddcs.nl`)
services:
- name: nexus
port: 5000 # Nexus HTTP port for Docker registry
tls:
certResolver: letsencrypt # Traefik uses this certificate


@@ -0,0 +1,17 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: docker-registry
namespace: nexus
spec:
entryPoints:
- websecure
routes:
- match: HostSNI(`registry-dev.allarddcs.nl`)
services:
- name: nexus
port: 5000 # Nexus Docker HTTPS port
tls:
certResolver: letsencrypt
domains:
- main: registry-dev.allarddcs.nl
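Review bot: `docker-registry` duplicates `registry-tcp` (same HostSNI, same `websecure` entrypoint, same backend port 5000, same resolver); two TCP routers with an identical rule leave Traefik to pick one arbitrarily, and the `registry-tls` IngressRoute claims the same host on the same entrypoint as well. Keep a single route for the registry host. The inline comment `# Nexus Docker HTTPS port` is also wrong for this variant: with `certResolver` set, Traefik terminates TLS and port 5000 must be the plain-HTTP Docker connector in Nexus, as the comment in `registry-tcp` correctly states.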


@@ -0,0 +1,10 @@
keytool -genkeypair -keystore keystore.jks -storepass password -alias allarddcs.nl \
-keyalg RSA -keysize 2048 -validity 5000 -keypass password \
-dname 'CN=*.allarddcs.nl, OU=Sonatype, O=Sonatype, L=Unspecified, ST=Unspecified, C=US' \
-ext 'SAN=DNS:nexus-dev.allarddcs.nl,DNS:registry-dev.allarddcs.nl'
keytool -exportcert -keystore keystore.jks -alias allarddcs.nl -rfc > allarddcs.nl.cert
keytool -importkeystore -srckeystore keystore.jks -destkeystore allarddcs.nl.p12 -deststoretype PKCS12
openssl pkcs12 -nocerts -nodes -in allarddcs.nl.p12 -out allarddcs.nl.key
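Review bot: the keystore is generated with `-storepass password -keypass password`, a default-style password that also appears in the README's nexus-properties, and the last two commands extract the private key to `allarddcs.nl.key`, which is committed in this same commit. Generate the keystore outside the repository, use a real password supplied from a Kubernetes Secret, and add `*.jks`, `*.p12` and `*.key` to `.gitignore` so the material cannot be committed by accident. A `-validity 5000` (roughly 13.7 years) self-signed certificate also removes any forced rotation; a shorter validity is preferable.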


@@ -0,0 +1,23 @@


@@ -0,0 +1,32 @@
Bag Attributes
friendlyName: allarddcs.nl
localKeyID: 54 69 6D 65 20 31 37 36 33 37 31 30 33 37 32 34 36 30
Key Attributes: <No Attributes>
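Review bot: this file is a PEM-encoded RSA private key (the `Bag Attributes` header shows it is the `allarddcs.nl` key exported from the keystore built by the keytool commands in this commit), and the catalog entry links this repository on github.com. A private key that has entered git history must be treated as compromised regardless of whether the commit is later reverted: regenerate the keystore, replace the certificate wherever it was trusted, purge the file from history, and keep the key only in a Kubernetes Secret (or leave TLS termination to Traefik, which the README already prefers).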



dev/nexus/nexus-pvc.yaml Normal file

@@ -0,0 +1,34 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: nexus-pv
spec:
storageClassName: ""
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
mountOptions:
- hard
- nfsvers=4.1
nfs:
server: 192.168.2.110
path: /mnt/nfs_share/nexus/dev
readOnly: false
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nexus-pvc
namespace: nexus
spec:
storageClassName: ""
volumeName: nexus-pv
accessModes:
- ReadWriteMany
volumeMode: Filesystem
resources:
requests:
storage: 1Gi
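Review bot: `capacity.storage: 1Gi` on `nexus-pv` and the matching 1Gi request are unrealistically small for a Nexus instance that also serves as a Docker registry; for a static NFS PV the figure is not enforced, but it should still reflect the real share size so later quota or monitoring checks are not misleading. The PV also hard-codes `server: 192.168.2.110` and `path: /mnt/nfs_share/nexus/dev`, while the second copy of nexus.yaml in this commit uses `192.168.40.100` and `/mnt/nfs_share/nexus`, so one of the two manifests is stale and should be removed.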

dev/nexus/nexus.yaml Executable file

@@ -0,0 +1,93 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nexus
namespace: nexus
labels:
app: nexus
spec:
replicas: 1
selector:
matchLabels:
app: nexus
template:
metadata:
labels:
app: nexus
spec:
terminationGracePeriodSeconds: 30
tolerations:
- key: "memory"
operator: "Equal"
value: "high"
effect: "NoSchedule"
containers:
- name: nexus
image: sonatype/nexus3:latest
resources:
requests:
memory: "2Gi"
cpu: "500m"
limits:
memory: "4Gi"
cpu: "1000m"
ports:
- containerPort: 8081
name: web
- containerPort: 8443
name: websecure
- containerPort: 5000
name: docker
env:
- name: INSTALL4J_ADD_VM_PARAMS
value: "-XX:ActiveProcessorCount=4"
- name: NEXUS_DATASTORE_NEXUS_USERNAME
value: "nexus"
- name: NEXUS_DATASTORE_NEXUS_PASSWORD
value: "nexus"
- name: NEXUS_DATASTORE_NEXUS_JDBCURL
value: "jdbc:postgresql://postgres16.postgres.svc.cluster.local:5432/nexus"
# - name: NEXUS_DB_TYPE
# value: postgresql
# - name: NEXUS_DB_HOST
# value: postgres16.postgres.svc.cluster.local
# - name: NEXUS_DB_PORT
# value: "5432"
# - name: NEXUS_DB_NAME
# value: nexus
# - name: NEXUS_DB_USER
# value: nexus
# - name: NEXUS_DB_PASSWORD
# value: nexus
volumeMounts:
- mountPath: /nexus-data
name: nexus
subPath: data-dir
- name: java-prefs
mountPath: /opt/sonatype/nexus/.java
volumes:
- name: nexus
persistentVolumeClaim:
claimName: nexus-pvc
- name: java-prefs
emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
name: nexus
namespace: nexus
spec:
ports:
- name: web
targetPort: 8081
port: 8081
- name: websecure
targetPort: 8443
port: 8443
- name: docker
targetPort: 5000
port: 5000
selector:
app: nexus
type: ClusterIP
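Review bot: the database password is set inline (`- name: NEXUS_DATASTORE_NEXUS_PASSWORD` / `value: "nexus"`) and equals the username; put the three `NEXUS_DATASTORE_*` variables in a Secret, reference them with `valueFrom.secretKeyRef`, and change the password. Further points: `image: sonatype/nexus3:latest` makes rollouts unreproducible and silently pulls new major versions, so pin a tag or digest; the pod has no `securityContext` (`runAsNonRoot`, `fsGroup` for the NFS volume), which is also the clean fix for the permission errors the README works around with chmod; and the commented-out `NEXUS_DB_*` block can be dropped now that the `NEXUS_DATASTORE_*` variables are in use.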


@@ -0,0 +1,94 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: nexus-pv
spec:
storageClassName: ""
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
mountOptions:
- hard
- nfsvers=4.1
nfs:
server: 192.168.40.100
path: /mnt/nfs_share/nexus
readOnly: false
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nexus-pvc
spec:
storageClassName: ""
volumeName: nexus-pv
accessModes:
- ReadWriteMany
volumeMode: Filesystem
resources:
requests:
storage: 1Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nexus
labels:
app: nexus
spec:
replicas: 1
selector:
matchLabels:
app: nexus
template:
metadata:
labels:
app: nexus
spec:
containers:
- name: nexus
image: sonatype/nexus3
ports:
- containerPort: 8081
name: web
- containerPort: 8443
name: websecure
- containerPort: 8444
name: docker
# volumeMounts:
# - mountPath: /nexus-data
# name: nexus
# subPath: data-dir
# - mountPath: /opt/sonatype/nexus/etc
# name: nexus
# subPath: app-dir
env:
- name: INSTALL4J_ADD_VM_PARAMS
value: "-XX:ActiveProcessorCount=4"
- name: Djava.util.prefs.userRoot
value: "/opt/sonatype/sonatype-work/nexus3/javaprefs"
# volumes:
# - name: nexus
# persistentVolumeClaim:
# claimName: nexus-pvc
---
apiVersion: v1
kind: Service
metadata:
name: nexus
spec:
ports:
- name: http
targetPort: 8081
port: 8081
- name: https
targetPort: 8443
port: 8443
- name: nexus
targetPort: 8444
port: 8444
selector:
app: nexus
type: ClusterIP
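Review bot: `- name: Djava.util.prefs.userRoot` does not pass a JVM system property: an environment variable of that name is ignored by the JVM, and the leading `-` that would make it a `-D` flag is missing. Either append `-Djava.util.prefs.userRoot=/opt/sonatype/sonatype-work/nexus3/javaprefs` to `INSTALL4J_ADD_VM_PARAMS` or use the emptyDir mount on `/opt/sonatype/nexus/.java` that the other nexus.yaml already uses. With the `volumeMounts` and `volumes` blocks commented out, this variant also keeps all repository data in the container filesystem, so it is lost on every restart, and it lacks the `namespace: nexus` the routes in this commit rely on. Since the newer nexus.yaml supersedes it, delete this copy rather than leave two manifests that both create `Deployment/nexus`.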


@@ -0,0 +1,15 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nexus.alldcs.nl-tls
spec:
dnsNames:
- nexus.alldcs.nl
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: letsencrypt
secretName: nexus.allarddcs.nl-tls
usages:
- digital signature
- key encipherment
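Review bot: the Certificate is requested for `nexus.alldcs.nl` (in `dnsNames` and in the object name) but stored in `secretName: nexus.allarddcs.nl-tls`; every other manifest uses the `allarddcs.nl` domain, so `alldcs` looks like a typo that would make cert-manager request a certificate for a host that is never served. Fix the dnsName, or drop this object altogether, since the Traefik routes already obtain certificates through the `letsencrypt` certResolver.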


@@ -0,0 +1,13 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: nexus-http
spec:
entryPoints:
- web
routes:
- match: Host(`nexus.alldcs.nl`)
kind: Rule
services:
- name: nexus
port: 8081
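Review bot: `apiVersion: traefik.containo.us/v1alpha1` is the deprecated CRD group (removed in Traefik v3); the other routes in this commit already use `traefik.io/v1alpha1`. This route also lacks the `namespace: nexus` those use and targets the `alldcs.nl` host, so it is a leftover that duplicates `nexus-http` and should be deleted.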


@@ -0,0 +1,38 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: nexus-tcp-tls
spec:
entryPoints:
- websecure
routes:
- match: HostSNI(`nexus.alldcs.nl`)
services:
- name: nexus
port: 8443
- match: HostSNI(`nexus.alldcs.nl`)
services:
- name: nexus
port: 8443
tls:
passthrough: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: nexus-tcp-docker
spec:
entryPoints:
- websecure
routes:
- match: HostSNI(`registry.alldcs.nl`)
services:
- name: nexus
port: 8444
- match: HostSNI(`registry.alldcs.nl`) && PathPrefix(`/v2/`)
services:
- name: nexus
port: 8444
tls:
passthrough: true
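Review bot: in `nexus-tcp-docker` the second route, "match: HostSNI(`registry.alldcs.nl`) && PathPrefix(`/v2/`)", is invalid: `PathPrefix` is an HTTP matcher and cannot appear in an IngressRouteTCP rule, where only SNI-, ClientIP- and ALPN-based matchers exist, so Traefik will log an error for that router; drop the second route (with TLS passthrough Traefik cannot see the path anyway). In `nexus-tcp-tls` the two routes are identical and the second is a no-op. Both objects use the deprecated `traefik.containo.us` group, have no namespace and target the `alldcs.nl` hosts, so like the other old manifests they should be removed in favour of the `traefik.io` routes.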