OrgGo/Mainflux.mainflux
1
0
Fork 0
mirror of https://github.com/mainflux/mainflux.git synced 2025-04-26 13:48:53 +08:00
Code Issues Projects Releases Wiki Activity

MF-136 - Setup staging and test environments (#226)

Browse Source
This commit is contained in:
Dušan Borovčanin 2018-04-30 13:32:38 +02:00 committed by Dejan Mijić
parent aea7db14b7
commit 38d4c3fcea
15 changed files with 677 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

107
k8s/README.md Normal file
View File

@ -0,0 +1,107 @@
# Deploy Mainflux on Kubernetes - WIP
Scripts to deploy Mainflux on Kubernetes (https://kubernetes.io). Work in progress. Not ready for deployment.
## Steps
### 1. Setup PosgreSQL
- Create Persistent Volume for PosgreSQL to store data to.
```bash
kubectl create -f 1-mainflux-postgres-persistence.yml
```
- Claim Persistent Volume
```bash
kubectl create -f 2-mainflux-postgres-claim.yml
```
- Create PosgreSQL Pod
```bash
kubectl create -f 3-mainflux-postgres-pod.yml
```
- Create PosgreSQL Service
```bash
kubectl create -f 4-mainflux-postgres-service.yml
```
### 2. Setup NATS
- Change `nats.conf` according to your needs.
Create a Kubernetes configmap to store it:
```bash
kubectl create configmap nats-config --from-file nats.conf
```
- Deploy NATS:
```bash
kubectl create -f nats.yml
```
### 3. Setup Mainflux Services
- Create Manager Service
```bash
kubectl create -f 1-mainflux-manager.yml
```
- Create HTTP Service
```bash
kubectl create -f 2-mainflux-http.yml
```
- Create CoAP Service
```bash
kubectl create -f 4-mainflux-coap.yml
```
- Create Normalizer Service
```bash
kubectl create -f 5-mainflux-normalizer.yml
```
### 4. Setup Dashflux Services
- Create Dashflux Deployment and Service
```bash
kubectl create -f mainflux-dashflux.yaml
```
### 5. Setup NginX Reverse Proxy for Mainflux Services
- Create TLS server side certificate and keys
```bash
cd certs
kubectl create secret tls mainflux-secret --key mainflux-server.key --cert mainflux-server.crt
```
- Create Config Map based on the default.conf file.
```bash
cd ..
kubectl create configmap mainflux-nginx-config --from-file=default.conf
```
- Create Deployment and Service from mainflux-dashflux.yaml file.
```bash
kubectl create -f mainflux-nginx.yaml
```
### 6. Configure Internet Access
Configure NAT on your Firewall to forward ports 80 (HTTP) and 443 (HTTPS) to mainflux-nginx service

44
k8s/mainflux/1-mainflux-manager.yml Normal file
View File

@ -0,0 +1,44 @@
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: manager
spec:
replicas: 3
selector:
matchLabels:
app: manager
template:
metadata:
labels:
app: manager
spec:
containers:
- name: manager
image: mainflux/manager:latest
ports:
- containerPort: 8180
env:
- name: MF_DB_HOST
value: "mainflux-postgres"
- name: MF_MANAGER_DB
value: "mainflux"
- name: MF_MANAGER_PORT
value: "8180"
- name: MF_MANAGER_SECRET
value: "test-secret"
---
apiVersion: v1
kind: Service
metadata:
name: manager
labels:
app: manager
spec:
ports:
- port: 8180
targetPort: 8180
protocol: TCP
name: http
selector:
app: manager
type: LoadBalancer

42
k8s/mainflux/2-mainflux-http.yml Normal file
View File

@ -0,0 +1,42 @@
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: http-adapter
labels:
component: http-adapter
spec:
serviceName: http-adapter
replicas: 3
template:
metadata:
labels:
component: http-adapter
spec:
containers:
- name: mainflux-http
image: mainflux/http:latest
imagePullPolicy: Always
ports:
- containerPort: 8182
env:
- name: MF_MANAGER_URL
value: "http://manager:8180"
- name: MF_NATS_URL
value: "nats://nats:4222"
- name: MF_HTTP_ADAPTER_PORT
value: "8182"
---
apiVersion: v1
kind: Service
metadata:
name: http-adapter
labels:
component: http-adapter
spec:
selector:
component: http-adapter
ports:
- port: 8182
targetPort: 8182
type: LoadBalancer

