Add a new Unifi Network Application Component

kustomization/components/unifi-network-application/README.md

@@ -0,0 +1,66 @@
+# Unifi Controller Component
+
+This will deploy the [Unifi Network Application](https://github.com/linuxserver/docker-unifi-network-application), and
+assumes you are using [Traefik Proxy](https://traefik.io/traefik).
+
+This also requires our PriorityClass component.
+
+# Example Usage
+
+```yaml
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+components:
+  - https://github.com/marinatedconcrete/config/kustomization/components/unifi-network-application
+```
+
+See below for additionally required patches and secrets.
+
+## Required Patches
+
+### Add ServersTransport to Service
+
+#### `kustomization.yml`
+
+```yaml
+patches:
+  - path: patches/add_una_svc_serverstransport.yml
+    target:
+      kind: Service
+      name: unifi-network-application-svc
+```
+
+#### `patches/add_una_svc_serverstransport.yml`
+
+The format of the annotation value is: `<deployed-namespace>-unifi-network-application-serverstransport@kubernetescrd`.
+
+```yaml
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    traefik.ingress.kubernetes.io/service.serverstransport: unifi-unifi-network-application-serverstransport@kubernetescrd
+  name: this-is-ignored-but-is-required
+```
+
+## Required Secrets
+
+### `una-secret`
+
+This needs to have the following keys defined:
+
+- `MONGO_PASS`
+
+You can include additional keys as well for further configuration.
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: una-secret
+stringData:
+  MONGO_PASS: ...
+```

kustomization/components/unifi-network-application/configmap/generate-init-mongo.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+
+if [ -z "${MONGO_PASS}" ]; then
+    echo "MONGO_PASS must be set!"
+    exit 1
+fi
+
+echo "db.getSiblingDB(\"unifi\")
+  .createUser({
+    user: \"unifi\",
+    pwd: \"${MONGO_PASS}\",
+    roles: [
+      {role: \"dbOwner\", db: \"unifi\"}
+    ]
+  });
+db.getSiblingDB(\"unifi_stat\")
+  .createUser({
+    user: \"unifi\",
+    pwd: \"${MONGO_PASS}\",
+    roles: [
+      {role: \"dbOwner\", db: \"unifi_stat\"}
+    ]
+  });" > /docker-entrypoint-initdb.d/init-mongo.js

kustomization/components/unifi-network-application/configmap/shutdown-mongo.js

@@ -0,0 +1,3 @@
+db.adminCommand({
+    shutdown: 1
+})

kustomization/components/unifi-network-application/kustomization.yml

@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.config.k8s.io/v1alpha1
+kind: Component
+
+configMapGenerator:
+  - name: una-mongodb-scripts-configmap
+    files:
+      - configmap/generate-init-mongo.sh
+      - configmap/shutdown-mongo.js
+images:
+  - name: busybox
+    newTag: 1.36.1
+  - name: lscr.io/linuxserver/unifi-network-application
+    newTag: 8.1.113
+  - name: mongo
+    newTag: 7.0.7
+resources:
+  - statefulset.yml
+  - serverstransport.yml
+  - service.yml

kustomization/components/unifi-network-application/serverstransport.yml

@@ -0,0 +1,7 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: ServersTransport
+metadata:
+  name: unifi-network-application-serverstransport
+spec:
+  insecureSkipVerify: true

kustomization/components/unifi-network-application/service.yml

@@ -0,0 +1,25 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  annotations:
+    traefik.ingress.kubernetes.io/service.serversscheme: https
+  name: unifi-network-application-svc
+spec:
+  ports:
+    - name: una-web
+      port: 443
+      protocol: TCP
+      targetPort: una-web
+    - name: device-api
+      port: 8080
+      protocol: TCP
+    - name: device-discover
+      port: 10001
+      protocol: UDP
+    - name: device-stun
+      port: 3478
+      protocol: UDP
+  selector:
+    app.kubernetes.io/name: unifi-network-application
+  type: LoadBalancer

