apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: cr-bunkerweb rules: - apiGroups: [""] resources: ["services", "pods", "configmaps"] verbs: ["get", "watch", "list"] - apiGroups: ["networking.k8s.io"] resources: ["ingresses"] verbs: ["get", "watch", "list"] --- apiVersion: v1 kind: ServiceAccount metadata: name: sa-bunkerweb --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: crb-bunkerweb subjects: - kind: ServiceAccount name: sa-bunkerweb namespace: default apiGroup: "" roleRef: kind: ClusterRole name: cr-bunkerweb apiGroup: rbac.authorization.k8s.io --- apiVersion: apps/v1 kind: DaemonSet metadata: name: bunkerweb spec: selector: matchLabels: app: bunkerweb template: metadata: labels: app: bunkerweb # mandatory annotation annotations: bunkerweb.io/INSTANCE: "yes" spec: containers: # using bunkerweb as name is mandatory - name: bunkerweb image: bunkerity/bunkerweb:1.5.4 imagePullPolicy: Always securityContext: runAsUser: 101 runAsGroup: 101 allowPrivilegeEscalation: false capabilities: drop: - ALL ports: - containerPort: 8080 hostPort: 80 - containerPort: 8443 hostPort: 443 env: - name: KUBERNETES_MODE value: "yes" # replace with your DNS resolvers # e.g. : kube-dns.kube-system.svc.cluster.local - name: DNS_RESOLVERS value: "coredns.kube-system.svc.cluster.local" - name: USE_API value: "yes" # 10.0.0.0/8 is the cluster internal subnet - name: API_WHITELIST_IP value: "127.0.0.0/8 10.0.0.0/8" - name: SERVER_NAME value: "" - name: MULTISITE value: "yes" - name: USE_REDIS value: "yes" - name: REDIS_HOST value: "svc-bunkerweb-redis.default.svc.cluster.local" livenessProbe: exec: command: - /usr/share/bunkerweb/helpers/healthcheck.sh initialDelaySeconds: 30 periodSeconds: 5 timeoutSeconds: 1 failureThreshold: 3 readinessProbe: exec: command: - /usr/share/bunkerweb/helpers/healthcheck.sh initialDelaySeconds: 30 periodSeconds: 1 timeoutSeconds: 1 failureThreshold: 3 --- apiVersion: apps/v1 kind: Deployment metadata: name: bunkerweb-controller spec: replicas: 1 strategy: type: Recreate selector: matchLabels: app: bunkerweb-controller template: metadata: labels: app: bunkerweb-controller spec: serviceAccountName: sa-bunkerweb containers: - name: bunkerweb-controller image: bunkerity/bunkerweb-autoconf:1.5.4 imagePullPolicy: Always env: - name: KUBERNETES_MODE value: "yes" - name: "DATABASE_URI" value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" --- apiVersion: apps/v1 kind: Deployment metadata: name: bunkerweb-scheduler spec: replicas: 1 strategy: type: Recreate selector: matchLabels: app: bunkerweb-scheduler template: metadata: labels: app: bunkerweb-scheduler spec: serviceAccountName: sa-bunkerweb containers: - name: bunkerweb-scheduler image: bunkerity/bunkerweb-scheduler:1.5.4 imagePullPolicy: Always env: - name: KUBERNETES_MODE value: "yes" - name: "DATABASE_URI" value: "mariadb+pymysql://bunkerweb:changeme@svc-bunkerweb-db:3306/db" --- apiVersion: apps/v1 kind: Deployment metadata: name: bunkerweb-redis spec: replicas: 1 strategy: type: Recreate selector: matchLabels: app: bunkerweb-redis template: metadata: labels: app: bunkerweb-redis spec: containers: - name: bunkerweb-redis image: redis:7-alpine imagePullPolicy: Always --- apiVersion: apps/v1 kind: Deployment metadata: name: bunkerweb-db spec: replicas: 1 strategy: type: Recreate selector: matchLabels: app: bunkerweb-db template: metadata: labels: app: bunkerweb-db spec: containers: - name: bunkerweb-db image: mariadb:10.10 imagePullPolicy: Always env: - name: MYSQL_RANDOM_ROOT_PASSWORD value: "yes" - name: "MYSQL_DATABASE" value: "db" - name: "MYSQL_USER" value: "bunkerweb" - name: "MYSQL_PASSWORD" value: "changeme" volumeMounts: - mountPath: "/var/lib/mysql" name: vol-db volumes: - name: vol-db persistentVolumeClaim: claimName: pvc-bunkerweb --- apiVersion: apps/v1 kind: Deployment metadata: name: bunkerweb-ui spec: replicas: 1 strategy: type: Recreate selector: matchLabels: app: bunkerweb-ui template: metadata: labels: app: bunkerweb-ui spec: serviceAccountName: sa-bunkerweb containers: - name: bunkerweb-ui image: bunkerity/bunkerweb-ui:1.5.4 imagePullPolicy: Always env: - name: ADMIN_USERNAME value: "changeme" - name: "ADMIN_PASSWORD" value: "changeme" - name: KUBERNETES_MODE value: "YES" - name: "DATABASE_URI" value: "mariadb+pymysql://bunkerweb:testor@svc-bunkerweb-db:3306/db" --- apiVersion: v1 kind: Service metadata: name: svc-bunkerweb spec: clusterIP: None selector: app: bunkerweb --- apiVersion: v1 kind: Service metadata: name: svc-bunkerweb-db spec: type: ClusterIP selector: app: bunkerweb-db ports: - name: sql protocol: TCP port: 3306 targetPort: 3306 --- apiVersion: v1 kind: Service metadata: name: svc-bunkerweb-redis spec: type: ClusterIP selector: app: bunkerweb-redis ports: - name: redis protocol: TCP port: 6379 targetPort: 6379 --- apiVersion: v1 kind: Service metadata: name: svc-bunkerweb-ui spec: type: ClusterIP selector: app: bunkerweb-ui ports: - name: http protocol: TCP port: 7000 targetPort: 7000 --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: pvc-bunkerweb spec: accessModes: - ReadWriteOnce resources: requests: storage: 5Gi volumeName: pv-bunkerweb --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: ingress annotations: bunkerweb.io/www.example.com_USE_UI: "yes" bunkerweb.io/www.example.com_INTERCEPTED_ERROR_CODES: "400 404 405 413 429 500 501 502 503 504" spec: rules: - host: www.example.com http: paths: - path: /changeme pathType: Prefix backend: service: name: svc-bunkerweb-ui port: number: 7000