37
k8s/mainflux/5-mainflux-normalizer.yml Normal file
View File

@ -0,0 +1,37 @@
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: normalizer
labels:
component: normalizer
spec:
serviceName: normalizer
replicas: 3
template:
metadata:
labels:
component: normalizer
spec:
containers:
- name: mainflux-normalizer
image: mainflux/normalizer:latest
imagePullPolicy: Always
env:
- name: MF_NATS_URL
value: "nats://nats:4222"
- name: MF_NORMALIZER_PORT
value: "8181"
---
apiVersion: v1
kind: Service
metadata:
name: normalizer
labels:
component: normalizer
spec:
selector:
component: normalizer
ports:
- port: 8181
targetPort: 8181
clusterIP: None

33
k8s/mainflux/6-mainflux-dashflux.yml Normal file
View File

@ -0,0 +1,33 @@
apiVersion: apps/v1beta1
kind: Deployment
metadata:
name: dashflux
labels:
component: dashflux
spec:
replicas: 1
template:
metadata:
labels:
component: dashflux
spec:
containers:
- name: dashflux
image: mainflux/dashflux:latest
imagePullPolicy: Always
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: dashflux
labels:
component: dashflux
spec:
selector:
component: dashflux
ports:
- port: 80
targetPort: 80
type: LoadBalancer

27
k8s/nats/nats.conf Normal file
View File

@ -0,0 +1,27 @@
listen: 0.0.0.0:4222
http: 0.0.0.0:8222
# Cluster definition
cluster {
listen: 0.0.0.0:6222
}
# logging options
debug: false
trace: true
logtime: true
# Some system overides
# max_connections
#max_connections: 100
# maximum protocol control line
#max_control_line: 512
# maximum payload
max_payload: 65536
# Duration the server can block on a socket write to a client. Exceeding the
# deadline will designate a client as a slow consumer.
write_deadline: "2s"

71
k8s/nats/nats.yml Normal file
View File

@ -0,0 +1,71 @@
apiVersion: v1
kind: Service
metadata:
name: nats
labels:
component: nats
spec:
selector:
component: nats
clusterIP: None
ports:
- name: client
port: 4222
- name: cluster
port: 6222
- name: monitor
port: 8222
---
apiVersion: apps/v1beta1
kind: StatefulSet
metadata:
name: nats
labels:
component: nats
spec:
serviceName: nats
replicas: 5
template:
metadata:
labels:
component: nats
spec:
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: component
operator: In
values:
- nats
topologyKey: kubernetes.io/hostname
containers:
- name: nats
image: nats:1.0.4
args: [ "--config", "/etc/nats/nats.conf"]
volumeMounts:
- name: tls-volume
mountPath: /etc/nats/tls
- name: config-volume
mountPath: /etc/nats
ports:
- containerPort: 4222
name: client
- containerPort: 6222
name: cluster
- containerPort: 8222
name: monitor
livenessProbe:
httpGet:
path: /
port: 8222
initialDelaySeconds: 10
timeoutSeconds: 5
volumes:
- name: tls-volume
secret:
secretName: tls-nats-server
- name: config-volume
configMap:
name: nats-config

