Move scope files

templates/scope/cluster-role-binding.yaml.j2

@@ -0,0 +1,16 @@
+# borrowed from https://cloud.weave.works/k8s/scope.yaml?k8s-version=1.9.3
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: weave-scope
+  labels:
+    name: weave-scope
+  namespace: weave
+roleRef:
+  kind: ClusterRole
+  name: weave-scope
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: weave-scope
+    namespace: weave

templates/scope/cluster-role.yaml.j2

@@ -0,0 +1,88 @@
+# borrowed from https://cloud.weave.works/k8s/scope.yaml?k8s-version=1.9.3
+# with little modificatios to reduce permissions
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    name: weave-scope
+  name: weave-scope
+  namespace: weave
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - pods/log
+  - replicationcontrollers
+  - services
+  - nodes
+  - persistentvolumes
+  - persistentvolumeclaims
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  verbs:
+  - delete
+- apiGroups:
+  - apps
+  resources:
+  - deployments
+  - statefulsets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - batch
+  resources:
+  - cronjobs
+  - jobs
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  resources:
+  - daemonsets
+  - deployments
+  - deployments/scale
+  - replicasets
+  verbs:
+  - get
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  resources:
+  - deployments/scale
+  verbs:
+  - update
+- apiGroups:
+  - storage.k8s.io
+  resources:
+  - storageclasses
+  verbs:
+  - list
+  - watch
+- apiGroups:
+  - extensions
+  resourceNames:
+  - weave-scope
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+- apiGroups:
+  - volumesnapshot.external-storage.k8s.io
+  resources:
+  - volumesnapshots
+  - volumesnapshotdatas
+  verbs:
+  - list
+  - watch

templates/scope/deploy.yaml.j2

@@ -0,0 +1,39 @@
+# borrowed from https://cloud.weave.works/k8s/scope.yaml?k8s-version=1.9.3
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: weave-scope-app
+  labels:
+    name: weave-scope-app
+    app: weave-scope
+    weave-cloud-component: scope
+    weave-scope-component: app
+  namespace: weave
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: weave-scope
+  revisionHistoryLimit: 2
+  template:
+    metadata:
+      labels:
+        name: weave-scope-app
+        app: weave-scope
+        weave-cloud-component: scope
+        weave-scope-component: app
+    spec:
+      containers:
+        - name: app
+          args:
+            - '--no-probe'
+          env: []
+          image: weaveworks/scope:{{ scope_version }}
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 4040
+              protocol: TCP
+          resources:
+            requests:
+              cpu: 200m
+              memory: 200Mi

templates/scope/ds.yaml.j2

@@ -0,0 +1,67 @@
+# borrowed from https://cloud.weave.works/k8s/scope.yaml?k8s-version=1.9.3
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  name: weave-scope-agent
+  labels:
+    name: weave-scope-agent
+    app: weave-scope
+    weave-cloud-component: scope
+    weave-scope-component: agent
+  namespace: weave
+spec:
+  minReadySeconds: 5
+  selector:
+    matchLabels:
+      app: weave-scope
+  template:
+    metadata:
+      labels:
+        name: weave-scope-agent
+        app: weave-scope
+        weave-cloud-component: scope
+        weave-scope-component: agent
+    spec:
+      containers:
+        - name: scope-agent
+          args:
+            - '--mode=probe'
+            - '--probe-only'
+            - '--probe.kubernetes.role=host'
+            - '--probe.docker.bridge=docker0'
+            - '--probe.docker=true'
+            - 'weave-scope-app.weave.svc.cluster.local.:80'
+          image: weaveworks/scope:{{ scope_version }}
+          imagePullPolicy: IfNotPresent
+          resources:
+            requests:
+              cpu: 100m
+              memory: 100Mi
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - name: docker-socket
+              mountPath: /var/run/docker.sock
+            - name: scope-plugins
+              mountPath: /var/run/scope/plugins
+            - name: sys-kernel-debug
+              mountPath: /sys/kernel/debug
+      dnsPolicy: ClusterFirstWithHostNet
+      hostNetwork: true
+      hostPID: true
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+      volumes:
+        - name: docker-socket
+          hostPath:
+            path: /var/run/docker.sock
+        - name: scope-plugins
+          hostPath:
+            path: /var/run/scope/plugins
+        - name: sys-kernel-debug
+          hostPath:
+            path: /sys/kernel/debug
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1

