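---
# ClusterIP Service in front of the Neo4j StatefulSet: HTTP (Browser / REST)
# on 7474 and Bolt on 7687. No `type` is set, so this is ClusterIP (default)
# and is only reachable from outside via the Ingress (7474) and the
# ingress-nginx tcp-services entry (7687) described further down.
apiVersion: v1
kind: Service
metadata:
  name: neo4j
  namespace: graph
spec:
  selector:
    app: neo4j
  ports:
    - name: http
      port: 7474
      targetPort: 7474
    - name: bolt
      port: 7687
      targetPort: 7687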
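---
# Single-replica Neo4j 5 StatefulSet. Bolt is served over TLS using the
# cert-manager-issued certificate in the `neo4j-tls` Secret (the same Secret
# the Ingress below references); the HTTP/Browser port stays plain inside the
# cluster and is TLS-terminated at the Ingress.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: neo4j
  namespace: graph
spec:
  serviceName: neo4j
  # NOTE(review): one replica pinned to one node (nodeSelector below) on a
  # local-disk storage class gives no failover; losing that node takes the
  # database down until it returns.
  replicas: 1
  selector:
    matchLabels:
      app: neo4j
  template:
    metadata:
      labels:
        app: neo4j
    spec:
      # Presumably disabled so the `neo4j` Service does not inject
      # NEO4J_PORT / NEO4J_SERVICE_* env vars that the image's entrypoint
      # would try to interpret as NEO4J_* settings — confirm.
      enableServiceLinks: false
      # Pins the pod to the node holding the local SSD behind
      # `local-ssd-hetzner`.
      nodeSelector:
        node: hetzner-2
      # NOTE(review): no resources, probes or securityContext are set.
      # Consider requests/limits, a readiness probe on 7474, and
      # `automountServiceAccountToken: false` — the database has no need for
      # the Kubernetes API.
      containers:
        - name: neo4j
          image: neo4j:5.20
          env:
            # Initial `user/password`, read from the Secret — never inline.
            - name: NEO4J_AUTH
              valueFrom:
                secretKeyRef:
                  name: neo4j-auth
                  key: NEO4J_AUTH
            # Bolt TLS policy. The base directory and file names must stay in
            # sync with the `bolt-certs` volumeMount and the Secret `items`
            # below.
            - name: NEO4J_dbms_ssl_policy_bolt_enabled
              value: "true"
            - name: NEO4J_dbms_ssl_policy_bolt_base__directory
              value: "/certs/bolt"
            - name: NEO4J_dbms_ssl_policy_bolt_private__key
              value: "tls.key"
            - name: NEO4J_dbms_ssl_policy_bolt_public__certificate
              value: "tls.crt"
            # REQUIRED refuses plaintext Bolt connections.
            # NOTE(review): `dbms.connector.bolt.*` and
            # `dbms.default_advertised_address` are the 4.x names; Neo4j 5
            # renamed them to `server.bolt.tls_level`,
            # `server.bolt.advertised_address` and
            # `server.default_advertised_address`. Check the startup log that
            # they are migrated with a deprecation warning rather than ignored
            # — if ignored, Bolt would silently fall back to its default level.
            - name: NEO4J_dbms_connector_bolt_tls__level
              value: "REQUIRED"
            # Advertise the public hostname so the Browser uses the external
            # FQDN for Bolt; the Ingress TLS block requests the certificate
            # for this same host.
            - name: NEO4J_dbms_connector_bolt_advertised__address
              value: "neo4j.betelgeusebytes.io:7687"
            # Also set a default advertised address (recommended).
            - name: NEO4J_dbms_default__advertised__address
              value: "neo4j.betelgeusebytes.io"
          ports:
            - containerPort: 7474
            - containerPort: 7687
          volumeMounts:
            - name: data
              mountPath: /data
            # Explicitly read-only: the process only ever reads key and cert.
            - name: bolt-certs
              mountPath: /certs/bolt
              readOnly: true
      volumes:
        # Key and certificate come straight from the cert-manager Secret. The
        # kubelet refreshes the files on renewal, but Neo4j is not known to
        # re-read them without a restart — confirm, or restart on rotation.
        - name: bolt-certs
          secret:
            secretName: neo4j-tls
            items:
              - key: tls.crt
                path: tls.crt
              - key: tls.key
                path: tls.key
  volumeClaimTemplates:
    - metadata:
        name: data
      spec:
        accessModes: ["ReadWriteOnce"]
        storageClassName: local-ssd-hetzner
        resources:
          requests:
            storage: 20Gi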
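---
# Initial Neo4j credentials in `user/password` form, consumed by the
# StatefulSet via secretKeyRef. The value below is a placeholder: do not commit
# a real password in this manifest — create the Secret out of band (sealed /
# external secret, or from a secret store) and keep this entry as a template.
# NOTE(review): the image applies NEO4J_AUTH on first start of an empty data
# volume; changing it later does not rotate the password — confirm against
# the Neo4j image docs for 5.20.
apiVersion: v1
kind: Secret
metadata:
  name: neo4j-auth
  namespace: graph
type: Opaque
stringData:
  NEO4J_AUTH: "neo4j/NEO4J-PASS"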
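---
# HTTPS entry point for the Neo4j Browser / HTTP API. TLS terminates at nginx
# with a cert-manager certificate; Bolt (7687) is not routed here — it is
# exposed through the ingress-nginx tcp-services ConfigMap (see the kubectl
# notes at the end of this file).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: neo4j-http
  namespace: graph
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Optional second auth layer in front of the Browser. Left disabled, so
    # access control on this host rests solely on the Neo4j login
    # (NEO4J_AUTH).
    # nginx.ingress.kubernetes.io/auth-type: basic
    # nginx.ingress.kubernetes.io/auth-secret: basic-auth-neo4j
    # nginx.ingress.kubernetes.io/auth-realm: "Authentication Required"
spec:
  ingressClassName: nginx
  tls:
    # The issued Secret is also mounted by the StatefulSet for Bolt TLS.
    - hosts:
        - neo4j.betelgeusebytes.io
      secretName: neo4j-tls
  rules:
    - host: neo4j.betelgeusebytes.io
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: neo4j
                port:
                  number: 7474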
# Expose Bolt (7687) through ingress-nginx TCP passthrough.
# Create or update the tcp-services ConfigMap mapping the port to the Service:
# kubectl -n ingress-nginx create configmap tcp-services \
#   --from-literal="7687=graph/neo4j:7687" \
#   -o yaml --dry-run=client | kubectl apply -f -

# Point the controller at the ConfigMap. This JSON patch appends to the args
# list each time it runs, so check the current args before re-applying it.
# kubectl -n ingress-nginx patch deploy ingress-nginx-controller \
#   --type='json' -p='[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"--tcp-services-configmap=$(POD_NAMESPACE)/tcp-services"}]'

# kubectl -n ingress-nginx patch deploy ingress-nginx-controller \
#   --type='json' -p='[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"--tcp-services-configmap=$(POD_NAMESPACE)/tcp-services"}]'

# Open the port on the controller (a hostPort on the controller's node):
# kubectl -n ingress-nginx patch deployment ingress-nginx-controller \
#   --type='json' -p='[
#     {"op":"add","path":"/spec/template/spec/containers/0/ports/-","value":{"name":"tcp-7687","containerPort":7687,"hostPort":7687,"protocol":"TCP"}}
#   ]'