kustomization/components/unifi-network-application/statefulset.yml

@@ -0,0 +1,175 @@
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: unifi-network-application-statefulset
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: unifi-network-application
+  serviceName: una-unifi-svc
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: unifi-network-application
+    spec:
+      containers:
+        - image: mongo
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - /bin/sh
+                  - -c
+                  - mongo admin /scripts/shutdown-mongo.js
+          livenessProbe:
+            tcpSocket:
+              port: 27017
+            initialDelaySeconds: 10
+            periodSeconds: 15
+          name: mongodb
+          readinessProbe:
+            tcpSocket:
+              port: 27017
+            initialDelaySeconds: 10
+            periodSeconds: 15
+          resources:
+            limits:
+              cpu: 2000m
+              memory: 2Gi
+            requests:
+              cpu: 500m
+              memory: 1Gi
+          securityContext:
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - mountPath: /data/db
+              name: mongodb-data
+            - mountPath: /docker-entrypoint-initdb.d/init-mongo.js
+              name: init-mongodb
+              readOnly: true
+              subPath: init-mongo.js
+            - mountPath: /scripts
+              name: mongodb-scripts
+        - env:
+            - name: MEM_LIMIT
+              value: "1024"
+            - name: MEM_STARTUP
+              value: "1024"
+            - name: MONGO_DBNAME
+              value: unifi
+            - name: MONGO_HOST
+              value: 127.0.0.1
+            - name: MONGO_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: una-secret
+                  key: MONGO_PASS
+            - name: MONGO_PORT
+              value: "27017"
+            - name: MONGO_USER
+              value: unifi
+            - name: TZ
+              value: America/Los_Angeles
+          image: lscr.io/linuxserver/unifi-network-application
+          livenessProbe:
+            httpGet:
+              port: una-web
+              scheme: HTTPS
+            initialDelaySeconds: 15
+            periodSeconds: 15
+          name: unifi
+          # https://help.ui.com/hc/en-us/articles/218506997-UniFi-Network-Required-Ports-Reference
+          ports:
+            - name: una-web
+              containerPort: 8443
+              protocol: TCP
+            - name: device-api
+              containerPort: 8080
+              protocol: TCP
+            - name: device-discover
+              containerPort: 10001
+              protocol: UDP
+            - name: device-stun
+              containerPort: 3478
+              protocol: UDP
+          readinessProbe:
+            httpGet:
+              port: una-web
+              scheme: HTTPS
+            initialDelaySeconds: 15
+            periodSeconds: 15
+          resources:
+            limits:
+              cpu: 2000m
+              memory: 2Gi
+            requests:
+              cpu: 500m
+              memory: 1Gi
+          securityContext:
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - name: unifi-config
+              mountPath: /config
+      initContainers:
+        - env:
+            - name: MONGO_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: una-secret
+                  key: MONGO_PASS
+          command:
+            - sh
+            - -c
+            - /scripts/generate-init-mongo.sh
+          image: busybox
+          name: init-mongodb
+          resources:
+            limits:
+              cpu: 100m
+              memory: 200Mi
+            requests:
+              cpu: 30m
+              memory: 100Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - mountPath: /docker-entrypoint-initdb.d
+              name: init-mongodb
+            - mountPath: /scripts
+              name: mongodb-scripts
+      priorityClassName: critical-application
+      volumes:
+        - emptyDir:
+            medium: Memory
+          name: init-mongodb
+        - configMap:
+            defaultMode: 0777
+            name: una-mongodb-scripts-configmap
+          name: mongodb-scripts
+  volumeClaimTemplates:
+    - metadata:
+        name: mongodb-data
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+        storageClassName: longhorn-encrypted
+    - metadata:
+        name: unifi-config
+      spec:
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
+        storageClassName: longhorn-encrypted

kustomization/tests/unifi-network-application/kustomization.yml

@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+components:
+  - ../../components/priorityclass
+  - ../../components/unifi-network-application
+namespace: unifi-network-application-test
+patches:
+  # TODO(https://github.com/marinatedconcrete/config/issues/56): we can allow this to exist once we have traefik
+  - patch: |-
+      $patch: delete
+      apiVersion: traefik.io/v1alpha1
+      kind: ServersTransport
+      metadata:
+        name: this-is-ignored-but-is-required
+    target:
+      kind: ServersTransport
+resources:
+  - namespace.yml

kustomization/tests/unifi-network-application/namespace.yml

@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/enforce-version: latest
+  name: unifi-network-application-test