parent
fc9d4f0175
commit
1fcb74a772
@ -0,0 +1,264 @@ |
||||
AWSTemplateFormatVersion: "2010-09-09" |
||||
Description: Jitsi platform |
||||
Parameters: |
||||
ClusterName: |
||||
Description: "Cluster name" |
||||
Type: String |
||||
Default: "dev" |
||||
Subnet1AvailabilityZone: |
||||
Description: "The availability zone for the subnet #1" |
||||
Type: "AWS::EC2::AvailabilityZone::Name" |
||||
Default: "us-east-1a" |
||||
Subnet2AvailabilityZone: |
||||
Description: "The availability zone for the subnet #2" |
||||
Type: "AWS::EC2::AvailabilityZone::Name" |
||||
Default: "us-east-1b" |
||||
Subnet3AvailabilityZone: |
||||
Description: "The availability zone for the subnet #3" |
||||
Type: "AWS::EC2::AvailabilityZone::Name" |
||||
Default: "us-east-1c" |
||||
Resources: |
||||
Role: |
||||
Type: AWS::IAM::Role |
||||
Properties: |
||||
AssumeRolePolicyDocument: |
||||
Version: '2012-10-17' |
||||
Statement: |
||||
- Effect: Allow |
||||
Principal: |
||||
Service: |
||||
- eks.amazonaws.com |
||||
Action: |
||||
- sts:AssumeRole |
||||
Policies: |
||||
- PolicyDocument: |
||||
Version: '2012-10-17' |
||||
Statement: |
||||
- Effect: Allow |
||||
Resource: '*' |
||||
Action: |
||||
- autoscaling:DescribeAutoScalingGroups |
||||
- autoscaling:DescribeLaunchConfigurations |
||||
- autoscaling:DescribeTags |
||||
- ec2:DescribeInstances |
||||
- ec2:DescribeRegions |
||||
- ec2:DescribeAccountAttributes |
||||
- ec2:DescribeInternetGateways |
||||
- ec2:DescribeRouteTables |
||||
- ec2:DescribeSecurityGroups |
||||
- ec2:DescribeSubnets |
||||
- ec2:DescribeVolumes |
||||
- ec2:CreateSecurityGroup |
||||
- ec2:CreateTags |
||||
- ec2:CreateVolume |
||||
- ec2:ModifyInstanceAttribute |
||||
- ec2:ModifyVolume |
||||
- ec2:AttachVolume |
||||
- ec2:AuthorizeSecurityGroupIngress |
||||
- ec2:CreateRoute |
||||
- ec2:DeleteRoute |
||||
- ec2:DeleteSecurityGroup |
||||
- ec2:DeleteVolume |
||||
- ec2:DetachVolume |
||||
- ec2:RevokeSecurityGroupIngress |
||||
- ec2:DescribeVpcs |
||||
- elasticloadbalancing:AddTags |
||||
- elasticloadbalancing:AttachLoadBalancerToSubnets |
||||
- elasticloadbalancing:ApplySecurityGroupsToLoadBalancer |
||||
- elasticloadbalancing:CreateLoadBalancer |
||||
- elasticloadbalancing:CreateLoadBalancerPolicy |
||||
- elasticloadbalancing:CreateLoadBalancerListeners |
||||
- elasticloadbalancing:ConfigureHealthCheck |
||||
- elasticloadbalancing:DeleteLoadBalancer |
||||
- elasticloadbalancing:DeleteLoadBalancerListeners |
||||
- elasticloadbalancing:DescribeLoadBalancers |
||||
- elasticloadbalancing:DescribeLoadBalancerAttributes |
||||
- elasticloadbalancing:DetachLoadBalancerFromSubnets |
||||
- elasticloadbalancing:DeregisterInstancesFromLoadBalancer |
||||
- elasticloadbalancing:ModifyLoadBalancerAttributes |
||||
- elasticloadbalancing:RegisterInstancesWithLoadBalancer |
||||
- elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer |
||||
- elasticloadbalancing:AddTags |
||||
- elasticloadbalancing:CreateListener |
||||
- elasticloadbalancing:CreateTargetGroup |
||||
- elasticloadbalancing:DeleteListener |
||||
- elasticloadbalancing:DeleteTargetGroup |
||||
- elasticloadbalancing:DescribeListeners |
||||
- elasticloadbalancing:DescribeLoadBalancerPolicies |
||||
- elasticloadbalancing:DescribeTargetGroups |
||||
- elasticloadbalancing:DescribeTargetHealth |
||||
- elasticloadbalancing:ModifyListener |
||||
- elasticloadbalancing:ModifyTargetGroup |
||||
- elasticloadbalancing:RegisterTargets |
||||
- elasticloadbalancing:DeregisterTargets |
||||
- elasticloadbalancing:SetLoadBalancerPoliciesOfListener |
||||
- iam:CreateServiceLinkedRole |
||||
- kms:DescribeKey |
||||
PolicyName: 'eks-master' |
||||
ManagedPolicyArns: |
||||
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKSClusterPolicy' |
||||
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKSServicePolicy' |
||||
|
||||
NodeInstanceRole: |
||||
Type: "AWS::IAM::Role" |
||||
Properties: |
||||
AssumeRolePolicyDocument: |
||||
Version: "2012-10-17" |
||||
Statement: |
||||
- Effect: Allow |
||||
Principal: |
||||
Service: |
||||
- eks.amazonaws.com |
||||
Action: |
||||
- "sts:AssumeRole" |
||||
- Effect: Allow |
||||
Principal: |
||||
Service: |
||||
- ec2.amazonaws.com |
||||
Action: |
||||
- "sts:AssumeRole" |
||||
ManagedPolicyArns: |
||||
- !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy" |
||||
- !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKS_CNI_Policy" |
||||
- !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" |
||||
- !Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonElasticFileSystemReadOnlyAccess' |
||||
Policies: |
||||
- PolicyDocument: |
||||
Version: '2012-10-17' |
||||
Statement: |
||||
- Effect: Allow |
||||
Action: |
||||
- ec2:DescribeInstances |
||||
- ec2:DescribeRegions |
||||
- ecr:GetAuthorizationToken |
||||
- ecr:BatchCheckLayerAvailability |
||||
- ecr:GetDownloadUrlForLayer |
||||
- ecr:GetRepositoryPolicy |
||||
- ecr:DescribeRepositories |
||||
- ecr:ListImages |
||||
- ecr:BatchGetImage |
||||
Resource: '*' |
||||
PolicyName: 'eks-node' |
||||
Path: / |
||||
|
||||
Vpc: |
||||
Type: "AWS::EC2::VPC" |
||||
Properties: |
||||
CidrBlock: "10.0.0.0/24" |
||||
EnableDnsHostnames: true |
||||
EnableDnsSupport: true |
||||
|
||||
PublicRouteTable: |
||||
Type: "AWS::EC2::RouteTable" |
||||
Properties: |
||||
VpcId: !Ref Vpc |
||||
|
||||
Subnet1: |
||||
Type: "AWS::EC2::Subnet" |
||||
Properties: |
||||
CidrBlock: "10.0.0.0/26" |
||||
VpcId: !Ref Vpc |
||||
AvailabilityZone: !Ref Subnet1AvailabilityZone |
||||
MapPublicIpOnLaunch: true |
||||
Tags: |
||||
- Key: !Join |
||||
- "/" |
||||
- - "kubernetes.io/cluster" |
||||
- !Ref ClusterName |
||||
Value: shared |
||||
Subnet1Assoc: |
||||
Type: "AWS::EC2::SubnetRouteTableAssociation" |
||||
Properties: |
||||
RouteTableId: !Ref PublicRouteTable |
||||
SubnetId: !Ref Subnet1 |
||||
|
||||
Subnet2: |
||||
Type: "AWS::EC2::Subnet" |
||||
Properties: |
||||
CidrBlock: "10.0.0.192/26" |
||||
VpcId: !Ref Vpc |
||||
AvailabilityZone: !Ref Subnet2AvailabilityZone |
||||
MapPublicIpOnLaunch: true |
||||
Tags: |
||||
- Key: !Join |
||||
- "/" |
||||
- - "kubernetes.io/cluster" |
||||
- !Ref ClusterName |
||||
Value: shared |
||||
Subnet2Assoc: |
||||
Type: "AWS::EC2::SubnetRouteTableAssociation" |
||||
Properties: |
||||
RouteTableId: !Ref PublicRouteTable |
||||
SubnetId: !Ref Subnet2 |
||||
|
||||
# Elastic IP |
||||
Eip: |
||||
Type: AWS::EC2::EIP |
||||
DependsOn: VpcIgPairing |
||||
Properties: |
||||
Domain: vpc |
||||
# Gateways |
||||
InternetGateway: |
||||
Type: "AWS::EC2::InternetGateway" |
||||
InternetRoute: |
||||
Type: "AWS::EC2::Route" |
||||
Properties: |
||||
RouteTableId: !Ref PublicRouteTable |
||||
DestinationCidrBlock: "0.0.0.0/0" |
||||
GatewayId: !Ref InternetGateway |
||||
VpcIgPairing: |
||||
Type: "AWS::EC2::VPCGatewayAttachment" |
||||
Properties: |
||||
InternetGatewayId: !Ref InternetGateway |
||||
VpcId: !Ref Vpc |
||||
|
||||
SecurityGroup: |
||||
Type: "AWS::EC2::SecurityGroup" |
||||
Properties: |
||||
GroupDescription: "Cluster SG" |
||||
GroupName: cluster-sg |
||||
VpcId: !Ref Vpc |
||||
SecurityGroupIngress: |
||||
- FromPort: 0 |
||||
ToPort: 65535 |
||||
IpProtocol: "-1" |
||||
CidrIp: "0.0.0.0/0" |
||||
SecurityGroupEgress: |
||||
- IpProtocol: "-1" |
||||
FromPort: 0 |
||||
ToPort: 65535 |
||||
CidrIp: "0.0.0.0/0" |
||||
|
||||
Cluster: |
||||
Type: "AWS::EKS::Cluster" |
||||
Properties: |
||||
RoleArn: !GetAtt Role.Arn |
||||
Name: !Ref ClusterName |
||||
ResourcesVpcConfig: |
||||
SubnetIds: |
||||
- !Ref Subnet1 |
||||
- !Ref Subnet2 |
||||
SecurityGroupIds: |
||||
- !Ref SecurityGroup |
||||
|
||||
BaseNodeGroup: |
||||
Type: "AWS::EKS::Nodegroup" |
||||
DependsOn: Cluster |
||||
Properties: |
||||
ClusterName: !Ref ClusterName |
||||
NodegroupName: base |
||||
AmiType: AL2_x86_64 |
||||
RemoteAccess: |
||||
Ec2SshKey: "eks-dev-nodes" |
||||
SourceSecurityGroups: |
||||
- !Ref SecurityGroup |
||||
ScalingConfig: |
||||
MinSize: 2 |
||||
DesiredSize: 3 |
||||
MaxSize: 5 |
||||
InstanceTypes: |
||||
- t2.small |
||||
NodeRole: !GetAtt NodeInstanceRole.Arn |
||||
Subnets: |
||||
- !Ref Subnet1 |
||||
- !Ref Subnet2 |
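Review bot: The `SecurityGroup` resource allows every protocol and port from `0.0.0.0/0` in `SecurityGroupIngress`, and that same group is attached as the EKS cluster security group and as the `SourceSecurityGroups` for SSH `RemoteAccess` on `BaseNodeGroup`, while both subnets set `MapPublicIpOnLaunch: true` behind an internet-gateway default route — so every worker node is reachable on all ports, including SSH with the shared `eks-dev-nodes` key, from the whole internet. Restrict the ingress rule to the VPC, e.g. `CidrIp: "10.0.0.0/24"` (or `CidrIp: !GetAtt Vpc.CidrBlock`), and either drop `RemoteAccess` or point `SourceSecurityGroups` at a dedicated bastion security group; the open egress can stay if that is intended. Two smaller points: the `Subnet3AvailabilityZone` parameter and the `Eip` resource are never referenced, and the inline `eks-master` policy on `Resource: '*'` largely duplicates the attached `AmazonEKSClusterPolicy` (with `elasticloadbalancing:AddTags` listed twice), so it is easier to remove than to maintain. The cluster is also created without `EndpointPublicAccess`/`PublicAccessCidrs` or `Logging` settings, so it presumably gets a public API endpoint open to any source IP and no audit log — worth confirming against the CloudFormation resource schema in use.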
@ -0,0 +1,92 @@ |
||||
jicofo: |
||||
userAuth: |
||||
enabled: true |
||||
name: "focus" |
||||
secret: dG90bw== |
||||
componentSecret: dG90bw== |
||||
environment: |
||||
- name: TZ |
||||
value: Europe/Amsterdam |
||||
- name: JVB_BREWERY_MUC |
||||
value: jvbbrewery |
||||
- name: XMPP_DOMAIN |
||||
value: meet.jitsi |
||||
- name: XMPP_AUTH_DOMAIN |
||||
value: auth.meet.jitsi |
||||
- name: XMPP_INTERNAL_MUC_DOMAIN |
||||
value: internal-muc.meet.jitsi |
||||
|
||||
jvb: |
||||
userAuth: |
||||
enabled: true |
||||
name: "jvb" |
||||
secret: dG90bw== |
||||
environment: |
||||
- name: TZ |
||||
value: Europe/Amsterdam |
||||
- name: JVB_BREWERY_MUC |
||||
value: jvbbrewery |
||||
- name: XMPP_DOMAIN |
||||
value: meet.jitsi |
||||
- name: XMPP_AUTH_DOMAIN |
||||
value: auth.meet.jitsi |
||||
- name: XMPP_MUC_DOMAIN |
||||
value: muc.meet.jitsi |
||||
- name: XMPP_INTERNAL_MUC_DOMAIN |
||||
value: internal-muc.meet.jitsi |
||||
- name: JVB_STUN_SERVERS |
||||
value: stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302 |
||||
- name: JVB_TCP_HARVESTER_DISABLED |
||||
value: "true" |
||||
- name: DOCKER_HOST_ADDRESS |
||||
valueFrom: |
||||
fieldRef: |
||||
fieldPath: status.hostIP |
||||
|
||||
prosody: |
||||
environment: |
||||
- name: JVB_TCP_HARVESTER_DISABLED |
||||
value: "true" |
||||
- name: TZ |
||||
value: Europe/Amsterdam |
||||
- name: JVB_BREWERY_MUC |
||||
value: jvbbrewery |
||||
- name: XMPP_DOMAIN |
||||
value: meet.jitsi |
||||
- name: XMPP_AUTH_DOMAIN |
||||
value: auth.meet.jitsi |
||||
- name: XMPP_INTERNAL_MUC_DOMAIN |
||||
value: internal-muc.meet.jitsi |
||||
- name: JVB_TCP_HARVESTER_DISABLED |
||||
value: "true" |
||||
- name: XMPP_MUC_DOMAIN |
||||
value: muc.meet.jitsi |
||||
|
||||
web: |
||||
ingress: |
||||
enabled: true |
||||
annotations: |
||||
kubernetes.io/ingress.class: "nginx" |
||||
nginx.ingress.kubernetes.io/force-ssl-redirect: "true" |
||||
cert-manager.io/cluster-issuer: "letsencrypt" |
||||
hosts: |
||||
- host: jitsi.meat-project.tk |
||||
paths: |
||||
- "/" |
||||
tls: |
||||
- hosts: |
||||
- jitsi.meat-project.tk |
||||
secretName: jitsi-web |
||||
environment: |
||||
- name: XMPP_DOMAIN |
||||
value: meet.jitsi |
||||
- name: XMPP_AUTH_DOMAIN |
||||
value: auth.meet.jitsi |
||||
- name: XMPP_INTERNAL_MUC_DOMAIN |
||||
value: internal-muc.meet.jitsi |
||||
- name: XMPP_MUC_DOMAIN |
||||
value: muc.meet.jitsi |
||||
- name: TZ |
||||
value: America/Los_Angeles |
||||
- name: JVB_TCP_HARVESTER_DISABLED |
||||
value: "true" |
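Review bot: All three `secret` / `componentSecret` values under `jicofo.userAuth` and `jvb.userAuth` are `dG90bw==`, which is simply base64 of `toto`, committed as a literal in a values file; anyone who can reach the Prosody XMPP service (if it is exposed beyond the cluster) can authenticate as the `focus` or `jvb` component with that value and join or bridge every conference. Generate distinct random secrets (e.g. `openssl rand -base64 32`), keep them out of the repo by injecting a pre-created Kubernetes Secret or sealed secret at deploy time if the chart supports referencing one, and rotate these now, since they are already published in history. Minor: `web` sets `TZ` to `America/Los_Angeles` while every other component uses `Europe/Amsterdam`, which makes log timestamps disagree across pods during an investigation, and `JVB_TCP_HARVESTER_DISABLED` appears twice under `prosody.environment`.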
@ -0,0 +1,20 @@ |
||||
controller: |
||||
resources: |
||||
limits: |
||||
cpu: 150m |
||||
memory: 128Mi |
||||
requests: |
||||
cpu: 100m |
||||
memory: 64Mi |
||||
proxySetHeaders: |
||||
use-proxy-protocol: 'true' |
||||
proxy-real-ip-cidr: 'true' |
||||
autoscaling: |
||||
enabled: true |
||||
service: |
||||
externalTrafficPolicy: Local |
||||
annotations: |
||||
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp |
||||
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60' |
||||
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' |
||||
service.beta.kubernetes.io/aws-load-balancer-type: nlb |
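Review bot: `use-proxy-protocol` and `proxy-real-ip-cidr` are placed under `controller.proxySetHeaders`, which in the ingress-nginx chart defines extra `proxy_set_header` lines sent to backends rather than the controller's nginx configuration; as written they emit odd headers to the Jitsi web pod, never enable PROXY protocol, and `proxy-real-ip-cidr: 'true'` is not a CIDR. If the intent is to preserve real client IPs for logs and rate limiting, move both keys under `controller.config`, give `proxy-real-ip-cidr` the NLB/VPC address range, and add `service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"` to the service annotations so the NLB actually sends the PROXY header — otherwise nginx will reject the plain TCP connections. Alternatively, since `externalTrafficPolicy: Local` with an NLB already preserves the source address, the two keys can simply be dropped. This should be confirmed against the chart version in use, which is not visible here.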
@ -0,0 +1,14 @@ |
||||
apiVersion: cert-manager.io/v1alpha2 |
||||
kind: ClusterIssuer |
||||
metadata: |
||||
name: letsencrypt |
||||
spec: |
||||
acme: |
||||
email: youremail@address.com |
||||
server: https://acme-v02.api.letsencrypt.org/directory |
||||
privateKeySecretRef: |
||||
name: letsencrypt-secret |
||||
solvers: |
||||
- http01: |
||||
ingress: |
||||
class: nginx |
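Review bot: `email: youremail@address.com` is a placeholder, so Let's Encrypt expiry and policy notices for the `jitsi.meat-project.tk` certificate go to nobody; replace it with a monitored team alias before this issuer is pointed at the production ACME server. `apiVersion: cert-manager.io/v1alpha2` is also the legacy API group, which later cert-manager releases removed — `cert-manager.io/v1` is the supported group if the installed version provides it, and the `spec` shown needs no changes for it. The ACME account key is stored in `letsencrypt-secret` in cert-manager's namespace; keep RBAC on that namespace tight, since whoever reads it can act as this ACME account.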
@ -0,0 +1,23 @@ |
||||
apiVersion: v1 |
||||
kind: Namespace |
||||
metadata: |
||||
name: helm |
||||
--- |
||||
apiVersion: v1 |
||||
kind: ServiceAccount |
||||
metadata: |
||||
name: tiller |
||||
namespace: helm |
||||
--- |
||||
apiVersion: rbac.authorization.k8s.io/v1 |
||||
kind: ClusterRoleBinding |
||||
metadata: |
||||
name: tiller |
||||
roleRef: |
||||
apiGroup: rbac.authorization.k8s.io |
||||
kind: ClusterRole |
||||
name: cluster-admin |
||||
subjects: |
||||
- kind: ServiceAccount |
||||
name: tiller |
||||
namespace: helm |
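Review bot: The `tiller` ServiceAccount is bound to `cluster-admin` cluster-wide, which turns the Helm 2 Tiller deployment into a cluster-admin service reachable from inside the cluster; unless Tiller is started with TLS client verification and `--listen=localhost:44134` (not visible here), any compromised pod that can reach its gRPC port can install arbitrary releases with full cluster rights. Prefer Helm 3, which has no Tiller and acts with the caller's own kubeconfig credentials, and drop this manifest; if Helm 2 must stay, scope Tiller to a namespace with a `Role`/`RoleBinding` instead of the `cluster-admin` ClusterRole and require TLS (`helm init --tiller-tls-verify`). At minimum document the blast radius above the binding, e.g. `# Grants Tiller cluster-admin: anyone who can reach Tiller's gRPC port has full cluster access.`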