30
k8s/nginx/certs/mainflux-server.crt Normal file
View File

@ -0,0 +1,30 @@
-----BEGIN CERTIFICATE-----
MIIFFTCCA/2gAwIBAgIJAPtBp1R03oQDMA0GCSqGSIb3DQEBDQUAMFcxEjAQBgNV
BAMMCWxvY2FsaG9zdDERMA8GA1UECgwITWFpbmZsdXgxDDAKBgNVBAsMA0lvVDEg
MB4GCSqGSIb3DQEJARYRaW5mb0BtYWluZmx1eC5jb20wHhcNMTcwMTA3MDA1NTIw
WhcNMzIwMTA0MDA1NTIwWjBdMRgwFgYDVQQDDA9tYWluZmx1eC1zZXJ2ZXIxETAP
BgNVBAoMCE1haW5mbHV4MQwwCgYDVQQLDANJb1QxIDAeBgkqhkiG9w0BCQEWEWlu
Zm9AbWFpbmZsdXguY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
mGShbFfHhE/Q/CvVgpfas9o2B2H4E1nrDSmQXqwUPJ2U5+ExqpPkM/xX77yC9gut
k0RrM3fhB5AET9GnGMyFFlNYNPnWZOS6iQN2u5dg02TRqKdIhZZhs438u2wSRVwg
oAqYyiVpoV3QFa2BWTYbWwAhQGPXMUmUN8ZaUcWJ+s8PNhisj458hbWl7HuJ3ICB
xEAXiyd529YVHYJZVHyyEF5GwIvw3DOzZ++Ip6IVd0zYbdHw1pV5SAI5fbc4cb0C
cKXkSlqtjmz6ZeUWLJV98rYHc0YhUR7y2a6zNNFS/ROU6KEsWIdDTNDph0nHS1dB
sj4Abj2Kmf9InIPHHvqF+wIDAQABo4IB3DCCAdgwDAYDVR0TAQH/BAIwADARBglg
hkgBhvhCAQEEBAMCBkAwCwYDVR0PBAQDAgXgMCoGCWCGSAGG+EIBDQQdFhtNYWlu
Zmx1eCBTZXJ2ZXIgQ2VydGlmaWNhdGUwHQYDVR0OBBYEFB7OnWLMd24Eo5dcmJss
lLMkq59vMIGIBgNVHSMEgYAwfoAUiBGMTsVJvNuSKvwoi/7aEvGfRX2hW6RZMFcx
EjAQBgNVBAMMCWxvY2FsaG9zdDERMA8GA1UECgwITWFpbmZsdXgxDDAKBgNVBAsM
A0lvVDEgMB4GCSqGSIb3DQEJARYRaW5mb0BtYWluZmx1eC5jb22CCQDzlkP5P+dv
3TBEBgNVHREEPTA7hwTAqAAuhxD+gAAAAAAAAGJsZv/+yw+7hwR/AAABhxAAAAAA
AAAAAAAAAAAAAAABgglsb2NhbGhvc3QwgYsGA1UdIASBgzCBgDB+BgMrBQgwdzAc
BggrBgEFBQcCARYQaHR0cDovL2xvY2FsaG9zdDBXBggrBgEFBQcCAjBLMA8WCE1h
aW5mbHV4MAMCAQEaOFRoaXMgQ0EgaXMgZm9yIGEgbG9jYWwgTWFpbmZsdXggc2Vy
dmVyIGluc3RhbGxhdGlvbiBvbmx5MA0GCSqGSIb3DQEBDQUAA4IBAQBxGCqJRbnw
lKHhpqZVEEWV1t87wQnf2qOV8SOzh1evF5sYeYEOnb2d802r0p08kuiJNETZdJOh
K/f7dVCL+mtSzHiK8SY8WJ8l0xfW+0qo/GW9jd9QDGbuwi6cRUw1lRhr5p/0ge9N
e3VlI7cjpG/Kv3x1AtCjMpMLzAxOLZmbSWgrMvtJIsMHcQTiV1HexIq9/A3XVthf
zuRUr1qyj3nx6ga2eHqaJQ5/Zu1A7zjHbZTiW4U5Ikl1PDWL3V0uEb3bXZ7xABb9
pjYjDA1Bm4eQMPJ+ZWRs5EFHBnLJc/Kz+4sfUuwiqI4xz2LMeCrdMbh0YSP/rhi4
wERrPpFmvpN3
-----END CERTIFICATE-----

