---
# Epiphany multi-document cluster configuration (AWS provider).
# One document per `kind`; values marked PASSWORD_TO_CHANGE / PasswordToChange / XXXX
# are placeholders and must be replaced out of band before this file is used.
kind: epiphany-cluster
title: Epiphany cluster Config
provider: aws
name: default
specification:
  prefix: prefix
  name: kaasbal
  admin_user:
    name: ubuntu
    key_path: /shared/.ssh/epiphany-operations/id_rsa
  cloud:
    k8s_as_cloud_service: false
    vnet_address_pool: 10.1.0.0/20
    use_public_ips: false
    region: eu-west-2
    # Placeholder AWS credentials. Supply real values from an environment
    # variable or secret store; do not commit them to version control.
    credentials:
      key: XXXX-XXXX-XXXX
      secret: XXXXXXXXXXXXXXXX
    network:
      use_network_security_groups: true
    default_os_image: default
  components:
    kubernetes_master:
      count: 1
      machine: kubernetes-master-machine
      configuration: default
      subnets:
        - availability_zone: eu-west-2a
          address_pool: 10.1.1.0/24
        - availability_zone: eu-west-2b
          address_pool: 10.1.2.0/24
    kubernetes_node:
      count: 2
      machine: kubernetes-node-machine
      configuration: default
      subnets:
        - availability_zone: eu-west-2a
          address_pool: 10.1.1.0/24
        - availability_zone: eu-west-2b
          address_pool: 10.1.2.0/24
    logging:
      count: 1
      machine: logging-machine
      configuration: default
      subnets:
        - availability_zone: eu-west-2a
          address_pool: 10.1.3.0/24
    monitoring:
      count: 1
      machine: monitoring-machine
      configuration: default
      subnets:
        - availability_zone: eu-west-2a
          address_pool: 10.1.4.0/24
    kafka:
      count: 2
      machine: kafka-machine
      configuration: default
      subnets:
        - availability_zone: eu-west-2a
          address_pool: 10.1.5.0/24
    postgresql:
      count: 1
      machine: postgresql-machine
      configuration: default
      subnets:
        - availability_zone: eu-west-2a
          address_pool: 10.1.6.0/24
    load_balancer:
      count: 1
      machine: load-balancer-machine
      configuration: default
      subnets:
        - availability_zone: eu-west-2a
          address_pool: 10.1.7.0/24
    rabbitmq:
      count: 1
      machine: rabbitmq-machine
      configuration: default
      subnets:
        - availability_zone: eu-west-2a
          address_pool: 10.1.8.0/24
    opendistro_for_elasticsearch:
      count: 0
      machine: logging-machine
      configuration: default
      subnets:
        - availability_zone: eu-west-2a
          address_pool: 10.1.10.0/24
    repository:
      count: 1
      machine: repository-machine
      configuration: default
      subnets:
        - availability_zone: eu-west-2a
          address_pool: 10.1.11.0/24
    single_machine:
      count: 0
      machine: single-machine
      configuration: default
      subnets:
        - availability_zone: eu-west-2a
          address_pool: 10.1.1.0/24
        - availability_zone: eu-west-2b
          address_pool: 10.1.2.0/24
version: 2.0.0dev
---
kind: configuration/feature-mapping
title: Feature mapping to roles
name: default
specification:
  available_roles:
    - name: repository
      enabled: true
    - name: firewall
      enabled: true
    - name: image-registry
      enabled: true
    - name: kubernetes-master
      enabled: true
    - name: kubernetes-node
      enabled: true
    - name: helm
      enabled: true
    - name: logging
      enabled: true
    - name: opendistro-for-elasticsearch
      enabled: true
    - name: elasticsearch-curator
      enabled: true
    - name: kibana
      enabled: true
    - name: filebeat
      enabled: true
    - name: prometheus
      enabled: true
    - name: grafana
      enabled: true
    - name: node-exporter
      enabled: true
    - name: jmx-exporter
      enabled: true
    - name: zookeeper
      enabled: true
    - name: kafka
      enabled: true
    - name: rabbitmq
      enabled: true
    - name: kafka-exporter
      enabled: true
    - name: postgresql
      enabled: true
    - name: postgres-exporter
      enabled: true
    - name: haproxy
      enabled: true
    - name: applications
      enabled: true
  roles_mapping:
    kafka:
      - zookeeper
      - jmx-exporter
      - kafka
      - kafka-exporter
      - node-exporter
      - filebeat
      - firewall
    rabbitmq:
      - rabbitmq
      - node-exporter
      - filebeat
      - firewall
    logging:
      - logging
      - kibana
      - node-exporter
      - filebeat
      - firewall
    load_balancer:
      - haproxy
      - node-exporter
      - filebeat
      - firewall
    monitoring:
      - prometheus
      - grafana
      - node-exporter
      - filebeat
      - firewall
    postgresql:
      - postgresql
      - postgres-exporter
      - node-exporter
      - filebeat
      - firewall
    # NOTE(review): node-exporter is listed twice in this mapping; kept as-is,
    # presumably harmless, but worth deduplicating.
    custom:
      - repository
      - image-registry
      - kubernetes-master
      - node-exporter
      - filebeat
      - rabbitmq
      - postgresql
      - prometheus
      - grafana
      - node-exporter
      - logging
      - firewall
    single_machine:
      - repository
      - image-registry
      - kubernetes-master
      - helm
      - applications
      - rabbitmq
      - postgresql
      - firewall
    kubernetes_master:
      - kubernetes-master
      - helm
      - applications
      - node-exporter
      - filebeat
      - firewall
    kubernetes_node:
      - kubernetes-node
      - node-exporter
      - filebeat
      - firewall
    opendistro_for_elasticsearch:
      - opendistro-for-elasticsearch
      - node-exporter
      - filebeat
      - firewall
    repository:
      - repository
      - image-registry
      - firewall
      - filebeat
      - node-exporter
version: 2.0.0dev
provider: aws
---
kind: configuration/shared-config
title: Shared configuration that will be visible to all roles
name: default
specification:
  custom_repository_url: ''
  custom_image_registry_address: ''
  download_directory: /tmp
  vault_location: ''
  use_ha_control_plane: false
  promote_to_ha: false
version: 2.0.0dev
provider: aws
---
kind: configuration/kubernetes-master
title: Kubernetes Master Config
name: default
specification:
  version: 1.22.4
  cni_version: 0.8.7
  cluster_name: kubernetes-epiphany
  allow_pods_on_master: false
  storage:
    name: epiphany-cluster-volume
    path: /
    enable: true
    capacity: 50
    data: {}
  advanced:
    api_server_args:
      profiling: false
      enable-admission-plugins: AlwaysPullImages,NamespaceLifecycle,ServiceAccount,NodeRestriction
      audit-log-maxbackup: 10
      audit-log-maxsize: 200
      secure-port: 6443
    controller_manager_args:
      profiling: false
      terminated-pod-gc-threshold: 200
    scheduler_args:
      profiling: false
    networking:
