From 0c9529c7a2ef2d6deddcf31e487cb500f338ee9f Mon Sep 17 00:00:00 2001 
From: auricom <27022259+auricom@users.noreply.github.com> Date: Sat, 4 Jan 2025 00:00:04 +0100 Subject: [PATCH] feat: overhaul --- .../babybuddy/app/externalsecret.yaml | 19 ++ .../babybuddy/app/helmrelease.yaml | 39 +--- .../babybuddy}/app/kustomization.yaml | 0 .../kubernetes}/babybuddy/ks.yaml | 5 +- .../cloudnative-pg/app/externalsecret.yaml | 0 .../cloudnative-pg/app/helmrelease.yaml | 0 .../cloudnative-pg/app/kustomization.yaml | 0 .../cloudnative-pg/cluster/cluster16.yaml | 44 ++-- .../cloudnative-pg/cluster/kustomization.yaml | 0 .../cluster/pgdump/externalsecret.yaml | 6 +- .../cluster/pgdump/helmrelease.yaml | 12 +- .../cluster/pgdump/kustomization.yaml | 0 .../cluster/pgdump/scripts/list_dbs.sh | 0 .../cluster/prometheusrule.yaml | 0 .../cluster/scheduledbackup.yaml | 0 .../kubernetes}/cloudnative-pg/ks.yaml | 0 .../kubernetes}/cloudnative-pg/readme.md | 0 .../invidious/app/externalsecret.yaml | 4 +- .../invidious/app/helmrelease.yaml | 0 .../invidious/app/kustomization.yaml | 0 .../kubernetes}/invidious/ks.yaml | 0 .../kresus/app/externalsecret.yaml | 2 +- .../kubernetes}/kresus/app/helmrelease.yaml | 2 +- .../kubernetes/kresus}/app/kustomization.yaml | 0 .../kubernetes}/kresus/ks.yaml | 0 .../kubernetes}/maybe/app/externalsecret.yaml | 2 +- .../kubernetes}/maybe/app/helmrelease.yaml | 0 .../kubernetes/maybe}/app/kustomization.yaml | 0 .../kubernetes}/maybe/ks.yaml | 0 .../pgadmin/app/externalsecret.yaml | 0 .../kubernetes}/pgadmin/app/helmrelease.yaml | 0 .../pgadmin}/app/kustomization.yaml | 1 - .../kubernetes}/pgadmin/ks.yaml | 0 .../plant-it/app/externalsecret.yaml | 2 +- .../kubernetes}/plant-it/app/helmrelease.yaml | 0 .../plant-it}/app/kustomization.yaml | 0 .../kubernetes}/plant-it/db/helmrelease.yaml | 0 .../plant-it/db/kustomization.yaml | 0 .../kubernetes}/plant-it/ks.yaml | 0 .../kubernetes}/thanos/app/helmrelease.yaml | 13 +- .../kubernetes}/thanos/app/kustomization.yaml | 1 - .../thanos/app/objectbucketclaim.yaml | 0 
.../kubernetes}/thanos/app/pushsecret.yaml | 0 .../kubernetes}/thanos/app/readme.md | 0 .../thanos/app/resources/cache.yaml | 0 .../kubernetes}/thanos/ks.yaml | 5 +- .../windmill/app/externalsecret.yaml | 19 ++ .../kubernetes}/windmill/app/helmrelease.yaml | 33 +-- .../windmill/app/kustomization.yaml | 9 + .../kubernetes}/windmill/ks.yaml | 1 + .taskfiles/{Ansible => ansible}/Taskfile.yaml | 0 .taskfiles/bootstrap/Taskfile.yaml | 51 +++++ .../bootstrap/resources/wipe-rook.yaml.j2 | 49 +++++ .../Taskfile.yaml | 0 .taskfiles/{Flux => flux}/Taskfile.yaml | 0 .../{Kubernetes => kubernetes}/Taskfile.yaml | 8 +- .taskfiles/{Sops => sops}/Taskfile.yaml | 0 .taskfiles/{VolSync => volsync}/Taskfile.yaml | 4 +- .../scripts/controller.sh | 0 .../{VolSync => volsync}/scripts/wait.sh | 0 .../templates/list.tmpl.yaml | 0 .../replicationdestination.tmpl.yaml | 0 .../templates/unlock.tmpl.yaml | 0 .../templates/wipe.tmpl.yaml | 0 README.md | 2 +- Taskfile.yml | 13 +- .../actions-runner-controller/ks.yaml | 4 +- .../apps/actions-runner-system/namespace.yaml | 2 +- .../cert-manager/app/helmrelease.yaml | 2 +- .../externalsecret.yaml | 11 +- .../cert-manager/issuers/helmrelease.yaml | 42 ++++ .../kustomization.yaml | 0 .../apps/cert-manager/cert-manager/ks.yaml | 10 +- .../cert-manager/webhook-ovh/helmrelease.yaml | 69 ------ kubernetes/apps/cert-manager/namespace.yaml | 2 +- .../cluster/cluster.yaml | 203 ++++++++++++++++++ .../cluster/externalsecret.yaml | 26 +++ .../cluster/kustomization.yaml | 8 + .../cluster/podmonitor.yaml | 37 ++++ .../clustersecretstore.yaml | 19 ++ .../clustersecretstore/kustomization.yaml | 7 + .../clustersecretstore/rbac.yaml | 31 +++ .../crunchy-postgres-operator/ks.yaml | 110 ++++++++++ .../operator/helmrelease.yaml | 28 +++ .../operator/kustomization.yaml | 6 + .../pgadmin/externalsecret.yaml | 20 ++ .../pgadmin/ingress.yaml | 33 +++ .../pgadmin/kustomization.yaml | 9 + .../pgadmin/pgadmin.yaml | 22 ++ .../pgadmin/service.yaml | 14 ++ 
.../userinit-controller/helmrelease.yaml | 17 ++ .../userinit-controller/helmrepository.yaml | 10 + .../userinit-controller/kustomization.yaml | 7 + .../emqx/app/emqx/externalsecret.yaml | 1 - .../emqx/app/emqx/helmrelease.yaml | 16 +- .../emqx/app/emqx/kustomization.yaml | 1 - .../apps/{default => database}/emqx/ks.yaml | 6 +- kubernetes/apps/database/kustomization.yaml | 4 +- kubernetes/apps/database/namespace.yaml | 2 +- .../default/atuin/app/externalsecret.yaml | 29 --- .../apps/default/atuin/app/helmrelease.yaml | 53 ++--- .../apps/default/atuin/app/kustomization.yaml | 2 +- kubernetes/apps/default/atuin/ks.yaml | 3 +- .../default/authelia/app/externalsecret.yaml | 34 +-- .../default/authelia/app/helmrelease.yaml | 27 +-- .../default/authelia/app/kustomization.yaml | 1 - kubernetes/apps/default/authelia/ks.yaml | 4 +- .../default/babybuddy/app/externalsecret.yaml | 35 --- .../default/bazarr/app/externalsecret.yaml | 35 +-- .../apps/default/bazarr/app/helmrelease.yaml | 31 ++- kubernetes/apps/default/bazarr/ks.yaml | 4 +- .../apps/default/calibre/app/helmrelease.yaml | 3 +- kubernetes/apps/default/calibre/ks.yaml | 2 +- .../exercisediary/app/helmrelease.yaml | 12 +- kubernetes/apps/default/exercisediary/ks.yaml | 2 +- kubernetes/apps/default/flaresolverr/ks.yaml | 2 +- .../default/flood/app/externalsecret.yaml | 1 - .../apps/default/flood/app/helmrelease.yaml | 3 +- .../apps/default/flood/app/kustomization.yaml | 1 - kubernetes/apps/default/flood/ks.yaml | 2 +- .../default/freshrss/app/externalsecret.yaml | 8 - .../default/freshrss/app/helmrelease.yaml | 15 +- .../default/freshrss/app/kustomization.yaml | 1 - kubernetes/apps/default/freshrss/ks.yaml | 2 +- .../default/frigate/app/config/config.yml | 2 +- .../apps/default/frigate/app/helmrelease.yaml | 7 +- kubernetes/apps/default/frigate/ks.yaml | 2 +- .../ghostfolio/app/externalsecret.yaml | 29 ++- .../default/ghostfolio/app/helmrelease.yaml | 20 +- .../default/ghostfolio/app/kustomization.yaml | 1 - 
kubernetes/apps/default/ghostfolio/ks.yaml | 3 +- .../default/hajimari/app/helmrelease.yaml | 13 +- .../default/hajimari/app/kustomization.yaml | 1 - kubernetes/apps/default/hajimari/ks.yaml | 3 +- .../home-assistant/app/externalsecret.yaml | 30 ++- .../home-assistant/app/helmrelease.yaml | 20 +- .../home-assistant/app/kustomization.yaml | 1 - .../home-assistant/app/podmonitor.yaml | 1 - .../home-assistant/code/helmrelease.yaml | 3 +- .../apps/default/home-assistant/ks.yaml | 7 +- .../apps/default/homebox/app/helmrelease.yaml | 3 +- .../default/homebox/app/kustomization.yaml | 1 - kubernetes/apps/default/homebox/ks.yaml | 2 +- .../default/homepage/app/externalsecret.yaml | 1 - .../default/homepage/app/helmrelease.yaml | 3 +- .../default/homepage/app/kustomization.yaml | 1 - kubernetes/apps/default/homepage/ks.yaml | 2 +- .../default/jellyfin/app/helmrelease.yaml | 4 +- kubernetes/apps/default/jellyfin/ks.yaml | 2 +- .../default/joplin/app/externalsecret.yaml | 19 +- .../apps/default/joplin/app/helmrelease.yaml | 19 +- .../default/joplin/app/kustomization.yaml | 1 - kubernetes/apps/default/joplin/ks.yaml | 3 +- kubernetes/apps/default/komf/ks.yaml | 2 +- .../apps/default/komga/app/helmrelease.yaml | 3 +- kubernetes/apps/default/komga/ks.yaml | 2 +- kubernetes/apps/default/kustomization.yaml | 7 - .../default/libmedium/app/config/config.toml | 2 +- .../default/libmedium/app/helmrelease.yaml | 7 +- .../default/libmedium/app/kustomization.yaml | 1 - kubernetes/apps/default/libmedium/ks.yaml | 2 +- .../default/lidarr/app/externalsecret.yaml | 38 ++-- .../apps/default/lidarr/app/helmrelease.yaml | 31 +-- kubernetes/apps/default/lidarr/ks.yaml | 3 +- .../default/linkding/app/externalsecret.yaml | 15 -- .../default/linkding/app/helmrelease.yaml | 22 +- .../default/linkding/app/kustomization.yaml | 2 +- kubernetes/apps/default/linkding/ks.yaml | 3 +- .../default/lldap/app/externalsecret.yaml | 29 ++- .../apps/default/lldap/app/helmrelease.yaml | 29 +-- 
.../apps/default/lldap/app/kustomization.yaml | 1 - kubernetes/apps/default/lldap/ks.yaml | 4 +- .../apps/default/lms/app/helmrelease.yaml | 3 +- .../apps/default/lms/app/kustomization.yaml | 1 - kubernetes/apps/default/lms/ks.yaml | 2 +- .../default/lychee/app/externalsecret.yaml | 24 +-- .../apps/default/lychee/app/helmrelease.yaml | 42 ++-- .../default/lychee/app/kustomization.yaml | 1 - .../default/lychee/app/sync/helmrelease.yaml | 1 - kubernetes/apps/default/lychee/ks.yaml | 4 +- .../apps/default/music-transcode/ks.yaml | 2 +- kubernetes/apps/default/namespace.yaml | 2 +- .../default/navidrome/app/helmrelease.yaml | 5 +- kubernetes/apps/default/navidrome/ks.yaml | 2 +- .../default/outline/app/externalsecret.yaml | 32 ++- .../apps/default/outline/app/helmrelease.yaml | 16 +- .../default/outline/app/kustomization.yaml | 1 - kubernetes/apps/default/outline/ks.yaml | 3 +- .../default/paperless/app/externalsecret.yaml | 37 ++-- .../default/paperless/app/helmrelease.yaml | 19 +- .../default/paperless/app/kustomization.yaml | 1 - kubernetes/apps/default/paperless/ks.yaml | 4 +- .../default/prowlarr/app/externalsecret.yaml | 38 ++-- .../default/prowlarr/app/helmrelease.yaml | 28 ++- .../default/prowlarr/app/kustomization.yaml | 1 - kubernetes/apps/default/prowlarr/ks.yaml | 3 +- .../default/qbittorrent/app/helmrelease.yaml | 3 +- .../qbittorrent/app/kustomization.yaml | 1 - .../app/upgrade-p2pblocklist/helmrelease.yaml | 1 - kubernetes/apps/default/qbittorrent/ks.yaml | 2 +- .../default/radarr/app/externalsecret.yaml | 38 ++-- .../apps/default/radarr/app/helmrelease.yaml | 30 ++- kubernetes/apps/default/radarr/ks.yaml | 3 +- .../default/readeck/app/externalsecret.yaml | 28 --- .../apps/default/readeck/app/helmrelease.yaml | 24 +-- .../default/readeck/app/kustomization.yaml | 2 - kubernetes/apps/default/readeck/ks.yaml | 2 +- .../default/recyclarr/app/config/settings.yml | 2 +- .../default/recyclarr/app/externalsecret.yaml | 1 - 
.../default/recyclarr/app/helmrelease.yaml | 1 - .../default/recyclarr/app/kustomization.yaml | 1 - kubernetes/apps/default/recyclarr/ks.yaml | 2 +- .../apps/default/redlib/app/helmrelease.yaml | 5 +- kubernetes/apps/default/redlib/ks.yaml | 2 +- .../default/sabnzbd/app/externalsecret.yaml | 1 - .../apps/default/sabnzbd/app/helmrelease.yaml | 3 +- .../default/sabnzbd/app/kustomization.yaml | 1 - kubernetes/apps/default/sabnzbd/ks.yaml | 2 +- .../default/sharry/app/config/sharry.conf | 2 +- .../default/sharry/app/externalsecret.yaml | 10 - .../apps/default/sharry/app/helmrelease.yaml | 22 +- .../default/sharry/app/kustomization.yaml | 2 +- kubernetes/apps/default/sharry/ks.yaml | 3 +- kubernetes/apps/default/smtp-relay/ks.yaml | 2 +- .../default/sonarr/app/externalsecret.yaml | 28 ++- .../apps/default/sonarr/app/helmrelease.yaml | 29 ++- kubernetes/apps/default/sonarr/ks.yaml | 3 +- .../default/tandoor/app/externalsecret.yaml | 39 ++-- .../apps/default/tandoor/app/helmrelease.yaml | 17 +- kubernetes/apps/default/tandoor/ks.yaml | 3 +- .../apps/default/tdarr/app/helmrelease.yaml | 5 +- .../apps/default/tdarr/app/kustomization.yaml | 1 - kubernetes/apps/default/tdarr/ks.yaml | 4 +- .../apps/default/tdarr/node/helmrelease.yaml | 1 - .../default/tdarr/node/kustomization.yaml | 1 - .../apps/default/unifi/app/helmrelease.yaml | 3 +- .../apps/default/unifi/app/kustomization.yaml | 1 - kubernetes/apps/default/unifi/ks.yaml | 2 +- .../vaultwarden/app/externalsecret.yaml | 30 ++- .../default/vaultwarden/app/helmrelease.yaml | 20 +- .../vaultwarden/app/kustomization.yaml | 1 - kubernetes/apps/default/vaultwarden/ks.yaml | 3 +- .../default/vikunja/app/externalsecret.yaml | 38 ++-- .../apps/default/vikunja/app/helmrelease.yaml | 19 +- .../default/vikunja/app/kustomization.yaml | 1 - kubernetes/apps/default/vikunja/ks.yaml | 3 +- .../default/windmill/app/externalsecret.yaml | 29 --- .../default/windmill/app/scripts/grants.sh | 60 ------ .../zigbee2mqtt}/app/externalsecret.yaml | 
13 +- .../default/zigbee2mqtt/app/helmrelease.yaml | 18 +- .../zigbee2mqtt/app/kustomization.yaml | 2 +- kubernetes/apps/default/zigbee2mqtt/ks.yaml | 2 +- .../default/zwave-js-ui/app/helmrelease.yaml | 3 +- .../zwave-js-ui/app/kustomization.yaml | 1 - kubernetes/apps/default/zwave-js-ui/ks.yaml | 2 +- kubernetes/apps/flux-system/addons/ks.yaml | 6 +- .../webhooks/github/externalsecret.yaml | 1 - .../addons/webhooks/github/ingress.yaml | 5 +- .../addons/webhooks/github/receiver.yaml | 1 - .../capacitor/app/helmrelease.yaml | 2 +- .../capacitor/app/kustomization.yaml | 1 - .../apps/flux-system/capacitor/app/rbac.yaml | 4 + kubernetes/apps/flux-system/namespace.yaml | 2 +- .../kube-system/cilium/app/configmap.yaml | 18 -- .../kube-system/cilium/app/helm-values.yaml} | 48 +++-- .../kube-system/cilium/app/helmrelease.yaml | 85 ++------ .../kube-system/cilium/app/kustomization.yaml | 8 +- .../cilium/app/kustomizeconfig.yaml | 7 + .../kube-system/cilium/config/bgp-policy.yaml | 21 ++ .../kube-system/cilium/config/bgp-pool.yaml | 8 + .../cilium/config/kustomization.yaml | 6 + kubernetes/apps/kube-system/cilium/ks.yaml | 30 ++- .../kube-system/coredns/app/helm-values.yaml | 51 +++++ .../kube-system/coredns/app/helmrelease.yaml | 27 +++ .../coredns}/app/kustomization.yaml | 10 +- .../coredns/app/kustomizeconfig.yaml | 7 + kubernetes/apps/kube-system/coredns/ks.yaml | 24 +++ .../apps/kube-system/descheduler/ks.yaml | 2 +- .../apps/kube-system/external-secrets/ks.yaml | 4 +- .../stores/onepassword/helmrelease.yaml | 7 +- .../stores/onepassword/kustomization.yaml | 1 - .../stores/onepassword/secret.sops.yaml | 9 +- .../kube-system/fstrim/app/helmrelease.yaml | 72 +++++++ .../kube-system/fstrim/app/kustomization.yaml | 6 + kubernetes/apps/kube-system/fstrim/ks.yaml | 24 +++ .../exporter/helmrelease.yaml | 70 ------ .../kube-system/intel-device-plugin/ks.yaml | 28 +-- kubernetes/apps/kube-system/k8s-ycl/ks.yaml | 2 +- .../kubelet-csr-approver/app/helm-values.yaml | 8 + 
.../kubelet-csr-approver/app/helmrelease.yaml | 13 +- .../app/kustomization.yaml | 7 +- .../app/kustomizeconfig.yaml | 7 + .../kube-system/kubelet-csr-approver/ks.yaml | 2 +- .../apps/kube-system/kustomization.yaml | 4 +- .../metrics-server/app/helmrelease.yaml | 9 +- .../apps/kube-system/metrics-server/ks.yaml | 2 +- kubernetes/apps/kube-system/namespace.yaml | 2 +- .../node-feature-discovery/ks.yaml | 4 +- kubernetes/apps/kube-system/reloader/ks.yaml | 2 +- .../kube-system/snapshot-controller/ks.yaml | 2 +- .../kube-system/spegel/app/helm-values.yaml | 12 ++ .../kube-system/spegel/app/helmrelease.yaml | 25 +-- .../kube-system/spegel/app/kustomization.yaml | 6 + .../spegel/app/kustomizeconfig.yaml | 7 + kubernetes/apps/kube-system/spegel/ks.yaml | 2 +- kubernetes/apps/kustomization.yaml | 18 -- kubernetes/apps/kyverno/namespace.yaml | 2 +- .../monitoring/kube-prometheus-stack/ks.yaml | 52 ----- .../network/cloudflared/app/dnsendpoint.yaml | 11 + .../cloudflared/app/externalsecret.yaml | 24 +++ .../network/cloudflared/app/helmrelease.yaml | 110 ++++++++++ .../cloudflared}/app/kustomization.yaml | 9 +- .../cloudflared/app/resources/config.yaml | 10 + kubernetes/apps/network/cloudflared/ks.yaml | 26 +++ .../cloudflare/externalsecret.yaml | 19 ++ .../external-dns/cloudflare/helmrelease.yaml | 53 +++++ .../cloudflare}/kustomization.yaml | 1 - .../external-dns/ks.yaml | 8 +- .../network/k8s-gateway/app/helmrelease.yaml | 34 +++ .../k8s-gateway/app}/kustomization.yaml | 2 +- .../k8s-gateway/ks.yaml | 6 +- .../kustomization.yaml | 3 +- .../{networking => network}/namespace.yaml | 8 +- .../nginx}/certificates/certificates.yaml | 2 +- .../nginx}/certificates/kustomization.yaml | 0 .../network/nginx/external/helmrelease.yaml | 101 +++++++++ .../nginx/external}/kustomization.yaml | 3 +- .../network/nginx/internal/helmrelease.yaml | 100 +++++++++ .../network/nginx/internal/kustomization.yaml | 7 + kubernetes/apps/network/nginx/ks.yaml | 78 +++++++ 
.../external-dns/app/helmrelease.yaml | 66 ------ .../app/dashboard/kustomization.yaml | 18 -- .../ingress-nginx/app/helmrelease.yaml | 147 ------------- .../apps/networking/ingress-nginx/ks.yaml | 52 ----- .../apps/networking/k8s-gateway/app/Corefile | 17 -- .../k8s-gateway/app/helmrelease.yaml | 104 --------- .../apps/networking/k8s-gateway/app/rbac.yaml | 48 ----- .../landing-page/app-staging/helmrelease.yaml | 6 +- .../app-staging/kustomization.yaml | 1 - .../ngnode/landing-page/app/helmrelease.yaml | 10 +- .../landing-page/app/kustomization.yaml | 1 - kubernetes/apps/ngnode/landing-page/ks.yaml | 4 +- .../apprise/app/helmrelease.yaml | 2 +- .../apprise/app/kustomization.yaml | 1 - .../apprise/ks.yaml | 6 +- .../blackbox-exporter/app/helmrelease.yaml | 74 +++++++ .../blackbox-exporter/app/kustomization.yaml | 7 + .../blackbox-exporter/app/probes.yaml | 14 ++ .../observability/blackbox-exporter/ks.yaml | 20 ++ .../gatus/app/config/config.yaml | 4 +- .../gatus/app/externalsecret.yaml | 10 - .../gatus/app/helmrelease.yaml | 88 ++++---- .../gatus/app/kustomization.yaml | 2 +- .../apps/observability/gatus/app/pvc.yaml | 11 + .../gatus/app/rbac.yaml | 13 +- .../gatus/ks.yaml | 6 +- .../grafana/app/externalsecret.yaml | 3 +- .../grafana/app/helmrelease.yaml | 59 +---- .../grafana/app/kustomization.yaml | 1 - .../grafana/dashboards/home-assistant.json | 0 .../dashboards/homelab-temperatures.json | 0 .../grafana/dashboards/truenas.json | 0 .../grafana/ks.yaml | 6 +- .../app/externalsecret.yaml | 1 - .../app/helmrelease.yaml | 78 +++---- .../app/kustomization.yaml | 1 - .../app/prometheusrule.yaml | 0 .../app/scrapeconfig.yaml | 0 .../crds/helmrelease.yaml | 23 ++ .../crds/kustomization.yaml | 6 + .../kube-prometheus-stack/ks.yaml | 72 +++++++ .../rules/kustomization.yaml | 1 - .../kube-prometheus-stack/rules/zfs.yaml | 1 - .../kustomization.yaml | 2 +- .../mailrise/app/externalsecret.yaml | 1 - .../mailrise/app/helmrelease.yaml | 3 +- .../mailrise/app/kustomization.yaml 
| 1 - .../mailrise/app/mailrise.yaml | 0 .../mailrise/ks.yaml | 6 +- .../namespace.yaml | 9 +- .../scrutiny/app/externalsecret.yaml | 1 - .../scrutiny/app/helmrelease.yaml | 3 +- .../scrutiny/app/kustomization.yaml | 0 .../scrutiny/collector/helmrelease.yaml | 3 +- .../scrutiny/collector/kustomization.yaml | 0 .../scrutiny/ks.yaml | 12 +- kubernetes/apps/openebs-system/namespace.yaml | 4 +- kubernetes/apps/rook-ceph/namespace.yaml | 2 +- .../rook-ceph/rook-ceph/app/helmrelease.yaml | 7 +- .../rook-ceph/cluster/helmrelease.yaml | 11 +- kubernetes/apps/rook-ceph/rook-ceph/ks.yaml | 6 +- .../rook-ceph/tools/helmrelease.yaml | 1 - kubernetes/apps/volsync/namespace.yaml | 2 +- kubernetes/apps/volsync/volsync/ks.yaml | 2 +- kubernetes/bootstrap/apps/helmfile.yaml | 56 +++++ .../bootstrap/cilium/kustomization.yaml | 15 -- kubernetes/bootstrap/flux/kustomization.yaml | 56 ++++- .../kubelet-csr-approver/kustomization.yaml | 18 -- kubernetes/flux/apps.yaml | 2 +- kubernetes/flux/config/cluster.yaml | 2 +- kubernetes/flux/config/flux.yaml | 23 +- .../flux/repositories/helm/coredns.yaml | 10 + .../flux/repositories/helm/crunchydata.yaml | 12 ++ .../flux/repositories/helm/k8s-gateway.yaml | 10 + .../flux/repositories/helm/kustomization.yaml | 3 + .../flux/vars/cluster-secrets.sops.yaml | 7 +- kubernetes/flux/vars/cluster-settings.yaml | 6 +- kubernetes/talos/cluster-0/talconfig.yaml | 195 +++++++++-------- 408 files changed, 3187 insertions(+), 2380 deletions(-) create mode 100644 .archive/kubernetes/babybuddy/app/externalsecret.yaml rename {kubernetes/apps/default => .archive/kubernetes}/babybuddy/app/helmrelease.yaml (69%) rename {kubernetes/apps/database/pgadmin => .archive/kubernetes/babybuddy}/app/kustomization.yaml (100%) rename {kubernetes/apps/default => .archive/kubernetes}/babybuddy/ks.yaml (75%) rename {kubernetes/apps/database => .archive/kubernetes}/cloudnative-pg/app/externalsecret.yaml (100%) rename {kubernetes/apps/database => 
.archive/kubernetes}/cloudnative-pg/app/helmrelease.yaml (100%) rename {kubernetes/apps/database => .archive/kubernetes}/cloudnative-pg/app/kustomization.yaml (100%) rename {kubernetes/apps/database => .archive/kubernetes}/cloudnative-pg/cluster/cluster16.yaml (54%) rename {kubernetes/apps/database => .archive/kubernetes}/cloudnative-pg/cluster/kustomization.yaml (100%) rename {kubernetes/apps/database => .archive/kubernetes}/cloudnative-pg/cluster/pgdump/externalsecret.yaml (78%) rename {kubernetes/apps/database => .archive/kubernetes}/cloudnative-pg/cluster/pgdump/helmrelease.yaml (87%) rename {kubernetes/apps/database => .archive/kubernetes}/cloudnative-pg/cluster/pgdump/kustomization.yaml (100%) rename {kubernetes/apps/database => .archive/kubernetes}/cloudnative-pg/cluster/pgdump/scripts/list_dbs.sh (100%) rename {kubernetes/apps/database => .archive/kubernetes}/cloudnative-pg/cluster/prometheusrule.yaml (100%) rename {kubernetes/apps/database => .archive/kubernetes}/cloudnative-pg/cluster/scheduledbackup.yaml (100%) rename {kubernetes/apps/database => .archive/kubernetes}/cloudnative-pg/ks.yaml (100%) rename {kubernetes/apps/database => .archive/kubernetes}/cloudnative-pg/readme.md (100%) rename {kubernetes/apps/default => .archive/kubernetes}/invidious/app/externalsecret.yaml (88%) rename {kubernetes/apps/default => .archive/kubernetes}/invidious/app/helmrelease.yaml (100%) rename {kubernetes/apps/default => .archive/kubernetes}/invidious/app/kustomization.yaml (100%) rename {kubernetes/apps/default => .archive/kubernetes}/invidious/ks.yaml (100%) rename {kubernetes/apps/default => .archive/kubernetes}/kresus/app/externalsecret.yaml (93%) rename {kubernetes/apps/default => .archive/kubernetes}/kresus/app/helmrelease.yaml (97%) rename {kubernetes/apps/default/babybuddy => .archive/kubernetes/kresus}/app/kustomization.yaml (100%) rename {kubernetes/apps/default => .archive/kubernetes}/kresus/ks.yaml (100%) rename {kubernetes/apps/default => 
.archive/kubernetes}/maybe/app/externalsecret.yaml (93%) rename {kubernetes/apps/default => .archive/kubernetes}/maybe/app/helmrelease.yaml (100%) rename {kubernetes/apps/default/kresus => .archive/kubernetes/maybe}/app/kustomization.yaml (100%) rename {kubernetes/apps/default => .archive/kubernetes}/maybe/ks.yaml (100%) rename {kubernetes/apps/database => .archive/kubernetes}/pgadmin/app/externalsecret.yaml (100%) rename {kubernetes/apps/database => .archive/kubernetes}/pgadmin/app/helmrelease.yaml (100%) rename {kubernetes/apps/default/plant-it => .archive/kubernetes/pgadmin}/app/kustomization.yaml (94%) rename {kubernetes/apps/database => .archive/kubernetes}/pgadmin/ks.yaml (100%) rename {kubernetes/apps/default => .archive/kubernetes}/plant-it/app/externalsecret.yaml (93%) rename {kubernetes/apps/default => .archive/kubernetes}/plant-it/app/helmrelease.yaml (100%) rename {kubernetes/apps/default/maybe => .archive/kubernetes/plant-it}/app/kustomization.yaml (100%) rename {kubernetes/apps/default => .archive/kubernetes}/plant-it/db/helmrelease.yaml (100%) rename {kubernetes/apps/default => .archive/kubernetes}/plant-it/db/kustomization.yaml (100%) rename {kubernetes/apps/default => .archive/kubernetes}/plant-it/ks.yaml (100%) rename {kubernetes/apps/monitoring => .archive/kubernetes}/thanos/app/helmrelease.yaml (90%) rename {kubernetes/apps/monitoring => .archive/kubernetes}/thanos/app/kustomization.yaml (95%) rename {kubernetes/apps/monitoring => .archive/kubernetes}/thanos/app/objectbucketclaim.yaml (100%) rename {kubernetes/apps/monitoring => .archive/kubernetes}/thanos/app/pushsecret.yaml (100%) rename {kubernetes/apps/monitoring => .archive/kubernetes}/thanos/app/readme.md (100%) rename {kubernetes/apps/monitoring => .archive/kubernetes}/thanos/app/resources/cache.yaml (100%) rename {kubernetes/apps/monitoring => .archive/kubernetes}/thanos/ks.yaml (83%) create mode 100644 .archive/kubernetes/windmill/app/externalsecret.yaml rename {kubernetes/apps/default 
=> .archive/kubernetes}/windmill/app/helmrelease.yaml (68%) create mode 100644 .archive/kubernetes/windmill/app/kustomization.yaml rename {kubernetes/apps/default => .archive/kubernetes}/windmill/ks.yaml (93%) rename .taskfiles/{Ansible => ansible}/Taskfile.yaml (100%) create mode 100644 .taskfiles/bootstrap/Taskfile.yaml create mode 100644 .taskfiles/bootstrap/resources/wipe-rook.yaml.j2 rename .taskfiles/{ExternalSecrets => externalsecrets}/Taskfile.yaml (100%) rename .taskfiles/{Flux => flux}/Taskfile.yaml (100%) rename .taskfiles/{Kubernetes => kubernetes}/Taskfile.yaml (84%) rename .taskfiles/{Sops => sops}/Taskfile.yaml (100%) rename .taskfiles/{VolSync => volsync}/Taskfile.yaml (98%) rename .taskfiles/{VolSync => volsync}/scripts/controller.sh (100%) rename .taskfiles/{VolSync => volsync}/scripts/wait.sh (100%) rename .taskfiles/{VolSync => volsync}/templates/list.tmpl.yaml (100%) rename .taskfiles/{VolSync => volsync}/templates/replicationdestination.tmpl.yaml (100%) rename .taskfiles/{VolSync => volsync}/templates/unlock.tmpl.yaml (100%) rename .taskfiles/{VolSync => volsync}/templates/wipe.tmpl.yaml (100%) rename kubernetes/apps/cert-manager/cert-manager/{webhook-ovh => issuers}/externalsecret.yaml (66%) create mode 100644 kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml rename kubernetes/apps/cert-manager/cert-manager/{webhook-ovh => issuers}/kustomization.yaml (100%) delete mode 100644 kubernetes/apps/cert-manager/cert-manager/webhook-ovh/helmrelease.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/cluster/cluster.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/cluster/externalsecret.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/cluster/kustomization.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/cluster/podmonitor.yaml create mode 100644 
kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/clustersecretstore.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/kustomization.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/rbac.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/ks.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/operator/helmrelease.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/operator/kustomization.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/pgadmin/externalsecret.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/pgadmin/ingress.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/pgadmin/kustomization.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/pgadmin/pgadmin.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/pgadmin/service.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/helmrelease.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/helmrepository.yaml create mode 100644 kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/kustomization.yaml rename kubernetes/apps/{default => database}/emqx/app/emqx/externalsecret.yaml (96%) rename kubernetes/apps/{default => database}/emqx/app/emqx/helmrelease.yaml (81%) rename kubernetes/apps/{default => database}/emqx/app/emqx/kustomization.yaml (93%) rename kubernetes/apps/{default => database}/emqx/ks.yaml (69%) delete mode 100644 kubernetes/apps/default/atuin/app/externalsecret.yaml delete mode 100644 kubernetes/apps/default/babybuddy/app/externalsecret.yaml delete mode 100644 kubernetes/apps/default/readeck/app/externalsecret.yaml delete mode 100644 kubernetes/apps/default/windmill/app/externalsecret.yaml delete mode 
100644 kubernetes/apps/default/windmill/app/scripts/grants.sh rename kubernetes/apps/{networking/external-dns => default/zigbee2mqtt}/app/externalsecret.yaml (56%) delete mode 100644 kubernetes/apps/kube-system/cilium/app/configmap.yaml rename kubernetes/{bootstrap/cilium/values.yaml => apps/kube-system/cilium/app/helm-values.yaml} (51%) create mode 100644 kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml create mode 100644 kubernetes/apps/kube-system/cilium/config/bgp-policy.yaml create mode 100644 kubernetes/apps/kube-system/cilium/config/bgp-pool.yaml create mode 100644 kubernetes/apps/kube-system/cilium/config/kustomization.yaml create mode 100644 kubernetes/apps/kube-system/coredns/app/helm-values.yaml create mode 100644 kubernetes/apps/kube-system/coredns/app/helmrelease.yaml rename kubernetes/apps/{networking/k8s-gateway => kube-system/coredns}/app/kustomization.yaml (66%) create mode 100644 kubernetes/apps/kube-system/coredns/app/kustomizeconfig.yaml create mode 100644 kubernetes/apps/kube-system/coredns/ks.yaml create mode 100644 kubernetes/apps/kube-system/fstrim/app/helmrelease.yaml create mode 100644 kubernetes/apps/kube-system/fstrim/app/kustomization.yaml create mode 100644 kubernetes/apps/kube-system/fstrim/ks.yaml delete mode 100644 kubernetes/apps/kube-system/intel-device-plugin/exporter/helmrelease.yaml create mode 100644 kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml create mode 100644 kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml create mode 100644 kubernetes/apps/kube-system/spegel/app/helm-values.yaml create mode 100644 kubernetes/apps/kube-system/spegel/app/kustomizeconfig.yaml delete mode 100644 kubernetes/apps/kustomization.yaml delete mode 100644 kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml create mode 100644 kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml create mode 100644 kubernetes/apps/network/cloudflared/app/externalsecret.yaml create mode 100644 
kubernetes/apps/network/cloudflared/app/helmrelease.yaml rename kubernetes/apps/{default/windmill => network/cloudflared}/app/kustomization.yaml (60%) create mode 100644 kubernetes/apps/network/cloudflared/app/resources/config.yaml create mode 100644 kubernetes/apps/network/cloudflared/ks.yaml create mode 100644 kubernetes/apps/network/external-dns/cloudflare/externalsecret.yaml create mode 100644 kubernetes/apps/network/external-dns/cloudflare/helmrelease.yaml rename kubernetes/apps/{networking/external-dns/app => network/external-dns/cloudflare}/kustomization.yaml (92%) rename kubernetes/apps/{networking => network}/external-dns/ks.yaml (62%) create mode 100644 kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml rename kubernetes/apps/{kube-system/intel-device-plugin/exporter => network/k8s-gateway/app}/kustomization.yaml (91%) rename kubernetes/apps/{networking => network}/k8s-gateway/ks.yaml (64%) rename kubernetes/apps/{networking => network}/kustomization.yaml (88%) rename kubernetes/apps/{networking => network}/namespace.yaml (85%) rename kubernetes/apps/{networking/ingress-nginx => network/nginx}/certificates/certificates.yaml (93%) rename kubernetes/apps/{networking/ingress-nginx => network/nginx}/certificates/kustomization.yaml (100%) create mode 100644 kubernetes/apps/network/nginx/external/helmrelease.yaml rename kubernetes/apps/{networking/ingress-nginx/app => network/nginx/external}/kustomization.yaml (86%) create mode 100644 kubernetes/apps/network/nginx/internal/helmrelease.yaml create mode 100644 kubernetes/apps/network/nginx/internal/kustomization.yaml create mode 100644 kubernetes/apps/network/nginx/ks.yaml delete mode 100644 kubernetes/apps/networking/external-dns/app/helmrelease.yaml delete mode 100644 kubernetes/apps/networking/ingress-nginx/app/dashboard/kustomization.yaml delete mode 100644 kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml delete mode 100644 kubernetes/apps/networking/ingress-nginx/ks.yaml delete mode 100644 
kubernetes/apps/networking/k8s-gateway/app/Corefile delete mode 100644 kubernetes/apps/networking/k8s-gateway/app/helmrelease.yaml delete mode 100644 kubernetes/apps/networking/k8s-gateway/app/rbac.yaml rename kubernetes/apps/{monitoring => observability}/apprise/app/helmrelease.yaml (98%) rename kubernetes/apps/{monitoring => observability}/apprise/app/kustomization.yaml (93%) rename kubernetes/apps/{monitoring => observability}/apprise/ks.yaml (69%) create mode 100644 kubernetes/apps/observability/blackbox-exporter/app/helmrelease.yaml create mode 100644 kubernetes/apps/observability/blackbox-exporter/app/kustomization.yaml create mode 100644 kubernetes/apps/observability/blackbox-exporter/app/probes.yaml create mode 100644 kubernetes/apps/observability/blackbox-exporter/ks.yaml rename kubernetes/apps/{monitoring => observability}/gatus/app/config/config.yaml (83%) rename kubernetes/apps/{monitoring => observability}/gatus/app/externalsecret.yaml (59%) rename kubernetes/apps/{monitoring => observability}/gatus/app/helmrelease.yaml (68%) rename kubernetes/apps/{monitoring => observability}/gatus/app/kustomization.yaml (95%) create mode 100644 kubernetes/apps/observability/gatus/app/pvc.yaml rename kubernetes/apps/{monitoring => observability}/gatus/app/rbac.yaml (69%) rename kubernetes/apps/{monitoring => observability}/gatus/ks.yaml (67%) rename kubernetes/apps/{monitoring => observability}/grafana/app/externalsecret.yaml (91%) rename kubernetes/apps/{monitoring => observability}/grafana/app/helmrelease.yaml (81%) rename kubernetes/apps/{monitoring => observability}/grafana/app/kustomization.yaml (92%) rename kubernetes/apps/{monitoring => observability}/grafana/dashboards/home-assistant.json (100%) rename kubernetes/apps/{monitoring => observability}/grafana/dashboards/homelab-temperatures.json (100%) rename kubernetes/apps/{monitoring => observability}/grafana/dashboards/truenas.json (100%) rename kubernetes/apps/{monitoring => observability}/grafana/ks.yaml 
(64%) rename kubernetes/apps/{monitoring => observability}/kube-prometheus-stack/app/externalsecret.yaml (96%) rename kubernetes/apps/{monitoring => observability}/kube-prometheus-stack/app/helmrelease.yaml (76%) rename kubernetes/apps/{monitoring => observability}/kube-prometheus-stack/app/kustomization.yaml (93%) rename kubernetes/apps/{monitoring => observability}/kube-prometheus-stack/app/prometheusrule.yaml (100%) rename kubernetes/apps/{monitoring => observability}/kube-prometheus-stack/app/scrapeconfig.yaml (100%) create mode 100644 kubernetes/apps/observability/kube-prometheus-stack/crds/helmrelease.yaml create mode 100644 kubernetes/apps/observability/kube-prometheus-stack/crds/kustomization.yaml create mode 100644 kubernetes/apps/observability/kube-prometheus-stack/ks.yaml rename kubernetes/apps/{monitoring => observability}/kube-prometheus-stack/rules/kustomization.yaml (91%) rename kubernetes/apps/{monitoring => observability}/kube-prometheus-stack/rules/zfs.yaml (95%) rename kubernetes/apps/{monitoring => observability}/kustomization.yaml (93%) rename kubernetes/apps/{monitoring => observability}/mailrise/app/externalsecret.yaml (94%) rename kubernetes/apps/{monitoring => observability}/mailrise/app/helmrelease.yaml (97%) rename kubernetes/apps/{monitoring => observability}/mailrise/app/kustomization.yaml (95%) rename kubernetes/apps/{monitoring => observability}/mailrise/app/mailrise.yaml (100%) rename kubernetes/apps/{monitoring => observability}/mailrise/ks.yaml (66%) rename kubernetes/apps/{monitoring => observability}/namespace.yaml (81%) rename kubernetes/apps/{monitoring => observability}/scrutiny/app/externalsecret.yaml (95%) rename kubernetes/apps/{monitoring => observability}/scrutiny/app/helmrelease.yaml (98%) rename kubernetes/apps/{monitoring => observability}/scrutiny/app/kustomization.yaml (100%) rename kubernetes/apps/{monitoring => observability}/scrutiny/collector/helmrelease.yaml (94%) rename kubernetes/apps/{monitoring => 
observability}/scrutiny/collector/kustomization.yaml (100%) rename kubernetes/apps/{monitoring => observability}/scrutiny/ks.yaml (67%) create mode 100644 kubernetes/bootstrap/apps/helmfile.yaml delete mode 100644 kubernetes/bootstrap/cilium/kustomization.yaml delete mode 100644 kubernetes/bootstrap/kubelet-csr-approver/kustomization.yaml create mode 100644 kubernetes/flux/repositories/helm/coredns.yaml create mode 100644 kubernetes/flux/repositories/helm/crunchydata.yaml create mode 100644 kubernetes/flux/repositories/helm/k8s-gateway.yaml diff --git a/.archive/kubernetes/babybuddy/app/externalsecret.yaml b/.archive/kubernetes/babybuddy/app/externalsecret.yaml new file mode 100644 index 000000000..0d278b519 --- /dev/null +++ b/.archive/kubernetes/babybuddy/app/externalsecret.yaml @@ -0,0 +1,19 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: babybuddy +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: babybuddy-secret + template: + engineVersion: v2 + data: + SECRET_KEY: "{{ .BABYBUDDY_SECRET_KEY }}" + dataFrom: + - extract: + key: babybuddy diff --git a/kubernetes/apps/default/babybuddy/app/helmrelease.yaml b/.archive/kubernetes/babybuddy/app/helmrelease.yaml similarity index 69% rename from kubernetes/apps/default/babybuddy/app/helmrelease.yaml rename to .archive/kubernetes/babybuddy/app/helmrelease.yaml index bb2dc60e2..2de25c8be 100644 --- a/kubernetes/apps/default/babybuddy/app/helmrelease.yaml +++ b/.archive/kubernetes/babybuddy/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app babybuddy - namespace: default spec: interval: 30m chart: 
@@ -32,43 +31,17 @@ spec: babybuddy: annotations: reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: babybuddy-secret - migrations: - image: - repository: ghcr.io/auricom/babybuddy - tag: 2.7.0@sha256:39bc60fb6825d5bca296c078f599e00c6b9249d55992ddfe4200e6aa0841f86a - pullPolicy: IfNotPresent - envFrom: *envFrom - command: - - /bin/bash - - -c - - | - #!/bin/bash - - set -o errexit - set -o nounset - - cd www/public - python3 ./manage.py migrate --noinput - python3 ./manage.py createcachetable containers: app: image: - repository: ghcr.io/auricom/babybuddy - tag: 2.7.0@sha256:e112563cbd34c4283e8cf5ee756dbed695799dcefe4f035f9495beacb6415d12 + repository: lscr.io/linuxserver/babybuddy + tag: 2.7.0@sha256:579e8f62bed981ed94c021de60a302ba01c22c971ba2bacfcf821650fbc89e9d env: TZ: ${TIMEZONE} - EMAIL_HOST: smtp-relay.default.svc.cluster.local. - EMAIL_PORT: "2525" - EMAIL_USE_TLS: "false" - envFrom: *envFrom + CSRF_TRUSTED_ORIGINS: https://{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN} + envFrom: + - secretRef: + name: babybuddy-secret probes: liveness: &probes enabled: true diff --git a/kubernetes/apps/database/pgadmin/app/kustomization.yaml b/.archive/kubernetes/babybuddy/app/kustomization.yaml similarity index 100% rename from kubernetes/apps/database/pgadmin/app/kustomization.yaml rename to .archive/kubernetes/babybuddy/app/kustomization.yaml diff --git a/kubernetes/apps/default/babybuddy/ks.yaml b/.archive/kubernetes/babybuddy/ks.yaml similarity index 75% rename from kubernetes/apps/default/babybuddy/ks.yaml rename to .archive/kubernetes/babybuddy/ks.yaml index 8506eeeb8..7ba05bc89 100644 --- a/kubernetes/apps/default/babybuddy/ks.yaml +++ b/.archive/kubernetes/babybuddy/ks.yaml 
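Review bot: The new `containers.app` block drops every database setting (the init-db and migrations initContainers and the DB-bearing `envFrom` anchor) while the babybuddy ExternalSecret in the previous hunk still templates only `SECRET_KEY`, so the linuxserver image presumably falls back to its bundled SQLite database; yet the archived ks.yaml in the hunks that follow gains `dependsOn: - name: crunchy-postgres-operator-cluster`. Either the `DB_*` env wiring belongs here or that dependency should go, so the archived manifest is coherent if it is ever revived. `CSRF_TRUSTED_ORIGINS: https://{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}` also only works if the chart runs env values through `tpl`; the chart reference is outside this hunk, so confirm it, since an unexpanded literal makes Django reject every POST. The enclosing `values` block starts and ends outside the hunk.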
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -16,6 +16,7 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: + - name: crunchy-postgres-operator-cluster - name: external-secrets-stores - name: volsync wait: false @@ -27,4 +28,4 @@ spec: APP: *app VOLSYNC_CAPACITY: 2Gi VOLSYNC_UID: "65532" - VOLSYNC_GID: "65532" \ No newline at end of file + VOLSYNC_GID: "65532" diff --git a/kubernetes/apps/database/cloudnative-pg/app/externalsecret.yaml b/.archive/kubernetes/cloudnative-pg/app/externalsecret.yaml similarity index 100% rename from kubernetes/apps/database/cloudnative-pg/app/externalsecret.yaml rename to .archive/kubernetes/cloudnative-pg/app/externalsecret.yaml diff --git a/kubernetes/apps/database/cloudnative-pg/app/helmrelease.yaml b/.archive/kubernetes/cloudnative-pg/app/helmrelease.yaml similarity index 100% rename from kubernetes/apps/database/cloudnative-pg/app/helmrelease.yaml rename to .archive/kubernetes/cloudnative-pg/app/helmrelease.yaml diff --git a/kubernetes/apps/database/cloudnative-pg/app/kustomization.yaml b/.archive/kubernetes/cloudnative-pg/app/kustomization.yaml similarity index 100% rename from kubernetes/apps/database/cloudnative-pg/app/kustomization.yaml rename to .archive/kubernetes/cloudnative-pg/app/kustomization.yaml diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/cluster16.yaml b/.archive/kubernetes/cloudnative-pg/cluster/cluster16.yaml similarity index 54% rename from kubernetes/apps/database/cloudnative-pg/cluster/cluster16.yaml rename to .archive/kubernetes/cloudnative-pg/cluster/cluster16.yaml index 2b6db3b94..7fcdc6b69 100644 --- a/kubernetes/apps/database/cloudnative-pg/cluster/cluster16.yaml 
+++ b/.archive/kubernetes/cloudnative-pg/cluster/cluster16.yaml @@ -4,8 +4,8 @@ kind: Cluster metadata: name: postgres16 spec: - instances: 4 # set to the number of nodes in the cluster - imageName: ghcr.io/cloudnative-pg/postgresql:16.2-10@sha256:82827bc9bc5ca7df1d7f7d4813444e0e7a8e32633ad72c5c66ad2be72c3b2095 + instances: 1 + imageName: ghcr.io/cloudnative-pg/postgresql:16.2 primaryUpdateStrategy: unsupervised storage: size: 50Gi @@ -37,34 +37,28 @@ spec: wal: compression: bzip2 maxParallel: 8 - destinationPath: s3://postgresql/ - endpointURL: https://s3.${SECRET_INTERNAL_DOMAIN} + destinationPath: &dest s3://postgresql/ + endpointURL: &url https://s3.${SECRET_INTERNAL_DOMAIN} # Note: serverName version needs to be inclemented # when recovering from an existing cnpg cluster - serverName: postgres16-v4 - s3Credentials: + serverName: postgres16-v5 + s3Credentials: &credentials accessKeyId: name: cloudnative-pg-secret key: aws-access-key-id secretAccessKey: name: cloudnative-pg-secret key: aws-secret-access-key - # # Note: previousCluster needs to be set to the name of the previous - # # cluster when recovering from an existing cnpg cluster - # bootstrap: - # recovery: - # source: postgres16-v3 - # externalClusters: - # - name: postgres16-v3 - # barmanObjectStore: - # destinationPath: s3://postgresql/ - # endpointURL: https://s3.${SECRET_INTERNAL_DOMAIN} - # s3Credentials: - # accessKeyId: - # name: cloudnative-pg-secret - # key: aws-access-key-id - # secretAccessKey: - # name: cloudnative-pg-secret - # key: aws-secret-access-key - # wal: - # maxParallel: 8 + # Note: previousCluster needs to be set to the name of the previous + # cluster when recovering from an existing cnpg cluster + bootstrap: + recovery: + source: &backup postgres16-v4 + externalClusters: + - name: *backup + barmanObjectStore: + destinationPath: *dest + endpointURL: *url + s3Credentials: *credentials + wal: + maxParallel: 8 
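Review bot: `imageName: ghcr.io/cloudnative-pg/postgresql:16.2` in the first hunk drops both the `-10` build suffix and the `@sha256:` digest the old line carried, so the Postgres image becomes a mutable tag reference that can change under the cluster without any diff in git; keep the pin, e.g. `imageName: ghcr.io/cloudnative-pg/postgresql:16.2@sha256:<digest-of-the-16.2-image>`. In the second hunk the `bootstrap.recovery` block is now live with `source: &backup postgres16-v4` while `serverName` is bumped to `postgres16-v5`; CNPG only honours `bootstrap` when the Cluster object is first created, so a comment such as `# bootstrap is read at cluster creation only: a fresh apply restores v4 into v5, an existing cluster ignores this block` next to it would stop someone applying the archived manifest expecting an empty init. While here, the retained comment's `inclemented` should read `incremented`. The `spec` block continues outside both hunks.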
diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/kustomization.yaml b/.archive/kubernetes/cloudnative-pg/cluster/kustomization.yaml similarity index 100% rename from kubernetes/apps/database/cloudnative-pg/cluster/kustomization.yaml rename to .archive/kubernetes/cloudnative-pg/cluster/kustomization.yaml diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/pgdump/externalsecret.yaml b/.archive/kubernetes/cloudnative-pg/cluster/pgdump/externalsecret.yaml similarity index 78% rename from kubernetes/apps/database/cloudnative-pg/cluster/pgdump/externalsecret.yaml rename to .archive/kubernetes/cloudnative-pg/cluster/pgdump/externalsecret.yaml index 1e97950c0..169db151f 100644 --- a/kubernetes/apps/database/cloudnative-pg/cluster/pgdump/externalsecret.yaml +++ b/.archive/kubernetes/cloudnative-pg/cluster/pgdump/externalsecret.yaml @@ -3,19 +3,19 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: - name: cloudnative-pg-postgres16-pgdump + name: cloudnative-pg-postgres17-pgdump namespace: default spec: secretStoreRef: kind: ClusterSecretStore name: onepassword-connect target: - name: cloudnative-pg-postgres16-pgdump-secret + name: cloudnative-pg-postgres17-pgdump-secret template: engineVersion: v2 data: # App - POSTGRES_HOST: postgres16-rw.database.svc.cluster.local + POSTGRES_HOST: postgres17-rw.database.svc.cluster.local POSTGRES_USER: "{{ .POSTGRES_SUPER_USER }}" POSTGRES_PASSWORD: "{{ .POSTGRES_SUPER_PASS }}" POSTGRES_PORT: "5432" diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/pgdump/helmrelease.yaml b/.archive/kubernetes/cloudnative-pg/cluster/pgdump/helmrelease.yaml similarity index 87% rename from kubernetes/apps/database/cloudnative-pg/cluster/pgdump/helmrelease.yaml rename to .archive/kubernetes/cloudnative-pg/cluster/pgdump/helmrelease.yaml index 321b60a9e..a198fbd0f 100644 --- a/kubernetes/apps/database/cloudnative-pg/cluster/pgdump/helmrelease.yaml 
+++ b/.archive/kubernetes/cloudnative-pg/cluster/pgdump/helmrelease.yaml @@ -3,7 +3,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: &app cloudnative-pg-postgres16-pgdump + name: &app cloudnative-pg-postgres17-pgdump namespace: default spec: interval: 30m @@ -29,7 +29,7 @@ spec: keepHistory: false values: controllers: - cloudnative-pg-postgres16-pgdump: + cloudnative-pg-postgres17-pgdump: type: cronjob cronjob: concurrencyPolicy: Forbid @@ -38,18 +38,18 @@ spec: init-db: image: repository: ghcr.io/onedr0p/postgres-init - tag: 16 + tag: 17 env: EXCLUDE_DBS: app home_assistant lidarr_log radarr_log sonarr_log prowlarr_log postgres template0 template1 envFrom: &envFrom - secretRef: - name: cloudnative-pg-postgres16-pgdump-secret + name: cloudnative-pg-postgres17-pgdump-secret command: /scripts/list_dbs.sh containers: app: image: repository: prodrigestivill/postgres-backup-local - tag: 16-alpine@sha256:d41309ea4abc06b1d369927cafa7abb8b9cccab21921dcb5d765379fcd9d60cb + tag: 17-alpine@sha256:d41309ea4abc06b1d369927cafa7abb8b9cccab21921dcb5d765379fcd9d60cb command: [/backup.sh] env: POSTGRES_DB_FILE: /config/db_list @@ -79,7 +79,7 @@ spec: scripts: enabled: true type: configMap - name: cloudnative-pg-postgres16-pgdump-scripts # overriden by kustomizeconfig + name: cloudnative-pg-postgres17-pgdump-scripts # overriden by kustomizeconfig defaultMode: 0775 globalMounts: - path: /scripts diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/pgdump/kustomization.yaml b/.archive/kubernetes/cloudnative-pg/cluster/pgdump/kustomization.yaml similarity index 100% rename from kubernetes/apps/database/cloudnative-pg/cluster/pgdump/kustomization.yaml rename to .archive/kubernetes/cloudnative-pg/cluster/pgdump/kustomization.yaml 
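Review bot: In the third hunk the backup image becomes `tag: 17-alpine@sha256:d41309ea…` but that digest is byte-identical to the old `16-alpine@sha256:d41309ea…` line; when a reference carries both a tag and a digest the registry resolves the digest, so this CronJob keeps running the 16-alpine build against the `postgres17-rw` host the pgdump ExternalSecret now points at, and pg_dump refuses to dump a server newer than itself ("aborting because of server version mismatch"). The line should carry the digest of the actual 17-alpine image, `tag: 17-alpine@sha256:<digest-of-17-alpine>`, the same way `postgres-init` was moved to `tag: 17`. The `values` block these hunks edit starts and ends outside them.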
diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/pgdump/scripts/list_dbs.sh b/.archive/kubernetes/cloudnative-pg/cluster/pgdump/scripts/list_dbs.sh similarity index 100% rename from kubernetes/apps/database/cloudnative-pg/cluster/pgdump/scripts/list_dbs.sh rename to .archive/kubernetes/cloudnative-pg/cluster/pgdump/scripts/list_dbs.sh diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/prometheusrule.yaml b/.archive/kubernetes/cloudnative-pg/cluster/prometheusrule.yaml similarity index 100% rename from kubernetes/apps/database/cloudnative-pg/cluster/prometheusrule.yaml rename to .archive/kubernetes/cloudnative-pg/cluster/prometheusrule.yaml diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml b/.archive/kubernetes/cloudnative-pg/cluster/scheduledbackup.yaml similarity index 100% rename from kubernetes/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml rename to .archive/kubernetes/cloudnative-pg/cluster/scheduledbackup.yaml diff --git a/kubernetes/apps/database/cloudnative-pg/ks.yaml b/.archive/kubernetes/cloudnative-pg/ks.yaml similarity index 100% rename from kubernetes/apps/database/cloudnative-pg/ks.yaml rename to .archive/kubernetes/cloudnative-pg/ks.yaml diff --git a/kubernetes/apps/database/cloudnative-pg/readme.md b/.archive/kubernetes/cloudnative-pg/readme.md similarity index 100% rename from kubernetes/apps/database/cloudnative-pg/readme.md rename to .archive/kubernetes/cloudnative-pg/readme.md diff --git a/kubernetes/apps/default/invidious/app/externalsecret.yaml b/.archive/kubernetes/invidious/app/externalsecret.yaml similarity index 88% rename from kubernetes/apps/default/invidious/app/externalsecret.yaml rename to .archive/kubernetes/invidious/app/externalsecret.yaml index 65572058e..6e6686cc4 100644 --- a/kubernetes/apps/default/invidious/app/externalsecret.yaml +++ b/.archive/kubernetes/invidious/app/externalsecret.yaml 
@@ -16,7 +16,7 @@ spec: data: # App INVIDIOUS_CONFIG: | - database_url: postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres16-rw.database.svc.cluster.local.:5432/invidious + database_url: postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres17-rw.database.svc.cluster.local.:5432/invidious check_tables: true port: 3000 domain: invidious.${SECRET_EXTERNAL_DOMAIN} @@ -24,7 +24,7 @@ spec: hmac_key: {{ .HMAC_KEY }} # Postgres Init INIT_POSTGRES_DBNAME: invidious - INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local + INIT_POSTGRES_HOST: postgres17-rw.database.svc.cluster.local INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}" INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}" INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" diff --git a/kubernetes/apps/default/invidious/app/helmrelease.yaml b/.archive/kubernetes/invidious/app/helmrelease.yaml similarity index 100% rename from kubernetes/apps/default/invidious/app/helmrelease.yaml rename to .archive/kubernetes/invidious/app/helmrelease.yaml diff --git a/kubernetes/apps/default/invidious/app/kustomization.yaml b/.archive/kubernetes/invidious/app/kustomization.yaml similarity index 100% rename from kubernetes/apps/default/invidious/app/kustomization.yaml rename to .archive/kubernetes/invidious/app/kustomization.yaml diff --git a/kubernetes/apps/default/invidious/ks.yaml b/.archive/kubernetes/invidious/ks.yaml similarity index 100% rename from kubernetes/apps/default/invidious/ks.yaml rename to .archive/kubernetes/invidious/ks.yaml diff --git a/kubernetes/apps/default/kresus/app/externalsecret.yaml b/.archive/kubernetes/kresus/app/externalsecret.yaml similarity index 93% rename from kubernetes/apps/default/kresus/app/externalsecret.yaml rename to .archive/kubernetes/kresus/app/externalsecret.yaml index ccc11e779..ecb4bece0 100644 --- a/kubernetes/apps/default/kresus/app/externalsecret.yaml +++ b/.archive/kubernetes/kresus/app/externalsecret.yaml 
@@ -15,7 +15,7 @@ spec: engineVersion: v2 data: # App - KRESUS_DB_HOST: &dbHost postgres16-rw.database.svc.cluster.local + KRESUS_DB_HOST: &dbHost postgres17-rw.database.svc.cluster.local KRESUS_DB_USERNAME: &dbUser "{{ .POSTGRES_USERNAME }}" KRESUS_DB_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}" KRESUS_DB_NAME: &dbName kresus diff --git a/kubernetes/apps/default/kresus/app/helmrelease.yaml b/.archive/kubernetes/kresus/app/helmrelease.yaml similarity index 97% rename from kubernetes/apps/default/kresus/app/helmrelease.yaml rename to .archive/kubernetes/kresus/app/helmrelease.yaml index 876e1ad36..abb19c635 100644 --- a/kubernetes/apps/default/kresus/app/helmrelease.yaml +++ b/.archive/kubernetes/kresus/app/helmrelease.yaml @@ -58,7 +58,7 @@ spec: LANG: C.UTF-8 KRESUS_DB_TYPE: postgres KRESUS_DIR: /config - KRESUS_EMAIL_HOST: mailrise.monitoring.svc.cluster.local + KRESUS_EMAIL_HOST: mailrise.observability.svc.cluster.local KRESUS_EMAIL_PORT: 8025 KRESUS_EMAIL_TRANSPORT: smtp KRESUS_EMAIL_FROM: kresus@mailrise.home.arpa diff --git a/kubernetes/apps/default/babybuddy/app/kustomization.yaml b/.archive/kubernetes/kresus/app/kustomization.yaml similarity index 100% rename from kubernetes/apps/default/babybuddy/app/kustomization.yaml rename to .archive/kubernetes/kresus/app/kustomization.yaml diff --git a/kubernetes/apps/default/kresus/ks.yaml b/.archive/kubernetes/kresus/ks.yaml similarity index 100% rename from kubernetes/apps/default/kresus/ks.yaml rename to .archive/kubernetes/kresus/ks.yaml diff --git a/kubernetes/apps/default/maybe/app/externalsecret.yaml b/.archive/kubernetes/maybe/app/externalsecret.yaml similarity index 93% rename from kubernetes/apps/default/maybe/app/externalsecret.yaml rename to .archive/kubernetes/maybe/app/externalsecret.yaml index 3eae93e00..6228dbb8a 100644 --- a/kubernetes/apps/default/maybe/app/externalsecret.yaml +++ b/.archive/kubernetes/maybe/app/externalsecret.yaml 
@@ -16,7 +16,7 @@ spec: data: # App SECRET_KEY_BASE: "{{ .MAYBE__SECRET_KEY_BASE }}" - DB_HOST: &dbHost postgres16-rw.database.svc.cluster.local + DB_HOST: &dbHost postgres17-rw.database.svc.cluster.local POSTGRES_DB: &dbName maybe POSTGRES_USER: &dbUser "{{ .MAYBE__POSTGRES_USER }}" POSTGRES_PASSWORD: &dbPass "{{ .MAYBE__POSTGRES_PASS }}" diff --git a/kubernetes/apps/default/maybe/app/helmrelease.yaml b/.archive/kubernetes/maybe/app/helmrelease.yaml similarity index 100% rename from kubernetes/apps/default/maybe/app/helmrelease.yaml rename to .archive/kubernetes/maybe/app/helmrelease.yaml diff --git a/kubernetes/apps/default/kresus/app/kustomization.yaml b/.archive/kubernetes/maybe/app/kustomization.yaml similarity index 100% rename from kubernetes/apps/default/kresus/app/kustomization.yaml rename to .archive/kubernetes/maybe/app/kustomization.yaml diff --git a/kubernetes/apps/default/maybe/ks.yaml b/.archive/kubernetes/maybe/ks.yaml similarity index 100% rename from kubernetes/apps/default/maybe/ks.yaml rename to .archive/kubernetes/maybe/ks.yaml diff --git a/kubernetes/apps/database/pgadmin/app/externalsecret.yaml b/.archive/kubernetes/pgadmin/app/externalsecret.yaml similarity index 100% rename from kubernetes/apps/database/pgadmin/app/externalsecret.yaml rename to .archive/kubernetes/pgadmin/app/externalsecret.yaml diff --git a/kubernetes/apps/database/pgadmin/app/helmrelease.yaml b/.archive/kubernetes/pgadmin/app/helmrelease.yaml similarity index 100% rename from kubernetes/apps/database/pgadmin/app/helmrelease.yaml rename to .archive/kubernetes/pgadmin/app/helmrelease.yaml diff --git a/kubernetes/apps/default/plant-it/app/kustomization.yaml b/.archive/kubernetes/pgadmin/app/kustomization.yaml similarity index 94% rename from kubernetes/apps/default/plant-it/app/kustomization.yaml rename to .archive/kubernetes/pgadmin/app/kustomization.yaml index 48e972b27..5d04acddd 100644 --- a/kubernetes/apps/default/plant-it/app/kustomization.yaml 
+++ b/.archive/kubernetes/pgadmin/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/database/pgadmin/ks.yaml b/.archive/kubernetes/pgadmin/ks.yaml similarity index 100% rename from kubernetes/apps/database/pgadmin/ks.yaml rename to .archive/kubernetes/pgadmin/ks.yaml diff --git a/kubernetes/apps/default/plant-it/app/externalsecret.yaml b/.archive/kubernetes/plant-it/app/externalsecret.yaml similarity index 93% rename from kubernetes/apps/default/plant-it/app/externalsecret.yaml rename to .archive/kubernetes/plant-it/app/externalsecret.yaml index f13f100da..00b7b0543 100644 --- a/kubernetes/apps/default/plant-it/app/externalsecret.yaml +++ b/.archive/kubernetes/plant-it/app/externalsecret.yaml @@ -20,7 +20,7 @@ spec: MYSQL_ROOT_PASSWORD: &dbPass "{{ .PLANTIT__MARIADB_ROOT_PASS }}" MYSQL_USERNAME: "{{ .PLANTIT__MARIADB_USER }}" MYSQL_PSW: *dbPass - FLORACODEX_KEY: "{{ .PLANTIT__FLORACODEX_KEY }}" + FLORACODEX_KEY: "{{ .PLANTIT__TREFLE_KEY }}" JWT_SECRET: "{{ .PLANTIT__JWT_SECRET }}" dataFrom: diff --git a/kubernetes/apps/default/plant-it/app/helmrelease.yaml b/.archive/kubernetes/plant-it/app/helmrelease.yaml similarity index 100% rename from kubernetes/apps/default/plant-it/app/helmrelease.yaml rename to .archive/kubernetes/plant-it/app/helmrelease.yaml diff --git a/kubernetes/apps/default/maybe/app/kustomization.yaml b/.archive/kubernetes/plant-it/app/kustomization.yaml similarity index 100% rename from kubernetes/apps/default/maybe/app/kustomization.yaml rename to .archive/kubernetes/plant-it/app/kustomization.yaml 
diff --git a/kubernetes/apps/default/plant-it/db/helmrelease.yaml b/.archive/kubernetes/plant-it/db/helmrelease.yaml similarity index 100% rename from kubernetes/apps/default/plant-it/db/helmrelease.yaml rename to .archive/kubernetes/plant-it/db/helmrelease.yaml diff --git a/kubernetes/apps/default/plant-it/db/kustomization.yaml b/.archive/kubernetes/plant-it/db/kustomization.yaml similarity index 100% rename from kubernetes/apps/default/plant-it/db/kustomization.yaml rename to .archive/kubernetes/plant-it/db/kustomization.yaml diff --git a/kubernetes/apps/default/plant-it/ks.yaml b/.archive/kubernetes/plant-it/ks.yaml similarity index 100% rename from kubernetes/apps/default/plant-it/ks.yaml rename to .archive/kubernetes/plant-it/ks.yaml diff --git a/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml b/.archive/kubernetes/thanos/app/helmrelease.yaml similarity index 90% rename from kubernetes/apps/monitoring/thanos/app/helmrelease.yaml rename to .archive/kubernetes/thanos/app/helmrelease.yaml index 4251f150a..d212cd00f 100644 --- a/kubernetes/apps/monitoring/thanos/app/helmrelease.yaml +++ b/.archive/kubernetes/thanos/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: thanos - namespace: monitoring spec: interval: 30m timeout: 15m @@ -57,8 +56,8 @@ spec: config: insecure: true additionalEndpoints: - - dnssrv+_grpc._tcp.kube-prometheus-stack-thanos-discovery.monitoring.svc.cluster.local - additionalReplicaLabels: ["__replica__"] + - dnssrv+_grpc._tcp.kube-prometheus-stack-thanos-discovery.observability.svc.cluster.local + additionalReplicaLabels: [__replica__] serviceMonitor: enabled: true compact: 
@@ -86,10 +85,10 @@ spec: configMapKeyRef: name: &configMap thanos-cache-configmap key: cache.yaml - extraArgs: ["--query-range.response-cache-config=$(THANOS_CACHE_CONFIG)"] + extraArgs: [--query-range.response-cache-config=$(THANOS_CACHE_CONFIG)] ingress: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: gethomepage.dev/enabled: "true" gethomepage.dev/name: Thanos @@ -107,13 +106,13 @@ spec: rule: enabled: true replicas: 3 - extraArgs: ["--web.prefix-header=X-Forwarded-Prefix"] + extraArgs: [--web.prefix-header=X-Forwarded-Prefix] alertmanagersConfig: value: |- alertmanagers: - api_version: v2 static_configs: - - dnssrv+_http-web._tcp.alertmanager-operated.monitoring.svc.cluster.local + - dnssrv+_http-web._tcp.alertmanager-operated.observability.svc.cluster.local rules: value: |- groups: diff --git a/kubernetes/apps/monitoring/thanos/app/kustomization.yaml b/.archive/kubernetes/thanos/app/kustomization.yaml similarity index 95% rename from kubernetes/apps/monitoring/thanos/app/kustomization.yaml rename to .archive/kubernetes/thanos/app/kustomization.yaml index f27c08755..a444235df 100644 --- a/kubernetes/apps/monitoring/thanos/app/kustomization.yaml +++ b/.archive/kubernetes/thanos/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: monitoring resources: - ./objectbucketclaim.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/monitoring/thanos/app/objectbucketclaim.yaml b/.archive/kubernetes/thanos/app/objectbucketclaim.yaml similarity index 100% rename from kubernetes/apps/monitoring/thanos/app/objectbucketclaim.yaml rename to .archive/kubernetes/thanos/app/objectbucketclaim.yaml 
diff --git a/kubernetes/apps/monitoring/thanos/app/pushsecret.yaml b/.archive/kubernetes/thanos/app/pushsecret.yaml similarity index 100% rename from kubernetes/apps/monitoring/thanos/app/pushsecret.yaml rename to .archive/kubernetes/thanos/app/pushsecret.yaml diff --git a/kubernetes/apps/monitoring/thanos/app/readme.md b/.archive/kubernetes/thanos/app/readme.md similarity index 100% rename from kubernetes/apps/monitoring/thanos/app/readme.md rename to .archive/kubernetes/thanos/app/readme.md diff --git a/kubernetes/apps/monitoring/thanos/app/resources/cache.yaml b/.archive/kubernetes/thanos/app/resources/cache.yaml similarity index 100% rename from kubernetes/apps/monitoring/thanos/app/resources/cache.yaml rename to .archive/kubernetes/thanos/app/resources/cache.yaml diff --git a/kubernetes/apps/monitoring/thanos/ks.yaml b/.archive/kubernetes/thanos/ks.yaml similarity index 83% rename from kubernetes/apps/monitoring/thanos/ks.yaml rename to .archive/kubernetes/thanos/ks.yaml index 8bf2a5576..c0f552853 100644 --- a/kubernetes/apps/monitoring/thanos/ks.yaml +++ b/.archive/kubernetes/thanos/ks.yaml @@ -6,14 +6,15 @@ metadata: name: &app thanos namespace: flux-system spec: - targetNamespace: monitoring + targetNamespace: observability commonMetadata: labels: app.kubernetes.io/name: *app dependsOn: + - name: dragonfly-cluster - name: external-secrets-stores - name: rook-ceph-cluster - path: ./kubernetes/apps/monitoring/thanos/app + path: ./kubernetes/apps/observability/thanos/app prune: true sourceRef: kind: GitRepository diff --git a/.archive/kubernetes/windmill/app/externalsecret.yaml b/.archive/kubernetes/windmill/app/externalsecret.yaml new file mode 100644 index 000000000..80e11d4d7 --- /dev/null +++ b/.archive/kubernetes/windmill/app/externalsecret.yaml 
@@ -0,0 +1,19 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: windmill +spec: + secretStoreRef: + kind: ClusterSecretStore + name: crunchy-pgo-secrets + target: + name: windmill-secret + template: + engineVersion: v2 + data: + WINDMILL_POSTGRES_URL: 'postgres://{{ index . "user" }}:{{ index . "password" }}@{{ index . "host" }}/{{ index . "dbname" }}' + dataFrom: + - extract: + key: postgres-pguser-windmill diff --git a/kubernetes/apps/default/windmill/app/helmrelease.yaml b/.archive/kubernetes/windmill/app/helmrelease.yaml similarity index 68% rename from kubernetes/apps/default/windmill/app/helmrelease.yaml rename to .archive/kubernetes/windmill/app/helmrelease.yaml index 3bfb0c1a7..36a44c4d9 100644 --- a/kubernetes/apps/default/windmill/app/helmrelease.yaml +++ b/.archive/kubernetes/windmill/app/helmrelease.yaml @@ -29,37 +29,6 @@ spec: app: annotations: reloader.stakater.com/auto: "true" - initContainers: - - name: init-db - image: ghcr.io/onedr0p/postgres-init:16 - envFrom: - - secretRef: - name: &secret windmill-secret - - name: init-grants - image: ghcr.io/onedr0p/postgres-init:16 - command: - - /bin/bash - - -c - - | - #!/bin/bash - - set -o errexit - set -o nounset - - /var/run/grants.sh - envFrom: - - secretRef: - name: *secret - volumeMounts: - - name: grants - readOnly: true - subPath: grants.sh - mountPath: /var/run/grants.sh - volumes: - - name: grants - configMap: - name: windmill-grants - defaultMode: 509 baseDomain: &host "windmill.${SECRET_EXTERNAL_DOMAIN}" baseProtocol: https appReplicas: 1 @@ -105,6 +74,6 @@ spec: enabled: false valuesFrom: - kind: Secret - name: *secret + name: windmill-secret valuesKey: WINDMILL_POSTGRES_URL targetPath: windmill.databaseUrl 
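Review bot: `WINDMILL_POSTGRES_URL` splices `{{ index . "password" }}` into a URL unescaped, so a generated password containing `@`, `/`, `:`, `#` or `%` yields a connection string that parses as a different host or fails outright, and the port is omitted. The Crunchy pguser secret this `dataFrom` extracts from also publishes a ready-made `uri` key (alongside `host`, `port`, `user`, `dbname`), so `WINDMILL_POSTGRES_URL: '{{ index . "uri" }}'` avoids hand-assembling the URL; if the hand-built form is kept, the password should at least go through `urlquery` where the ESO template engine provides it. A one-line comment above the key noting which secret fields PGO guarantees would help the next reader.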
diff --git a/.archive/kubernetes/windmill/app/kustomization.yaml b/.archive/kubernetes/windmill/app/kustomization.yaml new file mode 100644 index 000000000..7b5540eb5 --- /dev/null +++ b/.archive/kubernetes/windmill/app/kustomization.yaml @@ -0,0 +1,9 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: default +resources: + - ./externalsecret.yaml + - ./helmrelease.yaml + - ../../../../templates/gatus/guarded diff --git a/kubernetes/apps/default/windmill/ks.yaml b/.archive/kubernetes/windmill/ks.yaml similarity index 93% rename from kubernetes/apps/default/windmill/ks.yaml rename to .archive/kubernetes/windmill/ks.yaml index ccc4c860e..4db785a8f 100644 --- a/kubernetes/apps/default/windmill/ks.yaml +++ b/.archive/kubernetes/windmill/ks.yaml @@ -11,6 +11,7 @@ spec: labels: app.kubernetes.io/name: *app dependsOn: + - name: crunchy-postgres-operator-cluster - name: external-secrets-stores path: ./kubernetes/apps/default/windmill/app prune: true diff --git a/.taskfiles/Ansible/Taskfile.yaml b/.taskfiles/ansible/Taskfile.yaml similarity index 100% rename from .taskfiles/Ansible/Taskfile.yaml rename to .taskfiles/ansible/Taskfile.yaml diff --git a/.taskfiles/bootstrap/Taskfile.yaml b/.taskfiles/bootstrap/Taskfile.yaml new file mode 100644 index 000000000..215f7bde7 --- /dev/null +++ b/.taskfiles/bootstrap/Taskfile.yaml 
@@ -0,0 +1,51 @@
+---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
+version: '3'
+
+vars:
+ BOOTSTRAP_RESOURCES_DIR: '{{.ROOT_DIR}}/.taskfiles/bootstrap/resources'
+ CLUSTER_DIR: '{{.ROOT_DIR}}/kubernetes'
+
+tasks:
+
+ base:
+ desc: Bootstrap Base Apps
+ cmds:
+ - until kubectl wait nodes --for=condition=Ready=False --all --timeout=10m; do sleep 5; done
+ - helmfile --quiet --file {{.CLUSTER_DIR}}/bootstrap/apps/helmfile.yaml apply --skip-diff-on-install --suppress-diff
+ - until kubectl wait nodes --for=condition=Ready --all --timeout=10m; do sleep 5; done
+ preconditions:
+ - talosctl config info
+ # - test -f {{.CLUSTER_DIR}}/talos/cluster-0/talosconfig
+ - test -f {{.CLUSTER_DIR}}/bootstrap/apps/helmfile.yaml
+ - which helmfile kubectl
+
+ # NOTE: Nodes must all be part of the Ceph cluster and Ceph disks must share the same disk model
+ rook:
+ desc: Bootstrap Rook-Ceph
+ cmds:
+ - minijinja-cli {{.BOOTSTRAP_RESOURCES_DIR}}/wipe-rook.yaml.j2 | kubectl apply --server-side --filename -
+ - until kubectl --namespace default get job/wipe-rook &>/dev/null; do sleep 5; done
+ - kubectl --namespace default wait job/wipe-rook --for=condition=complete --timeout=5m
+ - stern --namespace default job/wipe-rook --no-follow
+ - kubectl --namespace default delete job wipe-rook
+ env:
+ NODE_COUNT:
+ sh: talosctl config info --output json | jq --raw-output '.nodes | length'
+ preconditions:
+ - test -f {{.BOOTSTRAP_RESOURCES_DIR}}/wipe-rook.yaml.j2
+ - which jq kubectl minijinja-cli stern talosctl
+
+ flux:
+ desc: Bootstrap Flux
+ cmds:
+ - kubectl create namespace flux-system --dry-run=client -o yaml | kubectl apply --filename -
+ - cat {{.SOPS_AGE_KEY}} | kubectl --namespace flux-system create secret generic sops-age --from-file=age.agekey=/dev/stdin
+ - kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/bootstrap/flux
+ - SOPS_AGE_KEY_FILE={{.SOPS_AGE_KEY}} sops exec-file {{.CLUSTER_DIR}}/bootstrap/flux/github-deploy-key.sops.yaml "kubectl apply --server-side --filename {}"
+ - SOPS_AGE_KEY_FILE={{.SOPS_AGE_KEY}} sops exec-file {{.CLUSTER_DIR}}/flux/vars/cluster-secrets.sops.yaml "kubectl apply --server-side --filename {}"
+ - kubectl apply --server-side --filename ./flux/vars/cluster-settings.yaml
+
+ apps:
+ desc: Bootstrap Flux
+ - kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/flux/config
diff --git a/.taskfiles/bootstrap/resources/wipe-rook.yaml.j2 b/.taskfiles/bootstrap/resources/wipe-rook.yaml.j2
new file mode 100644
index 000000000..9c9848942
--- /dev/null
+++ b/.taskfiles/bootstrap/resources/wipe-rook.yaml.j2
@@ -0,0 +1,49 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: &app wipe-rook
+ namespace: default
+ labels:
+ app.kubernetes.io/name: *app
+spec:
+ parallelism: 4
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: *app
+ spec:
+ restartPolicy: Never
+ containers:
+ - name: disk-wipe
+ image: rook/ceph:master
+ securityContext:
+ privileged: true
+ command:
+ [
+ "/bin/sh",
+ "-c",
+ "echo 'Starting disk operations on /dev/sdb'; \
+ echo 'Running sgdisk --zap-all /dev/sdb'; time sgdisk --zap-all /dev/sdb; \
+ echo 'Running dd if=/dev/zero bs=1M count=10000 oflag=direct of=/dev/sdb'; time dd if=/dev/zero bs=1M count=10000 oflag=direct of=/dev/sdb; \
+ echo 'Running blkdiscard /dev/sdb'; time blkdiscard /dev/sdb; \
+ echo 'Running partprobe /dev/sdb'; time partprobe /dev/sdb; \
+ echo 'Disk operations completed on /dev/sdb'"
+ ]
+ volumeMounts:
+ - mountPath: /dev
+ name: dev
+ securityContext:
+ runAsUser: 0
+ runAsGroup: 0
+ volumes:
+ - name: dev
+ hostPath:
+ path: /dev
+ topologySpreadConstraints:
+ - maxSkew: 1
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: *app
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
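Review bot: The `apps` task at the end of the Taskfile hunk places `- kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/flux/config` directly under `desc:` with no `cmds:` key, which is not parseable YAML for Task; wrap it as `cmds:` and give it a description that differs from the `flux` task's `Bootstrap Flux`, e.g. `desc: Bootstrap Flux Apps`. The `flux` task reads `{{.SOPS_AGE_KEY}}`, which this file's `vars:` never declares (only `BOOTSTRAP_RESOURCES_DIR` and `CLUSTER_DIR`), so an unset value leaves `cat` with no argument and `SOPS_AGE_KEY_FILE=` empty; add `requires: { vars: [SOPS_AGE_KEY] }` or a `test -f {{.SOPS_AGE_KEY}}` precondition. The last `flux` command uses the relative `./flux/vars/cluster-settings.yaml` where its siblings use `{{.CLUSTER_DIR}}`, so it only works when invoked from the `kubernetes` directory.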
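Review bot: The wipe Job zeroes and discards `/dev/sdb` on every node it schedules to, from a `privileged: true` container with `/dev` mounted via `hostPath`, yet nothing guards the device choice: the device is hard-coded and the `NODE_COUNT` the `rook` task computes is never referenced in the template, so `parallelism: 4` silently diverges from the actual node count. Template both the device and the parallelism from values the task passes in, and add Task's `prompt:` to the `rook` task so the destructive run requires explicit confirmation. `image: rook/ceph:master` is a moving tag; a release tag or digest keeps the wipe tooling reproducible.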
diff --git a/.taskfiles/ExternalSecrets/Taskfile.yaml b/.taskfiles/externalsecrets/Taskfile.yaml similarity index 100% rename from .taskfiles/ExternalSecrets/Taskfile.yaml rename to .taskfiles/externalsecrets/Taskfile.yaml diff --git a/.taskfiles/Flux/Taskfile.yaml b/.taskfiles/flux/Taskfile.yaml similarity index 100% rename from .taskfiles/Flux/Taskfile.yaml rename to .taskfiles/flux/Taskfile.yaml diff --git a/.taskfiles/Kubernetes/Taskfile.yaml b/.taskfiles/kubernetes/Taskfile.yaml similarity index 84% rename from .taskfiles/Kubernetes/Taskfile.yaml rename to .taskfiles/kubernetes/Taskfile.yaml index 9be2f9b3a..4eb36f389 100644 --- a/.taskfiles/Kubernetes/Taskfile.yaml +++ b/.taskfiles/kubernetes/Taskfile.yaml @@ -19,8 +19,8 @@ tasks: "containers": [ { "name": "debug", - "image": "ghcr.io/onedr0p/alpine:rolling", - "command": ["/bin/bash"], + "image": "cgr.dev/chainguard/wolfi-base", + "command": ["sleep","9999999"], "stdin": true, "stdinOnce": true, "tty": true, @@ -44,8 +44,8 @@ tasks: } }' requires: - vars: ["claim"] + vars: [claim] vars: ns: '{{.ns | default "default"}}' preconditions: - - { msg: "PVC not found", sh: "kubectl -n {{.ns}} get persistentvolumeclaim {{.claim}}" } + - { msg: PVC not found, sh: "kubectl -n {{.ns}} get persistentvolumeclaim {{.claim}}" } diff --git a/.taskfiles/Sops/Taskfile.yaml b/.taskfiles/sops/Taskfile.yaml similarity index 100% rename from .taskfiles/Sops/Taskfile.yaml rename to .taskfiles/sops/Taskfile.yaml diff --git a/.taskfiles/VolSync/Taskfile.yaml b/.taskfiles/volsync/Taskfile.yaml similarity index 98% rename from .taskfiles/VolSync/Taskfile.yaml rename to .taskfiles/volsync/Taskfile.yaml index 4f2aa1692..06efb3e40 100644 --- a/.taskfiles/VolSync/Taskfile.yaml +++ b/.taskfiles/volsync/Taskfile.yaml 
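Review bot: `"image": "cgr.dev/chainguard/wolfi-base"` carries neither a tag nor a digest, so the debug pod resolves to whatever `latest` is on that day; pin a tag or an `@sha256:` digest (the `ghcr.io/onedr0p/alpine:rolling` it replaces was at least a named tag). With `"command": ["sleep","9999999"]` the container no longer presents a shell on attach, so the surviving `"stdin": true`, `"stdinOnce": true` and `"tty": true` in the same spec are dead unless the task also execs into the pod — drop them or document the `kubectl exec` step. The JSON pod spec is embedded in a shell-quoted string whose start and end lie outside this hunk.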
@@ -19,8 +19,8 @@ x-env: &env ts: '{{.ts}}' vars: - scriptsDir: '{{.ROOT_DIR}}/.taskfiles/VolSync/scripts' - templatesDir: '{{.ROOT_DIR}}/.taskfiles/VolSync/templates' + scriptsDir: '{{.ROOT_DIR}}/.taskfiles/volsync/scripts' + templatesDir: '{{.ROOT_DIR}}/.taskfiles/volsync/templates' ts: '{{now | date "150405"}}' tasks: diff --git a/.taskfiles/VolSync/scripts/controller.sh b/.taskfiles/volsync/scripts/controller.sh similarity index 100% rename from .taskfiles/VolSync/scripts/controller.sh rename to .taskfiles/volsync/scripts/controller.sh diff --git a/.taskfiles/VolSync/scripts/wait.sh b/.taskfiles/volsync/scripts/wait.sh similarity index 100% rename from .taskfiles/VolSync/scripts/wait.sh rename to .taskfiles/volsync/scripts/wait.sh diff --git a/.taskfiles/VolSync/templates/list.tmpl.yaml b/.taskfiles/volsync/templates/list.tmpl.yaml similarity index 100% rename from .taskfiles/VolSync/templates/list.tmpl.yaml rename to .taskfiles/volsync/templates/list.tmpl.yaml diff --git a/.taskfiles/VolSync/templates/replicationdestination.tmpl.yaml b/.taskfiles/volsync/templates/replicationdestination.tmpl.yaml similarity index 100% rename from .taskfiles/VolSync/templates/replicationdestination.tmpl.yaml rename to .taskfiles/volsync/templates/replicationdestination.tmpl.yaml diff --git a/.taskfiles/VolSync/templates/unlock.tmpl.yaml b/.taskfiles/volsync/templates/unlock.tmpl.yaml similarity index 100% rename from .taskfiles/VolSync/templates/unlock.tmpl.yaml rename to .taskfiles/volsync/templates/unlock.tmpl.yaml diff --git a/.taskfiles/VolSync/templates/wipe.tmpl.yaml b/.taskfiles/volsync/templates/wipe.tmpl.yaml similarity index 100% rename from .taskfiles/VolSync/templates/wipe.tmpl.yaml rename to .taskfiles/volsync/templates/wipe.tmpl.yaml diff --git a/README.md b/README.md index 841264714..e85dba3c5 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,7 @@
[![Discord](https://img.shields.io/discord/673534664354430999?style=for-the-badge&label&logo=discord&logoColor=white&color=blue)](https://discord.gg/k8s-at-home) -[![Kubernetes](https://img.shields.io/badge/v1.31-blue?style=for-the-badge&logo=kubernetes&logoColor=white)](https://talos.dev/) +[![Kubernetes](https://img.shields.io/badge/v1.32-blue?style=for-the-badge&logo=kubernetes&logoColor=white)](https://talos.dev/) [![Renovate](https://img.shields.io/github/actions/workflow/status/auricom/home-ops/renovate.yaml?branch=main&label=&logo=renovatebot&style=for-the-badge&color=blue)](https://github.com/auricom/home-ops/actions/workflows/renovate.yaml)
diff --git a/Taskfile.yml b/Taskfile.yml index 3b188b468..4d60afc2a 100644 --- a/Taskfile.yml +++ b/Taskfile.yml @@ -14,12 +14,13 @@ env: SOPS_AGE_KEY_FILE: "~/.config/sops/age/keys.txt" includes: - ansible: .taskfiles/Ansible/Taskfile.yaml - external-secrets: .taskfiles/ExternalSecrets/Taskfile.yaml - flux: .taskfiles/Flux/Taskfile.yaml - kubernetes: .taskfiles/Kubernetes/Taskfile.yaml - sops: .taskfiles/Sops/Taskfile.yaml - volsync: .taskfiles/VolSync/Taskfile.yaml + ansible: .taskfiles/ansible/Taskfile.yaml + bootstrap: .taskfiles/bootstrap/Taskfile.yaml + external-secrets: .taskfiles/externalsecrets/Taskfile.yaml + flux: .taskfiles/flux/Taskfile.yaml + kubernetes: .taskfiles/kubernetes/Taskfile.yaml + sops: .taskfiles/sops/Taskfile.yaml + volsync: .taskfiles/volsync/Taskfile.yaml tasks: diff --git a/kubernetes/apps/actions-runner-system/actions-runner-controller/ks.yaml b/kubernetes/apps/actions-runner-system/actions-runner-controller/ks.yaml index 081fff50a..845488979 100644 --- a/kubernetes/apps/actions-runner-system/actions-runner-controller/ks.yaml +++ b/kubernetes/apps/actions-runner-system/actions-runner-controller/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -25,7 +25,7 @@ spec: substitute: APP: *app --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: 
diff --git a/kubernetes/apps/actions-runner-system/namespace.yaml b/kubernetes/apps/actions-runner-system/namespace.yaml index 7acd019f8..5373332c9 100644 --- a/kubernetes/apps/actions-runner-system/namespace.yaml +++ b/kubernetes/apps/actions-runner-system/namespace.yaml @@ -15,7 +15,7 @@ metadata: namespace: actions-runner-system spec: type: alertmanager - address: http://kube-prometheus-stack-alertmanager.monitoring:9093/api/v2/alerts/ + address: http://kube-prometheus-stack-alertmanager.observability:9093/api/v2/alerts/ --- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json apiVersion: notification.toolkit.fluxcd.io/v1beta3 diff --git a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml index b80cc01c3..627475f06 100644 --- a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml @@ -38,4 +38,4 @@ spec: enabled: true servicemonitor: enabled: true - prometheusInstance: monitoring + prometheusInstance: observability diff --git a/kubernetes/apps/cert-manager/cert-manager/webhook-ovh/externalsecret.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/externalsecret.yaml similarity index 66% rename from kubernetes/apps/cert-manager/cert-manager/webhook-ovh/externalsecret.yaml rename to kubernetes/apps/cert-manager/cert-manager/issuers/externalsecret.yaml index 2c7be990e..9213c564b 100644 --- a/kubernetes/apps/cert-manager/cert-manager/webhook-ovh/externalsecret.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/externalsecret.yaml 
@@ -3,15 +3,18 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: - name: cert-manager-webhook-ovh + name: cloudflare namespace: cert-manager spec: secretStoreRef: kind: ClusterSecretStore name: onepassword-connect target: - name: cert-manager-webhook-ovh-secret + name: cloudflare-secret + template: + engineVersion: v2 + data: + CLOUDFLARE_TOKEN: "{{ .CLOUDFLARE_TOKEN }}" dataFrom: - extract: - # applicationKey, applicationSecret, consumerKey - key: cert-manager-webhook-ovh + key: cloudflare diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml new file mode 100644 index 000000000..73042a54f --- /dev/null +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/helmrelease.yaml @@ -0,0 +1,42 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cert-manager.io/clusterissuer_v1.json +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: "${SECRET_CLUSTER_DOMAIN_EMAIL}" + privateKeySecretRef: + name: letsencrypt-production + solvers: + - dns01: + cloudflare: + email: "${SECRET_CLUSTER_DOMAIN_EMAIL}" + apiTokenSecretRef: + name: cloudflare-secret + key: CLOUDFLARE_TOKEN + selector: + dnsZones: ["${SECRET_EXTERNAL_DOMAIN}"] +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cert-manager.io/clusterissuer_v1.json +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging +spec: + acme: + server: https://acme-staging-v02.api.letsencrypt.org/directory + email: "${SECRET_CLUSTER_DOMAIN_EMAIL}" + privateKeySecretRef: + name: letsencrypt-staging + solvers: + - dns01: + cloudflare: + email: "${SECRET_CLUSTER_DOMAIN_EMAIL}" + apiTokenSecretRef: + name: cloudflare-secret + key: CLOUDFLARE_TOKEN + selector: + dnsZones: ["${SECRET_EXTERNAL_DOMAIN}"] 
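Review bot: Both new ClusterIssuers substitute `${SECRET_CLUSTER_DOMAIN_EMAIL}`, while the webhook chart they replace (deleted further down this diff) used `${SECRET_EXTERNAL_DOMAIN_EMAIL}`; unless `SECRET_CLUSTER_DOMAIN_EMAIL` exists in the Flux substitution source, the issuer is created with the literal placeholder and ACME account registration fails. `issuers/helmrelease.yaml` holds two `ClusterIssuer` objects and no HelmRelease, so the name misleads; renaming it to `clusterissuer.yaml` requires touching `issuers/kustomization.yaml`, which this commit renames with 100% similarity and therefore presumably still lists `./helmrelease.yaml`. Under `cloudflare:`, the `email:` field is documented as needed only for the legacy `apiKeySecretRef` flow, so it can be dropped alongside `apiTokenSecretRef`; the token behind `cloudflare-secret` should be scoped to DNS edit on the `${SECRET_EXTERNAL_DOMAIN}` zone only, since any namespace can request certificates through a ClusterIssuer.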
diff --git a/kubernetes/apps/cert-manager/cert-manager/webhook-ovh/kustomization.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml similarity index 100% rename from kubernetes/apps/cert-manager/cert-manager/webhook-ovh/kustomization.yaml rename to kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml diff --git a/kubernetes/apps/cert-manager/cert-manager/ks.yaml b/kubernetes/apps/cert-manager/cert-manager/ks.yaml index f0c5cd45f..f0c4f294d 100644 --- a/kubernetes/apps/cert-manager/cert-manager/ks.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -23,21 +23,21 @@ spec: substitute: APP: *app --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: cert-manager-webhook-ovh + name: &app cert-manager-issuers namespace: flux-system spec: targetNamespace: cert-manager commonMetadata: labels: - app.kubernetes.io/name: &app cert-manager + app.kubernetes.io/name: *app dependsOn: - name: cert-manager - name: external-secrets-stores - path: ./kubernetes/apps/cert-manager/cert-manager/webhook-ovh + path: ./kubernetes/apps/cert-manager/cert-manager/issuers prune: true sourceRef: kind: GitRepository diff --git a/kubernetes/apps/cert-manager/cert-manager/webhook-ovh/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/webhook-ovh/helmrelease.yaml deleted file mode 100644 index 0786add0c..000000000 
--- a/kubernetes/apps/cert-manager/cert-manager/webhook-ovh/helmrelease.yaml +++ /dev/null @@ -1,69 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: cert-manager-webhook-ovh - namespace: cert-manager -spec: - interval: 30m - chart: - spec: - chart: cert-manager-webhook-ovh - version: 0.7.3 - sourceRef: - kind: HelmRepository - name: cert-manager-webhook-ovh - namespace: flux-system - maxHistory: 2 - install: - createNamespace: true - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - uninstall: - keepHistory: false - values: - configVersion: 0.0.1 - podAnnotations: - reloader.stakater.com/auto: "true" - groupName: "${SECRET_DOMAIN}" - certManager: - namespace: cert-manager - serviceAccountName: cert-manager - issuers: - - name: letsencrypt-staging - create: true - kind: ClusterIssuer - acmeServerUrl: https://acme-staging-v02.api.letsencrypt.org/directory - email: "${SECRET_EXTERNAL_DOMAIN_EMAIL}" - ovhEndpointName: ovh-eu - ovhAuthenticationRef: - applicationKeyRef: - name: cert-manager-webhook-ovh-secret - key: applicationKey - applicationSecretRef: - name: cert-manager-webhook-ovh-secret - key: applicationSecret - consumerKeyRef: - name: cert-manager-webhook-ovh-secret - key: consumerKey - - name: letsencrypt-production - create: true - kind: ClusterIssuer - acmeServerUrl: https://acme-v02.api.letsencrypt.org/directory - email: "${SECRET_EXTERNAL_DOMAIN_EMAIL}" - ovhEndpointName: ovh-eu - ovhAuthenticationRef: - applicationKeyRef: - name: cert-manager-webhook-ovh-secret - key: applicationKey - applicationSecretRef: - name: cert-manager-webhook-ovh-secret - key: applicationSecret - consumerKeyRef: - name: cert-manager-webhook-ovh-secret - key: consumerKey 
diff --git a/kubernetes/apps/cert-manager/namespace.yaml b/kubernetes/apps/cert-manager/namespace.yaml index 37ca7c115..76acf8add 100644 --- a/kubernetes/apps/cert-manager/namespace.yaml +++ b/kubernetes/apps/cert-manager/namespace.yaml @@ -14,7 +14,7 @@ metadata: namespace: cert-manager spec: type: alertmanager - address: http://kube-prometheus-stack-alertmanager.monitoring:9093/api/v2/alerts/ + address: http://kube-prometheus-stack-alertmanager.observability:9093/api/v2/alerts/ --- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json apiVersion: notification.toolkit.fluxcd.io/v1beta3 diff --git a/kubernetes/apps/database/crunchy-postgres-operator/cluster/cluster.yaml b/kubernetes/apps/database/crunchy-postgres-operator/cluster/cluster.yaml new file mode 100644 index 000000000..4720a093b --- /dev/null +++ b/kubernetes/apps/database/crunchy-postgres-operator/cluster/cluster.yaml 
@@ -0,0 +1,203 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/postgres-operator.crunchydata.com/postgrescluster_v1beta1.json +apiVersion: postgres-operator.crunchydata.com/v1beta1 +kind: PostgresCluster +metadata: + name: &name postgres +spec: + postgresVersion: 17 + + metadata: + labels: + crunchy-userinit.ramblurr.github.com/enabled: "true" + crunchy-userinit.ramblurr.github.com/superuser: postgres + + patroni: # turn on sync writes to at least 1 other replica + dynamicConfiguration: + synchronous_mode: true + postgresql: + max_wal_size: 5GB + synchronous_commit: "on" + pg_hba: + - hostnossl authelia all 192.168.8.0/22 md5 # Needed because authelia does not support SSL yet + - hostssl all all all md5 + parameters: + max_connections: 500 + instances: + - name: postgres + metadata: + labels: + app.kubernetes.io/name: crunchy-postgres + replicas: &replica 2 + dataVolumeClaimSpec: + storageClassName: openebs-hostpath + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 80Gi + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + postgres-operator.crunchydata.com/cluster: *name + postgres-operator.crunchydata.com/data: postgres + + users: + # Superuser + - name: postgres + databases: + - postgres + options: SUPERUSER + password: &password + type: AlphaNumeric + # Applications + - name: authelia + databases: + - authelia + password: *password + - name: bazarr + databases: + - bazarr_main + - bazarr_log + password: *password + - name: ghostfolio + databases: + - ghostfolio + password: *password + - name: home-assistant + databases: + - home-assistant + password: *password + - name: joplin + databases: + - joplin + password: *password + - name: lldap + databases: + - lldap + password: *password + - name: lidarr + databases: + - lidarr_main + - lidarr_log + password: *password + - name: lychee + databases: + 
- lychee + password: *password + - name: outline + databases: + - outline + password: *password + - name: paperless + databases: + - paperless + password: *password + - name: prowlarr + databases: + - prowlarr_main + - prowlarr_logs + password: *password + - name: pushover-notifier + databases: + - pushover-notifier + password: *password + - name: radarr + databases: + - radarr_main + - radarr_log + password: *password + - name: sonarr + databases: + - sonarr_main + - sonarr_log + password: *password + - name: tandoor + databases: + - tandoor + password: *password + - name: vikunja + databases: + - vikunja + password: *password + backups: + pgbackrest: + configuration: &backupConfig + - secret: + name: crunchy-postgres-secret + global: &backupFlag + compress-type: bz2 + compress-level: "9" + # Minio + repo1-block: y + repo1-bundle: y + repo1-path: /crunchy-pgo + repo1-retention-full: "30" # days + repo1-retention-full-type: time + repo1-s3-uri-style: path + manual: + repoName: repo1 + options: + - --type=full + metadata: + labels: + app.kubernetes.io/name: crunchy-postgres-backup + repos: + - name: repo1 # Minio + s3: &minio + bucket: crunchy-postgres-operator + endpoint: "s3.${SECRET_INTERNAL_DOMAIN}" + region: us-east-1 + schedules: + full: 0 1 * * 0 # Sunday at 01:00 + differential: 0 1 * * 1-6 # Mon-Sat at 01:00 + incremental: 0 2-23 * * * # Every hour except 01:00 + + # dataSource: + # pgbackrest: + # stanza: "db" + # configuration: *backupConfig + # global: *backupFlag + # repo: + # name: "repo1" + # s3: *minio + + monitoring: + pgmonitor: + exporter: + resources: + requests: + cpu: 10m + memory: 64M + limits: + memory: 512M + + proxy: + pgBouncer: + port: 5432 + service: + metadata: + annotations: + lbipam.cilium.io/ips: ${CLUSTER_LB_POSTGRES} + type: LoadBalancer + replicas: *replica + metadata: + labels: + app.kubernetes.io/name: crunchy-postgres-pgbouncer + config: + global: + pool_mode: session # Grafana requires session 
https://github.com/grafana/grafana/issues/74260#issuecomment-1702795311. Everything else is happy with transaction + client_tls_sslmode: prefer + default_pool_size: "100" + max_client_conn: "500" + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + postgres-operator.crunchydata.com/cluster: *name + postgres-operator.crunchydata.com/role: pgbouncer diff --git a/kubernetes/apps/database/crunchy-postgres-operator/cluster/externalsecret.yaml b/kubernetes/apps/database/crunchy-postgres-operator/cluster/externalsecret.yaml new file mode 100644 index 000000000..d384742bd --- /dev/null +++ b/kubernetes/apps/database/crunchy-postgres-operator/cluster/externalsecret.yaml @@ -0,0 +1,26 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: crunchy-postgres +spec: + refreshInterval: 5m + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: crunchy-postgres-secret + template: + engineVersion: v2 + data: + s3.conf: | + [global] + repo1-s3-key={{ .CRUNCHY_POSTGRES_S3_ACCESS_KEY }} + repo1-s3-key-secret={{ .CRUNCHY_POSTGRES_S3_SECRET_KEY }} + encryption.conf: | + [global] + repo1-cipher-pass={{ .CRUNCHY_POSTGRES_BACKUP_ENCRYPTION_CIPHER }} + dataFrom: + - extract: + key: crunchy-postgres diff --git a/kubernetes/apps/database/crunchy-postgres-operator/cluster/kustomization.yaml b/kubernetes/apps/database/crunchy-postgres-operator/cluster/kustomization.yaml new file mode 100644 index 000000000..169b5f5da --- /dev/null +++ b/kubernetes/apps/database/crunchy-postgres-operator/cluster/kustomization.yaml 
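Review bot: The `pg_hba` rules authenticate every client with `md5`, including the `hostssl all all all md5` catch-all, although `scram-sha-256` has been PostgreSQL's default `password_encryption` since version 14 and this cluster runs `postgresVersion: 17`; change both rules to `scram-sha-256` (existing md5-hashed passwords need a reset once the encryption setting is scram). The `hostnossl authelia all 192.168.8.0/22 md5` line accepts unencrypted logins from the whole /22, and pgBouncer's `client_tls_sslmode: prefer` lets any client fall back to plaintext, so TLS on the wire currently depends on client defaults; `require` on pgBouncer and a narrower CIDR for the Authelia exception would make the posture explicit. The comment that Authelia does not support SSL is a claim to re-check against the deployed Authelia version before keeping the exception.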
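Review bot: `encryption.conf` sets `repo1-cipher-pass`, but the `global:` block in `cluster.yaml` (previous hunk) never sets `repo1-cipher-type`, and pgBackRest documents the passphrase as dependent on a cipher type other than `none`; without `repo1-cipher-type: aes-256-cbc` next to `repo1-block`/`repo1-bundle` the S3 repository is either written unencrypted or the option is rejected at startup — verify which, then add the type. The schema comment points at the datreeio CRDs catalog while the other ExternalSecrets on this page use `kubernetes-schemas.pages.dev`; harmless, but inconsistent.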
@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./externalsecret.yaml
+ - ./cluster.yaml
+ - ./podmonitor.yaml
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/cluster/podmonitor.yaml b/kubernetes/apps/database/crunchy-postgres-operator/cluster/podmonitor.yaml
new file mode 100644
index 000000000..046484ab9
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/cluster/podmonitor.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: cpgo-postgres
+spec:
+ jobLabel: cpgo-postgres
+ namespaceSelector:
+ matchNames:
+ - database
+ podMetricsEndpoints:
+ - honorLabels: true
+ path: /metrics
+ port: exporter
+ relabelings:
+ - sourceLabels:
+ [
+ "__meta_kubernetes_namespace",
+ "__meta_kubernetes_pod_label_postgres_operator_crunchydata_com_cluster",
+ ]
+ targetLabel: pg_cluster
+ separator: "/"
+ replacement: "$1$2"
+ - sourceLabels:
+ [
+ __meta_kubernetes_pod_label_postgres_operator_crunchydata_com_instance,
+ ]
+ targetLabel: deployment
+ - sourceLabels:
+ [__meta_kubernetes_pod_label_postgres_operator_crunchydata_com_role]
+ targetLabel: role
+ - sourceLabels: [__meta_kubernetes_pod_name]
+ targetLabel: instance
+ selector:
+ matchLabels:
+ postgres-operator.crunchydata.com/cluster: postgres
+ postgres-operator.crunchydata.com/crunchy-postgres-exporter: "true"
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/clustersecretstore.yaml b/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/clustersecretstore.yaml
new file mode 100644
index 000000000..f0a8f51f6
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/clustersecretstore.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+ name: crunchy-pgo-secrets
+spec:
+ provider:
+ kubernetes:
+ remoteNamespace: database
+ server:
+ caProvider:
+ type: ConfigMap
+ name: kube-root-ca.crt
+ namespace: database
+ key: ca.crt
+ auth:
+ serviceAccount:
+ name: external-secrets-pg
+ namespace: database
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/kustomization.yaml b/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/kustomization.yaml
new file mode 100644
index 000000000..dbaceab8d
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./rbac.yaml
+ - ./clustersecretstore.yaml
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/rbac.yaml b/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/rbac.yaml
new file mode 100644
index 000000000..ab1721656
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore/rbac.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: external-secrets-pg
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "list", "watch"]
+ - apiGroups: ["authorization.k8s.io"]
+ resources: ["selfsubjectrulesreviews"]
+ verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: &name external-secrets-pg
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: *name
+subjects:
+ - kind: ServiceAccount
+ name: *name
+ namespace: database
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: external-secrets-pg
+ namespace: database
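Review bot: A `ClusterSecretStore` has no consumer restriction by default, so `crunchy-pgo-secrets` lets an ExternalSecret in any namespace read every Secret in `database` — including the `postgres` superuser credential (following the `<cluster>-pguser-<user>` pattern the windmill hunk relies on) and the pgBackRest S3 and cipher material in `crunchy-postgres-secret`. Add `spec.conditions` with a `namespaces:` list or a `namespaceSelector:` covering only the namespaces that host Postgres consumers, so a compromised workload elsewhere cannot pull the database credentials of unrelated apps. The `caProvider` pointing at `kube-root-ca.crt` in `database` is a reasonable way to trust the in-cluster API server.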
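Review bot: `external-secrets-pg` is a `ClusterRole` bound through a `ClusterRoleBinding`, which grants `get`/`list`/`watch` on Secrets in every namespace, while the store it serves reads only `remoteNamespace: database`; a namespaced `Role`/`RoleBinding` in `database` gives the same functionality with least privilege. `selfsubjectrulesreviews` create should already be available to the ServiceAccount through the default `system:basic-user` binding for authenticated subjects, so the second rule can stay in the Role as documentation or be dropped — verify against the cluster's RBAC before removing it.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: external-secrets-pg
  namespace: database
# … unchanged: rules …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: &name external-secrets-pg
  namespace: database
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: *name
# … unchanged: subjects, ServiceAccount …
```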
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/ks.yaml b/kubernetes/apps/database/crunchy-postgres-operator/ks.yaml
new file mode 100644
index 000000000..be86943fd
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/ks.yaml
@@ -0,0 +1,110 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app crunchy-postgres-operator + namespace: flux-system +spec: + targetNamespace: database + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + timeout: 5m + path: ./kubernetes/apps/database/crunchy-postgres-operator/operator + prune: true + sourceRef: + kind: GitRepository + name: home-ops-kubernetes + wait: true +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app crunchy-postgres-operator-cluster + namespace: flux-system +spec: + targetNamespace: database + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + timeout: 5m + path: ./kubernetes/apps/database/crunchy-postgres-operator/cluster + prune: true + sourceRef: + kind: GitRepository + name: home-ops-kubernetes + wait: true + dependsOn: + - name: crunchy-postgres-operator + - name: external-secrets-stores +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app crunchy-postgres-operator-secretstore + namespace: flux-system +spec: + targetNamespace: database + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + timeout: 5m + path: ./kubernetes/apps/database/crunchy-postgres-operator/clustersecretstore + prune: true + sourceRef: + kind: GitRepository + name: home-ops-kubernetes + wait: true + dependsOn: + - name: crunchy-postgres-operator-cluster + - name: external-secrets +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: 
kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app crunchy-postgres-userinit-controller + namespace: flux-system +spec: + targetNamespace: database + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + timeout: 5m + path: ./kubernetes/apps/database/crunchy-postgres-operator/userinit-controller + prune: true + sourceRef: + kind: GitRepository + name: home-ops-kubernetes + wait: true + dependsOn: + - name: crunchy-postgres-operator-cluster +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app crunchy-postgres-pgadmin + namespace: flux-system +spec: + targetNamespace: database + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + timeout: 5m + path: ./kubernetes/apps/database/crunchy-postgres-operator/pgadmin + prune: true + sourceRef: + kind: GitRepository + name: home-ops-kubernetes + wait: true + dependsOn: + - name: crunchy-postgres-operator-cluster diff --git a/kubernetes/apps/database/crunchy-postgres-operator/operator/helmrelease.yaml b/kubernetes/apps/database/crunchy-postgres-operator/operator/helmrelease.yaml new file mode 100644 index 000000000..d148e2a22 --- /dev/null +++ b/kubernetes/apps/database/crunchy-postgres-operator/operator/helmrelease.yaml 
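Review bot: `crunchy-postgres-operator-secretstore` is the Kustomization that publishes the `crunchy-pgo-secrets` ClusterSecretStore, but the consumer of that store visible on this page (the archived windmill `ks.yaml`) depends only on `crunchy-postgres-operator-cluster`, so app ExternalSecrets can reconcile before the store exists and sit in a failed state until Flux retries. Either make consumers depend on `crunchy-postgres-operator-secretstore`, or fold `clustersecretstore/` into the `cluster/` kustomization so that depending on `-cluster` implies the store. Note also that the secretstore Kustomization depends on `external-secrets` while the cluster one depends on `external-secrets-stores`; both may be intentional (CRD vs. store availability), but a one-line comment on each `dependsOn` would save the next reader from guessing.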
@@ -0,0 +1,28 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: crunchy-postgres-operator
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: pgo
+ version: 5.7.2
+ sourceRef:
+ kind: HelmRepository
+ name: crunchydata
+ namespace: flux-system
+ interval: 5m
+ install:
+ crds: CreateReplace
+ upgrade:
+ crds: CreateReplace
+ dependsOn:
+ - name: openebs
+ namespace: openebs-system
+ values:
+ install:
+ clusterLabels:
+ app.kubernetes.io/name: pgo
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/operator/kustomization.yaml b/kubernetes/apps/database/crunchy-postgres-operator/operator/kustomization.yaml
new file mode 100644
index 000000000..17cbc72b2
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/operator/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/pgadmin/externalsecret.yaml b/kubernetes/apps/database/crunchy-postgres-operator/pgadmin/externalsecret.yaml
new file mode 100644
index 000000000..925caf5d7
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/pgadmin/externalsecret.yaml
@@ -0,0 +1,20 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: pgadmin
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: pgadmin-secret
+ template:
+ engineVersion: v2
+ data:
+ # App
+ PGADMIN_PASSWORD: "{{ .password }}"
+ dataFrom:
+ - extract:
+ key: pgadmin
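Review bot: `sourceRef` in the operator HelmRelease points at a `crunchydata` HelmRepository in `flux-system` that this directory does not declare (its kustomization lists only `./helmrelease.yaml`), whereas the userinit-controller directory added in this same commit ships its own HelmRepository next to its release; either convention works, but mixing them inside one feature makes the operator's chart source harder to find, so a comment such as `# HelmRepository crunchydata is declared with the cluster-wide repositories in flux-system` above `sourceRef` (or moving the repository here) would settle it. The `dependsOn` on `openebs` is also unexplained for an operator whose only value is a cluster label; if it is there because PostgresCluster volumes use an openebs storage class, a one-line comment saying so would help the next reader.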
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/pgadmin/ingress.yaml b/kubernetes/apps/database/crunchy-postgres-operator/pgadmin/ingress.yaml
new file mode 100644
index 000000000..b5e5d68c5
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/pgadmin/ingress.yaml
@@ -0,0 +1,33 @@
+---
+# trunk-ignore(checkov/CKV_K8S_21)
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: pgadmin
+ annotations:
+ hajimari.io/icon: mdi:database
+ gethomepage.dev/enabled: "true"
+ gethomepage.dev/name: pgAdmin
+ gethomepage.dev/description: PostgreSQL management tool.
+ gethomepage.dev/group: Infrrastructure
+ gethomepage.dev/icon: pgadmin.png
+ gethomepage.dev/pod-selector: >-
+ app in (
+ pgadmin
+ )
+spec:
+ ingressClassName: internal
+ tls:
+ - hosts:
+ - &host pgadmin.${SECRET_EXTERNAL_DOMAIN}
+ rules:
+ - host: *host
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: pgadmin
+ port:
+ number: 5050
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/pgadmin/kustomization.yaml b/kubernetes/apps/database/crunchy-postgres-operator/pgadmin/kustomization.yaml
new file mode 100644
index 000000000..8261e3285
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/pgadmin/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./externalsecret.yaml
+ - ./ingress.yaml
+ - ./pgadmin.yaml
+ - ./service.yaml
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/pgadmin/pgadmin.yaml b/kubernetes/apps/database/crunchy-postgres-operator/pgadmin/pgadmin.yaml
new file mode 100644
index 000000000..e3e0dde59
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/pgadmin/pgadmin.yaml
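Review bot: The pgAdmin Ingress is published on the `internal` class with no forward-auth annotations, so the database administration UI is guarded only by pgAdmin's own login, while the other internal ingresses touched in this commit (bazarr, exercisediary, calibre, flood) put Authelia in front via the `nginx.ingress.kubernetes.io/auth-method`, `auth-url`, `auth-signin`, `auth-response-headers` and `auth-snippet` annotations; adding that same set here gives SSO and MFA to a tool that stores saved connections to every PostgresCluster it registers. Separately, `gethomepage.dev/group: Infrrastructure` is misspelled and will create a new dashboard group instead of joining `Infrastructure`.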
@@ -0,0 +1,22 @@
+---
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PGAdmin
+metadata:
+ name: pgadmin
+spec:
+ users:
+ - username: admin@homelab.io
+ role: Administrator
+ passwordRef:
+ name: pgadmin-secret
+ key: PGADMIN_PASSWORD
+ dataVolumeClaimSpec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ serverGroups:
+ - name: supply
+ postgresClusterSelector: {}
+ serviceName: pgadmin
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/pgadmin/service.yaml b/kubernetes/apps/database/crunchy-postgres-operator/pgadmin/service.yaml
new file mode 100644
index 000000000..fa77db7fd
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/pgadmin/service.yaml
@@ -0,0 +1,14 @@
+---
+# trunk-ignore(checkov/CKV_K8S_21)
+apiVersion: v1
+kind: Service
+metadata:
+ name: pgadmin
+spec:
+ type: ClusterIP
+ ports:
+ - name: pgadmin-port
+ port: 5050
+ protocol: TCP
+ selector:
+ postgres-operator.crunchydata.com/pgadmin: pgadmin
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/helmrelease.yaml b/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/helmrelease.yaml
new file mode 100644
index 000000000..71400f1a8
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/helmrelease.yaml
@@ -0,0 +1,17 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: userinit-controller
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: crunchy-userinit-controller
+ version: 0.0.4
+ sourceRef:
+ kind: HelmRepository
+ name: crunchy-userinit
+ values:
+ fullnameOverride: crunchy-userinit-controller
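Review bot: `postgresClusterSelector: {}` under `serverGroups` in pgadmin.yaml matches every PostgresCluster in the namespace, so any cluster created later is registered in pgAdmin automatically; that is convenient but worth stating on the line, e.g. `# empty selector: auto-register every PostgresCluster in this namespace`. The server group name `supply` does not correspond to anything visible here — if it is a leftover from a template, a name tied to the cluster or namespace would read better.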
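Review bot: The `crunchy-userinit-controller` chart is pulled at `version: 0.0.4` from an individual's GitHub Pages repository (the HelmRepository in the next file), and a classic HTTP HelmRepository gives Flux no digest or signature to verify, so a republished 0.0.4 would be installed unnoticed; since this controller presumably receives rights to create roles in the PostgresClusters, consider mirroring the chart to a registry you control, or at least reviewing its RBAC once and recording the reviewed chart checksum in a comment above `version`. Stylistically this HelmRelease also lacks the `chart.spec.interval` and the `install`/`upgrade` blocks that the operator HelmRelease in this commit carries.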
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/helmrepository.yaml b/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/helmrepository.yaml
new file mode 100644
index 000000000..ec91f9222
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/helmrepository.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: crunchy-userinit
+spec:
+ interval: 30m
+ url: https://ramblurr.github.io/crunchy-userinit-controller
+ timeout: 3m
diff --git a/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/kustomization.yaml b/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/kustomization.yaml
new file mode 100644
index 000000000..4ceb6e752
--- /dev/null
+++ b/kubernetes/apps/database/crunchy-postgres-operator/userinit-controller/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrepository.yaml
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/emqx/app/emqx/externalsecret.yaml b/kubernetes/apps/database/emqx/app/emqx/externalsecret.yaml
similarity index 96%
rename from kubernetes/apps/default/emqx/app/emqx/externalsecret.yaml
rename to kubernetes/apps/database/emqx/app/emqx/externalsecret.yaml
index f99073d71..44fe6b385 100644
--- a/kubernetes/apps/default/emqx/app/emqx/externalsecret.yaml
+++ b/kubernetes/apps/database/emqx/app/emqx/externalsecret.yaml
@@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
 name: emqx
- namespace: default
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
diff --git a/kubernetes/apps/default/emqx/app/emqx/helmrelease.yaml b/kubernetes/apps/database/emqx/app/emqx/helmrelease.yaml
similarity index 81%
rename from kubernetes/apps/default/emqx/app/emqx/helmrelease.yaml
rename to kubernetes/apps/database/emqx/app/emqx/helmrelease.yaml
index 5bdbf6b6b..5bf80b426 100644
--- a/kubernetes/apps/default/emqx/app/emqx/helmrelease.yaml
+++ b/kubernetes/apps/database/emqx/app/emqx/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
 name: emqx
- namespace: default
 spec:
 interval: 30m
 chart:
@@ -37,12 +36,12 @@ spec:
 EMQX_DASHBOARD__DEFAULT_USERNAME: admin
 service:
 type: LoadBalancer
- loadBalancerIP: 192.168.169.109
+ loadBalancerIP: ${CLUSTER_LB_EMQX}
 externalTrafficPolicy: Local
 ingress:
 dashboard:
 enabled: true
- ingressClassName: nginx
+ ingressClassName: internal
 annotations:
 hajimari.io/appName: "EMQX"
 hajimari.io/icon: simple-icons:eclipsemosquitto
@@ -63,17 +62,6 @@ spec:
 enabled: true
 storageClass: rook-ceph-block
 size: 400Mi
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 100
- podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key: app.kubernetes.io/name
- operator: In
- values: ["emqx"]
- topologyKey: kubernetes.io/hostname
 resources:
 requests:
 cpu: 100m
diff --git a/kubernetes/apps/default/emqx/app/emqx/kustomization.yaml b/kubernetes/apps/database/emqx/app/emqx/kustomization.yaml
similarity index 93%
rename from kubernetes/apps/default/emqx/app/emqx/kustomization.yaml
rename to kubernetes/apps/database/emqx/app/emqx/kustomization.yaml
index ac5ae96e1..d6adbe135 100644
--- a/kubernetes/apps/default/emqx/app/emqx/kustomization.yaml
+++ b/kubernetes/apps/database/emqx/app/emqx/kustomization.yaml
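Review bot: `loadBalancerIP: ${CLUSTER_LB_EMQX}` in the second hunk only resolves if that variable is supplied through the Flux Kustomization's `postBuild` substitution; the emqx `ks.yaml` hunk later in this commit shows no `substitute`/`substituteFrom` (the rest of that file is outside the hunk), and an unresolved `${CLUSTER_LB_EMQX}` is handed to the API server as a literal string and rejected as an invalid IP. The third hunk also removes the `podAntiAffinity` rule; if the release still runs more than one replica (not visible here), its replicas may now be co-scheduled on a single node.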
@@ -2,7 +2,6 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: default
 resources:
 - ./externalsecret.yaml
 - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/emqx/ks.yaml b/kubernetes/apps/database/emqx/ks.yaml
similarity index 69%
rename from kubernetes/apps/default/emqx/ks.yaml
rename to kubernetes/apps/database/emqx/ks.yaml
index 8240dd6dd..a611eea6b 100644
--- a/kubernetes/apps/default/emqx/ks.yaml
+++ b/kubernetes/apps/database/emqx/ks.yaml
@@ -1,19 +1,19 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
 name: &app emqx
 namespace: flux-system
 spec:
- targetNamespace: default
+ targetNamespace: database
 commonMetadata:
 labels:
 app.kubernetes.io/name: *app
 dependsOn:
 - name: rook-ceph-cluster
 - name: external-secrets-stores
- path: ./kubernetes/apps/default/emqx/app
+ path: ./kubernetes/apps/database/emqx/app
 prune: true
 sourceRef:
 kind: GitRepository
diff --git a/kubernetes/apps/database/kustomization.yaml b/kubernetes/apps/database/kustomization.yaml
index 066725dd7..dc5660add 100644
--- a/kubernetes/apps/database/kustomization.yaml
+++ b/kubernetes/apps/database/kustomization.yaml
@@ -6,7 +6,7 @@ resources:
 # Pre Flux-Kustomizations
 - ./namespace.yaml
 # Flux-Kustomizations
- - ./cloudnative-pg/ks.yaml
+ - ./crunchy-postgres-operator/ks.yaml
 - ./dragonfly/ks.yaml
+ - ./emqx/ks.yaml
 - ./influx/ks.yaml
- - ./pgadmin/ks.yaml
diff --git a/kubernetes/apps/database/namespace.yaml b/kubernetes/apps/database/namespace.yaml
index fa8391b51..618beab1d 100644
--- a/kubernetes/apps/database/namespace.yaml
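Review bot: Dropping `./cloudnative-pg/ks.yaml` from a parent Kustomization that has `prune: true` tells Flux to garbage-collect the cloudnative-pg Kustomization and every object it applied, including the Postgres Cluster and, depending on the storage class reclaim policy, its volumes; nothing in this hunk sequences that after the data has been imported into the new crunchy cluster. Consider landing this removal in a follow-up commit once the migration and a final dump are confirmed, or state in the commit message where the last backup lives. The same prune applies to `./pgadmin/ks.yaml`, which this commit replaces with the pgadmin resources under the operator directory.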
+++ b/kubernetes/apps/database/namespace.yaml
@@ -14,7 +14,7 @@ metadata:
 namespace: database
 spec:
 type: alertmanager
- address: http://kube-prometheus-stack-alertmanager.monitoring:9093/api/v2/alerts/
+ address: http://kube-prometheus-stack-alertmanager.observability:9093/api/v2/alerts/
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
 apiVersion: notification.toolkit.fluxcd.io/v1beta3
diff --git a/kubernetes/apps/default/atuin/app/externalsecret.yaml b/kubernetes/apps/default/atuin/app/externalsecret.yaml
deleted file mode 100644
index 1f4d16e6c..000000000
--- a/kubernetes/apps/default/atuin/app/externalsecret.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: atuin
- namespace: default
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword-connect
- target:
- name: atuin-secret
- template:
- engineVersion: v2
- data:
- # App
- ATUIN_DB_URI: "postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres16-rw.database.svc.cluster.local/atuin"
- # Postgres Init
- INIT_POSTGRES_DBNAME: atuin
- INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local
- INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
- INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
- INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- dataFrom:
- - extract:
- key: atuin
- - extract:
- key: cloudnative-pg
diff --git a/kubernetes/apps/default/atuin/app/helmrelease.yaml b/kubernetes/apps/default/atuin/app/helmrelease.yaml
index 28622384c..7b93e9361 100644
--- a/kubernetes/apps/default/atuin/app/helmrelease.yaml
+++ b/kubernetes/apps/default/atuin/app/helmrelease.yaml
@@ -27,32 +27,17 @@ spec:
 values:
 controllers:
 atuin:
- replicas: 2
- strategy: RollingUpdate
 annotations:
 reloader.stakater.com/auto: "true"
- initContainers:
- init-db:
- image:
- repository: ghcr.io/onedr0p/postgres-init
- tag: 16
- envFrom: &envFrom
- - secretRef:
- name: atuin-secret
 containers:
 app:
 image:
- repository: ghcr.io/atuinsh/atuin
- tag: 18.4.0@sha256:8c6fa0aea944bf2a39665c9c69df1c2c0f9c05207bda5b942d450142285e3ee1
+ repository: ghcr.io/onedr0p/atuin-server-sqlite
+ tag: v18.3.0@sha256:9d8e8b983d8a8113d87a72111b158552d49ad050ef98ebfe3e7bdd12a5207466
 env:
 ATUIN_HOST: 0.0.0.0
- ATUIN_PORT: &port 80
+ ATUIN_PORT: &port 8080
 ATUIN_OPEN_REGISTRATION: "true"
- ATUIN_METRICS__ENABLE: "true"
- ATUIN_METRICS__HOST: 0.0.0.0
- ATUIN_METRICS__PORT: &metricsPort 8080
- ATUIN_TLS__ENABLE: "false"
- envFrom: *envFrom
 args: [server, start]
 probes:
 liveness: &probes
@@ -76,35 +61,24 @@ spec:
 cpu: 10m
 limits:
 memory: 256Mi
- pod:
- securityContext:
- runAsUser: 568
- runAsGroup: 568
- runAsNonRoot: true
- fsGroup: 568
- fsGroupChangePolicy: OnRootMismatch
+ defaultPodOptions:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ fsGroupChangePolicy: OnRootMismatch
+ seccompProfile: { type: RuntimeDefault }
 service:
 app:
 controller: *app
 ports:
 http:
 port: *port
- metrics:
- port: *metricsPort
- serviceMonitor:
- app:
- serviceName: *app
- enabled: true
- endpoints:
- - port: metrics
- scheme: http
- path: /metrics
- interval: 1m
- scrapeTimeout: 10s
 ingress:
 app:
 enabled: true
- className: nginx
+ className: internal
 annotations:
 hajimari.io/icon: mdi:powershell
 hosts:
@@ -119,5 +93,4 @@ spec:
 - *host
 persistence:
 config:
- enabled: true
- type: emptyDir
+ existingClaim: atuin
diff --git a/kubernetes/apps/default/atuin/app/kustomization.yaml b/kubernetes/apps/default/atuin/app/kustomization.yaml
index 7b5540eb5..25da0aae3 100644
--- a/kubernetes/apps/default/atuin/app/kustomization.yaml
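Review bot: The image in the first hunk moves from `ghcr.io/atuinsh/atuin` 18.4.0 to `ghcr.io/onedr0p/atuin-server-sqlite` v18.3.0, which is both a change of publisher and a downgrade of the server; if the data on the `atuin` claim was ever written by the newer release, confirm that 18.3.0 can open it, and a short comment above `repository` naming why the sqlite build was chosen would help. The second hunk moves the pod securityContext into `defaultPodOptions`, but the container itself still sets no `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` or `capabilities: { drop: [ALL] }`, unlike bazarr in this same commit; adding that container-level block would bring atuin to the same baseline. Note also that `ATUIN_OPEN_REGISTRATION: "true"` survives the move to the `internal` ingress class, which is presumably intended now that the service is no longer reachable from outside.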
+++ b/kubernetes/apps/default/atuin/app/kustomization.yaml
@@ -4,6 +4,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: default
 resources:
- - ./externalsecret.yaml
 - ./helmrelease.yaml
 - ../../../../templates/gatus/guarded
+ - ../../../../templates/volsync
diff --git a/kubernetes/apps/default/atuin/ks.yaml b/kubernetes/apps/default/atuin/ks.yaml
index 8b56d0fdf..f1381cdfe 100644
--- a/kubernetes/apps/default/atuin/ks.yaml
+++ b/kubernetes/apps/default/atuin/ks.yaml
@@ -10,8 +10,6 @@ spec:
 commonMetadata:
 labels:
 app.kubernetes.io/name: *app
- dependsOn:
- - name: external-secrets-stores
 path: ./kubernetes/apps/default/atuin/app
 prune: true
 sourceRef:
@@ -25,3 +23,4 @@ spec:
 substitute:
 APP: *app
 GATUS_SUBDOMAIN: sh
+ VOLSYNC_CAPACITY: 5Gi
diff --git a/kubernetes/apps/default/authelia/app/externalsecret.yaml b/kubernetes/apps/default/authelia/app/externalsecret.yaml
index 70529115d..bb8fafc62 100644
--- a/kubernetes/apps/default/authelia/app/externalsecret.yaml
+++ b/kubernetes/apps/default/authelia/app/externalsecret.yaml
@@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
 name: authelia
- namespace: default
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
@@ -20,10 +19,6 @@ spec:
 AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: "{{ .AUTHELIA_JWT_SECRET }}"
 AUTHELIA_SESSION_SECRET: "{{ .AUTHELIA_SESSION_SECRET }}"
 AUTHELIA_STORAGE_ENCRYPTION_KEY: "{{ .AUTHELIA_STORAGE_ENCRYPTION_KEY }}"
- AUTHELIA_STORAGE_POSTGRES_ADDRESS: &dbHost postgres16-rw.database.svc.cluster.local
- AUTHELIA_STORAGE_POSTGRES_DATABASE: &dbName authelia
- AUTHELIA_STORAGE_POSTGRES_USERNAME: &dbUser "{{ .AUTHELIA_STORAGE_POSTGRES_USERNAME }}"
- AUTHELIA_STORAGE_POSTGRES_PASSWORD: &dbPass "{{ .AUTHELIA_STORAGE_POSTGRES_PASSWORD }}"
 # AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost
 # AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false"
 OIDC_JWKS_KEY: "{{ .OIDC_JWKS_KEY }}"
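Review bot: Removing `dependsOn: external-secrets-stores` from atuin's `ks.yaml` (first hunk of that file) while the app kustomization in the previous file now pulls in `../../../../templates/volsync` looks inconsistent: in this repository the volsync template presumably carries an ExternalSecret for the restic repository, and bazarr's `ks.yaml` later in this commit depends on both `external-secrets-stores` and `volsync` for the same template. If that holds here too, keep `- name: external-secrets-stores` and add `- name: volsync`, otherwise the Kustomization can be reconciled before the secret store and the volsync CRDs exist.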
@@ -44,18 +39,31 @@ spec:
 WINDMILL_OAUTH_CLIENT_SECRET: "{{ .WINDMILL_OAUTH_CLIENT_SECRET }}"
 WINDMILL_OAUTH_DIGEST: "{{ .WINDMILL_OAUTH_DIGEST }}"
 SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
- # Postgres Init
- INIT_POSTGRES_DBNAME: *dbName
- INIT_POSTGRES_HOST: *dbHost
- INIT_POSTGRES_USER: *dbUser
- INIT_POSTGRES_PASS: *dbPass
- INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
 dataFrom:
 - extract:
 key: authelia
- - extract:
- key: cloudnative-pg
 - extract:
 key: lldap
 - extract:
 key: generic
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: authelia-db
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: crunchy-pgo-secrets
+ target:
+ name: authelia-db-secret
+ template:
+ engineVersion: v2
+ data:
+ AUTHELIA_STORAGE_POSTGRES_DATABASE: '{{ index . "dbname" }}'
+ AUTHELIA_STORAGE_POSTGRES_ADDRESS: 'tcp://{{ index . "host" }}:{{ index . "port" }}'
+ AUTHELIA_STORAGE_POSTGRES_USERNAME: '{{ index . "user" }}'
+ AUTHELIA_STORAGE_POSTGRES_PASSWORD: '{{ index . "password" }}'
+ dataFrom:
+ - extract:
+ key: postgres-pguser-authelia
diff --git a/kubernetes/apps/default/authelia/app/helmrelease.yaml b/kubernetes/apps/default/authelia/app/helmrelease.yaml
index ecde1d441..2a23a5999 100644
--- a/kubernetes/apps/default/authelia/app/helmrelease.yaml
+++ b/kubernetes/apps/default/authelia/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
 name: &app authelia
- namespace: default
 spec:
 interval: 30m
 chart:
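Review bot: The commented lines `# AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost` and `# AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false"` kept in the previous hunk still refer to the `&dbHost` anchor that hunk deletes, so they can no longer simply be uncommented; move them as comments into the new `authelia-db` ExternalSecret next to `AUTHELIA_STORAGE_POSTGRES_ADDRESS`, or drop them. The new `authelia-db` secret, like `bazarr-db` later in this commit, relies on the operator publishing a `postgres-pguser-authelia` Secret with `host`, `port`, `dbname`, `user` and `password` keys, which in turn requires a matching `authelia` user in the PostgresCluster spec (not in this chunk); without it the ExternalSecret stays NotReady and Authelia cannot start, so a comment such as `# requires user "authelia" in the PostgresCluster spec` above `key:` would tie the two together. The address is built as `tcp://` with no TLS keys, so the database connection remains cleartext inside the cluster, as it was before this change.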
@@ -36,27 +35,13 @@ spec:
 securityContext:
 runAsUser: 568
 runAsGroup: 568
- topologySpreadConstraints:
- - maxSkew: 1
- topologyKey: kubernetes.io/hostname
- whenUnsatisfiable: DoNotSchedule
- labelSelector:
- matchLabels:
- app.kubernetes.io/name: *app
 controllers:
 authelia:
 replicas: 2
 strategy: RollingUpdate
 annotations:
 reloader.stakater.com/auto: "true"
- initContainers:
- init-db:
- image:
- repository: ghcr.io/onedr0p/postgres-init
- tag: 16
- envFrom: &envFrom
- - secretRef:
- name: authelia-secret
+ secret.reloader.stakater.com/reload: authelia-db-secret
 containers:
 app:
 image:
@@ -74,7 +59,11 @@ spec:
 AUTHELIA_WEBAUTHN_DISABLE: "true"
 X_AUTHELIA_CONFIG: /config/configuration.yaml
 X_AUTHELIA_CONFIG_FILTERS: template
- envFrom: *envFrom
+ envFrom:
+ - secretRef:
+ name: authelia-secret
+ - secretRef:
+ name: authelia-db-secret
 probes:
 liveness: &probes
 enabled: true
@@ -117,10 +106,8 @@ spec:
 ingress:
 app:
 enabled: true
- className: nginx
+ className: external
 annotations:
- external-dns.alpha.kubernetes.io/enabled: "true"
- external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}.
 nginx.ingress.kubernetes.io/configuration-snippet: |
 add_header Cache-Control "no-store";
 add_header Pragma "no-cache";
diff --git a/kubernetes/apps/default/authelia/app/kustomization.yaml b/kubernetes/apps/default/authelia/app/kustomization.yaml
index 2e5fc2024..3409a00c9 100644
--- a/kubernetes/apps/default/authelia/app/kustomization.yaml
+++ b/kubernetes/apps/default/authelia/app/kustomization.yaml
@@ -2,7 +2,6 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: default
 resources:
 - ./externalsecret.yaml
 - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/authelia/ks.yaml b/kubernetes/apps/default/authelia/ks.yaml
index b66fc3eb8..6aba9f95e 100644
--- a/kubernetes/apps/default/authelia/ks.yaml
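Review bot: The first hunk removes the `topologySpreadConstraints` while keeping `replicas: 2` and `strategy: RollingUpdate`, so both Authelia replicas can now land on the same node and a single node failure takes the SSO portal, and with it every forward-auth protected ingress in this commit, offline; if the hard constraint was dropped because the cluster cannot always satisfy it, a `preferredDuringSchedulingIgnoredDuringExecution` pod anti-affinity keeps the intent without blocking scheduling. The third hunk also deletes the explicit `external-dns` annotations when switching to the `external` class; presumably the class default target now covers this, but it is worth confirming the Authelia DNS record is still created after the change.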
+++ b/kubernetes/apps/default/authelia/ks.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@@ -11,7 +11,7 @@ spec:
 labels:
 app.kubernetes.io/name: *app
 dependsOn:
- - name: cloudnative-pg-cluster
+ - name: crunchy-postgres-operator-cluster
 - name: dragonfly-cluster
 - name: external-secrets-stores
 path: ./kubernetes/apps/default/authelia/app
diff --git a/kubernetes/apps/default/babybuddy/app/externalsecret.yaml b/kubernetes/apps/default/babybuddy/app/externalsecret.yaml
deleted file mode 100644
index 33f43ed05..000000000
--- a/kubernetes/apps/default/babybuddy/app/externalsecret.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: babybuddy
- namespace: default
-spec:
- secretStoreRef:
- kind: ClusterSecretStore
- name: onepassword-connect
- target:
- name: babybuddy-secret
- template:
- engineVersion: v2
- data:
- # App
- DB_NAME: &dbName babybuddy
- DB_HOST: &dbHost postgres16-rw.database.svc.cluster.local
- DB_USER: &dbUser "{{ .POSTGRES_USER }}"
- DB_PASS: &dbPass "{{ .POSTGRES_PASS }}"
- SECRET_KEY: "{{ .BABYBUDDY_SECRET_KEY }}"
- # Postgres Init
- INIT_POSTGRES_DBNAME: *dbName
- INIT_POSTGRES_HOST: *dbHost
- INIT_POSTGRES_USER: *dbUser
- INIT_POSTGRES_PASS: *dbPass
- INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
- INIT_GRANT_SCHEMA_PUBLIC: "true"
-
- dataFrom:
- - extract:
- key: babybuddy
- - extract:
- key: cloudnative-pg
diff --git a/kubernetes/apps/default/bazarr/app/externalsecret.yaml b/kubernetes/apps/default/bazarr/app/externalsecret.yaml
index cda870fd6..687539517 100644
--- a/kubernetes/apps/default/bazarr/app/externalsecret.yaml
+++ b/kubernetes/apps/default/bazarr/app/externalsecret.yaml
@@ -16,20 +16,29 @@ spec:
 data:
 # App
 BAZARR__API_KEY: "{{ .BAZARR__API_KEY }}"
- POSTGRES_ENABLED: "true"
- POSTGRES_DATABASE: &dbName bazarr
- POSTGRES_HOST: &dbHost postgres16-rw.database.svc.cluster.local
- POSTGRES_USERNAME: &dbUser "{{ .POSTGRES_USER }}"
- POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASS }}"
- POSTGRES_PORT: "5432"
- # Postgres Init
- INIT_POSTGRES_DBNAME: *dbName
- INIT_POSTGRES_HOST: *dbHost
- INIT_POSTGRES_USER: *dbUser
- INIT_POSTGRES_PASS: *dbPass
- INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
 dataFrom:
 - extract:
 key: bazarr
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: bazarr-db
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: crunchy-pgo-secrets
+ target:
+ name: bazarr-db-secret
+ template:
+ engineVersion: v2
+ data:
+ POSTGRES_ENABLED: "true"
+ POSTGRES_DATABASE: '{{ index . "dbname" }}'
+ POSTGRES_HOST: '{{ index . "host" }}'
+ POSTGRES_USERNAME: '{{ index . "user" }}'
+ POSTGRES_PASSWORD: '{{ index . "password" }}'
+ POSTGRES_PORT: '{{ index . "port" }}'
+ dataFrom:
 - extract:
- key: cloudnative-pg
+ key: postgres-pguser-bazarr
diff --git a/kubernetes/apps/default/bazarr/app/helmrelease.yaml b/kubernetes/apps/default/bazarr/app/helmrelease.yaml
index 3fa0d0522..4dfa11ba6 100644
--- a/kubernetes/apps/default/bazarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/bazarr/app/helmrelease.yaml
@@ -43,14 +43,7 @@ spec:
 bazarr:
 annotations:
 reloader.stakater.com/auto: "true"
- initContainers:
- init-db:
- image:
- repository: ghcr.io/onedr0p/postgres-init
- tag: 16
- envFrom: &envFrom
- - secretRef:
- name: bazarr-secret
+ secret.reloader.stakater.com/reload: bazarr-db-secret
 containers:
 app:
 image:
@@ -58,11 +51,15 @@ spec:
 tag: 1.5.1@sha256:4f3f5f42e552979d75cf2f168d9f053134eefa11e9e42b4878bded3bb69978d4
 env:
 TZ: "${TIMEZONE}"
- envFrom: *envFrom
+ envFrom:
+ - secretRef:
+ name: bazarr-secret
+ - secretRef:
+ name: bazarr-db-secret
 securityContext:
 allowPrivilegeEscalation: false
 readOnlyRootFilesystem: true
- capabilities: { drop: ["ALL"] }
+ capabilities: { drop: [ALL] }
 probes:
 liveness: &probes
 enabled: true
@@ -101,13 +98,13 @@ spec:
 ingress:
 app:
 enabled: true
- className: nginx
+ className: internal
 annotations:
- # nginx.ingress.kubernetes.io/auth-method: GET
- # nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
- # nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
- # nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
- # nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
+ nginx.ingress.kubernetes.io/auth-method: GET
+ nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
+ nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
+ nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+ nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
 hajimari.io/icon: mdi:subtitles-outline
 gethomepage.dev/enabled: "true"
 gethomepage.dev/group: Media
@@ -146,6 +143,6 @@ spec:
 enabled: true
 type: configMap
 name: bazarr-scripts # overriden by kustomizeconfig
- defaultMode: 0775
+ defaultMode: 0775 # trunk-ignore(yamllint/octal-values)
 globalMounts:
 - path: /scripts
diff --git a/kubernetes/apps/default/bazarr/ks.yaml b/kubernetes/apps/default/bazarr/ks.yaml
index e36b4ff3e..0f3d85afb 100644
--- a/kubernetes/apps/default/bazarr/ks.yaml
+++ b/kubernetes/apps/default/bazarr/ks.yaml
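Review bot: The second hunk enables the Authelia forward-auth annotations that were previously commented out (exercisediary later in this commit receives the same set), which is the right direction for an internally exposed app; note that `nginx.ingress.kubernetes.io/auth-snippet` only takes effect when the ingress-nginx controller runs with `allow-snippet-annotations: "true"`, and in recent controller versions the admission webhook rejects an Ingress carrying snippet annotations otherwise, so this should be checked on the `internal` controller before relying on it. The `auth-url` also targets Authelia's `/api/verify` endpoint, which Authelia's documentation now lists as legacy in favour of `/api/authz/forward-auth` for ingress-nginx; since the same annotation set is copied across several apps, migrating it once and keeping a single source for it would avoid drift.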
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@@ -11,7 +11,9 @@ spec:
 labels:
 app.kubernetes.io/name: *app
 dependsOn:
+ - name: crunchy-postgres-operator-cluster
 - name: external-secrets-stores
+ - name: rook-ceph-cluster
 - name: volsync
 path: ./kubernetes/apps/default/bazarr/app
 prune: true
diff --git a/kubernetes/apps/default/calibre/app/helmrelease.yaml b/kubernetes/apps/default/calibre/app/helmrelease.yaml
index 37535d5e8..c68dbab8e 100644
--- a/kubernetes/apps/default/calibre/app/helmrelease.yaml
+++ b/kubernetes/apps/default/calibre/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
 name: &app calibre
- namespace: default
 spec:
 interval: 30m
 chart:
@@ -54,7 +53,7 @@ spec:
 ingress:
 app:
 enabled: true
- className: nginx
+ className: internal
 annotations:
 nginx.ingress.kubernetes.io/auth-method: GET
 nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
diff --git a/kubernetes/apps/default/calibre/ks.yaml b/kubernetes/apps/default/calibre/ks.yaml
index 6a231fea1..736befe63 100644
--- a/kubernetes/apps/default/calibre/ks.yaml
+++ b/kubernetes/apps/default/calibre/ks.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
diff --git a/kubernetes/apps/default/exercisediary/app/helmrelease.yaml b/kubernetes/apps/default/exercisediary/app/helmrelease.yaml
index eae2faa7a..cc9d14405 100644
--- a/kubernetes/apps/default/exercisediary/app/helmrelease.yaml
+++ b/kubernetes/apps/default/exercisediary/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
 name: &app exercisediary
- namespace: default
 spec:
 interval: 30m
 chart:
@@ -38,8 +37,8 @@ spec:
 env:
 TZ: "${TIMEZONE}"
 PORT: &port 8851
- THEME: "darkly" # optional, default: grass
- COLOR: "dark" # optional, default: light
+ THEME: darkly # optional, default: grass
+ COLOR: dark # optional, default: light
 resources:
 requests:
 cpu: 100m
@@ -55,8 +54,13 @@ spec:
 ingress:
 app:
 enabled: true
- className: nginx
+ className: internal
 annotations:
+ nginx.ingress.kubernetes.io/auth-method: GET
+ nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
+ nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
+ nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+ nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
 hajimari.io/icon: mdi:radio
 gethomepage.dev/enabled: "true"
 gethomepage.dev/name: exercisediary
diff --git a/kubernetes/apps/default/exercisediary/ks.yaml b/kubernetes/apps/default/exercisediary/ks.yaml
index 11f699e58..5091d6af5 100644
--- a/kubernetes/apps/default/exercisediary/ks.yaml
+++ b/kubernetes/apps/default/exercisediary/ks.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
diff --git a/kubernetes/apps/default/flaresolverr/ks.yaml b/kubernetes/apps/default/flaresolverr/ks.yaml
index 06f0a59c6..f4d67f64b 100644
--- a/kubernetes/apps/default/flaresolverr/ks.yaml
+++ b/kubernetes/apps/default/flaresolverr/ks.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
diff --git a/kubernetes/apps/default/flood/app/externalsecret.yaml b/kubernetes/apps/default/flood/app/externalsecret.yaml
index 2b4aaf755..99467a515 100644
--- a/kubernetes/apps/default/flood/app/externalsecret.yaml
+++ b/kubernetes/apps/default/flood/app/externalsecret.yaml
@@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1
 kind: ExternalSecret
 metadata:
 name: flood
- namespace: default
 spec:
 secretStoreRef:
 kind: ClusterSecretStore
diff --git a/kubernetes/apps/default/flood/app/helmrelease.yaml b/kubernetes/apps/default/flood/app/helmrelease.yaml
index 839e361b3..74145b8a8 100644
--- a/kubernetes/apps/default/flood/app/helmrelease.yaml
+++ b/kubernetes/apps/default/flood/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
 name: &app flood
- namespace: default
 spec:
 interval: 30m
 chart:
@@ -65,7 +64,7 @@ spec:
 ingress:
 app:
 enabled: true
- className: nginx
+ className: internal
 annotations:
 nginx.ingress.kubernetes.io/auth-method: GET
 nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
diff --git a/kubernetes/apps/default/flood/app/kustomization.yaml b/kubernetes/apps/default/flood/app/kustomization.yaml
index 48e972b27..5d04acddd 100644
--- a/kubernetes/apps/default/flood/app/kustomization.yaml
+++ b/kubernetes/apps/default/flood/app/kustomization.yaml
@@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/flood/ks.yaml b/kubernetes/apps/default/flood/ks.yaml
index 8adbc9b7e..5dba5c38f 100644
--- a/kubernetes/apps/default/flood/ks.yaml
+++ b/kubernetes/apps/default/flood/ks.yaml
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata:
diff --git a/kubernetes/apps/default/freshrss/app/externalsecret.yaml b/kubernetes/apps/default/freshrss/app/externalsecret.yaml
index 81e5f8af8..94e68e535 100644
--- a/kubernetes/apps/default/freshrss/app/externalsecret.yaml
+++ b/kubernetes/apps/default/freshrss/app/externalsecret.yaml
@@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: freshrss - namespace: default spec: secretStoreRef: kind: ClusterSecretStore
@@ -14,15 +13,8 @@ spec: template: engineVersion: v2 data: - # App OIDC_CLIENT_SECRET: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}" FRESHRSS_OIDC_CLIENT_CRYPTO_KEY: "{{ .FRESHRSS_OIDC_CLIENT_CRYPTO_KEY}}" - # Postgres Init - INIT_POSTGRES_DBNAME: freshrss - INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local - INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}" - INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}" - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: key: authelia
diff --git a/kubernetes/apps/default/freshrss/app/helmrelease.yaml b/kubernetes/apps/default/freshrss/app/helmrelease.yaml
index e25c5e739..95b61db0a 100644
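Review bot: Dropping `namespace: default` from the flood kustomization.yaml, together with the `metadata.namespace` removals in the flood ExternalSecret and HelmRelease, leaves those objects with no namespace of their own, and the only ks.yaml in this diff that visibly adds `targetNamespace: default` is hajimari's; flood's ks.yaml hunk changes nothing but the schema comment. Unless that Flux Kustomization already carries `targetNamespace` outside the visible hunk, the namespace these objects land in is now decided by the controller rather than by the manifest, and the HelmRelease could end up apart from the Secret it references by name. The same removal appears in the freshrss, ghostfolio, hajimari, home-assistant, homebox, homepage, joplin and libmedium kustomization.yaml hunks. A one-line comment at the top of each, `# namespace comes from targetNamespace in ../ks.yaml`, would document the intent once the ks.yaml side is confirmed.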
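Review bot: The freshrss-secret loses its INIT_POSTGRES_* entries in the `@@ -14,15 +13,8 @@` hunk but, unlike ghostfolio, home-assistant, joplin and lidarr in this diff, no replacement `freshrss-db` ExternalSecret sourced from `crunchy-pgo-secrets` is added, and the freshrss helmrelease hunks on the next line now wire only `freshrss-secret` into the container. If FreshRSS keeps its database settings in its persisted configuration after first install this may be deliberate, but nothing in the diff records that, and the removed lines were the only place the database host was named. A short comment in the `data:` block, e.g. `# database connection is not provisioned here; FreshRSS keeps it in its persisted config`, or the missing `freshrss-db` document, would close the gap.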
--- a/kubernetes/apps/default/freshrss/app/helmrelease.yaml
+++ b/kubernetes/apps/default/freshrss/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app freshrss - namespace: default spec: interval: 30m chart:
@@ -33,14 +32,6 @@ spec: annotations: reloader.stakater.com/auto: "true" secret.reloader.stakater.com/reload: authelia-secret - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: freshrss-secret containers: app: image:
@@ -56,7 +47,9 @@ spec: OIDC_REMOTE_USER_CLAIM: preferred_username OIDC_SCOPES: openid groups email profile OIDC_X_FORWARDED_HEADERS: X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto - envFrom: *envFrom + envFrom: + - secretRef: + name: freshrss-secret resources: requests: cpu: 50m
@@ -70,7 +63,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: hajimari.io/icon: mdi:rss gethomepage.dev/enabled: "true"
diff --git a/kubernetes/apps/default/freshrss/app/kustomization.yaml b/kubernetes/apps/default/freshrss/app/kustomization.yaml
index 48e972b27..5d04acddd 100644
--- a/kubernetes/apps/default/freshrss/app/kustomization.yaml
+++ b/kubernetes/apps/default/freshrss/app/kustomization.yaml
@@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/freshrss/ks.yaml b/kubernetes/apps/default/freshrss/ks.yaml
index 14e7f24ef..8496e9836 100644
--- a/kubernetes/apps/default/freshrss/ks.yaml
+++ b/kubernetes/apps/default/freshrss/ks.yaml
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata:
diff --git a/kubernetes/apps/default/frigate/app/config/config.yml b/kubernetes/apps/default/frigate/app/config/config.yml
index d8d36d857..eba156bad 100644
--- a/kubernetes/apps/default/frigate/app/config/config.yml
+++ b/kubernetes/apps/default/frigate/app/config/config.yml
@@ -11,7 +11,7 @@ tls: enabled: false mqtt: - host: emqx.default.svc.cluster.local + host: emqx.database.svc.cluster.local topic_prefix: frigate user: "{FRIGATE_MQTT_USERNAME}" password: "{FRIGATE_MQTT_PASSWORD}"
diff --git a/kubernetes/apps/default/frigate/app/helmrelease.yaml b/kubernetes/apps/default/frigate/app/helmrelease.yaml
index ca8446bc4..962d43fda 100644
--- a/kubernetes/apps/default/frigate/app/helmrelease.yaml
+++ b/kubernetes/apps/default/frigate/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app frigate - namespace: default spec: interval: 30m chart:
@@ -30,7 +29,7 @@ spec: - name: intel-device-plugin-gpu namespace: kube-system - name: emqx - namespace: default + namespace: database - name: rook-ceph-cluster namespace: rook-ceph - name: volsync
@@ -85,7 +84,7 @@ spec: controller: *app type: LoadBalancer externalTrafficPolicy: Local - loadBalancerIP: 192.168.169.114 + loadBalancerIP: ${CLUSTER_LB_FRIGATE} ports: http: port: *port
@@ -112,7 +111,7 @@ spec: app in ( frigate ) - className: nginx + className: internal hosts: - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" paths:
diff --git a/kubernetes/apps/default/frigate/ks.yaml b/kubernetes/apps/default/frigate/ks.yaml
index be77d6588..40cc2f7b9 100644
--- a/kubernetes/apps/default/frigate/ks.yaml
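Review bot: `loadBalancerIP: ${CLUSTER_LB_FRIGATE}` in the frigate helmrelease `@@ -85,7 +84,7 @@` hunk makes the pinned address depend on a Flux post-build variable that has to exist in the Kustomization's substituteFrom sources; if it is missing, the field is either left as the literal placeholder or emptied depending on the controller's strict-substitution setting, and in both cases the Service silently stops claiming the fixed address the previous literal guaranteed. Frigate's ks.yaml hunk on the next line changes only the schema comment, so I cannot see where the variable is defined. A comment on the line, `# CLUSTER_LB_FRIGATE is defined in <substituteFrom source named in ks.yaml>`, with the real source name, would make the dependency visible. Replacing the literal address with a variable is otherwise a welcome change, since it keeps the LAN addressing out of the per-app manifests.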
+++ b/kubernetes/apps/default/frigate/ks.yaml
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata:
diff --git a/kubernetes/apps/default/ghostfolio/app/externalsecret.yaml b/kubernetes/apps/default/ghostfolio/app/externalsecret.yaml
index 965bc1d77..ab28fa6fc 100644
--- a/kubernetes/apps/default/ghostfolio/app/externalsecret.yaml
+++ b/kubernetes/apps/default/ghostfolio/app/externalsecret.yaml
@@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: ghostfolio - namespace: default spec: secretStoreRef: kind: ClusterSecretStore
@@ -14,18 +13,26 @@ spec: template: engineVersion: v2 data: - # App ACCESS_TOKEN_SALT: "{{ .GHOSTFOLIO_ACCESS_TOKEN_SALT }}" - DATABASE_URL: postgresql://{{ .POSTGRES_USERNAME }}:{{ .POSTGRES_PASSWORD }}@postgres16-rw.database.svc.cluster.local:5432/ghostfolio JWT_SECRET_KEY: "{{ .GHOSTFOLIO_JWT_SECRET_KEY }}" - # Postgres Init - INIT_POSTGRES_DBNAME: ghostfolio - INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local - INIT_POSTGRES_USER: "{{ .POSTGRES_USERNAME }}" - INIT_POSTGRES_PASS: "{{ .POSTGRES_PASSWORD }}" - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - - extract: - key: cloudnative-pg - extract: key: ghostfolio +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: ghostfolio-db +spec: + secretStoreRef: + kind: ClusterSecretStore + name: crunchy-pgo-secrets + target: + name: ghostfolio-db-secret + template: + engineVersion: v2 + data: + DATABASE_URL: postgresql://{{ index . "user" }}:{{ index . "password" }}@{{ index . "host" }}:{{ index . "port" }}/{{ index . "dbname" }} + dataFrom: + - extract: + key: postgres-pguser-ghostfolio
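Review bot: The `DATABASE_URL` in the new ghostfolio-db document carries no TLS parameter, whereas the equivalent joplin connection string in this diff appends `?sslmode=require`; with no explicit mode the driver decides whether the password travels in the clear to the Postgres host, and if the Crunchy cluster only accepts TLS the requirement is an invisible property of the server rather than of this manifest. Appending `?sslmode=require` (or `verify-full` once the cluster CA is mounted) keeps the two apps consistent. The password is also spliced into the URL without percent-encoding, so a generated password containing reserved URL characters would break the string; the pguser secret's ready-made `uri` key avoids both issues if Ghostfolio accepts it as-is. The document further lacks the `# yaml-language-server` schema comment its home-assistant-db counterpart carries.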
diff --git a/kubernetes/apps/default/ghostfolio/app/helmrelease.yaml b/kubernetes/apps/default/ghostfolio/app/helmrelease.yaml
index 0f7acd8e1..5eaf3dcd2 100644
--- a/kubernetes/apps/default/ghostfolio/app/helmrelease.yaml
+++ b/kubernetes/apps/default/ghostfolio/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app ghostfolio - namespace: default spec: interval: 30m chart:
@@ -33,14 +32,7 @@ spec: strategy: RollingUpdate annotations: reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: ghostfolio-secret + secret.reloader.stakater.com/reload: ghostfolio-db-secret containers: app: image:
@@ -50,7 +42,11 @@ spec: NODE_ENV: production REDIS_HOST: dragonfly.database.svc.cluster.local. REDIS_PORT: 6379 - envFrom: *envFrom + envFrom: + - secretRef: + name: ghostfolio-secret + - secretRef: + name: ghostfolio-db-secret probes: liveness: &probes enabled: true
@@ -79,12 +75,12 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: hajimari.io/icon: mdi:cash-multiple gethomepage.dev/enabled: "true" gethomepage.dev/name: Ghostfolio - gethomepage.dev/description: NVR with realtime local object detection for IP cameras + gethomepage.dev/description: Open Source Wealth Management Software gethomepage.dev/group: Applications gethomepage.dev/icon: ghostfolio.png gethomepage.dev/pod-selector: >-
diff --git a/kubernetes/apps/default/ghostfolio/app/kustomization.yaml b/kubernetes/apps/default/ghostfolio/app/kustomization.yaml
index f8c2e193c..f641102c1 100644
--- a/kubernetes/apps/default/ghostfolio/app/kustomization.yaml
+++ b/kubernetes/apps/default/ghostfolio/app/kustomization.yaml
@@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/ghostfolio/ks.yaml b/kubernetes/apps/default/ghostfolio/ks.yaml
index 22a3a9aaa..f56947bf8 100644
--- a/kubernetes/apps/default/ghostfolio/ks.yaml
+++ b/kubernetes/apps/default/ghostfolio/ks.yaml
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata:
@@ -16,6 +16,7 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: + - name: crunchy-postgres-operator-cluster - name: external-secrets-stores - name: dragonfly-cluster wait: false
diff --git a/kubernetes/apps/default/hajimari/app/helmrelease.yaml b/kubernetes/apps/default/hajimari/app/helmrelease.yaml
index 14f9495bc..7f27242f3 100644
--- a/kubernetes/apps/default/hajimari/app/helmrelease.yaml
+++ b/kubernetes/apps/default/hajimari/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: hajimari - namespace: default spec: interval: 30m chart:
@@ -30,7 +29,7 @@ spec: controller: strategy: RollingUpdate podAnnotations: - configmap.reloader.stakater.com/reload: "hajimari-settings" + configmap.reloader.stakater.com/reload: hajimari-settings env: TZ: ${TIMEZONE} hajimari:
@@ -50,8 +49,8 @@ spec: matchNames: - default - flux-system - - monitoring - - networking + - observability + - network - rook-ceph customApps: - group: servers
@@ -86,11 +85,11 @@ spec: ingress: app: enabled: true - ingressClassName: nginx + ingressClassName: internal annotations: hajimari.io/enable: "false" - hajimari.io/icon: "weather-sunset" - hajimari.io/instance: "admin" + hajimari.io/icon: weather-sunset + hajimari.io/instance: admin hosts: - host: &host apps.${SECRET_EXTERNAL_DOMAIN} paths:
diff --git a/kubernetes/apps/default/hajimari/app/kustomization.yaml b/kubernetes/apps/default/hajimari/app/kustomization.yaml
index 839d732b8..f5bc67592 100644
--- a/kubernetes/apps/default/hajimari/app/kustomization.yaml
+++ b/kubernetes/apps/default/hajimari/app/kustomization.yaml
@@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./helmrelease.yaml - ../../../../templates/gatus/guarded
diff --git a/kubernetes/apps/default/hajimari/ks.yaml b/kubernetes/apps/default/hajimari/ks.yaml
index 2236e927e..b9a5db6ad 100644
--- a/kubernetes/apps/default/hajimari/ks.yaml
+++ b/kubernetes/apps/default/hajimari/ks.yaml
@@ -1,11 +1,12 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: &app hajimari namespace: flux-system spec: + targetNamespace: default commonMetadata: labels: app.kubernetes.io/name: *app
diff --git a/kubernetes/apps/default/home-assistant/app/externalsecret.yaml b/kubernetes/apps/default/home-assistant/app/externalsecret.yaml
index 6783f8980..f5a110a86 100644
--- a/kubernetes/apps/default/home-assistant/app/externalsecret.yaml
+++ b/kubernetes/apps/default/home-assistant/app/externalsecret.yaml
@@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: home-assistant - namespace: default spec: secretStoreRef: kind: ClusterSecretStore
@@ -14,21 +13,30 @@ spec: template: engineVersion: v2 data: - # App HASS_SECRET_ELEVATION: "{{ .HASS_ELEVATION }}" HASS_SECRET_LATITUDE: "{{ .HASS_LATITUDE }}" HASS_SECRET_LONGITUDE: "{{ .HASS_LONGITUDE }}" - HASS_SECRET_DB_URL: "postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres16-rw.database.svc.cluster.local/home_assistant" HASS_SECRET_URL: "{{ .HASS_URL }}" PROMETHEUS_TOKEN: "{{ .PROMETHEUS_TOKEN }}" - # Postgres Init - INIT_POSTGRES_DBNAME: home_assistant - INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local - INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}" - INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}" - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - - extract: - key: cloudnative-pg - extract: key: home-assistant +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: home-assistant-db +spec: + secretStoreRef: + kind: ClusterSecretStore + name: crunchy-pgo-secrets + target: + name: home-assistant-db-secret + template: + engineVersion: v2 + data: + HASS_SECRET_DB_URL: 'postgres://{{ index . "user" }}:{{ index . "password" }}@{{ index . "host" }}/{{ index . "dbname" }}' + dataFrom: + - extract: + key: postgres-pguser-home-assistant
diff --git a/kubernetes/apps/default/home-assistant/app/helmrelease.yaml b/kubernetes/apps/default/home-assistant/app/helmrelease.yaml
index e228ed411..f69cce442 100644
--- a/kubernetes/apps/default/home-assistant/app/helmrelease.yaml
+++ b/kubernetes/apps/default/home-assistant/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app home-assistant - namespace: default spec: interval: 30m chart:
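Review bot: `HASS_SECRET_DB_URL` in the new home-assistant-db document switches the scheme from the previous `postgresql://` to `postgres://`; Home Assistant's recorder hands this URL to SQLAlchemy, which dropped the `postgres` dialect alias in its 1.4 release, so the recorder may refuse to start with the new string unless something upstream rewrites it. Keeping the scheme the removed line used is the safe fix: `HASS_SECRET_DB_URL: 'postgresql://{{ index . "user" }}:{{ index . "password" }}@{{ index . "host" }}/{{ index . "dbname" }}'`. The URL also omits `{{ index . "port" }}`, which the ghostfolio and joplin strings in this diff include, and like ghostfolio's it sets no `sslmode`; adding both keeps the three connection strings consistent.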
@@ -40,14 +39,7 @@ spec: home-assistant: annotations: reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: home-assistant-secret + secret.reloader.stakater.com/reload: home-assistant-db-secret containers: app: image:
@@ -55,9 +47,11 @@ spec: tag: 2024.12.5@sha256:638e519c874a06389ce6f03e435dd80a6697e8692eac88b459775839410f3439 env: TZ: "${TIMEZONE}" - POSTGRES_HOST: ${POSTGRES_HOST} - POSTGRES_DB: home_assistant - envFrom: *envFrom + envFrom: + - secretRef: + name: home-assistant-secret + - secretRef: + name: home-assistant-db-secret probes: liveness: enabled: false
@@ -85,7 +79,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: hajimari.io/icon: mdi:home-assistant hosts:
diff --git a/kubernetes/apps/default/home-assistant/app/kustomization.yaml b/kubernetes/apps/default/home-assistant/app/kustomization.yaml
index c6ffe4e11..91837f11e 100644
--- a/kubernetes/apps/default/home-assistant/app/kustomization.yaml
+++ b/kubernetes/apps/default/home-assistant/app/kustomization.yaml
@@ -1,7 +1,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/home-assistant/app/podmonitor.yaml b/kubernetes/apps/default/home-assistant/app/podmonitor.yaml
index e6a20287e..49a09909c 100644
--- a/kubernetes/apps/default/home-assistant/app/podmonitor.yaml
+++ b/kubernetes/apps/default/home-assistant/app/podmonitor.yaml
@@ -3,7 +3,6 @@ apiVersion: monitoring.coreos.com/v1 kind: PodMonitor metadata: name: home-assistant - namespace: default spec: podMetricsEndpoints: - interval: 1m
diff --git a/kubernetes/apps/default/home-assistant/code/helmrelease.yaml b/kubernetes/apps/default/home-assistant/code/helmrelease.yaml
index 5b410ec7c..0349ec53e 100644
--- a/kubernetes/apps/default/home-assistant/code/helmrelease.yaml
+++ b/kubernetes/apps/default/home-assistant/code/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app home-assistant-code - namespace: default spec: interval: 30m chart:
@@ -76,7 +75,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal hosts: - host: &host hass-code.${SECRET_EXTERNAL_DOMAIN} paths:
diff --git a/kubernetes/apps/default/home-assistant/ks.yaml b/kubernetes/apps/default/home-assistant/ks.yaml
index d355229b7..3694b282b 100644
--- a/kubernetes/apps/default/home-assistant/ks.yaml
+++ b/kubernetes/apps/default/home-assistant/ks.yaml
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata:
@@ -11,6 +11,7 @@ spec: labels: app.kubernetes.io/name: *app dependsOn: + - name: crunchy-postgres-operator-cluster - name: external-secrets-stores - name: volsync path: ./kubernetes/apps/default/home-assistant/app
@@ -28,7 +29,7 @@ spec: GATUS_SUBDOMAIN: hass VOLSYNC_CAPACITY: 5Gi --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata:
@@ -39,6 +40,8 @@ spec: commonMetadata: labels: app.kubernetes.io/name: &app home-assistant + dependsOn: + - name: home-assistant path: ./kubernetes/apps/default/home-assistant/code prune: true sourceRef:
diff --git a/kubernetes/apps/default/homebox/app/helmrelease.yaml b/kubernetes/apps/default/homebox/app/helmrelease.yaml
index cb5861b55..27093a2ac 100644
--- a/kubernetes/apps/default/homebox/app/helmrelease.yaml
+++ b/kubernetes/apps/default/homebox/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app homebox - namespace: default spec: interval: 30m chart:
@@ -55,7 +54,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: hajimari.io/enable: "true" hajimari.io/appName: *app
diff --git a/kubernetes/apps/default/homebox/app/kustomization.yaml b/kubernetes/apps/default/homebox/app/kustomization.yaml
index 35ff57401..fd54ff7cc 100644
--- a/kubernetes/apps/default/homebox/app/kustomization.yaml
+++ b/kubernetes/apps/default/homebox/app/kustomization.yaml
@@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./helmrelease.yaml - ../../../../templates/gatus/guarded
diff --git a/kubernetes/apps/default/homebox/ks.yaml b/kubernetes/apps/default/homebox/ks.yaml
index 04eadac1d..77d14e8fe 100644
--- a/kubernetes/apps/default/homebox/ks.yaml
+++ b/kubernetes/apps/default/homebox/ks.yaml
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata:
diff --git a/kubernetes/apps/default/homepage/app/externalsecret.yaml b/kubernetes/apps/default/homepage/app/externalsecret.yaml
index 224794c3a..25096d85f 100644
--- a/kubernetes/apps/default/homepage/app/externalsecret.yaml
+++ b/kubernetes/apps/default/homepage/app/externalsecret.yaml
@@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: homepage - namespace: default spec: secretStoreRef: kind: ClusterSecretStore
diff --git a/kubernetes/apps/default/homepage/app/helmrelease.yaml b/kubernetes/apps/default/homepage/app/helmrelease.yaml
index 7907edbec..535d2ca26 100644
--- a/kubernetes/apps/default/homepage/app/helmrelease.yaml
+++ b/kubernetes/apps/default/homepage/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app homepage - namespace: default spec: interval: 30m chart:
@@ -67,7 +66,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal hosts: - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" paths:
diff --git a/kubernetes/apps/default/homepage/app/kustomization.yaml b/kubernetes/apps/default/homepage/app/kustomization.yaml
index 48d779ab2..0bd54a1ac 100644
--- a/kubernetes/apps/default/homepage/app/kustomization.yaml
+++ b/kubernetes/apps/default/homepage/app/kustomization.yaml
@@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/homepage/ks.yaml b/kubernetes/apps/default/homepage/ks.yaml
index 36422e899..1086bc87c 100644
--- a/kubernetes/apps/default/homepage/ks.yaml
+++ b/kubernetes/apps/default/homepage/ks.yaml
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata:
diff --git a/kubernetes/apps/default/jellyfin/app/helmrelease.yaml b/kubernetes/apps/default/jellyfin/app/helmrelease.yaml
index c8ea36442..f781c1560 100644
--- a/kubernetes/apps/default/jellyfin/app/helmrelease.yaml
+++ b/kubernetes/apps/default/jellyfin/app/helmrelease.yaml
@@ -109,10 +109,8 @@ spec: ingress: app: enabled: true - className: nginx + className: external annotations: - external-dns.alpha.kubernetes.io/enabled: "true" - external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}. hajimari.io/icon: simple-icons:jellyfin hosts: - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
diff --git a/kubernetes/apps/default/jellyfin/ks.yaml b/kubernetes/apps/default/jellyfin/ks.yaml
index 483d63834..54e020ddd 100644
--- a/kubernetes/apps/default/jellyfin/ks.yaml
+++ b/kubernetes/apps/default/jellyfin/ks.yaml
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata:
diff --git a/kubernetes/apps/default/joplin/app/externalsecret.yaml b/kubernetes/apps/default/joplin/app/externalsecret.yaml
index 41c5cd9c9..efe671bb7 100644
--- a/kubernetes/apps/default/joplin/app/externalsecret.yaml
+++ b/kubernetes/apps/default/joplin/app/externalsecret.yaml
@@ -1,29 +1,20 @@ --- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: joplin - namespace: default spec: secretStoreRef: kind: ClusterSecretStore - name: onepassword-connect + name: crunchy-pgo-secrets target: name: joplin-secret template: engineVersion: v2 data: - # App - POSTGRES_CONNECTION_STRING: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASSWORD }}@postgres16-rw.database.svc.cluster.local:5432/joplin - # Postgres Init - INIT_POSTGRES_DBNAME: joplin - INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local - INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}" - INIT_POSTGRES_PASS: "{{ .POSTGRES_PASSWORD }}" - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" + DB_CLIENT: pg + POSTGRES_CONNECTION_STRING: postgresql://{{ index . "user" }}:{{ index . "password" }}@{{ index . "host" }}:{{ index . "port" }}/{{ index . "dbname" }}?sslmode=require + NODE_TLS_REJECT_UNAUTHORIZED: "0" dataFrom: - extract: - key: cloudnative-pg - - extract: - key: joplin + key: postgres-pguser-joplin
diff --git a/kubernetes/apps/default/joplin/app/helmrelease.yaml b/kubernetes/apps/default/joplin/app/helmrelease.yaml
index 24ef0fe03..309cbfba0 100644
--- a/kubernetes/apps/default/joplin/app/helmrelease.yaml
+++ b/kubernetes/apps/default/joplin/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app joplin - namespace: default spec: interval: 30m chart:
@@ -33,14 +32,7 @@ spec: strategy: RollingUpdate annotations: reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: joplin-secret + secret.reloader.stakater.com/reload: joplin-db-secret containers: app: image:
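Review bot: `NODE_TLS_REJECT_UNAUTHORIZED: "0"` in the joplin ExternalSecret is a process-wide switch: it disables certificate verification for every TLS connection the Joplin server makes, not only the Postgres one it was added for, so the `?sslmode=require` on the connection string buys encryption but no authentication of the peer, and outbound mail or HTTP calls lose verification as well. The better-scoped fix is to hand the client the cluster's CA instead of switching checks off: mount the Crunchy cluster CA certificate, reference it from the connection string with `sslrootcert=<mounted CA path>` and `sslmode=verify-full`, and drop the env var. If the shortcut has to stay for now, a comment such as `# TODO: replace with sslrootcert once the PGO CA is mounted; this disables TLS verification process-wide` records the debt. The relocated `DB_CLIENT: pg` is not secret material and sat more naturally in the HelmRelease `env:` it was removed from.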
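Review bot: The new `secret.reloader.stakater.com/reload: joplin-db-secret` annotation in the joplin helmrelease `@@ -33,14 +32,7 @@` hunk names a Secret that does not exist anywhere in this diff: the joplin ExternalSecret above keeps its target as `joplin-secret`, and the `envFrom` in the next hunk references `joplin-secret` too. `reloader.stakater.com/auto` may still pick up the envFrom reference, but the dangling name is misleading and differs from the ghostfolio and home-assistant pattern, where the annotation and the `*-db-secret` target match. Either change the line to `secret.reloader.stakater.com/reload: joplin-secret` or split the database credentials into a `joplin-db` ExternalSecret targeting `joplin-db-secret` as the other two apps do.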
@@ -49,14 +41,15 @@ spec: env: APP_BASE_URL: https://joplin.${SECRET_EXTERNAL_DOMAIN} APP_PORT: &port 8080 - DB_CLIENT: pg MAILER_ENABLED: 1 MAILER_HOST: smtp-relay.default.svc.cluster.local. MAILER_PORT: 2525 MAILER_SECURITY: none MAILER_NOREPLY_NAME: JoplinServer MAILER_NOREPLY_EMAIL: joplin@${SECRET_DOMAIN} - envFrom: *envFrom + envFrom: + - secretRef: + name: joplin-secret resources: requests: cpu: 50m
@@ -70,10 +63,8 @@ spec: ingress: app: enabled: true - className: nginx + className: external annotations: - external-dns.alpha.kubernetes.io/enabled: "true" - external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}. hajimari.io/icon: mdi:text gethomepage.dev/enabled: "true" gethomepage.dev/name: Joplin
diff --git a/kubernetes/apps/default/joplin/app/kustomization.yaml b/kubernetes/apps/default/joplin/app/kustomization.yaml
index c067a3946..66e65aa34 100644
--- a/kubernetes/apps/default/joplin/app/kustomization.yaml
+++ b/kubernetes/apps/default/joplin/app/kustomization.yaml
@@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/joplin/ks.yaml b/kubernetes/apps/default/joplin/ks.yaml
index ec9b40296..25a0fa42d 100644
--- a/kubernetes/apps/default/joplin/ks.yaml
+++ b/kubernetes/apps/default/joplin/ks.yaml
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata:
@@ -16,6 +16,7 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: + - name: crunchy-postgres-operator-cluster - name: external-secrets-stores wait: false interval: 30m
diff --git a/kubernetes/apps/default/komf/ks.yaml b/kubernetes/apps/default/komf/ks.yaml
index 4c47de685..21e2b8c0e 100644
--- a/kubernetes/apps/default/komf/ks.yaml
+++ b/kubernetes/apps/default/komf/ks.yaml
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata:
diff --git a/kubernetes/apps/default/komga/app/helmrelease.yaml b/kubernetes/apps/default/komga/app/helmrelease.yaml
index c7b7b9557..37e78062f 100644
--- a/kubernetes/apps/default/komga/app/helmrelease.yaml
+++ b/kubernetes/apps/default/komga/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app komga - namespace: default spec: interval: 30m chart:
@@ -55,6 +54,7 @@ spec: ingress: app: enabled: true + className: internal annotations: hajimari.io/icon: mdi:ideogram-cjk-variant gethomepage.dev/enabled: "true"
@@ -66,7 +66,6 @@ spec: app in ( komga ) - className: nginx hosts: - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" paths:
diff --git a/kubernetes/apps/default/komga/ks.yaml b/kubernetes/apps/default/komga/ks.yaml
index e735aaded..63402b6da 100644
--- a/kubernetes/apps/default/komga/ks.yaml
+++ b/kubernetes/apps/default/komga/ks.yaml
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata:
diff --git a/kubernetes/apps/default/kustomization.yaml b/kubernetes/apps/default/kustomization.yaml
index dc74ee72d..2efa661c5 100644
--- a/kubernetes/apps/default/kustomization.yaml
+++ b/kubernetes/apps/default/kustomization.yaml
@@ -8,10 +8,8 @@ resources: # Flux-Kustomizations - ./atuin/ks.yaml - ./authelia/ks.yaml - - ./babybuddy/ks.yaml - ./bazarr/ks.yaml - ./calibre/ks.yaml - - ./emqx/ks.yaml - ./exercisediary/ks.yaml - ./flaresolverr/ks.yaml - ./flood/ks.yaml
@@ -22,24 +20,20 @@ resources: - ./home-assistant/ks.yaml - ./homebox/ks.yaml - ./homepage/ks.yaml - - ./invidious/ks.yaml - ./jellyfin/ks.yaml - ./joplin/ks.yaml - ./komf/ks.yaml - ./komga/ks.yaml - - ./kresus/ks.yaml - ./libmedium/ks.yaml - ./lidarr/ks.yaml - ./linkding/ks.yaml - ./lldap/ks.yaml - ./lms/ks.yaml - ./lychee/ks.yaml - - ./maybe/ks.yaml - ./music-transcode/ks.yaml - ./navidrome/ks.yaml - ./outline/ks.yaml - ./paperless/ks.yaml - - ./plant-it/ks.yaml - ./prowlarr/ks.yaml - ./qbittorrent/ks.yaml - ./radarr/ks.yaml
@@ -55,7 +49,6 @@ resources: - ./unifi/ks.yaml - ./vaultwarden/ks.yaml - ./vikunja/ks.yaml - - ./windmill/ks.yaml - ./zigbee2mqtt/ks.yaml - ./zwave-js-ui/ks.yaml # Default resources
diff --git a/kubernetes/apps/default/libmedium/app/config/config.toml b/kubernetes/apps/default/libmedium/app/config/config.toml
index bd3dfc83f..08378eea2 100644
--- a/kubernetes/apps/default/libmedium/app/config/config.toml
+++ b/kubernetes/apps/default/libmedium/app/config/config.toml
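Review bot: The seven `./*/ks.yaml` entries removed from kubernetes/apps/default/kustomization.yaml (babybuddy, emqx, invidious, kresus, maybe, plant-it, windmill) have no replacement visible in these hunks; once the Flux Kustomizations drop out of the default tree, whatever they deployed is garbage-collected unless the same directories are registered under another namespace's kustomization.yaml in the same commit. The frigate hunks earlier in this diff already assume emqx now lives in `database`, which suggests that is the plan, but nothing here shows the new entries. Worth confirming the destination kustomization lists all seven before this is applied, since a miss here is a live-service deletion rather than a failed reconcile.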
@@ -1,5 +1,5 @@ debug = false -source_code = "https://github.com/realaravinth/libmedium" +source_code = "https://git.batsense.net/realaravinth/libmedium" #cache = "/var/lib/libmedium" [server]
diff --git a/kubernetes/apps/default/libmedium/app/helmrelease.yaml b/kubernetes/apps/default/libmedium/app/helmrelease.yaml
index 21b0eeb8c..5621f2998 100644
--- a/kubernetes/apps/default/libmedium/app/helmrelease.yaml
+++ b/kubernetes/apps/default/libmedium/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app libmedium - namespace: default spec: interval: 30m chart:
@@ -37,7 +36,7 @@ spec: app: image: repository: realaravinth/libmedium - tag: master@sha256:63d69a1fd87588028f9fdf26256ec11fc06ecb90fcdd6ee007cd20a1808e1b14 + tag: latest@sha256:3ab8addf2e78c69ca26b3df6305667541b0cbddbc473401199311650aa298478 resources: requests: cpu: 50m
@@ -51,15 +50,13 @@ spec: ingress: app: enabled: true - className: nginx + className: external annotations: nginx.ingress.kubernetes.io/auth-method: GET nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; - external-dns.alpha.kubernetes.io/enabled: "true" - external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}. hajimari.io/icon: mdi:file-document-arrow-right-outline gethomepage.dev/enabled: "true" gethomepage.dev/name: Libmedium
diff --git a/kubernetes/apps/default/libmedium/app/kustomization.yaml b/kubernetes/apps/default/libmedium/app/kustomization.yaml
index 7d8fc089e..882cc6ff6 100644
--- a/kubernetes/apps/default/libmedium/app/kustomization.yaml
+++ b/kubernetes/apps/default/libmedium/app/kustomization.yaml
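Review bot: `tag: latest@sha256:…` in the libmedium image hunk is pinned by digest, so what runs is reproducible, but the `latest` label means any automated digest bump will follow an unversioned moving tag rather than a release, and the review trail for an update is then just a hash change. If upstream publishes versioned tags, `<version>@sha256:…` keeps the pin while making each bump reviewable; the previous `master@sha256:…` had the same weakness, so this is a pre-existing choice rather than a regression of this commit. The config.toml hunk moving `source_code` to a self-hosted forge is consistent with that, as long as the image is still built from the mirror that the digest was taken from.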
@@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./helmrelease.yaml - ../../../../templates/gatus/external diff --git a/kubernetes/apps/default/libmedium/ks.yaml b/kubernetes/apps/default/libmedium/ks.yaml index a00994674..d377af90f 100644 --- a/kubernetes/apps/default/libmedium/ks.yaml +++ b/kubernetes/apps/default/libmedium/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/default/lidarr/app/externalsecret.yaml b/kubernetes/apps/default/lidarr/app/externalsecret.yaml index c75873ad8..4c58d40de 100644 --- a/kubernetes/apps/default/lidarr/app/externalsecret.yaml +++ b/kubernetes/apps/default/lidarr/app/externalsecret.yaml 
@@ -14,26 +14,34 @@ spec: template: engineVersion: v2 data: - # App LIDARR__API_KEY: "{{ .LIDARR__API_KEY }}" - LIDARR__POSTGRES_HOST: &dbHost postgres16-rw.database.svc.cluster.local - LIDARR__POSTGRES_PORT: "5432" - LIDARR__POSTGRES_USER: &dbUser "{{ .LIDARR__POSTGRES_USER }}" - LIDARR__POSTGRES_PASSWORD: &dbPass "{{ .LIDARR__POSTGRES_PASSWORD }}" - LIDARR__POSTGRES_MAIN_DB: lidarr_main - LIDARR__POSTGRES_LOG_DB: lidarr_log PUSHOVER_API_TOKEN: "{{ .PUSHOVER_API_TOKEN }}" PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}" - # Postgres Init - INIT_POSTGRES_DBNAME: lidarr_main lidarr_log - INIT_POSTGRES_HOST: *dbHost - INIT_POSTGRES_USER: *dbUser - INIT_POSTGRES_PASS: *dbPass - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - - extract: - key: cloudnative-pg - extract: key: pushover - extract: key: lidarr +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: lidarr-db +spec: + secretStoreRef: + kind: ClusterSecretStore + name: crunchy-pgo-secrets + target: + name: lidarr-db-secret + template: + engineVersion: v2 + data: + LIDARR__POSTGRES__MAINDB: '{{ index . "dbname" }}' + LIDARR__POSTGRES__LOGDB: lidarr_log + LIDARR__POSTGRES__HOST: '{{ index . "host" }}' + LIDARR__POSTGRES__USER: '{{ index . "user" }}' + LIDARR__POSTGRES__PASSWORD: '{{ index . "password" }}' + LIDARR__POSTGRES__PORT: '{{ index . "port" }}' + dataFrom: + - extract: + key: postgres-pguser-lidarr diff --git a/kubernetes/apps/default/lidarr/app/helmrelease.yaml b/kubernetes/apps/default/lidarr/app/helmrelease.yaml index 74c64495f..da00d10d0 100644 --- a/kubernetes/apps/default/lidarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/lidarr/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app lidarr - namespace: default spec: interval: 30m chart: 
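Review bot: `LIDARR__POSTGRES__LOGDB: lidarr_log` is hard-coded next to a `MAINDB` taken from the PGO user secret's `dbname`, while the init container that used to create both databases (`INIT_POSTGRES_DBNAME: lidarr_main lidarr_log`) is dropped in the same commit. Nothing in this hunk provisions `lidarr_log` or gives the `lidarr` role ownership of it, so Lidarr will presumably fail on startup unless the PostgresCluster spec (not visible here) lists both databases under that user's `databases`. As far as I recall PGO only exposes the first listed database as `dbname`, which is why the second has to be spelled out; a comment such as `# lidarr_log must also be listed in users[].databases of the PostgresCluster` would save the next reader the detour.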
@@ -39,15 +38,7 @@ spec: annotations: reloader.stakater.com/auto: "true" configmap.reloader.stakater.com/reload: lidarr-pushover - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - pullPolicy: IfNotPresent - envFrom: &envFrom - - secretRef: - name: lidarr-secret + secret.reloader.stakater.com/reload: lidarr-db-secret containers: app: image: @@ -55,9 +46,9 @@ spec: tag: 2.9.0.4506@sha256:192f559e751fa123b752073beb4e840bd9c019825dd09a36beaa128cb7bc07e8 env: TZ: "${TIMEZONE}" - LIDARR__INSTANCE_NAME: Lidarr - LIDARR__PORT: &port 8080 - LIDARR__LOG_LEVEL: info + LIDARR__APP__INSTANCENAME: Lidarr + LIDARR__SERVER__PORT: &port 8080 + LIDARR__LOG__LEVEL: info PUSHOVER_APP_URL: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" PUSHOVER_PRIORITY: "0" envFrom: @@ -78,13 +69,13 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: - # nginx.ingress.kubernetes.io/auth-method: GET - # nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify - # nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method - # nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email - # nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify + nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method + nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email + nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; hajimari.io/icon: mdi:headphones hosts: - host: *host 
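Review bot: `lidarr-db-secret` is produced by the new ExternalSecret but no hunk in this file adds it to the app container's `envFrom`; the only reference is the reloader annotation, so Lidarr never receives its `LIDARR__POSTGRES__*` settings and will presumably start on an empty SQLite database instead of the PGO cluster. The sibling apps in this commit (prowlarr, paperless, outline, lldap) add `- secretRef: {name: <app>-db-secret}` under `envFrom`; Lidarr needs the same entry. The `envFrom` list itself lies outside the hunk, so I cannot see what it currently holds, but the secret name is new in this commit and no added line references it. Note also that `reloader.stakater.com/auto: "true"` already tracks every Secret referenced by the pod, so the explicit `secret.reloader.stakater.com/reload` line is redundant once the secret is actually referenced.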
@@ -117,7 +108,7 @@ spec: scripts: type: configMap name: lidarr-pushover - defaultMode: 0775 + defaultMode: 0775 # trunk-ignore(yamllint/octal-values) globalMounts: - path: /scripts/pushover-notify.sh subPath: pushover-notify.sh diff --git a/kubernetes/apps/default/lidarr/ks.yaml b/kubernetes/apps/default/lidarr/ks.yaml index 4f1d3388c..42b35f2fa 100644 --- a/kubernetes/apps/default/lidarr/ks.yaml +++ b/kubernetes/apps/default/lidarr/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -12,6 +12,7 @@ spec: app.kubernetes.io/name: *app dependsOn: + - name: crunchy-postgres-operator-cluster - name: external-secrets-stores - name: rook-ceph-cluster - name: volsync diff --git a/kubernetes/apps/default/linkding/app/externalsecret.yaml b/kubernetes/apps/default/linkding/app/externalsecret.yaml index 01819e980..a45d6c8bc 100644 --- a/kubernetes/apps/default/linkding/app/externalsecret.yaml +++ b/kubernetes/apps/default/linkding/app/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: linkding - namespace: default spec: secretStoreRef: kind: ClusterSecretStore 
@@ -14,22 +13,8 @@ spec: template: engineVersion: v2 data: - # App - LD_DB_ENGINE: "postgres" - LD_DB_USER: &dbUser "{{ .POSTGRES_USERNAME }}" - LD_DB_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}" - LD_DB_HOST: &dbHost postgres16-rw.database.svc.cluster.local - LD_DB_DATABASE: &dbName linkding LD_SUPERUSER_NAME: "{{ .username }}" LD_SUPERUSER_PASSWORD: "{{ .password }}" - # Postgres Init - INIT_POSTGRES_DBNAME: *dbName - INIT_POSTGRES_HOST: *dbHost - INIT_POSTGRES_USER: *dbUser - INIT_POSTGRES_PASS: *dbPass - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - - extract: - key: cloudnative-pg - extract: key: linkding diff --git a/kubernetes/apps/default/linkding/app/helmrelease.yaml b/kubernetes/apps/default/linkding/app/helmrelease.yaml index 00c251920..8ff716ec6 100644 --- a/kubernetes/apps/default/linkding/app/helmrelease.yaml +++ b/kubernetes/apps/default/linkding/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app linkding - namespace: default spec: interval: 30m chart: @@ -30,23 +29,16 @@ spec: values: controllers: linkding: - strategy: RollingUpdate annotations: reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: linkding-secret containers: app: image: repository: sissbruecker/linkding tag: 1.36.0@sha256:6e2cfd1c32dae78ff6d0fd3000562556f123502d4b79f4e3e53b4b0592022edd - envFrom: *envFrom + envFrom: + - secretRef: + name: linkding-secret probes: liveness: &probes enabled: true @@ -75,7 +67,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: hajimari.io/icon: link gethomepage.dev/enabled: "true" @@ -97,3 +89,9 @@ spec: tls: - hosts: - *host + persistence: + config: + enabled: true + existingClaim: *app + globalMounts: + - path: /etc/linkding/data 
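Review bot: Removing every `LD_DB_*` variable silently moves linkding from Postgres to its default SQLite backend, with the new `config` volume at `/etc/linkding/data` holding that database; as far as I know linkding does not migrate data between engines, so existing bookmarks stay behind in the old `linkding` database unless they are exported and re-imported first. If that migration was done out of band, a short comment on the persistence block, e.g. `# SQLite backend (LD_DB_ENGINE unset); data migrated from the former postgres16 database on <date>`, would record it. Dropping `strategy: RollingUpdate` is consistent with a single RWO claim.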
diff --git a/kubernetes/apps/default/linkding/app/kustomization.yaml b/kubernetes/apps/default/linkding/app/kustomization.yaml index f8c2e193c..5d04acddd 100644 --- a/kubernetes/apps/default/linkding/app/kustomization.yaml +++ b/kubernetes/apps/default/linkding/app/kustomization.yaml @@ -2,8 +2,8 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml - ../../../../templates/gatus/guarded + - ../../../../templates/volsync diff --git a/kubernetes/apps/default/linkding/ks.yaml b/kubernetes/apps/default/linkding/ks.yaml index 8c9b329db..17a8d7a83 100644 --- a/kubernetes/apps/default/linkding/ks.yaml +++ b/kubernetes/apps/default/linkding/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -25,3 +25,4 @@ spec: substitute: APP: *app GATUS_SUBDOMAIN: links + VOLSYNC_CAPACITY: 2Gi diff --git a/kubernetes/apps/default/lldap/app/externalsecret.yaml b/kubernetes/apps/default/lldap/app/externalsecret.yaml index 326dbbf3c..5ab5e741a 100644 --- a/kubernetes/apps/default/lldap/app/externalsecret.yaml +++ b/kubernetes/apps/default/lldap/app/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: lldap - namespace: default spec: secretStoreRef: kind: ClusterSecretStore 
@@ -14,21 +13,29 @@ spec: template: engineVersion: v2 data: - # App LLDAP_JWT_SECRET: "{{ .LLDAP_JWT_SECRET }}" LLDAP_LDAP_USER_PASS: "{{ .password }}" LLDAP_USER_DN: "{{ .username }}" LLDAP_LDAP_USER_EMAIL: "{{ .LLDAP_LDAP_USER_EMAIL }}" LLDAP_SERVER_KEY_SEED: "{{ .LLDAP_SERVER_KEY_SEED }}" - LLDAP_DATABASE_URL: "postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres16-rw.database.svc.cluster.local/lldap" - # Postgres Init - INIT_POSTGRES_DBNAME: lldap - INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local - INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}" - INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}" - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - - extract: - key: cloudnative-pg - extract: key: lldap +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: lldap-db +spec: + secretStoreRef: + kind: ClusterSecretStore + name: crunchy-pgo-secrets + target: + name: lldap-db-secret + template: + engineVersion: v2 + data: + LLDAP_DATABASE_URL: 'postgres://{{ index . "user" }}:{{ index . "password" }}@{{ index . "host" }}:{{ index . "port" }}/{{ index . "dbname" }}' + dataFrom: + - extract: + key: postgres-pguser-lldap diff --git a/kubernetes/apps/default/lldap/app/helmrelease.yaml b/kubernetes/apps/default/lldap/app/helmrelease.yaml index 3aec6da35..bf2b3ecb5 100644 --- a/kubernetes/apps/default/lldap/app/helmrelease.yaml +++ b/kubernetes/apps/default/lldap/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app lldap - namespace: default spec: interval: 30m chart: 
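Review bot: `LLDAP_DATABASE_URL` splices the raw `password` into the URL without percent-encoding; PGO's default password type is ASCII and can include URL-reserved characters such as `@`, `/` or `%`, which would break parsing and fail the lldap start in a way that looks like an auth error. The PGO user secret also carries a ready-built `uri` key, so `LLDAP_DATABASE_URL: '{{ index . "uri" }}'` sidesteps the issue (I believe PGO escapes it and uses the `postgresql://` scheme, which lldap's sqlx driver should accept alongside `postgres://`; worth a quick check). Alternatively, set `password.type: AlphaNumeric` on the user in the PostgresCluster spec, which is outside this diff.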
@@ -28,29 +27,11 @@ spec: uninstall: keepHistory: false values: - defaultPodOptions: - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - app.kubernetes.io/name: *app controllers: lldap: - replicas: 2 - strategy: RollingUpdate annotations: reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - pullPolicy: IfNotPresent - envFrom: &envFrom - - secretRef: - name: lldap-secret + secret.reloader.stakater.com/reload: lldap-db-secret containers: app: image: @@ -62,7 +43,11 @@ spec: LLDAP_HTTP_URL: https://lldap.${SECRET_EXTERNAL_DOMAIN} LLDAP_LDAP_PORT: &ldapPort 5389 LLDAP_LDAP_BASE_DN: dc=home,dc=arpa - envFrom: *envFrom + envFrom: + - secretRef: + name: lldap-secret + - secretRef: + name: lldap-db-secret resources: requests: cpu: 100m @@ -92,7 +77,7 @@ spec: app in ( lldap ) - className: nginx + className: internal hosts: - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" paths: diff --git a/kubernetes/apps/default/lldap/app/kustomization.yaml b/kubernetes/apps/default/lldap/app/kustomization.yaml index f8c2e193c..f641102c1 100644 --- a/kubernetes/apps/default/lldap/app/kustomization.yaml +++ b/kubernetes/apps/default/lldap/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/default/lldap/ks.yaml b/kubernetes/apps/default/lldap/ks.yaml index f95381c36..fe1066c3f 100644 --- a/kubernetes/apps/default/lldap/ks.yaml +++ b/kubernetes/apps/default/lldap/ks.yaml 
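Review bot: LLDAP drops from two host-spread replicas to a single pod, and since it is the directory behind every Authelia login, a node drain or image pull now takes all authentication down with it. The backend is still Postgres, so nothing in the hunk forces a single replica; if this is deliberate, a why-comment such as `# single replica: <reason>` next to the controller would help, otherwise keep `replicas: 2` and the topology spread. The added `secret.reloader.stakater.com/reload: lldap-db-secret` is redundant with `reloader.stakater.com/auto: "true"`, which already watches the secrets listed in `envFrom`.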
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -15,6 +15,8 @@ spec: sourceRef: kind: GitRepository name: home-ops-kubernetes + dependsOn: + - name: crunchy-postgres-operator-cluster wait: false interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/default/lms/app/helmrelease.yaml b/kubernetes/apps/default/lms/app/helmrelease.yaml index ca6eeb4f2..c9e658fe1 100644 --- a/kubernetes/apps/default/lms/app/helmrelease.yaml +++ b/kubernetes/apps/default/lms/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app lms - namespace: default spec: interval: 30m chart: @@ -69,7 +68,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: hajimari.io/icon: mdi:file-music gethomepage.dev/enabled: "true" diff --git a/kubernetes/apps/default/lms/app/kustomization.yaml b/kubernetes/apps/default/lms/app/kustomization.yaml index 35ff57401..fd54ff7cc 100644 --- a/kubernetes/apps/default/lms/app/kustomization.yaml +++ b/kubernetes/apps/default/lms/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./helmrelease.yaml - ../../../../templates/gatus/guarded diff --git a/kubernetes/apps/default/lms/ks.yaml b/kubernetes/apps/default/lms/ks.yaml index 240bc6dc0..428f30d3a 100644 --- a/kubernetes/apps/default/lms/ks.yaml +++ b/kubernetes/apps/default/lms/ks.yaml 
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/default/lychee/app/externalsecret.yaml b/kubernetes/apps/default/lychee/app/externalsecret.yaml index 7e26d5b3d..dff6c628d 100644 --- a/kubernetes/apps/default/lychee/app/externalsecret.yaml +++ b/kubernetes/apps/default/lychee/app/externalsecret.yaml @@ -4,30 +4,20 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: lychee - namespace: default spec: secretStoreRef: kind: ClusterSecretStore - name: onepassword-connect + name: crunchy-pgo-secrets target: name: lychee-secret template: engineVersion: v2 data: - # App - DB_HOST: &dbHost postgres16-rw.database.svc.cluster.local - DB_PORT: "5432" - DB_DATABASE: &dbName lychee - DB_USERNAME: &dbUser "{{ .POSTGRES_USERNAME }}" - DB_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}" - # Postgres Init - INIT_POSTGRES_DBNAME: *dbName - INIT_POSTGRES_HOST: *dbHost - INIT_POSTGRES_USER: *dbUser - INIT_POSTGRES_PASS: *dbPass - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" + DB_HOST: '{{ index . "host" }}' + DB_PORT: '{{ index . "port" }}' + DB_DATABASE: '{{ index . "dbname" }}' + DB_USERNAME: '{{ index . "user" }}' + DB_PASSWORD: '{{ index . "password" }}' dataFrom: - extract: - key: cloudnative-pg - - extract: - key: lychee + key: postgres-pguser-lychee diff --git a/kubernetes/apps/default/lychee/app/helmrelease.yaml b/kubernetes/apps/default/lychee/app/helmrelease.yaml index 24a14c885..1f7dc7edf 100644 --- a/kubernetes/apps/default/lychee/app/helmrelease.yaml +++ b/kubernetes/apps/default/lychee/app/helmrelease.yaml 
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app lychee - namespace: default spec: interval: 30m chart: @@ -32,14 +31,7 @@ spec: lychee: annotations: reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: lychee-secret + secret.reloader.stakater.com/reload: lychee-db-secret containers: app: image: @@ -54,24 +46,46 @@ spec: REDIS_HOST: dragonfly.database.svc.cluster.local. REDIS_PORT: 6379 TRUSTED_PROXIES: "*" - envFrom: *envFrom + envFrom: + - secretRef: + name: lychee-secret resources: requests: cpu: 100m memory: 256Mi + probes: + liveness: &probes + enabled: true + custom: true + spec: + httpGet: &probeHttpGet + path: / + port: &port 80 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + readiness: *probes + startup: + enabled: true + custom: true + spec: + initialDelaySeconds: 0 + timeoutSeconds: 1 + periodSeconds: 10 + failureThreshold: 30 + httpGet: *probeHttpGet service: app: controller: *app ports: http: - port: 80 + port: *port ingress: app: enabled: true - className: nginx + className: external annotations: - external-dns.alpha.kubernetes.io/enabled: "true" - external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}. hajimari.io/icon: mdi:camera gethomepage.dev/enabled: "true" gethomepage.dev/name: Lychee diff --git a/kubernetes/apps/default/lychee/app/kustomization.yaml b/kubernetes/apps/default/lychee/app/kustomization.yaml index d60d6391e..f11802352 100644 --- a/kubernetes/apps/default/lychee/app/kustomization.yaml +++ b/kubernetes/apps/default/lychee/app/kustomization.yaml 
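Review bot: `secret.reloader.stakater.com/reload: lychee-db-secret` names a Secret that does not exist: the ExternalSecret in this commit still targets `lychee-secret`, and that is also what `envFrom` references. The annotation is therefore dead, and unnecessary anyway since `reloader.stakater.com/auto: "true"` already covers `lychee-secret`; drop the line or change it to `lychee-secret`. Separately, the ingress now moves to `className: external` without forward-auth annotations while the (unchanged) `TRUSTED_PROXIES: "*"` stays in place, so Lychee will trust `X-Forwarded-For` from any source; if the external ingress controller is the only path in, narrowing it to the controller's pod CIDR would be the safer default.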
@@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/default/lychee/app/sync/helmrelease.yaml b/kubernetes/apps/default/lychee/app/sync/helmrelease.yaml index 73c41dce5..98422bdf5 100644 --- a/kubernetes/apps/default/lychee/app/sync/helmrelease.yaml +++ b/kubernetes/apps/default/lychee/app/sync/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app lychee-sync - namespace: default spec: interval: 30m chart: diff --git a/kubernetes/apps/default/lychee/ks.yaml b/kubernetes/apps/default/lychee/ks.yaml index 99250ee1d..9d60efdd3 100644 --- a/kubernetes/apps/default/lychee/ks.yaml +++ b/kubernetes/apps/default/lychee/ks.yaml @@ -1,11 +1,12 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: &app lychee namespace: flux-system spec: + targetNamespace: default commonMetadata: labels: app.kubernetes.io/name: *app @@ -15,6 +16,7 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: + - name: crunchy-postgres-operator-cluster - name: dragonfly-cluster - name: external-secrets-stores - name: rook-ceph-cluster diff --git a/kubernetes/apps/default/music-transcode/ks.yaml b/kubernetes/apps/default/music-transcode/ks.yaml index 62446553e..76b70d7d9 100644 --- a/kubernetes/apps/default/music-transcode/ks.yaml +++ b/kubernetes/apps/default/music-transcode/ks.yaml 
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/default/namespace.yaml b/kubernetes/apps/default/namespace.yaml index 17a954a3c..01c3e5f0f 100644 --- a/kubernetes/apps/default/namespace.yaml +++ b/kubernetes/apps/default/namespace.yaml @@ -15,7 +15,7 @@ metadata: namespace: default spec: type: alertmanager - address: http://kube-prometheus-stack-alertmanager.monitoring:9093/api/v2/alerts/ + address: http://kube-prometheus-stack-alertmanager.observability:9093/api/v2/alerts/ --- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json apiVersion: notification.toolkit.fluxcd.io/v1beta3 diff --git a/kubernetes/apps/default/navidrome/app/helmrelease.yaml b/kubernetes/apps/default/navidrome/app/helmrelease.yaml index 6e830c2f0..973a16f6b 100644 --- a/kubernetes/apps/default/navidrome/app/helmrelease.yaml +++ b/kubernetes/apps/default/navidrome/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app navidrome - namespace: default spec: interval: 30m chart: 
@@ -67,15 +66,13 @@ spec: ingress: app: enabled: true - className: nginx + className: external annotations: nginx.ingress.kubernetes.io/auth-method: GET nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; - external-dns.alpha.kubernetes.io/enabled: "true" - external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}. hajimari.io/icon: mdi:music gethomepage.dev/enabled: "true" gethomepage.dev/name: Navidrome diff --git a/kubernetes/apps/default/navidrome/ks.yaml b/kubernetes/apps/default/navidrome/ks.yaml index c4eedd395..a7b7307cd 100644 --- a/kubernetes/apps/default/navidrome/ks.yaml +++ b/kubernetes/apps/default/navidrome/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/default/outline/app/externalsecret.yaml b/kubernetes/apps/default/outline/app/externalsecret.yaml index 4ff7f2dbc..21ed5fbf2 100644 --- a/kubernetes/apps/default/outline/app/externalsecret.yaml +++ b/kubernetes/apps/default/outline/app/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: outline - namespace: default spec: secretStoreRef: kind: ClusterSecretStore 
@@ -19,19 +18,30 @@ spec: AWS_SECRET_ACCESS_KEY: "{{ .OUTLINE_AWS_SECRET_ACCESS_KEY }}" SECRET_KEY: "{{ .OUTLINE_SECRET_KEY }}" UTILS_SECRET: "{{ .OUTLINE_UTILS_SECRET }}" - DATABASE_URL: "postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres16-rw.database.svc.cluster.local/outline" OIDC_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}" - # PGSSLMODE: require - # Postgres Init - INIT_POSTGRES_DBNAME: outline - INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local - INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}" - INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}" - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: key: authelia - - extract: - key: cloudnative-pg - extract: key: outline +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: outline-db + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: crunchy-pgo-secrets + target: + name: outline-db-secret + template: + engineVersion: v2 + data: + DATABASE_URL: 'postgresql://{{ index . "user" }}:{{ index . "password" }}@{{ index . "host" }}/{{ index . "dbname" }}' + PGSSLMODE: require + dataFrom: + - extract: + key: postgres-pguser-outline diff --git a/kubernetes/apps/default/outline/app/helmrelease.yaml b/kubernetes/apps/default/outline/app/helmrelease.yaml index b202ec03f..9578aa8b0 100644 --- a/kubernetes/apps/default/outline/app/helmrelease.yaml +++ b/kubernetes/apps/default/outline/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app outline - namespace: default spec: interval: 30m chart: 
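Review bot: `PGSSLMODE: require` encrypts the connection but does not authenticate the server, so it should be `verify-full`, with the PGO cluster CA (`ca.crt` from the `<cluster>-cluster-cert` Secret) made available to Outline; `require` against a self-signed CA is what usually ends with verification being switched off on the client side. The `DATABASE_URL` also embeds the raw `password` without percent-encoding, and PGO's default ASCII passwords may contain URL-reserved characters; the user secret already exposes an escaped `uri` key, so `DATABASE_URL: '{{ index . "uri" }}'` is simpler and safer (confirm it carries the `postgresql://` scheme Outline expects). Lastly, this is the only ExternalSecret in the commit that keeps `namespace: default` while the rest rely on the Flux Kustomization's target namespace — worth dropping for consistency.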
@@ -32,15 +31,7 @@ spec: outline: annotations: reloader.stakater.com/auto: "true" - secret.reloader.stakater.com/reload: authelia-secret - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: outline-secret + secret.reloader.stakater.com/reload: authelia-secret,outline-db-secret containers: app: image: @@ -49,6 +40,8 @@ spec: envFrom: - secretRef: name: outline-secret + - secretRef: + name: outline-db-secret env: AWS_REGION: us-east-1 AWS_S3_ACL: private @@ -58,6 +51,7 @@ spec: ENABLE_UPDATES: "false" FILE_STORAGE_UPLOAD_MAX_SIZE: "26214400" LOG_LEVEL: debug + NODE_TLS_REJECT_UNAUTHORIZED: "0" OIDC_AUTH_URI: "https://auth.${SECRET_EXTERNAL_DOMAIN}/api/oidc/authorization" OIDC_CLIENT_ID: outline OIDC_DISPLAY_NAME: Authelia @@ -94,7 +88,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: hajimari.io/icon: mdi:text-box-multiple gethomepage.dev/enabled: "true" diff --git a/kubernetes/apps/default/outline/app/kustomization.yaml b/kubernetes/apps/default/outline/app/kustomization.yaml index f8c2e193c..f641102c1 100644 --- a/kubernetes/apps/default/outline/app/kustomization.yaml +++ b/kubernetes/apps/default/outline/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/default/outline/ks.yaml b/kubernetes/apps/default/outline/ks.yaml index 26250c7e0..495b4af19 100644 --- a/kubernetes/apps/default/outline/ks.yaml +++ b/kubernetes/apps/default/outline/ks.yaml 
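Review bot: `NODE_TLS_REJECT_UNAUTHORIZED: "0"` turns off certificate verification for every outbound TLS connection of the Node process, not only the Postgres one it is presumably added for: the OIDC token exchange with Authelia (where `OIDC_CLIENT_SECRET` is sent), the S3 uploads and any webhook become open to an on-path impersonator, and for the OIDC path that means forged logins. If the intent is to accept the Crunchy cluster's self-signed CA, trust that CA instead: mount `ca.crt` from PGO's `<cluster>-cluster-cert` Secret (the cluster appears to be named `postgres`, judging by `postgres-pguser-outline`, so `postgres-cluster-cert` — please confirm) and point `NODE_EXTRA_CA_CERTS` at it, which Node honors without any application support, then raise `PGSSLMODE` to `verify-full` in the db secret. The sketch below shows only the changed values; merge the volume into the existing `persistence` block if the chart values already have one.
```yaml
env:
  # … unchanged: AWS_*, ENABLE_UPDATES, FILE_STORAGE_UPLOAD_MAX_SIZE, LOG_LEVEL …
  NODE_EXTRA_CA_CERTS: /etc/ssl/certs/pgo-ca.crt
  # … unchanged: OIDC_* …
persistence:
  pgo-ca:
    type: secret
    name: postgres-cluster-cert   # PGO cluster CA; confirm the cluster name
    globalMounts:
      - path: /etc/ssl/certs/pgo-ca.crt
        subPath: ca.crt
        readOnly: true
```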
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -16,6 +16,7 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: + - name: crunchy-postgres-operator-cluster - name: dragonfly-cluster - name: external-secrets-stores wait: false diff --git a/kubernetes/apps/default/paperless/app/externalsecret.yaml b/kubernetes/apps/default/paperless/app/externalsecret.yaml index 32d8d4fcb..28f40baa4 100644 --- a/kubernetes/apps/default/paperless/app/externalsecret.yaml +++ b/kubernetes/apps/default/paperless/app/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: paperless - namespace: default spec: secretStoreRef: kind: ClusterSecretStore 
@@ -14,23 +13,31 @@ spec: template: engineVersion: v2 data: - # App PAPERLESS_ADMIN_USER: "{{ .username }}" PAPERLESS_ADMIN_PASSWORD: "{{ .password }}" PAPERLESS_SECRET_KEY: "{{ .PAPERLESS_SECRET_KEY }}" - PAPERLESS_DBUSER: &dbUser "{{ .POSTGRES_USER }}" - PAPERLESS_DBPASS: &dbPass "{{ .POSTGRES_PASS }}" - PAPERLESS_DBHOST: &dbHost postgres16-rw.database.svc.cluster.local - PAPERLESS_DBPORT: "5432" - - # Postgres Init - INIT_POSTGRES_DBNAME: paperless - INIT_POSTGRES_HOST: *dbHost - INIT_POSTGRES_USER: *dbUser - INIT_POSTGRES_PASS: *dbPass - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - - extract: - key: cloudnative-pg - extract: key: paperless +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: paperless-db +spec: + secretStoreRef: + kind: ClusterSecretStore + name: crunchy-pgo-secrets + target: + name: paperless-db-secret + template: + engineVersion: v2 + data: + PAPERLESS_DBNAME: '{{ index . "dbname" }}' + PAPERLESS_DBUSER: '{{ index . "user" }}' + PAPERLESS_DBPASS: '{{ index . "password" }}' + PAPERLESS_DBHOST: '{{ index . "host" }}' + dataFrom: + - extract: + key: postgres-pguser-paperless diff --git a/kubernetes/apps/default/paperless/app/helmrelease.yaml b/kubernetes/apps/default/paperless/app/helmrelease.yaml index d20f6daf6..c30bf84f7 100644 --- a/kubernetes/apps/default/paperless/app/helmrelease.yaml +++ b/kubernetes/apps/default/paperless/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app paperless - namespace: default spec: interval: 30m chart: 
@@ -33,15 +32,7 @@ spec: strategy: RollingUpdate annotations: reloader.stakater.com/auto: "true" - secret.reloader.stakater.com/reload: authelia-secret - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: paperless-secret + secret.reloader.stakater.com/reload: authelia-secret,paperless-db-secret containers: app: image: @@ -62,7 +53,11 @@ spec: PAPERLESS_TASK_WORKERS: 2 PAPERLESS_TIME_ZONE: Europe/Paris PAPERLESS_URL: https://paperless.${SECRET_EXTERNAL_DOMAIN} - envFrom: *envFrom + envFrom: + - secretRef: + name: paperless-secret + - secretRef: + name: paperless-db-secret resources: requests: cpu: 25m @@ -78,7 +73,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: hajimari.io/icon: mdi:barcode-scan gethomepage.dev/enabled: "true" diff --git a/kubernetes/apps/default/paperless/app/kustomization.yaml b/kubernetes/apps/default/paperless/app/kustomization.yaml index f8c2e193c..f641102c1 100644 --- a/kubernetes/apps/default/paperless/app/kustomization.yaml +++ b/kubernetes/apps/default/paperless/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/default/paperless/ks.yaml b/kubernetes/apps/default/paperless/ks.yaml index b6a826fcc..f117e9864 100644 --- a/kubernetes/apps/default/paperless/ks.yaml +++ b/kubernetes/apps/default/paperless/ks.yaml 
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -16,6 +16,7 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: + - name: crunchy-postgres-operator-cluster - name: dragonfly-cluster - name: external-secrets-stores wait: false @@ -25,4 +26,3 @@ spec: postBuild: substitute: APP: *app ---- diff --git a/kubernetes/apps/default/prowlarr/app/externalsecret.yaml b/kubernetes/apps/default/prowlarr/app/externalsecret.yaml index c6fc0099c..facef2b1b 100644 --- a/kubernetes/apps/default/prowlarr/app/externalsecret.yaml +++ b/kubernetes/apps/default/prowlarr/app/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: prowlarr - namespace: default spec: secretStoreRef: kind: ClusterSecretStore 
@@ -13,25 +12,34 @@ spec: name: prowlarr-secret template: data: - # App PROWLARR__AUTH__APIKEY: "{{ .PROWLARR__API_KEY }}" - PROWLARR__POSTGRES__HOST: &dbHost postgres16-rw.database.svc.cluster.local - PROWLARR__POSTGRES__PORT: "5432" - PROWLARR__POSTGRES__USER: &dbUser "{{ .PROWLARR__POSTGRES_USER }}" - PROWLARR__POSTGRES__PASSWORD: &dbPass "{{ .PROWLARR__POSTGRES_PASSWORD }}" - PROWLARR__POSTGRES__MAINDB: prowlarr_main PUSHOVER_API_TOKEN: "{{ .PUSHOVER_API_TOKEN }}" PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}" - # Postgres Init - INIT_POSTGRES_DBNAME: prowlarr_main - INIT_POSTGRES_HOST: *dbHost - INIT_POSTGRES_USER: *dbUser - INIT_POSTGRES_PASS: *dbPass - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - - extract: - key: cloudnative-pg - extract: key: pushover - extract: key: prowlarr +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: prowlarr-db +spec: + secretStoreRef: + kind: ClusterSecretStore + name: crunchy-pgo-secrets + target: + name: prowlarr-db-secret + template: + engineVersion: v2 + data: + PROWLARR__POSTGRES__MAINDB: '{{ index . "dbname" }}' + PROWLARR__POSTGRES__LOGDB: prowlarr_log + PROWLARR__POSTGRES__HOST: '{{ index . "host" }}' + PROWLARR__POSTGRES__USER: '{{ index . "user" }}' + PROWLARR__POSTGRES__PASSWORD: '{{ index . "password" }}' + PROWLARR__POSTGRES__PORT: '{{ index . "port" }}' + dataFrom: + - extract: + key: postgres-pguser-prowlarr diff --git a/kubernetes/apps/default/prowlarr/app/helmrelease.yaml b/kubernetes/apps/default/prowlarr/app/helmrelease.yaml index 60f42eb28..af91e8951 100644 --- a/kubernetes/apps/default/prowlarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/prowlarr/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app prowlarr - namespace: default spec: interval: 30m chart: 
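Review bot: The new `prowlarr-db` ExternalSecret hard-codes `PROWLARR__POSTGRES__LOGDB: prowlarr_log`, a database the removed `postgres-init` container never created (the old `INIT_POSTGRES_DBNAME` was `prowlarr_main` only), and nothing in the visible hunks shows the Crunchy PostgresCluster granting the `prowlarr` user that database. Unless the operator's user spec lists both databases, Prowlarr will authenticate to the main DB and fail on the log DB at startup; the same question applies to the `radarr-db` (L114) and `sonarr-db` (L125) secrets, where the main database name is now whatever the `dbname` field of the pguser secret carries. A comment next to the LOGDB line would make the coupling explicit, e.g. `# prowlarr_log must be declared under the prowlarr user's databases in the PostgresCluster spec; the operator only provisions what is listed there`.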
@@ -32,14 +31,7 @@ spec: prowlarr: annotations: reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: prowlarr-secret + secret.reloader.stakater.com/reload: prowlarr-db-secret containers: app: image: @@ -55,7 +47,11 @@ spec: PROWLARR__AUTH__REQUIRED: DisabledForLocalAddresses PROWLARR__SERVER__PORT: &port 8080 PROWLARR__UPDATE__BRANCH: develop - envFrom: *envFrom + envFrom: + - secretRef: + name: prowlarr-secret + - secretRef: + name: prowlarr-db-secret resources: requests: cpu: 100m @@ -71,13 +67,13 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: - # nginx.ingress.kubernetes.io/auth-method: GET - # nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify - # nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method - # nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email - # nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify + nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method + nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email + nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; hajimari.io/icon: mdi:movie-search gethomepage.dev/enabled: "true" gethomepage.dev/name: Prowlarr diff --git a/kubernetes/apps/default/prowlarr/app/kustomization.yaml b/kubernetes/apps/default/prowlarr/app/kustomization.yaml index f8c2e193c..f641102c1 100644 --- a/kubernetes/apps/default/prowlarr/app/kustomization.yaml 
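Review bot: Re-enabling `nginx.ingress.kubernetes.io/auth-snippet` on the `internal` class only works if that ingress-nginx controller runs with `allow-snippet-annotations: true`; recent ingress-nginx releases default it to false, and the admission webhook then rejects the whole Ingress, leaving Prowlarr unreachable rather than unauthenticated. The same block is uncommented for Radarr (L115), Readeck (L117) and Sonarr (L126), so the controller setting should be confirmed once for all four. `auth-method`, `auth-url`, `auth-signin` and `auth-response-headers` need no snippet support, so dropping only the `auth-snippet` line is the fallback if snippets stay disabled on that controller. A short comment above the block, e.g. `# requires allow-snippet-annotations=true on the internal ingress-nginx controller`, would record the dependency.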
+++ b/kubernetes/apps/default/prowlarr/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/default/prowlarr/ks.yaml b/kubernetes/apps/default/prowlarr/ks.yaml index ac72fe1d7..0e423b692 100644 --- a/kubernetes/apps/default/prowlarr/ks.yaml +++ b/kubernetes/apps/default/prowlarr/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -11,6 +11,7 @@ spec: labels: app.kubernetes.io/name: *app dependsOn: + - name: crunchy-postgres-operator-cluster - name: external-secrets-stores path: ./kubernetes/apps/default/prowlarr/app prune: true diff --git a/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml b/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml index 223debf7f..8ce5a7b74 100644 --- a/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml +++ b/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app qbittorrent - namespace: default spec: interval: 30m chart: @@ -72,7 +71,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: hajimari.io/icon: mdi:download hosts: diff --git a/kubernetes/apps/default/qbittorrent/app/kustomization.yaml b/kubernetes/apps/default/qbittorrent/app/kustomization.yaml index 678de29dc..83ecb8fbf 100644 --- a/kubernetes/apps/default/qbittorrent/app/kustomization.yaml 
+++ b/kubernetes/apps/default/qbittorrent/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./helmrelease.yaml - ./upgrade-p2pblocklist diff --git a/kubernetes/apps/default/qbittorrent/app/upgrade-p2pblocklist/helmrelease.yaml b/kubernetes/apps/default/qbittorrent/app/upgrade-p2pblocklist/helmrelease.yaml index 254fe89af..8f691784a 100644 --- a/kubernetes/apps/default/qbittorrent/app/upgrade-p2pblocklist/helmrelease.yaml +++ b/kubernetes/apps/default/qbittorrent/app/upgrade-p2pblocklist/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app qbittorrent-upgrade-p2pblocklist - namespace: default spec: interval: 30m chart: diff --git a/kubernetes/apps/default/qbittorrent/ks.yaml b/kubernetes/apps/default/qbittorrent/ks.yaml index 6ab74371b..809defc15 100644 --- a/kubernetes/apps/default/qbittorrent/ks.yaml +++ b/kubernetes/apps/default/qbittorrent/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/default/radarr/app/externalsecret.yaml b/kubernetes/apps/default/radarr/app/externalsecret.yaml index 2d01ffb84..ee48cb1a3 100644 --- a/kubernetes/apps/default/radarr/app/externalsecret.yaml +++ b/kubernetes/apps/default/radarr/app/externalsecret.yaml 
@@ -13,25 +13,33 @@ spec: name: radarr-secret template: data: - # App - RADARR__AUTH__APIKEY: "{{ .RADARR__API_KEY }}" - RADARR__POSTGRES__HOST: &dbHost postgres16-rw.database.svc.cluster.local - RADARR__POSTGRES__PORT: "5432" - RADARR__POSTGRES__USER: &dbUser "{{ .RADARR__POSTGRES_USER }}" - RADARR__POSTGRES__PASSWORD: &dbPass "{{ .RADARR__POSTGRES_PASSWORD }}" - RADARR__POSTGRES__MAINDB: radarr_main PUSHOVER_API_TOKEN: "{{ .PUSHOVER_API_TOKEN }}" PUSHOVER_USER_KEY: "{{ .PUSHOVER_USER_KEY }}" - # Postgres Init - INIT_POSTGRES_DBNAME: radarr_main radarr_log - INIT_POSTGRES_HOST: *dbHost - INIT_POSTGRES_USER: *dbUser - INIT_POSTGRES_PASS: *dbPass - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - - extract: - key: cloudnative-pg - extract: key: pushover - extract: key: radarr +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: radarr-db +spec: + secretStoreRef: + kind: ClusterSecretStore + name: crunchy-pgo-secrets + target: + name: radarr-db-secret + template: + engineVersion: v2 + data: + RADARR__POSTGRES__MAINDB: '{{ index . "dbname" }}' + RADARR__POSTGRES__LOGDB: radarr_log + RADARR__POSTGRES__HOST: '{{ index . "host" }}' + RADARR__POSTGRES__USER: '{{ index . "user" }}' + RADARR__POSTGRES__PASSWORD: '{{ index . "password" }}' + RADARR__POSTGRES__PORT: '{{ index . "port" }}' + dataFrom: + - extract: + key: postgres-pguser-radarr diff --git a/kubernetes/apps/default/radarr/app/helmrelease.yaml b/kubernetes/apps/default/radarr/app/helmrelease.yaml index e686df71f..accec5fbe 100644 --- a/kubernetes/apps/default/radarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/radarr/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app radarr - namespace: default spec: interval: 30m chart: 
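Review bot: This hunk drops `RADARR__AUTH__APIKEY: "{{ .RADARR__API_KEY }}"` from `radarr-secret` together with the Postgres block, while the equivalent `PROWLARR__AUTH__APIKEY` line survives in the Prowlarr hunk (L110) and `SONARR__AUTH__APIKEY` in the Sonarr one (L125), which looks like an accidental removal rather than a deliberate change. Without the env var Radarr falls back to whatever key is in its config.xml (or generates one on a fresh config), so any integration configured with the 1Password value — presumably the Prowlarr sync and Recyclarr — may stop authenticating after this rollout. Restoring the line keeps the keyed access deterministic: `RADARR__AUTH__APIKEY: "{{ .RADARR__API_KEY }}"` under `data:` in the first document.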
@@ -39,14 +38,7 @@ spec: annotations: configmap.reloader.stakater.com/reload: radarr-pushover reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: radarr-secret + secret.reloader.stakater.com/reload: radarr-db-secret containers: app: image: @@ -65,7 +57,11 @@ spec: RADARR__UPDATE__BRANCH: develop PUSHOVER_DEBUG: "false" PUSHOVER_PRIORITY: "0" - envFrom: *envFrom + envFrom: + - secretRef: + name: radarr-secret + - secretRef: + name: radarr-db-secret resources: requests: cpu: 500m @@ -81,13 +77,13 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: - # nginx.ingress.kubernetes.io/auth-method: GET - # nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify - # nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method - # nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email - # nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify + nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method + nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email + nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; hajimari.io/icon: mdi:filmstrip hosts: - host: *host @@ -123,7 +119,7 @@ spec: enabled: true type: configMap name: radarr-pushover - defaultMode: 0775 + defaultMode: 0775 # trunk-ignore(yamllint/octal-values) globalMounts: - path: /scripts/pushover-notify.sh subPath: pushover-notify.sh 
diff --git a/kubernetes/apps/default/radarr/ks.yaml b/kubernetes/apps/default/radarr/ks.yaml index bd36c76cb..d556d7a4f 100644 --- a/kubernetes/apps/default/radarr/ks.yaml +++ b/kubernetes/apps/default/radarr/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -11,6 +11,7 @@ spec: labels: app.kubernetes.io/name: *app dependsOn: + - name: crunchy-postgres-operator-cluster - name: external-secrets-stores - name: rook-ceph-cluster - name: volsync diff --git a/kubernetes/apps/default/readeck/app/externalsecret.yaml b/kubernetes/apps/default/readeck/app/externalsecret.yaml deleted file mode 100644 index 2a2a5b6c8..000000000 --- a/kubernetes/apps/default/readeck/app/externalsecret.yaml +++ /dev/null @@ -1,28 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: readeck - namespace: default -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: readeck-secret - template: - data: - # App - READECK_DATABASE_SOURCE: postgres://{{ .READECK__POSTGRES_USER }}:{{ .READECK__POSTGRES_PASSWORD }}@postgres16-rw.database.svc.cluster.local:5432/readeck - # Postgres Init - INIT_POSTGRES_DBNAME: readeck - INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local - INIT_POSTGRES_USER: "{{ .READECK__POSTGRES_USER }}" - INIT_POSTGRES_PASS: "{{ .READECK__POSTGRES_PASSWORD }}" - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" - dataFrom: - - extract: - key: cloudnative-pg - - extract: - key: readeck 
diff --git a/kubernetes/apps/default/readeck/app/helmrelease.yaml b/kubernetes/apps/default/readeck/app/helmrelease.yaml index 25b3f9db0..3965bc4cf 100644 --- a/kubernetes/apps/default/readeck/app/helmrelease.yaml +++ b/kubernetes/apps/default/readeck/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app readeck - namespace: default spec: interval: 30m chart: @@ -32,14 +31,6 @@ spec: readeck: annotations: reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: readeck-secret containers: app: image: @@ -54,7 +45,6 @@ spec: READECK_SERVER_PREFIX: / READECK_USE_X_FORWARDED: "true" READECK_ALLOWED_HOSTS: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" - envFrom: *envFrom resources: requests: cpu: 10m @@ -70,13 +60,13 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: - # nginx.ingress.kubernetes.io/auth-method: GET - # nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify - # nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method - # nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email - # nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify + nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method + nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email + nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; hajimari.io/icon: mdi:fa-book gethomepage.dev/enabled: "true" gethomepage.dev/name: Readeck 
@@ -102,4 +92,4 @@ spec: enabled: true existingClaim: *app globalMounts: - - path: /config + - path: /readeck diff --git a/kubernetes/apps/default/readeck/app/kustomization.yaml b/kubernetes/apps/default/readeck/app/kustomization.yaml index 48e972b27..fd54ff7cc 100644 --- a/kubernetes/apps/default/readeck/app/kustomization.yaml +++ b/kubernetes/apps/default/readeck/app/kustomization.yaml @@ -2,9 +2,7 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - - ./externalsecret.yaml - ./helmrelease.yaml - ../../../../templates/gatus/guarded - ../../../../templates/volsync diff --git a/kubernetes/apps/default/readeck/ks.yaml b/kubernetes/apps/default/readeck/ks.yaml index d32eb8b25..a06c1270f 100644 --- a/kubernetes/apps/default/readeck/ks.yaml +++ b/kubernetes/apps/default/readeck/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/default/recyclarr/app/config/settings.yml b/kubernetes/apps/default/recyclarr/app/config/settings.yml index 5096136e7..223022397 100644 --- a/kubernetes/apps/default/recyclarr/app/config/settings.yml +++ b/kubernetes/apps/default/recyclarr/app/config/settings.yml @@ -3,7 +3,7 @@ notifications: apprise: mode: stateless - base_url: http://apprise.monitoring.svc.cluster.local.:8000 + base_url: http://apprise.observability.svc.cluster.local.:8000 urls: - !env_var PUSHOVER_URL verbosity: normal 
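Review bot: Moving the claim mount from `/config` to `/readeck`, together with deleting `readeck-secret` and its `READECK_DATABASE_SOURCE` (L116–L117), presumably switches Readeck to its bundled SQLite store in the data directory; nothing in the visible hunks migrates the existing Postgres content, and whatever was previously written under `/config` on the same claim now sits at a path the app does not read. If a fresh start is intended, a comment on the mount — `# data dir; Readeck uses its embedded SQLite DB here since the Postgres secret was removed` — would record that, otherwise an export/import step is missing. Also worth confirming that `/readeck` is the path the image actually uses for its data directory, since no data-directory override is set in the hunk.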
diff --git a/kubernetes/apps/default/recyclarr/app/externalsecret.yaml b/kubernetes/apps/default/recyclarr/app/externalsecret.yaml index 62b457c26..e0dc10dd6 100644 --- a/kubernetes/apps/default/recyclarr/app/externalsecret.yaml +++ b/kubernetes/apps/default/recyclarr/app/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: recyclarr - namespace: default spec: secretStoreRef: kind: ClusterSecretStore diff --git a/kubernetes/apps/default/recyclarr/app/helmrelease.yaml b/kubernetes/apps/default/recyclarr/app/helmrelease.yaml index 32624dc17..e8212ed32 100644 --- a/kubernetes/apps/default/recyclarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/recyclarr/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app recyclarr - namespace: default spec: interval: 30m chart: diff --git a/kubernetes/apps/default/recyclarr/app/kustomization.yaml b/kubernetes/apps/default/recyclarr/app/kustomization.yaml index 59dd5a166..35c92f97d 100644 --- a/kubernetes/apps/default/recyclarr/app/kustomization.yaml +++ b/kubernetes/apps/default/recyclarr/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/default/recyclarr/ks.yaml b/kubernetes/apps/default/recyclarr/ks.yaml index 80bd52f41..085a1640b 100644 --- a/kubernetes/apps/default/recyclarr/ks.yaml +++ b/kubernetes/apps/default/recyclarr/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: 
diff --git a/kubernetes/apps/default/redlib/app/helmrelease.yaml b/kubernetes/apps/default/redlib/app/helmrelease.yaml index 51e59a907..78579c9ab 100644 --- a/kubernetes/apps/default/redlib/app/helmrelease.yaml +++ b/kubernetes/apps/default/redlib/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app redlib - namespace: default spec: interval: 30m chart: @@ -63,15 +62,13 @@ spec: ingress: app: enabled: true - className: nginx + className: external annotations: nginx.ingress.kubernetes.io/auth-method: GET nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; - external-dns.alpha.kubernetes.io/enabled: "true" - external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}. hajimari.io/icon: mdi:web gethomepage.dev/enabled: "true" gethomepage.dev/name: Redlib diff --git a/kubernetes/apps/default/redlib/ks.yaml b/kubernetes/apps/default/redlib/ks.yaml index 3ce9d42ab..164c950f4 100644 --- a/kubernetes/apps/default/redlib/ks.yaml +++ b/kubernetes/apps/default/redlib/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/default/sabnzbd/app/externalsecret.yaml b/kubernetes/apps/default/sabnzbd/app/externalsecret.yaml index f71aba31a..1800c1169 100644 --- a/kubernetes/apps/default/sabnzbd/app/externalsecret.yaml 
+++ b/kubernetes/apps/default/sabnzbd/app/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: sabnzbd - namespace: default spec: secretStoreRef: kind: ClusterSecretStore diff --git a/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml b/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml index 1405ea6b1..6d175de8c 100644 --- a/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml +++ b/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app sabnzbd - namespace: default spec: interval: 30m chart: @@ -91,7 +90,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: # nginx.ingress.kubernetes.io/auth-method: GET # nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify diff --git a/kubernetes/apps/default/sabnzbd/app/kustomization.yaml b/kubernetes/apps/default/sabnzbd/app/kustomization.yaml index 48e972b27..5d04acddd 100644 --- a/kubernetes/apps/default/sabnzbd/app/kustomization.yaml +++ b/kubernetes/apps/default/sabnzbd/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/default/sabnzbd/ks.yaml b/kubernetes/apps/default/sabnzbd/ks.yaml index 586764e34..1aaeb2c86 100644 --- a/kubernetes/apps/default/sabnzbd/ks.yaml +++ b/kubernetes/apps/default/sabnzbd/ks.yaml 
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/default/sharry/app/config/sharry.conf b/kubernetes/apps/default/sharry/app/config/sharry.conf index 95b941505..789277741 100644 --- a/kubernetes/apps/default/sharry/app/config/sharry.conf +++ b/kubernetes/apps/default/sharry/app/config/sharry.conf @@ -14,7 +14,7 @@ sharry.restserver { fixed.enabled = false } jdbc { - url = "jdbc:postgresql://postgres16-rw.database.svc.cluster.local:5432/sharry" + url = "jdbc:h2:///config/sharry.db;MODE=PostgreSQL;DATABASE_TO_LOWER=TRUE" # user = "${SHARRY_BACKEND_JDBC_USER}" # password = "${SHARRY_BACKEND_JDBC_PASSWORD}" } diff --git a/kubernetes/apps/default/sharry/app/externalsecret.yaml b/kubernetes/apps/default/sharry/app/externalsecret.yaml index ca24e9280..0c114948a 100644 --- a/kubernetes/apps/default/sharry/app/externalsecret.yaml +++ b/kubernetes/apps/default/sharry/app/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: sharry - namespace: default spec: secretStoreRef: kind: ClusterSecretStore @@ -14,17 +13,8 @@ spec: template: engineVersion: v2 data: - # App SHARRY_BACKEND_JDBC_USER: &dbUser "{{ .POSTGRES_USER }}" SHARRY_BACKEND_JDBC_PASSWORD: &dbPass "{{ .POSTGRES_PASS }}" - # Postgres Init - INIT_POSTGRES_DBNAME: sharry - INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local - INIT_POSTGRES_USER: *dbUser - INIT_POSTGRES_PASS: *dbPass - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - - extract: - key: cloudnative-pg - extract: key: sharry 
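Review bot: Switching `sharry.conf` to `jdbc:h2:///config/sharry.db;MODE=PostgreSQL;DATABASE_TO_LOWER=TRUE` leaves the `user`/`password` lines commented out, so the embedded H2 file is opened with whatever default credentials H2 applies when none are given and is protected only by the filesystem permissions of the `/config` claim (and of any volsync snapshot of it). At the same time the trimmed `sharry` ExternalSecret in the next hunk still renders `SHARRY_BACKEND_JDBC_USER`/`SHARRY_BACKEND_JDBC_PASSWORD` from the Postgres credentials, now with dangling `&dbUser`/`&dbPass` anchors and no consumer. Either wire the secret into the new store — uncomment `user = "${SHARRY_BACKEND_JDBC_USER}"` and `password = "${SHARRY_BACKEND_JDBC_PASSWORD}"` in the `jdbc` block — or drop the two keys and the `secretRef` so the pod stops carrying unused database credentials. Existing shares in the old Postgres database are not migrated by this change; if that is intended, a one-line note in the conf would save the next reader the question.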
diff --git a/kubernetes/apps/default/sharry/app/helmrelease.yaml b/kubernetes/apps/default/sharry/app/helmrelease.yaml index 828b87837..20e3d0456 100644 --- a/kubernetes/apps/default/sharry/app/helmrelease.yaml +++ b/kubernetes/apps/default/sharry/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app sharry - namespace: default spec: interval: 30m chart: @@ -32,20 +31,14 @@ spec: sharry: annotations: reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: sharry-secret containers: app: image: repository: eikek0/sharry tag: v1.14.0@sha256:8b1388310e9f93a61f54f27d1b4b1c91d8ef2e846ac1068023c4315fa7794729 - envFrom: *envFrom + envFrom: + - secretRef: + name: sharry-secret args: - /opt/sharry.conf resources: @@ -63,10 +56,8 @@ spec: ingress: app: enabled: true - className: nginx + className: external annotations: - external-dns.alpha.kubernetes.io/enabled: "true" - external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}. nginx.ingress.kubernetes.io/proxy-body-size: "0" hajimari.io/icon: mdi:account-arrow-up gethomepage.dev/enabled: "true" @@ -90,6 +81,11 @@ spec: - *host persistence: config: + enabled: true + existingClaim: *app + globalMounts: + - path: /config + configmap: enabled: true type: configMap name: sharry-configmap diff --git a/kubernetes/apps/default/sharry/app/kustomization.yaml b/kubernetes/apps/default/sharry/app/kustomization.yaml index 84776ff48..270f29b13 100644 --- a/kubernetes/apps/default/sharry/app/kustomization.yaml +++ b/kubernetes/apps/default/sharry/app/kustomization.yaml 
@@ -2,11 +2,11 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml - ../../../../templates/gatus/external + - ../../../../templates/volsync configMapGenerator: - name: sharry-configmap files: diff --git a/kubernetes/apps/default/sharry/ks.yaml b/kubernetes/apps/default/sharry/ks.yaml index bd39d7c44..11792490e 100644 --- a/kubernetes/apps/default/sharry/ks.yaml +++ b/kubernetes/apps/default/sharry/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -22,3 +22,4 @@ spec: postBuild: substitute: APP: *app + VOLSYNC_CAPACITY: 2Gi diff --git a/kubernetes/apps/default/smtp-relay/ks.yaml b/kubernetes/apps/default/smtp-relay/ks.yaml index f3cfec927..a25dc8c32 100644 --- a/kubernetes/apps/default/smtp-relay/ks.yaml +++ b/kubernetes/apps/default/smtp-relay/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/default/sonarr/app/externalsecret.yaml b/kubernetes/apps/default/sonarr/app/externalsecret.yaml index e15e6e371..796c9de25 100644 --- a/kubernetes/apps/default/sonarr/app/externalsecret.yaml +++ b/kubernetes/apps/default/sonarr/app/externalsecret.yaml 
@@ -15,7 +15,7 @@ spec: data: # App SONARR__AUTH__APIKEY: "{{ .SONARR__API_KEY }}" - SONARR__POSTGRES__HOST: &dbHost postgres16-rw.database.svc.cluster.local + SONARR__POSTGRES__HOST: &dbHost postgres17-rw.database.svc.cluster.local SONARR__POSTGRES__PORT: "5432" SONARR__POSTGRES__USER: &dbUser "{{ .SONARR__POSTGRES_USER }}" SONARR__POSTGRES__PASSWORD: &dbPass "{{ .SONARR__POSTGRES_PASSWORD }}" @@ -29,9 +29,31 @@ spec: INIT_POSTGRES_PASS: *dbPass INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - - extract: - key: cloudnative-pg - extract: key: pushover - extract: key: sonarr +--- +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: sonarr-db +spec: + secretStoreRef: + kind: ClusterSecretStore + name: crunchy-pgo-secrets + target: + name: sonarr-db-secret + template: + engineVersion: v2 + data: + SONARR__POSTGRES__MAINDB: '{{ index . "dbname" }}' + SONARR__POSTGRES__LOGDB: sonarr_log + SONARR__POSTGRES__HOST: '{{ index . "host" }}' + SONARR__POSTGRES__USER: '{{ index . "user" }}' + SONARR__POSTGRES__PASSWORD: '{{ index . "password" }}' + SONARR__POSTGRES__PORT: '{{ index . "port" }}' + + dataFrom: + - extract: + key: postgres-pguser-sonarr diff --git a/kubernetes/apps/default/sonarr/app/helmrelease.yaml b/kubernetes/apps/default/sonarr/app/helmrelease.yaml index 882910f86..0a4e78ae3 100644 --- a/kubernetes/apps/default/sonarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/sonarr/app/helmrelease.yaml @@ -39,14 +39,7 @@ spec: annotations: reloader.stakater.com/auto: "true" configmap.reloader.stakater.com/reload: sonarr-pushover - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: sonarr-secret + secret.reloader.stakater.com/reload: sonarr-db-secret containers: app: image: 
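Review bot: `sonarr-secret` keeps the whole `SONARR__POSTGRES__*` block (now pointing at `postgres17-rw`) and the `INIT_POSTGRES_*` keys, yet the second hunk removes the `cloudnative-pg` extract that supplied `.POSTGRES_SUPER_PASS`, so the template still references a key that is no longer in `dataFrom`; depending on the template engine that either fails the ExternalSecret or renders an empty superuser password into the Secret. The new `sonarr-db-secret` defines the same `SONARR__POSTGRES__HOST/PORT/USER/PASSWORD/MAINDB` names, and the HelmRelease (L126) loads both secrets via `envFrom`, so the effective values depend on `secretRef` order rather than on anything visible in either secret. The HelmRelease hunk on this same line removes the `init-db` container, leaving the `INIT_POSTGRES_*` lines without any consumer. Prowlarr (L110) and Radarr (L114) had the Postgres and init keys stripped from the app secret in this same commit; doing the same here removes the dead superuser reference and the shadowed host.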
@@ -62,7 +55,11 @@ spec: SONARR__LOG__LEVEL: info SONARR__SERVER__PORT: &port 8080 SONARR__UPDATE__BRANCH: develop - envFrom: *envFrom + envFrom: + - secretRef: + name: sonarr-secret + - secretRef: + name: sonarr-db-secret probes: liveness: &probes enabled: true @@ -93,13 +90,13 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: - # nginx.ingress.kubernetes.io/auth-method: GET - # nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify - # nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method - # nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email - # nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify + nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method + nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email + nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; hajimari.io/icon: mdi:television-classic hosts: - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" @@ -132,7 +129,7 @@ spec: scripts: type: configMap name: sonarr-pushover - defaultMode: 0775 + defaultMode: 0775 # trunk-ignore(yamllint/octal-values) globalMounts: - path: /scripts/pushover-notify.sh subPath: pushover-notify.sh diff --git a/kubernetes/apps/default/sonarr/ks.yaml b/kubernetes/apps/default/sonarr/ks.yaml index 520e3fba3..92358eba7 100644 --- a/kubernetes/apps/default/sonarr/ks.yaml +++ b/kubernetes/apps/default/sonarr/ks.yaml 
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -11,6 +11,7 @@ spec: labels: app.kubernetes.io/name: *app dependsOn: + - name: crunchy-postgres-operator-cluster - name: external-secrets-stores - name: rook-ceph-cluster - name: volsync diff --git a/kubernetes/apps/default/tandoor/app/externalsecret.yaml b/kubernetes/apps/default/tandoor/app/externalsecret.yaml index 0352d8102..2a9af5a42 100644 --- a/kubernetes/apps/default/tandoor/app/externalsecret.yaml +++ b/kubernetes/apps/default/tandoor/app/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: tandoor - namespace: default spec: secretStoreRef: kind: ClusterSecretStore 
@@ -13,23 +12,33 @@ spec: name: tandoor-secret template: data: - # App - DB_ENGINE: django.db.backends.postgresql_psycopg2 - # DB_OPTIONS: '{"sslmode":"require"}' SECRET_KEY: "{{ .TANDOOR_SECRET_KEY }}" - POSTGRES_HOST: &dbHost postgres16-rw.database.svc.cluster.local - POSTGRES_PORT: "5432" - POSTGRES_DB: &dbName tandoor - POSTGRES_USER: &dbUser "{{ .TANDOOR_POSTGRES_USER }}" - POSTGRES_PASSWORD: &dbPass "{{ .TANDOOR_POSTGRES_PASS }}" - # Postgres Init - INIT_POSTGRES_DBNAME: *dbName - INIT_POSTGRES_HOST: *dbHost - INIT_POSTGRES_USER: *dbUser - INIT_POSTGRES_PASS: *dbPass - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: key: cloudnative-pg - extract: key: tandoor +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: tandoor-db +spec: + secretStoreRef: + kind: ClusterSecretStore + name: crunchy-pgo-secrets + target: + name: tandoor-db-secret + template: + engineVersion: v2 + data: + DB_ENGINE: django.db.backends.postgresql_psycopg2 + POSTGRES_HOST: '{{ index . "host" }}' + POSTGRES_PORT: '{{ index . "port" }}' + POSTGRES_DB: '{{ index . "dbname" }}' + POSTGRES_USER: '{{ index . "user" }}' + POSTGRES_PASSWORD: '{{ index . "password" }}' + dataFrom: + - extract: + key: postgres-pguser-tandoor diff --git a/kubernetes/apps/default/tandoor/app/helmrelease.yaml b/kubernetes/apps/default/tandoor/app/helmrelease.yaml index 002e262be..d35415042 100644 --- a/kubernetes/apps/default/tandoor/app/helmrelease.yaml +++ b/kubernetes/apps/default/tandoor/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app tandoor - namespace: &ns default spec: interval: 30m chart: 
@@ -36,19 +35,17 @@ spec: tandoor: annotations: reloader.stakater.com/auto: "true" + secret.reloader.stakater.com/reload: lychee-db-secret initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: tandoor-secret migrations: image: repository: vabene1111/recipes tag: 1.5.26@sha256:2de2de6c1ad5e4ea85f605112985d70079dad7b4118bd13e4087cde2dd411457 - envFrom: *envFrom + envFrom: &envFrom + - secretRef: + name: tandoor-secret + - secretRef: + name: tandoor-db-secret command: - sh - -c @@ -106,7 +103,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: hajimari.io/icon: mdi:chef-hat gethomepage.dev/enabled: "true" diff --git a/kubernetes/apps/default/tandoor/ks.yaml b/kubernetes/apps/default/tandoor/ks.yaml index c21292818..4eefa4dda 100644 --- a/kubernetes/apps/default/tandoor/ks.yaml +++ b/kubernetes/apps/default/tandoor/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -16,6 +16,7 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: + - name: crunchy-postgres-operator-cluster - name: external-secrets-stores - name: rook-ceph-cluster - name: volsync diff --git a/kubernetes/apps/default/tdarr/app/helmrelease.yaml b/kubernetes/apps/default/tdarr/app/helmrelease.yaml index c19667b44..7fd09b700 100644 --- a/kubernetes/apps/default/tdarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/tdarr/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app tdarr - namespace: default spec: interval: 30m chart: 
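Review bot: The reload annotation added to the tandoor pod names the wrong Secret: `secret.reloader.stakater.com/reload: lychee-db-secret` should read `secret.reloader.stakater.com/reload: tandoor-db-secret`, matching the `tandoor-db-secret` the new `envFrom` list in the same hunk references. As written, a rotated credential in tandoor-db-secret never triggers a rollout, so the migrations and app containers keep running with stale database credentials until something else restarts them. The parallel vaultwarden and vikunja hunks in this commit use the correct per-app name, so this looks like a copy-paste slip. The rest of the HelmRelease is outside the hunk.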
@@ -54,7 +53,7 @@ spec: server: controller: *app type: LoadBalancer - loadBalancerIP: 192.168.169.117 + loadBalancerIP: ${CLUSTER_LB_TDARR} externalTrafficPolicy: Local ports: server: @@ -64,7 +63,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: nginx.ingress.kubernetes.io/auth-method: GET nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify diff --git a/kubernetes/apps/default/tdarr/app/kustomization.yaml b/kubernetes/apps/default/tdarr/app/kustomization.yaml index 35ff57401..fd54ff7cc 100644 --- a/kubernetes/apps/default/tdarr/app/kustomization.yaml +++ b/kubernetes/apps/default/tdarr/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./helmrelease.yaml - ../../../../templates/gatus/guarded diff --git a/kubernetes/apps/default/tdarr/ks.yaml b/kubernetes/apps/default/tdarr/ks.yaml index 8af127db2..b1141cf65 100644 --- a/kubernetes/apps/default/tdarr/ks.yaml +++ b/kubernetes/apps/default/tdarr/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -29,7 +29,7 @@ spec: VOLSYNC_CACHE_CAPACITY: 20Gi VOLSYNC_CAPACITY: 50Gi --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: 
diff --git a/kubernetes/apps/default/tdarr/node/helmrelease.yaml b/kubernetes/apps/default/tdarr/node/helmrelease.yaml
index 618d62bd9..f216c7de9 100644
--- a/kubernetes/apps/default/tdarr/node/helmrelease.yaml
+++ b/kubernetes/apps/default/tdarr/node/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app tdarr-node - namespace: default spec: interval: 30m chart:
diff --git a/kubernetes/apps/default/tdarr/node/kustomization.yaml b/kubernetes/apps/default/tdarr/node/kustomization.yaml
index 4aa74b27c..09bc749a9 100644
--- a/kubernetes/apps/default/tdarr/node/kustomization.yaml
+++ b/kubernetes/apps/default/tdarr/node/kustomization.yaml
@@ -2,6 +2,5 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./helmrelease.yaml
diff --git a/kubernetes/apps/default/unifi/app/helmrelease.yaml b/kubernetes/apps/default/unifi/app/helmrelease.yaml
index 05b2f136a..1ef4027d8 100644
--- a/kubernetes/apps/default/unifi/app/helmrelease.yaml
+++ b/kubernetes/apps/default/unifi/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app unifi - namespace: default spec: interval: 30m chart:
@@ -89,7 +88,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: nginx.ingress.kubernetes.io/backend-protocol: HTTPS hajimari.io/icon: mdi:lan
diff --git a/kubernetes/apps/default/unifi/app/kustomization.yaml b/kubernetes/apps/default/unifi/app/kustomization.yaml
index 35ff57401..fd54ff7cc 100644
--- a/kubernetes/apps/default/unifi/app/kustomization.yaml
+++ b/kubernetes/apps/default/unifi/app/kustomization.yaml
@@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./helmrelease.yaml - ../../../../templates/gatus/guarded diff --git a/kubernetes/apps/default/unifi/ks.yaml b/kubernetes/apps/default/unifi/ks.yaml index 99f568181..220c9d2c9 100644 --- a/kubernetes/apps/default/unifi/ks.yaml +++ b/kubernetes/apps/default/unifi/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/default/vaultwarden/app/externalsecret.yaml b/kubernetes/apps/default/vaultwarden/app/externalsecret.yaml index fe2613619..47f0021a8 100644 --- a/kubernetes/apps/default/vaultwarden/app/externalsecret.yaml +++ b/kubernetes/apps/default/vaultwarden/app/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: vaultwarden - namespace: default spec: secretStoreRef: kind: ClusterSecretStore 
@@ -14,17 +13,26 @@ spec: template: engineVersion: v2 data: - # App - DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres16-rw.database.svc.cluster.local.:5432/vaultwarden ADMIN_TOKEN: "{{ .VAULTWARDEN_ADMIN_TOKEN }}" - # Postgres Init - INIT_POSTGRES_DBNAME: vaultwarden - INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local - INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}" - INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}" - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - - extract: - key: cloudnative-pg - extract: key: vaultwarden +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vaultwarden-db +spec: + secretStoreRef: + kind: ClusterSecretStore + name: crunchy-pgo-secrets + target: + name: vaultwarden-db-secret + template: + engineVersion: v2 + data: + DATABASE_URL: postgresql://{{ index . "user" }}:{{ index . "password" }}@{{ index . "host" }}:{{ index . "port" }}/{{ index . "dbname" }} + dataFrom: + - extract: + key: postgres-pguser-vaultwarden diff --git a/kubernetes/apps/default/vaultwarden/app/helmrelease.yaml b/kubernetes/apps/default/vaultwarden/app/helmrelease.yaml index 930f6f344..6b96597b4 100644 --- a/kubernetes/apps/default/vaultwarden/app/helmrelease.yaml +++ b/kubernetes/apps/default/vaultwarden/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app vaultwarden - namespace: default spec: interval: 30m chart: @@ -32,14 +31,7 @@ spec: vaultwarden: annotations: reloader.stakater.com/auto: "true" - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: vaultwarden-secret + secret.reloader.stakater.com/reload: vaultwarden-db-secret containers: app: image: 
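Review bot: `DATABASE_URL` in the new vaultwarden-db template splices the raw `user` and `password` values straight into a URL, so a generated password containing a URL-reserved character (`@`, `/`, `:`, `%`, `#`) produces a malformed connection string — the old template had the same shape, but its credentials were hand-chosen rather than operator-generated. The Crunchy pguser Secret that `postgres-pguser-vaultwarden` extracts also carries a ready-made `uri` key built by the operator from the same fields with the credentials escaped, so `DATABASE_URL: '{{ index . "uri" }}'` avoids the escaping problem and the hand-assembled host:port/dbname. If the hand-built form is kept, it should at least be verified against the actual generated password before the switch to PGO goes live.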
@@ -60,7 +52,11 @@ spec: SMTP_FROM_NAME: vaultwarden SMTP_PORT: 2525 SMTP_SECURITY: "off" - envFrom: *envFrom + envFrom: + - secretRef: + name: vaultwarden-secret + - secretRef: + name: vaultwarden-db-secret resources: requests: cpu: 100m @@ -76,10 +72,8 @@ spec: ingress: app: enabled: true - className: nginx + className: external annotations: - external-dns.alpha.kubernetes.io/enabled: "true" - external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}. hajimari.io/icon: mdi:lock gethomepage.dev/enabled: "true" gethomepage.dev/name: Vaultwarden diff --git a/kubernetes/apps/default/vaultwarden/app/kustomization.yaml b/kubernetes/apps/default/vaultwarden/app/kustomization.yaml index 72f9ab807..4c3bf6b62 100644 --- a/kubernetes/apps/default/vaultwarden/app/kustomization.yaml +++ b/kubernetes/apps/default/vaultwarden/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/default/vaultwarden/ks.yaml b/kubernetes/apps/default/vaultwarden/ks.yaml index dde6291f9..2ed16e3df 100644 --- a/kubernetes/apps/default/vaultwarden/ks.yaml +++ b/kubernetes/apps/default/vaultwarden/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -16,6 +16,7 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: + - name: crunchy-postgres-operator-cluster - name: external-secrets-stores - name: rook-ceph-cluster - name: volsync 
diff --git a/kubernetes/apps/default/vikunja/app/externalsecret.yaml b/kubernetes/apps/default/vikunja/app/externalsecret.yaml index 1c72874f5..573935753 100644 --- a/kubernetes/apps/default/vikunja/app/externalsecret.yaml +++ b/kubernetes/apps/default/vikunja/app/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: vikunja - namespace: default spec: secretStoreRef: kind: ClusterSecretStore @@ -14,22 +13,29 @@ spec: template: engineVersion: v2 data: - # App - VIKUNJA_DATABASE_HOST: &dbHost postgres16-rw.database.svc.cluster.local. - VIKUNJA_DATABASE_DATABASE: &dbName vikunja - VIKUNJA_DATABASE_USER: &dbUser "{{ .VIKUNJA_POSTGRES_USER }}" - VIKUNJA_DATABASE_PASSWORD: &dbPass "{{ .VIKUNJA_POSTGRES_PASS }}" - VIKUNJA_DATABASE_SSLMODE: require - VIKUNJA_DATABASE_TYPE: postgres VIKUNJA_SERVICE_JWTSECRET: "{{ .VIKUNJA_SERVICE_JWTSECRET }}" - # Postgres Init - INIT_POSTGRES_DBNAME: *dbName - INIT_POSTGRES_HOST: *dbHost - INIT_POSTGRES_USER: *dbUser - INIT_POSTGRES_PASS: *dbPass - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - - extract: - key: cloudnative-pg - extract: key: vikunja +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: vikunja-db +spec: + secretStoreRef: + kind: ClusterSecretStore + name: crunchy-pgo-secrets + target: + name: vikunja-db-secret + template: + engineVersion: v2 + data: + VIKUNJA_DATABASE_HOST: '{{ index . "host" }}' + VIKUNJA_DATABASE_DATABASE: '{{ index . "dbname" }}' + VIKUNJA_DATABASE_USER: '{{ index . "user" }}' + VIKUNJA_DATABASE_PASSWORD: '{{ index . "password" }}' + dataFrom: + - extract: + key: postgres-pguser-vikunja diff --git a/kubernetes/apps/default/vikunja/app/helmrelease.yaml b/kubernetes/apps/default/vikunja/app/helmrelease.yaml index 891a751e9..6ad0aa56b 100644 
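Review bot: The new `vikunja-db` template drops two keys the old secret carried without moving them anywhere: `VIKUNJA_DATABASE_TYPE: postgres` and `VIKUNJA_DATABASE_SSLMODE: require`. Without `VIKUNJA_DATABASE_TYPE`, Vikunja falls back to its default database type (sqlite, as far as I know), so the host/user/password now taken from the Crunchy secret would simply be ignored; without `VIKUNJA_DATABASE_SSLMODE` the Postgres session is negotiated without TLS unless the server side rejects non-SSL connections. Both belong under `data:` of the new ExternalSecret, i.e. `VIKUNJA_DATABASE_TYPE: postgres` and `VIKUNJA_DATABASE_SSLMODE: require` (PGO clusters serve TLS by default, so `require` should keep working against the new host).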
--- a/kubernetes/apps/default/vikunja/app/helmrelease.yaml +++ b/kubernetes/apps/default/vikunja/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app vikunja - namespace: default spec: interval: 30m chart: @@ -32,21 +31,17 @@ spec: vikunja: annotations: reloader.stakater.com/auto: "true" - configmap.reloader.stakater.com/reload: lidarr-pushover - initContainers: - init-db: - image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - envFrom: &envFrom - - secretRef: - name: vikunja-secret + secret.reloader.stakater.com/reload: vikunja-db-secret containers: app: image: repository: vikunja/api tag: 0.22.1@sha256:c9415431e6235229302bb8f9ee6660b74c24859d1e8adbc4a3e25bd418604b57 - envFrom: *envFrom + envFrom: + - secretRef: + name: vikunja-secret + - secretRef: + name: vikunja-db-secret env: VIKUNJA_MAILER_HOST: smtp-relay.default.svc.cluster.local. VIKUNJA_MAILER_PORT: "2525" @@ -74,7 +69,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: external-dns.alpha.kubernetes.io/enabled: "true" external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}. diff --git a/kubernetes/apps/default/vikunja/app/kustomization.yaml b/kubernetes/apps/default/vikunja/app/kustomization.yaml index 760a5f125..374b49655 100644 --- a/kubernetes/apps/default/vikunja/app/kustomization.yaml +++ b/kubernetes/apps/default/vikunja/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/default/vikunja/ks.yaml b/kubernetes/apps/default/vikunja/ks.yaml index c336d12e1..b68575656 100644 --- a/kubernetes/apps/default/vikunja/ks.yaml +++ b/kubernetes/apps/default/vikunja/ks.yaml 
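Review bot: The ingress in the last hunk moves to `className: internal` but keeps `external-dns.alpha.kubernetes.io/enabled: "true"` and `external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}.`, whereas the vaultwarden and flux webhook hunks in this commit strip those annotations when they change class. If external-dns still honours them, the public zone ends up with a record pointing at an ingress that is meant to be internal; if public DNS for vikunja is the intent, `className: external` would be the consistent choice. Either way the two annotation lines should be reconciled with the class, presumably by deleting them as the other hunks do. The rest of the HelmRelease is outside the hunk.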
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -16,6 +16,7 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: + - name: crunchy-postgres-operator-cluster - name: external-secrets-stores - name: rook-ceph-cluster - name: volsync diff --git a/kubernetes/apps/default/windmill/app/externalsecret.yaml b/kubernetes/apps/default/windmill/app/externalsecret.yaml deleted file mode 100644 index de93e1dfb..000000000 --- a/kubernetes/apps/default/windmill/app/externalsecret.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: windmill - namespace: default -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: windmill-secret - template: - engineVersion: v2 - data: - # App - WINDMILL_POSTGRES_URL: "postgres://{{ .WINDMILL__POSTGRES_USER }}:{{ .WINDMILL__POSTGRES_PASS }}@postgres16-rw.database.svc.cluster.local/windmill" - # Postgres Init - INIT_POSTGRES_DBNAME: windmill - INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local - INIT_POSTGRES_USER: "{{ .WINDMILL__POSTGRES_USER }}" - INIT_POSTGRES_PASS: "{{ .WINDMILL__POSTGRES_PASS }}" - INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" - dataFrom: - - extract: - key: cloudnative-pg - - extract: - key: windmill diff --git a/kubernetes/apps/default/windmill/app/scripts/grants.sh b/kubernetes/apps/default/windmill/app/scripts/grants.sh deleted file mode 100644 index e4670e2fd..000000000 --- a/kubernetes/apps/default/windmill/app/scripts/grants.sh +++ /dev/null 
@@ -1,60 +0,0 @@ -#!/usr/bin/env bash - -export INIT_POSTGRES_SUPER_USER=${INIT_POSTGRES_SUPER_USER:-postgres} -export INIT_POSTGRES_PORT=${INIT_POSTGRES_PORT:-5432} - -if [[ -z "${INIT_POSTGRES_HOST}" || - -z "${INIT_POSTGRES_SUPER_PASS}" || - -z "${INIT_POSTGRES_USER}" || - -z "${INIT_POSTGRES_PASS}" || - -z "${INIT_POSTGRES_DBNAME}" -]]; then - printf "\e[1;32m%-6s\e[m\n" "Invalid configuration - missing a required environment variable" - [[ -z "${INIT_POSTGRES_HOST}" ]] && printf "\e[1;32m%-6s\e[m\n" "INIT_POSTGRES_HOST: unset" - [[ -z "${INIT_POSTGRES_SUPER_PASS}" ]] && printf "\e[1;32m%-6s\e[m\n" "INIT_POSTGRES_SUPER_PASS: unset" - [[ -z "${INIT_POSTGRES_USER}" ]] && printf "\e[1;32m%-6s\e[m\n" "INIT_POSTGRES_USER: unset" - [[ -z "${INIT_POSTGRES_PASS}" ]] && printf "\e[1;32m%-6s\e[m\n" "INIT_POSTGRES_PASS: unset" - [[ -z "${INIT_POSTGRES_DBNAME}" ]] && printf "\e[1;32m%-6s\e[m\n" "INIT_POSTGRES_DBNAME: unset" - exit 1 -fi - -# These env are for the psql CLI -export PGHOST="${INIT_POSTGRES_HOST}" -export PGUSER="${INIT_POSTGRES_SUPER_USER}" -export PGPASSWORD="${INIT_POSTGRES_SUPER_PASS}" -export PGPORT="${INIT_POSTGRES_PORT}" - -until pg_isready; do - printf "\e[1;32m%-6s\e[m\n" "Waiting for Host '${PGHOST}' on port '${PGPORT}' ..." - sleep 1 -done - -for dbname in ${INIT_POSTGRES_DBNAME}; do - printf "\e[1;32m%-6s\e[m\n" "Update User Privileges on Database ..." 
- psql --dbname ${dbname} -c " - DO \$\$ - BEGIN - IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'windmill_user') THEN - CREATE ROLE windmill_user; - END IF; - END - \$\$; - - DO \$\$ - BEGIN - IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'windmill_admin') THEN - CREATE ROLE windmill_admin WITH BYPASSRLS; - END IF; - END - \$\$; - - GRANT ALL ON ALL TABLES IN SCHEMA public TO windmill_user; - GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO windmill_user; - ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO windmill_user; - ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO windmill_user; - GRANT windmill_user TO windmill_admin; - GRANT windmill_admin TO ${INIT_POSTGRES_USER}; - GRANT windmill_user TO ${INIT_POSTGRES_USER}; - GRANT USAGE ON SCHEMA public TO windmill_admin; - GRANT USAGE ON SCHEMA public TO windmill_user;" -done diff --git a/kubernetes/apps/networking/external-dns/app/externalsecret.yaml b/kubernetes/apps/default/zigbee2mqtt/app/externalsecret.yaml similarity index 56% rename from kubernetes/apps/networking/external-dns/app/externalsecret.yaml rename to kubernetes/apps/default/zigbee2mqtt/app/externalsecret.yaml index f7c2f4174..08eb690e3 100644 --- a/kubernetes/apps/networking/external-dns/app/externalsecret.yaml +++ b/kubernetes/apps/default/zigbee2mqtt/app/externalsecret.yaml 
@@ -3,20 +3,19 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: - name: external-dns - namespace: networking + name: zigbee2mqtt spec: secretStoreRef: kind: ClusterSecretStore name: onepassword-connect target: - name: external-dns-secret + name: zigbee2mqtt-secret template: engineVersion: v2 data: - OVH_APPLICATION_KEY: "{{ .OVH_APPLICATION_KEY }}" - OVH_APPLICATION_SECRET: "{{ .OVH_APPLICATION_SECRET }}" - OVH_CONSUMER_KEY: "{{ .OVH_CONSUMMER_KEY }}" + ZIGBEE2MQTT_CONFIG_MQTT_USER: "{{ .EMQX_MQTT_USER }}" + ZIGBEE2MQTT_CONFIG_MQTT_PASSWORD: "{{ .EMQX_MQTT_PASSWORD }}" + dataFrom: - extract: - key: external-dns + key: emqx diff --git a/kubernetes/apps/default/zigbee2mqtt/app/helmrelease.yaml b/kubernetes/apps/default/zigbee2mqtt/app/helmrelease.yaml index 91c2146ea..3e6a3efbb 100644 --- a/kubernetes/apps/default/zigbee2mqtt/app/helmrelease.yaml +++ b/kubernetes/apps/default/zigbee2mqtt/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app zigbee2mqtt - namespace: default spec: interval: 30m chart: @@ -65,22 +64,15 @@ spec: ZIGBEE2MQTT_CONFIG_MQTT_INCLUDE_DEVICE_INFORMATION: "true" ZIGBEE2MQTT_CONFIG_MQTT_KEEPALIVE: 60 ZIGBEE2MQTT_CONFIG_MQTT_REJECT_UNAUTHORIZED: "true" - ZIGBEE2MQTT_CONFIG_MQTT_SERVER: mqtt://emqx.default.svc.cluster.local. + ZIGBEE2MQTT_CONFIG_MQTT_SERVER: mqtt://emqx.database.svc.cluster.local. ZIGBEE2MQTT_CONFIG_MQTT_VERSION: 5 - ZIGBEE2MQTT_CONFIG_MQTT_USER: - valueFrom: - secretKeyRef: - name: emqx-secret - key: user_1_username - ZIGBEE2MQTT_CONFIG_MQTT_PASSWORD: - valueFrom: - secretKeyRef: - name: emqx-secret - key: user_1_password ZIGBEE2MQTT_CONFIG_PERMIT_JOIN: "false" ZIGBEE2MQTT_CONFIG_SERIAL_PORT: /dev/serial/by-id/usb-1a86_USB_Serial-if00-port0 # ZIGBEE2MQTT_CONFIG_DEVICES: devices.yaml # ZIGBEE2MQTT_CONFIG_GROUPS: groups.yaml + envFrom: + - secretRef: + name: zigbee2mqtt-secret securityContext: privileged: true resources: 
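Review bot: The broker URL changes to `mqtt://emqx.database.svc.cluster.local.` while `ZIGBEE2MQTT_CONFIG_MQTT_REJECT_UNAUTHORIZED: "true"` is kept; that flag only has an effect on a TLS connection, so the user and password now injected from `zigbee2mqtt-secret` still cross the namespace boundary in clear text. If EMQX exposes a TLS listener, `mqtts://emqx.database.svc.cluster.local.:8883` would make the reject-unauthorized setting meaningful; otherwise the flag is inert and is better dropped than left implying a protection that is not there. The rest of the env block is outside the hunk.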
@@ -98,7 +90,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: nginx.ingress.kubernetes.io/auth-method: GET nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify diff --git a/kubernetes/apps/default/zigbee2mqtt/app/kustomization.yaml b/kubernetes/apps/default/zigbee2mqtt/app/kustomization.yaml index 861265573..a2f0ea957 100644 --- a/kubernetes/apps/default/zigbee2mqtt/app/kustomization.yaml +++ b/kubernetes/apps/default/zigbee2mqtt/app/kustomization.yaml @@ -1,8 +1,8 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: + - ./externalsecret.yaml - ./helmrelease.yaml - ../../../../templates/gatus/guarded - ../../../../templates/volsync diff --git a/kubernetes/apps/default/zigbee2mqtt/ks.yaml b/kubernetes/apps/default/zigbee2mqtt/ks.yaml index dc580f6f2..e39245054 100644 --- a/kubernetes/apps/default/zigbee2mqtt/ks.yaml +++ b/kubernetes/apps/default/zigbee2mqtt/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/default/zwave-js-ui/app/helmrelease.yaml b/kubernetes/apps/default/zwave-js-ui/app/helmrelease.yaml index b16de63be..478f7fa53 100644 --- a/kubernetes/apps/default/zwave-js-ui/app/helmrelease.yaml +++ b/kubernetes/apps/default/zwave-js-ui/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app zwave-js-ui - namespace: default spec: interval: 30m chart: 
@@ -86,7 +85,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: nginx.ingress.kubernetes.io/auth-method: GET nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
diff --git a/kubernetes/apps/default/zwave-js-ui/app/kustomization.yaml b/kubernetes/apps/default/zwave-js-ui/app/kustomization.yaml
index 35ff57401..fd54ff7cc 100644
--- a/kubernetes/apps/default/zwave-js-ui/app/kustomization.yaml
+++ b/kubernetes/apps/default/zwave-js-ui/app/kustomization.yaml
@@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./helmrelease.yaml - ../../../../templates/gatus/guarded
diff --git a/kubernetes/apps/default/zwave-js-ui/ks.yaml b/kubernetes/apps/default/zwave-js-ui/ks.yaml
index ed3c5f940..cf79b2b7b 100644
--- a/kubernetes/apps/default/zwave-js-ui/ks.yaml
+++ b/kubernetes/apps/default/zwave-js-ui/ks.yaml
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata:
diff --git a/kubernetes/apps/flux-system/addons/ks.yaml b/kubernetes/apps/flux-system/addons/ks.yaml
index e066e0ed1..ecbb2094a 100644
--- a/kubernetes/apps/flux-system/addons/ks.yaml
+++ b/kubernetes/apps/flux-system/addons/ks.yaml
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata:
@@ -23,7 +23,7 @@ spec: substitute: APP: *app --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata:
@@ -47,7 +47,7 @@ spec: substitute: APP: *app --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata:
diff --git a/kubernetes/apps/flux-system/addons/webhooks/github/externalsecret.yaml b/kubernetes/apps/flux-system/addons/webhooks/github/externalsecret.yaml
index c7e831ee9..c7c657354 100644
--- a/kubernetes/apps/flux-system/addons/webhooks/github/externalsecret.yaml
+++ b/kubernetes/apps/flux-system/addons/webhooks/github/externalsecret.yaml
@@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: github-webhook-token - namespace: flux-system spec: secretStoreRef: kind: ClusterSecretStore
diff --git a/kubernetes/apps/flux-system/addons/webhooks/github/ingress.yaml b/kubernetes/apps/flux-system/addons/webhooks/github/ingress.yaml
index ad37cbc14..803c0c2f2 100644
--- a/kubernetes/apps/flux-system/addons/webhooks/github/ingress.yaml
+++ b/kubernetes/apps/flux-system/addons/webhooks/github/ingress.yaml
@@ -3,13 +3,10 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: webhook-receiver - namespace: flux-system annotations: - external-dns.alpha.kubernetes.io/enabled: "true" - external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}. hajimari.io/enable: "false" spec: - ingressClassName: "nginx" + ingressClassName: external rules: - host: "flux-webhook.${SECRET_EXTERNAL_DOMAIN}" http: diff --git a/kubernetes/apps/flux-system/addons/webhooks/github/receiver.yaml b/kubernetes/apps/flux-system/addons/webhooks/github/receiver.yaml index 39b78dc78..4c2239910 100644 --- a/kubernetes/apps/flux-system/addons/webhooks/github/receiver.yaml +++ b/kubernetes/apps/flux-system/addons/webhooks/github/receiver.yaml @@ -4,7 +4,6 @@ apiVersion: notification.toolkit.fluxcd.io/v1 kind: Receiver metadata: name: home-ops-kubernetes - namespace: flux-system spec: type: github events: diff --git a/kubernetes/apps/flux-system/capacitor/app/helmrelease.yaml b/kubernetes/apps/flux-system/capacitor/app/helmrelease.yaml index e75f199b2..8f26486f4 100644 --- a/kubernetes/apps/flux-system/capacitor/app/helmrelease.yaml +++ b/kubernetes/apps/flux-system/capacitor/app/helmrelease.yaml @@ -58,7 +58,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: hajimari.io/icon: mdi:sync gethomepage.dev/enabled: "true" diff --git a/kubernetes/apps/flux-system/capacitor/app/kustomization.yaml b/kubernetes/apps/flux-system/capacitor/app/kustomization.yaml index b4f5b8037..430075e35 100644 --- a/kubernetes/apps/flux-system/capacitor/app/kustomization.yaml +++ b/kubernetes/apps/flux-system/capacitor/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./helmrelease.yaml - ./rbac.yaml 
diff --git a/kubernetes/apps/flux-system/capacitor/app/rbac.yaml b/kubernetes/apps/flux-system/capacitor/app/rbac.yaml index b6a51eaae..0b4b29f56 100644 --- a/kubernetes/apps/flux-system/capacitor/app/rbac.yaml +++ b/kubernetes/apps/flux-system/capacitor/app/rbac.yaml @@ -25,12 +25,16 @@ rules: - source.toolkit.fluxcd.io - kustomize.toolkit.fluxcd.io - helm.toolkit.fluxcd.io + - infra.contrib.fluxcd.io resources: - gitrepositories - ocirepositories - buckets + - helmrepositories + - helmcharts - kustomizations - helmreleases + - terraforms verbs: - get - watch diff --git a/kubernetes/apps/flux-system/namespace.yaml b/kubernetes/apps/flux-system/namespace.yaml index ff9cea6e3..4f91b1713 100644 --- a/kubernetes/apps/flux-system/namespace.yaml +++ b/kubernetes/apps/flux-system/namespace.yaml @@ -14,7 +14,7 @@ metadata: namespace: flux-system spec: type: alertmanager - address: http://kube-prometheus-stack-alertmanager.monitoring:9093/api/v2/alerts/ + address: http://kube-prometheus-stack-alertmanager.observability:9093/api/v2/alerts/ --- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json apiVersion: notification.toolkit.fluxcd.io/v1beta3 diff --git a/kubernetes/apps/kube-system/cilium/app/configmap.yaml b/kubernetes/apps/kube-system/cilium/app/configmap.yaml deleted file mode 100644 index 046d2e372..000000000 --- a/kubernetes/apps/kube-system/cilium/app/configmap.yaml +++ /dev/null @@ -1,18 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: bgp-config - namespace: kube-system -data: - config.yaml: | - peers: - - peer-address: ${LOCAL_LAN_OPNSENSE} - peer-asn: 64512 - my-asn: 64512 - address-pools: - - name: default - protocol: bgp - addresses: - - ${CILIUM_BGP_SVC_RANGE} - avoid-buggy-ips: true 
diff --git a/kubernetes/bootstrap/cilium/values.yaml b/kubernetes/apps/kube-system/cilium/app/helm-values.yaml similarity index 51% rename from kubernetes/bootstrap/cilium/values.yaml rename to kubernetes/apps/kube-system/cilium/app/helm-values.yaml index 8f1681b76..1b0c3ab0d 100644 --- a/kubernetes/bootstrap/cilium/values.yaml +++ b/kubernetes/apps/kube-system/cilium/app/helm-values.yaml @@ -1,13 +1,24 @@ --- autoDirectNodeRoutes: true -bgp: - announce: - loadbalancerIP: true - enabled: false -containerRuntime: - integration: containerd +bandwidthManager: + enabled: true +bbr: true +bgpControlPlane: + enabled: true +cgroup: + automount: + enabled: false + hostRoot: /sys/fs/cgroup +cluster: + id: 1 + name: talos-cluster +cni: + exclusive: false +enableIPv4BIGTCP: true endpointRoutes: enabled: true +envoy: + enabled: false hubble: enabled: false ipam: @@ -15,14 +26,32 @@ ipam: ipv4NativeRoutingCIDR: 10.69.0.0/16 k8sServiceHost: localhost k8sServicePort: 7445 -kubeProxyReplacement: strict +kubeProxyReplacement: true +kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 +l2announcements: + enabled: true loadBalancer: algorithm: maglev mode: dsr localRedirectPolicy: true operator: + replicas: 2 rollOutPods: true + prometheus: + enabled: true + serviceMonitor: + enabled: true + dashboards: + enabled: true +prometheus: + enabled: true + serviceMonitor: + enabled: true + trustCRDsExist: true +dashboards: + enabled: true rollOutCiliumPods: true +routingMode: native securityContext: capabilities: ciliumAgent: @@ -41,8 +70,3 @@ securityContext: - NET_ADMIN - SYS_ADMIN - SYS_RESOURCE - cgroup: - autoMount: - enabled: false - hostRoot: /sys/fs/cgroup -tunnel: disabled diff --git a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml index c1ff09e41..45d098aec 100644 --- a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml 
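Review bot: The new `cgroup:` block in the first hunk uses the key `automount`, but the Cilium chart's key is `autoMount` — the lines removed at the end of this same file (`- cgroup: - autoMount: - enabled: false`) and in cilium/app/helmrelease.yaml spell it that way. Helm does not reject unknown values, so the chart silently keeps its upstream default (`autoMount.enabled: true`) and the `hostRoot: /sys/fs/cgroup` next to it is ignored with it, which is exactly the behaviour the old values turned off for this Talos cluster. The fix is the casing only: `cgroup:` / `  autoMount:` / `    enabled: false` with `hostRoot` unchanged. Separately, `kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256` binds on every node interface; fine if host firewalling already limits it, but worth a conscious choice rather than an inherited one.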
@@ -3,8 +3,7 @@
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
- name: &app cilium
- namespace: &ns kube-system
+ name: cilium
 spec:
 interval: 30m
 chart:
@@ -26,89 +25,35 @@ spec: retries: 3 uninstall: keepHistory: false + valuesFrom: + - kind: ConfigMap + name: cilium-helm-values values: - autoDirectNodeRoutes: true - bgp: - announce: - loadbalancerIP: true - enabled: true - cluster: - id: 1 - name: cluster-0 - enableRuntimeDeviceDetection: true - endpointRoutes: - enabled: true hubble: enabled: true metrics: enabled: - - dns:query;ignoreAAAA + - dns:query - drop - tcp - flow - port-distribution - icmp - http + serviceMonitor: + enabled: true + dashboards: + enabled: true relay: enabled: true rollOutPods: true - serviceMonitor: - enabled: true + prometheus: + serviceMonitor: + enabled: true ui: enabled: true + rollOutPods: true ingress: enabled: true - className: nginx - hosts: - - &host "cilium.${SECRET_EXTERNAL_DOMAIN}" - tls: - - hosts: - - *host - rollOutPods: true - ipam: - mode: kubernetes - ipv4NativeRoutingCIDR: ${CILIUM_POD_CIDR} - k8sServiceHost: localhost - k8sServicePort: 7445 - kubeProxyReplacement: true - kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 - l2announcements: - enabled: true - loadBalancer: - algorithm: maglev - mode: dsr - localRedirectPolicy: true - operator: - rollOutPods: true - rollOutCiliumPods: true - securityContext: - capabilities: - ciliumAgent: - - CHOWN - - KILL - - NET_ADMIN - - NET_RAW - - IPC_LOCK - - SYS_ADMIN - - SYS_RESOURCE - - DAC_OVERRIDE - - FOWNER - - SETGID - - SETUID - cleanCiliumState: - - NET_ADMIN - - SYS_ADMIN - - SYS_RESOURCE - cgroup: - autoMount: - enabled: false - hostRoot: /sys/fs/cgroup - l7proxy: true - routingMode: native - ingressController: - enabled: false - defaultSecretNamespace: networking - defaultSecretName: ${SECRET_EXTERNAL_DOMAIN//./-}-tls - loadbalancerMode: shared - service: - loadBalancerIP: 192.168.169.115 + className: internal + hosts: ["hubble.${SECRET_EXTERNAL_DOMAIN}"] diff --git a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml index e64212369..2b04bf348 100644 
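Review bot: The rewritten Hubble UI ingress keeps `hosts: ["hubble.${SECRET_EXTERNAL_DOMAIN}"]` but drops the `tls:` stanza the old block carried, and Hubble UI itself performs no authentication, so whether flow data is now served over HTTPS depends entirely on the `internal` ingress class providing a default certificate — worth confirming, or restoring `tls: [{ hosts: ["hubble.${SECRET_EXTERNAL_DOMAIN}"] }]`. Also note that Flux merges `values` on top of `valuesFrom`, so `hubble.enabled: true` here wins over the `hubble.enabled: false` in the generated cilium-helm-values ConfigMap; a comment like `# overrides hubble.enabled=false from cilium-helm-values` above `hubble:` would save the next reader a surprise.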
--- a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml
+++ b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml
@@ -2,7 +2,11 @@
 # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: kube-system
 resources:
- - ./configmap.yaml
 - ./helmrelease.yaml
+configMapGenerator:
+ - name: cilium-helm-values
+ files:
+ - values.yaml=./helm-values.yaml
+configurations:
+ - kustomizeconfig.yaml
diff --git a/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml b/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml
new file mode 100644
index 000000000..58f92ba15
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/app/kustomizeconfig.yaml
@@ -0,0 +1,7 @@
+---
+nameReference:
+ - kind: ConfigMap
+ version: v1
+ fieldSpecs:
+ - path: spec/valuesFrom/name
+ kind: HelmRelease
diff --git a/kubernetes/apps/kube-system/cilium/config/bgp-policy.yaml b/kubernetes/apps/kube-system/cilium/config/bgp-policy.yaml
new file mode 100644
index 000000000..1033fd0c4
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/config/bgp-policy.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPPeeringPolicy
+metadata:
+ name: bgp-loadbalancer-ip-main
+spec:
+ nodeSelector:
+ matchLabels:
+ kubernetes.io/os: "linux"
+ virtualRouters:
+ - localASN: 64512
+ exportPodCIDR: false
+ serviceSelector:
+ matchExpressions:
+ - key: thisFakeSelector
+ operator: NotIn
+ values:
+ - will-match-and-announce-all-services
+ neighbors:
+ - peerAddress: ${LOCAL_LAN_OPNSENSE}/24
+ peerASN: 64512
diff --git a/kubernetes/apps/kube-system/cilium/config/bgp-pool.yaml b/kubernetes/apps/kube-system/cilium/config/bgp-pool.yaml
new file mode 100644
index 000000000..95b531590
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/config/bgp-pool.yaml
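Review bot: The new `CiliumBGPPeeringPolicy` neighbor `peerAddress: ${LOCAL_LAN_OPNSENSE}/24` carries no `authSecretRef`, so the BGP session with the router is unauthenticated and peer identity rests on network reachability alone; if OPNsense supports TCP-MD5 on this peering, adding `authSecretRef` to the neighbor closes that gap cheaply. The `/24` suffix is also unusual for a single peer — the field is a CIDR and `/32` is the host form — so double-check it resolves to the intended router address. The `serviceSelector` NotIn construction announces every LoadBalancer service, which `thisFakeSelector` does not convey; a one-line `# matches (and announces) all services` next to it would help.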
@@ -0,0 +1,8 @@
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumLoadBalancerIPPool
+metadata:
+ name: main-pool
+spec:
+ blocks:
+ - cidr: ${CILIUM_BGP_SVC_RANGE}
diff --git a/kubernetes/apps/kube-system/cilium/config/kustomization.yaml b/kubernetes/apps/kube-system/cilium/config/kustomization.yaml
new file mode 100644
index 000000000..fe62b7bee
--- /dev/null
+++ b/kubernetes/apps/kube-system/cilium/config/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./bgp-policy.yaml
+ - ./bgp-pool.yaml
diff --git a/kubernetes/apps/kube-system/cilium/ks.yaml b/kubernetes/apps/kube-system/cilium/ks.yaml
index bc5eea827..b8ca9d93a 100644
--- a/kubernetes/apps/kube-system/cilium/ks.yaml
+++ b/kubernetes/apps/kube-system/cilium/ks.yaml
@@ -1,15 +1,12 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
- name: &app cilium
+ name: &app cilium-app
 namespace: flux-system
 spec:
 targetNamespace: kube-system
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
 path: ./kubernetes/apps/kube-system/cilium/app
 prune: false
 sourceRef:
@@ -19,6 +16,23 @@ spec:
 interval: 30m
 retryInterval: 1m
 timeout: 5m
- postBuild:
- substitute:
- APP: *app
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app cilium-config
+ namespace: flux-system
+spec:
+ targetNamespace: kube-system
+ dependsOn:
+ - name: cilium-app
+ path: ./kubernetes/apps/kube-system/cilium/config
+ prune: false
+ sourceRef:
+ kind: GitRepository
+ name: home-ops-kubernetes
+ wait: true
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
diff --git a/kubernetes/apps/kube-system/coredns/app/helm-values.yaml b/kubernetes/apps/kube-system/coredns/app/helm-values.yaml
new file mode 100644
index 000000000..866f8067c
--- /dev/null
+++ b/kubernetes/apps/kube-system/coredns/app/helm-values.yaml
@@ -0,0 +1,51 @@
+---
+fullnameOverride: coredns
+replicaCount: 2
+k8sAppLabelOverride: kube-dns
+serviceAccount:
+ create: true
+service:
+ name: kube-dns
+ clusterIP: 10.96.0.10
+servers:
+ - zones:
+ - zone: .
+ scheme: dns://
+ use_tcp: true
+ port: 53
+ plugins:
+ - name: errors
+ - name: health
+ configBlock: |-
+ lameduck 5s
+ - name: ready
+ - name: log
+ configBlock: |-
+ class error
+ - name: prometheus
+ parameters: 0.0.0.0:9153
+ - name: kubernetes
+ parameters: cluster.local in-addr.arpa ip6.arpa
+ configBlock: |-
+ pods insecure
+ fallthrough in-addr.arpa ip6.arpa
+ - name: forward
+ parameters: . /etc/resolv.conf
+ - name: cache
+ parameters: 30
+ - name: loop
+ - name: reload
+ - name: loadbalance
+affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+tolerations:
+ - key: CriticalAddonsOnly
+ operator: Exists
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
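Review bot: `cilium-config` declares `dependsOn: - name: cilium-app`, but a Flux dependency is satisfied once the dependency's Kustomization reports Ready, and `cilium-app`'s `wait:` setting sits outside this hunk; if it is `wait: false`, the CiliumBGPPeeringPolicy and CiliumLoadBalancerIPPool CRDs may not exist yet when `cilium-config` first applies, so it will fail and retry every `retryInterval: 1m` until the HelmRelease has landed. Setting `wait: true` on `cilium-app`, or adding a `healthChecks` entry for the cilium HelmRelease, makes the dependency actually gate on the CNI being installed.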
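Review bot: The `kubernetes` plugin block uses `pods insecure`, which answers pod-IP A records without checking that a matching pod exists; that is the kube-dns-compatible upstream default, but in a freshly written file it deserves a comment recording the choice, e.g. `# pods insecure: kube-dns compatible; 'pods verified' answers only for existing pods`. `forward . /etc/resolv.conf` likewise inherits whatever upstream resolver the node's resolv.conf names, which is worth a note next to it since it decides where every non-cluster query goes.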
diff --git a/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml b/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml new file mode 100644 index 000000000..eacfe82e6 --- /dev/null +++ b/kubernetes/apps/kube-system/coredns/app/helmrelease.yaml @@ -0,0 +1,27 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: coredns +spec: + interval: 30m + chart: + spec: + chart: coredns + version: 1.37.0 + sourceRef: + kind: HelmRepository + name: coredns + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + valuesFrom: + - kind: ConfigMap + name: coredns-helm-values diff --git a/kubernetes/apps/networking/k8s-gateway/app/kustomization.yaml b/kubernetes/apps/kube-system/coredns/app/kustomization.yaml similarity index 66% rename from kubernetes/apps/networking/k8s-gateway/app/kustomization.yaml rename to kubernetes/apps/kube-system/coredns/app/kustomization.yaml index 91f37e36e..2e73a5c9f 100644 --- a/kubernetes/apps/networking/k8s-gateway/app/kustomization.yaml +++ b/kubernetes/apps/kube-system/coredns/app/kustomization.yaml @@ -2,13 +2,11 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: networking resources: - - ./rbac.yaml - ./helmrelease.yaml configMapGenerator: - - name: k8s-gateway-configmap + - name: coredns-helm-values files: - - ./Corefile -generatorOptions: - disableNameSuffixHash: true + - values.yaml=./helm-values.yaml +configurations: + - kustomizeconfig.yaml diff --git a/kubernetes/apps/kube-system/coredns/app/kustomizeconfig.yaml b/kubernetes/apps/kube-system/coredns/app/kustomizeconfig.yaml new file mode 100644 index 000000000..58f92ba15 --- /dev/null 
+++ b/kubernetes/apps/kube-system/coredns/app/kustomizeconfig.yaml @@ -0,0 +1,7 @@ +--- +nameReference: + - kind: ConfigMap + version: v1 + fieldSpecs: + - path: spec/valuesFrom/name + kind: HelmRelease diff --git a/kubernetes/apps/kube-system/coredns/ks.yaml b/kubernetes/apps/kube-system/coredns/ks.yaml new file mode 100644 index 000000000..90fe8405b --- /dev/null +++ b/kubernetes/apps/kube-system/coredns/ks.yaml @@ -0,0 +1,24 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app coredns + namespace: flux-system +spec: + targetNamespace: kube-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/kube-system/coredns/app + prune: false + sourceRef: + kind: GitRepository + name: home-ops-kubernetes + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m + postBuild: + substitute: + APP: *app diff --git a/kubernetes/apps/kube-system/descheduler/ks.yaml b/kubernetes/apps/kube-system/descheduler/ks.yaml index 56288a1c2..d79cc83ce 100644 --- a/kubernetes/apps/kube-system/descheduler/ks.yaml +++ b/kubernetes/apps/kube-system/descheduler/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/kube-system/external-secrets/ks.yaml b/kubernetes/apps/kube-system/external-secrets/ks.yaml index 129ce810e..d7a3c8263 100644 --- a/kubernetes/apps/kube-system/external-secrets/ks.yaml +++ b/kubernetes/apps/kube-system/external-secrets/ks.yaml 
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -23,7 +23,7 @@ spec: substitute: APP: *app --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/kube-system/external-secrets/stores/onepassword/helmrelease.yaml b/kubernetes/apps/kube-system/external-secrets/stores/onepassword/helmrelease.yaml index b628a3e50..1761b3e70 100644 --- a/kubernetes/apps/kube-system/external-secrets/stores/onepassword/helmrelease.yaml +++ b/kubernetes/apps/kube-system/external-secrets/stores/onepassword/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app onepassword-connect - namespace: kube-system spec: interval: 30m chart: @@ -44,7 +43,7 @@ spec: tag: 1.7.2@sha256:da8cb369fb841a7bd9447c909d273de4053ecc9c2b2e6432c5af6c2e08b82da1 env: OP_BUS_PORT: "11220" - OP_BUS_PEERS: "localhost:11221" + OP_BUS_PEERS: localhost:11221 OP_HTTP_PORT: &port 8080 OP_SESSION: valueFrom: @@ -86,7 +85,7 @@ spec: env: - { name: OP_HTTP_PORT, value: &sport 8081 } - { name: OP_BUS_PORT, value: "11221" } - - { name: OP_BUS_PEERS, value: "localhost:11220" } + - { name: OP_BUS_PEERS, value: localhost:11220 } - name: OP_SESSION valueFrom: secretKeyRef: @@ -120,7 +119,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: hajimari.io/enable: "false" hosts: 
diff --git a/kubernetes/apps/kube-system/external-secrets/stores/onepassword/kustomization.yaml b/kubernetes/apps/kube-system/external-secrets/stores/onepassword/kustomization.yaml index 449c82881..cc5475a51 100644 --- a/kubernetes/apps/kube-system/external-secrets/stores/onepassword/kustomization.yaml +++ b/kubernetes/apps/kube-system/external-secrets/stores/onepassword/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: kube-system resources: - ./clustersecretstore.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/kube-system/external-secrets/stores/onepassword/secret.sops.yaml b/kubernetes/apps/kube-system/external-secrets/stores/onepassword/secret.sops.yaml index 4d51ceb55..06f566084 100644 --- a/kubernetes/apps/kube-system/external-secrets/stores/onepassword/secret.sops.yaml +++ b/kubernetes/apps/kube-system/external-secrets/stores/onepassword/secret.sops.yaml @@ -3,11 +3,10 @@ apiVersion: v1 kind: Secret metadata: name: onepassword-connect-secret - namespace: kube-system type: Opaque stringData: onepassword-credentials.json: ENC[AES256_GCM,data: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,iv:6yAbNoRVVpX+IQjCbktN/ukB8a+bhOOAEd45rxgaJYQ=,tag:S3Mi7dKSyxW/OAzkE2GWtA==,type:str] - token: ENC[AES256_GCM,data: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,iv:0/kEup5L+qJfmC7NOU8KaCpceHa6DvQp3KHGqHHfZKE=,tag:eGMIbzowAm8lsU/7q7TmjA==,type:str] + token: ENC[AES256_GCM,data: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,iv:PHJ1zL9f+Ucy+lJN95ILTyXbqOKQecV0sC/env0qk3U=,tag:jkAeCrzx0GWatr9ZFE+/dw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -23,8 +22,8 @@ sops: OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+ LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-07T23:26:27Z" - mac: ENC[AES256_GCM,data:2FbAt4qdwgE3UkxYxtSluGN8iXMW5aEAxqzzcHfetifh/gtm4x9qMn6JVv4TUoBcCYzWLD+X7dyOBiSi5uWGSbL0owEB5tXj0dQW7aCNjC3hH+Y34i/+C2AYfq/hhiAV1iwyXNSu2iSKZMDbbQNkoAii/ZLsxFuBrBclACAHFWM=,iv:FRjfKHprJXFsbku4cQtZmm74ZbHsh8aqno+aRssjImM=,tag:Sh5zKXVDzl/ukpFK5lloXw==,type:str] + lastmodified: "2025-01-05T12:25:23Z" + mac: ENC[AES256_GCM,data:3KguzE81b3dKWytHq52X866gJB2sHvGQYvFs0Rq6wlCLSwhIX/BVUvvuCWLZstBGyTb60HYUWqiu2isHqN4mzRiqHnKRh3qw3bzkNwbLaGa0ITxV5FrDFdrvaWD7PTPGSHTBtFRc9n3vZqDNk54chkx/8jdNKf9blybgnBPqIVM=,iv:xJx7QfBv1Tkz25S050pDgwZ/U/FAvEyL+kkdDif+BJU=,tag:lXR/EsV+/uDJiTb/ZwaycA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ - version: 3.9.0 + version: 3.9.3 diff --git a/kubernetes/apps/kube-system/fstrim/app/helmrelease.yaml b/kubernetes/apps/kube-system/fstrim/app/helmrelease.yaml new file mode 100644 index 000000000..639aa1f45 --- /dev/null +++ b/kubernetes/apps/kube-system/fstrim/app/helmrelease.yaml 
@@ -0,0 +1,72 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app fstrim
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.6.0
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ controllers:
+ fstrim:
+ type: cronjob
+ cronjob:
+ schedule: 0 0 * * 0
+ parallelism: 4 # Set to total number of nodes
+ successfulJobsHistory: 1
+ failedJobsHistory: 1
+ containers:
+ app:
+ image:
+ repository: ghcr.io/onedr0p/kubanetics
+ tag: 2024.12.4@sha256:4941a46bd7c05ce1de1f0f2e98137db44cf116312b33d9c7d0e3619679250bd4
+ env:
+ SCRIPT_NAME: fstrim.sh
+ resources:
+ requests:
+ cpu: 25m
+ limits:
+ memory: 128Mi
+ securityContext:
+ privileged: true
+ defaultPodOptions:
+ hostNetwork: true
+ hostPID: true
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: *app
+ persistence:
+ procfs:
+ type: hostPath
+ hostPath: /proc
+ hostPathType: Directory
+ globalMounts:
+ - path: /host/proc
+ readOnly: true
+ netfs:
+ type: hostPath
+ hostPath: /sys
+ hostPathType: Directory
+ globalMounts:
+ - path: /host/net
+ readOnly: true
diff --git a/kubernetes/apps/kube-system/fstrim/app/kustomization.yaml b/kubernetes/apps/kube-system/fstrim/app/kustomization.yaml
new file mode 100644
index 000000000..17cbc72b2
--- /dev/null
+++ b/kubernetes/apps/kube-system/fstrim/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
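Review bot: The fstrim CronJob combines `privileged: true` with `hostPID: true`, `hostNetwork: true` and hostPath mounts of `/proc` and `/sys`, which amounts to root on every node the job lands on, and the file gives no reason for any of it; a comment above `defaultPodOptions` such as `# privileged + hostPID: presumably required to enter the node's mount namespace for fstrim — confirm` (or the real reason) would let a reviewer judge the grant. The image is pinned by digest, which is the right control for a pod with this reach. `parallelism: 4 # Set to total number of nodes` will silently go stale when the node count changes; consider a substituted variable or a pointer in ks.yaml. The `netfs` volume mounts `/sys` at `/host/net`, which reads like a name/path mismatch — worth confirming the script expects that path.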
diff --git a/kubernetes/apps/kube-system/fstrim/ks.yaml b/kubernetes/apps/kube-system/fstrim/ks.yaml new file mode 100644 index 000000000..e272b2bcb --- /dev/null +++ b/kubernetes/apps/kube-system/fstrim/ks.yaml @@ -0,0 +1,24 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app fstrim + namespace: flux-system +spec: + targetNamespace: kube-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/kube-system/fstrim/app + prune: true + sourceRef: + kind: GitRepository + name: home-ops-kubernetes + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m + postBuild: + substitute: + APP: *app diff --git a/kubernetes/apps/kube-system/intel-device-plugin/exporter/helmrelease.yaml b/kubernetes/apps/kube-system/intel-device-plugin/exporter/helmrelease.yaml deleted file mode 100644 index dfd714a0a..000000000 --- a/kubernetes/apps/kube-system/intel-device-plugin/exporter/helmrelease.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app intel-gpu-exporter - namespace: kube-system -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.6.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - maxHistory: 2 - install: - createNamespace: true - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - uninstall: - keepHistory: false - values: - defaultPodOptions: - nodeSelector: - intel.feature.node.kubernetes.io/gpu: "true" - controllers: - intel-gpu-exporter: - type: daemonset - containers: - app: - image: - repository: ghcr.io/onedr0p/intel-gpu-exporter - tag: rolling@sha256:5782b746f507149e7c3d5f7b19fe8d834fda854f117afcbdd21ecf822ef1ee02 - resources: - requests: - gpu.intel.com/i915_monitoring: 1 - cpu: 100m - memory: 100Mi - limits: - gpu.intel.com/i915_monitoring: 1 - memory: 500Mi - securityContext: - privileged: true - service: - app: - controller: *app - ports: - http: - port: 8080 - serviceMonitor: - app: - serviceName: app - enabled: true - endpoints: - - port: http - scheme: http - path: /metrics - interval: 1m - scrapeTimeout: 10s - relabelings: - - sourceLabels: [__meta_kubernetes_pod_node_name] - targetLabel: node diff --git a/kubernetes/apps/kube-system/intel-device-plugin/ks.yaml b/kubernetes/apps/kube-system/intel-device-plugin/ks.yaml index feacdae97..2bc6a4fb7 100644 --- a/kubernetes/apps/kube-system/intel-device-plugin/ks.yaml +++ b/kubernetes/apps/kube-system/intel-device-plugin/ks.yaml 
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -23,7 +23,7 @@ spec: substitute: APP: *app --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -46,27 +46,3 @@ spec: postBuild: substitute: APP: *app ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app intel-device-plugin-exporter - namespace: flux-system -spec: - targetNamespace: kube-system - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/kube-system/intel-device-plugin/exporter - prune: true - sourceRef: - kind: GitRepository - name: home-ops-kubernetes - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app diff --git a/kubernetes/apps/kube-system/k8s-ycl/ks.yaml b/kubernetes/apps/kube-system/k8s-ycl/ks.yaml index 9a15c5f98..076f52f57 100644 --- a/kubernetes/apps/kube-system/k8s-ycl/ks.yaml +++ b/kubernetes/apps/kube-system/k8s-ycl/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: 
diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml
new file mode 100644
index 000000000..ec58ba215
--- /dev/null
+++ b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helm-values.yaml
@@ -0,0 +1,8 @@
+---
+replicas: 1
+providerRegex: ^talos-\d$
+bypassDnsResolution: true
+metrics:
+ enable: true
+ serviceMonitor:
+ enabled: true
diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml
index e20bc2a06..f1c567dc7 100644
--- a/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml
+++ b/kubernetes/apps/kube-system/kubelet-csr-approver/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
 name: kubelet-csr-approver
- namespace: kube-system
 spec:
 interval: 30m
 chart:
@@ -15,18 +14,14 @@ spec:
 kind: HelmRepository
 name: postfinance
 namespace: flux-system
- maxHistory: 2
 install:
- createNamespace: true
 remediation:
 retries: 3
 upgrade:
 cleanupOnFail: true
 remediation:
+ strategy: rollback
 retries: 3
- uninstall:
- keepHistory: false
- values:
- providerRegex: ^talos-node-[1-9]$
- namespace: kube-system
- bypassDnsResolution: true
+ valuesFrom:
+ - kind: ConfigMap
+ name: kubelet-csr-approver-helm-values
diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml
index 1af0c2237..0a23fc432 100644
--- a/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml
+++ b/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomization.yaml
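Review bot: With `bypassDnsResolution: true`, `providerRegex: ^talos-\d$` is the only check tying a kubelet serving CSR to a legitimate node name, so the anchoring here is what does the work and any future node-naming change must be mirrored in the regex; note it also narrows the old `^talos-node-[1-9]$` to single-digit hostnames, which would exclude a tenth node. A comment on that line, e.g. `# sole node-identity check while DNS resolution is bypassed; keep anchored`, would preserve the intent. The unquoted `\d` survives YAML plain-scalar parsing unchanged, so no quoting is needed.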
@@ -2,6 +2,11 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: kube-system resources: - ./helmrelease.yaml +configMapGenerator: + - name: kubelet-csr-approver-helm-values + files: + - values.yaml=./helm-values.yaml +configurations: + - kustomizeconfig.yaml diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml new file mode 100644 index 000000000..58f92ba15 --- /dev/null +++ b/kubernetes/apps/kube-system/kubelet-csr-approver/app/kustomizeconfig.yaml @@ -0,0 +1,7 @@ +--- +nameReference: + - kind: ConfigMap + version: v1 + fieldSpecs: + - path: spec/valuesFrom/name + kind: HelmRelease diff --git a/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml b/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml index 78bc1c315..6001c8907 100644 --- a/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml +++ b/kubernetes/apps/kube-system/kubelet-csr-approver/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/kube-system/kustomization.yaml b/kubernetes/apps/kube-system/kustomization.yaml index 01f5f8157..35a649d45 100644 --- a/kubernetes/apps/kube-system/kustomization.yaml +++ b/kubernetes/apps/kube-system/kustomization.yaml 
@@ -7,10 +7,12 @@ resources:
 - ./namespace.yaml
 # Flux-Kustomizations
 - ./cilium/ks.yaml
+ - ./coredns/ks.yaml
 - ./descheduler/ks.yaml
 - ./external-secrets/ks.yaml
+ - ./fstrim/ks.yaml
 - ./intel-device-plugin/ks.yaml
- - ./k8s-ycl/ks.yaml
+ # - ./k8s-ycl/ks.yaml
 - ./kubelet-csr-approver/ks.yaml
 - ./metrics-server/ks.yaml
 - ./node-feature-discovery/ks.yaml
diff --git a/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml b/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml
index 17cf02e7c..59538154e 100644
--- a/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml
+++ b/kubernetes/apps/kube-system/metrics-server/app/helmrelease.yaml
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
 name: metrics-server
- namespace: kube-system
 spec:
 interval: 30m
 chart:
@@ -15,23 +14,21 @@ spec:
 kind: HelmRepository
 name: metrics-server
 namespace: flux-system
- maxHistory: 2
 install:
- createNamespace: true
 remediation:
 retries: 3
 upgrade:
 cleanupOnFail: true
 remediation:
+ strategy: rollback
 retries: 3
- uninstall:
- keepHistory: false
 values:
 args:
 - --kubelet-insecure-tls
 - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
 - --kubelet-use-node-status-port
- - --metric-resolution=15s
+ - --metric-resolution=10s
+ - --kubelet-request-timeout=2s
 metrics:
 enabled: true
 serviceMonitor:
diff --git a/kubernetes/apps/kube-system/metrics-server/ks.yaml b/kubernetes/apps/kube-system/metrics-server/ks.yaml
index aad6237c9..1aac4b5f6 100644
--- a/kubernetes/apps/kube-system/metrics-server/ks.yaml
+++ b/kubernetes/apps/kube-system/metrics-server/ks.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
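Review bot: `# - ./k8s-ycl/ks.yaml` leaves a commented-out resource with no reason; if this is temporary, say why and when it comes back (`# - ./k8s-ycl/ks.yaml  # disabled: <reason>`), otherwise delete the line and rely on git history. Removing the entry lets the parent Flux Kustomization prune the `k8s-ycl` Kustomization object, and whether its workloads are then garbage-collected depends on that object's own `prune` setting, which is not in this diff.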
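Review bot: The rewritten `args` list keeps `--kubelet-insecure-tls`, which disables verification of kubelet serving certificates, while this same commit deploys kubelet-csr-approver to sign exactly those certificates; if the approver is now issuing them, the flag can likely be dropped so metrics-server verifies the kubelets it scrapes, and if it must stay a comment saying why would help. The `--metric-resolution=10s` and `--kubelet-request-timeout=2s` changes look reasonable but carry no rationale either; a trailing comment on each would do. The `values` block continues past the hunk.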
diff --git a/kubernetes/apps/kube-system/namespace.yaml b/kubernetes/apps/kube-system/namespace.yaml index dfe4c0cf0..d5795a134 100644 --- a/kubernetes/apps/kube-system/namespace.yaml +++ b/kubernetes/apps/kube-system/namespace.yaml @@ -14,7 +14,7 @@ metadata: namespace: kube-system spec: type: alertmanager - address: http://kube-prometheus-stack-alertmanager.monitoring:9093/api/v2/alerts/ + address: http://kube-prometheus-stack-alertmanager.observability:9093/api/v2/alerts/ --- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json apiVersion: notification.toolkit.fluxcd.io/v1beta3 diff --git a/kubernetes/apps/kube-system/node-feature-discovery/ks.yaml b/kubernetes/apps/kube-system/node-feature-discovery/ks.yaml index 3b26351e2..32ef41328 100644 --- a/kubernetes/apps/kube-system/node-feature-discovery/ks.yaml +++ b/kubernetes/apps/kube-system/node-feature-discovery/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -23,7 +23,7 @@ spec: substitute: APP: *app --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/kube-system/reloader/ks.yaml b/kubernetes/apps/kube-system/reloader/ks.yaml index e498cd3de..4051935c5 100644 --- a/kubernetes/apps/kube-system/reloader/ks.yaml +++ b/kubernetes/apps/kube-system/reloader/ks.yaml 
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/kube-system/snapshot-controller/ks.yaml b/kubernetes/apps/kube-system/snapshot-controller/ks.yaml index 72946bb0e..5dad6a0f0 100644 --- a/kubernetes/apps/kube-system/snapshot-controller/ks.yaml +++ b/kubernetes/apps/kube-system/snapshot-controller/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/kube-system/spegel/app/helm-values.yaml b/kubernetes/apps/kube-system/spegel/app/helm-values.yaml new file mode 100644 index 000000000..47b5e6046 --- /dev/null +++ b/kubernetes/apps/kube-system/spegel/app/helm-values.yaml @@ -0,0 +1,12 @@ +--- +spegel: + appendMirrors: true + containerdSock: /run/containerd/containerd.sock + containerdRegistryConfigPath: /etc/cri/conf.d/hosts +service: + registry: + hostPort: 29999 +serviceMonitor: + enabled: true +grafanaDashboard: + enabled: true diff --git a/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml b/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml index 06d0ffc37..788a90d13 100644 --- a/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/spegel/app/helmrelease.yaml 
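Review bot: `service.registry.hostPort: 29999` in the new Spegel values exposes the registry mirror on every node's host network without authentication; that is how Spegel peers reach each other, but it also means any client that can reach a node IP on that port can fetch image layers cached on that node, so a comment such as `# hostPort: peer-to-peer mirror endpoint, reachable on the node network` documents the exposure. `containerdSock: /run/containerd/containerd.sock` gives the pod direct containerd access, which is expected for a mirror and deserves a one-line note for the same reason.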
@@ -3,38 +3,25 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: &name spegel - namespace: kube-system + name: spegel spec: interval: 30m chart: spec: - chart: *name + chart: spegel version: v0.0.28 sourceRef: kind: HelmRepository name: spegel namespace: flux-system - maxHistory: 2 install: - createNamespace: true remediation: retries: 3 upgrade: cleanupOnFail: true remediation: + strategy: rollback retries: 3 - uninstall: - keepHistory: false - values: - spegel: - appendMirrors: true - containerdSock: /run/containerd/containerd.sock - containerdRegistryConfigPath: /etc/cri/conf.d/hosts - service: - registry: - hostPort: 29999 - grafanaDashboard: - enabled: true - serviceMonitor: - enabled: true + valuesFrom: + - kind: ConfigMap + name: spegel-helm-values diff --git a/kubernetes/apps/kube-system/spegel/app/kustomization.yaml b/kubernetes/apps/kube-system/spegel/app/kustomization.yaml index 09bc749a9..28df38d19 100644 --- a/kubernetes/apps/kube-system/spegel/app/kustomization.yaml +++ b/kubernetes/apps/kube-system/spegel/app/kustomization.yaml @@ -4,3 +4,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helmrelease.yaml +configMapGenerator: + - name: spegel-helm-values + files: + - values.yaml=./helm-values.yaml +configurations: + - kustomizeconfig.yaml diff --git a/kubernetes/apps/kube-system/spegel/app/kustomizeconfig.yaml b/kubernetes/apps/kube-system/spegel/app/kustomizeconfig.yaml new file mode 100644 index 000000000..58f92ba15 --- /dev/null +++ b/kubernetes/apps/kube-system/spegel/app/kustomizeconfig.yaml @@ -0,0 +1,7 @@ +--- +nameReference: + - kind: ConfigMap + version: v1 + fieldSpecs: + - path: spec/valuesFrom/name + kind: HelmRelease diff --git a/kubernetes/apps/kube-system/spegel/ks.yaml b/kubernetes/apps/kube-system/spegel/ks.yaml index b17216e03..e9d76bb90 100644 --- a/kubernetes/apps/kube-system/spegel/ks.yaml +++ b/kubernetes/apps/kube-system/spegel/ks.yaml 
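Review bot: The HelmRelease no longer sets `metadata.namespace`, so its placement now depends on the app kustomization's `namespace:` field, which sits in lines 1-3 outside the `@@ -4,3 +4,9 @@` hunk — confirm it is set to kube-system there. The generated `spegel-helm-values` ConfigMap keeps the default name-suffix hash and the new kustomizeconfig.yaml rewrites `spec/valuesFrom/name` so the HelmRelease follows the renamed object; a one-line comment in kustomization.yaml such as `# no disableNameSuffixHash on purpose: a values change renames the ConfigMap and should drive a Helm upgrade` would make clear the omission is deliberate and not an oversight.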
@@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/kustomization.yaml b/kubernetes/apps/kustomization.yaml deleted file mode 100644 index ccf781a83..000000000 --- a/kubernetes/apps/kustomization.yaml +++ /dev/null @@ -1,18 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./actions-runner-system - - ./cert-manager - - ./database - - ./default - - ./flux-system - - ./kube-system - - ./kyverno - - ./monitoring - - ./ngnode - - ./openebs-system - - ./networking - - ./rook-ceph - - ./volsync diff --git a/kubernetes/apps/kyverno/namespace.yaml b/kubernetes/apps/kyverno/namespace.yaml index 70187e557..50493b522 100644 --- a/kubernetes/apps/kyverno/namespace.yaml +++ b/kubernetes/apps/kyverno/namespace.yaml @@ -15,7 +15,7 @@ metadata: namespace: kyverno spec: type: alertmanager - address: http://kube-prometheus-stack-alertmanager.monitoring:9093/api/v2/alerts/ + address: http://kube-prometheus-stack-alertmanager.observability:9093/api/v2/alerts/ --- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json apiVersion: notification.toolkit.fluxcd.io/v1beta3 diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml b/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml deleted file mode 100644 index 59dabad7d..000000000 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/ks.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app kube-prometheus-stack - namespace: flux-system -spec: - targetNamespace: monitoring - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: rook-ceph-cluster - - name: thanos - path: ./kubernetes/apps/monitoring/kube-prometheus-stack/app - prune: true - sourceRef: - kind: GitRepository - name: home-ops-kubernetes - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app - # renovate: datasource=docker depName=quay.io/thanos/thanos - THANOS_VERSION: v0.35.0 ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app kube-prometheus-rules - namespace: flux-system -spec: - targetNamespace: monitoring - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: kube-prometheus-stack - path: ./kubernetes/apps/monitoring/kube-prometheus-stack/rules - prune: true - sourceRef: - kind: GitRepository - name: home-ops-kubernetes - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml b/kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml new file mode 100644 index 000000000..72088bfe7 --- /dev/null +++ b/kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml 
@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/externaldns.k8s.io/dnsendpoint_v1alpha1.json
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+ name: cloudflared
+spec:
+ endpoints:
+ - dnsName: "external.${SECRET_EXTERNAL_DOMAIN}"
+ recordType: CNAME
+ targets: ["${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"]
diff --git a/kubernetes/apps/network/cloudflared/app/externalsecret.yaml b/kubernetes/apps/network/cloudflared/app/externalsecret.yaml
new file mode 100644
index 000000000..181b3cab6
--- /dev/null
+++ b/kubernetes/apps/network/cloudflared/app/externalsecret.yaml
@@ -0,0 +1,24 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: cloudflared-tunnel
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: cloudflared-tunnel-secret
+ template:
+ engineVersion: v2
+ data:
+ credentials.json: |
+ {
+ "AccountTag": "{{ .CLOUDFLARE_ACCOUNT_TAG }}",
+ "TunnelSecret": "{{ .CLOUDFLARE_TUNNEL_SECRET }}",
+ "TunnelID": "{{ .CLOUDFLARE_TUNNEL_ID }}"
+ }
+ dataFrom:
+ - extract:
+ key: cloudflare
diff --git a/kubernetes/apps/network/cloudflared/app/helmrelease.yaml b/kubernetes/apps/network/cloudflared/app/helmrelease.yaml
new file mode 100644
index 000000000..cd6848a66
--- /dev/null
+++ b/kubernetes/apps/network/cloudflared/app/helmrelease.yaml
@@ -0,0 +1,110 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: cloudflared +spec: + interval: 30m + chart: + spec: + chart: app-template + version: 3.6.0 + sourceRef: + kind: HelmRepository + name: bjw-s + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + dependsOn: + - name: nginx-external + namespace: network + values: + controllers: + cloudflared: + replicas: 2 + strategy: RollingUpdate + annotations: + reloader.stakater.com/auto: "true" + containers: + app: + image: + repository: docker.io/cloudflare/cloudflared + tag: 2024.12.2@sha256:cb38f3f30910a7d51545118a179b8516eb7066eac61855d62ce6ed733c54ce70 + env: + NO_AUTOUPDATE: true + TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json + TUNNEL_METRICS: 0.0.0.0:8080 + TUNNEL_ORIGIN_ENABLE_HTTP2: true + TUNNEL_TRANSPORT_PROTOCOL: quic + TUNNEL_POST_QUANTUM: true + args: + - tunnel + - --config + - /etc/cloudflared/config/config.yaml + - run + - ${SECRET_CLOUDFLARE_TUNNEL_ID} + probes: + liveness: &probes + enabled: true + custom: true + spec: + httpGet: + path: /ready + port: &port 8080 + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + readiness: *probes + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: { drop: ["ALL"] } + resources: + requests: + cpu: 10m + limits: + memory: 256Mi + defaultPodOptions: + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + seccompProfile: { type: RuntimeDefault } + service: + app: + controller: cloudflared + ports: + http: + port: *port + serviceMonitor: + app: + serviceName: cloudflared + endpoints: + - port: http + scheme: http + path: /metrics + interval: 1m + scrapeTimeout: 10s + 
persistence: + config: + type: configMap + name: cloudflared-configmap + globalMounts: + - path: /etc/cloudflared/config/config.yaml + subPath: config.yaml + readOnly: true + creds: + type: secret + name: cloudflared-tunnel-secret + globalMounts: + - path: /etc/cloudflared/creds/credentials.json + subPath: credentials.json + readOnly: true diff --git a/kubernetes/apps/default/windmill/app/kustomization.yaml b/kubernetes/apps/network/cloudflared/app/kustomization.yaml similarity index 60% rename from kubernetes/apps/default/windmill/app/kustomization.yaml rename to kubernetes/apps/network/cloudflared/app/kustomization.yaml index 5d1046c35..86de1bda9 100644 --- a/kubernetes/apps/default/windmill/app/kustomization.yaml +++ b/kubernetes/apps/network/cloudflared/app/kustomization.yaml @@ -2,16 +2,13 @@ # yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: default resources: - ./externalsecret.yaml + - ./dnsendpoint.yaml - ./helmrelease.yaml - - ../../../../templates/gatus/guarded configMapGenerator: - - name: windmill-grants + - name: cloudflared-configmap files: - - ./scripts/grants.sh + - config.yaml=./resources/config.yaml generatorOptions: disableNameSuffixHash: true - annotations: - kustomize.toolkit.fluxcd.io/substitute: disabled diff --git a/kubernetes/apps/network/cloudflared/app/resources/config.yaml b/kubernetes/apps/network/cloudflared/app/resources/config.yaml new file mode 100644 index 000000000..5aaa8586e --- /dev/null +++ b/kubernetes/apps/network/cloudflared/app/resources/config.yaml @@ -0,0 +1,10 @@ +--- +originRequest: + originServerName: external.${SECRET_EXTERNAL_DOMAIN} + +ingress: + - hostname: "${SECRET_EXTERNAL_DOMAIN}" + service: https://nginx-external-controller.network.svc.cluster.local:443 + - hostname: "*.${SECRET_EXTERNAL_DOMAIN}" + service: https://nginx-external-controller.network.svc.cluster.local:443 + - service: http_status:404 
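Review bot: `creds` and `config` are mounted with `subPath`, and Kubernetes does not propagate Secret/ConfigMap updates into subPath mounts, so a rotated tunnel credential only reaches the container through the `reloader.stakater.com/auto: "true"` restart set on the controller near the top of the hunk (L170). That coupling is easy to break in a later edit and deserves a comment beside the persistence block, e.g. `# subPath mounts never refresh in place; the reloader annotation on the controller restarts pods when the Secret/ConfigMap changes`. The readiness probe and `TUNNEL_METRICS: 0.0.0.0:8080` share one port that is also exposed through the `http` Service port; if the ServiceMonitor is its only intended consumer, note that so the port is not later assumed to be internal-only.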
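Review bot: `originServerName: external.${SECRET_EXTERNAL_DOMAIN}` with an `https://` service and no `noTLSVerify` means cloudflared validates the nginx-external certificate against that name, so the certificate behind nginx's `default-ssl-certificate` (`${SECRET_EXTERNAL_DOMAIN//./-}-tls`, whose dnsNames are not in this view) must carry `external.${SECRET_EXTERNAL_DOMAIN}` as a SAN or tunnel requests fail at the origin. That verification is the right thing to keep — it is what prevents an in-cluster impostor from answering for the tunnel — but it needs a comment so nobody "fixes" a 502 by disabling it: `# origin TLS is verified against this name; the nginx default certificate must include it`. The trailing `http_status:404` catch-all is correctly last, so unmatched hostnames never reach nginx.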
diff --git a/kubernetes/apps/network/cloudflared/ks.yaml b/kubernetes/apps/network/cloudflared/ks.yaml
new file mode 100644
index 000000000..b4169c804
--- /dev/null
+++ b/kubernetes/apps/network/cloudflared/ks.yaml
@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app cloudflared
+ namespace: flux-system
+spec:
+ targetNamespace: network
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: external-dns-cloudflare
+ - name: external-secrets-stores
+ path: ./kubernetes/apps/network/cloudflared/app
+ prune: false
+ sourceRef:
+ kind: GitRepository
+ name: home-ops-kubernetes
+ wait: false
+ interval: 30m
+ timeout: 5m
+ postBuild:
+ substitute:
+ APP: *app
diff --git a/kubernetes/apps/network/external-dns/cloudflare/externalsecret.yaml b/kubernetes/apps/network/external-dns/cloudflare/externalsecret.yaml
new file mode 100644
index 000000000..eb651842b
--- /dev/null
+++ b/kubernetes/apps/network/external-dns/cloudflare/externalsecret.yaml
@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: external-dns
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-connect
+ target:
+ name: external-dns-cloudflare-secret
+ template:
+ engineVersion: v2
+ data:
+ CF_API_TOKEN: "{{ .CLOUDFLARE_TOKEN }}"
+ dataFrom:
+ - extract:
+ key: cloudflare
diff --git a/kubernetes/apps/network/external-dns/cloudflare/helmrelease.yaml b/kubernetes/apps/network/external-dns/cloudflare/helmrelease.yaml
new file mode 100644
index 000000000..74d72ec8f
--- /dev/null
+++ b/kubernetes/apps/network/external-dns/cloudflare/helmrelease.yaml
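Review bot: `prune: false` makes this the only Flux Kustomization in the change that keeps orphaned objects — external-dns (L174), k8s-gateway (L176) and the three nginx ones (L183) all use `prune: true` — and it also drops the `retryInterval: 1m` those carry. If the intent is to avoid tearing down the DNSEndpoint and tunnel-credential ExternalSecret on a transient reconcile problem, say so in place: `# prune disabled on purpose: pruning the DNSEndpoint/ExternalSecret would drop external access — TODO revisit`; otherwise aligning with the siblings avoids leaving the credential Secret behind when the app is removed.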
@@ -0,0 +1,53 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app external-dns-cloudflare +spec: + interval: 30m + chart: + spec: + chart: external-dns + version: 1.15.0 + sourceRef: + kind: HelmRepository + name: external-dns + namespace: flux-system + install: + crds: CreateReplace + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + crds: CreateReplace + remediation: + strategy: rollback + retries: 3 + values: + fullnameOverride: *app + provider: + name: cloudflare + env: + - name: &name CF_API_TOKEN + valueFrom: + secretKeyRef: + name: &secret external-dns-cloudflare-secret + key: *name + extraArgs: + - --cloudflare-dns-records-per-page=1000 + - --cloudflare-proxied + - --crd-source-apiversion=externaldns.k8s.io/v1alpha1 + - --crd-source-kind=DNSEndpoint + - --ignore-ingress-tls-spec + - --ingress-class=external + triggerLoopOnEvent: true + policy: sync + sources: [crd, ingress] + txtOwnerId: default + txtPrefix: k8s. + domainFilters: ["${SECRET_EXTERNAL_DOMAIN}"] + serviceMonitor: + enabled: true + podAnnotations: + secret.reloader.stakater.com/reload: *secret diff --git a/kubernetes/apps/networking/external-dns/app/kustomization.yaml b/kubernetes/apps/network/external-dns/cloudflare/kustomization.yaml similarity index 92% rename from kubernetes/apps/networking/external-dns/app/kustomization.yaml rename to kubernetes/apps/network/external-dns/cloudflare/kustomization.yaml index be03d2ded..d6adbe135 100644 --- a/kubernetes/apps/networking/external-dns/app/kustomization.yaml +++ b/kubernetes/apps/network/external-dns/cloudflare/kustomization.yaml 
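Review bot: `policy: sync` lets this deployment delete Cloudflare records, and the only thing confining that to its own records is the `txtOwnerId: default` / `txtPrefix: k8s.` ownership pair, which nothing in the hunk explains; a comment such as `# sync may delete records; TXT ownership (k8s.* prefix, owner "default") confines it to records created by this instance` would stop a later edit from changing those values casually. The API token's required scope is also undocumented — the ExternalSecret in the previous hunk only maps `CLOUDFLARE_TOKEN` — and a note that it should be a zone-scoped DNS:Edit token for `${SECRET_EXTERNAL_DOMAIN}` rather than an account-wide one would help (TODO confirm against the stored item). `--cloudflare-proxied` applies to every record this instance creates, including the DNSEndpoint CNAMEs; presumably intended since the targets are tunnel hostnames, but worth one line saying so.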
@@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: networking resources: - ./externalsecret.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/networking/external-dns/ks.yaml b/kubernetes/apps/network/external-dns/ks.yaml similarity index 62% rename from kubernetes/apps/networking/external-dns/ks.yaml rename to kubernetes/apps/network/external-dns/ks.yaml index 975e45f13..79980a196 100644 --- a/kubernetes/apps/networking/external-dns/ks.yaml +++ b/kubernetes/apps/network/external-dns/ks.yaml @@ -1,16 +1,16 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: &app external-dns + name: &app external-dns-cloudflare namespace: flux-system spec: - targetNamespace: networking + targetNamespace: network commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/apps/networking/external-dns/app + path: ./kubernetes/apps/network/external-dns/cloudflare prune: true sourceRef: kind: GitRepository diff --git a/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml b/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml new file mode 100644 index 000000000..aa47ee9db --- /dev/null +++ b/kubernetes/apps/network/k8s-gateway/app/helmrelease.yaml 
@@ -0,0 +1,34 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: k8s-gateway +spec: + interval: 30m + chart: + spec: + chart: k8s-gateway + version: 2.4.0 + sourceRef: + kind: HelmRepository + name: k8s-gateway + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + fullnameOverride: k8s-gateway + domain: "${SECRET_EXTERNAL_DOMAIN}" + ttl: 1 + service: + type: LoadBalancer + port: 53 + annotations: + lbipam.cilium.io/ips: ${CLUSTER_LB_K8SGATEWAY} + externalTrafficPolicy: Local + watchedResources: ["Ingress", "Service"] diff --git a/kubernetes/apps/kube-system/intel-device-plugin/exporter/kustomization.yaml b/kubernetes/apps/network/k8s-gateway/app/kustomization.yaml similarity index 91% rename from kubernetes/apps/kube-system/intel-device-plugin/exporter/kustomization.yaml rename to kubernetes/apps/network/k8s-gateway/app/kustomization.yaml index 1af0c2237..b27f49367 100644 --- a/kubernetes/apps/kube-system/intel-device-plugin/exporter/kustomization.yaml +++ b/kubernetes/apps/network/k8s-gateway/app/kustomization.yaml @@ -2,6 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: kube-system +namespace: network resources: - ./helmrelease.yaml diff --git a/kubernetes/apps/networking/k8s-gateway/ks.yaml b/kubernetes/apps/network/k8s-gateway/ks.yaml similarity index 64% rename from kubernetes/apps/networking/k8s-gateway/ks.yaml rename to kubernetes/apps/network/k8s-gateway/ks.yaml index d24ffb197..67601e428 100644 --- a/kubernetes/apps/networking/k8s-gateway/ks.yaml +++ b/kubernetes/apps/network/k8s-gateway/ks.yaml 
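Review bot: `watchedResources: ["Ingress", "Service"]` with `domain: "${SECRET_EXTERNAL_DOMAIN}"` publishes a LAN-resolvable name for every Ingress and every exposed Service under the same zone Cloudflare serves publicly; the split-horizon intent is inferred and should be stated, e.g. `# LAN resolver for the public zone: answers with in-cluster LB IPs so internal clients bypass the tunnel`. `upgrade.remediation` omits `strategy: rollback` while cloudflared (L170) and external-dns (L173) set it; adding it keeps the three HelmReleases consistent. Port 53 is exposed with `externalTrafficPolicy: Local` on `${CLUSTER_LB_K8SGATEWAY}`, so source addresses are preserved for logging — worth noting, since that is the only record of who queried.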
@@ -1,16 +1,16 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: &app k8s-gateway namespace: flux-system spec: - targetNamespace: networking + targetNamespace: network commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/apps/networking/k8s-gateway/app + path: ./kubernetes/apps/network/k8s-gateway/app prune: true sourceRef: kind: GitRepository diff --git a/kubernetes/apps/networking/kustomization.yaml b/kubernetes/apps/network/kustomization.yaml similarity index 88% rename from kubernetes/apps/networking/kustomization.yaml rename to kubernetes/apps/network/kustomization.yaml index 6887a3a81..b64f343fb 100644 --- a/kubernetes/apps/networking/kustomization.yaml +++ b/kubernetes/apps/network/kustomization.yaml @@ -6,6 +6,7 @@ resources: # Pre Flux-Kustomizations - ./namespace.yaml # Flux-Kustomizations + - ./cloudflared/ks.yaml - ./external-dns/ks.yaml - - ./ingress-nginx/ks.yaml + - ./nginx/ks.yaml - ./k8s-gateway/ks.yaml diff --git a/kubernetes/apps/networking/namespace.yaml b/kubernetes/apps/network/namespace.yaml similarity index 85% rename from kubernetes/apps/networking/namespace.yaml rename to kubernetes/apps/network/namespace.yaml index 69b2a226a..f4b75a40f 100644 --- a/kubernetes/apps/networking/namespace.yaml +++ b/kubernetes/apps/network/namespace.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Namespace metadata: - name: networking + name: network labels: kustomize.toolkit.fluxcd.io/prune: disabled --- 
@@ -11,17 +11,17 @@ apiVersion: notification.toolkit.fluxcd.io/v1beta3 kind: Provider metadata: name: alert-manager - namespace: networking + namespace: network spec: type: alertmanager - address: http://kube-prometheus-stack-alertmanager.monitoring:9093/api/v2/alerts/ + address: http://kube-prometheus-stack-alertmanager.observability:9093/api/v2/alerts/ --- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json apiVersion: notification.toolkit.fluxcd.io/v1beta3 kind: Alert metadata: name: alert-manager - namespace: networking + namespace: network spec: providerRef: name: alert-manager diff --git a/kubernetes/apps/networking/ingress-nginx/certificates/certificates.yaml b/kubernetes/apps/network/nginx/certificates/certificates.yaml similarity index 93% rename from kubernetes/apps/networking/ingress-nginx/certificates/certificates.yaml rename to kubernetes/apps/network/nginx/certificates/certificates.yaml index 2f18e4bf7..38d396322 100644 --- a/kubernetes/apps/networking/ingress-nginx/certificates/certificates.yaml +++ b/kubernetes/apps/network/nginx/certificates/certificates.yaml @@ -3,7 +3,7 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: ${SECRET_EXTERNAL_DOMAIN//./-} - namespace: networking + namespace: network spec: secretName: ${SECRET_EXTERNAL_DOMAIN//./-}-tls issuerRef: diff --git a/kubernetes/apps/networking/ingress-nginx/certificates/kustomization.yaml b/kubernetes/apps/network/nginx/certificates/kustomization.yaml similarity index 100% rename from kubernetes/apps/networking/ingress-nginx/certificates/kustomization.yaml rename to kubernetes/apps/network/nginx/certificates/kustomization.yaml diff --git a/kubernetes/apps/network/nginx/external/helmrelease.yaml b/kubernetes/apps/network/nginx/external/helmrelease.yaml new file mode 100644 index 000000000..ad33975d7 --- /dev/null +++ b/kubernetes/apps/network/nginx/external/helmrelease.yaml 
@@ -0,0 +1,101 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: nginx-external +spec: + interval: 30m + chart: + spec: + chart: ingress-nginx + version: 4.12.0 + sourceRef: + kind: HelmRepository + name: ingress-nginx + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + fullnameOverride: nginx-external + controller: + service: + annotations: + external-dns.alpha.kubernetes.io/hostname: &hostname "external.${SECRET_EXTERNAL_DOMAIN}" + lbipam.cilium.io/ips: ${CLUSTER_LB_NGINX_EXTERNAL} + externalTrafficPolicy: Local + ingressClassResource: + name: external + default: false + controllerValue: k8s.io/external + admissionWebhooks: + objectSelector: + matchExpressions: + - key: ingress-class + operator: In + values: [external] + config: + # allow-snippet-annotations: true + annotations-risk-level: Critical + block-user-agents: AdsBot-Google,Amazonbot,anthropic-ai,Applebot-Extended,Bytespider,CCBot,ChatGPT-User,ClaudeBot,Claude-Web,cohere-ai,Diffbot,FacebookBot,FriendlyCrawler,Google-Extended,GoogleOther,GPTBot,img2dataset,omgili,omgilibot,peer39_crawler,peer39_crawler/1.0,PerplexityBot,YouBot, # taken from https://github.com/ai-robots-txt/ai.robots.txt + client-body-buffer-size: 100M + client-body-timeout: 120 + client-header-timeout: 120 + custom-http-errors: 400,403,404,500,501,502,503,504 + enable-brotli: "true" + enable-ocsp: "true" + enable-real-ip: "true" + force-ssl-redirect: "true" + hide-headers: Server,X-Powered-By + hsts-max-age: 31449600 + keep-alive-requests: 10000 + keep-alive: 120 + log-format-escape-json: "true" + log-format-upstream: > + {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", + "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": 
$bytes_sent, "request_time": $request_time, + "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", + "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", + "http_user_agent": "$http_user_agent"} + proxy-body-size: 0 + proxy-buffer-size: 16k + ssl-protocols: TLSv1.3 TLSv1.2 + use-forwarded-headers: "true" + metrics: + enabled: true + serviceMonitor: + enabled: true + namespaceSelector: + any: true + extraArgs: + default-ssl-certificate: |- + network/${SECRET_EXTERNAL_DOMAIN//./-}-tls + publish-status-address: *hostname + terminationGracePeriodSeconds: 120 + publishService: + enabled: false + resources: + requests: + cpu: 100m + limits: + memory: 500Mi + defaultBackend: + enabled: true + image: + repository: ghcr.io/tarampampam/error-pages + tag: 3.3.1@sha256:8aa49143d301a8e43fb38578a21450567169c32068db7c43a05a67ac9f9283c8 + pullPolicy: IfNotPresent + extraEnvs: + - name: TEMPLATE_NAME + value: connection + - name: SHOW_DETAILS + value: "true" + - name: READ_BUFFER_SIZE + value: "8192" + - name: SEND_SAME_HTTP_CODE + value: "true" diff --git a/kubernetes/apps/networking/ingress-nginx/app/kustomization.yaml b/kubernetes/apps/network/nginx/external/kustomization.yaml similarity index 86% rename from kubernetes/apps/networking/ingress-nginx/app/kustomization.yaml rename to kubernetes/apps/network/nginx/external/kustomization.yaml index 32b294662..b27f49367 100644 --- a/kubernetes/apps/networking/ingress-nginx/app/kustomization.yaml +++ b/kubernetes/apps/network/nginx/external/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: networking +namespace: network resources: - - ./dashboard - ./helmrelease.yaml 
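Review bot: `log-format-upstream` records `"remote_addr": "$proxy_protocol_addr"`, but neither controller enables `use-proxy-protocol`, so that field will be empty on every access-log line and the only client-address evidence left is `x_forwarded_for`; use `$remote_addr` there, or enable proxy protocol on the LB, so incident review has a trustworthy source address — the internal helmrelease (L181-L182) carries the same format. On the external controller `use-forwarded-headers: "true"` plus `enable-real-ip: "true"` accepts X-Forwarded-For from whoever reaches the pod; that is correct for traffic arriving via cloudflared, but the controller also has a LoadBalancer address (`${CLUSTER_LB_NGINX_EXTERNAL}`), so if anything other than cloudflared can reach it, set `proxy-real-ip-cidr` to the cloudflared source range instead of the default 0.0.0.0/0 — confirm the LB's reachability. `annotations-risk-level: Critical` (both controllers) widens which Ingress annotations are honoured beyond what I recall as this release's default (High); snippets stay off while `allow-snippet-annotations` is commented out, but a comment naming the Critical-risk annotation that needs this would justify keeping it.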
diff --git a/kubernetes/apps/network/nginx/internal/helmrelease.yaml b/kubernetes/apps/network/nginx/internal/helmrelease.yaml new file mode 100644 index 000000000..5bc407a60 --- /dev/null +++ b/kubernetes/apps/network/nginx/internal/helmrelease.yaml 
@@ -0,0 +1,100 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: nginx-internal +spec: + interval: 30m + chart: + spec: + chart: ingress-nginx + version: 4.12.0 + sourceRef: + kind: HelmRepository + name: ingress-nginx + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + fullnameOverride: nginx-internal + controller: + service: + annotations: + external-dns.alpha.kubernetes.io/hostname: &hostname "internal.${SECRET_EXTERNAL_DOMAIN}" + lbipam.cilium.io/ips: ${CLUSTER_LB_NGINX_INTERNAL} + externalTrafficPolicy: Local + ingressClassResource: + name: internal + default: false + controllerValue: k8s.io/internal + admissionWebhooks: + objectSelector: + matchExpressions: + - key: ingress-class + operator: In + values: [internal] + config: + # allow-snippet-annotations: true + annotations-risk-level: Critical + block-user-agents: AdsBot-Google,Amazonbot,anthropic-ai,Applebot-Extended,Bytespider,CCBot,ChatGPT-User,ClaudeBot,Claude-Web,cohere-ai,Diffbot,FacebookBot,FriendlyCrawler,Google-Extended,GoogleOther,GPTBot,img2dataset,omgili,omgilibot,peer39_crawler,peer39_crawler/1.0,PerplexityBot,YouBot, # taken from https://github.com/ai-robots-txt/ai.robots.txt + client-body-buffer-size: 100M + client-body-timeout: 120 + client-header-timeout: 120 + custom-http-errors: 400,403,404,500,501,502,503,504 + enable-brotli: "true" + enable-ocsp: "true" + enable-real-ip: "true" + force-ssl-redirect: "true" + hide-headers: Server,X-Powered-By + hsts-max-age: 31449600 + keep-alive-requests: 10000 + keep-alive: 120 + log-format-escape-json: "true" + log-format-upstream: > + {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", + "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": 
$bytes_sent, "request_time": $request_time, + "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", + "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", + "http_user_agent": "$http_user_agent"} + proxy-body-size: 0 + proxy-buffer-size: 16k + ssl-protocols: TLSv1.3 TLSv1.2 + metrics: + enabled: true + serviceMonitor: + enabled: true + namespaceSelector: + any: true + extraArgs: + default-ssl-certificate: |- + network/${SECRET_EXTERNAL_DOMAIN//./-}-tls + publish-status-address: *hostname + terminationGracePeriodSeconds: 120 + publishService: + enabled: false + resources: + requests: + cpu: 100m + limits: + memory: 500Mi + defaultBackend: + enabled: true + image: + repository: ghcr.io/tarampampam/error-pages + tag: 3.3.1@sha256:8aa49143d301a8e43fb38578a21450567169c32068db7c43a05a67ac9f9283c8 + pullPolicy: IfNotPresent + extraEnvs: + - name: TEMPLATE_NAME + value: connection + - name: SHOW_DETAILS + value: "true" + - name: READ_BUFFER_SIZE + value: "8192" + - name: SEND_SAME_HTTP_CODE + value: "true" diff --git a/kubernetes/apps/network/nginx/internal/kustomization.yaml b/kubernetes/apps/network/nginx/internal/kustomization.yaml new file mode 100644 index 000000000..b27f49367 --- /dev/null +++ b/kubernetes/apps/network/nginx/internal/kustomization.yaml @@ -0,0 +1,7 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: network +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/network/nginx/ks.yaml b/kubernetes/apps/network/nginx/ks.yaml new file mode 100644 index 000000000..eb0fb7137 --- /dev/null +++ b/kubernetes/apps/network/nginx/ks.yaml 
@@ -0,0 +1,78 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app nginx-certificates + namespace: flux-system +spec: + targetNamespace: network + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: cert-manager-issuers + path: ./kubernetes/apps/network/nginx/certificates + prune: true + sourceRef: + kind: GitRepository + name: home-ops-kubernetes + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m + postBuild: + substitute: + APP: *app +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app nginx-external + namespace: flux-system +spec: + targetNamespace: network + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: nginx-certificates + path: ./kubernetes/apps/network/nginx/external + prune: true + sourceRef: + kind: GitRepository + name: home-ops-kubernetes + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m + postBuild: + substitute: + APP: *app +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app nginx-internal + namespace: flux-system +spec: + targetNamespace: network + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: nginx-certificates + path: ./kubernetes/apps/network/nginx/internal + prune: true + sourceRef: + kind: GitRepository + name: home-ops-kubernetes + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m + postBuild: + substitute: + APP: *app 
diff --git a/kubernetes/apps/networking/external-dns/app/helmrelease.yaml b/kubernetes/apps/networking/external-dns/app/helmrelease.yaml deleted file mode 100644 index 8b248d28e..000000000 --- a/kubernetes/apps/networking/external-dns/app/helmrelease.yaml +++ /dev/null @@ -1,66 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: external-dns - namespace: networking -spec: - interval: 30m - chart: - spec: - chart: external-dns - version: 1.15.0 - sourceRef: - kind: HelmRepository - name: external-dns - namespace: flux-system - maxHistory: 2 - install: - createNamespace: true - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - uninstall: - keepHistory: false - values: - podAnnotations: - reloader.stakater.com/auto: "true" - interval: 2m - logLevel: debug - provider: ovh - env: - - name: OVH_APPLICATION_KEY - valueFrom: - secretKeyRef: - name: external-dns-secret - key: OVH_APPLICATION_KEY - - name: OVH_APPLICATION_SECRET - valueFrom: - secretKeyRef: - name: external-dns-secret - key: OVH_APPLICATION_SECRET - - name: OVH_CONSUMER_KEY - valueFrom: - secretKeyRef: - name: external-dns-secret - key: OVH_CONSUMER_KEY - extraArgs: - - --annotation-filter=external-dns.alpha.kubernetes.io/enabled in (true) - policy: sync - sources: - - ingress - txtOwnerId: default - domainFilters: - - "${SECRET_DOMAIN}" - serviceMonitor: - enabled: true - resources: - requests: - memory: 100Mi - cpu: 25m - limits: - memory: 250Mi diff --git a/kubernetes/apps/networking/ingress-nginx/app/dashboard/kustomization.yaml b/kubernetes/apps/networking/ingress-nginx/app/dashboard/kustomization.yaml deleted file mode 100644 index cd45b263b..000000000 --- a/kubernetes/apps/networking/ingress-nginx/app/dashboard/kustomization.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: networking -configMapGenerator: - - name: nginx-dashboard - files: - - nginx-dashboard.json=https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json - - name: nginx-request-handling-performance-dashboard - files: - - nginx-request-handling-performance-dashboard.json=https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/request-handling-performance.json -generatorOptions: - disableNameSuffixHash: true - annotations: - kustomize.toolkit.fluxcd.io/substitute: disabled - labels: - grafana_dashboard: "true" diff --git a/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml b/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml deleted file mode 100644 index 75f542b7f..000000000 --- a/kubernetes/apps/networking/ingress-nginx/app/helmrelease.yaml +++ /dev/null 
@@ -1,147 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: ingress-nginx - namespace: networking -spec: - interval: 30m - chart: - spec: - chart: ingress-nginx - version: 4.12.0 - sourceRef: - kind: HelmRepository - name: ingress-nginx - namespace: flux-system - maxHistory: 2 - install: - createNamespace: true - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - uninstall: - keepHistory: false - values: - controller: - replicaCount: 2 - service: - type: LoadBalancer - loadBalancerIP: 192.168.169.101 - externalTrafficPolicy: Local - publishService: - enabled: true - ingressClassResource: - default: true - allowSnippetAnnotations: true - config: - client-body-buffer-size: "100M" - client-body-timeout: 120 - client-header-timeout: 120 - # custom-http-errors: 400,403,404,500,501,502,503,504 - enable-brotli: "true" - enable-real-ip: "true" - hsts-max-age: "31449600" - keep-alive-requests: 10000 - keep-alive: 120 - proxy-body-size: "100M" - proxy-buffering: "off" - proxy-read-timeout: "6000" - proxy-send-timeout: "6000" - # proxy-buffer-size: "16k" - ssl-protocols: "TLSv1.3 TLSv1.2" - use-forwarded-headers: "true" - # crowdsec bouncer - # plugins: "crowdsec" - # lua-shared-dicts: "crowdsec_cache: 50m" - metrics: - enabled: true - serviceMonitor: - enabled: true - namespace: default - namespaceSelector: - any: true - extraArgs: - default-ssl-certificate: |- - networking/${SECRET_EXTERNAL_DOMAIN//./-}-tls - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/component: controller - # crowdsec bouncer - # extraVolumes: - # - name: crowdsec-bouncer-plugin - # emptyDir: {} - # extraInitContainers: - # - name: 
init-clone-crowdsec-bouncer - # image: crowdsecurity/lua-bouncer-plugin - # tag: v0.1.11 - # imagePullPolicy: IfNotPresent - # env: - # - name: API_URL - # value: "http://crowdsec-service.crowdsec.svc.cluster.local:8080" - # - name: API_KEY - # value: "${SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY}" - # - name: DISABLE_RUN - # value: "true" - # - name: BOUNCER_CONFIG - # value: "/crowdsec/crowdsec-bouncer.conf" - # command: - # - "/bin/sh" - # - "-c" - # - | - # #!/bin/sh - - # sh /docker_start.sh - # mkdir -p /lua_plugins/crowdsec/ - # cp -pr /crowdsec/* /lua_plugins/crowdsec/ - # volumeMounts: - # - name: crowdsec-bouncer-plugin - # mountPath: /lua_plugins - # extraVolumeMounts: - # - name: crowdsec-bouncer-plugin - # mountPath: /etc/nginx/lua/plugins/crowdsec - # subPath: crowdsec - # resources: - # requests: - # memory: 400Mi - # cpu: 25m - # limits: - # memory: 1Gi - defaultBackend: - enabled: false - image: - repository: ghcr.io/tarampampam/error-pages - tag: 3.3.1@sha256:8aa49143d301a8e43fb38578a21450567169c32068db7c43a05a67ac9f9283c8 - pullPolicy: IfNotPresent - extraEnvs: - - name: TEMPLATE_NAME - value: connection - - name: SHOW_DETAILS - value: "true" - - name: READ_BUFFER_SIZE - value: "8192" - - name: SEND_SAME_HTTP_CODE - value: "true" - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: app.kubernetes.io/name - operator: In - values: ["ingress-nginx"] - - key: app.kubernetes.io/component - operator: In - values: ["default-backend"] - topologyKey: kubernetes.io/hostname diff --git a/kubernetes/apps/networking/ingress-nginx/ks.yaml b/kubernetes/apps/networking/ingress-nginx/ks.yaml deleted file mode 100644 index 7222ba076..000000000 --- a/kubernetes/apps/networking/ingress-nginx/ks.yaml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: ingress-nginx-certificates - namespace: flux-system -spec: - targetNamespace: networking - commonMetadata: - labels: - app.kubernetes.io/name: &app ingress-nginx - dependsOn: - - name: cert-manager-webhook-ovh - path: ./kubernetes/apps/networking/ingress-nginx/certificates - prune: true - sourceRef: - kind: GitRepository - name: home-ops-kubernetes - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app ingress-nginx - namespace: flux-system -spec: - targetNamespace: networking - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: ingress-nginx-certificates - path: ./kubernetes/apps/networking/ingress-nginx/app - prune: true - sourceRef: - kind: GitRepository - name: home-ops-kubernetes - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - postBuild: - substitute: - APP: *app diff --git a/kubernetes/apps/networking/k8s-gateway/app/Corefile b/kubernetes/apps/networking/k8s-gateway/app/Corefile deleted file mode 100644 index 5815da1d5..000000000 --- a/kubernetes/apps/networking/k8s-gateway/app/Corefile +++ /dev/null @@ -1,17 +0,0 @@ -.:1053 { - errors - log - health { - lameduck 5s - } - ready - k8s_gateway ${SECRET_EXTERNAL_DOMAIN} { - apex k8s-gateway.network - resources Ingress Service - ttl 300 - } - prometheus 0.0.0.0:9153 - loop - reload - loadbalance -} 
diff --git a/kubernetes/apps/networking/k8s-gateway/app/helmrelease.yaml b/kubernetes/apps/networking/k8s-gateway/app/helmrelease.yaml deleted file mode 100644 index 82402ad76..000000000 --- a/kubernetes/apps/networking/k8s-gateway/app/helmrelease.yaml +++ /dev/null 
@@ -1,104 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: &app k8s-gateway - namespace: networking -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 3.6.0 - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - maxHistory: 2 - install: - createNamespace: true - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - strategy: rollback - retries: 3 - uninstall: - keepHistory: false - values: - defaultPodOptions: - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - app.kubernetes.io/name: *app - controllers: - k8s-gateway: - replicas: 2 - strategy: RollingUpdate - annotations: - reloader.stakater.com/auto: "true" - containers: - app: - image: - repository: quay.io/oriedge/k8s_gateway - tag: v0.4.0@sha256:7bdbd447c0244b8f89de9cd6f4826ed0ac66c9406fac3a4ac80081020c251c6b - args: ["-conf", "/etc/coredns/Corefile"] - probes: - readiness: - custom: true - spec: - httpGet: - path: /ready - port: 8181 - liveness: - custom: true - spec: - httpGet: - path: /health - port: 8080 - startup: - enabled: false - service: - app: - controller: *app - type: LoadBalancer - loadBalancerIP: 192.168.169.100 - externalTrafficPolicy: Local - ports: - http: - enabled: false - port: 8080 - metrics: - enabled: true - port: 9153 - dns: - enabled: true - port: 53 - targetPort: 1053 - protocol: UDP - serviceMonitor: - app: - serviceName: *app - enabled: true - endpoints: - - port: metrics - scheme: http - path: /metrics - interval: 1m - scrapeTimeout: 10s - serviceAccount: - create: true - name: *app - persistence: - config-file: - type: configMap - name: k8s-gateway-configmap - globalMounts: - - path: /etc/coredns/Corefile - subPath: Corefile 
- readOnly: true diff --git a/kubernetes/apps/networking/k8s-gateway/app/rbac.yaml b/kubernetes/apps/networking/k8s-gateway/app/rbac.yaml deleted file mode 100644 index 999630ce9..000000000 --- a/kubernetes/apps/networking/k8s-gateway/app/rbac.yaml +++ /dev/null @@ -1,48 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: k8s-gateway - namespace: networking - labels: - app.kubernetes.io/instance: k8s-gateway - app.kubernetes.io/name: k8s-gateway -rules: - - apiGroups: - - "" - resources: - - services - - namespaces - verbs: - - list - - watch - - apiGroups: - - extensions - - networking.k8s.io - resources: - - ingresses - verbs: - - list - - watch - - apiGroups: ["gateway.networking.k8s.io"] - resources: ["*"] - verbs: ["watch", "list"] - - apiGroups: ["k8s.nginx.org"] - resources: ["*"] - verbs: ["watch", "list"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: k8s-gateway - labels: - app.kubernetes.io/instance: k8s-gateway - app.kubernetes.io/name: k8s-gateway -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: k8s-gateway -subjects: - - kind: ServiceAccount - name: k8s-gateway - namespace: networking diff --git a/kubernetes/apps/ngnode/landing-page/app-staging/helmrelease.yaml b/kubernetes/apps/ngnode/landing-page/app-staging/helmrelease.yaml index 14936e36e..6b69fd03e 100644 --- a/kubernetes/apps/ngnode/landing-page/app-staging/helmrelease.yaml +++ b/kubernetes/apps/ngnode/landing-page/app-staging/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta2 kind: HelmRelease metadata: name: &app ngnode-landing-page-staging - namespace: ngnode spec: interval: 30m chart: 
@@ -50,10 +49,7 @@ spec: ingress: app: enabled: true - className: nginx - annotations: - external-dns.alpha.kubernetes.io/enabled: "true" - external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}. + className: external hosts: - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" paths: diff --git a/kubernetes/apps/ngnode/landing-page/app-staging/kustomization.yaml b/kubernetes/apps/ngnode/landing-page/app-staging/kustomization.yaml index c56190ebc..022692cb5 100644 --- a/kubernetes/apps/ngnode/landing-page/app-staging/kustomization.yaml +++ b/kubernetes/apps/ngnode/landing-page/app-staging/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: ngnode resources: - ./helmrelease.yaml - ../../../../templates/gatus/external diff --git a/kubernetes/apps/ngnode/landing-page/app/helmrelease.yaml b/kubernetes/apps/ngnode/landing-page/app/helmrelease.yaml index d48c92a8c..d674424ef 100644 --- a/kubernetes/apps/ngnode/landing-page/app/helmrelease.yaml +++ b/kubernetes/apps/ngnode/landing-page/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app ngnode-landing-page - namespace: ngnode spec: interval: 30m chart: @@ -50,10 +49,7 @@ spec: ingress: app: enabled: true - className: nginx - annotations: - external-dns.alpha.kubernetes.io/enabled: "true" - external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}. + className: external hosts: - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" paths: @@ -61,13 +57,13 @@ spec: service: identifier: app port: http - - host: "www.ngnode.com" + - host: www.ngnode.com paths: - path: / service: identifier: app port: http - - host: "ngnode.com" + - host: ngnode.com paths: - path: / service: 
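Review bot: Dropping `external-dns.alpha.kubernetes.io/enabled: "true"` turns public DNS publication from an explicit opt-in into an implicit property of `className: external`; the external-dns release deleted earlier in this commit only published Ingresses carrying that annotation (`--annotation-filter=external-dns.alpha.kubernetes.io/enabled in (true)`), whereas now nothing on the Ingress itself says it is internet-facing. Its replacement is not in this chunk, so presumably it selects on ingress class. If so, record that contract where the class is chosen, e.g. `className: external  # public: DNS records are published for every Ingress of this class`, so a later copy of this block for an internal service is not exposed by accident. The same annotations are removed in the landing-page app HelmRelease hunk with the same `@@ -50,10 +49,7 @@` header and in the gatus HelmRelease hunk `@@ -104,10 +111,8 @@` below.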
diff --git a/kubernetes/apps/ngnode/landing-page/app/kustomization.yaml b/kubernetes/apps/ngnode/landing-page/app/kustomization.yaml index c56190ebc..022692cb5 100644 --- a/kubernetes/apps/ngnode/landing-page/app/kustomization.yaml +++ b/kubernetes/apps/ngnode/landing-page/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: ngnode resources: - ./helmrelease.yaml - ../../../../templates/gatus/external diff --git a/kubernetes/apps/ngnode/landing-page/ks.yaml b/kubernetes/apps/ngnode/landing-page/ks.yaml index 35733e2c9..f90ce91fa 100644 --- a/kubernetes/apps/ngnode/landing-page/ks.yaml +++ b/kubernetes/apps/ngnode/landing-page/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -24,7 +24,7 @@ spec: substitute: APP: *app --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/monitoring/apprise/app/helmrelease.yaml b/kubernetes/apps/observability/apprise/app/helmrelease.yaml similarity index 98% rename from kubernetes/apps/monitoring/apprise/app/helmrelease.yaml rename to kubernetes/apps/observability/apprise/app/helmrelease.yaml index cb05533f0..a83684065 100644 --- a/kubernetes/apps/monitoring/apprise/app/helmrelease.yaml 
+++ b/kubernetes/apps/observability/apprise/app/helmrelease.yaml @@ -54,7 +54,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: hajimari.io/icon: bell-cog hosts: diff --git a/kubernetes/apps/monitoring/apprise/app/kustomization.yaml b/kubernetes/apps/observability/apprise/app/kustomization.yaml similarity index 93% rename from kubernetes/apps/monitoring/apprise/app/kustomization.yaml rename to kubernetes/apps/observability/apprise/app/kustomization.yaml index b2cb78cca..fd54ff7cc 100644 --- a/kubernetes/apps/monitoring/apprise/app/kustomization.yaml +++ b/kubernetes/apps/observability/apprise/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: monitoring resources: - ./helmrelease.yaml - ../../../../templates/gatus/guarded diff --git a/kubernetes/apps/monitoring/apprise/ks.yaml b/kubernetes/apps/observability/apprise/ks.yaml similarity index 69% rename from kubernetes/apps/monitoring/apprise/ks.yaml rename to kubernetes/apps/observability/apprise/ks.yaml index a67a078e5..b4df25469 100644 --- a/kubernetes/apps/monitoring/apprise/ks.yaml +++ b/kubernetes/apps/observability/apprise/ks.yaml 
@@ -1,19 +1,19 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: &app apprise namespace: flux-system spec: - targetNamespace: monitoring + targetNamespace: observability commonMetadata: labels: app.kubernetes.io/name: *app dependsOn: - name: rook-ceph-cluster - name: volsync - path: ./kubernetes/apps/monitoring/apprise/app + path: ./kubernetes/apps/observability/apprise/app prune: true sourceRef: kind: GitRepository diff --git a/kubernetes/apps/observability/blackbox-exporter/app/helmrelease.yaml b/kubernetes/apps/observability/blackbox-exporter/app/helmrelease.yaml new file mode 100644 index 000000000..d94f70614 --- /dev/null +++ b/kubernetes/apps/observability/blackbox-exporter/app/helmrelease.yaml 
@@ -0,0 +1,74 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app blackbox-exporter
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: prometheus-blackbox-exporter
+ version: 9.1.0
+ sourceRef:
+ kind: HelmRepository
+ name: prometheus-community
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ fullnameOverride: *app
+ ingress:
+ enabled: true
+ className: internal
+ hosts:
+ - host: blackbox-exporter.${SECRET_EXTERNAL_DOMAIN}
+ paths:
+ - path: /
+ pathType: Prefix
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ add: [NET_RAW]
+ config:
+ modules:
+ http_2xx:
+ prober: http
+ timeout: 5s
+ http:
+ valid_http_versions: [HTTP/1.1, HTTP/2.0]
+ follow_redirects: true
+ preferred_ip_protocol: ipv4
+ icmp:
+ prober: icmp
+ timeout: 5s
+ icmp:
+ preferred_ip_protocol: ipv4
+ tcp_connect:
+ prober: tcp
+ timeout: 5s
+ tcp:
+ preferred_ip_protocol: ipv4
+ serviceMonitor:
+ enabled: true
+ defaults:
+ interval: 1m
+ scrapeTimeout: 10s
+ prometheusRule:
+ enabled: true
+ rules:
+ - alert: BlackboxProbeFailed
+ expr: probe_success == 0
+ for: 15m
+ labels:
+ severity: critical
+ annotations:
+ summary: |-
+ The host {{ $labels.target }} is currently unreachable
diff --git a/kubernetes/apps/observability/blackbox-exporter/app/kustomization.yaml b/kubernetes/apps/observability/blackbox-exporter/app/kustomization.yaml
new file mode 100644
index 000000000..e6e03c605
--- /dev/null
+++ b/kubernetes/apps/observability/blackbox-exporter/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
+ - ./probes.yaml
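Review bot: The Ingress at `blackbox-exporter.${SECRET_EXTERNAL_DOMAIN}` exposes the exporter with no authentication annotations at all, and blackbox-exporter's `/probe` endpoint performs HTTP, TCP or ICMP requests against whatever `target` the caller supplies, so anyone who can reach the `internal` ingress class can use the pod as a network probe into the cluster and the LAN. Prometheus reaches it through the in-cluster Service (see the `prober.url` in `probes.yaml`), so the Ingress is only a convenience; either set `ingress.enabled: false` or put it behind the authenticating proxy this repo uses elsewhere (Authelia appears in the Grafana values on this page). Separately, `capabilities` adds `NET_RAW` without an explicit drop; the chart may supply one, but `capabilities: { add: [NET_RAW], drop: [ALL] }` keeps the manifest self-describing.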
diff --git a/kubernetes/apps/observability/blackbox-exporter/app/probes.yaml b/kubernetes/apps/observability/blackbox-exporter/app/probes.yaml
new file mode 100644
index 000000000..e41ed8508
--- /dev/null
+++ b/kubernetes/apps/observability/blackbox-exporter/app/probes.yaml
@@ -0,0 +1,14 @@
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/probe_v1.json
+---
+kind: Probe
+apiVersion: monitoring.coreos.com/v1
+metadata:
+ name: devices
+spec:
+ module: icmp
+ prober:
+ url: blackbox-exporter.observability.svc.cluster.local:9115
+ targets:
+ staticConfig:
+ static:
+ - pikvm.${SECRET_INTERNAL_DOMAIN}
diff --git a/kubernetes/apps/observability/blackbox-exporter/ks.yaml b/kubernetes/apps/observability/blackbox-exporter/ks.yaml
new file mode 100644
index 000000000..ffd25fe7b
--- /dev/null
+++ b/kubernetes/apps/observability/blackbox-exporter/ks.yaml
@@ -0,0 +1,20 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app blackbox-exporter
+ namespace: flux-system
+spec:
+ targetNamespace: observability
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/apps/observability/blackbox-exporter/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: home-ops-kubernetes
+ wait: false
+ interval: 30m
+ timeout: 15m
diff --git a/kubernetes/apps/monitoring/gatus/app/config/config.yaml b/kubernetes/apps/observability/gatus/app/config/config.yaml
similarity index 83%
rename from kubernetes/apps/monitoring/gatus/app/config/config.yaml
rename to kubernetes/apps/observability/gatus/app/config/config.yaml
index 6007d7a3d..9e7b006b7 100644
--- a/kubernetes/apps/monitoring/gatus/app/config/config.yaml
+++ b/kubernetes/apps/observability/gatus/app/config/config.yaml
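Review bot: `blackbox-exporter/ks.yaml` declares no `dependsOn`, yet this Kustomization applies a `Probe` (probes.yaml) and the chart in the preceding hunk renders a `ServiceMonitor` and a `PrometheusRule`, all of which require the monitoring.coreos.com CRDs to exist first; on a fresh bootstrap the apply fails until whichever Kustomization installs those CRDs has reconciled (its name is not on this page). It also omits `retryInterval`, so with `interval: 30m` a failed apply is retried only every 30 minutes, whereas the sibling Kustomizations added in this commit set `retryInterval: 1m`. Suggest `dependsOn: [{ name: <prometheus-operator-kustomization> }]` and `retryInterval: 1m` under `spec`, with the placeholder replaced by the real Kustomization name.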
@@ -2,8 +2,8 @@ web: port: ${CUSTOM_WEB_PORT} storage: - type: postgres - path: postgres://${INIT_POSTGRES_USER}:${INIT_POSTGRES_PASS}@${INIT_POSTGRES_HOST}:5432/${INIT_POSTGRES_DBNAME}?sslmode=require + type: sqlite + path: /config/sqlite.db caching: true metrics: true debug: false diff --git a/kubernetes/apps/monitoring/gatus/app/externalsecret.yaml b/kubernetes/apps/observability/gatus/app/externalsecret.yaml similarity index 59% rename from kubernetes/apps/monitoring/gatus/app/externalsecret.yaml rename to kubernetes/apps/observability/gatus/app/externalsecret.yaml index fafaa1915..92d4b2ae8 100644 --- a/kubernetes/apps/monitoring/gatus/app/externalsecret.yaml +++ b/kubernetes/apps/observability/gatus/app/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: gatus - namespace: monitoring spec: secretStoreRef: kind: ClusterSecretStore @@ -13,18 +12,9 @@ spec: name: gatus-secret template: data: - # App CUSTOM_PUSHOVER_APP_TOKEN: '{{ .PUSHOVER_API_TOKEN }}' CUSTOM_PUSHOVER_USER_KEY: '{{ .PUSHOVER_USER_KEY }}' - # Postgres Init - INIT_POSTGRES_DBNAME: gatus - INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local - INIT_POSTGRES_USER: '{{ .POSTGRES_USER }}' - INIT_POSTGRES_PASS: '{{ .POSTGRES_PASS }}' - INIT_POSTGRES_SUPER_PASS: '{{ .POSTGRES_SUPER_PASS }}' dataFrom: - - extract: - key: cloudnative-pg - extract: key: gatus - extract: diff --git a/kubernetes/apps/monitoring/gatus/app/helmrelease.yaml b/kubernetes/apps/observability/gatus/app/helmrelease.yaml similarity index 68% rename from kubernetes/apps/monitoring/gatus/app/helmrelease.yaml rename to kubernetes/apps/observability/gatus/app/helmrelease.yaml index af1bec25a..37fe8f09b 100644 --- a/kubernetes/apps/monitoring/gatus/app/helmrelease.yaml +++ b/kubernetes/apps/observability/gatus/app/helmrelease.yaml 
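Review bot: The unchanged context line `port: ${CUSTOM_WEB_PORT}` still expects the `CUSTOM_WEB_PORT` environment variable, but the gatus HelmRelease hunk `@@ -64,37 +54,54 @@` further down removes `CUSTOM_WEB_PORT: &port 8080` and introduces `WEB_PORT: &port 80` in its place, so after this commit nothing sets the name the config references. With the variable unset, Gatus presumably expands it to an empty value and falls back to its built-in default port, while the Service, the `/health` probes and the ingress all target port 80 through the `*port` alias, which would leave the pod failing readiness. Either change this line to `port: ${WEB_PORT}` or keep the env name `CUSTOM_WEB_PORT` in the HelmRelease; one of the two has to move in the same commit.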
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app gatus - namespace: monitoring spec: interval: 30m chart: @@ -15,9 +14,7 @@ spec: kind: HelmRepository name: bjw-s namespace: flux-system - maxHistory: 2 install: - createNamespace: true remediation: retries: 3 upgrade: @@ -25,24 +22,17 @@ spec: remediation: strategy: rollback retries: 3 - uninstall: - keepHistory: false + dependsOn: + - name: rook-ceph-cluster + namespace: rook-ceph values: controllers: gatus: annotations: reloader.stakater.com/auto: "true" initContainers: - 01-init-db: + init-config: image: - repository: ghcr.io/onedr0p/postgres-init - tag: 16 - pullPolicy: IfNotPresent - envFrom: &envFrom - - secretRef: - name: gatus-secret - 02-init-config: - image: &configSyncImage repository: ghcr.io/kiwigrid/k8s-sidecar tag: 1.28.4@sha256:20caf4e241e1f9f9231527db5e75b735aa7b0da7bee3d262cbe369bb9b33469f env: @@ -51,11 +41,11 @@ spec: NAMESPACE: ALL RESOURCE: both UNIQUE_FILENAMES: true - METHOD: LIST - resources: &configSyncResources + METHOD: WATCH + restartPolicy: Always + resources: requests: cpu: 10m - memory: 10Mi limits: memory: 128Mi containers: 
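Review bot: The renamed `init-config` sidecar (`ghcr.io/kiwigrid/k8s-sidecar`, now long-running via `restartPolicy: Always`) gets no container-level `securityContext`, whereas the `app` container in the next hunk (`@@ -64,37 +54,54 @@`) is hardened with `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `capabilities: { drop: [ALL] }`. The pod-level `runAsNonRoot` and `seccompProfile` in `defaultPodOptions` do cover it, but those three settings are container-scoped and do not, and the container that holds the pod's ServiceAccount token with a cluster-wide ConfigMap/Secret watch is the one that most deserves them. Suggest adding `securityContext: { allowPrivilegeEscalation: false, readOnlyRootFilesystem: true, capabilities: { drop: [ALL] } }` under `init-config` (assuming the image tolerates a read-only root, which the `/config` volume should make true); its definition starts in hunk `@@ -25,24 +22,17 @@` and continues into `@@ -51,11 +41,11 @@`.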
@@ -64,37 +54,54 @@ spec: repository: ghcr.io/twin/gatus tag: v5.15.0@sha256:45686324db605e57dfa8b0931d8d57fe06298f52685f06aa9654a1f710d461bb env: - TZ: ${TIMEZONE} GATUS_CONFIG_PATH: /config - CUSTOM_WEB_PORT: &port 8080 - SECRET_EXTERNAL_DOMAIN: ${SECRET_EXTERNAL_DOMAIN} - envFrom: *envFrom + GATUS_DELAY_START_SECONDS: 5 + WEB_PORT: &port 80 + envFrom: + - secretRef: + name: gatus-secret + probes: + liveness: &probes + enabled: true + custom: true + spec: + httpGet: + path: /health + port: *port + initialDelaySeconds: 0 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 + readiness: *probes + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: { drop: [ALL] } resources: requests: - cpu: 10m - memory: 256M + cpu: 100m limits: - memory: 512M - config-sync: - image: *configSyncImage - env: - FOLDER: /config - LABEL: gatus.io/enabled - NAMESPACE: ALL - RESOURCE: both - UNIQUE_FILENAMES: true - METHOD: WATCH - envFrom: *envFrom - resources: *configSyncResources + memory: 256Mi + defaultPodOptions: + dnsConfig: + options: + - { name: ndots, value: "1" } + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 1000 + fsGroup: 1000 + fsGroupChangePolicy: OnRootMismatch + seccompProfile: { type: RuntimeDefault } service: app: - controller: *app + controller: gatus ports: http: port: *port serviceMonitor: app: - serviceName: *app + serviceName: gatus endpoints: - port: http scheme: http @@ -104,10 +111,8 @@ spec: ingress: app: enabled: true - className: nginx + className: external annotations: - external-dns.alpha.kubernetes.io/enabled: "true" - external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}. hajimari.io/icon: mdi:list-status gethomepage.dev/enabled: "true" gethomepage.dev/name: Gatus @@ -133,8 +138,7 @@ spec: name: *app persistence: config: - enabled: true - type: emptyDir + existingClaim: gatus config-file: type: configMap name: gatus-configmap 
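Review bot: `WEB_PORT: &port 80` asks Gatus to listen on a privileged port while the pod runs as uid 1000 with `capabilities: { drop: [ALL] }`, so the bind only succeeds where the runtime lowers `net.ipv4.ip_unprivileged_port_start` for pods (containerd's `enable_unprivileged_ports`, off by default before containerd 2.0); nothing in the manifest itself grants it. If that node setting is not guaranteed for this cluster, either keep the previous 8080 or declare the requirement on the pod, e.g. `defaultPodOptions.securityContext.sysctls: [{ name: net.ipv4.ip_unprivileged_port_start, value: "80" }]`, which is a safe sysctl since Kubernetes 1.22. A one-line comment beside the port saying which of the two is relied on would spare the next reader the same question.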
diff --git a/kubernetes/apps/monitoring/gatus/app/kustomization.yaml b/kubernetes/apps/observability/gatus/app/kustomization.yaml similarity index 95% rename from kubernetes/apps/monitoring/gatus/app/kustomization.yaml rename to kubernetes/apps/observability/gatus/app/kustomization.yaml index 584c12c91..a4878692b 100644 --- a/kubernetes/apps/monitoring/gatus/app/kustomization.yaml +++ b/kubernetes/apps/observability/gatus/app/kustomization.yaml @@ -2,10 +2,10 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: monitoring resources: - ./externalsecret.yaml - ./helmrelease.yaml + - ./pvc.yaml - ./rbac.yaml configMapGenerator: - name: gatus-configmap diff --git a/kubernetes/apps/observability/gatus/app/pvc.yaml b/kubernetes/apps/observability/gatus/app/pvc.yaml new file mode 100644 index 000000000..1d660c4b9 --- /dev/null +++ b/kubernetes/apps/observability/gatus/app/pvc.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: gatus +spec: + accessModes: [ReadWriteOnce] + resources: + requests: + storage: 2Gi + storageClassName: rook-ceph-block diff --git a/kubernetes/apps/monitoring/gatus/app/rbac.yaml b/kubernetes/apps/observability/gatus/app/rbac.yaml similarity index 69% rename from kubernetes/apps/monitoring/gatus/app/rbac.yaml rename to kubernetes/apps/observability/gatus/app/rbac.yaml index 0355e0351..15b8f601e 100644 --- a/kubernetes/apps/monitoring/gatus/app/rbac.yaml +++ b/kubernetes/apps/observability/gatus/app/rbac.yaml 
@@ -1,30 +1,29 @@ --- +# trunk-ignore(checkov/CKV_K8S_21) apiVersion: v1 kind: ServiceAccount metadata: name: gatus - namespace: monitoring labels: app.kubernetes.io/managed-by: Helm annotations: meta.helm.sh/release-name: gatus - meta.helm.sh/release-namespace: monitoring + meta.helm.sh/release-namespace: observability --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: gatus - namespace: monitoring rules: + # trunk-ignore(trivy/KSV041) - apiGroups: [""] - resources: ["configmaps", "secrets"] - verbs: ["get", "watch", "list"] + resources: [configmaps, secrets] + verbs: [get, watch, list] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: gatus - namespace: monitoring roleRef: kind: ClusterRole name: gatus @@ -32,4 +31,4 @@ roleRef: subjects: - kind: ServiceAccount name: gatus - namespace: monitoring + namespace: observability diff --git a/kubernetes/apps/monitoring/gatus/ks.yaml b/kubernetes/apps/observability/gatus/ks.yaml similarity index 67% rename from kubernetes/apps/monitoring/gatus/ks.yaml rename to kubernetes/apps/observability/gatus/ks.yaml index d3113d460..6a4d96963 100644 --- a/kubernetes/apps/monitoring/gatus/ks.yaml +++ b/kubernetes/apps/observability/gatus/ks.yaml @@ -1,18 +1,18 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: &app gatus namespace: flux-system spec: - targetNamespace: monitoring + targetNamespace: observability commonMetadata: labels: app.kubernetes.io/name: *app dependsOn: - name: external-secrets-stores - path: ./kubernetes/apps/monitoring/gatus/app + path: ./kubernetes/apps/observability/gatus/app prune: true sourceRef: kind: GitRepository 
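Review bot: The ClusterRole still grants `get, watch, list` on `secrets` across the whole cluster (the new `trunk-ignore(trivy/KSV041)` only silences the scanner), and the sidecar in the HelmRelease is configured with `NAMESPACE: ALL` and `RESOURCE: both`, so the gatus ServiceAccount token can read every Secret in every namespace. Gatus endpoint definitions are discovered through the `gatus.io/enabled` label on ConfigMaps; unless some are genuinely shipped as Secrets, narrow this to `resources: [configmaps]` and set `RESOURCE: configmap` in the sidecar, which also removes the need for the ignore. If Secrets really are needed, a comment naming which ones would justify keeping the broad grant.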
diff --git a/kubernetes/apps/monitoring/grafana/app/externalsecret.yaml b/kubernetes/apps/observability/grafana/app/externalsecret.yaml similarity index 91% rename from kubernetes/apps/monitoring/grafana/app/externalsecret.yaml rename to kubernetes/apps/observability/grafana/app/externalsecret.yaml index e3d7ca01f..efa36e6eb 100644 --- a/kubernetes/apps/monitoring/grafana/app/externalsecret.yaml +++ b/kubernetes/apps/observability/grafana/app/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: grafana-secrets - namespace: monitoring spec: secretStoreRef: kind: ClusterSecretStore @@ -12,7 +11,7 @@ spec: target: name: grafana-secret creationPolicy: Owner - deletionPolicy: "Delete" + deletionPolicy: Delete template: engineVersion: v2 data: diff --git a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml b/kubernetes/apps/observability/grafana/app/helmrelease.yaml similarity index 81% rename from kubernetes/apps/monitoring/grafana/app/helmrelease.yaml rename to kubernetes/apps/observability/grafana/app/helmrelease.yaml index b9296342e..e03c88797 100644 --- a/kubernetes/apps/monitoring/grafana/app/helmrelease.yaml +++ b/kubernetes/apps/observability/grafana/app/helmrelease.yaml @@ -39,7 +39,7 @@ spec: GF_PANELS_DISABLE_SANITIZE_HTML: true GF_LOG_FILTERS: rendering:debug GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS: natel-discrete-panel,pr0ps-trackmap-panel,panodata-map-panel - GF_DATE_FORMATS_FULL_DATE: "DD.MM.YYYY hh:mm:ss" + GF_DATE_FORMATS_FULL_DATE: DD.MM.YYYY hh:mm:ss GF_SECURITY_ALLOW_EMBEDDING: true GF_SECURITY_COOKIE_SAMESITE: grafana GF_SERVER_ROOT_URL: https://grafana.${SECRET_EXTERNAL_DOMAIN} @@ -58,7 +58,7 @@ spec: enabled: true name: Authelia icon: signin - scopes: "openid profile email groups" + scopes: openid profile email groups empty_scopes: false login_attribute_path: preferred_username groups_attribute_path: groups 
@@ -128,14 +128,6 @@ spec: editable: true options: path: /var/lib/grafana/dashboards/prometheus-folder - - name: thanos - orgId: 1 - folder: Thanos - type: file - disableDeletion: false - editable: true - options: - path: /var/lib/grafana/dashboards/thanos-folder - name: unifi orgId: 1 folder: Unifi @@ -156,27 +148,27 @@ spec: type: prometheus uid: prometheus access: proxy - url: http://thanos-query-frontend.monitoring.svc.cluster.local.:10902 + url: http://prometheus-operated.observability.svc.cluster.local:9090 isDefault: true # - name: Loki # type: loki # uid: loki # access: proxy - # url: http://loki-gateway.monitoring.svc.cluster.local.:80 + # url: http://loki-gateway.observability.svc.cluster.local.:80 - name: Alertmanager type: alertmanager uid: alertmanager access: proxy - url: http://alertmanager-operated.monitoring.svc.cluster.local:9093 + url: http://alertmanager-operated.observability.svc.cluster.local:9093 jsonData: implementation: prometheus dashboards: default: home-assistant: - url: https://raw.githubusercontent.com/auricom/home-ops/main/kubernetes/apps/monitoring/grafana/dashboards/home-assistant.json + url: https://raw.githubusercontent.com/auricom/home-ops/main/kubernetes/apps/observability/grafana/dashboards/home-assistant.json datasource: Prometheus homelab-temperatures: - url: https://raw.githubusercontent.com/auricom/home-ops/main/kubernetes/apps/monitoring/grafana/dashboards/homelab-temperatures.json + url: https://raw.githubusercontent.com/auricom/home-ops/main/kubernetes/apps/observability/grafana/dashboards/homelab-temperatures.json datasource: Prometheus external-dns: # renovate: depName="External-dns" 
@@ -292,34 +284,6 @@ spec: gnetId: 19105 revision: 6 datasource: Prometheus - thanos: - thanos-bucket-replicate: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/bucket-replicate.json - datasource: Prometheus - thanos-compact: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/compact.json - datasource: Prometheus - thanos-overview: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/overview.json - datasource: Prometheus - thanos-query: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/query.json - datasource: Prometheus - thanos-query-frontend: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/query-frontend.json - datasource: Prometheus - thanos-receieve: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/receive.json - datasource: Prometheus - thanos-rule: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/rule.json - datasource: Prometheus - thanos-sidecar: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/sidecar.json - datasource: Prometheus - thanos-store: - url: https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/thanos/dashboards/store.json - datasource: Prometheus unifi: unifi-insights: # renovate: depName="UniFi-Poller: Client Insights - Prometheus" @@ -366,7 +330,7 @@ spec: enabled: true ingress: enabled: true - ingressClassName: "nginx" + ingressClassName: internal annotations: hajimari.io/icon: simple-icons:grafana gethomepage.dev/enabled: "true" 
@@ -387,10 +351,3 @@ spec: enabled: false testFramework: enabled: false - topologySpreadConstraints: - - maxSkew: 1 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - app.kubernetes.io/name: grafana diff --git a/kubernetes/apps/monitoring/grafana/app/kustomization.yaml b/kubernetes/apps/observability/grafana/app/kustomization.yaml similarity index 92% rename from kubernetes/apps/monitoring/grafana/app/kustomization.yaml rename to kubernetes/apps/observability/grafana/app/kustomization.yaml index 5358f1cd5..d6adbe135 100644 --- a/kubernetes/apps/monitoring/grafana/app/kustomization.yaml +++ b/kubernetes/apps/observability/grafana/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: monitoring resources: - ./externalsecret.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/monitoring/grafana/dashboards/home-assistant.json b/kubernetes/apps/observability/grafana/dashboards/home-assistant.json similarity index 100% rename from kubernetes/apps/monitoring/grafana/dashboards/home-assistant.json rename to kubernetes/apps/observability/grafana/dashboards/home-assistant.json diff --git a/kubernetes/apps/monitoring/grafana/dashboards/homelab-temperatures.json b/kubernetes/apps/observability/grafana/dashboards/homelab-temperatures.json similarity index 100% rename from kubernetes/apps/monitoring/grafana/dashboards/homelab-temperatures.json rename to kubernetes/apps/observability/grafana/dashboards/homelab-temperatures.json diff --git a/kubernetes/apps/monitoring/grafana/dashboards/truenas.json b/kubernetes/apps/observability/grafana/dashboards/truenas.json similarity index 100% rename from kubernetes/apps/monitoring/grafana/dashboards/truenas.json rename to kubernetes/apps/observability/grafana/dashboards/truenas.json 
diff --git a/kubernetes/apps/monitoring/grafana/ks.yaml b/kubernetes/apps/observability/grafana/ks.yaml similarity index 64% rename from kubernetes/apps/monitoring/grafana/ks.yaml rename to kubernetes/apps/observability/grafana/ks.yaml index e7f9df8fb..55f33b7c0 100644 --- a/kubernetes/apps/monitoring/grafana/ks.yaml +++ b/kubernetes/apps/observability/grafana/ks.yaml @@ -1,16 +1,16 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: &app grafana namespace: flux-system spec: - targetNamespace: monitoring + targetNamespace: observability commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/apps/monitoring/grafana/app + path: ./kubernetes/apps/observability/grafana/app prune: true sourceRef: kind: GitRepository diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/externalsecret.yaml b/kubernetes/apps/observability/kube-prometheus-stack/app/externalsecret.yaml similarity index 96% rename from kubernetes/apps/monitoring/kube-prometheus-stack/app/externalsecret.yaml rename to kubernetes/apps/observability/kube-prometheus-stack/app/externalsecret.yaml index eb92fde2d..56a2a9224 100644 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/externalsecret.yaml +++ b/kubernetes/apps/observability/kube-prometheus-stack/app/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: kube-prometheus-stack - namespace: default spec: secretStoreRef: kind: ClusterSecretStore 
diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml similarity index 76% rename from kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml rename to kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml index 717c4b1e1..c4591a705 100644 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/helmrelease.yaml +++ b/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: kube-prometheus-stack - namespace: monitoring spec: interval: 30m chart: @@ -16,25 +15,24 @@ spec: name: prometheus-community namespace: flux-system interval: 5m - maxHistory: 2 install: - createNamespace: true - crds: CreateReplace + crds: Skip remediation: retries: 3 upgrade: cleanupOnFail: true - crds: CreateReplace + crds: Skip remediation: + strategy: rollback retries: 3 - uninstall: - keepHistory: false dependsOn: - - name: openebs - namespace: openebs-system - - name: thanos - namespace: monitoring + - name: kube-prometheus-stack-crds + namespace: observability + - name: rook-ceph-cluster + namespace: rook-ceph values: + crds: + enabled: false ### ### Component values ### @@ -58,7 +56,7 @@ spec: kubeStateMetrics: metricLabelsAllowlist: - - "persistentvolumeclaims=[*]" + - persistentvolumeclaims=[*] prometheus: monitor: enabled: true 
@@ -111,14 +109,14 @@ spec: ingress: enabled: true pathType: Prefix - ingressClassName: "nginx" + ingressClassName: internal annotations: - # nginx.ingress.kubernetes.io/auth-method: GET - # nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify - # nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method - # nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email - # nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; - hajimari.io/appName: "Prometheus" + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify + nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method + nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email + nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; + hajimari.io/appName: Prometheus hajimari.io/icon: simple-icons:prometheus gethomepage.dev/enabled: "true" gethomepage.dev/name: Prometheus @@ -134,9 +132,6 @@ spec: - hosts: - "prometheus.${SECRET_EXTERNAL_DOMAIN}" prometheusSpec: - podMetadata: - annotations: - secret.reloader.stakater.com/reload: &secret thanos-objstore-config replicas: 2 replicaExternalLabelName: replica scrapeInterval: 1m # Must match interval in Grafana Helm chart 
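Review bot: The forward-auth annotations enabled here, and identically in the Alertmanager hunk at @@ -239,14, include `nginx.ingress.kubernetes.io/auth-snippet`, which the ingress-nginx admission webhook rejects unless the controller behind the new `internal` class runs with `allow-snippet-annotations: true` (off by default in current releases). Because the class changes in the same hunk, confirm that controller's setting; if it is not enabled the whole Ingress fails admission and Prometheus becomes unreachable rather than protected. Snippet annotations are gated because they let any Ingress author inject raw NGINX configuration, so a comment above the block, e.g. `# Authelia forward-auth; requires allow-snippet-annotations on the internal controller`, records the dependency for whoever next tightens that controller.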
@@ -146,35 +141,24 @@ spec: ruleSelector: *selector scrapeConfigSelector: *selector serviceMonitorSelector: *selector - retention: 2d - retentionSize: 15GB + retention: 14d + retentionSize: 50GB enableAdminAPI: true walCompression: true storageSpec: volumeClaimTemplate: spec: - storageClassName: "rook-ceph-block" + storageClassName: rook-ceph-block resources: requests: storage: 20Gi - thanos: - image: quay.io/thanos/thanos:${THANOS_VERSION} - version: "${THANOS_VERSION#v}" - objectStorageConfig: - existingSecret: - name: *secret - key: config - thanosService: - enabled: true - thanosServiceMonitor: - enabled: true alertmanager: config: global: resolve_timeout: 5m receivers: - name: "null" - - name: "pushover" + - name: pushover pushover_configs: - user_key: ${SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_USER_KEY} token: ${SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_TOKEN} @@ -211,12 +195,12 @@ spec: {{- end }} {{- end }} route: - receiver: "pushover" + receiver: pushover routes: - receiver: "null" matchers: - alertname =~ "InfoInhibitor|Watchdog|RebootScheduled" - - receiver: "pushover" + - receiver: pushover matchers: - severity = "critical" continue: true @@ -225,7 +209,7 @@ spec: - severity = "critical" target_matchers: - severity = "warning" - equal: ["alertname", "namespace"] + equal: [alertname, namespace] alertmanagerSpec: replicas: 1 podAntiAffinity: hard 
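Review bot: `retentionSize: 50GB` is larger than the volume it governs — `storage: 20Gi` in the same hunk is unchanged — so size-based retention can never trigger, and with `retention: 14d` the TSDB will run the 20Gi claim out of space long before time-based retention deletes anything, at which point Prometheus stops ingesting and the alerts routed to `pushover` below go quiet. Keep `retentionSize` comfortably below the claim, e.g. `retentionSize: 15GB`, or raise `storage` above 50Gi so both limits are meaningful. A short comment tying the two values together, `# retentionSize must stay below storageSpec storage`, would prevent them drifting apart again.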
@@ -239,14 +223,14 @@ spec: ingress: enabled: true pathType: Prefix - ingressClassName: "nginx" + ingressClassName: internal annotations: - # nginx.ingress.kubernetes.io/auth-method: GET - # nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify - # nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method - # nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email - # nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; - hajimari.io/appName: "Alert Manager" + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify + nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method + nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email + nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; + hajimari.io/appName: Alert Manager hajimari.io/icon: mdi:alert-decagram-outline gethomepage.dev/enabled: "true" gethomepage.dev/name: Alert-Manager diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/kustomization.yaml b/kubernetes/apps/observability/kube-prometheus-stack/app/kustomization.yaml similarity index 93% rename from kubernetes/apps/monitoring/kube-prometheus-stack/app/kustomization.yaml rename to kubernetes/apps/observability/kube-prometheus-stack/app/kustomization.yaml index adae1e16c..8e2d781b0 100644 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/app/kustomization.yaml +++ b/kubernetes/apps/observability/kube-prometheus-stack/app/kustomization.yaml 
@@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: monitoring resources: - ./externalsecret.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/prometheusrule.yaml b/kubernetes/apps/observability/kube-prometheus-stack/app/prometheusrule.yaml similarity index 100% rename from kubernetes/apps/monitoring/kube-prometheus-stack/app/prometheusrule.yaml rename to kubernetes/apps/observability/kube-prometheus-stack/app/prometheusrule.yaml diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/app/scrapeconfig.yaml b/kubernetes/apps/observability/kube-prometheus-stack/app/scrapeconfig.yaml similarity index 100% rename from kubernetes/apps/monitoring/kube-prometheus-stack/app/scrapeconfig.yaml rename to kubernetes/apps/observability/kube-prometheus-stack/app/scrapeconfig.yaml diff --git a/kubernetes/apps/observability/kube-prometheus-stack/crds/helmrelease.yaml b/kubernetes/apps/observability/kube-prometheus-stack/crds/helmrelease.yaml new file mode 100644 index 000000000..d426472c7 --- /dev/null +++ b/kubernetes/apps/observability/kube-prometheus-stack/crds/helmrelease.yaml @@ -0,0 +1,23 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: kube-prometheus-stack-crds +spec: + interval: 30m + chart: + spec: + chart: prometheus-operator-crds + version: 17.0.2 + sourceRef: + kind: HelmRepository + name: prometheus-community + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 
diff --git a/kubernetes/apps/observability/kube-prometheus-stack/crds/kustomization.yaml b/kubernetes/apps/observability/kube-prometheus-stack/crds/kustomization.yaml new file mode 100644 index 000000000..17cbc72b2 --- /dev/null +++ b/kubernetes/apps/observability/kube-prometheus-stack/crds/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/apps/observability/kube-prometheus-stack/ks.yaml b/kubernetes/apps/observability/kube-prometheus-stack/ks.yaml new file mode 100644 index 000000000..c77549ea0 --- /dev/null +++ b/kubernetes/apps/observability/kube-prometheus-stack/ks.yaml 
@@ -0,0 +1,72 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app kube-prometheus-stack-crds + namespace: flux-system +spec: + targetNamespace: observability + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/observability/kube-prometheus-stack/crds + prune: false # never should be deleted + sourceRef: + kind: GitRepository + name: home-ops-kubernetes + wait: false + interval: 30m + timeout: 5m +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app kube-prometheus-stack + namespace: flux-system +spec: + targetNamespace: observability + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: rook-ceph-cluster + - name: kube-prometheus-stack-crds + path: ./kubernetes/apps/observability/kube-prometheus-stack/app + prune: true + sourceRef: + kind: GitRepository + name: home-ops-kubernetes + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m + postBuild: + substitute: + APP: *app + # renovate: datasource=docker depName=quay.io/thanos/thanos + THANOS_VERSION: v0.35.0 +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app kube-prometheus-rules + namespace: flux-system +spec: + targetNamespace: observability + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: kube-prometheus-stack + path: ./kubernetes/apps/observability/kube-prometheus-stack/rules + prune: true + sourceRef: + kind: GitRepository + name: home-ops-kubernetes + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m 
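Review bot: `THANOS_VERSION: v0.35.0` under `postBuild.substitute`, together with its renovate marker, is dead after this patch: the `thanos:` block that consumed `${THANOS_VERSION}` is deleted from the kube-prometheus-stack HelmRelease at @@ -146,35, so renovate will keep opening bumps for a value nothing reads. Drop those two lines. The crds Kustomization sets `wait: false`, so the app's `dependsOn: kube-prometheus-stack-crds` only waits for the crds HelmRelease object to be applied, not for the CRDs to be established; that appears to be covered by the HelmRelease-level `dependsOn` added in the app chart, and a comment such as `# wait: false is fine; the app HelmRelease itself depends on the crds HelmRelease` would make the intent explicit.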
diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/rules/kustomization.yaml b/kubernetes/apps/observability/kube-prometheus-stack/rules/kustomization.yaml similarity index 91% rename from kubernetes/apps/monitoring/kube-prometheus-stack/rules/kustomization.yaml rename to kubernetes/apps/observability/kube-prometheus-stack/rules/kustomization.yaml index 5ebada61e..ded29f67c 100644 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/rules/kustomization.yaml +++ b/kubernetes/apps/observability/kube-prometheus-stack/rules/kustomization.yaml @@ -2,6 +2,5 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: monitoring resources: - ./zfs.yaml diff --git a/kubernetes/apps/monitoring/kube-prometheus-stack/rules/zfs.yaml b/kubernetes/apps/observability/kube-prometheus-stack/rules/zfs.yaml similarity index 95% rename from kubernetes/apps/monitoring/kube-prometheus-stack/rules/zfs.yaml rename to kubernetes/apps/observability/kube-prometheus-stack/rules/zfs.yaml index 18ceedcc2..e3b5aea66 100644 --- a/kubernetes/apps/monitoring/kube-prometheus-stack/rules/zfs.yaml +++ b/kubernetes/apps/observability/kube-prometheus-stack/rules/zfs.yaml @@ -3,7 +3,6 @@ apiVersion: monitoring.coreos.com/v1 kind: PrometheusRule metadata: name: zrepl-replication-errors - namespace: monitoring spec: groups: - name: zrepl.rules diff --git a/kubernetes/apps/monitoring/kustomization.yaml b/kubernetes/apps/observability/kustomization.yaml similarity index 93% rename from kubernetes/apps/monitoring/kustomization.yaml rename to kubernetes/apps/observability/kustomization.yaml index 53c3d74cd..c400eca60 100644 --- a/kubernetes/apps/monitoring/kustomization.yaml +++ b/kubernetes/apps/observability/kustomization.yaml 
@@ -7,9 +7,9 @@ resources: - ./namespace.yaml # Flux-Kustomizations - ./apprise/ks.yaml + - ./blackbox-exporter/ks.yaml - ./gatus/ks.yaml - ./grafana/ks.yaml - ./kube-prometheus-stack/ks.yaml - ./mailrise/ks.yaml - ./scrutiny/ks.yaml - - ./thanos/ks.yaml diff --git a/kubernetes/apps/monitoring/mailrise/app/externalsecret.yaml b/kubernetes/apps/observability/mailrise/app/externalsecret.yaml similarity index 94% rename from kubernetes/apps/monitoring/mailrise/app/externalsecret.yaml rename to kubernetes/apps/observability/mailrise/app/externalsecret.yaml index 8dc97295c..fd47e5363 100644 --- a/kubernetes/apps/monitoring/mailrise/app/externalsecret.yaml +++ b/kubernetes/apps/observability/mailrise/app/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: mailrise - namespace: monitoring spec: secretStoreRef: kind: ClusterSecretStore diff --git a/kubernetes/apps/monitoring/mailrise/app/helmrelease.yaml b/kubernetes/apps/observability/mailrise/app/helmrelease.yaml similarity index 97% rename from kubernetes/apps/monitoring/mailrise/app/helmrelease.yaml rename to kubernetes/apps/observability/mailrise/app/helmrelease.yaml index 687383f39..4ab2c8f3d 100644 --- a/kubernetes/apps/monitoring/mailrise/app/helmrelease.yaml +++ b/kubernetes/apps/observability/mailrise/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app mailrise - namespace: monitoring spec: interval: 30m chart: @@ -70,7 +69,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: hajimari.io/enable: "false" hosts: diff --git a/kubernetes/apps/monitoring/mailrise/app/kustomization.yaml b/kubernetes/apps/observability/mailrise/app/kustomization.yaml similarity index 95% rename from kubernetes/apps/monitoring/mailrise/app/kustomization.yaml rename to kubernetes/apps/observability/mailrise/app/kustomization.yaml index e9f07a437..9db0ee1cf 100644 
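Review bot: `./blackbox-exporter/ks.yaml` is added to the resource list, but no `blackbox-exporter` directory appears in this chunk of the patch; if the file is not already in the tree, the kustomize build of `kubernetes/apps/observability` fails and Flux stops reconciling every app in the namespace, not just the missing one. Confirm the path exists in the same commit before merging.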
--- a/kubernetes/apps/monitoring/mailrise/app/kustomization.yaml +++ b/kubernetes/apps/observability/mailrise/app/kustomization.yaml @@ -2,7 +2,6 @@ # yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: monitoring resources: - ./externalsecret.yaml - ./helmrelease.yaml diff --git a/kubernetes/apps/monitoring/mailrise/app/mailrise.yaml b/kubernetes/apps/observability/mailrise/app/mailrise.yaml similarity index 100% rename from kubernetes/apps/monitoring/mailrise/app/mailrise.yaml rename to kubernetes/apps/observability/mailrise/app/mailrise.yaml diff --git a/kubernetes/apps/monitoring/mailrise/ks.yaml b/kubernetes/apps/observability/mailrise/ks.yaml similarity index 66% rename from kubernetes/apps/monitoring/mailrise/ks.yaml rename to kubernetes/apps/observability/mailrise/ks.yaml index db0f2ca38..3693e28df 100644 --- a/kubernetes/apps/monitoring/mailrise/ks.yaml +++ b/kubernetes/apps/observability/mailrise/ks.yaml @@ -1,16 +1,16 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: &app mailrise namespace: flux-system spec: - targetNamespace: monitoring + targetNamespace: observability commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/apps/monitoring/mailrise/app + path: ./kubernetes/apps/observability/mailrise/app prune: true sourceRef: kind: GitRepository 
diff --git a/kubernetes/apps/monitoring/namespace.yaml b/kubernetes/apps/observability/namespace.yaml similarity index 81% rename from kubernetes/apps/monitoring/namespace.yaml rename to kubernetes/apps/observability/namespace.yaml index 19159d6e6..7f1c648be 100644 --- a/kubernetes/apps/monitoring/namespace.yaml +++ b/kubernetes/apps/observability/namespace.yaml @@ -2,27 +2,26 @@ apiVersion: v1 kind: Namespace metadata: - name: monitoring + name: observability labels: kustomize.toolkit.fluxcd.io/prune: disabled - pod-security.kubernetes.io/enforce: privileged --- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json apiVersion: notification.toolkit.fluxcd.io/v1beta3 kind: Provider metadata: name: alert-manager - namespace: monitoring + namespace: observability spec: type: alertmanager - address: http://kube-prometheus-stack-alertmanager.monitoring:9093/api/v2/alerts/ + address: http://kube-prometheus-stack-alertmanager.observability:9093/api/v2/alerts/ --- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json apiVersion: notification.toolkit.fluxcd.io/v1beta3 kind: Alert metadata: name: alert-manager - namespace: monitoring + namespace: observability spec: providerRef: name: alert-manager diff --git a/kubernetes/apps/monitoring/scrutiny/app/externalsecret.yaml b/kubernetes/apps/observability/scrutiny/app/externalsecret.yaml similarity index 95% rename from kubernetes/apps/monitoring/scrutiny/app/externalsecret.yaml rename to kubernetes/apps/observability/scrutiny/app/externalsecret.yaml index cdf1ef894..b22dda0e7 100644 --- a/kubernetes/apps/monitoring/scrutiny/app/externalsecret.yaml +++ b/kubernetes/apps/observability/scrutiny/app/externalsecret.yaml @@ -4,7 +4,6 @@ apiVersion: external-secrets.io/v1beta1 kind: ExternalSecret metadata: name: scrutiny - namespace: monitoring spec: secretStoreRef: kind: ClusterSecretStore 
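Review bot: Dropping `pod-security.kubernetes.io/enforce: privileged` leaves the namespace with no enforce label, so it inherits whatever cluster-wide default the PodSecurity admission configuration sets; if that default is `baseline` or `restricted`, any workload here that needs host access (the scrutiny collector presumably reads disk SMART data from the host — confirm) is rejected on its next rollout rather than at apply time. Either state the intended level explicitly, e.g. `pod-security.kubernetes.io/enforce: baseline`, or first add `pod-security.kubernetes.io/warn` and `pod-security.kubernetes.io/audit` at the target level to see what would break. A comment on the label block recording the chosen level and why would help the next reader.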
diff --git a/kubernetes/apps/monitoring/scrutiny/app/helmrelease.yaml b/kubernetes/apps/observability/scrutiny/app/helmrelease.yaml similarity index 98% rename from kubernetes/apps/monitoring/scrutiny/app/helmrelease.yaml rename to kubernetes/apps/observability/scrutiny/app/helmrelease.yaml index ad846ffcd..602a79cf2 100644 --- a/kubernetes/apps/monitoring/scrutiny/app/helmrelease.yaml +++ b/kubernetes/apps/observability/scrutiny/app/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app scrutiny - namespace: monitoring spec: interval: 30m chart: @@ -59,7 +58,7 @@ spec: ingress: app: enabled: true - className: nginx + className: internal annotations: hajimari.io/icon: mdi:harddiskstatus gethomepage.dev/enabled: "true" diff --git a/kubernetes/apps/monitoring/scrutiny/app/kustomization.yaml b/kubernetes/apps/observability/scrutiny/app/kustomization.yaml similarity index 100% rename from kubernetes/apps/monitoring/scrutiny/app/kustomization.yaml rename to kubernetes/apps/observability/scrutiny/app/kustomization.yaml diff --git a/kubernetes/apps/monitoring/scrutiny/collector/helmrelease.yaml b/kubernetes/apps/observability/scrutiny/collector/helmrelease.yaml similarity index 94% rename from kubernetes/apps/monitoring/scrutiny/collector/helmrelease.yaml rename to kubernetes/apps/observability/scrutiny/collector/helmrelease.yaml index 2c8470256..115bd2cac 100644 --- a/kubernetes/apps/monitoring/scrutiny/collector/helmrelease.yaml +++ b/kubernetes/apps/observability/scrutiny/collector/helmrelease.yaml @@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app scrutiny-collector - namespace: monitoring spec: interval: 30m chart: 
@@ -42,7 +41,7 @@ spec: repository: ghcr.io/analogj/scrutiny tag: master-collector@sha256:c98f3ee3ce30239b166717e94ebcc856fddd907fc105af6cb7345eea54584ff1 env: - COLLECTOR_API_ENDPOINT: http://scrutiny.monitoring.svc.cluster.local:8080 + COLLECTOR_API_ENDPOINT: http://scrutiny.observability.svc.cluster.local:8080 COLLECTOR_HOST_ID: valueFrom: fieldRef: diff --git a/kubernetes/apps/monitoring/scrutiny/collector/kustomization.yaml b/kubernetes/apps/observability/scrutiny/collector/kustomization.yaml similarity index 100% rename from kubernetes/apps/monitoring/scrutiny/collector/kustomization.yaml rename to kubernetes/apps/observability/scrutiny/collector/kustomization.yaml diff --git a/kubernetes/apps/monitoring/scrutiny/ks.yaml b/kubernetes/apps/observability/scrutiny/ks.yaml similarity index 67% rename from kubernetes/apps/monitoring/scrutiny/ks.yaml rename to kubernetes/apps/observability/scrutiny/ks.yaml index 152858155..730ac17a2 100644 --- a/kubernetes/apps/monitoring/scrutiny/ks.yaml +++ b/kubernetes/apps/observability/scrutiny/ks.yaml @@ -1,12 +1,12 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: &app scrutiny namespace: flux-system spec: - targetNamespace: monitoring + targetNamespace: observability commonMetadata: labels: app.kubernetes.io/name: *app @@ -14,7 +14,7 @@ spec: - name: external-secrets-stores - name: rook-ceph-cluster - name: volsync - path: ./kubernetes/apps/monitoring/scrutiny/app + path: ./kubernetes/apps/observability/scrutiny/app prune: true sourceRef: kind: GitRepository 
@@ -28,18 +28,18 @@ spec: APP: *app VOLSYNC_CAPACITY: 2Gi --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: &app scrutiny-collector namespace: flux-system spec: - targetNamespace: monitoring + targetNamespace: observability commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/apps/monitoring/scrutiny/collector + path: ./kubernetes/apps/observability/scrutiny/collector prune: true sourceRef: kind: GitRepository diff --git a/kubernetes/apps/openebs-system/namespace.yaml b/kubernetes/apps/openebs-system/namespace.yaml index ec4682d95..49bcf897d 100644 --- a/kubernetes/apps/openebs-system/namespace.yaml +++ b/kubernetes/apps/openebs-system/namespace.yaml @@ -15,7 +15,7 @@ metadata: namespace: openebs-system spec: type: alertmanager - address: http://alertmanager-operated.monitoring.svc.cluster.local:9093/api/v2/alerts/ + address: http://alertmanager-operated.observability.svc.cluster.local:9093/api/v2/alerts/ --- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json apiVersion: notification.toolkit.fluxcd.io/v1beta3 @@ -35,4 +35,4 @@ spec: - "error.*lookup raw\\.githubusercontent\\.com" - "dial.*tcp.*timeout" - "waiting.*socket" - suspend: false \ No newline at end of file + suspend: false diff --git a/kubernetes/apps/rook-ceph/namespace.yaml b/kubernetes/apps/rook-ceph/namespace.yaml index af497d407..b2a3d943f 100644 --- a/kubernetes/apps/rook-ceph/namespace.yaml +++ b/kubernetes/apps/rook-ceph/namespace.yaml 
@@ -15,7 +15,7 @@ metadata: namespace: rook-ceph spec: type: alertmanager - address: http://kube-prometheus-stack-alertmanager.monitoring:9093/api/v2/alerts/ + address: http://kube-prometheus-stack-alertmanager.observability:9093/api/v2/alerts/ --- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json apiVersion: notification.toolkit.fluxcd.io/v1beta3 diff --git a/kubernetes/apps/rook-ceph/rook-ceph/app/helmrelease.yaml b/kubernetes/apps/rook-ceph/rook-ceph/app/helmrelease.yaml index 49992fc7c..5eb420351 100644 --- a/kubernetes/apps/rook-ceph/rook-ceph/app/helmrelease.yaml +++ b/kubernetes/apps/rook-ceph/rook-ceph/app/helmrelease.yaml @@ -4,13 +4,12 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: rook-ceph-operator - namespace: rook-ceph spec: interval: 30m chart: spec: chart: rook-ceph - version: v1.16.0 + version: v1.16.1 sourceRef: kind: HelmRepository name: rook-ceph @@ -44,6 +43,4 @@ spec: requests: cpu: 10m memory: 128Mi - limits: - cpu: 300m - memory: 256Mi + limits: {} diff --git a/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml b/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml index 0f6ff72ca..28c18116b 100644 --- a/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml +++ b/kubernetes/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml @@ -4,13 +4,12 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: rook-ceph-cluster - namespace: rook-ceph spec: interval: 30m chart: spec: chart: rook-ceph-cluster - version: v1.16.0 + version: v1.16.1 sourceRef: kind: HelmRepository name: rook-ceph @@ -37,7 +36,7 @@ spec: createPrometheusRules: true ingress: dashboard: - ingressClassName: nginx + ingressClassName: internal annotations: hajimari.io/appName: Rook hajimari.io/icon: mdi:chess-rook 
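Review bot: `limits: {}` in the rook-ceph-operator hunk at @@ -44,6 removes the memory ceiling together with the CPU limit; dropping the CPU limit avoids throttling, but with no memory limit a leaking operator pod competes with the mons and OSDs on the same node instead of being OOM-killed and restarted. Keep a memory limit, e.g. `limits:` / `  memory: 256Mi`, or leave a comment stating why unlimited is acceptable for this pod.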
@@ -78,13 +77,13 @@ spec: - name: sda - name: talos-node-2 devices: - - name: sda + - name: sdb - name: talos-node-3 devices: - - name: sda + - name: sdb - name: talos-node-4 devices: - - name: sda + - name: sdb resources: mgr: requests: diff --git a/kubernetes/apps/rook-ceph/rook-ceph/ks.yaml b/kubernetes/apps/rook-ceph/rook-ceph/ks.yaml index b8869d177..aae69dfe0 100644 --- a/kubernetes/apps/rook-ceph/rook-ceph/ks.yaml +++ b/kubernetes/apps/rook-ceph/rook-ceph/ks.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -24,7 +24,7 @@ spec: APP: *app --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -51,7 +51,7 @@ spec: APP: *app --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: diff --git a/kubernetes/apps/rook-ceph/rook-ceph/tools/helmrelease.yaml b/kubernetes/apps/rook-ceph/rook-ceph/tools/helmrelease.yaml index 750337c9c..3f6a204b1 100644 --- a/kubernetes/apps/rook-ceph/rook-ceph/tools/helmrelease.yaml +++ b/kubernetes/apps/rook-ceph/rook-ceph/tools/helmrelease.yaml 
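Review bot: The device names move to `sdb` for talos-node-2/3/4 while talos-node-1 keeps `sda`; kernel `/dev/sdX` names are assigned in probe order and can change across reboots, firmware updates or when a disk is added, so the next shuffle makes Rook look at a different disk — most likely a silently missing OSD, since Rook skips disks that are not clean. Rook accepts stable paths in `devices[].name`, e.g. `- name: /dev/disk/by-id/<DISK_ID_PLACEHOLDER>`; use those for all four nodes. If the sda/sdb split is deliberate because node-1 is laid out differently, a comment saying so stops the next reader from "fixing" it.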
@@ -4,7 +4,6 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
 name: &app rook-ceph-tools
- namespace: rook-ceph
 spec:
 interval: 30m
 chart:
diff --git a/kubernetes/apps/volsync/namespace.yaml b/kubernetes/apps/volsync/namespace.yaml
index 76207f7cc..98e09620d 100644
--- a/kubernetes/apps/volsync/namespace.yaml
+++ b/kubernetes/apps/volsync/namespace.yaml
@@ -14,7 +14,7 @@ metadata:
 namespace: volsync
 spec:
 type: alertmanager
- address: http://kube-prometheus-stack-alertmanager.monitoring:9093/api/v2/alerts/
+ address: http://kube-prometheus-stack-alertmanager.observability:9093/api/v2/alerts/
 ---
 # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
 apiVersion: notification.toolkit.fluxcd.io/v1beta3
diff --git a/kubernetes/apps/volsync/volsync/ks.yaml b/kubernetes/apps/volsync/volsync/ks.yaml
index 418ad6beb..5f4007858 100644
--- a/kubernetes/apps/volsync/volsync/ks.yaml
+++ b/kubernetes/apps/volsync/volsync/ks.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
diff --git a/kubernetes/bootstrap/apps/helmfile.yaml b/kubernetes/bootstrap/apps/helmfile.yaml
new file mode 100644
index 000000000..788baab73
--- /dev/null
+++ b/kubernetes/bootstrap/apps/helmfile.yaml
@@ -0,0 +1,56 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/helmfile
+
+# renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet
+kubeVersion: v1.32.0
+
+helmDefaults:
+ force: true
+ recreatePods: true
+ timeout: 600
+ wait: true
+ waitForJobs: true
+
+repositories:
+ - name: cilium
+ url: https://helm.cilium.io
+
+ - name: coredns
+ url: https://coredns.github.io/helm
+
+ - name: postfinance
+ url: https://postfinance.github.io/kubelet-csr-approver
+
+releases:
+ - name: kube-prometheus-stack-crds
+ namespace: observability
+ chart: oci://ghcr.io/prometheus-community/charts/prometheus-operator-crds
+ version: 17.0.2
+
+ - name: cilium
+ namespace: kube-system
+ chart: cilium/cilium
+ version: 1.16.5
+ values: ["../../apps/kube-system/cilium/app/helm-values.yaml"]
+ needs: ["observability/kube-prometheus-stack-crds"]
+
+ - name: coredns
+ namespace: kube-system
+ chart: coredns/coredns
+ version: 1.37.0
+ values: ["../../apps/kube-system/coredns/app/helm-values.yaml"]
+ needs: ["kube-system/cilium"]
+
+ - name: kubelet-csr-approver
+ namespace: kube-system
+ chart: postfinance/kubelet-csr-approver
+ version: 1.2.4
+ values: ["../../apps/kube-system/kubelet-csr-approver/app/helm-values.yaml"]
+ needs: ["kube-system/coredns"]
+
+ - name: spegel
+ namespace: kube-system
+ chart: oci://ghcr.io/spegel-org/helm-charts/spegel
+ version: v0.0.28
+ values: ["../../apps/kube-system/spegel/app/helm-values.yaml"]
+ needs: ["kube-system/kubelet-csr-approver"]
diff --git a/kubernetes/bootstrap/cilium/kustomization.yaml b/kubernetes/bootstrap/cilium/kustomization.yaml
deleted file mode 100644
index 60a3e28a2..000000000
--- a/kubernetes/bootstrap/cilium/kustomization.yaml
+++ /dev/null
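Review bot: The kubelet-csr-approver release now takes all of its settings from `../../apps/kube-system/kubelet-csr-approver/app/helm-values.yaml`, which is not part of this diff, while the bootstrap kustomization deleted later in the diff carried `providerRegex: ^talos-node-[1-9]$` inline. That regex is what limits which node names the approver will sign serving-certificate CSRs for (the kubelets request them because of `rotate-server-certificates: "true"` in talconfig), so it is worth confirming the values file keeps an equally tight regex rather than whatever the chart defaults to. Separately, `helmDefaults.force: true` and `recreatePods: true` apply to every release here, including cilium and coredns in kube-system; as far as I know helmfile passes these through to `helm upgrade`, where `--force` resolves conflicts by deleting and recreating resources, so a comment on why a bootstrap run needs them, or moving them onto the one release that does, would be clearer.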
@@ -1,15 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-helmCharts:
- - name: cilium
- repo: https://helm.cilium.io/
- version: 1.16.5
- releaseName: cilium
- namespace: kube-system
- valuesFile: values.yaml
-commonAnnotations:
- meta.helm.sh/release-name: cilium
- meta.helm.sh/release-namespace: kube-system
-commonLabels:
- app.kubernetes.io/managed-by: Helm
diff --git a/kubernetes/bootstrap/flux/kustomization.yaml b/kubernetes/bootstrap/flux/kustomization.yaml
index 2c22b4931..30f336421 100644
--- a/kubernetes/bootstrap/flux/kustomization.yaml
+++ b/kubernetes/bootstrap/flux/kustomization.yaml
@@ -1,17 +1,61 @@
+# IMPORTANT: This file is not tracked by flux and should never be. Its
+# purpose is to only install the Flux components and CRDs into your cluster.
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - github.com/fluxcd/flux2/manifests/install?ref=v2.4.0
 patches:
- - target:
- group: networking.k8s.io
- version: v1
- kind: NetworkPolicy
- patch: |
+ # Remove the default network policies
+ - patch: |-
 $patch: delete
 apiVersion: networking.k8s.io/v1
 kind: NetworkPolicy
 metadata:
 name: not-used
+ target:
+ group: networking.k8s.io
+ kind: NetworkPolicy
+ # Resources renamed to match those installed by oci://ghcr.io/fluxcd/flux-manifests
+ - target:
+ kind: ResourceQuota
+ name: critical-pods
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: critical-pods-flux-system
+ - target:
+ kind: ClusterRoleBinding
+ name: cluster-reconciler
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: cluster-reconciler-flux-system
+ - target:
+ kind: ClusterRoleBinding
+ name: crd-controller
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: crd-controller-flux-system
+ - target:
+ kind: ClusterRole
+ name: crd-controller
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: crd-controller-flux-system
+ - target:
+ kind: ClusterRole
+ name: flux-edit
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: flux-edit-flux-system
+ - target:
+ kind: ClusterRole
+ name: flux-view
+ patch: |
+ - op: replace
+ path: /metadata/name
+ value: flux-view-flux-system
diff --git a/kubernetes/bootstrap/kubelet-csr-approver/kustomization.yaml b/kubernetes/bootstrap/kubelet-csr-approver/kustomization.yaml
deleted file mode 100644
index 4e19b5e12..000000000
--- a/kubernetes/bootstrap/kubelet-csr-approver/kustomization.yaml
+++ /dev/null
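Review bot: The rewritten `$patch: delete` still removes every NetworkPolicy shipped with the Flux install, but the new comment `# Remove the default network policies` no longer says why; the matching comment in `kubernetes/flux/config/flux.yaml` (also in this diff) loses its old "does not work with k3s" rationale at the same time. Those policies (allow-egress, allow-scraping, allow-webhooks) are what keep other namespaces from reaching the Flux controllers, and with the cluster now on Talos and Cilium the k3s limitation no longer applies. Either reinstate them in both files or record what still breaks, e.g. `# Remove the default network policies: <REASON-PLACEHOLDER>; replaced by <CILIUM-POLICY-PATH-PLACEHOLDER>`, so the exception does not outlive its cause.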
@@ -1,18 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: kube-system
-helmCharts:
- - name: kubelet-csr-approver
- repo: https://postfinance.github.io/kubelet-csr-approver
- version: 1.2.4
- releaseName: kubelet-csr-approver
- namespace: kube-system
- valuesInline:
- providerRegex: |
- ^talos-node-[1-9]$
-commonAnnotations:
- meta.helm.sh/release-name: kubelet-csr-approver
- meta.helm.sh/release-namespace: kube-system
-commonLabels:
- app.kubernetes.io/managed-by: Helm
diff --git a/kubernetes/flux/apps.yaml b/kubernetes/flux/apps.yaml
index 8057258e9..e905709cd 100644
--- a/kubernetes/flux/apps.yaml
+++ b/kubernetes/flux/apps.yaml
@@ -1,5 +1,5 @@
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
diff --git a/kubernetes/flux/config/cluster.yaml b/kubernetes/flux/config/cluster.yaml
index 38051e13a..22fa506c6 100644
--- a/kubernetes/flux/config/cluster.yaml
+++ b/kubernetes/flux/config/cluster.yaml
@@ -19,7 +19,7 @@ spec:
 # include kubernetes directory
 !/kubernetes
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
diff --git a/kubernetes/flux/config/flux.yaml b/kubernetes/flux/config/flux.yaml
index ef5bfc685..b4fa27094 100644
--- a/kubernetes/flux/config/flux.yaml
+++ b/kubernetes/flux/config/flux.yaml
@@ -11,7 +11,7 @@ spec:
 ref:
 tag: v2.4.0
 ---
-# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@@ -26,7 +26,7 @@ spec:
 kind: OCIRepository
 name: flux-manifests
 patches:
- # Remove the network policies that does not work with k3s
+ # Remove the network policies
 - patch: |
 $patch: delete
 apiVersion: networking.k8s.io/v1
@@ -37,11 +37,11 @@ spec:
 group: networking.k8s.io
 kind: NetworkPolicy
 # Increase the number of reconciliations that can be performed in parallel and bump the resources limits
- # Ref: https://fluxcd.io/flux/cheatsheets/bootstrap/#increase-the-number-of-workers
+ # https://fluxcd.io/flux/cheatsheets/bootstrap/#increase-the-number-of-workers
 - patch: |
 - op: add
 path: /spec/template/spec/containers/0/args/-
- value: --concurrent=12
+ value: --concurrent=8
 - op: add
 path: /spec/template/spec/containers/0/args/-
 value: --kube-api-qps=500
@@ -66,24 +66,13 @@ spec:
 - name: manager
 resources:
 limits:
+ cpu: 2000m
 memory: 2Gi
 target:
 kind: Deployment
 name: (kustomize-controller|helm-controller|source-controller)
- # Enable in-memory-kustomize builds
- # Ref: https://fluxcd.io/flux/installation/configuration/vertical-scaling/#enable-in-memory-kustomize-builds
- - patch: |
- - op: replace
- path: /spec/template/spec/volumes/0
- value:
- name: temp
- emptyDir:
- medium: Memory
- target:
- kind: Deployment
- name: kustomize-controller
 # Enable Helm near OOM detection
- # Ref: https://fluxcd.io/flux/cheatsheets/bootstrap/#enable-helm-near-oom-detection
+ # https://fluxcd.io/flux/cheatsheets/bootstrap/#enable-helm-near-oom-detection
 - patch: |
 - op: add
 path: /spec/template/spec/containers/0/args/-
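Review bot: The `medium: Memory` patch for kustomize-controller's `temp` volume is removed, so the controller's working directory (where it checks out sources and, if I read the decryptor right, rewrites SOPS-encrypted manifests such as `cluster-secrets.sops.yaml` in place during the build) is backed by node disk again instead of RAM. Plaintext secrets would then touch persistent node storage for the life of each build; if this is a memory-budget decision (the limit is now `cpu: 2000m`/`memory: 2Gi` with `--concurrent=8`), a comment next to the "Increase the number of reconciliations" block recording that trade-off would help, otherwise keeping the emptyDir patch is the safer default. The new `cpu: 2000m` limit also reaches source-controller and helm-controller through the regex target, which can throttle large fetches or chart renders; that may be intended but is a behaviour change beyond the kustomize-controller the comment talks about.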
diff --git a/kubernetes/flux/repositories/helm/coredns.yaml b/kubernetes/flux/repositories/helm/coredns.yaml
new file mode 100644
index 000000000..bf97567ce
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/coredns.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: coredns
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://coredns.github.io/helm
diff --git a/kubernetes/flux/repositories/helm/crunchydata.yaml b/kubernetes/flux/repositories/helm/crunchydata.yaml
new file mode 100644
index 000000000..fb5ffa3b7
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/crunchydata.yaml
@@ -0,0 +1,12 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: crunchydata
+ namespace: flux-system
+spec:
+ type: oci
+ interval: 30m
+ url: oci://registry.developers.crunchydata.com/crunchydata
+ timeout: 3m
\ No newline at end of file
diff --git a/kubernetes/flux/repositories/helm/k8s-gateway.yaml b/kubernetes/flux/repositories/helm/k8s-gateway.yaml
new file mode 100644
index 000000000..f2d008cce
--- /dev/null
+++ b/kubernetes/flux/repositories/helm/k8s-gateway.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: k8s-gateway
+ namespace: flux-system
+spec:
+ interval: 2h
+ url: https://ori-edge.github.io/k8s_gateway
diff --git a/kubernetes/flux/repositories/helm/kustomization.yaml b/kubernetes/flux/repositories/helm/kustomization.yaml
index 59aeee80e..730144f14 100644
--- a/kubernetes/flux/repositories/helm/kustomization.yaml
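Review bot: `crunchydata.yaml` ends without a trailing newline (note the `\ No newline at end of file` marker), unlike the two sibling files added in the same place. The three new HelmRepository objects also use three different `interval` values (1h, 30m, 2h) and only the OCI one sets `timeout: 3m`; the existing repository files are not in this diff, but settling on one convention, e.g. `interval: 1h`, keeps `kubernetes/flux/repositories/helm/` uniform so that a deviation stands out as deliberate.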
+++ b/kubernetes/flux/repositories/helm/kustomization.yaml
@@ -10,6 +10,8 @@ resources:
 - ./cert-manager-webhook-ovh.yaml
 - ./cilium.yaml
 - ./cloudnative-pg.yaml
+ - ./coredns.yaml
+ - ./crunchydata.yaml
 - ./crowdsec.yaml
 - ./descheduler.yaml
 - ./dysnix.yaml
@@ -22,6 +24,7 @@ resources:
 - ./ingress-nginx.yaml
 - ./intel.yaml
 - ./jetstack.yaml
+ - ./k8s-gateway.yaml
 - ./kyverno.yaml
 - ./metrics-server.yaml
 - ./node-feature-discovery.yaml
diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml b/kubernetes/flux/vars/cluster-secrets.sops.yaml
index aebdb49c8..95d4ae3f4 100644
--- a/kubernetes/flux/vars/cluster-secrets.sops.yaml
+++ b/kubernetes/flux/vars/cluster-secrets.sops.yaml
@@ -7,6 +7,7 @@ metadata:
 stringData:
 SECRET_CLUSTER_CERTIFICATE_DEFAULT: ENC[AES256_GCM,data:8HotHVJva77fd9S+j2BB,iv:fqCDD0NuK9ySCsGGT3G4QsfViM2L9oPp9ZLgwXf0tLI=,tag:rX1quD8RTjvzV75fmwmC6w==,type:str]
 SECRET_CLUSTER_DOMAIN_EMAIL: ENC[AES256_GCM,data:j1yBajAlXKQeDuvbV2IyJp8IT3wA,iv:pxPgYZEZ6pvcr6trM1gkL5MZORewARaiVfwRTyWxny0=,tag:y31EGp46NgF/Pf3hQ2Iavw==,type:str]
+ SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:nS0cVHEiuEk1w43AjcWNjGVecEr8RZr4iXsMCO9152bn2wWc,iv:jDz8AP6eCF5+CASt3ogR8vzAO5VkbZQ3pY2+AFmz15U=,tag:DVKZ3xSZLrW9pQIx0HJRCQ==,type:str]
 SECRET_DOMAIN: ENC[AES256_GCM,data:UtdBDs6+azVHO7Y=,iv:ZnWrBW+vW6HiMs1PbgY2LjcwUwuUh1HxYjqvOXvCrDk=,tag:r6uDIJhVoTIcizIfRW+lHw==,type:str]
 SECRET_EXTERNAL_DOMAIN: ENC[AES256_GCM,data:Brd9H7gizPxew+4=,iv:YaIxv9TFF0mAks9gJXwXA1N7b8k5mcSJ6hs9lpaUV/M=,tag:8xdRoWun3IUVywagpsrsBw==,type:str]
 SECRET_INTERNAL_DOMAIN: ENC[AES256_GCM,data:WLuQAi9JsUsD5Q==,iv:Zc+5/rQONxepZFVC/ia01aBdlVyG99thOeIipeAVS3E=,tag:FwwjDKoUMfZ/taFPRRThOQ==,type:str]
@@ -31,8 +32,8 @@ sops:
 WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm
 pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-08-21T20:32:55Z"
- mac: ENC[AES256_GCM,data:KEiOqecL9LenpkLZZkgfaSA9tZUklild1QHj00n5IuKu3JZVtSfdqG9lDw6KMb02ZenG5e+NRzLQ/kek+TdekoNRFK65zFcPR2DtmimjapE383eNe+gwqGggCynxjse1o+HhtJq/0zeEukRpBVkl8pWt9d10oaGDTpbLfHwZbWg=,iv:p8TsrgDv4GMEnNGaDlBbCmE5MzueKmKReLmHpYME63s=,tag:o7e4sV+eVmhmqcAHOhFkkg==,type:str]
+ lastmodified: "2025-01-03T20:27:58Z"
+ mac: ENC[AES256_GCM,data:QgFNCP1l74XISc2/6byMOzk4brz0SkbfjLxgoLRaBx08BHULaJRHiNqRRyhaKF5ZjxsOxVYiFpHrWgfu/mi/InwA6nBttwNSM/+bzKabRC6vdgrLIIXxJKGKu7BlmtILF4uZRqKqcOIK+nrZS8YWdlOY0Vyzunh4kMQoyIvugRk=,iv:0HYH18NEag1KqIXwoiMPHkFiW1jaQkK1LJ5XhENPalw=,tag:RO8oMhTRBLOzf31DgV38CQ==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
- version: 3.9.0
+ version: 3.9.3
diff --git a/kubernetes/flux/vars/cluster-settings.yaml b/kubernetes/flux/vars/cluster-settings.yaml
index cf9e162e7..e9b406ca5 100644
--- a/kubernetes/flux/vars/cluster-settings.yaml
+++ b/kubernetes/flux/vars/cluster-settings.yaml
@@ -8,7 +8,6 @@ data:
 CILIUM_BGP_SVC_RANGE: 192.168.169.0/24
 CILIUM_POD_CIDR: 10.69.0.0/16
 CLUSTER_LB_K8SGATEWAY: 192.168.169.100
- CLUSTER_LB_NGINX: 192.168.169.101
 CLUSTER_LB_SMTP_RELAY: 192.168.169.102
 CLUSTER_LB_UNIFI: 192.168.169.103
 CLUSTER_LB_GITEA: 192.168.169.104
@@ -25,8 +24,11 @@ data:
 CLUSTER_LB_CILIUM: 192.168.169.115
 CLUSTER_LB_LMS: 192.168.169.116
 CLUSTER_LB_TDARR: 192.168.169.117
+ CLUSTER_LB_POSTGRES: 192.168.169.118
+ CLUSTER_LB_NGINX_INTERNAL: 192.168.169.119
+ CLUSTER_LB_NGINX_EXTERNAL: 192.168.169.120
 LOCAL_LAN: 192.168.8.0/22
 LOCAL_LAN_OPNSENSE: 192.168.8.1
 LOCAL_LAN_TRUENAS: 192.168.9.10
 LOCAL_LAN_TRUENAS_REMOTE: 10.10.0.2
- TIMEZONE: "Europe/Paris"
+ TIMEZONE: Europe/Paris
diff --git a/kubernetes/talos/cluster-0/talconfig.yaml b/kubernetes/talos/cluster-0/talconfig.yaml
index 6292f6dd8..21c685209 100644
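Review bot: `CLUSTER_LB_NGINX` is deleted and `CLUSTER_LB_NGINX_INTERNAL`/`CLUSTER_LB_NGINX_EXTERNAL` take its place, so any manifest still using `${CLUSTER_LB_NGINX}` in its `postBuild` substitution stops receiving a value; I am not certain kustomize-controller treats an undefined variable as an error, so this may surface as a Service with an empty load-balancer IP rather than a reconcile failure, and a repository-wide search for the old name before merging is cheap insurance. `CLUSTER_LB_POSTGRES: 192.168.169.118` also publishes PostgreSQL on the BGP-advertised service range; the Service that consumes it lives in `cluster16.yaml` (in the diffstat, not in this chunk), so check that it limits clients, e.g. with `loadBalancerSourceRanges` or a Cilium network policy, and that the database authenticates every client rather than relying on network position.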
--- a/kubernetes/talos/cluster-0/talconfig.yaml +++ b/kubernetes/talos/cluster-0/talconfig.yaml @@ -7,9 +7,9 @@ clusterName: cluster-0 # renovate: datasource=docker depName=ghcr.io/siderolabs/installer -talosVersion: v1.8.1 +talosVersion: v1.9.1 # renovate: datasource=docker depName=ghcr.io/siderolabs/kubelet -kubernetesVersion: v1.31.1 +kubernetesVersion: v1.32.0 endpoint: https://cluster-0.${internalDomain}:6443 allowSchedulingOnMasters: true cniConfig: @@ -35,6 +35,81 @@ patches: - rshared - rw + # Configure containerd + - |- + machine: + files: + - op: create + path: /etc/cri/conf.d/20-customization.part + content: | + [plugins] + [plugins."io.containerd.grpc.v1.cri"] + enable_unprivileged_ports = true + enable_unprivileged_icmp = true + + + # Disable search domain everywhere + - |- + machine: + network: + disableSearchDomain: true + + # Disable Host DNS + - |- + machine: + features: + hostDNS: + enabled: true + resolveMemberNames: true + forwardKubeDNSToHost: false + + # Configure NTP + - |- + machine: + time: + disabled: false + servers: + - time.cloudflare.com + + # Configure cluster loopback + - |- + machine: + network: + extraHostEntries: + - ip: ${clusterEndpointIP} + aliases: + - cluster-0.${internalDomain} + + # Kubelet configuration + - |- + machine: + kubelet: + extraArgs: + rotate-server-certificates: "true" + extraConfig: + maxPods: 150 + + # Custom sysctls + - |- + machine: + sysctls: + fs.inotify.max_queued_events: "65536" + fs.inotify.max_user_instances: "8192" + fs.inotify.max_user_watches: "524288" + net.core.rmem_max: "7500000" + net.core.wmem_max: "7500000" + + # Redirect logs + # - |- + # machine: + # install: + # extraKernelArgs: + # - "talos.logging.kernel=udp://192.168.169.108:6050/" + # logging: + # destinations: + # - endpoint: "udp://192.168.169.108:6051/" + # format: json_lines + nodes: - hostname: talos-node-1 ipAddress: 192.168.9.101 
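Review bot: The comment `# Disable Host DNS` sits above a patch that sets `hostDNS.enabled: true` with `resolveMemberNames: true` and `forwardKubeDNSToHost: false`; the comment contradicts the setting and appears to have been carried over from the old controlPlane block rather than corrected. `# Host DNS: keep the host resolver enabled, but do not forward kube-dns through it` describes what the patch actually does. Moving the containerd (`enable_unprivileged_ports`/`enable_unprivileged_icmp`), sysctl and kubelet patches from the controlPlane section into the global `patches:` list means they now also reach nodes under the `worker:` section this commit introduces (that section starts in the next hunk, outside this one), which looks intended but changes what any future worker inherits and deserves a line saying so. The NTP change from `192.168.8.1` to `time.cloudflare.com` likewise makes time sync depend on outbound UDP/123 to the internet rather than the local gateway, which matters if egress is filtered.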
@@ -60,101 +135,51 @@ controlPlane: - net.ifnames=0 systemExtensions: officialExtensions: - - siderolabs/i915-ucode + - siderolabs/i915 - siderolabs/intel-ucode - siderolabs/mei patches: - # Disable search domain everywhere - - |- - machine: - network: - disableSearchDomain: true - - # Disable Host DNS - - |- - machine: - features: - hostDNS: - enabled: true - resolveMemberNames: true - forwardKubeDNSToHost: false - - # Configure NTP - - |- - machine: - time: - disabled: false - servers: - - 192.168.8.1 - - # Enable KubePrism - - |- - machine: - features: - kubePrism: - enabled: true - port: 7445 - - # Configure cluster loopback - - |- - machine: - network: - extraHostEntries: - - ip: ${clusterEndpointIP} - aliases: - - cluster-0.${internalDomain} - # Cluster configuration - |- cluster: - allowSchedulingOnMasters: true + allowSchedulingOnControlPlanes: true + controllerManager: + extraArgs: + bind-address: 0.0.0.0 + coreDNS: + disabled: true proxy: disabled: true - - # Configure containerd - - |- - machine: - files: - - op: create - path: /etc/cri/conf.d/20-customization.part - content: | - [plugins] - [plugins."io.containerd.grpc.v1.cri"] - enable_unprivileged_ports = true - enable_unprivileged_icmp = true + scheduler: + extraArgs: + bind-address: 0.0.0.0 + config: + apiVersion: kubescheduler.config.k8s.io/v1 + kind: KubeSchedulerConfiguration + profiles: + - schedulerName: default-scheduler + pluginConfig: + - name: PodTopologySpread + args: + defaultingType: List + defaultConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: ScheduleAnyway # Disable default API server admission plugins. 
- |- - op: remove path: /cluster/apiServer/admissionControl - # Kubelet configuration - - |- - machine: - kubelet: - extraArgs: - rotate-server-certificates: "true" - extraConfig: - maxPods: 150 - - # Custom sysctls - - |- - machine: - sysctls: - fs.inotify.max_queued_events: "65536" - fs.inotify.max_user_instances: "8192" - fs.inotify.max_user_watches: "524288" - net.core.rmem_max: "7500000" - net.core.wmem_max: "7500000" - - # Redirect logs - # - |- - # machine: - # install: - # extraKernelArgs: - # - "talos.logging.kernel=udp://192.168.169.108:6050/" - # logging: - # destinations: - # - endpoint: "udp://192.168.169.108:6051/" - # format: json_lines +worker: + schematic: + customization: + extraKernelArgs: + - net.ifnames=0 + systemExtensions: + officialExtensions: + - siderolabs/i915 + - siderolabs/intel-ucode + - siderolabs/mei