deploy(irc): enable readonly UnrealIRCd RPC on GX10
@@ -4,7 +4,8 @@
|
|||||||
#
|
#
|
||||||
# GX10 adaptations vs OLD bluejay-infra/apps/irc/irc.yaml:
|
# GX10 adaptations vs OLD bluejay-infra/apps/irc/irc.yaml:
|
||||||
# - OnePasswordItem REPLACED by directly-copied Secrets (no OnePassword operator on GX10).
|
# - OnePasswordItem REPLACED by directly-copied Secrets (no OnePassword operator on GX10).
|
||||||
# irc-credentials is applied separately; cloak keys are injected from unrealircd-cloak-keys.
|
# irc-credentials and unrealircd-rpc-credentials are applied separately; cloak keys
|
||||||
|
# are injected from unrealircd-cloak-keys.
|
||||||
# - unrealircd image -> localhost/fc-unrealircd:6.1.9.1-arm64 (built on GX10 from
|
# - unrealircd image -> localhost/fc-unrealircd:6.1.9.1-arm64 (built on GX10 from
|
||||||
# DjLegolas/unrealircd-docker, alpine:3.19 base, UnrealIRCd 6.1.9.1 from source;
|
# DjLegolas/unrealircd-docker, alpine:3.19 base, UnrealIRCd 6.1.9.1 from source;
|
||||||
# djlegolas/unrealircd:6.1.9.1 on Docker Hub is amd64-ONLY -> would crashloop on arm64).
|
# djlegolas/unrealircd:6.1.9.1 on Docker Hub is amd64-ONLY -> would crashloop on arm64).
|
||||||
@@ -587,6 +588,7 @@ data:
|
|||||||
/* Credentials injected from copied K8s secret at pod startup */
|
/* Credentials injected from copied K8s secret at pod startup */
|
||||||
|
|
||||||
include "modules.default.conf";
|
include "modules.default.conf";
|
||||||
|
include "rpc.modules.default.conf";
|
||||||
include "help/help.conf";
|
include "help/help.conf";
|
||||||
include "operclass.default.conf";
|
include "operclass.default.conf";
|
||||||
include "snomasks.default.conf";
|
include "snomasks.default.conf";
|
||||||
@@ -636,6 +638,12 @@ data:
|
|||||||
port 6667;
|
port 6667;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
listen {
|
||||||
|
ip *;
|
||||||
|
port 8600;
|
||||||
|
options { rpc; }
|
||||||
|
}
|
||||||
|
|
||||||
listen {
|
listen {
|
||||||
ip *;
|
ip *;
|
||||||
port 6697;
|
port 6697;
|
||||||
@@ -658,6 +666,12 @@ data:
|
|||||||
class opers;
|
class opers;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
rpc-user flowercore-readonly {
|
||||||
|
match { ip 10.42.*; }
|
||||||
|
password "__RPC_PASSWORD__";
|
||||||
|
rpc-class readonly;
|
||||||
|
}
|
||||||
|
|
||||||
drpass {
|
drpass {
|
||||||
restart "__OPER_PASSWORD__";
|
restart "__OPER_PASSWORD__";
|
||||||
die "__OPER_PASSWORD__";
|
die "__OPER_PASSWORD__";
|
||||||
@@ -1014,11 +1028,13 @@ spec:
|
|||||||
args:
|
args:
|
||||||
- |
|
- |
|
||||||
OPER_PW=$(cat /secrets/password)
|
OPER_PW=$(cat /secrets/password)
|
||||||
|
RPC_PW=$(cat /rpc-secrets/password)
|
||||||
LINK_PW=$(cat /secrets/Link-Password)
|
LINK_PW=$(cat /secrets/Link-Password)
|
||||||
CLOAK_KEY_1=$(cat /cloak-secrets/cloak-key-1)
|
CLOAK_KEY_1=$(cat /cloak-secrets/cloak-key-1)
|
||||||
CLOAK_KEY_2=$(cat /cloak-secrets/cloak-key-2)
|
CLOAK_KEY_2=$(cat /cloak-secrets/cloak-key-2)
|
||||||
CLOAK_KEY_3=$(cat /cloak-secrets/cloak-key-3)
|
CLOAK_KEY_3=$(cat /cloak-secrets/cloak-key-3)
|
||||||
sed -e "s|__OPER_PASSWORD__|${OPER_PW}|g" \
|
sed -e "s|__OPER_PASSWORD__|${OPER_PW}|g" \
|
||||||
|
-e "s|__RPC_PASSWORD__|${RPC_PW}|g" \
|
||||||
-e "s|__LINK_PASSWORD__|${LINK_PW}|g" \
|
-e "s|__LINK_PASSWORD__|${LINK_PW}|g" \
|
||||||
-e "s|__CLOAK_KEY_1__|${CLOAK_KEY_1}|g" \
|
-e "s|__CLOAK_KEY_1__|${CLOAK_KEY_1}|g" \
|
||||||
-e "s|__CLOAK_KEY_2__|${CLOAK_KEY_2}|g" \
|
-e "s|__CLOAK_KEY_2__|${CLOAK_KEY_2}|g" \
|
||||||
@@ -1029,6 +1045,9 @@ spec:
|
|||||||
- name: irc-credentials
|
- name: irc-credentials
|
||||||
mountPath: /secrets
|
mountPath: /secrets
|
||||||
readOnly: true
|
readOnly: true
|
||||||
|
- name: unrealircd-rpc-credentials
|
||||||
|
mountPath: /rpc-secrets
|
||||||
|
readOnly: true
|
||||||
- name: unrealircd-cloak-keys
|
- name: unrealircd-cloak-keys
|
||||||
mountPath: /cloak-secrets
|
mountPath: /cloak-secrets
|
||||||
readOnly: true
|
readOnly: true
|
||||||
@@ -1067,6 +1086,8 @@ spec:
|
|||||||
name: irc-tls
|
name: irc-tls
|
||||||
- containerPort: 8067
|
- containerPort: 8067
|
||||||
name: services-link
|
name: services-link
|
||||||
|
- containerPort: 8600
|
||||||
|
name: rpc
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: injected-config
|
- name: injected-config
|
||||||
mountPath: /app/conf/unrealircd.conf
|
mountPath: /app/conf/unrealircd.conf
|
||||||
@@ -1090,6 +1111,9 @@ spec:
|
|||||||
- name: irc-credentials
|
- name: irc-credentials
|
||||||
secret:
|
secret:
|
||||||
secretName: irc-credentials
|
secretName: irc-credentials
|
||||||
|
- name: unrealircd-rpc-credentials
|
||||||
|
secret:
|
||||||
|
secretName: unrealircd-rpc-credentials
|
||||||
- name: unrealircd-cloak-keys
|
- name: unrealircd-cloak-keys
|
||||||
secret:
|
secret:
|
||||||
secretName: unrealircd-cloak-keys
|
secretName: unrealircd-cloak-keys
|
||||||
@@ -1263,7 +1287,7 @@ spec:
|
|||||||
configMap:
|
configMap:
|
||||||
name: thelounge-flowercore-theme
|
name: thelounge-flowercore-theme
|
||||||
---
|
---
|
||||||
# UnrealIRCd internal Service (anope uplink 8067 + in-cluster 6667 for thelounge)
|
# UnrealIRCd internal Service (anope uplink 8067 + in-cluster 6667 for thelounge + in-cluster JSON-RPC)
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Service
|
kind: Service
|
||||||
metadata:
|
metadata:
|
||||||
@@ -1282,6 +1306,9 @@ spec:
|
|||||||
- port: 8067
|
- port: 8067
|
||||||
targetPort: 8067
|
targetPort: 8067
|
||||||
name: services-link
|
name: services-link
|
||||||
|
- port: 8600
|
||||||
|
targetPort: 8600
|
||||||
|
name: rpc
|
||||||
---
|
---
|
||||||
# UnrealIRCd external LoadBalancer — exposes IRC TCP 6667/6697 on the GX10 PROD MetalLB pool.
|
# UnrealIRCd external LoadBalancer — exposes IRC TCP 6667/6697 on the GX10 PROD MetalLB pool.
|
||||||
# (Replaces OLD's Traefik irc/irctls entryPoints; GX10 Traefik has no such entryPoints.)
|
# (Replaces OLD's Traefik irc/irctls entryPoints; GX10 Traefik has no such entryPoints.)
|
||||||
@@ -1394,7 +1421,7 @@ spec:
|
|||||||
fsGroupChangePolicy: OnRootMismatch
|
fsGroupChangePolicy: OnRootMismatch
|
||||||
containers:
|
containers:
|
||||||
- name: web
|
- name: web
|
||||||
image: localhost/fc-irc-web:v20260619-irc2-trust-010f526
|
image: localhost/fc-irc-web:v20260619-irc-r1-rpc-01f67be
|
||||||
imagePullPolicy: Never
|
imagePullPolicy: Never
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 5080
|
- containerPort: 5080
|
||||||
@@ -1422,6 +1449,21 @@ spec:
|
|||||||
value: "irc.iamworkin.lan"
|
value: "irc.iamworkin.lan"
|
||||||
- name: FlowerCore__IRC__ServerManagement__TlsPort
|
- name: FlowerCore__IRC__ServerManagement__TlsPort
|
||||||
value: "6697"
|
value: "6697"
|
||||||
|
- name: FlowerCore__IRC__ServerManagement__RpcEnabled
|
||||||
|
value: "true"
|
||||||
|
- name: FlowerCore__IRC__ServerManagement__RpcBaseUrl
|
||||||
|
value: "http://unrealircd.irc.svc.cluster.local:8600"
|
||||||
|
- name: FlowerCore__IRC__ServerManagement__RpcPath
|
||||||
|
value: "/api"
|
||||||
|
- name: FlowerCore__IRC__ServerManagement__RpcUsername
|
||||||
|
value: "flowercore-readonly"
|
||||||
|
- name: FlowerCore__IRC__ServerManagement__RpcPassword
|
||||||
|
valueFrom:
|
||||||
|
secretKeyRef:
|
||||||
|
name: unrealircd-rpc-credentials
|
||||||
|
key: password
|
||||||
|
- name: FlowerCore__IRC__ServerManagement__PreferRpcReadModel
|
||||||
|
value: "true"
|
||||||
- name: FlowerCore__Mcp__ServiceName
|
- name: FlowerCore__Mcp__ServiceName
|
||||||
value: "fc-irc"
|
value: "fc-irc"
|
||||||
- name: FlowerCore__Mcp__RoutePath
|
- name: FlowerCore__Mcp__RoutePath
|
||||||
|
|||||||
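Review bot: The new `listen { ip *; port 8600; options { rpc; } }` block, the `rpc` port added to the internal Service, and `match { ip 10.42.*; }` on `rpc-user flowercore-readonly` together leave the JSON-RPC endpoint reachable from every workload in that address range, so the shared password is the only access control. Nothing in the visible hunks adds a NetworkPolicy restricting ingress on 8600 to the `web` pod; the manifest continues outside these hunks, so confirm one exists or add it with this change. `RpcBaseUrl` is `http://unrealircd.irc.svc.cluster.local:8600`, so check the UnrealIRCd listen-block documentation for whether this listener speaks TLS and make the scheme agree; if it is plaintext, the RPC password crosses the pod network unencrypted. The added `-e "s|__RPC_PASSWORD__|${RPC_PW}|g"` also inherits a weakness of the existing sed pattern: a password containing `|`, `&`, `\` or `"` is altered or breaks the quoted config string, while the web container reads the raw value through `secretKeyRef`, so the two sides would silently disagree. Either escape the value before substitution or document the allowed character set next to the `unrealircd-rpc-credentials` Secret.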