      dnsDomain: cluster.local
      serviceSubnet: 10.96.0.0/12
      plugin: flannel
    imageRepository: k8s.gcr.io
    # Control-plane certificates are issued for 365 days; with renew left at
    # false, plan their rotation before expiry (confirm semantics of `renew`).
    certificates:
      expiration_days: 365
      renew: false
    etcd_args:
      encrypted: true
    kubeconfig:
      local:
        api_server:
          hostname: 127.0.0.1
          port: 6443
version: 2.0.0dev
provider: aws
---
kind: configuration/helm
title: Helm
name: default
specification:
  apache_epirepo_path: /var/www/html/epirepo
version: 2.0.0dev
provider: aws
---
kind: configuration/applications
title: Kubernetes Applications Config
name: default
specification:
  applications:
    - name: rabbitmq
      enabled: false
      image_path: rabbitmq:3.8.9
      use_local_image_registry: true
      service:
        name: rabbitmq-cluster
        port: 30672
        management_port: 31672
        replicas: 2
        namespace: queue
      rabbitmq:
        plugins:
          - rabbitmq_management
          - rabbitmq_management_agent
        policies:
          - name: ha-policy2
            pattern: .*
            definitions:
              ha-mode: all
        custom_configurations:
          - name: vm_memory_high_watermark.relative
            value: 0.5
        # No cluster settings given here (null).
        cluster: null
    - name: auth-service
      enabled: false
      image_path: epiphanyplatform/keycloak:14.0.0
      use_local_image_registry: true
      service:
        name: as-testauthdb
        port: 30104
        replicas: 2
        namespace: namespace-for-auth
        admin_user: auth-service-username
        admin_password: PASSWORD_TO_CHANGE
        proxy_address_forwarding: false
      database:
        name: auth-database-name
        user: auth-db-user
        password: PASSWORD_TO_CHANGE
    - name: pgpool
      enabled: false
      image:
        path: bitnami/pgpool:4.2.4
        debug: false
      use_local_image_registry: true
      namespace: postgres-pool
      service:
        name: pgpool
        port: 5432
      replicas: 3
      pod_spec:
        affinity:
          podAntiAffinity:
            preferredDuringSchedulingIgnoredDuringExecution:
              - weight: 100
                podAffinityTerm:
                  labelSelector:
                    matchExpressions:
                      - key: app
                        operator: In
                        values:
                          - pgpool
                  topologyKey: kubernetes.io/hostname
        nodeSelector: {}
        tolerations: {}
      resources:
        limits:
          memory: 310Mi
        requests:
          cpu: 250m
          memory: 310Mi
      pgpool:
        env:
          PGPOOL_BACKEND_NODES: autoconfigured
          PGPOOL_POSTGRES_USERNAME: epi_pgpool_postgres_admin
          PGPOOL_SR_CHECK_USER: epi_pgpool_sr_check
          PGPOOL_ADMIN_USERNAME: epi_pgpool_admin
          PGPOOL_ENABLE_LOAD_BALANCING: true
          PGPOOL_MAX_POOL: 4
          PGPOOL_CHILD_LIFE_TIME: 300
          PGPOOL_POSTGRES_PASSWORD_FILE: /opt/bitnami/pgpool/secrets/pgpool_postgres_password
          PGPOOL_SR_CHECK_PASSWORD_FILE: /opt/bitnami/pgpool/secrets/pgpool_sr_check_password
          PGPOOL_ADMIN_PASSWORD_FILE: /opt/bitnami/pgpool/secrets/pgpool_admin_password
        # All three secrets are placeholders and must be replaced before enabling pgpool.
        secrets:
          pgpool_postgres_password: PASSWORD_TO_CHANGE
          pgpool_sr_check_password: PASSWORD_TO_CHANGE
          pgpool_admin_password: PASSWORD_TO_CHANGE
        pgpool_conf_content_to_append: |
          #------------------------------------------------------------------------------
          # CUSTOM SETTINGS (appended by Epiphany to override defaults)
          #------------------------------------------------------------------------------
          # num_init_children = 32
          connection_life_time = 900
          reserved_connections = 1
        pool_hba_conf: autoconfigured
    - name: pgbouncer
      enabled: false
      image_path: bitnami/pgbouncer:1.16.0
      init_image_path: bitnami/pgpool:4.2.4
      use_local_image_registry: true
      namespace: postgres-pool
      service:
        name: pgbouncer
        port: 5432
      replicas: 2
      resources:
        requests:
          cpu: 250m
          memory: 128Mi
        limits:
          cpu: 500m
          memory: 128Mi
      pgbouncer:
        env:
          DB_HOST: pgpool.postgres-pool.svc.cluster.local
          DB_LISTEN_PORT: 5432
          MAX_CLIENT_CONN: 150
          DEFAULT_POOL_SIZE: 25
          RESERVE_POOL_SIZE: 25
          POOL_MODE: session
          CLIENT_IDLE_TIMEOUT: 0
version: 2.0.0dev
provider: aws
---
kind: configuration/node-exporter
title: Node exporter
name: default
specification:
  disable_helm_chart: false
  helm_chart_values:
    service:
      port: 9100
      targetPort: 9100
  files:
    node_exporter_helm_chart_file_name: node-exporter-2.3.17.tgz
  enabled_collectors:
    - conntrack
    - diskstats
    - entropy
    - filefd
    - filesystem
    - loadavg
    - mdadm
    - meminfo
    - netdev
    - netstat
    - sockstat
    - stat
    - textfile
    - time
    - uname
    - vmstat
    - systemd
  config_flags:
    - --web.listen-address=:9100
    - --log.level=info
    - --collector.diskstats.ignored-devices=^(ram|loop|fd)\\d+$
    - --collector.filesystem.mount-points-exclude=^/(sys|proc|dev|run)($|/)
    - --collector.netdev.device-exclude="^$"
    - --collector.textfile.directory=/var/lib/prometheus/node-exporter
    - --collector.systemd.unit-include=(kafka.service|zookeeper.service)
  web_listen_port: '9100'
  web_listen_address: ''
  config_for_prometheus:
    exporter_listen_port: '9100'
    prometheus_config_dir: /etc/prometheus
    file_sd_labels:
      - label: job
        value: node
version: 2.0.0dev
provider: aws
---
kind: configuration/filebeat
title: Filebeat
name: default
specification:
  kibana:
    dashboards:
      index: filebeat-*
      enabled: auto
  disable_helm_chart: false
  postgresql_input:
    multiline:
      pattern: >-
        '^\d{4}-\d{2}-\d{2} '
      negate: true
      match: after
version: 2.0.0dev
provider: aws
---
kind: configuration/firewall
title: OS level firewall
name: default
specification:
  Debian:
    install_firewalld: false
  # With the service disabled and apply_configuration false, the port lists below
  # are not enforced on the host; only the cloud security-group rules apply.
  firewall_service_enabled: false
  apply_configuration: false
  managed_zone_name: epiphany
  rules:
    applications:
      enabled: false
      ports:
        - 30104/tcp
        - 30672/tcp
        - 31672/tcp
    common:
      enabled: true
      ports:
        - 22/tcp
    grafana:
      enabled: true
      ports:
        - 3000/tcp
    haproxy:
      enabled: true
      ports:
        - 443/tcp
        - 9000/tcp
    image_registry:
      enabled: true
      ports:
        - 5000/tcp
    jmx_exporter:
      enabled: true
      ports:
        - 7071/tcp
        - 7072/tcp
    kafka:
      enabled: true
      ports:
        - 9092/tcp
    kafka_exporter:
      enabled: true
      ports:
        - 9308/tcp
    kibana:
      enabled: true
      ports:
        - 5601/tcp
    kubernetes_master:
      enabled: true
      ports:
        - 6443/tcp
        - 2379-2380/tcp
        - 8472/udp
        - 10250/tcp
        - 10251/tcp
        - 10252/tcp
    kubernetes_node:
      enabled: true
      ports:
        - 8472/udp
        - 10250/tcp
    logging:
      enabled: true
      ports:
        - 9200/tcp
    node_exporter:
      enabled: true
      ports:
        - 9100/tcp
    opendistro_for_elasticsearch:
      enabled: true
      ports:
        - 9200/tcp
    postgresql:
      enabled: true
      ports:
        - 5432/tcp
    prometheus:
      enabled: true
      ports:
        - 9090/tcp
        - 9093/tcp
    rabbitmq:
      enabled: true
      ports:
        - 4369/tcp
        - 5672/tcp
        - 15692/tcp
        - 25672/tcp
    zookeeper:
      enabled: true
      ports:
        - 2181/tcp
        - 2888/tcp
        - 3888/tcp
version: 2.0.0dev
provider: aws
---
kind: configuration/kubernetes-node
title: Kubernetes Node Config
name: default
specification:
  version: 1.22.4
  cni_version: 0.8.7
  node_labels: node-type=epiphany
version: 2.0.0dev
provider: aws
---
kind: configuration/logging
title: Logging Config
name: default
specification:
  cluster_name: EpiphanyElastic
  admin_password: PASSWORD_TO_CHANGE
  kibanaserver_password: PASSWORD_TO_CHANGE
  kibanaserver_user_active: true
  logstash_password: PASSWORD_TO_CHANGE
  logstash_user_active: true
  demo_users_to_remove:
    - kibanaro
    - readall
    - snapshotrestore
  paths:
    data: /var/lib/elasticsearch
    repo: /var/lib/elasticsearch-snapshots
    logs: /var/log/elasticsearch
  jvm_options:
    Xmx: 1g
  opendistro_security:
    ssl:
      transport:
        enforce_hostname_verification: true
version: 2.0.0dev
provider: aws
---
kind: configuration/kibana
title: Kibana
name: default
specification:
  kibana_log_dir: /var/log/kibana
version: 2.0.0dev
provider: aws
---
kind: configuration/prometheus
title: Prometheus
name: default
specification:
  config_directory: /etc/prometheus
  storage:
    data_directory: /var/lib/prometheus
  config_flags:
    - --config.file=/etc/prometheus/prometheus.yml
    - --storage.tsdb.path=/var/lib/prometheus
    - --storage.tsdb.retention.time=180d
    - --storage.tsdb.retention.size=20GB
    - --web.console.libraries=/etc/prometheus/console_libraries
    - --web.console.templates=/etc/prometheus/consoles
    - --web.listen-address=0.0.0.0:9090
    # Enables the unauthenticated TSDB admin endpoints on the listen address
    # above; reachability of 9090 is the only control. Drop if not needed.
    - --web.enable-admin-api
  metrics_path: /metrics
  scrape_interval: 15s
  scrape_timeout: 10s
  evaluation_interval: 10s
  remote_write: []
  remote_read: []
  alertmanager:
    enable: false
    alert_rules:
      common: true
      container: false
      kafka: false
      node: false
      postgresql: false
      prometheus: false
version: 2.0.0dev
provider: aws
---
kind: configuration/grafana
title: Grafana
name: default
specification:
  grafana_logs_dir: /var/log/grafana
  grafana_data_dir: /var/lib/grafana
  grafana_address: 0.0.0.0
  grafana_port: 3000
  grafana_provisioning_synced: false
  grafana_url: https://0.0.0.0:3000
  grafana_server:
    protocol: https
    enforce_domain: false
    socket: ''
    cert_key: /etc/grafana/ssl/grafana_key.key
    cert_file: /etc/grafana/ssl/grafana_cert.pem
    enable_gzip: false
    static_root_path: public
    router_logging: false
  grafana_security:
    admin_user: admin
    admin_password: PASSWORD_TO_CHANGE
  grafana_database:
    type: sqlite3
  grafana_external_dashboards: []
  grafana_online_dashboards: []
  grafana_dashboards_dir: dashboards
  grafana_welcome_email_on_sign_up: false
  grafana_users:
    allow_sign_up: false
    auto_assign_org_role: Viewer
    default_theme: dark
  grafana_auth: {}
  grafana_ldap: {}
  grafana_session: {}
  grafana_analytics: {}
  grafana_smtp: {}
  grafana_alerting:
    execute_alerts: true
  grafana_log: {}
  grafana_metrics: {}
  grafana_tracing: {}
  grafana_snapshots: {}
  grafana_image_storage: {}
  grafana_plugins: []
  grafana_alert_notifications: []
  grafana_datasources:
    - name: Prometheus
      type: prometheus
      access: proxy
      url: http://localhost:9090
      basicAuth: false
      basicAuthUser: ''
      basicAuthPassword: ''
      isDefault: true
      editable: true
      jsonData:
        tlsAuth: false
        tlsAuthWithCACert: false
        # Irrelevant while the datasource URL is plain http; set to false
        # if this datasource is ever pointed at an https endpoint.
        tlsSkipVerify: true
  grafana_api_keys: []
  grafana_logging:
    log_rotate: true
    daily_rotate: true
    max_days: 7
version: 2.0.0dev
provider: aws
---
kind: configuration/zookeeper
title: Zookeeper
name: default
specification:
  static_config_file:
    # The block below is emitted verbatim into the ZooKeeper config. Note that
    # maxClientCnxns=0 removes the per-client connection limit described inside it.
    configurable_block: |
      # Limits the number of concurrent connections (at the socket level) that a single client, identified by IP address,
      # may make to a single member of the ZooKeeper ensemble. This is used to prevent certain classes of DoS attacks,
      # including file descriptor exhaustion. The default is 60. Setting this to 0 removes the limit.
      maxClientCnxns=0