27
k8s/nginx/certs/mainflux-server.key Normal file
View File

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAmGShbFfHhE/Q/CvVgpfas9o2B2H4E1nrDSmQXqwUPJ2U5+Ex
qpPkM/xX77yC9gutk0RrM3fhB5AET9GnGMyFFlNYNPnWZOS6iQN2u5dg02TRqKdI
hZZhs438u2wSRVwgoAqYyiVpoV3QFa2BWTYbWwAhQGPXMUmUN8ZaUcWJ+s8PNhis
j458hbWl7HuJ3ICBxEAXiyd529YVHYJZVHyyEF5GwIvw3DOzZ++Ip6IVd0zYbdHw
1pV5SAI5fbc4cb0CcKXkSlqtjmz6ZeUWLJV98rYHc0YhUR7y2a6zNNFS/ROU6KEs
WIdDTNDph0nHS1dBsj4Abj2Kmf9InIPHHvqF+wIDAQABAoIBAGyneyyrXXbqDcBu
ZHoLWYTYdaNH57+sYdnto6DMolUhqdS2jFnpvlCOgAhPaTSS2PxiUOjOdWSV+20J
t1EIKW/klsSWyZUAPDuKe7J+2St/+7h7JUsSELEb8HGVOWW4rQ5O3+dpS2ohYEbE
gbAg0tpMOmkVho3+vy4RP76D0MBAnhgl99fjo9jpNxPmBis+L/IJS5SNO1JFXMCf
rvyOIekmtmHBI4PgubVylwOIt03r867gi6WpSOBq5rTusDqwCdmDCeRWDL4EP3Zr
VH8EPbS1Zlcw0FH8yXjp2ts5UcJZL5CdLY7jJ6vkIiw64nNWx7cR4qd55ut280K4
tx4yqnkCgYEAxkQRZgxNHu+7KMUt7gjYRLaNhiSFrcwuSVb8HlhsYYYMH3GPQhvr
dQOOiibzsCna96GLbfdOpi9iwF82uuwNpdeKptPNb5Mht4oNqu5kKg1sl6S6fjSv
yrJACC0NcLRS2LYuBcylUCKsU7g3C9X6VmaSsh415v1s2qFHFik2AycCgYEAxMTt
kHP+pIwr35IvamRCGtUvI0D9R62gxxovpfQeetQMhc/3tOBJe/GOXDP4jitrz1l1
YMcLiCqktFxJqi6UKxcTwnGgcyPyC2UZSJJ/0lOIZDSP7JM7dT1xkrGeQyMjC09C
AwRi/ZAUUwLsMRxfTrj8igF8Md+LIjKBcYdm2w0CgYEAxg6hQsvvDoR09pli9HKp
eJrUbbh2QdPCOUlHuhiizBlYauDKN0QkxlOzRJb8wHJPZyhdXJC8ZI7Zm0qCJeBB
EfZrb5QNmPPlrq+eT66tKMUYQbQxCHohUd8W0BQRZRD94ba76tcwHQlGFKvlcVFk
LoNw77X2KrXm09BgbubkKekCgYAygztZMe3U4AcDRcvWTBaMPN309uIOXIxBkH9a
4uhQL89nKpQ0Yr96ifA5yz2rgYoTmKuBRJe5RPkzM93VSk/PIAV6jSDbbgbc1f8/
mhwmKjuBPd0UpldFKZjWR7KRGZwNczNHAwFGho4xITbxBI+S7fomk2sGgpR9GuoP
8up8oQKBgEMd9Mbo3xC0xW29V5P3FUKH4zRYJYlpk+30bZ4VCrgim9cVBgN/xrIA
l4yEnitEi1591b/r+Uz3b6yWOiLEHRE2U7sQLbfh2fvF0VhFCOE11FeAuoZp89/k
TVnL/FelAMbL1iZFIf9LRY2DdfAUKlO//cXMHcC2iatBUwfylSVS
-----END RSA PRIVATE KEY-----

