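---
# Neo4j single-node deployment in the "graph" namespace: a Service for
# discovery, a one-replica StatefulSet with TLS on Bolt, the auth Secret and
# an Ingress for the HTTP UI. Bolt (7687) is exposed through the ingress-nginx
# tcp-services map (commands at the end of this file).
apiVersion: v1
kind: Service
metadata:
  name: neo4j
  namespace: graph
spec:
  selector:
    app: neo4j
  ports:
    - name: http
      port: 7474
      targetPort: 7474
    - name: bolt
      port: 7687
      targetPort: 7687
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: neo4j
  namespace: graph
spec:
  serviceName: neo4j
  replicas: 1
  selector:
    matchLabels:
      app: neo4j
  template:
    metadata:
      labels:
        app: neo4j
    spec:
      # Stops Kubernetes from injecting <SERVICE>_* env vars into the pod;
      # presumably so they cannot collide with the NEO4J_* settings below — confirm.
      enableServiceLinks: false
      nodeSelector:
        node: hetzner-2
      containers:
        - name: neo4j
          # Floating minor tag; pin to an immutable digest
          # (neo4j:5.20@sha256:<DIGEST-PLACEHOLDER>) so pulls are reproducible.
          image: neo4j:5.20
          env:
            # "user/password" string consumed by the image entrypoint; value
            # lives in the neo4j-auth Secret, never inline here.
            - name: NEO4J_AUTH
              valueFrom:
                secretKeyRef:
                  name: neo4j-auth
                  key: NEO4J_AUTH
            # Bolt TLS: policy files come from the neo4j-tls Secret mounted at
            # /certs/bolt (see volumes). All values are quoted strings — the
            # image entrypoint maps NEO4J_a_b__c to setting a.b_c.
            - name: NEO4J_dbms_ssl_policy_bolt_enabled
              value: "true"
            - name: NEO4J_dbms_ssl_policy_bolt_base__directory
              value: "/certs/bolt"
            - name: NEO4J_dbms_ssl_policy_bolt_private__key
              value: "tls.key"
            - name: NEO4J_dbms_ssl_policy_bolt_public__certificate
              value: "tls.crt"
            # NOTE(review): Neo4j 5 renamed dbms.connector.bolt.* to
            # server.bolt.* and dbms.default_advertised_address to
            # server.default_advertised_address; the 4.x-style names below may
            # be ignored with only a log warning, which would leave Bolt
            # accepting plaintext. Verify in the container's neo4j.conf /
            # debug.log that tls_level=REQUIRED is actually in effect.
            - name: NEO4J_dbms_connector_bolt_tls__level
              value: "REQUIRED"
            # Advertise public hostname so the Browser uses the external FQDN for Bolt
            - name: NEO4J_dbms_connector_bolt_advertised__address
              value: "neo4j.betelgeusebytes.io:7687"
            # also set a default advertised address (recommended)
            - name: NEO4J_dbms_default__advertised__address
              value: "neo4j.betelgeusebytes.io"
          ports:
            - containerPort: 7474
            - containerPort: 7687
          volumeMounts:
            - name: data
              mountPath: /data
            - name: bolt-certs
              mountPath: /certs/bolt
      volumes:
        # Re-uses the certificate cert-manager issues for the Ingress host
        # (same secretName); only the two files Neo4j needs are projected.
        - name: bolt-certs
          secret:
            secretName: neo4j-tls
            items:
              - key: tls.crt
                path: tls.crt
              - key: tls.key
                path: tls.key
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes:
          - ReadWriteOnce
        storageClassName: local-ssd-hetzner
        resources:
          requests:
            storage: 20Gi
---
apiVersion: v1
kind: Secret
metadata:
  name: neo4j-auth
  namespace: graph
type: Opaque
# Placeholder credential. Do not commit the real value: create this Secret
# out of band (kubectl create secret / an external secret store) and keep it
# out of version control. Kept quoted so tooling never retypes it.
stringData:
  NEO4J_AUTH: "neo4j/NEO4J-PASS"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: neo4j-http
  namespace: graph
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Ingress-level basic auth is currently disabled, so the HTTP UI is
    # reachable by anyone who can resolve the host and relies solely on
    # Neo4j's own login. To enable it, create the basic-auth-neo4j Secret
    # and uncomment the three annotations below.
    # nginx.ingress.kubernetes.io/auth-type: basic
    # nginx.ingress.kubernetes.io/auth-secret: basic-auth-neo4j
    # nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - "neo4j.betelgeusebytes.io"
      secretName: neo4j-tls
  rules:
    - host: neo4j.betelgeusebytes.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: neo4j
                port:
                  number: 7474

# Bolt is not HTTP, so it is exposed via ingress-nginx's TCP passthrough
# rather than an Ingress rule. Run once per cluster:
#
# create or update the tcp-services configmap
# kubectl -n ingress-nginx create configmap tcp-services \
#   --from-literal="7687=graph/neo4j:7687" \
#   -o yaml --dry-run=client | kubectl apply -f -
#
# point the controller at the configmap. This JSON "add" appends to args,
# so run it only once — re-running it duplicates the flag.
# kubectl -n ingress-nginx patch deploy ingress-nginx-controller \
#   --type='json' -p='[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"--tcp-services-configmap=$(POD_NAMESPACE)/tcp-services"}]'
#
# open the port on the controller pod. hostPort binds 7687 on the node's own
# network interface, so the Bolt TLS REQUIRED setting above is what protects
# that path; confirm it is applied before relying on it.
# kubectl -n ingress-nginx patch deployment ingress-nginx-controller \
#   --type='json' -p='[
#     {"op":"add","path":"/spec/template/spec/containers/0/ports/-","value":{"name":"tcp-7687","containerPort":7687,"hostPort":7687,"protocol":"TCP"}}
#   ]'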