      # --- AdminServer configuration ---
      # By default the AdminServer is enabled. Disabling it will cause automated test failures.
      admin.enableServer=true
      # The address the embedded Jetty server listens on. Defaults to 0.0.0.0.
      admin.serverAddress=127.0.0.1
      # The port the embedded Jetty server listens on. Defaults to 8080.
      admin.serverPort=8008
version: 2.0.0dev
provider: aws
---
kind: configuration/jmx-exporter
title: JMX exporter
name: default
specification:
  jmx_jars_directory: /opt/jmx-exporter/jars
  jmx_exporter_user: jmx-exporter
  jmx_exporter_group: jmx-exporter
version: 2.0.0dev
provider: aws
---
kind: configuration/kafka
title: Kafka
name: default
specification:
  kafka_var:
    enabled: true
    admin: kafka
    # Default admin credential - change before deployment.
    admin_pwd: epiphany
    # Defaults below run the broker with TLS, authorization and authentication all
    # disabled and PLAINTEXT inter-broker traffic; harden before exposing beyond the VPC.
    security:
      ssl:
        enabled: false
        port: 9093
        server:
          local_cert_download_path: kafka-certs
          keystore_location: /var/private/ssl/kafka.server.keystore.jks
          truststore_location: /var/private/ssl/kafka.server.truststore.jks
          cert_validity: 365
          passwords:
            keystore: PasswordToChange
            truststore: PasswordToChange
            key: PasswordToChange
        endpoint_identification_algorithm: HTTPS
        client_auth: required
      encrypt_at_rest: false
      inter_broker_protocol: PLAINTEXT
      authorization:
        enabled: false
        authorizer_class_name: kafka.security.auth.SimpleAclAuthorizer
        allow_everyone_if_no_acl_found: false
        super_users:
          - tester01
          - tester02
        users:
          - name: test_user
            topic: test_topic
      authentication:
        enabled: false
        authentication_method: certificates
        sasl_mechanism_inter_broker_protocol: null
        sasl_enabled_mechanisms: PLAIN
    sha: b28e81705e30528f1abb6766e22dfe9dae50b1e1e93330c880928ff7a08e6b38ee71cbfc96ec14369b2dfd24293938702cab422173c8e01955a9d1746ae43f98
    port: 9092
    min_insync_replicas: 1
    default_replication_factor: 1
    offsets_topic_replication_factor: 1
    num_recovery_threads_per_data_dir: 1
    num_replica_fetchers: 1
    replica_fetch_max_bytes: 1048576
    replica_socket_receive_buffer_bytes: 65536
    partitions: 8
    log_retention_hours: 168
    log_retention_bytes: -1
    offset_retention_minutes: 10080
    heap_opts: -Xmx2G -Xms2G
    # javax.net.debug=all writes TLS handshake and record details to the broker log;
    # intended for troubleshooting only, remove for production use.
    opts: -Djavax.net.debug=all
    jmx_opts: null
    max_incremental_fetch_session_cache_slots: 1000
    controlled_shutdown_enable: true
    group: kafka
    user: kafka
    conf_dir: /opt/kafka/config
    data_dir: /var/lib/kafka
    log_dir: /var/log/kafka
    socket_settings:
      network_threads: 3
      io_threads: 8
      send_buffer_bytes: 102400
      receive_buffer_bytes: 102400
      request_max_bytes: 104857600
  zookeeper_set_acl: false
  zookeeper_hosts: "{{ groups['zookeeper']|join(':2181,') }}:2181"
  jmx_exporter_user: jmx-exporter
  jmx_exporter_group: jmx-exporter
  prometheus_jmx_exporter_web_listen_port: 7071
  prometheus_jmx_config: /opt/kafka/config/jmx-kafka.config.yml
  prometheus_config_dir: /etc/prometheus
  prometheus_kafka_jmx_file_sd_labels:
    job: jmx-kafka
version: 2.0.0dev
provider: aws
---
kind: configuration/kafka-exporter
title: Kafka exporter
name: default
specification:
  description: Service that runs Kafka Exporter
  web_listen_port: '9308'
  config_flags:
    - --web.listen-address=:9308
    - --web.telemetry-path=/metrics
    - --topic.filter=.*
    - --group.filter=.*
    - --kafka.version=2.6.0
  config_for_prometheus:
    exporter_listen_port: '9308'
    prometheus_config_dir: /etc/prometheus
    file_sd_labels:
      - label: job
        value: kafka-exporter
version: 2.0.0dev
provider: aws
---
kind: configuration/postgresql
title: PostgreSQL
name: default
specification:
  config_file:
    parameter_groups:
      - name: CONNECTIONS AND AUTHENTICATION
        subgroups:
          - name: Connection Settings
            parameters:
              # Listens on every interface with ssl off below: client traffic is
              # unencrypted, so rely on the 10.1.0.0/20-scoped security groups.
              - name: listen_addresses
                value: "'*'"
                comment: listen on all addresses
          - name: Security and Authentication
            parameters:
              - name: ssl
                value: off
                comment: to have the default value also on Ubuntu
      - name: RESOURCE USAGE (except WAL)
        subgroups:
          - name: Kernel Resource Usage
            parameters:
              - name: shared_preload_libraries
                value: AUTOCONFIGURED
                comment: set by automation
      - name: ERROR REPORTING AND LOGGING
        subgroups:
          - name: Where to Log
            parameters:
              - name: log_directory
                value: "'/var/log/postgresql'"
                comment: to have standard location for Filebeat and logrotate
              - name: log_filename
                value: "'postgresql.log'"
                comment: to use logrotate with common configuration
      - name: WRITE AHEAD LOG
        subgroups:
          - name: Settings
            parameters:
              - name: wal_level
                value: replica
                when: replication
          - name: Archiving
            parameters:
              - name: archive_mode
                value: on
                when: replication
              - name: archive_command
                value: "'/bin/true'"
                when: replication
      - name: REPLICATION
        subgroups:
          - name: Sending Server(s)
            parameters:
              - name: max_wal_senders
                value: 10
                comment: maximum number of simultaneously running WAL sender processes
                when: replication
              - name: wal_keep_size
                value: 500
                comment: the size of WAL files held for standby servers (MB)
                when: replication
          - name: Standby Servers
            parameters:
              - name: hot_standby
                value: on
                comment: must be 'on' for repmgr needs, ignored on primary but recommended in case primary becomes standby
                when: replication
  extensions:
    pgaudit:
      enabled: false
      shared_preload_libraries:
        - pgaudit
      config_file_parameters:
        log_connections: off
        log_disconnections: off
        log_statement: none
        log_line_prefix: "'%m [%p] %q%u@%d,host=%h '"
        pgaudit.log: "'write, function, role, ddl, misc_set'"
        pgaudit.log_catalog: 'off # to reduce overhead of logging'
        pgaudit.log_relation: 'on # separate log entry for each relation'
        pgaudit.log_statement_once: off
        pgaudit.log_parameter: on
    replication:
      replication_user_name: epi_repmgr
      replication_user_password: PASSWORD_TO_CHANGE
      privileged_user_name: epi_repmgr_admin
      privileged_user_password: PASSWORD_TO_CHANGE
      repmgr_database: epi_repmgr
      shared_preload_libraries:
        - repmgr
  logrotate:
    postgresql: |-
      /var/log/postgresql/postgresql*.log {
          maxsize 10M
          daily
          rotate 6
          copytruncate
          # delaycompress is for Filebeat
          delaycompress
          compress
          notifempty
          missingok
          su root root
          nomail
          # to have multiple unique filenames per day when dateext option is set
          dateformat -%Y%m%dH%H
      }
version: 2.0.0dev
provider: aws
---
kind: configuration/postgres-exporter
title: Postgres exporter
name: default
specification:
  config_flags:
    - --log.level=info
    - --extend.query-path=/opt/postgres_exporter/queries.yaml
    - --auto-discover-databases
  config_for_prometheus:
    exporter_listen_port: '9187'
    prometheus_config_dir: /etc/prometheus
    file_sd_labels:
      - label: job
        value: postgres-exporter
version: 2.0.0dev
provider: aws
---
kind: configuration/haproxy
title: HAProxy
name: default
specification:
  logs_max_days: 60
  self_signed_certificate_name: self-signed-fullchain.pem
  self_signed_private_key_name: self-signed-privkey.pem
  self_signed_concatenated_cert_name: self-signed-test.tld.pem
  haproxy_log_path: /var/log/haproxy.log
  # Stats page is bound to loopback only; the password is still a default and
  # should be replaced.
  stats:
    enable: true
    bind_address: 127.0.0.1
    port: 9000
    uri: /haproxy?stats
    user: operations
    password: your-haproxy-stats-pwd
  metrics:
    enable: true
    bind_address: '*'
    port: 9101
  frontend:
    - name: https_front
      port: 443
      https: true
      backend:
        - http_back1
  backend:
    - name: http_back1
      server_groups:
        - kubernetes_node
      port: 30104
version: 2.0.0dev
provider: aws
---
kind: configuration/rabbitmq
title: RabbitMQ
name: default
specification:
  rabbitmq_user: rabbitmq
  rabbitmq_group: rabbitmq
  stop_service: false
  logrotate_period: weekly
  logrotate_number: 10
  ulimit_open_files: 65535
  amqp_port: 5672
  rabbitmq_use_longname: AUTOCONFIGURED
  rabbitmq_policies: []
  rabbitmq_plugins: []
  rabbitmq_monitoring_enabled: false
  custom_configurations: []
  cluster:
    is_clustered: false
version: 2.0.0dev
provider: aws
---
kind: configuration/repository
title: Epiphany requirements repository
name: default
specification:
  description: Local repository of binaries required to install Epiphany
  download_done_flag_expire_minutes: 120
  apache_epirepo_path: /var/www/html/epirepo
  teardown:
    disable_http_server: true
    remove:
      files: false
      helm_charts: false
      images: false
      packages: false
version: 2.0.0dev
provider: aws
---
kind: configuration/image-registry
title: Epiphany image registry
name: default
specification:
  description: Local registry with Docker images
  registry_image:
    name: registry:2
    file_name: registry-2.tar
  # Images are pinned by tag only; pinning by digest would make the
  # offline bundle verifiable against what was tested.
  images_to_load:
    x86_64:
      generic:
        - name: epiphanyplatform/keycloak:14.0.0
          file_name: keycloak-14.0.0.tar
        - name: rabbitmq:3.8.9
          file_name: rabbitmq-3.8.9.tar
        - name: kubernetesui/dashboard:v2.3.1
          file_name: dashboard-v2.3.1.tar
        - name: kubernetesui/metrics-scraper:v1.0.7
          file_name: metrics-scraper-v1.0.7.tar
        - name: bitnami/pgpool:4.2.4
          file_name: pgpool-4.2.4.tar
        - name: bitnami/pgbouncer:1.16.0
          file_name: pgbouncer-1.16.0.tar
      current:
        - name: haproxy:2.2.2-alpine
          file_name: haproxy-2.2.2-alpine.tar
        - name: k8s.gcr.io/kube-apiserver:v1.22.4
          file_name: kube-apiserver-v1.22.4.tar
        - name: k8s.gcr.io/kube-controller-manager:v1.22.4
          file_name: kube-controller-manager-v1.22.4.tar
        - name: k8s.gcr.io/kube-proxy:v1.22.4
          file_name: kube-proxy-v1.22.4.tar
        - name: k8s.gcr.io/kube-scheduler:v1.22.4
          file_name: kube-scheduler-v1.22.4.tar
        - name: k8s.gcr.io/coredns/coredns:v1.8.4
          file_name: coredns-v1.8.4.tar
        - name: k8s.gcr.io/etcd:3.5.0-0
          file_name: etcd-3.5.0-0.tar
        - name: k8s.gcr.io/pause:3.5
          file_name: pause-3.5.tar
        - name: quay.io/coreos/flannel:v0.14.0-amd64
          file_name: flannel-v0.14.0-amd64.tar
        - name: quay.io/coreos/flannel:v0.14.0
          file_name: flannel-v0.14.0.tar
        - name: calico/cni:v3.20.3
          file_name: cni-v3.20.3.tar
        - name: calico/kube-controllers:v3.20.3
          file_name: kube-controllers-v3.20.3.tar
        - name: calico/node:v3.20.3
          file_name: node-v3.20.3.tar
        - name: calico/pod2daemon-flexvol:v3.20.3
          file_name: pod2daemon-flexvol-v3.20.3.tar
      legacy:
        - name: k8s.gcr.io/kube-apiserver:v1.21.7
          file_name: kube-apiserver-v1.21.7.tar
        - name: k8s.gcr.io/kube-controller-manager:v1.21.7
          file_name: kube-controller-manager-v1.21.7.tar
        - name: k8s.gcr.io/kube-proxy:v1.21.7
          file_name: kube-proxy-v1.21.7.tar
        - name: k8s.gcr.io/kube-scheduler:v1.21.7
          file_name: kube-scheduler-v1.21.7.tar
        - name: k8s.gcr.io/coredns/coredns:v1.8.0
          file_name: coredns-v1.8.0.tar
        - name: k8s.gcr.io/etcd:3.4.13-0
          file_name: etcd-3.4.13-0.tar
        - name: k8s.gcr.io/pause:3.4.1
          file_name: pause-3.4.1.tar
        - name: k8s.gcr.io/kube-apiserver:v1.20.12
          file_name: kube-apiserver-v1.20.12.tar
        - name: k8s.gcr.io/kube-controller-manager:v1.20.12
          file_name: kube-controller-manager-v1.20.12.tar
        - name: k8s.gcr.io/kube-proxy:v1.20.12
          file_name: kube-proxy-v1.20.12.tar
        - name: k8s.gcr.io/kube-scheduler:v1.20.12
          file_name: kube-scheduler-v1.20.12.tar
        - name: k8s.gcr.io/coredns:1.7.0
          file_name: coredns-1.7.0.tar
        - name: k8s.gcr.io/pause:3.2
          file_name: pause-3.2.tar
        - name: k8s.gcr.io/kube-apiserver:v1.19.15
          file_name: kube-apiserver-v1.19.15.tar
        - name: k8s.gcr.io/kube-controller-manager:v1.19.15
          file_name: kube-controller-manager-v1.19.15.tar
        - name: k8s.gcr.io/kube-proxy:v1.19.15
          file_name: kube-proxy-v1.19.15.tar
        - name: k8s.gcr.io/kube-scheduler:v1.19.15
          file_name: kube-scheduler-v1.19.15.tar
        - name: k8s.gcr.io/kube-apiserver:v1.18.6
          file_name: kube-apiserver-v1.18.6.tar
        - name: k8s.gcr.io/kube-controller-manager:v1.18.6
          file_name: kube-controller-manager-v1.18.6.tar
        - name: k8s.gcr.io/kube-proxy:v1.18.6
