# Copyright abcdesktop.io # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # http://www.apache.org/licenses/LICENSE-2.0 # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: pyos-role rules: - apiGroups: [''] resources: ['pods'] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [''] resources: ['events'] verbs: [ "get", "list", "watch" ] - apiGroups: [''] resources: ['pods/exec'] verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] - apiGroups: [''] resources: ['pods/ephemeralcontainers'] verbs: ["create", "get", "list", "watch", "update", "patch", "delete"] - apiGroups: [''] resources: ['secrets'] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [''] resources: ['configmaps'] verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] - apiGroups: [""] resources: ["endpoints"] verbs: ["get", "list"] - apiGroups: [''] resources: ['pods/log'] verbs: ['get', 'list', 'watch' ] - apiGroups: [""] resources: ["persistentvolumes"] verbs: ["get", "list", "create", "patch", "delete"] - apiGroups: [""] resources: ["persistentvolumeclaims"] verbs: ["get", "list", "watch", "update", "create", "delete"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: pyos-rbac subjects: - kind: ServiceAccount name: pyos-serviceaccount roleRef: kind: Role name: pyos-role apiGroup: rbac.authorization.k8s.io --- apiVersion: v1 kind: ServiceAccount metadata: name: pyos-serviceaccount --- apiVersion: v1 kind: ConfigMap metadata: name: configmap-mongodb-scripts labels: abcdesktop/role: mongodb-config data: ensure-users.js: | const targetDbList = cat('/etc/abcdesktop/MONGO_DBS_LIST'); const rootUser = cat('/etc/abcdesktop/admin/MONGO_ROOT_USERNAME'); const rootPass = cat('/etc/abcdesktop/admin/MONGO_ROOT_PASSWORD'); const usersStr = cat('/etc/abcdesktop/MONGO_USERS_LIST'); // auth against admin const adminDb = db.getSiblingDB('admin'); adminDb.auth(rootUser, rootPass); print('Successfully authenticated admin user'); print( 'List of database' ); print(targetDbList ); const targetDbs=targetDbList.split(','); for (targetDbStr of targetDbs) { print ( 'use ' + targetDbStr ); // we'll create the users here const targetDb = db.getSiblingDB(targetDbStr); // user-defined roles should be stored in the admin db const customRoles = adminDb .getRoles({rolesInfo: 1, showBuiltinRoles: false}) .map(role => role.role) .filter(Boolean); // parse the list of users, and create each user as needed usersStr .trim() .split(';') .map(s => s.split(':')) .forEach(user => { const username = user[0]; const rolesStr = user[1]; const password = user[2]; if (!rolesStr || !password) { return; } const roles = rolesStr.split(','); const userDoc = { user: username, pwd: password, }; userDoc.roles = roles.map(role => { if (!~customRoles.indexOf(role)) { // is this a user defined role? return role; // no, it is built-in, just use the role name } return {role: role, db: 'admin'}; // yes, user-defined, specify the long format }); try { targetDb.createUser(userDoc); } catch (err) { print( err ); if (!