templates/scope/probe-deploy.yaml.j2

@@ -0,0 +1,44 @@
+# borrowed from https://cloud.weave.works/k8s/scope.yaml?k8s-version=1.9.3
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: weave-scope-cluster-agent
+  labels:
+    name: weave-scope-cluster-agent
+    app: weave-scope
+    weave-cloud-component: scope
+    weave-scope-component: cluster-agent
+  namespace: weave
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: weave-scope-cluster-agent
+      app: weave-scope
+      weave-cloud-component: scope
+      weave-scope-component: cluster-agent
+  revisionHistoryLimit: 2
+  template:
+    metadata:
+      labels:
+        name: weave-scope-cluster-agent
+        app: weave-scope
+        weave-cloud-component: scope
+        weave-scope-component: cluster-agent
+    spec:
+      containers:
+        - name: scope-cluster-agent
+          args:
+            - '--mode=probe'
+            - '--probe-only'
+            - '--probe.kubernetes.role=cluster'
+            - 'weave-scope-app.weave.svc.cluster.local.:80'
+          command:
+            - /home/weave/scope
+          image: 'docker.io/weaveworks/scope:{{ scope_version }}'
+          imagePullPolicy: IfNotPresent
+          resources:
+            requests:
+              cpu: 100m
+              memory: 100Mi
+      serviceAccountName: weave-scope

templates/scope/psp.yaml.j2

@@ -0,0 +1,21 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: weave-scope
+spec:
+  privileged: true
+  hostPID: true
+  hostNetwork: true
+  allowedCapabilities:
+  - 'NET_ADMIN'
+  fsGroup:
+    rule: RunAsAny
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - secret
+  - hostPath

templates/scope/sa.yaml.j2

@@ -0,0 +1,8 @@
+# borrowed from https://cloud.weave.works/k8s/scope.yaml?k8s-version=1.9.3
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: weave-scope
+  labels:
+    name: weave-scope
+  namespace: weave

templates/scope/svc.yaml.j2

@@ -0,0 +1,22 @@
+# borrowed from https://cloud.weave.works/k8s/scope.yaml?k8s-version=1.9.3
+apiVersion: v1
+kind: Service
+metadata:
+  name: weave-scope-app
+  labels:
+    name: weave-scope-app
+    app: weave-scope
+    weave-cloud-component: scope
+    weave-scope-component: app
+  namespace: weave
+spec:
+  ports:
+    - name: app
+      port: 80
+      protocol: TCP
+      targetPort: 4040
+  selector:
+    name: weave-scope-app
+    app: weave-scope
+    weave-cloud-component: scope
+    weave-scope-component: app

templates/scope/weave_ingress.yaml.j2

@@ -0,0 +1,82 @@
+---
+{% if traefik_version | regex_search('(^1.)') %}
+#will not work: weave hate https...
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: weave
+  namespace: weave
+  annotations:
+{% if ingress_whitelist is defined %}
+    ingress.kubernetes.io/whitelist-source-range: "{% for acl_whitelist in ingress_whitelist %}{{ acl_whitelist }}{% if not loop.last %}, {% endif %}{% endfor %}"
+{% endif %}
+    traefik.frontend.priority: "10"
+{% if basic_auth is defined %}
+    traefik.ingress.kubernetes.io/auth-type: basic
+    traefik.ingress.kubernetes.io/auth-secret: basic-auth
+{% endif %}
+spec:
+  rules:
+  - host: weave.{{ ingress_domain }}
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: weave-scope-app
+          servicePort: 80
+{% else %}
+{% if traefik_version | regex_search('(^2.)') %}
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: weave
+  namespace: weave
+  labels:
+    app: weave
+
+spec:
+  entryPoints:
+    - https
+  routes:
+  # Match is the rule corresponding to an underlying router.
+  # Later on, match could be the simple form of a path prefix, e.g. just "/bar",
+  # but for now we only support a traefik style matching rule.
+  - match: Host(`weave.{{ ingress_domain }}`)
+    # kind could eventually be one of "Rule", "Path", "Host", "Method", "Header",
+    # "Parameter", etc, to support simpler forms of rule matching, but for now we
+    # only support "Rule".
+    kind: Rule
+    # (optional) Priority disambiguates rules of the same length, for route matching.
+    priority: 12
+{% if basic_auth is defined or ingress_whitelist is defined %}
+    middlewares:
+{% if ingress_whitelist is defined %}
+      - name: traefik-ipwhitelist
+        namespace: tools
+{% endif %}
+{% if basic_auth is defined %}
+      - name: basic-auth
+        namespace: tools
+{% endif %}
+{% endif %}
+    services:
+    - name: weave-scope-app
+      port: 80
+      # (default 1) A weight used by the weighted round-robin strategy (WRR).  
+      weight: 1
+      # (default true) PassHostHeader controls whether to leave the request's Host
+      # Header as it was before it reached the proxy, or whether to let the proxy set it
+      # to the destination (backend) host.
+      passHostHeader: true
+      responseForwarding:
+        # (default 100ms) Interval between flushes of the buffered response body to the client.
+        flushInterval: 100ms
+  tls:
+    store:
+      name: default
+      namespace: {{ traefik_namespace }}
+    options:
+      name: default
+      namespace: {{ traefik_namespace }}
+{% endif %}
+{% endif %}