          file_name: kube-proxy-v1.18.6.tar
        - name: k8s.gcr.io/kube-scheduler:v1.18.6
          file_name: kube-scheduler-v1.18.6.tar
        - name: k8s.gcr.io/coredns:1.6.7
          file_name: coredns-1.6.7.tar
        - name: k8s.gcr.io/etcd:3.4.3-0
          file_name: etcd-3.4.3-0.tar
        - name: quay.io/coreos/flannel:v0.12.0-amd64
          file_name: flannel-v0.12.0-amd64.tar
        - name: quay.io/coreos/flannel:v0.12.0
          file_name: flannel-v0.12.0.tar
        - name: calico/cni:v3.15.0
          file_name: cni-v3.15.0.tar
        - name: calico/kube-controllers:v3.15.0
          file_name: kube-controllers-v3.15.0.tar
        - name: calico/node:v3.15.0
          file_name: node-v3.15.0.tar
        - name: calico/pod2daemon-flexvol:v3.15.0
          file_name: pod2daemon-flexvol-v3.15.0.tar
    aarch64:
      generic:
        - name: epiphanyplatform/keycloak:14.0.0
          file_name: keycloak-14.0.0.tar
        - name: rabbitmq:3.8.9
          file_name: rabbitmq-3.8.9.tar
        - name: kubernetesui/dashboard:v2.3.1
          file_name: dashboard-v2.3.1.tar
        - name: kubernetesui/metrics-scraper:v1.0.7
          file_name: metrics-scraper-v1.0.7.tar
      current:
        - name: haproxy:2.2.2-alpine
          file_name: haproxy-2.2.2-alpine.tar
        - name: k8s.gcr.io/kube-apiserver:v1.22.4
          file_name: kube-apiserver-v1.22.4.tar
        - name: k8s.gcr.io/kube-controller-manager:v1.22.4
          file_name: kube-controller-manager-v1.22.4.tar
        - name: k8s.gcr.io/kube-proxy:v1.22.4
          file_name: kube-proxy-v1.22.4.tar
        - name: k8s.gcr.io/kube-scheduler:v1.22.4
          file_name: kube-scheduler-v1.22.4.tar
        - name: k8s.gcr.io/coredns/coredns:v1.8.4
          file_name: coredns-v1.8.4.tar
        - name: k8s.gcr.io/etcd:3.5.0-0
          file_name: etcd-3.5.0-0.tar
        - name: k8s.gcr.io/pause:3.5
          file_name: pause-3.5.tar
        - name: quay.io/coreos/flannel:v0.14.0-arm64
          file_name: flannel-v0.14.0-arm64.tar
        - name: quay.io/coreos/flannel:v0.14.0
          file_name: flannel-v0.14.0.tar
        - name: calico/cni:v3.20.3
          file_name: cni-v3.20.3.tar
        - name: calico/kube-controllers:v3.20.3
          file_name: kube-controllers-v3.20.3.tar
        - name: calico/node:v3.20.3
          file_name: node-v3.20.3.tar
        - name: calico/pod2daemon-flexvol:v3.20.3
          file_name: pod2daemon-flexvol-v3.20.3.tar
      legacy:
        - name: k8s.gcr.io/kube-apiserver:v1.21.7
          file_name: kube-apiserver-v1.21.7.tar
        - name: k8s.gcr.io/kube-controller-manager:v1.21.7
          file_name: kube-controller-manager-v1.21.7.tar
        - name: k8s.gcr.io/kube-proxy:v1.21.7
          file_name: kube-proxy-v1.21.7.tar
        - name: k8s.gcr.io/kube-scheduler:v1.21.7
          file_name: kube-scheduler-v1.21.7.tar
        - name: k8s.gcr.io/coredns/coredns:v1.8.0
          file_name: coredns-v1.8.0.tar
        - name: k8s.gcr.io/etcd:3.4.13-0
          file_name: etcd-3.4.13-0.tar
        - name: k8s.gcr.io/pause:3.4.1
          file_name: pause-3.4.1.tar
        - name: k8s.gcr.io/kube-apiserver:v1.20.12
          file_name: kube-apiserver-v1.20.12.tar
        - name: k8s.gcr.io/kube-controller-manager:v1.20.12
          file_name: kube-controller-manager-v1.20.12.tar
        - name: k8s.gcr.io/kube-proxy:v1.20.12
          file_name: kube-proxy-v1.20.12.tar
        - name: k8s.gcr.io/kube-scheduler:v1.20.12
          file_name: kube-scheduler-v1.20.12.tar
        - name: k8s.gcr.io/coredns:1.7.0
          file_name: coredns-1.7.0.tar
        - name: k8s.gcr.io/pause:3.2
          file_name: pause-3.2.tar
        - name: k8s.gcr.io/kube-apiserver:v1.19.15
          file_name: kube-apiserver-v1.19.15.tar
        - name: k8s.gcr.io/kube-controller-manager:v1.19.15
          file_name: kube-controller-manager-v1.19.15.tar
        - name: k8s.gcr.io/kube-proxy:v1.19.15
          file_name: kube-proxy-v1.19.15.tar
        - name: k8s.gcr.io/kube-scheduler:v1.19.15
          file_name: kube-scheduler-v1.19.15.tar
        - name: k8s.gcr.io/kube-apiserver:v1.18.6
          file_name: kube-apiserver-v1.18.6.tar
        - name: k8s.gcr.io/kube-controller-manager:v1.18.6
          file_name: kube-controller-manager-v1.18.6.tar
        - name: k8s.gcr.io/kube-proxy:v1.18.6
          file_name: kube-proxy-v1.18.6.tar
        - name: k8s.gcr.io/kube-scheduler:v1.18.6
          file_name: kube-scheduler-v1.18.6.tar
        - name: k8s.gcr.io/coredns:1.6.7
          file_name: coredns-1.6.7.tar
        - name: k8s.gcr.io/etcd:3.4.3-0
          file_name: etcd-3.4.3-0.tar
        - name: quay.io/coreos/flannel:v0.12.0-arm64
          file_name: flannel-v0.12.0-arm64.tar
        - name: quay.io/coreos/flannel:v0.12.0
          file_name: flannel-v0.12.0.tar
        - name: calico/cni:v3.15.0
          file_name: cni-v3.15.0.tar
        - name: calico/kube-controllers:v3.15.0
          file_name: kube-controllers-v3.15.0.tar
        - name: calico/node:v3.15.0
          file_name: node-v3.15.0.tar
        - name: calico/pod2daemon-flexvol:v3.15.0
          file_name: pod2daemon-flexvol-v3.15.0.tar
version: 2.0.0dev
provider: aws
---
kind: infrastructure/virtual-machine
title: Virtual Machine Infra
provider: aws
name: default
specification:
  subnet_names: []
  availability_zones: []
  authorized_to_efs: false
  mount_efs: false
  tags:
    - version: 0.4.2
  size: t2.micro
  os_full_name: ubuntu/images/hvm-ssd/ubuntu-focal-20.04-amd64-server-20220110
  os_type: linux
  ebs_optimized: false
  disks:
    root:
      volume_type: gp2
      volume_size: 30
      delete_on_termination: true
      encrypted: true
    additional_disks: []
  security:
    rules:
