From 296a956c03d026862ab3543733f73bb74dc205ab Mon Sep 17 00:00:00 2001 
From: auricom <27022259+auricom@users.noreply.github.com> Date: Mon, 9 Aug 2021 01:50:30 +0200 Subject: [PATCH] fix: traefik --- cluster/apps/data/bookstack/helm-release.yaml | 38 +++++----- .../apps/data/forecastle/helm-release.yaml | 44 ----------- cluster/apps/data/freshrss/helm-release.yaml | 25 +++--- cluster/apps/data/homer/helm-release.yaml | 43 +++++++---- .../apps/data/joplin-server/helm-release.yaml | 25 +++--- cluster/apps/data/kustomization.yaml | 1 - cluster/apps/data/pgadmin/helm-release.yaml | 46 ++++++----- cluster/apps/data/recipes/helm-release.yaml | 51 +++++++------ .../apps/data/resilio-sync/statefulset.yaml | 15 ++-- cluster/apps/data/sharry/helm-release.yaml | 62 +++++++-------- .../apps/data/vaultwarden/helm-release.yaml | 27 ++++--- cluster/apps/data/vikunja/helm-release.yaml | 51 ++++++------- cluster/apps/data/wallabag/helm-release.yaml | 60 ++++++++------- .../docker-registry/helm-release.yaml | 37 ++++++--- .../apps/development/drone/helm-release.yaml | 29 +++++-- .../apps/development/gitea/helm-release.yaml | 69 ++++++++++------- .../home-automation/emqx/helm-release.yaml | 48 ++++++++---- .../home-automation/frigate/helm-release.yaml | 47 +++++++----- .../home-assistant/helm-release.yaml | 35 +++++++-- .../zigbee2mqtt/helm-release.yaml | 14 +++- .../zwavejs2mqtt/helm-release.yaml | 21 +++-- cluster/apps/kasten-io/k10/helm-release.yaml | 21 +++-- cluster/apps/kustomization.yaml | 1 + cluster/apps/media/bazarr/helm-release.yaml | 36 +++++---- cluster/apps/media/flood/helm-release.yaml | 38 +++++----- cluster/apps/media/jellyfin/helm-release.yaml | 65 ++++++++-------- cluster/apps/media/lidarr/helm-release.yaml | 75 +++++++++--------- cluster/apps/media/lychee/helm-release.yaml | 45 +++++------ .../apps/media/navidrome/helm-release.yaml | 45 +++++------ cluster/apps/media/prowlarr/helm-release.yaml | 33 ++++---- cluster/apps/media/pyload/helm-release.yaml | 45 ++++++----- .../apps/media/qbittorrent/helm-release.yaml | 66 ++++++++-------- 
cluster/apps/media/radarr/helm-release.yaml | 74 ++++++++++-------- cluster/apps/media/sabnzbd/helm-release.yaml | 73 ++++++++++-------- cluster/apps/media/sonarr/helm-release.yaml | 72 ++++++++++-------- cluster/apps/media/tdarr/helm-release.yaml | 39 +++++----- .../apps/media/travelstories/deployment.yaml | 17 ++--- .../blackbox-exporter/helm-release.yaml | 22 +++++- .../monitoring/healthchecks/helm-release.yaml | 23 +++--- .../kube-prometheus-stack/helm-release.yaml | 10 +-- .../apps/monitoring/thanos/helm-release.yaml | 14 +++- .../monitoring/uptime-kuma/statefulset.yaml | 8 +- .../apps/networking/authelia/deployment.yaml | 6 +- .../networking/authentik/helm-release.yaml | 9 ++- .../networking/certificate/certificate.yaml | 2 +- .../networking/certificate/kustomization.yaml | 1 + .../ingress-nginx/helm-release.yaml | 2 +- .../ingress-nginx/ingressclass.yaml | 9 +++ .../ingress-nginx/kustomization.yaml | 1 + .../networking/traefik/dashboard/ingress.yaml | 8 +- .../apps/networking/traefik/helm-release.yaml | 37 +++++++-- .../apps/networking/traefik/ingressclass.yaml | 9 +++ .../networking/traefik/kustomization.yaml | 2 + .../traefik/middlewares/kustomization.yaml | 1 + .../traefik/middlewares/ratelimit.yaml | 10 +++ .../networking/traefik/prometheus-rules.yaml | 72 ++++++++++++++++++ .../networking/traefik/tls-store/default.yaml | 2 +- .../apps/networking/unifi/helm-release.yaml | 76 +++++++++---------- .../kustomization.yaml | 4 +- cluster/apps/secret-reflector/rbac.yaml | 40 ++++++++++ .../secret-reflector/secret-reflector.yaml | 49 ++++++++++++ cluster/base-custom/charts/kustomization.yaml | 1 - .../base-custom/charts/mittwald-charts.yaml | 10 --- .../base-custom/secrets/cluster-secrets.yaml | 5 +- .../base-custom/secrets/kustomization.yaml | 5 +- cluster/base-custom/secrets/regcred-data.yaml | 59 -------------- .../secrets/regcred-development.yaml | 59 -------------- .../{regcred-media.yaml => regcred.yaml} | 6 +- cluster/base-custom/secrets/replicated.yaml | 
10 --- .../kubernetes-replicator/helm-release.yaml | 20 ----- .../kubernetes-replicator/kustomization.yaml | 4 - cluster/core/kube-system/kustomization.yaml | 1 - cluster/core/rook-ceph/dashboard/ingress.yaml | 6 +- 73 files changed, 1167 insertions(+), 969 deletions(-) delete mode 100644 cluster/apps/data/forecastle/helm-release.yaml create mode 100644 cluster/apps/networking/ingress-nginx/ingressclass.yaml create mode 100644 cluster/apps/networking/traefik/ingressclass.yaml create mode 100644 cluster/apps/networking/traefik/middlewares/ratelimit.yaml create mode 100644 cluster/apps/networking/traefik/prometheus-rules.yaml rename cluster/apps/{data/forecastle => secret-reflector}/kustomization.yaml (63%) create mode 100644 cluster/apps/secret-reflector/rbac.yaml create mode 100644 cluster/apps/secret-reflector/secret-reflector.yaml delete mode 100644 cluster/base-custom/charts/mittwald-charts.yaml delete mode 100644 cluster/base-custom/secrets/regcred-data.yaml delete mode 100644 cluster/base-custom/secrets/regcred-development.yaml rename cluster/base-custom/secrets/{regcred-media.yaml => regcred.yaml} (89%) delete mode 100644 cluster/base-custom/secrets/replicated.yaml delete mode 100644 cluster/core/kube-system/kubernetes-replicator/helm-release.yaml delete mode 100644 cluster/core/kube-system/kubernetes-replicator/kustomization.yaml diff --git a/cluster/apps/data/bookstack/helm-release.yaml b/cluster/apps/data/bookstack/helm-release.yaml index 83a79008a..45291c3eb 100644 --- a/cluster/apps/data/bookstack/helm-release.yaml +++ b/cluster/apps/data/bookstack/helm-release.yaml 
@@ -20,8 +20,21 @@ spec: image: repository: ghcr.io/linuxserver/bookstack pullPolicy: IfNotPresent - # Overrides the image tag whose default is the chart appVersion. tag: "version-v21.05.4" + + env: + APP_URL: https://bookstack.${SECRET_CLUSTER_DOMAIN}/ + DB_HOST: bookstack-mariadb + DB_DATABASE: bookstack + DB_USERNAME: bookstack + DB_PASSWORD: ${SECRET_BOOKSTACK_DB_PASSWORD} + + persistence: + config: + enabled: true + mountPath: /config + existingClaim: bookstack-config + mariadb: enabled: true image: @@ -36,34 +49,25 @@ spec: persistence: enabled: true existingClaim: bookstack-db - env: - APP_URL: https://bookstack.${SECRET_CLUSTER_DOMAIN}/ - DB_HOST: bookstack-mariadb - DB_DATABASE: bookstack - DB_USERNAME: bookstack - DB_PASSWORD: ${SECRET_BOOKSTACK_DB_PASSWORD} + service: main: annotations: prometheus.io/probe: "true" prometheus.io/protocol: http + ingress: main: enabled: true - ingressClassName: "nginx" + ingressClassName: "traefik" annotations: traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Bookstack" - forecastle.stakater.com/icon: "https://yunohost.org/user/images/logo-bookstack.png?height=80?height=80" - forecastle.stakater.com/network-restricted: "true" hosts: - host: bookstack.${SECRET_CLUSTER_DOMAIN} paths: - path: / pathType: Prefix - persistence: - config: - enabled: true - mountPath: /config - existingClaim: bookstack-config + tls: + - hosts: + - "bookstack.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" diff --git a/cluster/apps/data/forecastle/helm-release.yaml b/cluster/apps/data/forecastle/helm-release.yaml deleted file mode 100644 index a26c94ced..000000000 --- a/cluster/apps/data/forecastle/helm-release.yaml +++ /dev/null 
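Review bot: The `env` block moved onto the new side still inlines `DB_PASSWORD: ${SECRET_BOOKSTACK_DB_PASSWORD}` as a plain scalar, while the same hunk quotes the host and certificate substitutions. Flux replaces the variable in the manifest text before it is parsed, so a value that is all digits, starts with a YAML indicator such as `*`, `&` or `{`, or contains `: ` is retyped or breaks the document. Quote it like the other substitutions, `DB_PASSWORD: "${SECRET_BOOKSTACK_DB_PASSWORD}"`. The same applies wherever a secret is inlined unquoted in the other helm-release hunks of this patch.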
@@ -1,44 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: forecastle - namespace: data -spec: - interval: 5m - chart: - spec: - # renovate: registryUrl=https://stakater.github.io/stakater-charts - chart: forecastle - version: v1.0.65 - sourceRef: - kind: HelmRepository - name: stakater-charts - namespace: flux-system - interval: 5m - values: - forecastle: - config: - title: "Healthchecks" - namespaceSelector: - matchNames: - - data - - development - - home - - media - - networking - ingress: - enabled: true - ingressClassName: "nginx" - annotations: - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd - hosts: - - host: home.${SECRET_CLUSTER_DOMAIN} - paths: - - / - - host: services.${SECRET_CLUSTER_DOMAIN} - paths: - - / diff --git a/cluster/apps/data/freshrss/helm-release.yaml b/cluster/apps/data/freshrss/helm-release.yaml index 5f73b7117..5527fef8a 100644 --- a/cluster/apps/data/freshrss/helm-release.yaml +++ b/cluster/apps/data/freshrss/helm-release.yaml 
@@ -17,32 +17,34 @@ spec: namespace: flux-system interval: 5m values: - controllerType: deployment - strategy: - type: Recreate image: repository: freshrss/freshrss tag: 1.18.1 pullPolicy: IfNotPresent + env: TZ: Europe/Paris CRON_MIN: "18,48" DOMAIN: "https://freshrss.${SECRET_CLUSTER_DOMAIN}/" + + persistence: + config: + enabled: true + mountPath: /var/www/FreshRSS/data + existingClaim: freshrss-config + service: main: annotations: prometheus.io/probe: "true" prometheus.io/protocol: http + ingress: main: enabled: true + ingressClassName: "traefik" annotations: - kubernetes.io/ingress.class: "nginx" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "FreshRSS" - forecastle.stakater.com/icon: "https://raw.githubusercontent.com/FreshRSS/FreshRSS/edge/docs/img/FreshRSS-logo.png" - forecastle.stakater.com/network-restricted: "true" hosts: - host: freshrss.${SECRET_CLUSTER_DOMAIN} paths: @@ -51,11 +53,8 @@ spec: tls: - hosts: - "freshrss.${SECRET_CLUSTER_DOMAIN}" - persistence: - config: - enabled: true - mountPath: /var/www/FreshRSS/data - existingClaim: freshrss-config + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" + resources: requests: cpu: 50m diff --git a/cluster/apps/data/homer/helm-release.yaml b/cluster/apps/data/homer/helm-release.yaml index 346e0104d..78f7f8aca 100644 --- a/cluster/apps/data/homer/helm-release.yaml +++ b/cluster/apps/data/homer/helm-release.yaml 
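Review bot: The `secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"` added to the `tls` entry names a Secret that must exist in the `data` namespace of this Ingress; if the certificate is issued elsewhere and not copied into this namespace (the diffstat suggests a secret-reflector is being added for that), Traefik only logs an error for the entry and serves its default TLS store certificate instead, so a missing copy is easy to miss. A one-line comment on the entry would help the next reader, e.g. `# expects the cluster certificate to be replicated into this namespace (see cluster/apps/secret-reflector)`. The same point applies to every per-app `tls` block in this patch.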
@@ -21,20 +21,39 @@ spec: repository: b4bz/homer tag: 21.07.1 pullPolicy: IfNotPresent + env: TZ: "Europe/Paris" + + persistence: + config: + enabled: true + mountPath: /www/assets + existingClaim: homer-config + + service: + main: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: http + ingress: main: enabled: true - ingressClassName: "nginx" + ingressClassName: "traefik" annotations: - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd hosts: - - host: homer.${SECRET_CLUSTER_DOMAIN} + - host: "homer.${SECRET_CLUSTER_DOMAIN}" paths: - path: / pathType: Prefix + tls: + - hosts: + - "homer.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" + addons: codeserver: enabled: true @@ -51,21 +70,19 @@ spec: - "/www/assets/.vscode" ingress: enabled: true - ingressClassName: "nginx" + ingressClassName: "traefik" annotations: - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd hosts: - - host: homer-config.${SECRET_CLUSTER_DOMAIN} + - host: "homer-config.${SECRET_CLUSTER_DOMAIN}" paths: - path: / pathType: Prefix + tls: + - hosts: + - "homer-config.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" volumeMounts: - name: config mountPath: /www/assets - persistence: - config: - enabled: true - mountPath: /www/assets - existingClaim: homer-config 
diff --git a/cluster/apps/data/joplin-server/helm-release.yaml b/cluster/apps/data/joplin-server/helm-release.yaml index 8641b0158..38d172591 100644 --- a/cluster/apps/data/joplin-server/helm-release.yaml +++ b/cluster/apps/data/joplin-server/helm-release.yaml @@ -22,17 +22,6 @@ spec: tag: 2.2.10 pullPolicy: IfNotPresent - controllerType: deployment - - strategy: - type: Recreate - - service: - main: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: tcp - env: APP_BASE_URL: https://joplin.${SECRET_CLUSTER_DOMAIN} APP_PORT: 22300 @@ -43,14 +32,24 @@ spec: POSTGRES_USER: joplin POSTGRES_PASSWORD: ${SECRET_JOPLIN_DB_PASSWORD} + service: + main: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: tcp + ingress: main: enabled: true - ingressClassName: "nginx" + ingressClassName: "traefik" annotations: traefik.ingress.kubernetes.io/router.entrypoints: "websecure" hosts: - - host: joplin.${SECRET_CLUSTER_DOMAIN} + - host: "joplin.${SECRET_CLUSTER_DOMAIN}" paths: - path: / pathType: Prefix + tls: + - hosts: + - "joplin.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" diff --git a/cluster/apps/data/kustomization.yaml b/cluster/apps/data/kustomization.yaml index eb17dd94a..e659300d2 100644 --- a/cluster/apps/data/kustomization.yaml +++ b/cluster/apps/data/kustomization.yaml @@ -4,7 +4,6 @@ kind: Kustomization resources: - namespace.yaml - bookstack - - forecastle - freshrss - homer - jobs diff --git a/cluster/apps/data/pgadmin/helm-release.yaml b/cluster/apps/data/pgadmin/helm-release.yaml index 70a79a4ca..9c5e7463c 100644 --- a/cluster/apps/data/pgadmin/helm-release.yaml +++ b/cluster/apps/data/pgadmin/helm-release.yaml 
@@ -17,32 +17,40 @@ spec: namespace: flux-system interval: 5m values: - strategy: - type: Recreate image: repository: dpage/pgadmin4 tag: 5.5 pullPolicy: IfNotPresent + env: email: ${SECRET_PGADMIN_EMAIL} password: ${SECRET_PGADMIN_PASSWORD} - ingress: - enabled: true - ingressClassName: "nginx" - annotations: - nginx.ingress.kubernetes.io/client-body-buffer-size: "50m" - nginx.ingress.kubernetes.io/proxy-body-size: "50m" - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-medium@kubernetescrd - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "pgAdmin" - forecastle.stakater.com/icon: "https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-110x117.png" - forecastle.stakater.com/network-restricted: "true" - hosts: - - host: pgadmin.${SECRET_CLUSTER_DOMAIN} - paths: - - path: / - pathType: Prefix + persistentVolume: enabled: true existingClaim: pgadmin-config + + ingress: + enabled: true + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-medium@kubernetescrd + hosts: + - host: "pgadmin.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "pgadmin.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" + postRenderers: + - kustomize: + patchesJson6902: + - target: + kind: Ingress + name: pgadmin-pgadmin4 + patch: + - op: add + path: /spec/ingressClassName + value: traefik diff --git a/cluster/apps/data/recipes/helm-release.yaml b/cluster/apps/data/recipes/helm-release.yaml index 3010bbcd1..bd29ab6e2 100644 --- a/cluster/apps/data/recipes/helm-release.yaml +++ b/cluster/apps/data/recipes/helm-release.yaml 
@@ -17,13 +17,11 @@ spec: namespace: flux-system interval: 5m values: - controllerType: deployment - strategy: - type: Recreate image: repository: vabene1111/recipes tag: 0.16.7 pullPolicy: IfNotPresent + env: SECRET_KEY: ${SECRET_RECIPES_SECRET_KEY} DEBUG: "0" @@ -39,33 +37,13 @@ spec: FRACTION_PREF_DEFAULT: "0" COMMENT_PREF_DEFAULT: "1" SHOPPING_MIN_AUTOSYNC_INTERVAL: "5" - service: - main: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http + sidecar: image: repository: nginx tag: 1.21.1 pullPolicy: IfNotPresent - ingress: - main: - enabled: true - ingressClassName: "nginx" - annotations: - nginx.ingress.kubernetes.io/client-body-buffer-size: "10m" - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-small@kubernetescrd - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Recipes" - forecastle.stakater.com/icon: "https://raw.githubusercontent.com/vabene1111/recipes/develop/docs/logo_color.svg" - forecastle.stakater.com/network-restricted: "true" - hosts: - - host: recipes.${SECRET_CLUSTER_DOMAIN} - paths: - - path: / - pathType: Prefix + persistence: media: enabled: true @@ -74,3 +52,26 @@ spec: static: enabled: true type: emptyDir + + service: + main: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: http + + ingress: + main: + enabled: true + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-small@kubernetescrd + hosts: + - host: "recipes.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "recipes.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" diff --git a/cluster/apps/data/resilio-sync/statefulset.yaml b/cluster/apps/data/resilio-sync/statefulset.yaml index 3f79ef8c4..fa8f31029 100644 
--- a/cluster/apps/data/resilio-sync/statefulset.yaml +++ b/cluster/apps/data/resilio-sync/statefulset.yaml @@ -207,19 +207,20 @@ kind: Ingress metadata: annotations: traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Resilio Sync" - forecastle.stakater.com/icon: "https://avatars.githubusercontent.com/u/12284211?s=200&v=4" - forecastle.stakater.com/network-restricted: "true" labels: app.kubernetes.io/instance: resilio-sync app.kubernetes.io/name: resilio-sync name: resilio-sync namespace: data spec: - ingressClassName: "nginx" + ingressClassName: "traefik" + tls: + - hosts: + - "resilio-sync-claude.${SECRET_CLUSTER_DOMAIN}" + - "resilio-sync-helene.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" rules: - - host: resilio-sync-claude.${SECRET_CLUSTER_DOMAIN} + - host: "resilio-sync-claude.${SECRET_CLUSTER_DOMAIN}" http: paths: - path: / @@ -229,7 +230,7 @@ spec: name: resilio-sync port: number: 8888 - - host: resilio-sync-helene.${SECRET_CLUSTER_DOMAIN} + - host: "resilio-sync-helene.${SECRET_CLUSTER_DOMAIN}" http: paths: - path: / diff --git a/cluster/apps/data/sharry/helm-release.yaml b/cluster/apps/data/sharry/helm-release.yaml index d8f1c84d0..58803d787 100644 --- a/cluster/apps/data/sharry/helm-release.yaml +++ b/cluster/apps/data/sharry/helm-release.yaml 
@@ -22,44 +22,9 @@ spec: tag: 1.8.0 pullPolicy: IfNotPresent - controllerType: deployment - - strategy: - type: Recreate - - persistence: - sharry-config: - enabled: "false" - - service: - main: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http - args: - "/opt/sharry.conf" - ingress: - main: - enabled: true - ingressClassName: "nginx" - annotations: - nginx.ingress.kubernetes.io/client-body-buffer-size: "2048m" - nginx.ingress.kubernetes.io/proxy-body-size: "2048m" - nginx.ingress.kubernetes.io/proxy-buffering: "off" - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-large@kubernetescrd - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Sharry" - forecastle.stakater.com/icon: "https://raw.githubusercontent.com/eikek/sharry/master/artwork/icon.png" - forecastle.stakater.com/network-restricted: "true" - hosts: - - host: sharry.${SECRET_CLUSTER_DOMAIN} - paths: - - path: / - pathType: Prefix - config: | sharry.restserver { base-url = "https://sharry.${SECRET_CLUSTER_DOMAIN}" @@ -135,3 +100,30 @@ spec: } } } + + persistence: + sharry-config: + enabled: "false" + + service: + main: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: http + + ingress: + main: + enabled: true + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-large@kubernetescrd + hosts: + - host: "sharry.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "sharry.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" diff --git a/cluster/apps/data/vaultwarden/helm-release.yaml b/cluster/apps/data/vaultwarden/helm-release.yaml index 590484743..e5878ba97 100644 --- a/cluster/apps/data/vaultwarden/helm-release.yaml 
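Review bot: `persistence.sharry-config.enabled: "false"` is re-added as a quoted string; if the chart gates the volume with a Go-template `if` (the usual way charts test an `enabled` flag), a non-empty string is truthy, so the entry may be rendered despite the intent to disable it. Use the boolean, `enabled: false`, as every other `enabled` key in this patch does. The value is carried over from the removed block, so this is pre-existing, but the new side is the one being reviewed.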
+++ b/cluster/apps/data/vaultwarden/helm-release.yaml @@ -21,6 +21,7 @@ spec: repository: vaultwarden/server tag: 1.22.2 pullPolicy: IfNotPresent + env: DOMAIN: "https://vaultwarden.${SECRET_CLUSTER_DOMAIN}/" ADMIN_TOKEN: ${SECRET_VAULTWARDEN_ADMIN_TOKEN} @@ -36,23 +37,26 @@ spec: SMTP_SSL: "true" SMTP_USERNAME: ${SECRET_SMTP_USERNAME} SMTP_PASSWORD: ${SECRET_VAULTWARDEN_SMTP_PASSWORD} + + persistence: + config: + enabled: true + existingClaim: vaultwarden-data + service: main: annotations: prometheus.io/probe: "true" prometheus.io/protocol: tcp + ingress: main: enabled: true - ingressClassName: "nginx" + ingressClassName: "traefik" annotations: traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Vaultwarden" - forecastle.stakater.com/icon: "https://image.winudf.com/v2/image1/Y29tLng4Yml0LmJpdHdhcmRlbl9pY29uXzE1OTM0NTk3NDNfMDA2/icon.png?fakeurl=1&h=120" - forecastle.stakater.com/network-restricted: "true" hosts: - - host: vaultwarden.${SECRET_CLUSTER_DOMAIN} + - host: "vaultwarden.${SECRET_CLUSTER_DOMAIN}" paths: - path: / pathType: Prefix @@ -61,11 +65,12 @@ spec: - path: /notifications/hub pathType: Prefix servicePort: 3012 - - host: bitwarden.${SECRET_CLUSTER_DOMAIN} + - host: "bitwarden.${SECRET_CLUSTER_DOMAIN}" paths: - path: / pathType: Prefix - persistence: - config: - enabled: true - existingClaim: vaultwarden-data + tls: + - hosts: + - "vaultwarden.${SECRET_CLUSTER_DOMAIN}" + - "bitwarden.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" diff --git a/cluster/apps/data/vikunja/helm-release.yaml b/cluster/apps/data/vikunja/helm-release.yaml index 5f46c06b0..27f93d30e 100644 --- a/cluster/apps/data/vikunja/helm-release.yaml +++ b/cluster/apps/data/vikunja/helm-release.yaml 
@@ -22,10 +22,14 @@ spec: tag: 2.4.3-alpine pullPolicy: IfNotPresent - controllerType: deployment + postgresql: + enabled: false - strategy: - type: Recreate + persistence: + files: + enabled: true + existingClaim: vikunja-files + mountpath: /app/vikunja/files service: main: @@ -35,6 +39,22 @@ spec: prometheus.io/probe: "true" prometheus.io/protocol: http + ingress: + main: + enabled: true + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + hosts: + - host: "vikunja.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "vikunja.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" + additionalContainers: - name: api image: vikunja/api:0.17.1 @@ -56,28 +76,3 @@ spec: mountPath: /app/vikunja/files - name: frontend image: vikunja/frontend:0.17.0 - - ingress: - main: - enabled: true - ingressClassName: "nginx" - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Vikunja" - forecastle.stakater.com/icon: "https://vikunja.io/docs/images/vikunja-logo-white.svg" - forecastle.stakater.com/network-restricted: "true" - hosts: - - host: vikunja.${SECRET_CLUSTER_DOMAIN} - paths: - - path: / - pathType: Prefix - - persistence: - files: - enabled: true - existingClaim: vikunja-files - mountpath: /app/vikunja/files - - postgresql: - enabled: false diff --git a/cluster/apps/data/wallabag/helm-release.yaml b/cluster/apps/data/wallabag/helm-release.yaml index 1c9bffddf..519016ddb 100644 --- a/cluster/apps/data/wallabag/helm-release.yaml +++ b/cluster/apps/data/wallabag/helm-release.yaml @@ -21,6 +21,7 @@ spec: # Upgrading the wallabag version generally requires a migration. # see https://doc.wallabag.org/en/admin/upgrade.html tag: 2.4.2 + env: SYMFONY__ENV__DATABASE_DRIVER: pdo_pgsql SYMFONY__ENV__DATABASE_HOST: postgresql-kube.data.svc.cluster.local. 
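Review bot: The re-added `persistence.files` block spells the key `mountpath`, while the `additionalContainers` entry later in this same hunk and the persistence blocks in the other helm-release hunks of this patch use `mountPath`; a chart that reads `mountPath` would ignore the lowercase key and mount the claim at its default path. Unless the chart really expects the lowercase spelling, change it to `mountPath: /app/vikunja/files`.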
@@ -34,33 +35,7 @@ spec: SYMFONY__ENV__FOSUSER_REGISTRATION: "false" SYMFONY__ENV__FOSUSER_CONFIRMATION: "false" POPULATE_DATABASE: "false" - securityContext: - runAsUser: 0 - service: - main: - ports: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http - ingress: - main: - enabled: true - ingressClassName: "nginx" - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Wallabag" - forecastle.stakater.com/icon: "https://cdnx.nextinpact.com/compress/850-412/data-next/images/bd/wide-linked-media/545.jpg" - forecastle.stakater.com/network-restricted: "true" - hosts: - - host: wallabag.${SECRET_CLUSTER_DOMAIN} - paths: - - path: / - pathType: Prefix - persistence: - images: - enabled: true - existingClaim: wallabag-images + redis: enabled: true clusterDomain: ${CLUSTER_DOMAIN} @@ -69,3 +44,34 @@ spec: replicaCount: 0 persistence: enabled: false + + persistence: + images: + enabled: true + existingClaim: wallabag-images + + securityContext: + runAsUser: 0 + + service: + main: + ports: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: http + + ingress: + main: + enabled: true + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + hosts: + - host: "wallabag.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "wallabag.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" diff --git a/cluster/apps/development/docker-registry/helm-release.yaml b/cluster/apps/development/docker-registry/helm-release.yaml index f96c005d3..8200e23a7 100644 --- a/cluster/apps/development/docker-registry/helm-release.yaml +++ b/cluster/apps/development/docker-registry/helm-release.yaml 
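Review bot: `securityContext.runAsUser: 0` is re-added on the new side, so the wallabag container keeps running as root; it is carried over unchanged, but a comment stating why root is needed would stop the next reader from treating it as an oversight, e.g. `# NOTE: runs as root — confirm the image still requires it`. Also `service.main.ports:` appears as a bare key with no value in the moved block; as collapsed here it would parse as null rather than an empty map, so write `ports: {}` or drop it if the indentation confirms it is empty.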
@@ -18,29 +18,44 @@ spec: interval: 5m values: storage: s3 + s3: region: "us-east-1" regionEndpoint: ${SECRET_MINIO_ENDPOINT} bucket: docker-registry encrypt: false secure: true + secrets: htpasswd: ${SECRET_DOCKER_REGISTRY_HTPASSWD} s3: accessKey: ${SECRET_MINIO_ACCESS_KEY} secretKey: ${SECRET_MINIO_SECRET_KEY} - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/proxy-body-size: "0" - nginx.ingress.kubernetes.io/proxy-read-timeout: "600" - nginx.ingress.kubernetes.io/proxy-send-timeout: "600" - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-large@kubernetescrd - hosts: - - registry.${SECRET_CLUSTER_DOMAIN} + service: annotations: prometheus.io/probe: "true" prometheus.io/protocol: http + + ingress: + enabled: true + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-large@kubernetescrd + hosts: + - "registry.${SECRET_CLUSTER_DOMAIN}" + tls: + - hosts: + - "registry.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" + + postRenderers: + - kustomize: + patchesJson6902: + - target: + kind: Ingress + name: docker-registry + patch: + - op: add + path: /spec/ingressClassName + value: traefik diff --git a/cluster/apps/development/drone/helm-release.yaml b/cluster/apps/development/drone/helm-release.yaml index ac7d30cba..4268b1b2c 100644 --- a/cluster/apps/development/drone/helm-release.yaml +++ b/cluster/apps/development/drone/helm-release.yaml @@ -17,13 +17,10 @@ spec: namespace: flux-system interval: 5m values: - updateStrategy: - type: Recreate image: repository: drone/drone tag: 2.0.4 - persistentVolume: - enabled: false + env: DRONE_DATABASE_DRIVER: postgres DRONE_DATABASE_DATASOURCE: ${SECRET_DRONE_DATABASE_DATASOURCE} 
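Review bot: The removed ingress set `nginx.ingress.kubernetes.io/proxy-body-size: "0"` (no request-body limit) plus 600 s read/send timeouts, and the new side keeps only the `networking-buffering-large@kubernetescrd` middleware, whose limits are not visible in this patch. If that middleware caps the request body or leaves Traefik's default timeouts in place, pushes of layers larger than the cap will be rejected by the registry ingress. Confirm the middleware's `maxRequestBodyBytes` against the largest layer you expect, or record the limit in a comment on the annotation.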
@@ -38,11 +35,31 @@ spec: DRONE_LOGS_COLOR: true DRONE_SERVER_PROTO: https DRONE_SERVER_HOST: drone.${SECRET_CLUSTER_DOMAIN} + + updateStrategy: + type: Recreate + + persistentVolume: + enabled: false + ingress: enabled: true annotations: - kubernetes.io/ingress.class: "nginx" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" hosts: - - host: drone.${SECRET_CLUSTER_DOMAIN} + - host: "drone.${SECRET_CLUSTER_DOMAIN}" paths: ["/"] + tls: + - hosts: + - "wallabag.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" + postRenderers: + - kustomize: + patchesJson6902: + - target: + kind: Ingress + name: drone + patch: + - op: add + path: /spec/ingressClassName + value: traefik diff --git a/cluster/apps/development/gitea/helm-release.yaml b/cluster/apps/development/gitea/helm-release.yaml index 9858c6dcd..e04c35ddf 100644 --- a/cluster/apps/development/gitea/helm-release.yaml +++ b/cluster/apps/development/gitea/helm-release.yaml @@ -20,32 +20,7 @@ spec: image: repository: gitea/gitea tag: 1.14.6 - persistence: - enabled: true - size: 10Gi - existingClaim: "gitea-config" - ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: "nginx" - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - hosts: - - host: "gitea.${SECRET_CLUSTER_DOMAIN}" - paths: - - path: / - pathType: Prefix - service: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: "tcp" - http: - port: 3000 - ssh: - type: LoadBalancer - port: 22 - externalTrafficPolicy: Local - externalIPs: - - ${CLUSTER_LB_GITEA} + gitea: admin: email: ${SECRET_GITEA_ADMIN_EMAIL} 
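Review bot: The new `tls` entry lists `"wallabag.${SECRET_CLUSTER_DOMAIN}"` although the Ingress host a few lines above is `drone.${SECRET_CLUSTER_DOMAIN}`, so the certificate secret is attached to the wrong SNI name and the drone host falls back to whatever the default TLS store serves. Change the host line to `- "drone.${SECRET_CLUSTER_DOMAIN}"`. This looks like a copy-paste from the wallabag release in the same patch.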
@@ -86,9 +61,51 @@ spec: cache: builtIn: enabled: true + memcached: image: repository: bitnami/memcached tag: 1.6.10 service: port: 11211 + + persistence: + enabled: true + size: 10Gi + existingClaim: "gitea-config" + + service: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: "tcp" + ssh: + type: LoadBalancer + port: 22 + externalTrafficPolicy: Local + externalIPs: + - ${CLUSTER_LB_GITEA} + + ingress: + enabled: true + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + hosts: + - host: "gitea.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "gitea.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" + + postRenderers: + - kustomize: + patchesJson6902: + - target: + kind: Ingress + name: gitea + patch: + - op: add + path: /spec/ingressClassName + value: traefik diff --git a/cluster/apps/home-automation/emqx/helm-release.yaml b/cluster/apps/home-automation/emqx/helm-release.yaml index 014580210..26c8c0ff6 100644 --- a/cluster/apps/home-automation/emqx/helm-release.yaml +++ b/cluster/apps/home-automation/emqx/helm-release.yaml @@ -19,28 +19,14 @@ spec: values: replicaCount: 3 recreatePods: true - service: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: tcp - type: LoadBalancer - loadBalancerIP: ${CLUSTER_LB_EMQX} - externalTrafficPolicy: Local - ingress: - dashboard: - enabled: true - annotations: - kubernetes.io/ingress.class: "nginx" - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - path: / - hosts: - - emqx.${SECRET_CLUSTER_DOMAIN} + emqxConfig: EMQX_ALLOW_ANONYMOUS: "false" EMQX_ADMIN_PASSWORD: "${SECRET_EMQX_ADMIN_PASSWORD}" EMQX_AUTH__MNESIA__PASSWORD_HASH: plain EMQX_AUTH__USER__1__USERNAME: "${SECRET_MQTT_USERNAME}" EMQX_AUTH__USER__1__PASSWORD: "${SECRET_MQTT_PASSWORD}" + emqxAclConfig: > {allow, {user, "dashboard"}, subscribe, ["$SYS/#"]}. {allow, {ipaddr, "127.0.0.1"}, pubsub, ["$SYS/#", "#"]}. 
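Review bot: The rebuilt `service` block drops the `http: port: 3000` entry that the block removed in the previous hunk carried, while `ssh` is kept; if the chart's default HTTP port differs from 3000, the Service and the Ingress backend change silently with this commit. Either restore `http:` with `port: 3000` under `service`, or add a comment noting that the chart default is intentionally relied on.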
@@ -62,6 +48,28 @@ spec: {emqx_mod_rewrite, false}. {emqx_mod_subscription, false}. {emqx_mod_topic_metrics, true}. + + service: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: tcp + type: LoadBalancer + loadBalancerIP: ${CLUSTER_LB_EMQX} + externalTrafficPolicy: Local + + ingress: + dashboard: + enabled: true + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + path: / + hosts: + - emqx.${SECRET_CLUSTER_DOMAIN} + tls: + - hosts: + - "emqx.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" + affinity: podAntiAffinity: preferredDuringSchedulingIgnoredDuringExecution: @@ -74,6 +82,7 @@ spec: values: - emqx topologyKey: kubernetes.io/hostname + resources: requests: cpu: 100m @@ -93,3 +102,10 @@ spec: path: /spec/externalIPs value: - "${CLUSTER_LB_EMQX}" + - target: + kind: Ingress + name: emqx-dashboard + patch: + - op: add + path: /spec/ingressClassName + value: traefik diff --git a/cluster/apps/home-automation/frigate/helm-release.yaml b/cluster/apps/home-automation/frigate/helm-release.yaml index b4b301b2a..8dd598f47 100644 --- a/cluster/apps/home-automation/frigate/helm-release.yaml +++ b/cluster/apps/home-automation/frigate/helm-release.yaml 
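Review bot: The re-added `ingress.dashboard` for EMQX is published on `websecure` with only the entrypoint annotation, so unlike the frigate, zigbee2mqtt, zwavejs2mqtt and *arr ingresses in this commit the broker's management UI has no `networking-forward-auth@kubernetescrd` in front of it and relies solely on `EMQX_ADMIN_PASSWORD`. If that is not deliberate, add `traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd` beside the entrypoints annotation; the dashboard manages the MQTT credentials every home-automation component uses, so a second authentication layer is cheap insurance. Note also that `EMQX_AUTH__MNESIA__PASSWORD_HASH: plain` is unchanged context in the earlier hunk, so the dashboard-managed user store still keeps passwords in clear — switching it to a hashed scheme would be a good follow-up.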
@@ -20,27 +20,10 @@ spec: image: repository: blakeblackshear/frigate tag: 0.8.4-amd64 - ingress: - main: - enabled: true - annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd - hosts: - - host: "frigate.${SECRET_CLUSTER_DOMAIN}" - paths: - - path: / - pathType: Prefix - service: - main: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http + securityContext: privileged: true + persistence: data: enabled: true @@ -56,6 +39,7 @@ spec: medium: Memory sizeLimit: 2Gi mountPath: /dev/shm + config: | mqtt: host: emqx @@ -101,6 +85,30 @@ spec: podAnnotations: configmap.reloader.stakater.com/reload: "frigate-config" + + service: + main: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: http + + ingress: + main: + enabled: true + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd + hosts: + - host: "frigate.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "frigate.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" + affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: @@ -114,6 +122,7 @@ spec: operator: In values: - "true" + resources: requests: gpu.intel.com/i915: 1 diff --git a/cluster/apps/home-automation/home-assistant/helm-release.yaml b/cluster/apps/home-automation/home-assistant/helm-release.yaml index 858253a4e..2cdeed4ae 100644 --- a/cluster/apps/home-automation/home-assistant/helm-release.yaml +++ b/cluster/apps/home-automation/home-assistant/helm-release.yaml 
@@ -17,10 +17,10 @@ spec: namespace: flux-system interval: 5m values: - controllerType: deployment image: repository: ghcr.io/home-assistant/home-assistant tag: 2021.8.4 + env: TZ: "Europe/Paris" HASS_SECRET_URL: https://home-assistant.${SECRET_CLUSTER_DOMAIN} @@ -30,8 +30,10 @@ spec: HASS_SECRET_MQTT_USERNAME: ${SECRET_MQTT_USERNAME} HASS_SECRET_MQTT_PASSWORD: ${SECRET_MQTT_PASSWORD} HASS_SECRET_DB_URL: ${SECRET_HASS_DB_URL} + hostNetwork: true dnsPolicy: ClusterFirstWithHostNet + service: main: annotations: @@ -41,24 +43,32 @@ spec: externalIPs: - ${CLUSTER_LB_HASS} externalTrafficPolicy: Local + ingress: main: enabled: true - ingressClassName: "nginx" + ingressClassName: "traefik" annotations: traefik.ingress.kubernetes.io/router.entrypoints: "websecure" hosts: - - host: hass.${SECRET_CLUSTER_DOMAIN} + - host: "hass.${SECRET_CLUSTER_DOMAIN}" paths: - path: / pathType: Prefix - - host: home-assistant.${SECRET_CLUSTER_DOMAIN} + - host: "home-assistant.${SECRET_CLUSTER_DOMAIN}" paths: - path: / pathType: Prefix + tls: + - hosts: + - "hass.${SECRET_CLUSTER_DOMAIN}" + - "home-assistant.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" + prometheus: serviceMonitor: enabled: false + probes: liveness: enabled: false @@ -66,10 +76,15 @@ spec: enabled: false startup: enabled: false + + postgresql: + enabled: false + persistence: config: enabled: true existingClaim: hass-config + addons: codeserver: enabled: true 
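Review bot: Moving the hass ingress from nginx to traefik changes the source address Home Assistant sees on proxied requests, and HA 2021.7+ (the image here is `2021.8.4`) refuses proxied traffic unless `http.use_x_forwarded_for: true` and a `trusted_proxies` entry covering the Traefik pods are set in its configuration.yaml; that file lives on the `hass-config` claim and is not part of this change, so confirm it was updated for the Traefik pod/Service range rather than the old ingress-nginx addresses. `hostNetwork: true` is unchanged context, so HA also remains reachable directly on the node port — the TLS and host rules added here only cover the `hass.` and `home-assistant.` names. Nothing in the hunk itself is wrong; this is a migration caveat.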
@@ -86,20 +101,24 @@ spec: - "/config/.vscode" ingress: enabled: true - ingressClassName: "nginx" + ingressClassName: "traefik" annotations: traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd hosts: - - host: hass-config.${SECRET_CLUSTER_DOMAIN} + - host: "hass-config.${SECRET_CLUSTER_DOMAIN}" paths: - path: / pathType: Prefix + tls: + - hosts: + - "hass-config.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" volumeMounts: - name: config mountPath: /config + resources: requests: cpu: 500m memory: 1000Mi - postgresql: - enabled: false diff --git a/cluster/apps/home-automation/zigbee2mqtt/helm-release.yaml b/cluster/apps/home-automation/zigbee2mqtt/helm-release.yaml index 5fedade1e..cf93cf99a 100644 --- a/cluster/apps/home-automation/zigbee2mqtt/helm-release.yaml +++ b/cluster/apps/home-automation/zigbee2mqtt/helm-release.yaml @@ -20,9 +20,11 @@ spec: image: repository: koenkk/zigbee2mqtt tag: 1.21.0 + env: TZ: Europe/Paris ZIGBEE2MQTT_DATA: /data + config: homeassistant: true device_options: @@ -61,18 +63,18 @@ spec: new_api: true securityContext: privileged: true + service: main: annotations: prometheus.io/probe: "true" prometheus.io/protocol: "http" + ingress: main: enabled: true - ingressClassName: "nginx" + ingressClassName: "traefik" annotations: - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd hosts: @@ -80,6 +82,11 @@ spec: paths: - path: / pathType: Prefix + tls: + - hosts: + - "zigbee.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" + persistence: config: enabled: true 
@@ -90,6 +97,7 @@ spec: type: hostPath hostPath: /dev/serial/by-id/usb-1a86_USB_Serial-if00-port0 hostPathType: CharDevice + affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: diff --git a/cluster/apps/home-automation/zwavejs2mqtt/helm-release.yaml b/cluster/apps/home-automation/zwavejs2mqtt/helm-release.yaml index 27dca5921..df5fd4756 100644 --- a/cluster/apps/home-automation/zwavejs2mqtt/helm-release.yaml +++ b/cluster/apps/home-automation/zwavejs2mqtt/helm-release.yaml @@ -21,17 +21,24 @@ spec: image: repository: ghcr.io/zwave-js/zwavejs2mqtt tag: 5.4.5 + env: TZ: "Europe/Paris" + securityContext: privileged: true + + service: + main: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: http + ingress: main: enabled: true - ingressClassName: "nginx" + ingressClassName: "traefik" annotations: - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd hosts: @@ -42,11 +49,8 @@ spec: tls: - hosts: - zwave.${SECRET_CLUSTER_DOMAIN} - service: - main: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" + persistence: config: enabled: true @@ -57,6 +61,7 @@ spec: type: hostPath hostPath: /dev/serial/by-id/usb-0658_0200-if00 hostPathType: CharDevice + affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: diff --git a/cluster/apps/kasten-io/k10/helm-release.yaml b/cluster/apps/kasten-io/k10/helm-release.yaml index 2f26c00e9..90536fb45 100644 --- a/cluster/apps/kasten-io/k10/helm-release.yaml +++ b/cluster/apps/kasten-io/k10/helm-release.yaml 
@@ -33,18 +33,17 @@ spec: create: true host: "k10.${SECRET_CLUSTER_DOMAIN}" annotations: - kubernetes.io/ingress.class: "nginx" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" urlPath: k10 hosts: - "k10.${SECRET_CLUSTER_DOMAIN}" - # postRenderers: - # - kustomize: - # patchesJson6902: - # - target: - # kind: Ingress - # name: k10-ingress - # patch: - # - op: add - # path: /spec/ingressClassName - # value: traefik + postRenderers: + - kustomize: + patchesJson6902: + - target: + kind: Ingress + name: k10-ingress + patch: + - op: add + path: /spec/ingressClassName + value: traefik diff --git a/cluster/apps/kustomization.yaml b/cluster/apps/kustomization.yaml index c0d2fc549..9a1fb9f5a 100644 --- a/cluster/apps/kustomization.yaml +++ b/cluster/apps/kustomization.yaml @@ -8,3 +8,4 @@ resources: - media - monitoring - networking + - secret-reflector diff --git a/cluster/apps/media/bazarr/helm-release.yaml b/cluster/apps/media/bazarr/helm-release.yaml index 46ca456b3..946eae8b2 100644 --- a/cluster/apps/media/bazarr/helm-release.yaml +++ b/cluster/apps/media/bazarr/helm-release.yaml @@ -17,17 +17,19 @@ spec: namespace: flux-system interval: 5m values: - controllerType: deployment image: repository: ghcr.io/k8s-at-home/bazarr tag: v0.9.6 pullPolicy: IfNotPresent + env: TZ: "Europe/Paris" + podSecurityContext: runAsUser: 568 runAsGroup: 568 fsGroup: 568 + persistence: config: enabled: true 
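Review bot: The `k10` hunk on this line exposes the Kasten dashboard at `https://k10.${SECRET_CLUSTER_DOMAIN}/k10/` on `websecure` with no `networking-forward-auth@kubernetescrd` middleware, and K10's own `auth.*` values are not visible here, so please confirm the dashboard is not reachable unauthenticated — a backup controller with cluster-wide RBAC and access to every PVC is a high-value target. Adding `traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd` under `annotations` would match the rest of this commit. The `- secret-reflector` entry added to `cluster/apps/kustomization.yaml` presumably exists to mirror `${SECRET_CLUSTER_CERTIFICATE_DEFAULT}` into each app namespace; reflecting a TLS private key into every namespace makes it readable by any workload or service account with `get secrets` there, so keep the reflector's allowed-namespaces annotation to the namespaces that actually terminate TLS rather than a wildcard.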
@@ -36,28 +38,32 @@ spec: enabled: true existingClaim: nfs-video-media mountPath: "/mnt/storage/video" + service: main: annotations: prometheus.io/probe: "true" prometheus.io/protocol: http + + ingress: + main: + enabled: true + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd + hosts: + - host: "bazarr.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "bazarr.${SECRET_CLUSTER_DOMAIN}" + resources: requests: memory: 500Mi cpu: 500m limits: memory: 1500Mi - ingress: - main: - enabled: true - ingressClassName: "nginx" - annotations: - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd - hosts: - - host: bazarr.${SECRET_CLUSTER_DOMAIN} - paths: - - path: / - pathType: Prefix diff --git a/cluster/apps/media/flood/helm-release.yaml b/cluster/apps/media/flood/helm-release.yaml index eec25fd9d..077c9067a 100644 --- a/cluster/apps/media/flood/helm-release.yaml +++ b/cluster/apps/media/flood/helm-release.yaml 
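Review bot: The `tls` block added to the bazarr ingress names the host but no `secretName`, whereas the gitea, drone, frigate, home-assistant, zigbee2mqtt and zwavejs2mqtt ingresses in this commit set `secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"`; the same shape recurs in the flood, jellyfin, lidarr, lychee, navidrome, prowlarr, pyload, qbittorrent, radarr, sabnzbd, sonarr and tdarr hunks. With Traefik's Ingress provider a `tls` entry without a secret still enables TLS on the router, but the certificate then comes from the TLS store's default — or Traefik's self-signed fallback if no `TLSStore` default is configured — so whether these hosts serve the real wildcard certificate depends on configuration that is not visible here. Either add `secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"` to these too, or drop the per-ingress `secretName` everywhere and rely on the default store; mixing both conventions will make the next certificate rotation confusing.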
@@ -17,51 +17,53 @@ spec: namespace: flux-system interval: 5m values: - controllerType: deployment image: repository: jesec/flood tag: 4.6.1 - pullPolicy: Always + pullPolicy: IfNotPresent + env: FLOOD_OPTION_RUNDIR: /data FLOOD_OPTION_AUTH: "none" FLOOD_OPTION_QBURL: "http://qbittorrent:8080" FLOOD_OPTION_QBUSER: admin FLOOD_OPTION_QBPASS: ${SECRET_QBITTORRENT_PASSWORD} + podSecurityContext: runAsUser: 1001 runAsGroup: 1001 fsGroup: 1001 + + persistence: + data: + enabled: true + existingClaim: flood-config + + service: + main: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: http + ingress: main: enabled: true + ingressClassName: "traefik" annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Flood" - forecastle.stakater.com/icon: "https://raw.githubusercontent.com/jesec/flood/master/flood.svg" - forecastle.stakater.com/network-restricted: "true" hosts: - host: flood.${SECRET_CLUSTER_DOMAIN} paths: - path: / pathType: Prefix - persistence: - data: - enabled: true - existingClaim: flood-config + tls: + - hosts: + - "flood.${SECRET_CLUSTER_DOMAIN}" + resources: requests: memory: 250Mi cpu: 500m limits: memory: 1500Mi - service: - main: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http diff --git a/cluster/apps/media/jellyfin/helm-release.yaml b/cluster/apps/media/jellyfin/helm-release.yaml index f56a39c96..cbd38fc7d 100644 --- a/cluster/apps/media/jellyfin/helm-release.yaml +++ b/cluster/apps/media/jellyfin/helm-release.yaml 
@@ -21,13 +21,7 @@ spec: repository: jellyfin/jellyfin pullPolicy: IfNotPresent tag: 10.7.6 - strategy: - type: Recreate - service: - main: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http + persistence: config: enabled: true @@ -44,34 +38,41 @@ spec: enabled: true existingClaim: nfs-photo-media mountPath: "/mnt/storage/photo" + + service: + main: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: http + + ingress: + main: + enabled: true + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + hosts: + - host: "jellyfin.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "jellyfin.${SECRET_CLUSTER_DOMAIN}" + resources: requests: memory: 4Gi cpu: 1 limits: gpu.intel.com/i915: 1 - ingress: - main: - enabled: true - ingressClassName: "nginx" - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Jellyfin" - forecastle.stakater.com/icon: "https://features.jellyfin.org/images/logos/a7Lx9nYDzWuDR94Az8Yum7neWMvNMndkm9qr4QVtmjaMrOHDLisS5K7LJctTRzK9-icon-transparent.png?size=200" - hosts: - - host: jellyfin.${SECRET_CLUSTER_DOMAIN} - paths: - - path: / - pathType: Prefix - affinity: - podAntiAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 100 - podAffinityTerm: - labelSelector: - matchExpressions: - - key: feature.node.kubernetes.io/custom-coral-tpu - operator: In - values: - - "true" + + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: feature.node.kubernetes.io/custom-intel-gpu + operator: In + values: + - "true" diff --git a/cluster/apps/media/lidarr/helm-release.yaml b/cluster/apps/media/lidarr/helm-release.yaml index 78c3c68fa..dd2acf26f 100644 --- a/cluster/apps/media/lidarr/helm-release.yaml 
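Review bot: The jellyfin hunk drops `strategy: type: Recreate` without a replacement, so the Deployment falls back to the chart's default rollout strategy; if that is RollingUpdate, an upgrade starts a second pod that tries to attach the same `config` claim and the `gpu.intel.com/i915` device while the old pod still runs, which either wedges the rollout on an RWO volume or races Jellyfin's SQLite database on an RWX one. The same removal appears in the lychee and navidrome hunks. Unless the k8s-at-home common chart version in use already defaults to Recreate — worth checking in the chart's values — keep `strategy: type: Recreate` (or the newer `controller.strategy` key, if the key rename alongside the dropped `controllerType` is why it was removed). The switch to a required `nodeAffinity` on `custom-intel-gpu` is fine and more appropriate than the previous Coral TPU anti-affinity.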
+++ b/cluster/apps/media/lidarr/helm-release.yaml @@ -17,45 +17,19 @@ spec: namespace: flux-system interval: 5m values: - controllerType: deployment image: repository: ghcr.io/k8s-at-home/lidarr tag: v1.0.0.2248 pullPolicy: IfNotPresent + env: TZ: "Europe/Paris" + podSecurityContext: runAsUser: 568 runAsGroup: 568 fsGroup: 568 - ingress: - main: - enabled: true - ingressClassName: "nginx" - annotations: - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Lidarr" - forecastle.stakater.com/icon: "https://raw.githubusercontent.com/lidarr/Lidarr/14c3d31c2bf64893e9e7c137a04bfc096e6d36fe/frontend/src/Content/Images/Icons/android-chrome-192x192.png" - forecastle.stakater.com/network-restricted: "true" - hosts: - - host: lidarr.${SECRET_CLUSTER_DOMAIN} - paths: - - path: / - pathType: Prefix - api: - enabled: true - ingressClassName: "nginx" - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - hosts: - - host: "lidarr.${SECRET_CLUSTER_DOMAIN}" - paths: - - path: /api - pathType: Prefix + persistence: config: enabled: true 
@@ -72,22 +46,55 @@ spec: enabled: true existingClaim: qbittorrent-cache mountPath: "/downloads" + + service: + main: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: http + + ingress: + main: + enabled: true + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd + hosts: + - host: "lidarr.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "lidarr.${SECRET_CLUSTER_DOMAIN}" + api: + enabled: true + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + hosts: + - host: "lidarr.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: /api + pathType: Prefix + tls: + - hosts: + - "lidarr.${SECRET_CLUSTER_DOMAIN}" + resources: requests: memory: 500Mi cpu: 500m limits: memory: 1500Mi - service: - main: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http + prometheus: podMonitor: enabled: true interval: 10m scrapeTimeout: 2m + additionalContainers: - name: exportarr image: ghcr.io/onedr0p/exportarr:v0.6.1 diff --git a/cluster/apps/media/lychee/helm-release.yaml b/cluster/apps/media/lychee/helm-release.yaml index 499ed47e9..fd71d1a42 100644 --- a/cluster/apps/media/lychee/helm-release.yaml +++ b/cluster/apps/media/lychee/helm-release.yaml 
@@ -22,30 +22,6 @@ spec: pullPolicy: IfNotPresent tag: v4.3.4 - strategy: - type: Recreate - - service: - main: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http - - ingress: - main: - enabled: true - ingressClassName: "nginx" - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Lychee" - forecastle.stakater.com/icon: "https://lycheeorg.github.io/docs/img/logo.png" - hosts: - - host: lychee.${SECRET_CLUSTER_DOMAIN} - paths: - - path: / - pathType: Prefix - env: PHP_TZ: Europe/Paris DB_CONNECTION: pgsql @@ -65,3 +41,24 @@ spec: enabled: true mountPath: /uploads existingClaim: lychee-files + + service: + main: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: http + + ingress: + main: + enabled: true + ingressClassName: "nginx" + # annotations: + # traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + hosts: + - host: "lychee.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "lychee.${SECRET_CLUSTER_DOMAIN}" diff --git a/cluster/apps/media/navidrome/helm-release.yaml b/cluster/apps/media/navidrome/helm-release.yaml index f65310411..9646393cc 100644 --- a/cluster/apps/media/navidrome/helm-release.yaml +++ b/cluster/apps/media/navidrome/helm-release.yaml 
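Review bot: The lychee ingress is the one release in this commit that stays on `ingressClassName: "nginx"`, with the Traefik entrypoint annotation commented out rather than removed, while the commit title says the cluster is moving to Traefik. If ingress-nginx is being retired this Ingress will be claimed by no controller and `lychee.${SECRET_CLUSTER_DOMAIN}` silently goes dark; if it is intentionally kept on nginx (large photo uploads, a buffering limit), record that with a comment such as `# stays on ingress-nginx until Traefik buffering for large uploads is sorted out` instead of a commented-out annotation. Note too that the new `tls` block carries no `secretName`, and under ingress-nginx that means the controller's default certificate rather than the cluster wildcard.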
@@ -21,34 +21,14 @@ spec: repository: deluan/navidrome pullPolicy: IfNotPresent tag: 0.44.1 - strategy: - type: Recreate - service: - main: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http - ingress: - main: - enabled: true - ingressClassName: "nginx" - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Navidrome" - forecastle.stakater.com/icon: "https://raw.githubusercontent.com/navidrome/navidrome/master/resources/logo-192x192.png" - forecastle.stakater.com/network-restricted: "true" - hosts: - - host: navidrome.${SECRET_CLUSTER_DOMAIN} - paths: - - path: / - pathType: Prefix + env: ND_SCANINTERVAL: 15m ND_LOGLEVEL: info ND_SESSIONTIMEOUT: 24h ND_ENABLETRANSCODINGCONFIG: "true" ND_MUSICFOLDER: /mnt/storage/music/Artistes + persistence: config: enabled: true @@ -58,3 +38,24 @@ spec: enabled: true mountPath: /mnt/storage/music/ existingClaim: nfs-music-media + + service: + main: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: http + + ingress: + main: + enabled: true + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + hosts: + - host: "navidrome.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "navidrome.${SECRET_CLUSTER_DOMAIN}" diff --git a/cluster/apps/media/prowlarr/helm-release.yaml b/cluster/apps/media/prowlarr/helm-release.yaml index 6dc6246a7..42d10ab7f 100644 --- a/cluster/apps/media/prowlarr/helm-release.yaml +++ b/cluster/apps/media/prowlarr/helm-release.yaml 
@@ -17,47 +17,44 @@ spec: namespace: flux-system interval: 5m values: - controllerType: deployment image: repository: ghcr.io/k8s-at-home/prowlarr tag: v0.1.0.768 pullPolicy: IfNotPresent + env: TZ: "Europe/Paris" - podSecurityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 + persistence: config: enabled: true existingClaim: prowlarr-config + + service: + main: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: http + ingress: main: enabled: true - ingressClassName: "nginx" + ingressClassName: "traefik" annotations: - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Prowlarr" - forecastle.stakater.com/icon: "https://raw.githubusercontent.com/Prowlarr/Prowlarr/develop/Logo/256.png" - forecastle.stakater.com/network-restricted: "true" hosts: - - host: prowlarr.${SECRET_CLUSTER_DOMAIN} + - host: "prowlarr.${SECRET_CLUSTER_DOMAIN}" paths: - path: / pathType: Prefix + tls: + - hosts: + - "prowlarr.${SECRET_CLUSTER_DOMAIN}" + resources: requests: memory: 100Mi cpu: 100m limits: memory: 1000Mi - service: - main: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http diff --git a/cluster/apps/media/pyload/helm-release.yaml b/cluster/apps/media/pyload/helm-release.yaml index 8a9b32aee..3998a2594 100644 --- a/cluster/apps/media/pyload/helm-release.yaml +++ b/cluster/apps/media/pyload/helm-release.yaml 
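Review bot: The prowlarr hunk removes the `podSecurityContext` (`runAsUser`/`runAsGroup`/`fsGroup: 568`) entirely, while the sibling bazarr, lidarr, radarr, sonarr and qbittorrent releases keep theirs and nothing in the commit message explains the difference. Without it the pod runs as whatever `ghcr.io/k8s-at-home/prowlarr` defaults to and the `prowlarr-config` claim is no longer chowned via `fsGroup`; if the image already drops to uid 568 this only loses explicitness and the volume-ownership fix, but if it does not, prowlarr now runs as root behind an internet-facing ingress. Unless this was a deliberate workaround for a permissions problem, restore the three lines — `runAsUser: 568`, `runAsGroup: 568`, `fsGroup: 568` under `podSecurityContext` — to match the other *arr releases.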
@@ -17,13 +17,14 @@ spec: namespace: flux-system interval: 5m values: - controllerType: deployment image: repository: linuxserver/pyload tag: version-5f5aaf56 pullPolicy: IfNotPresent + env: TZ: "Europe/Paris" + persistence: config: enabled: true @@ -32,29 +33,31 @@ spec: enabled: true existingClaim: nfs-downloads-media mountPath: "/mnt/storage/downloads" + + service: + main: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: http + + ingress: + main: + enabled: true + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + hosts: + - host: "pyload.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "pyload.${SECRET_CLUSTER_DOMAIN}" + resources: requests: memory: 1Gi cpu: 100m limits: memory: 5Gi - service: - main: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http - ingress: - main: - enabled: true - ingressClassName: "nginx" - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "pyLoad" - forecastle.stakater.com/icon: "https://raw.githubusercontent.com/pyload/pyload/main/media/logo.png" - forecastle.stakater.com/network-restricted: "true" - hosts: - - host: pyload.${SECRET_CLUSTER_DOMAIN} - paths: - - path: / - pathType: Prefix diff --git a/cluster/apps/media/qbittorrent/helm-release.yaml b/cluster/apps/media/qbittorrent/helm-release.yaml index cbb899628..5f1af1950 100644 --- a/cluster/apps/media/qbittorrent/helm-release.yaml +++ b/cluster/apps/media/qbittorrent/helm-release.yaml 
@@ -17,13 +17,32 @@ spec: namespace: flux-system interval: 5m values: - controllerType: deployment image: repository: ghcr.io/k8s-at-home/qbittorrent tag: v4.3.7 pullPolicy: IfNotPresent + env: TZ: "Europe/Paris" + + podSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + + persistence: + config: + enabled: true + existingClaim: qbittorrent-config + qbittorrent-cache: + enabled: true + existingClaim: qbittorrent-cache + mountPath: "/downloads" + nfs-downloads-media: + enabled: true + existingClaim: nfs-downloads-media + mountPath: "/mnt/storage/downloads" + service: bittorrent: enabled: true @@ -40,38 +59,23 @@ spec: protocol: TCP targetPort: 6881 externalTrafficPolicy: Local - podSecurityContext: - runAsUser: 568 - runAsGroup: 568 - fsGroup: 568 - persistence: - config: + + ingress: + main: enabled: true - existingClaim: qbittorrent-config - qbittorrent-cache: - enabled: true - existingClaim: qbittorrent-cache - mountPath: "/downloads" - nfs-downloads-media: - enabled: true - existingClaim: nfs-downloads-media - mountPath: "/mnt/storage/downloads" + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + hosts: + - host: "qbittorrent.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "qbittorrent.${SECRET_CLUSTER_DOMAIN}" + resources: requests: memory: 4Gi cpu: 500m - ingress: - main: - enabled: true - ingressClassName: "nginx" - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "qBittorrent" - forecastle.stakater.com/icon: "https://upload.wikimedia.org/wikipedia/commons/thumb/6/66/New_qBittorrent_Logo.svg/600px-New_qBittorrent_Logo.svg.png" - forecastle.stakater.com/network-restricted: "true" - hosts: - - host: qbittorrent.${SECRET_CLUSTER_DOMAIN} - paths: - - path: / - pathType: Prefix 
diff --git a/cluster/apps/media/radarr/helm-release.yaml b/cluster/apps/media/radarr/helm-release.yaml index f7a018703..03599dc27 100644 --- a/cluster/apps/media/radarr/helm-release.yaml +++ b/cluster/apps/media/radarr/helm-release.yaml @@ -22,40 +22,15 @@ spec: repository: ghcr.io/k8s-at-home/radarr tag: v3.2.2.5080 pullPolicy: IfNotPresent + env: TZ: "Europe/Paris" + podSecurityContext: runAsUser: 568 runAsGroup: 568 fsGroup: 568 - ingress: - main: - enabled: true - ingressClassName: "nginx" - annotations: - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Radarr" - forecastle.stakater.com/icon: "https://raw.githubusercontent.com/Radarr/Radarr/develop/Logo/256.png" - forecastle.stakater.com/network-restricted: "true" - hosts: - - host: radarr.${SECRET_CLUSTER_DOMAIN} - paths: - - path: / - pathType: Prefix - api: - enabled: true - ingressClassName: "nginx" - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - hosts: - - host: "radarr.${SECRET_CLUSTER_DOMAIN}" - paths: - - path: /api - pathType: Prefix + persistence: config: enabled: true 
@@ -68,22 +43,55 @@ spec: enabled: true existingClaim: qbittorrent-cache mountPath: "/downloads" + + service: + main: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: http + + ingress: + main: + enabled: true + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd + hosts: + - host: "radarr.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "radarr.${SECRET_CLUSTER_DOMAIN}" + api: + enabled: true + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + hosts: + - host: "radarr.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: /api + pathType: Prefix + tls: + - hosts: + - "radarr.${SECRET_CLUSTER_DOMAIN}" + resources: requests: memory: 500Mi cpu: 500m limits: memory: 1500Mi - service: - main: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http + prometheus: podMonitor: enabled: true interval: 10m scrapeTimeout: 2m + additionalContainers: - name: exportarr image: ghcr.io/onedr0p/exportarr:v0.6.1 diff --git a/cluster/apps/media/sabnzbd/helm-release.yaml b/cluster/apps/media/sabnzbd/helm-release.yaml index e6a09ed1d..bd4996e30 100644 --- a/cluster/apps/media/sabnzbd/helm-release.yaml +++ b/cluster/apps/media/sabnzbd/helm-release.yaml 
@@ -20,41 +20,10 @@ spec: image: repository: ghcr.io/k8s-at-home/sabnzbd tag: v3.3.1 + env: TZ: "Europe/Paris" - # disable service monitoring because of ip blacklist - # service: - # main: - # annotations: - # prometheus.io/probe: "true" - # prometheus.io/protocol: http - ingress: - main: - enabled: true - ingressClassName: "nginx" - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "SABnzbd" - forecastle.stakater.com/icon: "https://avatars.githubusercontent.com/u/16778130?v=4" - forecastle.stakater.com/network-restricted: "true" - hosts: - - host: "sabnzbd.${SECRET_CLUSTER_DOMAIN}" - paths: - - path: / - pathType: Prefix - api: - enabled: true - ingressClassName: "nginx" - nameSuffix: "api" - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - hosts: - - host: "sabnzbd.${SECRET_CLUSTER_DOMAIN}" - paths: - - path: /api - pathType: Prefix + persistence: config: enabled: true 
@@ -66,6 +35,44 @@ spec: podSecurityContext: supplementalGroups: - 100 + + # disable service monitoring because of ip blacklist + # service: + # main: + # annotations: + # prometheus.io/probe: "true" + # prometheus.io/protocol: http + + ingress: + main: + enabled: true + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd + hosts: + - host: "sabnzbd.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "sabnzbd.${SECRET_CLUSTER_DOMAIN}" + api: + enabled: true + ingressClassName: "traefik" + nameSuffix: "api" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + hosts: + - host: "sabnzbd.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: /api + pathType: Prefix + tls: + - hosts: + - "sabnzbd.${SECRET_CLUSTER_DOMAIN}" + resources: requests: memory: 250Mi diff --git a/cluster/apps/media/sonarr/helm-release.yaml b/cluster/apps/media/sonarr/helm-release.yaml index ebb116648..395359531 100644 --- a/cluster/apps/media/sonarr/helm-release.yaml +++ b/cluster/apps/media/sonarr/helm-release.yaml 
@@ -28,34 +28,7 @@ spec: runAsUser: 568 runAsGroup: 568 fsGroup: 568 - ingress: - main: - enabled: true - ingressClassName: "nginx" - annotations: - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Sonarr" - forecastle.stakater.com/icon: "https://raw.githubusercontent.com/Sonarr/Sonarr/develop/Logo/256.png" - forecastle.stakater.com/network-restricted: "true" - hosts: - - host: sonarr.${SECRET_CLUSTER_DOMAIN} - paths: - - path: / - pathType: Prefix - api: - enabled: true - ingressClassName: "nginx" - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - hosts: - - host: "sonarr.${SECRET_CLUSTER_DOMAIN}" - paths: - - path: /api - pathType: Prefix + persistence: config: enabled: true 
@@ -68,22 +41,55 @@ spec: enabled: true existingClaim: qbittorrent-cache mountPath: "/downloads" + + service: + main: + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: http + + ingress: + main: + enabled: true + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd + hosts: + - host: "sonarr.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - "sonarr.${SECRET_CLUSTER_DOMAIN}" + api: + enabled: true + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + hosts: + - host: "sonarr.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: /api + pathType: Prefix + tls: + - hosts: + - "sonarr.${SECRET_CLUSTER_DOMAIN}" + resources: requests: memory: 500Mi cpu: 500m limits: memory: 1500Mi - service: - main: - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http + prometheus: podMonitor: enabled: true interval: 10m scrapeTimeout: 2m + additionalContainers: - name: exportarr image: ghcr.io/onedr0p/exportarr:v0.6.1 diff --git a/cluster/apps/media/tdarr/helm-release.yaml b/cluster/apps/media/tdarr/helm-release.yaml index 25eb7ecfc..de9d833ce 100644 --- a/cluster/apps/media/tdarr/helm-release.yaml +++ b/cluster/apps/media/tdarr/helm-release.yaml @@ -22,19 +22,6 @@ spec: tag: 2.00.10 pullPolicy: IfNotPresent - service: - main: - ports: - http: - port: 8265 - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: http - server: - enabled: true - protocol: TCP - port: 8266 - env: TZ: Europe/Paris webUIPort: 8265 
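Review bot: The `api` ingress here exposes `/api` on `websecure` without the `networking-forward-auth@kubernetescrd` middleware that protects `main`, so Sonarr's API key is the only control on that router; an IP allowlist or the new rate-limit middleware would narrow that, e.g. `traefik.ingress.kubernetes.io/router.middlewares: networking-rfc1918@kubernetescrd`. Note also that the sabnzbd `api` ingress in this same commit sets `nameSuffix: "api"` while this one does not, so the generated Ingress names will presumably differ between the two charts — harmless, but worth aligning. The trailing `additionalContainers` entry for exportarr continues past the end of the hunk.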
@@ -59,21 +46,31 @@ spec: mountPath: /media existingClaim: nfs-video-media + service: + main: + ports: + http: + port: 8265 + annotations: + prometheus.io/probe: "true" + prometheus.io/protocol: http + server: + enabled: true + protocol: TCP + port: 8266 + ingress: main: enabled: true - ingressClassName: "nginx" + ingressClassName: "traefik" annotations: - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Tdarr" - forecastle.stakater.com/icon: "https://raw.githubusercontent.com/HaveAGitGat/Tdarr/master/public/images/icon_dark.png" - forecastle.stakater.com/network-restricted: "true" hosts: - - host: tdarr.${SECRET_CLUSTER_DOMAIN} + - host: "tdarr.${SECRET_CLUSTER_DOMAIN}" paths: - path: / pathType: Prefix + tls: + - hosts: + - "tdarr.${SECRET_CLUSTER_DOMAIN}" diff --git a/cluster/apps/media/travelstories/deployment.yaml b/cluster/apps/media/travelstories/deployment.yaml index 985248efc..5da014300 100644 --- a/cluster/apps/media/travelstories/deployment.yaml +++ b/cluster/apps/media/travelstories/deployment.yaml @@ -36,10 +36,6 @@ spec: - name: caddyfile configMap: name: travelstories-caddyfile - dnsConfig: - options: - - name: ndots - value: "1" --- apiVersion: v1 kind: ConfigMap 
@@ -79,22 +75,17 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd - forecastle.stakater.com/expose: "true" - forecastle.stakater.com/appName: "Travelstories" - forecastle.stakater.com/icon: "https://image.flaticon.com/icons/png/512/120/120653.png" labels: app.kubernetes.io/instance: travelstories app.kubernetes.io/name: travelstories name: travelstories namespace: media spec: + ingressClassName: "traefik" rules: - - host: travelstories.${SECRET_CLUSTER_DOMAIN} + - host: "travelstories.${SECRET_CLUSTER_DOMAIN}" http: paths: - path: / @@ -104,3 +95,7 @@ spec: name: travelstories port: number: 80 + tls: + - hosts: + - "tdarr.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" diff --git a/cluster/apps/monitoring/blackbox-exporter/helm-release.yaml b/cluster/apps/monitoring/blackbox-exporter/helm-release.yaml index 7ced07246..7bcb35d50 100644 --- a/cluster/apps/monitoring/blackbox-exporter/helm-release.yaml +++ b/cluster/apps/monitoring/blackbox-exporter/helm-release.yaml @@ -18,6 +18,7 @@ spec: interval: 5m values: allowIcmp: true + config: modules: icmp: @@ -35,6 +36,7 @@ spec: tcp_connect: prober: tcp timeout: 30s + serviceMonitor: enabled: true defaults: @@ -64,6 +66,7 @@ spec: - name: k3s-worker3 url: "${LOCAL_LAN_K3SWORKER3}" module: icmp + prometheusRule: enabled: true additionalLabels: 
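Review bot: The `tls` block added to the travelstories Ingress lists `tdarr.${SECRET_CLUSTER_DOMAIN}` as its host, which does not match the rule host `travelstories.${SECRET_CLUSTER_DOMAIN}` set in the hunk above — a copy-paste slip. Traefik may still serve the right certificate because it selects from `secretName` by SNI, but any controller or tooling that honours `spec.tls[].hosts` will treat this Ingress as having no TLS for the host it actually serves. Change it to `- "travelstories.${SECRET_CLUSTER_DOMAIN}"`.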
@@ -84,12 +87,10 @@ spec: for: 15m labels: severity: warning + ingress: enabled: true annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd hosts: @@ -97,3 +98,18 @@ spec: paths: - path: / pathType: Prefix + tls: + - hosts: + - "blackbox.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" + + postRenderers: + - kustomize: + patchesJson6902: + - target: + kind: Ingress + name: blackbox-exporter-prometheus-blackbox-exporter + patch: + - op: add + path: /spec/ingressClassName + value: traefik diff --git a/cluster/apps/monitoring/healthchecks/helm-release.yaml b/cluster/apps/monitoring/healthchecks/helm-release.yaml index 84ba00b4b..33898082d 100644 --- a/cluster/apps/monitoring/healthchecks/helm-release.yaml +++ b/cluster/apps/monitoring/healthchecks/helm-release.yaml @@ -22,13 +22,6 @@ spec: tag: v1.22.0-ls95 pullPolicy: IfNotPresent - controllerType: deployment - - strategy: - type: Recreate - - resources: {} - env: SECRET_KEY: ${SECRET_HEALTHECKS_SECRET_KEY} REGENERATE_SETTINGS: "True" 
@@ -48,24 +41,28 @@ spec: SITE_NAME: "Homelab HealthChecks" SITE_LOGO_URL: "https://image.flaticon.com/icons/svg/1219/1219758.svg" + persistence: + config: + enabled: false + service: main: annotations: prometheus.io/probe: "true" prometheus.io/protocol: http - persistence: - config: - enabled: false - ingress: main: enabled: true - ingressClassName: "nginx" + ingressClassName: "traefik" annotations: traefik.ingress.kubernetes.io/router.entrypoints: "websecure" hosts: - - host: healthchecks.${SECRET_CLUSTER_DOMAIN} + - host: "healthchecks.${SECRET_CLUSTER_DOMAIN}" paths: - path: / pathType: Prefix + tls: + - hosts: + - "healthchecks.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" diff --git a/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml b/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml index 00103cbb7..05149eda3 100644 --- a/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml +++ b/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml @@ -32,10 +32,8 @@ spec: ingress: enabled: true pathType: Prefix + ingressClassName: "traefik" annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd hosts: ["alert-manager.${SECRET_CLUSTER_DOMAIN}"] @@ -196,8 +194,8 @@ spec: ingress: enabled: true pathType: Prefix + ingressClassName: "traefik" annotations: - kubernetes.io/ingress.class: "nginx" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" hosts: ["grafana.${SECRET_CLUSTER_DOMAIN}"] kubeEtcd: 
@@ -212,10 +210,8 @@ spec: ingress: enabled: true pathType: Prefix + ingressClassName: "traefik" annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd hosts: ["prometheus.${SECRET_CLUSTER_DOMAIN}"] diff --git a/cluster/apps/monitoring/thanos/helm-release.yaml b/cluster/apps/monitoring/thanos/helm-release.yaml index 2f4b81cfb..a242f6494 100644 --- a/cluster/apps/monitoring/thanos/helm-release.yaml +++ b/cluster/apps/monitoring/thanos/helm-release.yaml @@ -29,9 +29,6 @@ spec: enabled: true hostname: "thanos.${SECRET_CLUSTER_DOMAIN}" annotations: - kubernetes.io/ingress.class: "nginx" - nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify" - nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd tls: false @@ -60,3 +57,14 @@ spec: access_key: "${SECRET_MINIO_ACCESS_KEY}" secret_key: "${SECRET_MINIO_SECRET_KEY}" insecure: false + + postRenderers: + - kustomize: + patchesJson6902: + - target: + kind: Ingress + name: thanos-query + patch: + - op: add + path: /spec/ingressClassName + value: traefik diff --git a/cluster/apps/monitoring/uptime-kuma/statefulset.yaml b/cluster/apps/monitoring/uptime-kuma/statefulset.yaml index 6bb9c7041..1c806a77c 100644 --- a/cluster/apps/monitoring/uptime-kuma/statefulset.yaml +++ b/cluster/apps/monitoring/uptime-kuma/statefulset.yaml 
@@ -68,7 +68,6 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: - kubernetes.io/ingress.class: "nginx" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" labels: app.kubernetes.io/instance: uptime-kuma @@ -76,8 +75,9 @@ metadata: name: uptime-kuma namespace: monitoring spec: + ingressClassName: "traefik" rules: - - host: uptime-kuma.${SECRET_CLUSTER_DOMAIN} + - host: "uptime-kuma.${SECRET_CLUSTER_DOMAIN}" http: paths: - path: / @@ -87,3 +87,7 @@ spec: name: uptime-kuma port: number: 3001 + tls: + - hosts: + - "healthchecks.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" diff --git a/cluster/apps/networking/authelia/deployment.yaml b/cluster/apps/networking/authelia/deployment.yaml index fa7219f9b..392e372cb 100644 --- a/cluster/apps/networking/authelia/deployment.yaml +++ b/cluster/apps/networking/authelia/deployment.yaml @@ -91,7 +91,6 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: - kubernetes.io/ingress.class: "nginx" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" labels: app.kubernetes.io/instance: authelia @@ -99,6 +98,7 @@ metadata: name: authelia namespace: networking spec: + ingressClassName: "traefik" rules: - host: login.${SECRET_CLUSTER_DOMAIN} http: @@ -110,6 +110,10 @@ spec: name: authelia port: number: 80 + tls: + - hosts: + - "login.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" --- kind: ConfigMap apiVersion: v1 diff --git a/cluster/apps/networking/authentik/helm-release.yaml b/cluster/apps/networking/authentik/helm-release.yaml index 1e5f29eb1..a51af07a4 100644 --- a/cluster/apps/networking/authentik/helm-release.yaml +++ b/cluster/apps/networking/authentik/helm-release.yaml 
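Review bot: The new `tls` block on the uptime-kuma Ingress lists `healthchecks.${SECRET_CLUSTER_DOMAIN}`, not the rule host `uptime-kuma.${SECRET_CLUSTER_DOMAIN}` set one hunk above — the same copy-paste pattern as the travelstories Ingress in this commit. Traefik may still pick the right certificate by SNI from `secretName`, but the manifest now declares TLS for a host this Ingress does not serve. Change it to `- "uptime-kuma.${SECRET_CLUSTER_DOMAIN}"`.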
@@ -23,14 +23,17 @@ spec: ingress: enabled: true - ingressClassName: "nginx" + ingressClassName: "traefik" annotations: traefik.ingress.kubernetes.io/router.entrypoints: "websecure" hosts: - - host: id.${SECRET_CLUSTER_DOMAIN} + - host: "id.${SECRET_CLUSTER_DOMAIN}" paths: - path: / - + tls: + - hosts: + - "id.${SECRET_CLUSTER_DOMAIN}" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" geoip: enabled: false authentik: diff --git a/cluster/apps/networking/certificate/certificate.yaml b/cluster/apps/networking/certificate/certificate.yaml index a14e7198e..90296988e 100644 --- a/cluster/apps/networking/certificate/certificate.yaml +++ b/cluster/apps/networking/certificate/certificate.yaml @@ -5,7 +5,7 @@ metadata: name: "${SECRET_CLUSTER_DOMAIN/./-}" namespace: networking spec: - secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" issuerRef: name: letsencrypt-production kind: ClusterIssuer diff --git a/cluster/apps/networking/certificate/kustomization.yaml b/cluster/apps/networking/certificate/kustomization.yaml index 1615af253..9d1621978 100644 --- a/cluster/apps/networking/certificate/kustomization.yaml +++ b/cluster/apps/networking/certificate/kustomization.yaml @@ -1,3 +1,4 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: diff --git a/cluster/apps/networking/ingress-nginx/helm-release.yaml b/cluster/apps/networking/ingress-nginx/helm-release.yaml index fd1f43fb5..266baf46e 100644 --- a/cluster/apps/networking/ingress-nginx/helm-release.yaml +++ b/cluster/apps/networking/ingress-nginx/helm-release.yaml @@ -39,7 +39,7 @@ spec: namespaceSelector: any: true extraArgs: - default-ssl-certificate: "networking/${SECRET_CLUSTER_DOMAIN/./-}-tls" + default-ssl-certificate: "networking/${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" resources: requests: memory: 250Mi 
diff --git a/cluster/apps/networking/ingress-nginx/ingressclass.yaml b/cluster/apps/networking/ingress-nginx/ingressclass.yaml new file mode 100644 index 000000000..2d779064c --- /dev/null +++ b/cluster/apps/networking/ingress-nginx/ingressclass.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "false" + name: nginx +spec: + controller: k8s.io/ingress-nginx diff --git a/cluster/apps/networking/ingress-nginx/kustomization.yaml b/cluster/apps/networking/ingress-nginx/kustomization.yaml index 2fa2de20c..14bf34110 100644 --- a/cluster/apps/networking/ingress-nginx/kustomization.yaml +++ b/cluster/apps/networking/ingress-nginx/kustomization.yaml @@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - helm-release.yaml + - ingressclass.yaml diff --git a/cluster/apps/networking/traefik/dashboard/ingress.yaml b/cluster/apps/networking/traefik/dashboard/ingress.yaml index d6cdd4e52..c580a59c8 100644 --- a/cluster/apps/networking/traefik/dashboard/ingress.yaml +++ b/cluster/apps/networking/traefik/dashboard/ingress.yaml @@ -5,13 +5,15 @@ metadata: name: traefik-dashboard namespace: networking annotations: - kubernetes.io/ingress.class: "traefik" traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.tls: "true" + traefik.ingress.kubernetes.io/router.middlewares: "networking-rfc1918@kubernetescrd" spec: + ingressClassName: "traefik" tls: - - secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls" + - secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" rules: - - host: traefik.${SECRET_CLUSTER_DOMAIN} + - host: "traefik.${SECRET_CLUSTER_DOMAIN}" http: paths: - path: / diff --git a/cluster/apps/networking/traefik/helm-release.yaml b/cluster/apps/networking/traefik/helm-release.yaml index d46854eee..07d337279 100644 --- a/cluster/apps/networking/traefik/helm-release.yaml 
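Review bot: This adds a standalone `IngressClass` named `nginx` with `is-default-class: "false"`, but recent ingress-nginx chart versions create their own `IngressClass` resource (`controller.ingressClassResource`) and the chart version in use is not visible here; if both exist, Helm will refuse to adopt an object Kustomize already owns, or the two will overwrite each other. Either disable the chart's own resource or drop this file and set the chart value instead. A comment here stating that Traefik (`networking/traefik/ingressclass.yaml` in this commit) is now the default class would make the intent of `"false"` explicit.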
+++ b/cluster/apps/networking/traefik/helm-release.yaml @@ -17,9 +17,13 @@ spec: namespace: flux-system interval: 5m values: + image: + tag: 2.5.0-rc3 + deployment: - enabled: true - kind: DaemonSet + kind: Deployment + replicas: 3 + service: enabled: true type: LoadBalancer @@ -27,6 +31,7 @@ spec: externalIPs: - "${CLUSTER_LB_TRAEFIK}" externalTrafficPolicy: Local + logs: general: format: json @@ -34,22 +39,23 @@ spec: access: enabled: true format: json + ingressClass: - enabled: true - isDefaultClass: true - fallbackApiVersion: v1 + enabled: false + ingressRoute: dashboard: enabled: false + globalArguments: - "--api.insecure=true" - "--serverstransport.insecureskipverify=true" - "--providers.kubernetesingress.ingressclass=traefik" - - "--metrics.prometheus=true" - - "--metrics.prometheus.entryPoint=metrics" - "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8,192.168.0.0/16,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32" + additionalArguments: - "--providers.kubernetesingress.ingressendpoint.ip=${CLUSTER_LB_TRAEFIK}" + ports: traefik: expose: true @@ -63,17 +69,34 @@ spec: port: 8082 expose: true exposedPort: 8082 + tlsOptions: default: minVersion: VersionTLS12 maxVersion: VersionTLS13 sniStrict: true + pilot: enabled: true token: "${SECRET_TRAEFIK_PILOT_TOKEN}" + experimental: plugins: enabled: true + + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + podAffinityTerm: + labelSelector: + matchExpressions: + - key: app.kubernetes.io/name + operator: In + values: + - traefik + topologyKey: kubernetes.io/hostname + resources: requests: memory: 100Mi 
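Review bot: `image.tag: 2.5.0-rc3` pins a release candidate on the cluster's single edge proxy, so every Ingress in this commit now depends on pre-release code; unless a 2.5 feature is needed, a stable 2.4.x tag is the safer pin until 2.5.0 ships, and the reason for the rc should be recorded in a comment. Separately, moving from a DaemonSet to `replicas: 3` while the Service keeps `externalTrafficPolicy: Local` means a node that receives traffic for `${CLUSTER_LB_TRAEFIK}` but hosts no Traefik pod will drop it; the anti-affinity added below is only `preferred`, so one-pod-per-node is not guaranteed unless whatever announces that IP (not visible here) tracks local endpoints. Consider `requiredDuringSchedulingIgnoredDuringExecution` or a comment documenting that dependency.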
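Review bot: The `--metrics.prometheus=true` and `--metrics.prometheus.entryPoint=metrics` arguments are dropped here, yet the `prometheus-rules.yaml` added in this same commit alerts on `traefik_*` series under `job="traefik"`; if the chart's own `metrics.prometheus` values do not re-enable the exporter on the `metrics` port (still exposed below as 8082), `TraefikAbsent` will fire permanently, so please confirm or keep the two flags. The retained `--api.insecure=true` combined with `ports.traefik.expose: true` also puts the API/dashboard on the LoadBalancer Service itself, so the `networking-rfc1918` middleware added to the dashboard Ingress in this commit protects only the hostname route, not the `traefik` port on `${CLUSTER_LB_TRAEFIK}` — acceptable only if that IP is unreachable from untrusted networks, which I cannot see here. `--serverstransport.insecureskipverify=true` likewise stays global; the unifi backend is the only `serversscheme: https` user in this diff, so a dedicated ServersTransport would keep verification on everywhere else.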
diff --git a/cluster/apps/networking/traefik/ingressclass.yaml b/cluster/apps/networking/traefik/ingressclass.yaml new file mode 100644 index 000000000..f73c82059 --- /dev/null +++ b/cluster/apps/networking/traefik/ingressclass.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: IngressClass +metadata: + annotations: + ingressclass.kubernetes.io/is-default-class: "true" + name: traefik +spec: + controller: traefik.io/ingress-controller diff --git a/cluster/apps/networking/traefik/kustomization.yaml b/cluster/apps/networking/traefik/kustomization.yaml index f98382ac1..492e5ec53 100644 --- a/cluster/apps/networking/traefik/kustomization.yaml +++ b/cluster/apps/networking/traefik/kustomization.yaml @@ -3,7 +3,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - helm-release.yaml + - ingressclass.yaml - service-monitor.yaml - tls-store - dashboard - middlewares + - prometheus-rules.yaml diff --git a/cluster/apps/networking/traefik/middlewares/kustomization.yaml b/cluster/apps/networking/traefik/middlewares/kustomization.yaml index d6544e459..72fe67ddc 100644 --- a/cluster/apps/networking/traefik/middlewares/kustomization.yaml +++ b/cluster/apps/networking/traefik/middlewares/kustomization.yaml @@ -6,6 +6,7 @@ resources: - buffering-large.yaml - buffering-medium.yaml - buffering-small.yaml + - ratelimit.yaml - rfc1918.yaml - redirect-path.yaml - forward-auth.yaml diff --git a/cluster/apps/networking/traefik/middlewares/ratelimit.yaml b/cluster/apps/networking/traefik/middlewares/ratelimit.yaml new file mode 100644 index 000000000..c534fe0e8 --- /dev/null +++ b/cluster/apps/networking/traefik/middlewares/ratelimit.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: ratelimit + namespace: networking +spec: + rateLimit: + average: 10 + period: "10s" 
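Review bot: The new `ratelimit` middleware allows `average: 10` per `period: "10s"` — one request per second — and leaves `burst` at Traefik's default of 1, which is low enough that a single page load fetching several assets would be throttled if this is ever attached to a web UI; `burst: 50` alongside the average is a more usable starting point. The limiter also keys on the client address from `RemoteAddr` by default; with the websecure entrypoint trusting forwarded headers from what look like CDN ranges (traefik helm-release in this commit), every client arriving through that CDN would share one bucket unless `sourceCriterion.ipStrategy` is configured. Nothing in this diff references `networking-ratelimit@kubernetescrd` yet, so a comment naming the intended consumers (for example the `/api` Ingresses added here) would explain why it exists.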
diff --git a/cluster/apps/networking/traefik/prometheus-rules.yaml b/cluster/apps/networking/traefik/prometheus-rules.yaml new file mode 100644 index 000000000..4b8f48d10 --- /dev/null +++ b/cluster/apps/networking/traefik/prometheus-rules.yaml 
@@ -0,0 +1,72 @@ +--- +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + labels: + app: traefik + name: traefik.rules + namespace: networking +spec: + groups: + - name: traefik.rules + rules: + - alert: TraefikAbsent + annotations: + summary: "Traefik has disappeared from Prometheus service discovery." + description: "Ingresses will be down until the Traefik reverse proxy is back up." + expr: | + absent(up{job="traefik"}) + for: 5m + labels: + severity: critical + - alert: TraefikConfigError + annotations: + summary: "Traefik config error." + description: + "Traefik has failed to load the config file. Check Traefik + logs for exact parsing error." + expr: | + traefik_config_last_reload_failure{job="traefik"} == 1 + for: 5m + labels: + severity: critical + - alert: TraefikHighHttp4xxErrorRateService + annotations: + summary: "Traefik has a high HTTP 4xx error rate." + description: + "Traefik is reporting {{ $value | humanizePercentage }} of 4xx + errors on {{ $labels.exported_service }}" + expr: | + sum(rate(traefik_service_requests_total{code=~"4.*"}[1m])) by (exported_service) + / + sum(rate(traefik_service_requests_total[1m])) by (exported_service) + > .10 + for: 5m + labels: + severity: critical + - alert: TraefikHighHttp5xxErrorRateService + annotations: + summary: "Traefik has a high HTTP 5xx error rate." 
+ description: + "Traefik is reporting {{ $value | humanizePercentage }} of 5xx + errors on {{ $labels.exported_service }}" + expr: | + sum(rate(traefik_service_requests_total{code=~"5.*"}[1m])) by (exported_service) + / + sum(rate(traefik_service_requests_total[1m])) by (exported_service) + > .10 + for: 5m + labels: + severity: critical + - alert: TraefikTooManyRequest + annotations: + summary: "Traefik has too many open connections" + description: + "Traefik is reporting {{ $value }} of open connections on entrypoint + {{ $labels.entrypoint }}" + expr: | + avg(traefik_entrypoint_open_connections{job="traefik"}) + > 5 + for: 5m + labels: + severity: critical diff --git a/cluster/apps/networking/traefik/tls-store/default.yaml b/cluster/apps/networking/traefik/tls-store/default.yaml index 2e57282ad..e1044739a 100644 --- a/cluster/apps/networking/traefik/tls-store/default.yaml +++ b/cluster/apps/networking/traefik/tls-store/default.yaml @@ -6,4 +6,4 @@ metadata: namespace: networking spec: defaultCertificate: - secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls" + secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}" diff --git a/cluster/apps/networking/unifi/helm-release.yaml b/cluster/apps/networking/unifi/helm-release.yaml index 3d7e6016c..84bd8e541 100644 --- a/cluster/apps/networking/unifi/helm-release.yaml +++ b/cluster/apps/networking/unifi/helm-release.yaml 
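Review bot: `TraefikTooManyRequest` pages at `critical` when `avg(traefik_entrypoint_open_connections{job="traefik"}) > 5` for 5 minutes, which for a proxy fronting every app in this commit with three replicas could be a few idle browser tabs, so it is likely to fire continuously; pick a threshold from an observed baseline or downgrade to `severity: warning` until one is known. `TraefikHighHttp4xxErrorRateService` similarly treats 10% 4xx as critical, but the forward-auth and `/api` routers added in this commit will legitimately produce 401/403/404 traffic, so consider excluding auth codes (`code=~"4..",code!~"401|403"`) or lowering the severity. Both error-rate rules group by `exported_service`; that label name depends on how the ServiceMonitor relabels, which is not visible here, so verify it in Prometheus before relying on the alerts.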
@@ -10,59 +10,51 @@ spec: spec: # renovate: registryUrl=https://k8s-at-home.com/charts/ chart: unifi - version: 2.0.4 + version: 3.1.0 sourceRef: kind: HelmRepository name: k8s-at-home-charts namespace: flux-system interval: 5m values: - controllerType: deployment - strategy: - type: Recreate image: repository: jacobalberty/unifi tag: v6.2.26 pullPolicy: IfNotPresent - persistence: - enabled: true - existingClaim: unifi-config - timezone: "Europe/Paris" - runAsRoot: false + + env: + TZ: "Europe/Paris" + + service: + main: + annotations: + coredns.io/hostname: unifi + traefik.ingress.kubernetes.io/service.serversscheme: https + type: LoadBalancer + externalIPs: + - ${CLUSTER_LB_UNIFI} + externalTrafficPolicy: Local + ingress: - enabled: true - annotations: - kubernetes.io/ingress.class: "nginx" - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-medium@kubernetescrd - hosts: - - unifi.${SECRET_CLUSTER_DOMAIN} - guiService: - type: LoadBalancer - externalIPs: - - ${CLUSTER_LB_UNIFI} - externalTrafficPolicy: Local - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: tcp - controllerService: - type: LoadBalancer - externalIPs: - - ${CLUSTER_LB_UNIFI} - externalTrafficPolicy: Local - annotations: - prometheus.io/probe: "true" - prometheus.io/protocol: tcp - stunService: - type: LoadBalancer - externalIPs: - - ${CLUSTER_LB_UNIFI} - externalTrafficPolicy: Local - discoveryService: - type: LoadBalancer - externalIPs: - - ${CLUSTER_LB_UNIFI} - externalTrafficPolicy: Local + main: + enabled: true + ingressClassName: "traefik" + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-medium@kubernetescrd + hosts: + - host: "unifi.${SECRET_CLUSTER_DOMAIN}" + paths: + - path: / + tls: + - hosts: + - "unifi.${SECRET_CLUSTER_DOMAIN}" + + persistence: + data: + enabled: true + 
existingClaim: unifi-config + resources: requests: memory: 2Gi diff --git a/cluster/apps/data/forecastle/kustomization.yaml b/cluster/apps/secret-reflector/kustomization.yaml similarity index 63% rename from cluster/apps/data/forecastle/kustomization.yaml rename to cluster/apps/secret-reflector/kustomization.yaml index 34a8531ce..9afc39e39 100644 --- a/cluster/apps/data/forecastle/kustomization.yaml +++ b/cluster/apps/secret-reflector/kustomization.yaml @@ -1,4 +1,6 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - helm-release.yaml + - rbac.yaml + - secret-reflector.yaml diff --git a/cluster/apps/secret-reflector/rbac.yaml b/cluster/apps/secret-reflector/rbac.yaml new file mode 100644 index 000000000..4fecb428e --- /dev/null +++ b/cluster/apps/secret-reflector/rbac.yaml @@ -0,0 +1,40 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: secret-reflector +rules: + - apiGroups: [""] + resources: ["configmaps", "secrets"] + verbs: ["*"] + - apiGroups: [""] + resources: ["namespaces"] + verbs: ["watch", "list"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["watch", "list"] + - apiGroups: ["certmanager.k8s.io"] + resources: ["certificates", "certificates/finalizers"] + verbs: ["watch", "list"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificates/finalizers"] + verbs: ["watch", "list"] +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: secret-reflector + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: secret-reflector +roleRef: + kind: ClusterRole + name: secret-reflector + apiGroup: rbac.authorization.k8s.io +subjects: + - kind: ServiceAccount + name: secret-reflector + namespace: kube-system 
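Review bot: The old values set `runAsRoot: false`; the rewritten values for chart `3.1.0` carry no securityContext and no equivalent env, so if that key mapped to the `RUNAS_UID0` switch the jacobalberty/unifi image uses, the controller now runs as root by default — adding `env: RUNAS_UID0: "false"` plus a matching `podSecurityContext` would restore the previous posture, and is worth checking on the running pod. The `service.main` annotation `traefik.ingress.kubernetes.io/service.serversscheme: https` makes Traefik speak TLS to the controller, but that only works because of the global `--serverstransport.insecureskipverify=true` in the Traefik values, so the self-signed UniFi certificate is effectively unverified; a dedicated ServersTransport would scope that exception. The previous `controllerService`/`stunService`/`discoveryService` LoadBalancer entries are gone and only `service.main` remains, so whether the inform, STUN and discovery ports are still published on `${CLUSTER_LB_UNIFI}` now depends on the new chart's defaults — please confirm adopted devices can still reach the controller. The hunk starts on the previous line.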
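Review bot: The ClusterRole grants `verbs: ["*"]` on `secrets` and `configmaps` in every namespace, plus watch/list on CRDs and cert-manager Certificates, to a CronJob whose script (secret-reflector.yaml in this commit) only runs `kubectl get`/`apply`/`replace` on two named secrets in a fixed set of namespaces; delete/list/watch on all secrets cluster-wide is a large blast radius if that ServiceAccount token ever leaks. Trim the rules to what the script exercises — `get`, `create`, `update` (for `replace`) and `patch` (for `apply`) on `secrets` — and drop the configmaps and cert-manager entries, which nothing here uses. Since the destination namespaces are a fixed list, a RoleBinding per namespace (with a read-only Role in `networking`) would remove the need for any cluster-wide binding, though that is a larger change than the rule trim below.
```yaml
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get", "create", "update", "patch"]
# … unchanged: ServiceAccount and ClusterRoleBinding documents …
```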
diff --git a/cluster/apps/secret-reflector/secret-reflector.yaml b/cluster/apps/secret-reflector/secret-reflector.yaml new file mode 100644 index 000000000..2030b575d --- /dev/null +++ b/cluster/apps/secret-reflector/secret-reflector.yaml 
@@ -0,0 +1,49 @@ +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: secret-reflector + namespace: kube-system +spec: + schedule: "0 */12 * * *" + jobTemplate: + spec: + template: + spec: + serviceAccountName: secret-reflector + containers: + - name: secret-reflector + image: ghcr.io/k8s-at-home/kubectl:v1.22.0 + command: + - "/bin/sh" + - "-ec" + - | + set -o nounset + set -o errexit + + # space delimited secrets to copy + secrets="${SECRET_CLUSTER_CERTIFICATE_DEFAULT} regcred" + # source namespace to reflect secret from + namespace_source="networking" + # space delimited namespace where to reflect the secrets to + namespace_destination="data development home-automation kasten-io media monitoring rook-ceph" + for secret in $secrets; do + secret_source_content=$(/app/kubectl get secret $secret -n $namespace_source -o json | jq 'del(.metadata.managedFields, .metadata.creationTimestamp, .metadata.resourceVersion, .metadata.uid, .metadata.annotations)') + secret_source_checksum=$(printf '%s' "$secret_source_content" | jq 'del(.metadata.namespace)' | md5sum | awk '{ print $1 }') + for namespace in $namespace_destination; do + if /app/kubectl get secret $secret -n $namespace >/dev/null 2>&1; then + secret_dest_content=$(/app/kubectl get secret $secret -n $namespace -o json | jq 'del(.metadata.managedFields, .metadata.creationTimestamp, .metadata.resourceVersion, .metadata.uid, .metadata.annotations)') + secret_dest_checksum=$(printf '%s' "$secret_dest_content" | jq 'del(.metadata.namespace)' | md5sum | awk '{ print $1 }') + if [ "$secret_source_checksum" != "$secret_dest_checksum" ]; then + printf '%s' "$secret_source_content" | \ + jq -r --arg namespace $namespace '.metadata.namespace = $namespace' | \ + /app/kubectl replace -n $namespace -f - + fi + else + printf '%s' "$secret_source_content" | \ + jq -r --arg namespace $namespace '.metadata.namespace = $namespace' | \ + /app/kubectl apply -n $namespace -f - + fi + done + done + restartPolicy: OnFailure 
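Review bot: The script runs under `/bin/sh -ec` without `pipefail`, so in `secret_source_content=$(/app/kubectl get secret $secret -n $namespace_source -o json | jq …)` a failed `kubectl get` (missing secret, RBAC denial, API hiccup) is masked by jq's zero exit status and the loop proceeds to `replace`/`apply` with empty input, failing only there and skipping every remaining secret and namespace. Fetch and filter in two steps so `errexit` sees the real failure: `secret_source_json=$(/app/kubectl get secret "$secret" -n "$namespace_source" -o json)` then `secret_source_content=$(printf '%s' "$secret_source_json" | jq 'del(…)')`. A comment should also note that the `0 */12 * * *` schedule means a renewed certificate or a newly added namespace can lag up to twelve hours, and that Ingresses in this commit referencing `secretName: ${SECRET_CLUSTER_CERTIFICATE_DEFAULT}` may log missing-secret errors until the first run. The pod template carries no `securityContext` or `resources` for a job that holds cluster-wide secret rights; at least `runAsNonRoot: true` and a memory limit would be expected.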
diff --git a/cluster/base-custom/charts/kustomization.yaml b/cluster/base-custom/charts/kustomization.yaml index b7cd3ed96..be647fbf6 100644 --- a/cluster/base-custom/charts/kustomization.yaml +++ b/cluster/base-custom/charts/kustomization.yaml @@ -17,7 +17,6 @@ resources: - k8s-gateway-charts.yaml - kasten-charts.yaml - kubernetes-sigs-descheduler-charts.yaml - - mittwald-charts.yaml - node-feature-discovery.yaml - prometheus-community-charts.yaml - rook-ceph-charts.yaml diff --git a/cluster/base-custom/charts/mittwald-charts.yaml b/cluster/base-custom/charts/mittwald-charts.yaml deleted file mode 100644 index 82be3c285..000000000 --- a/cluster/base-custom/charts/mittwald-charts.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: source.toolkit.fluxcd.io/v1beta1 -kind: HelmRepository -metadata: - name: mittwald-charts - namespace: flux-system -spec: - interval: 1h - url: https://helm.mittwald.de./ - timeout: 3m diff --git a/cluster/base-custom/secrets/cluster-secrets.yaml b/cluster/base-custom/secrets/cluster-secrets.yaml index b0886a8d5..e35a8fca4 100644 --- a/cluster/base-custom/secrets/cluster-secrets.yaml +++ b/cluster/base-custom/secrets/cluster-secrets.yaml 
@@ -26,6 +26,7 @@ stringData: SECRET_BOOKSTACK_DB_ROOT_PASSWORD: ENC[AES256_GCM,data:4/o956Da0ckVLdxUqs1WWA==,iv:G8DddhYyMZKuGJyWnj+eOaNRiJm7oGetiIZlQgtRFEo=,tag:WX9+DDnA2UPm9nPRLYibXw==,type:str] SECRET_BOTKUBE_DISCORD_BOTID: ENC[AES256_GCM,data:bK1J9v+/Dajd9qrvz3lH49GY,iv:Hq6cY96Te1frwXVf3HC3qgOiaCZW2hHCqjVvvslUGFg=,tag:Dq0cUemHKfcdpx9hLkUekQ==,type:str] SECRET_BOTKUBE_DISCORD_TOKEN: ENC[AES256_GCM,data:pDPm3TYITWApPZRMcSH6ijtPQQuHSd/PNT2Wy23tUp7uzluhHS5hvlujTkjk7oRb95kE6Gi2D8yDmNg=,iv:HQyMQiaRsjNIfPUTjLRVL/zchSdXFmevxaeruwGx3tk=,tag:l+po8014SaZd61DxE1T43A==,type:str] + SECRET_CLUSTER_CERTIFICATE_DEFAULT: ENC[AES256_GCM,data:NlCiFO/3sseKI3fVzQ4ajeMOrg==,iv:seSVdR5wkR8sf/PKSy7T3P5oCkbJI4sMNC8XWSJUnh0=,tag:jSjCQVDNPQ7c8Dlg8yozPg==,type:str] SECRET_CLUSTER_DOMAIN_EMAIL: ENC[AES256_GCM,data:kiuNa+aDxNQwby0BorWtRylnjbWw,iv:0j20Vdux17muKzlO2Q3KzsZg9VrT411VoYxjqQC5xhQ=,tag:w7gCUgQFIlVdUFfHhB7pvQ==,type:str] SECRET_CLUSTER_DOMAIN_ROOT: ENC[AES256_GCM,data:ho+ylXKrt7CZiOM=,iv:8873E4Td/82lWVwq/kXkEB8vgxEYha23/nbTkXfle/w=,tag:Yb/VInyUUOPhLUtq+Q+krQ==,type:str] SECRET_CLUSTER_DOMAIN: ENC[AES256_GCM,data:mVPDuVpAXej8CQ0AO85o,iv:PF739I+LZMZaPpfCMZO62eMUbFqgtMszj2cOuIgfcfI=,tag:zEAjj33h/Ux53ctkCzapyw==,type:str] @@ -92,8 +93,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2021-08-06T12:33:06Z" - mac: ENC[AES256_GCM,data:kvUJdqOsMCa02I9GjZuxGdj/Y4GOEisrx5gMLrU6LeDb0qeUuqm3++8FhB38J4DTpitWxDivc8MBiYXFCgcQis7SRqPDGT+f/0scL0qCklsX0Q1PUOD9uG9M1ZBS+oo78i20rx5YJ6uv8M7SOVg4MwpG0HkNHuU9dPs1rUzQ4lY=,iv:f2wzA3gdagZsw4gTTDeenH8voLq9B4z5j5WbgBpLygQ=,tag:9+PRb5ch0J4qPC4gjgrjKw==,type:str] + lastmodified: "2021-08-09T07:16:35Z" + mac: ENC[AES256_GCM,data:BfNqHhc7m2OPJ2cYPOC0i/bLjAWGEGZiQE+oThTaKgj4+FQtmB/faWTkuMhHRjA5eHred2F0Gr7Dz0fvE4oVMegJTgixUhS2KM98+ndI3//ktC0WrSMUCRvnE4lw2ClFfkabYoz3ESahDbOwvvfYUthyc/+j0GFTYafMkxhflOQ=,iv:sjVKEM7Sh1j5ZrNcXKSuEXKG90qQgC0jlSK0ulte9k0=,tag:xLOAcGAN+lm98c3G8dCSmg==,type:str] pgp: - created_at: "2021-07-17T21:14:34Z" enc: | 
diff --git a/cluster/base-custom/secrets/kustomization.yaml b/cluster/base-custom/secrets/kustomization.yaml index 391f4f866..8829591d1 100644 --- a/cluster/base-custom/secrets/kustomization.yaml +++ b/cluster/base-custom/secrets/kustomization.yaml @@ -3,7 +3,4 @@ kind: Kustomization resources: - cluster-secrets.yaml - drone-pipelines.yaml - - regcred-data.yaml - - regcred-development.yaml - - regcred-media.yaml - - replicated.yaml + - regcred.yaml diff --git a/cluster/base-custom/secrets/regcred-data.yaml b/cluster/base-custom/secrets/regcred-data.yaml deleted file mode 100644 index bc68e788d..000000000 --- a/cluster/base-custom/secrets/regcred-data.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -kind: Secret -apiVersion: v1 -metadata: - name: regcred - namespace: data -type: kubernetes.io/dockerconfigjson -stringData: - .dockerconfigjson: ENC[AES256_GCM,data:Ez8e/N1OSqwrSp6tw3r8kslzr6bGQa+rrJweghKYx57klHSctExrzJu30Ans8ga9WGH0uYEKAOMcaEPCI9vZjP+vgewVrCF7eXU/qRhBpsF0iVTzPezZYoWoKTpet/kgXu6e1KYFViY84SYCMbet5ICERfkAScNSU92b1P9zxdi/mZw41kHTPM5vAxlDBtUt71aOO083dinSrYY4VuUk11BmduaZuj4=,iv:z8z5bZ0S/Dh8G3/F52nRNzvDBQ7/3lG3vu5RGLQXPEU=,tag:7gQKHiNRAQ9Fm6Z133NoGw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-07-17T21:37:34Z" - mac: ENC[AES256_GCM,data:5rck34eEAoRBYUpn38ZT48SK0Cn7KEp5DUJ5s+wBvO9Jp9Rw8bqjFk8iBKUqagQ1T6C5oeRmzpRjY0r4L1PDE2Ar9AEtiVEDsaGEWwupcORqZaja9XD4OVS0LCyVgyFQVGsQyun7a2AbV0tRekteugDCBb/cOaENzZO/1dGvJMA=,iv:x4aROnco8gv0YLWz0uJ8gl9g++RDbS6OHRJHM1GbChA=,tag:Znj3rk7+LErG2E6IE1Wq4A==,type:str] - pgp: - - created_at: "2021-07-17T21:25:02Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA6nQR2zACjUjAQ//TMhxKW9Fybga4mHBsr7lTNpq+/gXEbOGW892Q4Pbd9hi - g/9bzFcfZ7ndWAUIZBhfdvpa6c/Hre8878YdW7JwQq1xI7oLH8hL8Kj5kx/Pwhwy - Kx66gUoUwglpNurO5cNfXdJW9jY4Qyy+C98kQH3+ADQMpWcy3ofGlPt0zT284bP5 - 6bP65A1R5UeOxPodJszDxfMSoV9xt39fjsOUZ8ZmpDs9IDdtx1hDMuAqEkysW6f1 - jChypr/kYDttOOuWYeFLL0yEWOKUp1WLs45TwQPSod6Zdj2+r2N/7379Cx7krcCM - af0aS50J7l405Q/9bfKUVRB+xkfFLz/+mzVz606vG/MKqCJyBpPxeOngR96cqFcr - DgxJZgXvHsXogKBTaXxoKNsaeyVpE00/pEo4CTJY2sZqce/eBJaj1olyBh4K3YAd - H1CFK2ExfoKFwdnX0T8SM/IPpCfRPNPtbgMUiOpLRVkaH1f4dNq84jKKnpHtDVfr - cao2uSHN2yBOql7gUOToroTs6blOmmwkHlnToB5RGuFxU2P8QWcYftk1w1Iv7rtC - Z8FBLbXDJJPfhJ4XTOi52BGZkdYpys/mtp8l7qTSG0blLzADa8RuOEy15sYZ5mFQ - RH7G2XL63QCCXXnLP3RDMf7jKC6BgBljaOIlvv3GY3sqFfiWj15Olxe/E63NlNLS - XgEHrdlbPTCx96tQ2qgFyrNal2gFq2PEJ+k11cQs7FxrQsIVbI4w410FrEvcEm/n - fG2EFIC0qpT3ryBp/mIprwMRzKPvd5qctsziMsE3aRuU+uCeukvIxSq7YVrzYYA= - =8Czp - -----END PGP MESSAGE----- - fp: 19B850FBA7685A526CF11E5F9BBE834259976EE8 - - created_at: "2021-07-17T21:25:02Z" - enc: | - -----BEGIN PGP 
MESSAGE----- - - hQIMA98IrODHuiZ9ARAAqlACQXKtlWDm7JQ7XpXQA+N+rRM5OnvAvu+eln32V3SJ - 56hdIbJQOE36mB0w8baYIk7sWcDxiuajyzQgWVRpew308Lu78ml2mr2qvTbEQoZh - EKMRH67smnVzSxMqnYlKC9V5jjs3zQySKFlb+RiNiXMBp9K9XIkI7syTnxsN50v8 - ZfdG0zhG42I2NnqE2SFRHIwYhW6iRUTY7ZFD63uZq7JiPGcy5vp+8xyLTfe935a6 - /heWrUme81eGJuoPnfx2a7cpccpqnnwGlB+VMjhoeO2A9YysMCjQcW7+WsWwmRTe - mFo+gsWX5sFi4l4G8bsxV/Z3zc3Li7+c74XqkAepzbOUZrLhM4Fl6TGUW052e+uh - pFcYa9mxkqTYb61/3SUJK2eQd6a4Fj8Krzh2Z1WWymRYQytyy+SOBzeFy3SEXshv - Z0MUdL/v+VndGpoFljdZYhZRuUDLfgOlciYpAgxLvnHM71W2LNusbxEI+OZ0GwdU - v54wJEUtEaMAYMb/H0yzm/bqgV/t42ip9gUsvKKvkzNZm3jT3LuY2moqkIsFXVNj - IFOuPL1xxTUlkBZ+EaHOMRmtJq3NGsYVebkBQEhojdXOyZCGlPEcis5NasWMpIFO - tPPYao7d680ZDa5nM4JORKKaMtsNPFnUkGHg00GrkRec29UoJJqLLWS7z5zEWzPS - XgGc2zsbBDRp1VdKRjheTY+Vgi8oci6ZsNC9U2SvfIh9YGOKVBUCcRlxVS3Xb7hs - 09Ukr5k/yny0H6edpJ2ImZcn4KTnFhELqKXbbdUBmQ8e5xPUBX5BeemIwDLXAu0= - =4LIz - -----END PGP MESSAGE----- - fp: 5749D0AE39445C1CCA6006DF8913091C690BDD69 - encrypted_regex: ^(data|stringData)$ - version: 3.7.1 diff --git a/cluster/base-custom/secrets/regcred-development.yaml b/cluster/base-custom/secrets/regcred-development.yaml deleted file mode 100644 index e8941476a..000000000 --- a/cluster/base-custom/secrets/regcred-development.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -kind: Secret -apiVersion: v1 -metadata: - name: regcred - namespace: development -type: kubernetes.io/dockerconfigjson -stringData: - .dockerconfigjson: ENC[AES256_GCM,data:HfEH30Dis81WFXJ2bAbKPVUmHTkqcpPB7bLm1Zn1f0ELUJzD2Z8JGJ7xOBcfJR9CvzUma9gLYlrz1J8moy4B2n/hIGQFySN4zKR3iDjHNFLJo+HcRn2rONzfKX0lTFZ4YXWhw6Rlx3j0MZ7OFBnhI2I5kyfEyYcc1Xqq4c8++GosYCG4lwTrwFjmTeCo9BoTvOphgnkC5NuihDQ/UiHV9/po9zeQO/I=,iv:3XqfPFv3Rc7g8W7Bk1Q0n945mPvQTqkLX4yWh9CfLyc=,tag:l+LpDfWt1K5uRfBbM71DhQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2021-07-19T12:09:05Z" - mac: ENC[AES256_GCM,data:WAteda2YTX0sgGtNJX/QI5bNBCBGdv+lSMM2gyoZfzmRS6Uj5Y7pPHf7EScqGcou8ZfEcGdJG/lA9A7hONETAf+2fKdn9g7FM7cVvh493+wLr8drtJMu/mqqP3A72tbhi6PMtmUHAtF2+gNyYak1QAmvEfO/+cAJC4TfxXaBsZ4=,iv:0PUuKI1qewENzW0KTq+Cm9LpdJ60OvhZ1CEqZXvH/tI=,tag:fWLUbqnV5FGqkVucFBciaw==,type:str] - pgp: - - created_at: "2021-07-17T21:25:06Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA6nQR2zACjUjAQ/9G4rlzO+Mf9NXs5jwGf+yuj0VM3SWl9Rz7kEAFdnEhYNG - RWBu/lpg6ipIBAIramz1hV4NQPraoEEO/OwEwj0Bez88ydt3a7CxMFyu2q+pNjvi - QIrQuM+3J3dM8l5qVh3/5r81QvSb/g+USgYIGhbd9jABxBzglnb3GYA+KBgWncsp - PVaBG5t3+7jd2FbKd+6fzYkMiW1kZmK4/3P2etoDFR4bgoADck0Coy9Y155QAlnk - /AYVwS6IIZ8+BUwwT+gOk8V9QJRwcKFFo9TJ2gmnkNb5MbXgX7DEKwGPIegEUyKY - Ex9x+yEdfy5dlsJ7TE4C5olk4yOEnXfhxUeiMD6myEJjVM9SjP3A7DK+/f/E6+9Q - MAMFxxHaKGLu2wRmUPMWH78VhVLExgq7P9l8YGMEKch32wdwo4b4295mLe+AtXlw - z3vWLx1PYU+l0sJ8leVZtd//547NbLxtUGYhI+5ozzxaL8Hwps5fWbcmXLWaz8Dr - Lj1zwatetd1Loc0OZFR90giQVl9JREHK9QlARAFnIMnu7eKZlln/TnF7MjdgAuD4 - 2diAocyU+X7PZty+oWbi56LQE90Vr01MBO/wsvUUETZ+6sAEYB805EKpGj+r432H - /WPx2Yedn9HAE8ZPIRedYK5gXh8867mA3XCw6sd9ELI67BWiqdveR1jeKreFPJjS - XgHx9krMM0IcX2V0rT0nJea8m3M+b6ZpvdBicmfjTCBxrnAgMnbOGuzwoUGNePX2 - IZtgHNvqEaQfEONDtIJM6gtY6soJJxQ790w+FmTGs7av4o0IHgT4xqZRhDZSF/8= - =p08Q - -----END PGP MESSAGE----- - fp: 19B850FBA7685A526CF11E5F9BBE834259976EE8 - - created_at: "2021-07-17T21:25:06Z" - enc: | - 
-----BEGIN PGP MESSAGE----- - - hQIMA98IrODHuiZ9ARAArzhyppi7wq055mnLiBm3CG1JUIELebfLwyD4Xj46Rjq4 - cRZAeRKSM/MjUT0G8RuhssaJPoI2uNtZT9z3+qIZDUoCHLt8horo147oMzN7RqVW - VjEbO63Tiv253Jles3lax5eCmO0f88frzOqs4IqSluYWL1AlKkA6zGZuEhysasHk - RtZh2jWe7/ZBP8gICgTaPv/ptIWF4mJYcK2rD9mM3PeZ1oBVfwVhsxumGISo9hEm - oDtfFqTaX+nDRcjofIp/u85Jt3SrD+NCyCyBUzoprs5npPlLcy/cjrQ1HCxrOSxh - fzGo90CWg0TqSFx545CiTxT6wJzRVsLspP662/nV1wHXOu3fO1IqAjWsmDk66oBp - A4tgE8eDo7NA849VmsUkNfdgFOiFFBW8TolHZUJHbV4BomWK1KXJuRRAqIdg620Y - oDjHClWLpJTpkhlN+GhU0AojXWEYnpQhDApqrFnpQECEjOUuu643JSjDOj/kY/IJ - 0DeveaBy9clylq8G+SMXSKt/LivATquvuMzsDnLzy+SYjnOsjpIL/JNdFH5uWqm7 - 1erIyM9Ix7cIAzk4qm/5M3smy/7p+eOMlqFgRrN+fbt54uSbW+7BamjTCPsXnqk5 - 0zHMdf6BHC1QKgOH24jhPFUATiJeY4fJBPIJF+orbWlBTBrFFp3h6W12HdHUG83S - XgHN9EqRP9PC1n+F3Ni4VVVfx5kBr4g5tyrGhpSgYNJqSdIQCdaWySsTVLs2D4Xr - 69Bdc0tBQv5aCyU4g2PT2CDYjLrPFxImCcyr/JeZd2x44scuHUqjAl/plihSmes= - =cyE+ - -----END PGP MESSAGE----- - fp: 5749D0AE39445C1CCA6006DF8913091C690BDD69 - encrypted_regex: ^(data|stringData)$ - version: 3.7.1 diff --git a/cluster/base-custom/secrets/regcred-media.yaml b/cluster/base-custom/secrets/regcred.yaml similarity index 89% rename from cluster/base-custom/secrets/regcred-media.yaml rename to cluster/base-custom/secrets/regcred.yaml index 4e9d98ec1..3a151e400 100644 --- a/cluster/base-custom/secrets/regcred-media.yaml +++ b/cluster/base-custom/secrets/regcred.yaml @@ -2,7 +2,7 @@ kind: Secret apiVersion: v1 metadata: name: regcred - namespace: media + namespace: networking type: kubernetes.io/dockerconfigjson stringData: .dockerconfigjson: ENC[AES256_GCM,data:HfEH30Dis81WFXJ2bAbKPVUmHTkqcpPB7bLm1Zn1f0ELUJzD2Z8JGJ7xOBcfJR9CvzUma9gLYlrz1J8moy4B2n/hIGQFySN4zKR3iDjHNFLJo+HcRn2rONzfKX0lTFZ4YXWhw6Rlx3j0MZ7OFBnhI2I5kyfEyYcc1Xqq4c8++GosYCG4lwTrwFjmTeCo9BoTvOphgnkC5NuihDQ/UiHV9/po9zeQO/I=,iv:3XqfPFv3Rc7g8W7Bk1Q0n945mPvQTqkLX4yWh9CfLyc=,tag:l+LpDfWt1K5uRfBbM71DhQ==,type:str] 
@@ -12,8 +12,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2021-07-17T23:05:26Z"
- mac: ENC[AES256_GCM,data:ECbE73I+IwPsfekBj6oar9zob0xomHSrTBqav47NeLo/fl6zw3gBIdRu4uCT8rk5i53SPCR7RELdwjfCKAgMBRFmLqoFPIi81dO5O2dG5SnwzjYakYY8Arj0uA6aQkIYOPmkSg543W91iYNK0m7LHDwVYjSD2ibhwO3cs0yluH0=,iv:2RAFdbfihliQoRQfj9D6jZpcOlN649ate3UCI2yTZks=,tag:saEIAzXsMpI0V6slQg3Cng==,type:str]
+ lastmodified: "2021-08-09T14:19:09Z"
+ mac: ENC[AES256_GCM,data:dDz9VfodCTZWDvMZGU40zRoxOhd2P/0AjRTs5p/wwFjRVw/QjVwSRQ5hcf/BhbKMIAG2xa1k4UWE3bkymf/g4avtwejAJVz69gUPe+RVqNVsEuG1YXJYVG7lPd+gzOPwH2wo0zr0+LX6+D9IaKPeQ2Sngyxl7ITRRoxVizbJzK0=,iv:CuFQyDTRH8CW0ysqsAWERPkGC3wk9Taclq7oG5XUyMo=,tag:e7f7IrLDMt7mCzXCfT/DwA==,type:str]
 pgp:
 - created_at: "2021-07-17T21:25:06Z"
 enc: |
diff --git a/cluster/base-custom/secrets/replicated.yaml b/cluster/base-custom/secrets/replicated.yaml
deleted file mode 100644
index 9308456c6..000000000
--- a/cluster/base-custom/secrets/replicated.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: cluster-secrets
- namespace: development
- annotations:
- replicator.v1.mittwald.de/replicate-from: flux-system/cluster-secrets
-data: {}
-type: Opaque
diff --git a/cluster/core/kube-system/kubernetes-replicator/helm-release.yaml b/cluster/core/kube-system/kubernetes-replicator/helm-release.yaml
deleted file mode 100644
index 96a5b3896..000000000
--- a/cluster/core/kube-system/kubernetes-replicator/helm-release.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
- name: kubernetes-replicator
- namespace: kube-system
-spec:
- interval: 5m
- chart:
- spec:
- # renovate: registryUrl=https://helm.mittwald.de/
- chart: kubernetes-replicator
- version: 2.6.3
- sourceRef:
- kind: HelmRepository
- name: mittwald-charts
- namespace: flux-system
- interval: 5m
- values:
- grantClusterAdminto: true
diff --git a/cluster/core/kube-system/kubernetes-replicator/kustomization.yaml b/cluster/core/kube-system/kubernetes-replicator/kustomization.yaml
deleted file mode 100644
index 34a8531ce..000000000
--- a/cluster/core/kube-system/kubernetes-replicator/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - helm-release.yaml
diff --git a/cluster/core/kube-system/kustomization.yaml b/cluster/core/kube-system/kustomization.yaml
index 1cdb397b2..4ae9e6df3 100644
--- a/cluster/core/kube-system/kustomization.yaml
+++ b/cluster/core/kube-system/kustomization.yaml
@@ -5,7 +5,6 @@ resources:
 - coredns-nodecache
 - descheduler
 - intel-gpu-plugin
- - kubernetes-replicator
 - kured
 - node-feature-discovery
 - reloader
diff --git a/cluster/core/rook-ceph/dashboard/ingress.yaml b/cluster/core/rook-ceph/dashboard/ingress.yaml
index ee673987b..196ab3061 100644
--- a/cluster/core/rook-ceph/dashboard/ingress.yaml
+++ b/cluster/core/rook-ceph/dashboard/ingress.yaml
@@ -5,12 +5,12 @@ metadata:
 name: rook-ceph-mgr-dashboard
 namespace: rook-ceph
 annotations:
- kubernetes.io/ingress.class: "nginx"
 traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
 labels:
 app.kubernetes.io/instance: rook-ceph-mgr-dashboard
 app.kubernetes.io/name: rook-ceph-mgr-dashboard
 spec:
+ ingressClassName: "traefik"
 rules:
 - host: "rook.${SECRET_CLUSTER_DOMAIN}"
 http:
@@ -22,3 +22,7 @@ spec:
 name: rook-ceph-mgr-dashboard
 port:
 name: http-dashboard
+ tls:
+ - hosts:
+ - "rook.${SECRET_CLUSTER_DOMAIN}"
+ secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
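Review bot: The new `tls` block in the rook-ceph ingress hunk points `secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"` at a Secret that must exist in the `rook-ceph` namespace, because Ingress TLS references cannot cross namespaces; nothing in this diff creates or copies that Secret there, and with the replicator removed in the other hunks there is no longer a mechanism on the page that would. If the Secret is absent, Traefik does not reject the Ingress but serves its built-in default certificate, so the dashboard would come up with a certificate warning instead of a visible reconcile error; checking that the substituted name resolves in `rook-ceph` after the first sync is worth doing. Also, with `router.entrypoints: "websecure"` as the only entrypoint, plain-HTTP requests for `rook.${SECRET_CLUSTER_DOMAIN}` are not handled by this router at all — whether they are redirected depends on entrypoint-level Traefik configuration that is not visible here, so a one-line comment above the annotation stating where the HTTP-to-HTTPS redirect lives would help the next reader.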