From 6a36917c04b9ff335463abe88e7045febf6c1b1e Mon Sep 17 00:00:00 2001
From: Celes Renata
Date: Sun, 8 Dec 2024 23:15:10 -0800
Subject: [PATCH] update unifi

---
 unifi/config/rbac/kustomization.yaml | 7 ++
 unifi/config/rbac/role.yaml | 46 +++++++++++
 unifi/config/rbac/role_binding.yaml | 11 +++
 unifi/config/rbac/role_binding_database.yaml | 11 +++
 unifi/config/rbac/role_database.yaml | 19 +++++
 unifi/config/rbac/service_account.yaml | 4 +
 .../config/rbac/service_account_database.yaml | 4 +
 unifi/kustomization.yaml | 2 +-
 unifi/mongo.yaml | 77 +++++++++++++++++++
 unifi/nfs-pv.yaml | 19 +++++
 unifi/nfs-pvc.yaml | 13 ++++
 unifi/runmefirst.sh | 4 +
 unifi/statefulset.yaml | 21 ++++-
 13 files changed, 236 insertions(+), 2 deletions(-)
 create mode 100644 unifi/config/rbac/kustomization.yaml
 create mode 100644 unifi/config/rbac/role.yaml
 create mode 100644 unifi/config/rbac/role_binding.yaml
 create mode 100644 unifi/config/rbac/role_binding_database.yaml
 create mode 100644 unifi/config/rbac/role_database.yaml
 create mode 100644 unifi/config/rbac/service_account.yaml
 create mode 100644 unifi/config/rbac/service_account_database.yaml
 create mode 100644 unifi/mongo.yaml
 create mode 100644 unifi/nfs-pv.yaml
 create mode 100644 unifi/nfs-pvc.yaml

diff --git a/unifi/config/rbac/kustomization.yaml b/unifi/config/rbac/kustomization.yaml
new file mode 100644
index 0000000..f1fe88a
--- /dev/null
+++ b/unifi/config/rbac/kustomization.yaml
@@ -0,0 +1,7 @@
+resources:
+- role.yaml
+- role_binding.yaml
+- service_account.yaml
+- service_account_database.yaml
+- role_binding_database.yaml
+- role_database.yaml
diff --git a/unifi/config/rbac/role.yaml b/unifi/config/rbac/role.yaml
new file mode 100644
index 0000000..6a9c420
--- /dev/null
+++ b/unifi/config/rbac/role.yaml
@@ -0,0 +1,46 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: mongodb-kubernetes-operator
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - services
+ - configmaps
+ - secrets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - apps
+ resources:
+ - statefulsets
+ verbs:
+ - create
+ - delete
+ - get
+ - list
+ - patch
+ - update
+ - watch
+- apiGroups:
+ - mongodbcommunity.mongodb.com
+ resources:
+ - mongodbcommunity
+ - mongodbcommunity/status
+ - mongodbcommunity/spec
+ - mongodbcommunity/finalizers
+ verbs:
+ - get
+ - patch
+ - list
+ - update
+ - watch
diff --git a/unifi/config/rbac/role_binding.yaml b/unifi/config/rbac/role_binding.yaml
new file mode 100644
index 0000000..b444f2d
--- /dev/null
+++ b/unifi/config/rbac/role_binding.yaml
@@ -0,0 +1,11 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mongodb-kubernetes-operator
+subjects:
+- kind: ServiceAccount
+ name: mongodb-kubernetes-operator
+roleRef:
+ kind: Role
+ name: mongodb-kubernetes-operator
+ apiGroup: rbac.authorization.k8s.io
diff --git a/unifi/config/rbac/role_binding_database.yaml b/unifi/config/rbac/role_binding_database.yaml
new file mode 100644
index 0000000..b02a52d
--- /dev/null
+++ b/unifi/config/rbac/role_binding_database.yaml
@@ -0,0 +1,11 @@
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mongodb-database
+subjects:
+- kind: ServiceAccount
+ name: mongodb-database
+roleRef:
+ kind: Role
+ name: mongodb-database
+ apiGroup: rbac.authorization.k8s.io
diff --git a/unifi/config/rbac/role_database.yaml b/unifi/config/rbac/role_database.yaml
new file mode 100644
index 0000000..eaeef74
--- /dev/null
+++ b/unifi/config/rbac/role_database.yaml
@@ -0,0 +1,19 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: mongodb-database
+rules:
+ - apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - get
+ - apiGroups:
+ - ""
+ resources:
+ - pods
+ verbs:
+ - patch
+ - delete
+ - get
diff --git a/unifi/config/rbac/service_account.yaml b/unifi/config/rbac/service_account.yaml
new file mode 100644
index 0000000..2740f6c
--- /dev/null
+++ b/unifi/config/rbac/service_account.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: mongodb-kubernetes-operator
diff --git a/unifi/config/rbac/service_account_database.yaml b/unifi/config/rbac/service_account_database.yaml
new file mode 100644
index 0000000..b24ae9d
--- /dev/null
+++ b/unifi/config/rbac/service_account_database.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: mongodb-database
diff --git a/unifi/kustomization.yaml b/unifi/kustomization.yaml
index 3f766f7..26530d9 100644
--- a/unifi/kustomization.yaml
+++ b/unifi/kustomization.yaml
@@ -6,7 +6,7 @@ resources:
 - service.yaml
 - ingress-route.yaml
 images:
- - name: linuxserver/unifi-controller
+ - name: linuxserver/unifi-network-application
 newTag: latest
 patches:
 # Set Service to LoadBalancer and Specify IP Address to use
diff --git a/unifi/mongo.yaml b/unifi/mongo.yaml
new file mode 100644
index 0000000..27ac4fd
--- /dev/null
+++ b/unifi/mongo.yaml
@@ -0,0 +1,77 @@
+---
+apiVersion: mongodbcommunity.mongodb.com/v1
+kind: MongoDBCommunity
+metadata:
+ name: unifi-mongodb
+spec:
+# containers:
+# volumeMounts:
+# - name: mongo-ps
+# mountPath: /data/db
+ members: 1
+ type: ReplicaSet
+ version: "6.0.19"
+ security:
+ authentication:
+ modes: ["SCRAM-SHA-1"]
+ users:
+ - name: unifi
+ db: admin
+ passwordSecretRef: # a reference to the secret that will be used to generate the user's password
+ name: unifi-user
+ roles:
+ - name: clusterAdmin
+ db: admin
+ - name: readWriteAnyDatabase
+ db: admin
+ - name: dbAdminAnyDatabase
+ db: admin
+ scramCredentialsSecretName: my-scram
+ additionalMongodConfig:
+ storage.wiredTiger.engineConfig.journalCompressor: zlib
+ # volumes:
+ # - name: mongo-ps
+ # persistentVolumeClaim:
+ # claimName: unifi-data-pvc
+# the user credentials will be generated from this secret
+# once the credentials are generated, this secret is no longer required
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: unifi-user
+type: Opaque
+stringData:
+ password: unifi
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: unifi-mongo-ca
+spec:
+ secretName: unifi-mongodb-ca
+ commonName: "*.unifi-mongodb-svc.unifi-service.cluster.local"
+ dnsNames:
+ - "*.unifi-mongodb-svc.unifi-service.cluster.local"
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ isCA: true
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: unifi-mongodb-tls
+spec:
+ secretName: unifi-mongodb-tls
+ commonName: "*.unifi-mongodb-svc.unifi-service.cluster.local"
+ dnsNames:
+ - unifi-mongodb-svc.unifi-service.celestium.life
+ - unifi-mongodb-svc.unifi-service
+ - unifi-mongodb-0.celestium.life
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
diff --git a/unifi/nfs-pv.yaml b/unifi/nfs-pv.yaml
new file mode 100644
index 0000000..bcff9dd
--- /dev/null
+++ b/unifi/nfs-pv.yaml
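Review bot: The `unifi` application user is granted `clusterAdmin`, `readWriteAnyDatabase` and `dbAdminAnyDatabase` on `admin` (the `roles:` list under `users:`), which hands the controller full administrative control of the replica set for what is a single-application database; a `readWrite` role scoped to `unifi-db` (the `MONGO_DBNAME` set in statefulset.yaml) — and to the `_stat` database if the image creates one, which should be confirmed — is the least-privilege shape, see below. The `unifi-user` Secret carries `password: unifi` in clear text in a file committed to the repository; create it out of band instead (e.g. `kubectl create secret generic unifi-user --from-literal=password=<password>` in runmefirst.sh, or a sealed/external secret) and keep mongo.yaml free of credentials. The `unifi-mongodb-tls` and `unifi-mongo-ca` Certificates are created here but nothing in the MongoDBCommunity spec references them (there is no `security.tls` block), so as far as this patch shows the database still accepts plaintext connections — presumably TLS was meant to be enabled, so this looks incomplete. `modes: ["SCRAM-SHA-1"]` also pins the weaker SCRAM variant; MongoDB 6.0 supports SCRAM-SHA-256, so prefer that unless the client in the UniFi image is known to need SHA-1.
```yaml
    roles:
      - name: readWrite
        db: unifi-db
      - name: readWrite
        db: unifi-db_stat  # only if the image creates this database — confirm
# … unchanged: scramCredentialsSecretName, additionalMongodConfig …
```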
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: unifi-data
+spec:
+ persistentVolumeReclaimPolicy: Delete
+ capacity:
+ storage: 5Gi
+ accessModes:
+ - ReadWriteOnce
+ - ReadWriteMany
+ storageClassName: ""
+ nfs:
+ path: /volume1/Kubernetes/mongodb/data/unifi # The path to your media
+ server: 192.168.42.8 # Your NFS server with Media
+ mountOptions:
+ - vers=4
+ - minorversion=1
+ - noac
diff --git a/unifi/nfs-pvc.yaml b/unifi/nfs-pvc.yaml
new file mode 100644
index 0000000..6791f0b
--- /dev/null
+++ b/unifi/nfs-pvc.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: unifi-data-pvc
+spec:
+ volumeName: unifi-data
+ storageClassName: ""
+ accessModes:
+ - ReadWriteMany
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 5Gi
diff --git a/unifi/runmefirst.sh b/unifi/runmefirst.sh
index aca0b0a..00af632 100755
--- a/unifi/runmefirst.sh
+++ b/unifi/runmefirst.sh
@@ -1,3 +1,7 @@
 #!/usr/bin/env bash
 kubectl create namespace unifi-service
+kubectl apply -k config/rbac/ --namespace unifi-service
+kubectl apply -f mongo.yaml -n unifi-service
+echo "Creating mongodb"
+sleep 60
 kubectl kustomize . | kubectl create -n unifi-service -f -
diff --git a/unifi/statefulset.yaml b/unifi/statefulset.yaml
index 7e8d39a..769ba63 100644
--- a/unifi/statefulset.yaml
+++ b/unifi/statefulset.yaml
@@ -10,8 +10,27 @@ spec:
 spec:
 containers:
 - name: unifi-controller
- image: linuxserver/unifi-controller
+ image: linuxserver/unifi-network-application
 imagePullPolicy: IfNotPresent
+ env:
+ - name: PUID
+ value: "1000"
+ - name: PGID
+ value: "1000"
+ - name: TZ
+ value: Etc/UTC
+ - name: MONGO_USER
+ value: unifi
+ - name: MONGO_PASS
+ value: unifi
+ - name: MONGO_HOST
+ value: unifi-mongodb-svc.unifi-service
+ - name: MONGO_PORT
+ value: "27017"
+ - name: MONGO_DBNAME
+ value: unifi-db
+ - name: MONGO_AUTHSOURCE
+ value: admin
 ports:
 - name: device-comm
 containerPort: 8080
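Review bot: `persistentVolumeReclaimPolicy: Delete` is the wrong setting for a statically provisioned NFS volume that holds database files: as far as I know the in-tree NFS plugin does not implement Delete (the PV just goes to Failed when the claim is released), and any provisioner that did honour it would remove the data directory together with the PVC; `persistentVolumeReclaimPolicy: Retain` is the safe choice here. The PV also advertises both `ReadWriteOnce` and `ReadWriteMany`; a single mode matching how the claim is actually used is clearer and avoids a multi-writer mount on a MongoDB data directory by accident. Note that on the new side nothing consumes `unifi-data-pvc` — the `volumes:` block in mongo.yaml that would reference it is commented out — so this PV/PVC pair is unused unless it is wired in elsewhere (presumably through the operator's StatefulSet override); confirm that is intended, since the operator otherwise appears to provision its own data volume from the default storage class.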
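Review bot: `sleep 60` is a fixed guess at how long the replica set takes to come up, so the `kubectl create` that follows either races an unready database or waits needlessly; a readiness wait such as `kubectl wait -n unifi-service --for=jsonpath='{.status.phase}'=Running mongodbcommunity/unifi-mongodb --timeout=300s` is deterministic (the jsonpath form needs kubectl 1.23 or newer, and the `Running` phase value should be confirmed against the operator version in use). The script also has no `set -euo pipefail`, so a failed `kubectl apply -k config/rbac/` or `kubectl apply -f mongo.yaml` does not stop it and the later steps run against a half-initialised namespace. Nothing in this patch deploys the MongoDB operator itself — only its ServiceAccount, Role and RoleBinding — so the script presumably assumes the operator is already installed; a comment stating that precondition, e.g. `# requires the MongoDB Community operator to be installed and watching unifi-service`, would help the next person who runs it.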
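Review bot: `MONGO_PASS` is set to the literal `unifi` as a plain `value:`, duplicating the password that mongo.yaml already stores in the `unifi-user` Secret; read it with `valueFrom.secretKeyRef` instead (see below) so the credential lives in one place, can be rotated without editing two manifests, and does not appear in clear text in the pod spec or `kubectl describe pod` output. mongo.yaml's comment says the `unifi-user` secret is "no longer required" once the operator has generated credentials — if it were removed, a reference from here would break, so that comment should be revised (or the reference pointed at the credentials secret the operator generates; verify its name and key). The all-digit values (`PUID`, `PGID`, `MONGO_PORT`) are correctly quoted. The enclosing container spec continues outside the hunk.
```yaml
    - name: MONGO_PASS
      valueFrom:
        secretKeyRef:
          name: unifi-user
          key: password
    # … unchanged: MONGO_HOST, MONGO_PORT, MONGO_DBNAME, MONGO_AUTHSOURCE …
```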