148
k8s/nginx/default.conf Normal file
View File

@ -0,0 +1,148 @@
##
# Basic Settings
##
#tcp_nopush on;
#tcp_nodelay on;
#keepalive_timeout 65;
#types_hash_max_size 2048;
# server_tokens off;
# server_names_hash_bucket_size 64;
# server_name_in_redirect off;
#include /etc/nginx/mime.types;
#default_type application/octet-stream;
##
# SSL Settings
##
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
##
# Logging Settings
##
# access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
# upstream k8s-manager {
# server manager:8180;
# }
# upstream k8s-http {
# server http-adapter:8182;
# }
##
# Virtual Host Configs
##
# HTTP
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name mainflux-iot.ha.rs;
access_log off;
error_log off;
return 301 https://$server_name$request_uri;
}
# HTTPS
server {
# SSL configuration
#
listen 443 ssl http2 default_server;
listen [::]:443 ssl http2 default_server;
#
# Note: You should disable gzip for SSL traffic.
# See: https://bugs.debian.org/773332
#
# Read up on ssl_ciphers to ensure a secure configuration.
# See: https://bugs.debian.org/765782
#
# Self signed certs generated by the ssl-cert package
# Don't use them in a production server!
#
# include snippets/snakeoil.conf;
# Certificates
ssl_certificate /etc/nginx/ssl/tls.crt;
ssl_certificate_key /etc/nginx/ssl/tls.key;
#ssl_dhparam /etc/ssl/certs/dhparam.pem;
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_tickets off;
ssl_stapling off;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Access-Control-Allow-Origin '*';
add_header Access-Control-Allow-Methods '*';
add_header Access-Control-Allow-Headers "*";
server_name mainflux-iot.ha.rs;
# Proxy pass to manager service
location /api/ {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://manager:8180/;
# Allow OPTIONS method CORS
if ($request_method = OPTIONS ) {
add_header Content-Length 0;
add_header Content-Type text/plain;
return 200;
}
}
# Proxy pass to mainflux-http-adapter
location /http/ {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://http-adapter:8182/;
# Allow OPTIONS method CORS
if ($request_method = OPTIONS ) {
add_header Content-Length 0;
add_header Content-Type text/plain;
return 200;
}
}
location / {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://dashflux/;
# Allow OPTIONS method CORS
if ($request_method = OPTIONS ) {
add_header Content-Length 0;
add_header Content-Type text/plain;
return 200;
}
}
}

48
k8s/nginx/mainflux-nginx.yml Normal file
View File

@ -0,0 +1,48 @@
apiVersion: v1
kind: Service
metadata:
name: mainflux-nginx
labels:
app: nginx
spec:
type: LoadBalancer
ports:
- port: 80
protocol: TCP
name: http
- port: 443
protocol: TCP
name: https
selector:
app: nginx
---
apiVersion: v1
kind: ReplicationController
metadata:
name: mainflux-nginx
spec:
replicas: 1
template:
metadata:
labels:
app: nginx
spec:
volumes:
- name: secret-volume
secret:
secretName: mainflux-secret
- name: configmap-volume
configMap:
name: mainflux-nginx-config
containers:
- name: maiflux-nginx
image: ymqytw/nginxhttps:1.5
command: ["/home/auto-reload-nginx.sh"]
ports:
- containerPort: 443
- containerPort: 80
volumeMounts:
- mountPath: /etc/nginx/ssl
name: secret-volume
- mountPath: /etc/nginx/conf.d
name: configmap-volume

14
k8s/postgres/1-mainflux-postgres-persistence.yml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: mainflux-postgres-data-disk
labels:
name: mainflux-postgres-data-disk
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteOnce
hostPath:
path: /tmp/data/postgres-0
persistentVolumeReclaimPolicy: Recycle

10
k8s/postgres/2-mainflux-postgres-claim.yml Normal file
View File

@ -0,0 +1,10 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: mainflux-postgres-data-claim
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi

28
k8s/postgres/3-mainflux-postgres-pod.yml Normal file
View File

@ -0,0 +1,28 @@
apiVersion: v1
kind: Pod
metadata:
name: mainflux-postgres
labels:
name: mainflux-postgres
spec:
containers:
- name: mainflux-postgres
image: postgres:10.2-alpine
env:
- name: POSTGRES_USER
value: "mainflux"
- name: POSTGRES_PASSWORD
value: "mainflux"
- name: POSTGRES_DB
value: "mainflux"
- name: PGDATA
value: /var/lib/postgresql/data/mainflux-postgres-data
ports:
- containerPort: 5432
volumeMounts:
- mountPath: /var/lib/postgresql/data
name: mainflux-postgres-data
volumes:
- name: mainflux-postgres-data
persistentVolumeClaim:
claimName: mainflux-postgres-data-claim

11
k8s/postgres/4-mainflux-postgres-service.yml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: mainflux-postgres
labels:
name: mainflux-postgres
spec:
ports:
- port: 5432
selector:
name: mainflux-postgres