diff --git a/cluster/apps/kube-tools/kyverno/policies/apply-ingress-external-dns-annotations.yaml b/cluster/apps/kube-tools/kyverno/policies/apply-ingress-external-dns-annotations.yaml index fcc632772..772507368 100644 --- a/cluster/apps/kube-tools/kyverno/policies/apply-ingress-external-dns-annotations.yaml +++ b/cluster/apps/kube-tools/kyverno/policies/apply-ingress-external-dns-annotations.yaml @@ -28,5 +28,3 @@ spec: annotations: +(external-dns.alpha.kubernetes.io/target): |- services.${SECRET_DOMAIN}. - +(external-dns/is-public): |- - true diff --git a/cluster/apps/networking/external-dns/helm-release.yaml b/cluster/apps/networking/external-dns/helm-release.yaml index d251f67fe..c29b69fcf 100644 --- a/cluster/apps/networking/external-dns/helm-release.yaml +++ b/cluster/apps/networking/external-dns/helm-release.yaml @@ -3,7 +3,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: external-dns - namespace: networking + namespace: default spec: interval: 15m chart: @@ -14,7 +14,6 @@ spec: kind: HelmRepository name: external-dns-charts namespace: flux-system - interval: 15m install: createNamespace: true remediation: @@ -23,7 +22,7 @@ spec: remediation: retries: 5 values: - interval: 15m + interval: 2m logLevel: debug provider: ovh env: @@ -43,7 +42,7 @@ spec: name: ovh-external-dns-creds key: consummer-key extraArgs: - - --annotation-filter=external-dns/is-public in (true) + - --annotation-filter=external-dns.home.arpa/enabled in (true) policy: sync sources: - ingress diff --git a/cluster/apps/networking/external-dns/secret.sops.yaml b/cluster/apps/networking/external-dns/secret.sops.yaml index 01e61a4c0..058b09701 100644 --- a/cluster/apps/networking/external-dns/secret.sops.yaml +++ b/cluster/apps/networking/external-dns/secret.sops.yaml 
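Review bot: The new filter `- --annotation-filter=external-dns.home.arpa/enabled in (true)` selects an annotation that nothing in this commit sets, while the Kyverno policy in the same commit stops auto-adding the old `external-dns/is-public` annotation it used to inject on every Ingress. With `policy: sync` unchanged, external-dns will treat every Ingress that lacks the new annotation as unmanaged and, as far as the visible config tells, remove the records it previously created for them. If opt-in publishing is the intent it is worth stating next to the flag, e.g. `# Ingresses are published only when annotated external-dns.home.arpa/enabled: "true"`; otherwise the Kyverno policy should add the new annotation in place of the removed one. The `ovh-external-dns-creds` secret referenced in `env` moves to `default` in the same commit, so the namespace change of this release is consistent.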
@@ -4,7 +4,7 @@ kind: Secret type: Opaque metadata: name: ovh-external-dns-creds - namespace: networking + namespace: default stringData: application-key: ENC[AES256_GCM,data:eM+c4o7krcCr38iYl+V9aw==,iv:bWvn6Du2AYczidEiYcCiiXiCWQoNTM55+pEqEDT5gVg=,tag:XAtpQsK7J7mQWs47qqAt/Q==,type:str] application-secret: ENC[AES256_GCM,data:dsAI3MXIpqC5FQZojzchOUfJPARBYOOUbnmY042w9DQ=,iv:gLh0ySZfm1akVIcnN/LMuuI7GZrBBq/X6mnQd1j9BeA=,tag:wIKWVoDMRfn68Ot56HFPGA==,type:str] @@ -24,8 +24,8 @@ sops: bi8wYjlEM0xGZExSV05HSGlkYjQ2VlUKesUixJpqR2iYx5kNxrbD0kTG1siHVKqq sh8UblAqd1av0/3Qpj9dMF8awR8Q80dElcEwXT90Ks/S7p/uEA358g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-07-03T14:42:00Z" - mac: ENC[AES256_GCM,data:xJz+bm7161D3j/NEHZi9XxEp5uHsDDIqKow/nOQzSeHufyiGg34pdR8ibXt+7p6sru64ZIRNKV/OklwtRrLFoiyM/+ZFsgpWC67ACIdksu0cBjIKXsaKSyvdkcZ/hC9C5wMpYMqABBDogYPhR32PqsJ1VBWlCckG0kjo7PNOubk=,iv:ponCl1jFjElSY8HbCbRv4w4gL0C12deWBRzgrXSQpTE=,tag:p/kxR5ZiVxvX7JO6e/ZtMw==,type:str] + lastmodified: "2022-09-15T09:52:51Z" + mac: ENC[AES256_GCM,data:cZAwl1uF59cBodh8F4KSZU8/sLyoRy6k2rFuYx3KH/YpICKj2Omg9D3cH1uUF+x1URYbRcKajKrIZMmpd6gjvoRERjnreuzosZwxeannkTpfZ0N5ivydTSETa9mjPXCP+4VdPQISG0ZYx91uf0nrsZnK3dPOT0W/TfEhAI3JB9c=,iv:ufpSLuakm9X5VB8ZgHdyZyH6PAo11yKHV5jj7TuNPcU=,tag:+GY39oTJ91codPkDrTQYTw==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.7.3 diff --git a/cluster/apps/networking/certificate/certificate.yaml b/cluster/apps/networking/ingress-nginx/certificate.yaml similarity index 67% rename from cluster/apps/networking/certificate/certificate.yaml rename to cluster/apps/networking/ingress-nginx/certificate.yaml index 5823d8b27..4520402c2 100644 --- a/cluster/apps/networking/certificate/certificate.yaml +++ b/cluster/apps/networking/ingress-nginx/certificate.yaml 
@@ -2,9 +2,10 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" - namespace: networking + name: "${SECRET_CLUSTER_DOMAIN/./-}" + namespace: default spec: + secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls" issuerRef: name: letsencrypt-production kind: ClusterIssuer @@ -12,4 +13,3 @@ spec: dnsNames: - "${SECRET_CLUSTER_DOMAIN}" - "*.${SECRET_CLUSTER_DOMAIN}" - secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" diff --git a/cluster/apps/networking/ingress-nginx/helm-release.yaml b/cluster/apps/networking/ingress-nginx/helm-release.yaml index 0b499c04f..856c5a046 100644 --- a/cluster/apps/networking/ingress-nginx/helm-release.yaml +++ b/cluster/apps/networking/ingress-nginx/helm-release.yaml @@ -3,22 +3,30 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: ingress-nginx - namespace: networking + namespace: default spec: - interval: 5m + interval: 15m chart: spec: - # renovate: registryUrl=https://kubernetes.github.io/ingress-nginx chart: ingress-nginx version: 4.2.5 sourceRef: kind: HelmRepository name: ingress-nginx-charts namespace: flux-system - interval: 5m + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 + dependsOn: + - name: cert-manager + namespace: cert-manager values: controller: - replicaCount: 2 + replicaCount: 3 service: type: LoadBalancer externalIPs: 
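Review bot: `"${SECRET_CLUSTER_DOMAIN/./-}"` replaces only the first `.` in the domain (Flux post-build substitution follows the shell form, where `${var//./-}` is the replace-all variant), so a domain with more than one label boundary yields a name that still contains dots. That is legal for a Certificate and Secret name, but it reads as "all dots replaced", and the same expression is repeated in the ingress-nginx `default-ssl-certificate` value, so the two must stay in sync. Either switch both to `${SECRET_CLUSTER_DOMAIN//./-}` or add a comment above `name:` such as `# only the first '.' is replaced; keep in sync with ingress-nginx default-ssl-certificate`.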
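Review bot: Dropping `# renovate: registryUrl=https://kubernetes.github.io/ingress-nginx` above `chart: ingress-nginx` leaves `version: 4.2.5` pinned without the hint that the unifi release in this commit also loses, while the k8s-gateway release keeps its own renovate comment; if Renovate's chart detection in this repo relies on these comments, the two releases silently stop receiving update PRs. Keeping it is a one-line change: `# renovate: registryUrl=https://kubernetes.github.io/ingress-nginx`. The added `dependsOn` on cert-manager is appropriate given the new default certificate, and `createNamespace: true` is harmless for `default`.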
@@ -26,31 +34,36 @@ spec: externalTrafficPolicy: Local publishService: enabled: true - + ingressClassResource: + default: true config: - ssl-protocols: "TLSv1.3 TLSv1.2" - custom-http-errors: | - 401,403,404,500,501,502,503 - enable-vts-status: "false" + client-header-timeout: 120 + client-body-buffer-size: "100M" + client-body-timeout: 120 + custom-http-errors: |- + 400,401,403,404,500,502,503,504 + enable-brotli: "true" + forwarded-for-header: "CF-Connecting-IP" hsts-max-age: "31449600" - proxy-body-size: "50m" - + keep-alive: 120 + keep-alive-requests: 10000 + proxy-body-size: "100M" + ssl-protocols: "TLSv1.3 TLSv1.2" + use-forwarded-headers: "true" extraArgs: - default-ssl-certificate: "networking/${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" - - resources: - requests: - memory: 250Mi - cpu: 50m - + default-ssl-certificate: |- + default/${SECRET_CLUSTER_DOMAIN/./-}-tls metrics: enabled: true serviceMonitor: enabled: true - namespace: networking + namespace: default namespaceSelector: any: true - + resources: + requests: + memory: 250Mi + cpu: 50m affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: @@ -63,7 +76,6 @@ spec: values: - ingress-nginx topologyKey: kubernetes.io/hostname - defaultBackend: enabled: true image: diff --git a/cluster/apps/networking/ingress-nginx/kustomization.yaml b/cluster/apps/networking/ingress-nginx/kustomization.yaml index 2fa2de20c..b2e0fefe4 100644 --- a/cluster/apps/networking/ingress-nginx/kustomization.yaml +++ b/cluster/apps/networking/ingress-nginx/kustomization.yaml @@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - certificate.yaml - helm-release.yaml diff --git a/cluster/apps/networking/k8s-gateway/helm-release.yaml b/cluster/apps/networking/k8s-gateway/helm-release.yaml index fde965f67..d444ac959 100644 --- a/cluster/apps/networking/k8s-gateway/helm-release.yaml +++ b/cluster/apps/networking/k8s-gateway/helm-release.yaml 
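Review bot: `use-forwarded-headers: "true"` together with `forwarded-for-header: "CF-Connecting-IP"` makes the controller trust client-supplied forwarding headers from any peer, not only from Cloudflare; traffic that reaches the LoadBalancer `externalIPs` directly can carry its own CF-Connecting-IP, and that value then feeds logs, allowlists and rate limits. ingress-nginx scopes this trust with `proxy-real-ip-cidr`, which defaults to `0.0.0.0/0`; set it to the Cloudflare edge ranges, e.g. `proxy-real-ip-cidr: "<CLOUDFLARE_IP_RANGES placeholder>"`. Separately, `client-header-timeout`, `client-body-timeout`, `keep-alive` and `keep-alive-requests` are bare integers while the neighbouring keys are quoted strings; the chart appears to quote config values when rendering the ConfigMap, but writing `client-header-timeout: "120"` keeps the block consistent and correct if that ever changes.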
@@ -3,9 +3,9 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: k8s-gateway - namespace: networking + namespace: default spec: - interval: 5m + interval: 15m chart: spec: # renovate: registryUrl=https://ori-edge.github.io/k8s_gateway/ @@ -15,7 +15,15 @@ spec: kind: HelmRepository name: k8s-gateway-charts namespace: flux-system - interval: 5m + install: + createNamespace: true + crds: CreateReplace + remediation: + retries: 5 + upgrade: + crds: CreateReplace + remediation: + retries: 5 values: domain: "${SECRET_CLUSTER_DOMAIN}" service: diff --git a/cluster/apps/networking/kustomization.yaml b/cluster/apps/networking/kustomization.yaml index 807fd0410..1c7009a47 100644 --- a/cluster/apps/networking/kustomization.yaml +++ b/cluster/apps/networking/kustomization.yaml @@ -2,10 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - namespace.yaml - - certificate - external-dns - ingress-nginx - k8s-gateway - smtp-relay + - tigera-operator - unifi diff --git a/cluster/apps/networking/namespace.yaml b/cluster/apps/networking/namespace.yaml deleted file mode 100644 index fa9575eae..000000000 --- a/cluster/apps/networking/namespace.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: networking diff --git a/cluster/apps/networking/tigera-operator/helm-release.yaml b/cluster/apps/networking/tigera-operator/helm-release.yaml new file mode 100644 index 000000000..00bb5731d --- /dev/null +++ b/cluster/apps/networking/tigera-operator/helm-release.yaml 
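Review bot: Removing `- namespace.yaml` from `resources` drops the `networking` Namespace object from this Kustomization's inventory; if the parent Flux Kustomization has `prune` enabled, the Namespace is garbage-collected together with everything still inside it. Every release in this diff moves to `default`, but `- smtp-relay` is still listed here and nothing in the diff shows it moving, so it is worth confirming it no longer lives in `networking` before this merges. Consolidating the networking stack into `default` also removes the namespace boundary that RBAC and NetworkPolicy scoping could rely on; a short comment above `resources:` stating the intent, e.g. `# networking components are deployed into the default namespace; no dedicated Namespace is created here`, would help the next reader.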
@@ -0,0 +1,47 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: tigera-operator + namespace: tigera-operator +spec: + interval: 15m + chart: + spec: + chart: tigera-operator + version: v3.24.1 + sourceRef: + kind: HelmRepository + name: project-calico-charts + namespace: flux-system + install: + createNamespace: true + crds: CreateReplace + remediation: + retries: 5 + upgrade: + crds: CreateReplace + remediation: + retries: 5 + values: + installation: + enabled: true + registry: quay.io + imagePath: calico + calicoNetwork: + bgp: Enabled + hostPorts: Disabled + # Note: The ipPools section cannot be modified post-install. + ipPools: + - blockSize: 26 + cidr: "${NET_POD_CIDR}" + encapsulation: None + natOutgoing: Enabled + nodeSelector: all() + linuxDataplane: Iptables + multiInterfaceMode: None + nodeAddressAutodetectionV4: + cidrs: + - "${NET_NODE_CIDR}" + nodeMetricsPort: 9091 + typhaMetricsPort: 9093 diff --git a/cluster/apps/networking/certificate/kustomization.yaml b/cluster/apps/networking/tigera-operator/kustomization.yaml similarity index 78% rename from cluster/apps/networking/certificate/kustomization.yaml rename to cluster/apps/networking/tigera-operator/kustomization.yaml index 9d1621978..2fa2de20c 100644 --- a/cluster/apps/networking/certificate/kustomization.yaml +++ b/cluster/apps/networking/tigera-operator/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - certificate.yaml + - helm-release.yaml diff --git a/cluster/apps/networking/unifi/helm-release.yaml b/cluster/apps/networking/unifi/helm-release.yaml index 730cdec1e..659fd2ec7 100644 --- a/cluster/apps/networking/unifi/helm-release.yaml +++ b/cluster/apps/networking/unifi/helm-release.yaml 
@@ -3,28 +3,33 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: unifi - namespace: networking + namespace: default spec: - interval: 5m + interval: 15m chart: spec: - # renovate: registryUrl=https://k8s-at-home.com/charts/ chart: unifi version: 5.1.2 sourceRef: kind: HelmRepository name: k8s-at-home-charts namespace: flux-system - interval: 5m + install: + createNamespace: true + crds: CreateReplace + remediation: + retries: 5 + upgrade: + crds: CreateReplace + remediation: + retries: 5 values: image: repository: jacobalberty/unifi tag: v7.2.92 pullPolicy: IfNotPresent - env: TZ: "${TIMEZONE}" - service: main: type: LoadBalancer @@ -57,7 +62,6 @@ spec: enabled: true port: 10001 protocol: UDP - ingress: main: enabled: true @@ -69,12 +73,10 @@ spec: tls: - hosts: - "unifi.${SECRET_CLUSTER_DOMAIN}" - persistence: data: enabled: true existingClaim: unifi-config - resources: requests: memory: 2Gi diff --git a/cluster/apps/networking/unifi/volume.yaml b/cluster/apps/networking/unifi/volume.yaml index 3e4e43209..2998d35c3 100644 --- a/cluster/apps/networking/unifi/volume.yaml +++ b/cluster/apps/networking/unifi/volume.yaml @@ -3,8 +3,10 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: name: unifi-config - namespace: networking + namespace: default labels: + app.kubernetes.io/name: &name unifi + app.kubernetes.io/instance: *name kasten-io/backup: "true" spec: accessModes: diff --git a/cluster/charts/kustomization.yaml b/cluster/charts/kustomization.yaml index 6f5004c91..00fba05ba 100644 --- a/cluster/charts/kustomization.yaml +++ b/cluster/charts/kustomization.yaml @@ -21,6 +21,7 @@ resources: - kyverno-charts.yaml - metrics-server-charts.yaml - node-feature-discovery.yaml + - project-calico-charts.yaml - prometheus-community-charts.yaml - rook-ceph-charts.yaml - runix-charts.yaml diff --git a/cluster/charts/project-calico-charts.yaml b/cluster/charts/project-calico-charts.yaml new file mode 100644 index 000000000..4911c3bd8 
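Review bot: The `&name unifi` / `*name` anchor pair in `labels` of the PersistentVolumeClaim saves one five-character literal at the cost of a YAML feature that some Kubernetes tooling and schema validators do not expand, and it is the only anchor in this diff. Writing `app.kubernetes.io/instance: unifi` plainly keeps the manifest greppable and avoids depending on the alias being resolved before any selector is evaluated against these labels.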
--- /dev/null +++ b/cluster/charts/project-calico-charts.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: project-calico-charts + namespace: flux-system +spec: + interval: 1h + url: https://projectcalico.docs.tigera.io/charts