~err.message.toLowerCase().indexOf('duplicate')) { // if not a duplicate user throw err; // rethrow } } } ); } --- apiVersion: v1 kind: Secret metadata: name: secret-mongodb labels: abcdesktop/role: secret-mongodb type: Opaque stringData: MONGO_ROOT_USERNAME: 'root' MONGO_ROOT_PASSWORD: 'Oge5iQw9dGBvRDd' MONGO_USERNAME: 'pyos' MONGO_PASSWORD: 'Az4MeYWUjZDg4Zjhk' MONGO_USERS_LIST: 'pyos:readWrite:Az4MeYWUjZDg4Zjhk' MONGO_DBS_LIST: 'image,fail2ban,loginHistory,applications,profiles,desktop' MONGODB_URL: 'mongodb://pyos:Az4MeYWUjZDg4Zjhk@mongodb' --- apiVersion: v1 kind: ConfigMap metadata: name: abcdesktop-passwd-templatefile data: passwd: | root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin messagebus:x:101:102::/nonexistent:/usr/sbin/nologin pulse:x:102:104:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin polkitd:x:999:999:User for polkitd:/:/usr/sbin/nologin sshd:x:4095:65534::/run/sshd:/usr/sbin/nologin {{ uid }}:x:{{ uidNumber }}:{{ gidNumber }}:{{ gecos }}:{{ homeDirectory }}:{{ loginShell }} --- apiVersion: v1 kind: ConfigMap metadata: name: abcdesktop-group-templatefile data: group: | root:x:0: daemon:x:1: bin:x:2: sys:x:3: adm:x:4: tty:x:5: disk:x:6: lp:x:7: mail:x:8: news:x:9: uucp:x:10: man:x:12: proxy:x:13: kmem:x:15: dialout:x:20: fax:x:21: voice:x:22: cdrom:x:24: floppy:x:25: tape:x:26: sudo:x:27:{{ uid }} audio:x:29:pulse dip:x:30: www-data:x:33: backup:x:34: operator:x:37: list:x:38: irc:x:39: src:x:40: gnats:x:41: shadow:x:42: utmp:x:43: video:x:44: sasl:x:45: plugdev:x:46: staff:x:50: games:x:60: users:x:100: nogroup:x:65534: lpadmin:x:101:root,{{ uid }} messagebus:x:102: ssl-cert:x:103: pulse:x:104: pulse-access:x:105: plocate:x:106: input:x:107: sgx:x:108: kvm:x:109: render:x:110: _ssh:x:111: rdma:x:112: polkitd:x:999: nogroup:x:65534: ssh:x:4095: {{ gid }}:x:{{ gidNumber }}:{{ uid }} --- apiVersion: v1 kind: ConfigMap metadata: name: abcdesktop-shadow-templatefile data: shadow: | root:*:19020:0:99999:7::: daemon:*:19020:0:99999:7::: bin:*:19020:0:99999:7::: sys:*:19020:0:99999:7::: sync:*:19020:0:99999:7::: games:*:19020:0:99999:7::: man:*:19020:0:99999:7::: lp:*:19020:0:99999:7::: mail:*:19020:0:99999:7::: news:*:19020:0:99999:7::: uucp:*:19020:0:99999:7::: proxy:*:19020:0:99999:7::: www-data:*:19020:0:99999:7::: backup:*:19020:0:99999:7::: list:*:19020:0:99999:7::: irc:*:19020:0:99999:7::: gnats:*:19020:0:99999:7::: nobody:*:19020:0:99999:7::: _apt:*:19020:0:99999:7::: sshd:*:17987:0:99999:7::: messagebus:*:19040:0:99999:7::: pulse:*:19041:0:99999:7::: polkitd:!*:20157:::::: {{ uid }}:{{ sha512 }}:19080:0:99999:7::: --- apiVersion: v1 kind: ConfigMap metadata: name: abcdesktop-gshadow-templatefile data: gshadow: | root:*:: daemon:*:: bin:*:: sys:*:: adm:*:: tty:*:: disk:*:: lp:*:: mail:*:: news:*:: uucp:*:: man:*:: proxy:*:: kmem:*:: dialout:*:: fax:*:: voice:*:: cdrom:*:: floppy:*:: tape:*:: sudo:*::{{ uid }} audio:*:: dip:*:: www-data:*:: backup:*:: operator:*:: list:*:: irc:*:: src:*:: gnats:*:: shadow:*:: utmp:*:: video:*:: sasl:*:: plugdev:*:: staff:*:: games:*:: users:*:: nogroup:*:: lpadmin:!::root,{{ uid }} messagebus:!:: ssl-cert:!:: pulse:x:!:: pulse-access:!:: plocate:!:: input:!:: sgx:!:: kvm:!:: render:!:: polkitd:!:: rdma:!:: {{ gid }}:!::{{ uid }} --- apiVersion: apps/v1 kind: Deployment metadata: name: mongodb-od labels: run: mongodb-od type: database abcdesktop/role: mongodb spec: selector: matchLabels: run: mongodb-od replicas: 1 template: metadata: labels: run: mongodb-od type: database spec: containers: - name: mongodb image: mongo:4.4 resources: limits: cpu: 0.5 memory: 512Mi requests: cpu: 0.1 memory: 128Mi env: - name: MONGO_INITDB_ROOT_USERNAME_FILE value: /etc/abcdesktop/admin/MONGO_ROOT_USERNAME - name: MONGO_INITDB_ROOT_PASSWORD_FILE value: /etc/abcdesktop/admin/MONGO_ROOT_PASSWORD volumeMounts: - name: abcdesktop mountPath: /etc/abcdesktop readOnly: true - name: mongodb-scripts mountPath: /docker-entrypoint-initdb.d readOnly: true volumes: - name: abcdesktop secret: secretName: secret-mongodb items: - key: MONGO_ROOT_USERNAME path: admin/MONGO_ROOT_USERNAME mode: 0444 - key: MONGO_ROOT_PASSWORD path: admin/MONGO_ROOT_PASSWORD mode: 0444 - key: MONGO_USERNAME path: MONGO_USERNAME mode: 0444 - key: MONGO_PASSWORD path: MONGO_PASSWORD mode: 0444 - key: MONGO_USERS_LIST path: MONGO_USERS_LIST mode: 0444 - key: MONGO_DBS_LIST path: MONGO_DBS_LIST mode: 0444 - name: mongodb-scripts configMap: name: configmap-mongodb-scripts items: - key: ensure-users.js path: ensure-users.js --- apiVersion: apps/v1 kind: Deployment metadata: name: memcached-od labels: abcdesktop/role: memcached spec: selector: matchLabels: run: memcached-od replicas: 1 template: metadata: labels: run: memcached-od type: database spec: containers: - name: memcached # like image: memcached:alpine image: ghcr.io/abcdesktopio/oc.memcached:4.2 resources: limits: cpu: 0.2 memory: 64Mi requests: cpu: 0.1 memory: 16Mi ports: - containerPort: 11211 --- apiVersion: apps/v1 kind: Deployment metadata: name: router-od labels: abcdesktop/role: router spec: replicas: 1 selector: matchLabels: name: router-od template: metadata: labels: name: router-od run: router-od type: router-od # list netpool to permit router to connect to netpol/speedtest: 'true' netpol/pyos: 'true' netpol/ocuser: 'true' netpol/dns: 'true' netpol/nginx: 'true' netpol/console: 'true' spec: containers: - name: nginx-router imagePullPolicy: Always image: ghcr.io/abcdesktopio/route:4.2 volumeMounts: - name: jwtsigningkeys mountPath: "/config.signing" readOnly: true - name: jwtpayloadkeys mountPath: "/config.payload" readOnly: true ports: - containerPort: 80 name: http livenessProbe: httpGet: path: /healthz port: 80 failureThreshold: 1 periodSeconds: 10 startupProbe: httpGet: path: /healthz port: 80 failureThreshold: 5 periodSeconds: 5 resources: limits: cpu: 0.5 memory: 512Mi requests: cpu: 0.25 memory: 16Mi env: # # overwrite default values for development # you should not change the default values # # - name: SPEEDTEST_FQDN # value: speedtest.abcdesktop.svc.cluster.local # - name: PYOS_FQDN # value: pyos.abcdesktop.svc.cluster.local # - name: CONSOLE_FQDN # value: console.abcdesktop.svc.cluster.local # - name: WEBSITE_FQDN # value: website.abcdesktop.svc.cluster.local - name: JWT_DESKTOP_PAYLOAD_PRIVATE_KEY value: "/config.payload/abcdesktop_jwt_desktop_payload_private_key.pem" - name: JWT_DESKTOP_SIGNING_PUBLIC_KEY value: "/config.signing/abcdesktop_jwt_desktop_signing_public_key.pem" - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: POD_IP valueFrom: fieldRef: fieldPath: status.podIP volumes: - name: jwtsigningkeys secret: secretName: abcdesktopjwtdesktopsigning - name: jwtpayloadkeys secret: secretName: abcdesktopjwtdesktoppayload dnsPolicy: ClusterFirst --- apiVersion: apps/v1 kind: Deployment metadata: name: nginx-od labels: abcdesktop/role: nginx spec: replicas: 1 selector: matchLabels: name: nginx-od template: metadata: labels: name: nginx-od run: nginx-od type: frontend spec: containers: - name: nginx imagePullPolicy: Always image: ghcr.io/abcdesktopio/oc.nginx:4.2 ports: - containerPort: 80 name: http livenessProbe: httpGet: path: / port: 80 failureThreshold: 1 periodSeconds: 10 startupProbe: httpGet: path: / port: 80 failureThreshold: 5 periodSeconds: 5 resources: limits: cpu: 0.5 memory: 256Mi requests: cpu: 0.1 memory: 32Mi --- apiVersion: apps/v1 kind: Deployment metadata: name: speedtest-od labels: abcdesktop/role: speedtest spec: selector: matchLabels: run: speedtest-od replicas: 1 template: metadata: labels: run: speedtest-od spec: containers: - name: speedtest resources: limits: cpu: 0.5 memory: 128Mi requests: cpu: 0.1 memory: 32Mi # like image: ghcr.io/librespeed/speedtest:master-alpine image: ghcr.io/abcdesktopio/oc.speedtest:4.2 ports: - containerPort: 8080 --- apiVersion: apps/v1 kind: Deployment metadata: name: pyos-od labels: abcdesktop/role: pyos spec: replicas: 1 selector: matchLabels: name: pyos-od template: metadata: labels: name: pyos-od run: pyos-od netpol/https: 'true' netpol/ldaps: 'true' netpol/auth: 'true' netpol/cifs: 'true' netpol/api: 'true' netpol/dns: 'true' netpol/mongodb: 'true' netpol/memcached: 'true' netpol/graylog: 'true' netpol/router: 'true' netpol/nginx: 'true' spec: serviceAccountName: pyos-serviceaccount containers: - name : pyos imagePullPolicy: Always image: ghcr.io/abcdesktopio/pyos:4.2.alpine_latest volumeMounts: - name: jwtsigningkeys mountPath: "/config.signing" readOnly: true - name: jwtusersigningkeys mountPath: "/config.usersigning" readOnly: true - name: jwtpayloadkeys mountPath: "/config.payload" readOnly: true - name: volume-abcdesktop-config mountPath: /var/pyos/od.config subPath: od.config readOnly: true - name: volume-abcdesktop-passwd-templatefile mountPath: /var/pyos/passwd subPath: passwd readOnly: true - name: volume-abcdesktop-group-templatefile mountPath: /var/pyos/group subPath: group readOnly: true - name: volume-abcdesktop-shadow-templatefile mountPath: /var/pyos/shadow subPath: shadow readOnly: true - name: volume-abcdesktop-gshadow-templatefile mountPath: /var/pyos/gshadow subPath: gshadow readOnly: true ports: - containerPort: 8000 livenessProbe: httpGet: path: /API/healthz port: 8000 failureThreshold: 1 periodSeconds: 10 startupProbe: httpGet: path: /API/healthz port: 8000 failureThreshold: 5 periodSeconds: 10 resources: limits: cpu: 1 memory: 2048Mi requests: cpu: 0.5 memory: 256Mi env: - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace - name: POD_IP valueFrom: fieldRef: fieldPath: status.podIP - name: MONGODB_URL valueFrom: secretKeyRef: name: secret-mongodb key: MONGODB_URL - name: OAUTHLIB_RELAX_TOKEN_SCOPE value: "1" volumes: - name: jwtusersigningkeys secret: secretName: abcdesktopjwtusersigning - name: jwtsigningkeys secret: secretName: abcdesktopjwtdesktopsigning - name: jwtpayloadkeys secret: secretName: abcdesktopjwtdesktoppayload - name: volume-abcdesktop-config configMap: name: abcdesktop-config - name: volume-abcdesktop-passwd-templatefile configMap: name: abcdesktop-passwd-templatefile - name: volume-abcdesktop-group-templatefile configMap: name: abcdesktop-group-templatefile - name: volume-abcdesktop-shadow-templatefile configMap: name: abcdesktop-shadow-templatefile - name: volume-abcdesktop-gshadow-templatefile configMap: name: abcdesktop-gshadow-templatefile dnsPolicy: ClusterFirst --- apiVersion: apps/v1 kind: Deployment metadata: name: console-od labels: abcdesktop/role: console spec: selector: matchLabels: run: console-od replicas: 1 template: metadata: labels: run: console-od type: admin-console spec: containers: - name: console imagePullPolicy: Always image: ghcr.io/abcdesktopio/console:4.2 ports: - containerPort: 80 env: - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace resources: limits: cpu: 0.5 memory: 128Mi requests: cpu: 0.1 memory: 16Mi --- apiVersion: apps/v1 kind: Deployment metadata: name: openldap-od labels: abcdesktop/role: openldap spec: selector: matchLabels: run: openldap-od replicas: 1 template: metadata: labels: run: openldap-od netpol/dns: 'true' spec: containers: - name: openldap # abcdesktopio/docker-test-openldap:master # is same as https://github.com/rroemhild/docker-test-openldap # but with posixAccount support image: ghcr.io/abcdesktopio/docker-test-openldap:4.2 imagePullPolicy: Always resources: limits: cpu: 0.5 memory: 2048Mi requests: cpu: 0.1 memory: 128Mi ports: - containerPort: 389 - containerPort: 636 --- kind: Endpoints apiVersion: v1 metadata: name: desktop --- apiVersion: v1 kind: Service metadata: name: desktop labels: abcdesktop/role: desktop spec: clusterIP: None selector: type: x11server --- kind: Service apiVersion: v1 metadata: name: memcached labels: abcdesktop/role: memcached spec: selector: run: memcached-od ports: - port: 11211 protocol: TCP targetPort: 11211 --- kind: Service apiVersion: v1 metadata: name: mongodb labels: abcdesktop/role: mongodb spec: selector: run: mongodb-od ports: - protocol: TCP port: 27017 targetPort: 27017 --- kind: Service apiVersion: v1 metadata: name: speedtest labels: abcdesktop/role: speedtest spec: selector: run: speedtest-od ports: - protocol: TCP port: 80 targetPort: 8080 --- kind: Service apiVersion: v1 metadata: name: pyos labels: abcdesktop/role: pyos spec: selector: run: pyos-od ports: - port: 8000 protocol: TCP targetPort: 8000 --- kind: Service apiVersion: v1 metadata: name: console labels: abcdesktop/role: console spec: selector: run: console-od ports: - port: 80 protocol: TCP targetPort: 80 --- kind: Service apiVersion: v1 metadata: name: http-router labels: abcdesktop/role: router-od spec: type: NodePort selector: run: router-od ports: - protocol: TCP port: 80 nodePort: 30443 targetPort: 80 name: http --- kind: Service apiVersion: v1 metadata: name: website labels: abcdesktop/role: nginx spec: selector: run: nginx-od ports: - protocol: TCP port: 80 name: http --- kind: Service apiVersion: v1 metadata: name: openldap labels: abcdesktop/role: openldap spec: selector: run: openldap-od ports: - name: ldap protocol: TCP port: 389 targetPort: 389 - name: ldaps protocol: TCP port: 636 targetPort: 636