      # 22/tcp is allowed from any source. use_public_ips is false in the
      # cluster document, which limits reach to the VPC; narrow this prefix to
      # the operator network if public addresses are ever enabled.
      - name: ssh
        description: Allow SSH
        direction: Inbound
        protocol: Tcp
        destination_port_range: '22'
        source_address_prefix: 0.0.0.0/0
        destination_address_prefix: 0.0.0.0/0
      - name: node_exporter
        description: Allow node_exporter traffic
        direction: Inbound
        protocol: Tcp
        destination_port_range: '9100'
        source_address_prefix: 10.1.0.0/20
        destination_address_prefix: 0.0.0.0/0
      - name: out
        description: Allow out
        direction: Egress
        protocol: all
        destination_port_range: '0'
        source_address_prefix: 0.0.0.0/0
        destination_address_prefix: 0.0.0.0/0
version: 2.0.0dev
---
kind: infrastructure/virtual-machine
title: Virtual Machine Infra
provider: aws
name: rabbitmq-machine
specification:
  tags:
    - version: 0.4.2
  size: t3.micro
  os_type: linux
  security:
    rules:
      - _merge: true
      - name: rabbitmq
        description: Allow rabbitmq traffic
        direction: Inbound
        protocol: Tcp
        destination_port_range: '5672'
        source_address_prefix: 10.1.0.0/20
        destination_address_prefix: 0.0.0.0/0
      - name: rabbitmq_clustering_1
        description: Allow rabbitmq clustering traffic 1
        direction: Inbound
        protocol: Tcp
        destination_port_range: '4369'
        source_address_prefix: 10.1.8.0/24
        destination_address_prefix: 0.0.0.0/0
      - name: rabbitmq_clustering_2
        description: Allow rabbitmq clustering traffic 2
        direction: Inbound
        protocol: Tcp
        destination_port_range: '25672'
        source_address_prefix: 10.1.8.0/24
        destination_address_prefix: 0.0.0.0/0
      - name: rabbitmq-exporter
        description: Allow Prometheus for RabbitMQ data scrap
        direction: Inbound
        protocol: Tcp
        destination_port_range: '15692'
        source_address_prefix: 10.1.0.0/20
        destination_address_prefix: 0.0.0.0/0
version: 2.0.0dev
---
kind: infrastructure/virtual-machine
title: Virtual Machine Infra
provider: aws
name: load-balancer-machine
specification:
  tags:
    - version: 0.4.2
  size: t3.micro
  os_type: linux
  security:
    rules:
      - _merge: true
      - name: haproxy_metrics
        description: Allow haproxy_metrics traffic
        direction: Inbound
        protocol: Tcp
        destination_port_range: '9101'
        source_address_prefix: 10.1.0.0/20
        destination_address_prefix: 0.0.0.0/0
version: 2.0.0dev
---
kind: infrastructure/virtual-machine
title: Virtual Machine Infra
provider: aws
name: kubernetes-master-machine
specification:
  size: t3.medium
  authorized_to_efs: true
  mount_efs: true
  security:
    rules:
      - _merge: true
      - name: repository
        description: Allow repository traffic
        direction: Inbound
        protocol: Tcp
        destination_port_range: '80'
        source_address_prefix: 10.1.0.0/20
        destination_address_prefix: 0.0.0.0/0
      - name: subnet-traffic
        description: Allow subnet traffic
        direction: Inbound
        protocol: ALL
        destination_port_range: '0'
        source_address_prefix: 10.1.1.0/24
        destination_address_prefix: 0.0.0.0/0
      - name: monitoring-traffic
        description: Allow monitoring subnet traffic
        direction: Inbound
        protocol: ALL
        destination_port_range: '0'
        source_address_prefix: 10.1.4.0/24
        destination_address_prefix: 0.0.0.0/0
      - name: node-subnet-traffic
        description: Allow node subnet traffic
        direction: Inbound
        protocol: ALL
        destination_port_range: '0'
        source_address_prefix: 10.1.2.0/24
        destination_address_prefix: 0.0.0.0/0
      # NOTE(review): same prefix as monitoring-traffic above (10.1.4.0/24), not a
      # node subnet (10.1.1.0/24 and 10.1.2.0/24 are already covered). Kept as-is;
      # looks like a copy-paste remnant - confirm intent before removing.
      - name: node2-subnet-traffic
        description: Allow node subnet traffic
        direction: Inbound
        protocol: ALL
        destination_port_range: '0'
        source_address_prefix: 10.1.4.0/24
        destination_address_prefix: 0.0.0.0/0
      - name: load-balancer-subnet-traffic
        description: Allow load-balancer subnet traffic
        direction: Inbound
        protocol: ALL
        destination_port_range: '0'
        source_address_prefix: 10.1.7.0/24
        destination_address_prefix: 0.0.0.0/0
version: 2.0.0dev
---
kind: infrastructure/virtual-machine
title: Virtual Machine Infra
provider: aws
name: kubernetes-node-machine
specification:
  size: t3.medium
  authorized_to_efs: true
  mount_efs: true
  security:
    rules:
      - _merge: true
      - name: subnet-traffic
        description: Allow master subnet traffic
        direction: Inbound
        protocol: ALL
        destination_port_range: '0'
        source_address_prefix: 10.1.1.0/24
        destination_address_prefix: 0.0.0.0/0
      - name: monitoring-traffic
        description: Allow monitoring subnet traffic
        direction: Inbound
        protocol: ALL
        destination_port_range: '0'
        source_address_prefix: 10.1.4.0/24
        destination_address_prefix: 0.0.0.0/0
      - name: node-subnet-traffic
        description: Allow node subnet traffic
        direction: Inbound
        protocol: ALL
        destination_port_range: '0'
        source_address_prefix: 10.1.2.0/24
        destination_address_prefix: 0.0.0.0/0
      - name: load-balancer-subnet-traffic
        description: Allow load-balancer subnet traffic
        direction: Inbound
        protocol: ALL
        destination_port_range: '0'
        source_address_prefix: 10.1.7.0/24
        destination_address_prefix: 0.0.0.0/0
version: 2.0.0dev
---
kind: infrastructure/virtual-machine
title: Virtual Machine Infra
provider: aws
name: kafka-machine
specification:
  size: t3.medium
  security:
    rules:
      - _merge: true
      - name: kafka_exporter
        description: Allow kafka exporter traffic
        direction: Inbound
        protocol: Tcp
        destination_port_range: '9308'
        source_address_prefix: 10.1.0.0/20
        destination_address_prefix: 0.0.0.0/0
      - name: zookeeper1
        description: Allow Zookeeper 1
        direction: Inbound
        protocol: Tcp
        destination_port_range: '3888'
        source_address_prefix: 10.1.0.0/20
        destination_address_prefix: 0.0.0.0/0
      - name: zookeeper2
        description: Allow Zookeeper 2
        direction: Inbound
        protocol: Tcp
        destination_port_range: '2888'
        source_address_prefix: 10.1.0.0/20
        destination_address_prefix: 0.0.0.0/0
      - name: zookeeper_client
        description: Allow Zookeeper Client
        direction: Inbound
        protocol: Tcp
        destination_port_range: '2181'
        source_address_prefix: 10.1.0.0/20
        destination_address_prefix: 0.0.0.0/0
      - name: kafka_client_9092
        description: Allow Kafka Client
        direction: Inbound
        protocol: Tcp
        destination_port_range: '9092'
        source_address_prefix: 10.1.0.0/20
        destination_address_prefix: 0.0.0.0/0
      - name: kafka_ssl_client_9093
        description: Allow Kafka SSL Client
        direction: Inbound
        protocol: Tcp
        destination_port_range: '9093'
        source_address_prefix: 10.1.0.0/20
        destination_address_prefix: 0.0.0.0/0
      - name: monitoring-traffic
        description: Allow monitoring subnet traffic
        direction: Inbound
        protocol: ALL
        destination_port_range: '0'
        source_address_prefix: 10.1.4.0/24
        destination_address_prefix: 0.0.0.0/0
      - name: kubernetes-traffic
        description: Allow Kubernetes subnet traffic
        direction: Inbound
        protocol: ALL
        destination_port_range: '0'
        source_address_prefix: 10.1.1.0/24
        destination_address_prefix: 0.0.0.0/0
      - name: kubernetes-traffic2
        description: Allow Kubernetes subnet traffic
        direction: Inbound
        protocol: ALL
        destination_port_range: '0'
        source_address_prefix: 10.1.2.0/24
        destination_address_prefix: 0.0.0.0/0
version: 2.0.0dev
---
kind: infrastructure/virtual-machine
title: Virtual Machine Infra
provider: aws
name: monitoring-machine
specification: size: t3.medium security: rules: - _merge: true - name: prometheus description: Allow connection to Prometheus direction: Inbound protocol: Tcp destination_port_range: '9090' source_address_prefix: 10.1.0.0/20 destination_address_prefix: 0.0.0.0/0 - name: grafana description: Allow connection to Grafana direction: Inbound protocol: Tcp destination_port_range: '3000' source_address_prefix: 10.1.0.0/20 destination_address_prefix: 0.0.0.0/0 version: 2.0.0dev --- kind: infrastructure/virtual-machine title: Virtual Machine Infra provider: aws name: postgresql-machine specification: size: t3.medium security: rules: - _merge: true - name: postgres_exporter description: Allow postgres exporter traffic direction: Inbound protocol: Tcp destination_port_range: '9187' source_address_prefix: 10.1.0.0/20 destination_address_prefix: 0.0.0.0/0 - name: kubernetes-traffic description: Allow Kubernetes subnet traffic direction: Inbound protocol: ALL destination_port_range: '0' source_address_prefix: 10.1.1.0/24 destination_address_prefix: 0.0.0.0/0 - name: kubernetes-traffic2 description: Allow Kubernetes subnet traffic direction: Inbound protocol: ALL destination_port_range: '0' source_address_prefix: 10.1.2.0/24 destination_address_prefix: 0.0.0.0/0 - name: postgres_clustering description: Allow Postgres clustering traffic direction: Inbound protocol: Tcp destination_port_range: '5432' source_address_prefix: 10.1.6.0/24 destination_address_prefix: 0.0.0.0/0 version: 2.0.0dev --- kind: infrastructure/virtual-machine title: Virtual Machine Infra provider: aws name: logging-machine specification: size: t3.large security: rules: - _merge: true - name: Elastic description: Allow Elastic direction: Inbound protocol: Tcp destination_port_range: '9200' source_address_prefix: 10.1.0.0/20 destination_address_prefix: 0.0.0.0/0 - name: Elastic2 description: Allow Elastic direction: Inbound protocol: Tcp destination_port_range: '9300' source_address_prefix: 10.1.0.0/20 
destination_address_prefix: 0.0.0.0/0 - name: Kibana description: Allow Kibana direction: Inbound protocol: Tcp destination_port_range: '5601' source_address_prefix: 10.1.0.0/20 destination_address_prefix: 0.0.0.0/0 version: 2.0.0dev --- kind: infrastructure/virtual-machine title: Virtual Machine Infra provider: aws name: single-machine specification: size: t3.xlarge authorized_to_efs: true mount_efs: true security: rules: - _merge: true - name: repository description: Allow repository traffic direction: Inbound protocol: Tcp destination_port_range: '80' source_address_prefix: 10.1.0.0/20 destination_address_prefix: 0.0.0.0/0 - name: subnet-traffic description: Allow subnet traffic direction: Inbound protocol: ALL destination_port_range: '0' source_address_prefix: 10.1.1.0/24 destination_address_prefix: 0.0.0.0/0 version: 2.0.0dev --- kind: infrastructure/virtual-machine title: Virtual Machine Infra provider: aws name: repository-machine specification: disks: root: volume_size: 64 size: t2.medium security: rules: - _merge: true - name: repository description: Allow repository traffic direction: Inbound protocol: Tcp destination_port_range: '80' source_address_prefix: 10.1.0.0/20 destination_address_prefix: 0.0.0.0/0 - name: image_registry description: Allow image registry traffic direction: Inbound protocol: Tcp destination_port_range: '5000' source_address_prefix: 10.1.0.0/20 destination_address_prefix: 0.0.0.0/0 version: 2.0.0dev