fix: traefik
@@ -20,8 +20,21 @@ spec:
|
||||
image:
|
||||
repository: ghcr.io/linuxserver/bookstack
|
||||
pullPolicy: IfNotPresent
|
||||
# Overrides the image tag whose default is the chart appVersion.
|
||||
tag: "version-v21.05.4"
|
||||
|
||||
env:
|
||||
APP_URL: https://bookstack.${SECRET_CLUSTER_DOMAIN}/
|
||||
DB_HOST: bookstack-mariadb
|
||||
DB_DATABASE: bookstack
|
||||
DB_USERNAME: bookstack
|
||||
DB_PASSWORD: ${SECRET_BOOKSTACK_DB_PASSWORD}
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
mountPath: /config
|
||||
existingClaim: bookstack-config
|
||||
|
||||
mariadb:
|
||||
enabled: true
|
||||
image:
|
||||
@@ -36,34 +49,25 @@ spec:
|
||||
persistence:
|
||||
enabled: true
|
||||
existingClaim: bookstack-db
|
||||
env:
|
||||
APP_URL: https://bookstack.${SECRET_CLUSTER_DOMAIN}/
|
||||
DB_HOST: bookstack-mariadb
|
||||
DB_DATABASE: bookstack
|
||||
DB_USERNAME: bookstack
|
||||
DB_PASSWORD: ${SECRET_BOOKSTACK_DB_PASSWORD}
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "Bookstack"
|
||||
forecastle.stakater.com/icon: "https://yunohost.org/user/images/logo-bookstack.png?height=80?height=80"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: bookstack.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
mountPath: /config
|
||||
existingClaim: bookstack-config
|
||||
tls:
|
||||
- hosts:
|
||||
- "bookstack.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
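Review bot: The `env` block moved to the top of `values` in the first hunk still carries its secret substitutions unquoted (`DB_PASSWORD: ${SECRET_BOOKSTACK_DB_PASSWORD}`), even though this commit quotes the substituted ingress hosts. If these variables are filled in by Flux post-build substitution, as the `${...}` syntax suggests, a value that is all digits or starts with a YAML indicator is retyped or breaks parsing once substituted; `DB_PASSWORD: "${SECRET_BOOKSTACK_DB_PASSWORD}"` avoids that. The same applies to `POSTGRES_PASSWORD` in the joplin section, `SECRET_KEY` in recipes, and `ADMIN_TOKEN` and `SMTP_PASSWORD` in vaultwarden. Separately, secrets written into `values` are stored in clear in the HelmRelease object, so moving them to a Secret referenced through `valuesFrom` would keep them out of anything readable with plain `get helmrelease` rights.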
|
||||
|
@@ -1,44 +0,0 @@
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: forecastle
|
||||
namespace: data
|
||||
spec:
|
||||
interval: 5m
|
||||
chart:
|
||||
spec:
|
||||
# renovate: registryUrl=https://stakater.github.io/stakater-charts
|
||||
chart: forecastle
|
||||
version: v1.0.65
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: stakater-charts
|
||||
namespace: flux-system
|
||||
interval: 5m
|
||||
values:
|
||||
forecastle:
|
||||
config:
|
||||
title: "Healthchecks"
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- data
|
||||
- development
|
||||
- home
|
||||
- media
|
||||
- networking
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd
|
||||
hosts:
|
||||
- host: home.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- /
|
||||
- host: services.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- /
|
@@ -17,32 +17,34 @@ spec:
|
||||
namespace: flux-system
|
||||
interval: 5m
|
||||
values:
|
||||
controllerType: deployment
|
||||
strategy:
|
||||
type: Recreate
|
||||
image:
|
||||
repository: freshrss/freshrss
|
||||
tag: 1.18.1
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
env:
|
||||
TZ: Europe/Paris
|
||||
CRON_MIN: "18,48"
|
||||
DOMAIN: "https://freshrss.${SECRET_CLUSTER_DOMAIN}/"
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
mountPath: /var/www/FreshRSS/data
|
||||
existingClaim: freshrss-config
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "FreshRSS"
|
||||
forecastle.stakater.com/icon: "https://raw.githubusercontent.com/FreshRSS/FreshRSS/edge/docs/img/FreshRSS-logo.png"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: freshrss.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
@@ -51,11 +53,8 @@ spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- "freshrss.${SECRET_CLUSTER_DOMAIN}"
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
mountPath: /var/www/FreshRSS/data
|
||||
existingClaim: freshrss-config
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 50m
|
||||
|
@@ -21,20 +21,39 @@ spec:
|
||||
repository: b4bz/homer
|
||||
tag: 21.07.1
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
env:
|
||||
TZ: "Europe/Paris"
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
mountPath: /www/assets
|
||||
existingClaim: homer-config
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd
|
||||
hosts:
|
||||
- host: homer.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "homer.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "homer.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
||||
addons:
|
||||
codeserver:
|
||||
enabled: true
|
||||
@@ -51,21 +70,19 @@ spec:
|
||||
- "/www/assets/.vscode"
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd
|
||||
hosts:
|
||||
- host: homer-config.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "homer-config.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "homer-config.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /www/assets
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
mountPath: /www/assets
|
||||
existingClaim: homer-config
|
||||
|
@@ -22,17 +22,6 @@ spec:
|
||||
tag: 2.2.10
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
controllerType: deployment
|
||||
|
||||
strategy:
|
||||
type: Recreate
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: tcp
|
||||
|
||||
env:
|
||||
APP_BASE_URL: https://joplin.${SECRET_CLUSTER_DOMAIN}
|
||||
APP_PORT: 22300
|
||||
@@ -43,14 +32,24 @@ spec:
|
||||
POSTGRES_USER: joplin
|
||||
POSTGRES_PASSWORD: ${SECRET_JOPLIN_DB_PASSWORD}
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: tcp
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: joplin.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "joplin.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "joplin.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
@@ -4,7 +4,6 @@ kind: Kustomization
|
||||
resources:
|
||||
- namespace.yaml
|
||||
- bookstack
|
||||
- forecastle
|
||||
- freshrss
|
||||
- homer
|
||||
- jobs
|
||||
|
@@ -17,32 +17,40 @@ spec:
|
||||
namespace: flux-system
|
||||
interval: 5m
|
||||
values:
|
||||
strategy:
|
||||
type: Recreate
|
||||
image:
|
||||
repository: dpage/pgadmin4
|
||||
tag: 5.5
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
env:
|
||||
email: ${SECRET_PGADMIN_EMAIL}
|
||||
password: ${SECRET_PGADMIN_PASSWORD}
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/client-body-buffer-size: "50m"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "50m"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-medium@kubernetescrd
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "pgAdmin"
|
||||
forecastle.stakater.com/icon: "https://bitnami.com/assets/stacks/postgresql/img/postgresql-stack-110x117.png"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: pgadmin.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
persistentVolume:
|
||||
enabled: true
|
||||
existingClaim: pgadmin-config
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-medium@kubernetescrd
|
||||
hosts:
|
||||
- host: "pgadmin.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "pgadmin.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
postRenderers:
|
||||
- kustomize:
|
||||
patchesJson6902:
|
||||
- target:
|
||||
kind: Ingress
|
||||
name: pgadmin-pgadmin4
|
||||
patch:
|
||||
- op: add
|
||||
path: /spec/ingressClassName
|
||||
value: traefik
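Review bot: The new `ingress` block for pgAdmin attaches only `networking-buffering-medium@kubernetescrd`, so a database administration console is published on `websecure` behind nothing but its own login form. The homer and frigate sections of this commit use `networking-forward-auth@kubernetescrd`; if that middleware is meant to guard admin tools, chain it here as well: `traefik.ingress.kubernetes.io/router.middlewares: "networking-forward-auth@kubernetescrd,networking-buffering-medium@kubernetescrd"`. The middleware definitions are not part of this page, so confirm the names and namespace before applying.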
|
||||
|
@@ -17,13 +17,11 @@ spec:
|
||||
namespace: flux-system
|
||||
interval: 5m
|
||||
values:
|
||||
controllerType: deployment
|
||||
strategy:
|
||||
type: Recreate
|
||||
image:
|
||||
repository: vabene1111/recipes
|
||||
tag: 0.16.7
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
env:
|
||||
SECRET_KEY: ${SECRET_RECIPES_SECRET_KEY}
|
||||
DEBUG: "0"
|
||||
@@ -39,33 +37,13 @@ spec:
|
||||
FRACTION_PREF_DEFAULT: "0"
|
||||
COMMENT_PREF_DEFAULT: "1"
|
||||
SHOPPING_MIN_AUTOSYNC_INTERVAL: "5"
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
sidecar:
|
||||
image:
|
||||
repository: nginx
|
||||
tag: 1.21.1
|
||||
pullPolicy: IfNotPresent
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/client-body-buffer-size: "10m"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-small@kubernetescrd
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "Recipes"
|
||||
forecastle.stakater.com/icon: "https://raw.githubusercontent.com/vabene1111/recipes/develop/docs/logo_color.svg"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: recipes.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
persistence:
|
||||
media:
|
||||
enabled: true
|
||||
@@ -74,3 +52,26 @@ spec:
|
||||
static:
|
||||
enabled: true
|
||||
type: emptyDir
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-small@kubernetescrd
|
||||
hosts:
|
||||
- host: "recipes.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "recipes.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
@@ -207,19 +207,20 @@ kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "Resilio Sync"
|
||||
forecastle.stakater.com/icon: "https://avatars.githubusercontent.com/u/12284211?s=200&v=4"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
labels:
|
||||
app.kubernetes.io/instance: resilio-sync
|
||||
app.kubernetes.io/name: resilio-sync
|
||||
name: resilio-sync
|
||||
namespace: data
|
||||
spec:
|
||||
ingressClassName: "nginx"
|
||||
ingressClassName: "traefik"
|
||||
tls:
|
||||
- hosts:
|
||||
- "resilio-sync-claude.${SECRET_CLUSTER_DOMAIN}"
|
||||
- "resilio-sync-helene.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
rules:
|
||||
- host: resilio-sync-claude.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "resilio-sync-claude.${SECRET_CLUSTER_DOMAIN}"
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
@@ -229,7 +230,7 @@ spec:
|
||||
name: resilio-sync
|
||||
port:
|
||||
number: 8888
|
||||
- host: resilio-sync-helene.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "resilio-sync-helene.${SECRET_CLUSTER_DOMAIN}"
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
|
@@ -22,44 +22,9 @@ spec:
|
||||
tag: 1.8.0
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
controllerType: deployment
|
||||
|
||||
strategy:
|
||||
type: Recreate
|
||||
|
||||
persistence:
|
||||
sharry-config:
|
||||
enabled: "false"
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
args:
|
||||
- "/opt/sharry.conf"
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/client-body-buffer-size: "2048m"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "2048m"
|
||||
nginx.ingress.kubernetes.io/proxy-buffering: "off"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-large@kubernetescrd
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "Sharry"
|
||||
forecastle.stakater.com/icon: "https://raw.githubusercontent.com/eikek/sharry/master/artwork/icon.png"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: sharry.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
config: |
|
||||
sharry.restserver {
|
||||
base-url = "https://sharry.${SECRET_CLUSTER_DOMAIN}"
|
||||
@@ -135,3 +100,30 @@ spec:
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
persistence:
|
||||
sharry-config:
|
||||
enabled: "false"
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-large@kubernetescrd
|
||||
hosts:
|
||||
- host: "sharry.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "sharry.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
@@ -21,6 +21,7 @@ spec:
|
||||
repository: vaultwarden/server
|
||||
tag: 1.22.2
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
env:
|
||||
DOMAIN: "https://vaultwarden.${SECRET_CLUSTER_DOMAIN}/"
|
||||
ADMIN_TOKEN: ${SECRET_VAULTWARDEN_ADMIN_TOKEN}
|
||||
@@ -36,23 +37,26 @@ spec:
|
||||
SMTP_SSL: "true"
|
||||
SMTP_USERNAME: ${SECRET_SMTP_USERNAME}
|
||||
SMTP_PASSWORD: ${SECRET_VAULTWARDEN_SMTP_PASSWORD}
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
existingClaim: vaultwarden-data
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: tcp
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "Vaultwarden"
|
||||
forecastle.stakater.com/icon: "https://image.winudf.com/v2/image1/Y29tLng4Yml0LmJpdHdhcmRlbl9pY29uXzE1OTM0NTk3NDNfMDA2/icon.png?fakeurl=1&h=120"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: vaultwarden.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "vaultwarden.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
@@ -61,11 +65,12 @@ spec:
|
||||
- path: /notifications/hub
|
||||
pathType: Prefix
|
||||
servicePort: 3012
|
||||
- host: bitwarden.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "bitwarden.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
existingClaim: vaultwarden-data
|
||||
tls:
|
||||
- hosts:
|
||||
- "vaultwarden.${SECRET_CLUSTER_DOMAIN}"
|
||||
- "bitwarden.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
@@ -22,10 +22,14 @@ spec:
|
||||
tag: 2.4.3-alpine
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
controllerType: deployment
|
||||
postgresql:
|
||||
enabled: false
|
||||
|
||||
strategy:
|
||||
type: Recreate
|
||||
persistence:
|
||||
files:
|
||||
enabled: true
|
||||
existingClaim: vikunja-files
|
||||
mountpath: /app/vikunja/files
|
||||
|
||||
service:
|
||||
main:
|
||||
@@ -35,6 +39,22 @@ spec:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: "vikunja.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "vikunja.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
||||
additionalContainers:
|
||||
- name: api
|
||||
image: vikunja/api:0.17.1
|
||||
@@ -56,28 +76,3 @@ spec:
|
||||
mountPath: /app/vikunja/files
|
||||
- name: frontend
|
||||
image: vikunja/frontend:0.17.0
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "Vikunja"
|
||||
forecastle.stakater.com/icon: "https://vikunja.io/docs/images/vikunja-logo-white.svg"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: vikunja.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
persistence:
|
||||
files:
|
||||
enabled: true
|
||||
existingClaim: vikunja-files
|
||||
mountpath: /app/vikunja/files
|
||||
|
||||
postgresql:
|
||||
enabled: false
|
||||
|
@@ -21,6 +21,7 @@ spec:
|
||||
# Upgrading the wallabag version generally requires a migration.
|
||||
# see https://doc.wallabag.org/en/admin/upgrade.html
|
||||
tag: 2.4.2
|
||||
|
||||
env:
|
||||
SYMFONY__ENV__DATABASE_DRIVER: pdo_pgsql
|
||||
SYMFONY__ENV__DATABASE_HOST: postgresql-kube.data.svc.cluster.local.
|
||||
@@ -34,33 +35,7 @@ spec:
|
||||
SYMFONY__ENV__FOSUSER_REGISTRATION: "false"
|
||||
SYMFONY__ENV__FOSUSER_CONFIRMATION: "false"
|
||||
POPULATE_DATABASE: "false"
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
service:
|
||||
main:
|
||||
ports:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "Wallabag"
|
||||
forecastle.stakater.com/icon: "https://cdnx.nextinpact.com/compress/850-412/data-next/images/bd/wide-linked-media/545.jpg"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: wallabag.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
persistence:
|
||||
images:
|
||||
enabled: true
|
||||
existingClaim: wallabag-images
|
||||
|
||||
redis:
|
||||
enabled: true
|
||||
clusterDomain: ${CLUSTER_DOMAIN}
|
||||
@@ -69,3 +44,34 @@ spec:
|
||||
replicaCount: 0
|
||||
persistence:
|
||||
enabled: false
|
||||
|
||||
persistence:
|
||||
images:
|
||||
enabled: true
|
||||
existingClaim: wallabag-images
|
||||
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
|
||||
service:
|
||||
main:
|
||||
ports:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: "wallabag.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "wallabag.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
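Review bot: The block re-added in the last hunk keeps `securityContext: runAsUser: 0`, so the wallabag container still runs as root while being moved behind a new ingress controller, and nothing in the file says why. If the image genuinely needs root at start-up, record that next to the setting, for example `# root required by the image entrypoint (confirm); drop once a non-root UID works`. Otherwise set a non-root `runAsUser` with a matching `fsGroup` for the `wallabag-images` claim. Whether the chart exposes further hardening keys cannot be told from this page.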
|
||||
|
@@ -18,29 +18,44 @@ spec:
|
||||
interval: 5m
|
||||
values:
|
||||
storage: s3
|
||||
|
||||
s3:
|
||||
region: "us-east-1"
|
||||
regionEndpoint: ${SECRET_MINIO_ENDPOINT}
|
||||
bucket: docker-registry
|
||||
encrypt: false
|
||||
secure: true
|
||||
|
||||
secrets:
|
||||
htpasswd: ${SECRET_DOCKER_REGISTRY_HTPASSWD}
|
||||
s3:
|
||||
accessKey: ${SECRET_MINIO_ACCESS_KEY}
|
||||
secretKey: ${SECRET_MINIO_SECRET_KEY}
|
||||
ingress:
|
||||
enabled: true
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
nginx.ingress.kubernetes.io/proxy-body-size: "0"
|
||||
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
|
||||
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-large@kubernetescrd
|
||||
hosts:
|
||||
- registry.${SECRET_CLUSTER_DOMAIN}
|
||||
|
||||
service:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-large@kubernetescrd
|
||||
hosts:
|
||||
- "registry.${SECRET_CLUSTER_DOMAIN}"
|
||||
tls:
|
||||
- hosts:
|
||||
- "registry.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
||||
postRenderers:
|
||||
- kustomize:
|
||||
patchesJson6902:
|
||||
- target:
|
||||
kind: Ingress
|
||||
name: docker-registry
|
||||
patch:
|
||||
- op: add
|
||||
path: /spec/ingressClassName
|
||||
value: traefik
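Review bot: The removed nginx annotations allowed unlimited request bodies (`proxy-body-size: "0"`) and 600-second read/send timeouts, while the new ingress routes registry traffic through `networking-buffering-large@kubernetescrd`, the same middleware the sharry section uses in place of a 2048m limit. If that middleware sets `maxRequestBodyBytes`, pushes of layers above the cap will be rejected, and buffering whole layers on the proxy also costs memory or disk on the Traefik pods. The middleware definition is not on this page, so confirm its limits. A registry-specific middleware, or none at all, may suit this host better than the shared one.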
|
||||
|
@@ -17,13 +17,10 @@ spec:
|
||||
namespace: flux-system
|
||||
interval: 5m
|
||||
values:
|
||||
updateStrategy:
|
||||
type: Recreate
|
||||
image:
|
||||
repository: drone/drone
|
||||
tag: 2.0.4
|
||||
persistentVolume:
|
||||
enabled: false
|
||||
|
||||
env:
|
||||
DRONE_DATABASE_DRIVER: postgres
|
||||
DRONE_DATABASE_DATASOURCE: ${SECRET_DRONE_DATABASE_DATASOURCE}
|
||||
@@ -38,11 +35,31 @@ spec:
|
||||
DRONE_LOGS_COLOR: true
|
||||
DRONE_SERVER_PROTO: https
|
||||
DRONE_SERVER_HOST: drone.${SECRET_CLUSTER_DOMAIN}
|
||||
|
||||
updateStrategy:
|
||||
type: Recreate
|
||||
|
||||
persistentVolume:
|
||||
enabled: false
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: drone.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "drone.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths: ["/"]
|
||||
tls:
|
||||
- hosts:
|
||||
- "wallabag.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
postRenderers:
|
||||
- kustomize:
|
||||
patchesJson6902:
|
||||
- target:
|
||||
kind: Ingress
|
||||
name: drone
|
||||
patch:
|
||||
- op: add
|
||||
path: /spec/ingressClassName
|
||||
value: traefik
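Review bot: The `tls` block added to the drone ingress lists `"wallabag.${SECRET_CLUSTER_DOMAIN}"` as its host, which looks like a copy-paste from the wallabag release; the rule host two lines above is `drone.${SECRET_CLUSTER_DOMAIN}`. With the mismatch, the TLS entry does not cover the host this ingress actually serves, so the certificate selected for drone depends on controller fallback behaviour rather than on this manifest. Change the entry to `- "drone.${SECRET_CLUSTER_DOMAIN}"`.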
|
||||
|
@@ -20,32 +20,7 @@ spec:
|
||||
image:
|
||||
repository: gitea/gitea
|
||||
tag: 1.14.6
|
||||
persistence:
|
||||
enabled: true
|
||||
size: 10Gi
|
||||
existingClaim: "gitea-config"
|
||||
ingress:
|
||||
enabled: true
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: "gitea.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
service:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: "tcp"
|
||||
http:
|
||||
port: 3000
|
||||
ssh:
|
||||
type: LoadBalancer
|
||||
port: 22
|
||||
externalTrafficPolicy: Local
|
||||
externalIPs:
|
||||
- ${CLUSTER_LB_GITEA}
|
||||
|
||||
gitea:
|
||||
admin:
|
||||
email: ${SECRET_GITEA_ADMIN_EMAIL}
|
||||
@@ -86,9 +61,51 @@ spec:
|
||||
cache:
|
||||
builtIn:
|
||||
enabled: true
|
||||
|
||||
memcached:
|
||||
image:
|
||||
repository: bitnami/memcached
|
||||
tag: 1.6.10
|
||||
service:
|
||||
port: 11211
|
||||
|
||||
persistence:
|
||||
enabled: true
|
||||
size: 10Gi
|
||||
existingClaim: "gitea-config"
|
||||
|
||||
service:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: "tcp"
|
||||
ssh:
|
||||
type: LoadBalancer
|
||||
port: 22
|
||||
externalTrafficPolicy: Local
|
||||
externalIPs:
|
||||
- ${CLUSTER_LB_GITEA}
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: "gitea.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "gitea.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
||||
postRenderers:
|
||||
- kustomize:
|
||||
patchesJson6902:
|
||||
- target:
|
||||
kind: Ingress
|
||||
name: gitea
|
||||
patch:
|
||||
- op: add
|
||||
path: /spec/ingressClassName
|
||||
value: traefik
|
||||
|
@@ -19,28 +19,14 @@ spec:
|
||||
values:
|
||||
replicaCount: 3
|
||||
recreatePods: true
|
||||
service:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: tcp
|
||||
type: LoadBalancer
|
||||
loadBalancerIP: ${CLUSTER_LB_EMQX}
|
||||
externalTrafficPolicy: Local
|
||||
ingress:
|
||||
dashboard:
|
||||
enabled: true
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
path: /
|
||||
hosts:
|
||||
- emqx.${SECRET_CLUSTER_DOMAIN}
|
||||
|
||||
emqxConfig:
|
||||
EMQX_ALLOW_ANONYMOUS: "false"
|
||||
EMQX_ADMIN_PASSWORD: "${SECRET_EMQX_ADMIN_PASSWORD}"
|
||||
EMQX_AUTH__MNESIA__PASSWORD_HASH: plain
|
||||
EMQX_AUTH__USER__1__USERNAME: "${SECRET_MQTT_USERNAME}"
|
||||
EMQX_AUTH__USER__1__PASSWORD: "${SECRET_MQTT_PASSWORD}"
|
||||
|
||||
emqxAclConfig: >
|
||||
{allow, {user, "dashboard"}, subscribe, ["$SYS/#"]}.
|
||||
{allow, {ipaddr, "127.0.0.1"}, pubsub, ["$SYS/#", "#"]}.
|
||||
@@ -62,6 +48,28 @@ spec:
|
||||
{emqx_mod_rewrite, false}.
|
||||
{emqx_mod_subscription, false}.
|
||||
{emqx_mod_topic_metrics, true}.
|
||||
|
||||
service:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: tcp
|
||||
type: LoadBalancer
|
||||
loadBalancerIP: ${CLUSTER_LB_EMQX}
|
||||
externalTrafficPolicy: Local
|
||||
|
||||
ingress:
|
||||
dashboard:
|
||||
enabled: true
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
path: /
|
||||
hosts:
|
||||
- emqx.${SECRET_CLUSTER_DOMAIN}
|
||||
tls:
|
||||
- hosts:
|
||||
- "emqx.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
@@ -74,6 +82,7 @@ spec:
|
||||
values:
|
||||
- emqx
|
||||
topologyKey: kubernetes.io/hostname
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 100m
|
||||
@@ -93,3 +102,10 @@ spec:
|
||||
path: /spec/externalIPs
|
||||
value:
|
||||
- "${CLUSTER_LB_EMQX}"
|
||||
- target:
|
||||
kind: Ingress
|
||||
name: emqx-dashboard
|
||||
patch:
|
||||
- op: add
|
||||
path: /spec/ingressClassName
|
||||
value: traefik
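Review bot: `EMQX_AUTH__MNESIA__PASSWORD_HASH: plain` stays in `emqxConfig` in the first hunk, so the MQTT credentials seeded from `SECRET_MQTT_PASSWORD` are kept unhashed in the broker's Mnesia store. The same commit exposes the dashboard through a new Traefik ingress. Prefer `EMQX_AUTH__MNESIA__PASSWORD_HASH: sha256`, and check that the seeded user is recreated after the change so the stored value matches the new scheme. The dashboard ingress in the third hunk also carries no `router.middlewares` annotation, unlike frigate and homer; consider `networking-forward-auth@kubernetescrd` there if it applies.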
|
||||
|
@@ -20,27 +20,10 @@ spec:
|
||||
image:
|
||||
repository: blakeblackshear/frigate
|
||||
tag: 0.8.4-amd64
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd
|
||||
hosts:
|
||||
- host: "frigate.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
securityContext:
|
||||
privileged: true
|
||||
|
||||
persistence:
|
||||
data:
|
||||
enabled: true
|
||||
@@ -56,6 +39,7 @@ spec:
|
||||
medium: Memory
|
||||
sizeLimit: 2Gi
|
||||
mountPath: /dev/shm
|
||||
|
||||
config: |
|
||||
mqtt:
|
||||
host: emqx
|
||||
@@ -101,6 +85,30 @@ spec:
|
||||
|
||||
podAnnotations:
|
||||
configmap.reloader.stakater.com/reload: "frigate-config"
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd
|
||||
hosts:
|
||||
- host: "frigate.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "frigate.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
@@ -114,6 +122,7 @@ spec:
|
||||
operator: In
|
||||
values:
|
||||
- "true"
|
||||
|
||||
resources:
|
||||
requests:
|
||||
gpu.intel.com/i915: 1
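Review bot: `securityContext: privileged: true` is kept in the first hunk without any note on why frigate needs it, while the last hunk already requests the GPU through the `gpu.intel.com/i915` resource. A privileged container has access to every host device, so any compromise of the web UI behind this ingress reaches the node. If privilege is only needed for a specific device, such as a USB accelerator, document that beside the key and plan to replace it with a device-plugin resource or a narrower mount; if it is no longer needed, remove it. The full `values` block is not visible here, so the reason may be recorded outside these hunks.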
|
||||
|
@@ -17,10 +17,10 @@ spec:
|
||||
namespace: flux-system
|
||||
interval: 5m
|
||||
values:
|
||||
controllerType: deployment
|
||||
image:
|
||||
repository: ghcr.io/home-assistant/home-assistant
|
||||
tag: 2021.8.4
|
||||
|
||||
env:
|
||||
TZ: "Europe/Paris"
|
||||
HASS_SECRET_URL: https://home-assistant.${SECRET_CLUSTER_DOMAIN}
|
||||
@@ -30,8 +30,10 @@ spec:
|
||||
HASS_SECRET_MQTT_USERNAME: ${SECRET_MQTT_USERNAME}
|
||||
HASS_SECRET_MQTT_PASSWORD: ${SECRET_MQTT_PASSWORD}
|
||||
HASS_SECRET_DB_URL: ${SECRET_HASS_DB_URL}
|
||||
|
||||
hostNetwork: true
|
||||
dnsPolicy: ClusterFirstWithHostNet
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
@@ -41,24 +43,32 @@ spec:
|
||||
externalIPs:
|
||||
- ${CLUSTER_LB_HASS}
|
||||
externalTrafficPolicy: Local
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: hass.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "hass.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
- host: home-assistant.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "home-assistant.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "hass.${SECRET_CLUSTER_DOMAIN}"
|
||||
- "home-assistant.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
||||
prometheus:
|
||||
serviceMonitor:
|
||||
enabled: false
|
||||
|
||||
probes:
|
||||
liveness:
|
||||
enabled: false
|
||||
@@ -66,10 +76,15 @@ spec:
|
||||
enabled: false
|
||||
startup:
|
||||
enabled: false
|
||||
|
||||
postgresql:
|
||||
enabled: false
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
existingClaim: hass-config
|
||||
|
||||
addons:
|
||||
codeserver:
|
||||
enabled: true
|
||||
@@ -86,20 +101,24 @@ spec:
|
||||
- "/config/.vscode"
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd
|
||||
hosts:
|
||||
- host: hass-config.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "hass-config.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "hass-config.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
volumeMounts:
|
||||
- name: config
|
||||
mountPath: /config
|
||||
|
||||
resources:
|
||||
requests:
|
||||
cpu: 500m
|
||||
memory: 1000Mi
|
||||
postgresql:
|
||||
enabled: false
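Review bot: The `main` ingress for `hass.` and `home-assistant.` carries only `router.entrypoints`, while the `codeserver` ingress further down also sets `router.middlewares: networking-forward-auth@kubernetescrd`, and nothing in the values says the difference is intended. If Home Assistant is meant to rely on its own login (inferred, the hunks do not say), a comment above the annotations such as `# no forward-auth: Home Assistant authenticates clients itself` would stop a later edit from treating it as an oversight. The release also keeps `hostNetwork: true`, so the code-server add-on's port may be reachable on the node address without passing through Traefik and its forward-auth; that is worth confirming, since the add-on's arguments lie outside these hunks.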
|
||||
|
@@ -20,9 +20,11 @@ spec:
|
||||
image:
|
||||
repository: koenkk/zigbee2mqtt
|
||||
tag: 1.21.0
|
||||
|
||||
env:
|
||||
TZ: Europe/Paris
|
||||
ZIGBEE2MQTT_DATA: /data
|
||||
|
||||
config:
|
||||
homeassistant: true
|
||||
device_options:
|
||||
@@ -61,18 +63,18 @@ spec:
|
||||
new_api: true
|
||||
securityContext:
|
||||
privileged: true
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: "http"
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd
|
||||
hosts:
|
||||
@@ -80,6 +82,11 @@ spec:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "zigbee.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
@@ -90,6 +97,7 @@ spec:
|
||||
type: hostPath
|
||||
hostPath: /dev/serial/by-id/usb-1a86_USB_Serial-if00-port0
|
||||
hostPathType: CharDevice
|
||||
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
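Review bot: `securityContext.privileged: true` stays on a workload whose frontend this commit publishes at `zigbee.${SECRET_CLUSTER_DOMAIN}`, yet the only host resource the values show it needing is the serial adapter mounted as a `CharDevice` hostPath. Privileged mode hands the container every host device and capability, so a flaw in the web frontend reaches well beyond that one adapter. If the flag is kept because the device is otherwise blocked, a comment such as `# privileged: needed to open the hostPath serial device` records the reason. Passing the adapter through a device plugin would allow the flag to be dropped. The zwavejs2mqtt section pairs `privileged: true` with a hostPath serial device in the same way.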
|
||||
|
@@ -21,17 +21,24 @@ spec:
|
||||
image:
|
||||
repository: ghcr.io/zwave-js/zwavejs2mqtt
|
||||
tag: 5.4.5
|
||||
|
||||
env:
|
||||
TZ: "Europe/Paris"
|
||||
|
||||
securityContext:
|
||||
privileged: true
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd
|
||||
hosts:
|
||||
@@ -42,11 +49,8 @@ spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- zwave.${SECRET_CLUSTER_DOMAIN}
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
@@ -57,6 +61,7 @@ spec:
|
||||
type: hostPath
|
||||
hostPath: /dev/serial/by-id/usb-0658_0200-if00
|
||||
hostPathType: CharDevice
|
||||
|
||||
affinity:
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
|
@@ -33,18 +33,17 @@ spec:
|
||||
create: true
|
||||
host: "k10.${SECRET_CLUSTER_DOMAIN}"
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
urlPath: k10
|
||||
hosts:
|
||||
- "k10.${SECRET_CLUSTER_DOMAIN}"
|
||||
# postRenderers:
|
||||
# - kustomize:
|
||||
# patchesJson6902:
|
||||
# - target:
|
||||
# kind: Ingress
|
||||
# name: k10-ingress
|
||||
# patch:
|
||||
# - op: add
|
||||
# path: /spec/ingressClassName
|
||||
# value: traefik
|
||||
postRenderers:
|
||||
- kustomize:
|
||||
patchesJson6902:
|
||||
- target:
|
||||
kind: Ingress
|
||||
name: k10-ingress
|
||||
patch:
|
||||
- op: add
|
||||
path: /spec/ingressClassName
|
||||
value: traefik
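Review bot: The k10 ingress values gain `router.entrypoints: "websecure"`, but no TLS setting is visible next to them, and the post-render patch adds only `/spec/ingressClassName`; the other releases in this commit each add a `tls:` block. Unless the `websecure` entrypoint turns TLS on for every router (not visible here), Traefik would build this router without TLS. Adding `traefik.ingress.kubernetes.io/router.tls: "true"` to the annotations makes it explicit. The ingress block starts above the hunk, so a TLS key may already exist there. No forward-auth middleware is attached either, which leaves the dashboard depending on whatever authentication the chart's own auth values configure.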
|
||||
|
@@ -8,3 +8,4 @@ resources:
|
||||
- media
|
||||
- monitoring
|
||||
- networking
|
||||
- secret-reflector
|
||||
|
@@ -17,17 +17,19 @@ spec:
|
||||
namespace: flux-system
|
||||
interval: 5m
|
||||
values:
|
||||
controllerType: deployment
|
||||
image:
|
||||
repository: ghcr.io/k8s-at-home/bazarr
|
||||
tag: v0.9.6
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
env:
|
||||
TZ: "Europe/Paris"
|
||||
|
||||
podSecurityContext:
|
||||
runAsUser: 568
|
||||
runAsGroup: 568
|
||||
fsGroup: 568
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
@@ -36,28 +38,32 @@ spec:
|
||||
enabled: true
|
||||
existingClaim: nfs-video-media
|
||||
mountPath: "/mnt/storage/video"
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd
|
||||
hosts:
|
||||
- host: "bazarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "bazarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: 500Mi
|
||||
cpu: 500m
|
||||
limits:
|
||||
memory: 1500Mi
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd
|
||||
hosts:
|
||||
- host: bazarr.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
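Review bot: The `tls:` entry added for `bazarr.${SECRET_CLUSTER_DOMAIN}` lists the host but no `secretName`, whereas the frigate, home-assistant, zigbee2mqtt and zwavejs2mqtt sections set `secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"`. Without a secret Traefik serves the default certificate of its TLS store, and its generated self-signed certificate if no default is configured. Either add the same `secretName` line or put a comment such as `# certificate comes from Traefik's default TLSStore` above the block so the omission reads as deliberate. The flood, jellyfin, lidarr, lychee, navidrome, prowlarr, pyload, qbittorrent, radarr, sabnzbd and sonarr sections have the same shape.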
|
||||
|
@@ -17,51 +17,53 @@ spec:
|
||||
namespace: flux-system
|
||||
interval: 5m
|
||||
values:
|
||||
controllerType: deployment
|
||||
image:
|
||||
repository: jesec/flood
|
||||
tag: 4.6.1
|
||||
pullPolicy: Always
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
env:
|
||||
FLOOD_OPTION_RUNDIR: /data
|
||||
FLOOD_OPTION_AUTH: "none"
|
||||
FLOOD_OPTION_QBURL: "http://qbittorrent:8080"
|
||||
FLOOD_OPTION_QBUSER: admin
|
||||
FLOOD_OPTION_QBPASS: ${SECRET_QBITTORRENT_PASSWORD}
|
||||
|
||||
podSecurityContext:
|
||||
runAsUser: 1001
|
||||
runAsGroup: 1001
|
||||
fsGroup: 1001
|
||||
|
||||
persistence:
|
||||
data:
|
||||
enabled: true
|
||||
existingClaim: flood-config
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "Flood"
|
||||
forecastle.stakater.com/icon: "https://raw.githubusercontent.com/jesec/flood/master/flood.svg"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: flood.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
persistence:
|
||||
data:
|
||||
enabled: true
|
||||
existingClaim: flood-config
|
||||
tls:
|
||||
- hosts:
|
||||
- "flood.${SECRET_CLUSTER_DOMAIN}"
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: 250Mi
|
||||
cpu: 500m
|
||||
limits:
|
||||
memory: 1500Mi
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
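Review bot: With `FLOOD_OPTION_AUTH: "none"` in `env`, the `networking-forward-auth@kubernetescrd` middleware on the `main` ingress is the only authentication in front of Flood, and Flood in turn holds the qBittorrent admin credentials. That dependency is not stated anywhere in the values. A comment on the env line, for example `# app login disabled: access control is the forward-auth middleware on the ingress`, would make it visible to whoever next edits the annotations. The Service itself stays reachable from inside the cluster without that check, so a NetworkPolicy limiting ingress to the Traefik pods is worth considering.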
|
||||
|
@@ -21,13 +21,7 @@ spec:
|
||||
repository: jellyfin/jellyfin
|
||||
pullPolicy: IfNotPresent
|
||||
tag: 10.7.6
|
||||
strategy:
|
||||
type: Recreate
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
@@ -44,34 +38,41 @@ spec:
|
||||
enabled: true
|
||||
existingClaim: nfs-photo-media
|
||||
mountPath: "/mnt/storage/photo"
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: "jellyfin.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "jellyfin.${SECRET_CLUSTER_DOMAIN}"
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: 4Gi
|
||||
cpu: 1
|
||||
limits:
|
||||
gpu.intel.com/i915: 1
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "Jellyfin"
|
||||
forecastle.stakater.com/icon: "https://features.jellyfin.org/images/logos/a7Lx9nYDzWuDR94Az8Yum7neWMvNMndkm9qr4QVtmjaMrOHDLisS5K7LJctTRzK9-icon-transparent.png?size=200"
|
||||
hosts:
|
||||
- host: jellyfin.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- weight: 100
|
||||
podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: feature.node.kubernetes.io/custom-coral-tpu
|
||||
nodeAffinity:
|
||||
requiredDuringSchedulingIgnoredDuringExecution:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: feature.node.kubernetes.io/custom-intel-gpu
|
||||
operator: In
|
||||
values:
|
||||
- "true"
|
||||
|
@@ -17,45 +17,19 @@ spec:
|
||||
namespace: flux-system
|
||||
interval: 5m
|
||||
values:
|
||||
controllerType: deployment
|
||||
image:
|
||||
repository: ghcr.io/k8s-at-home/lidarr
|
||||
tag: v1.0.0.2248
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
env:
|
||||
TZ: "Europe/Paris"
|
||||
|
||||
podSecurityContext:
|
||||
runAsUser: 568
|
||||
runAsGroup: 568
|
||||
fsGroup: 568
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "Lidarr"
|
||||
forecastle.stakater.com/icon: "https://raw.githubusercontent.com/lidarr/Lidarr/14c3d31c2bf64893e9e7c137a04bfc096e6d36fe/frontend/src/Content/Images/Icons/android-chrome-192x192.png"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: lidarr.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
api:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: "lidarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /api
|
||||
pathType: Prefix
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
@@ -72,22 +46,55 @@ spec:
|
||||
enabled: true
|
||||
existingClaim: qbittorrent-cache
|
||||
mountPath: "/downloads"
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd
|
||||
hosts:
|
||||
- host: "lidarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "lidarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
api:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: "lidarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /api
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "lidarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: 500Mi
|
||||
cpu: 500m
|
||||
limits:
|
||||
memory: 1500Mi
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
prometheus:
|
||||
podMonitor:
|
||||
enabled: true
|
||||
interval: 10m
|
||||
scrapeTimeout: 2m
|
||||
|
||||
additionalContainers:
|
||||
- name: exportarr
|
||||
image: ghcr.io/onedr0p/exportarr:v0.6.1
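Review bot: The `api` ingress for `lidarr.${SECRET_CLUSTER_DOMAIN}` routes `/api` with only `router.entrypoints`, so requests under that prefix skip the `networking-forward-auth` middleware that protects `/` on the `main` ingress. The removed nginx `api` ingress was built the same way, so this looks intentional, but nothing says so. A comment above `api:` such as `# /api bypasses forward-auth on purpose; callers must present the application's API key` would document it. If the API is only called from inside the network, an IP allow-list middleware on this router would narrow the exposure. The radarr, sabnzbd and sonarr sections carry the same `api` ingress.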
|
||||
|
@@ -22,30 +22,6 @@ spec:
|
||||
pullPolicy: IfNotPresent
|
||||
tag: v4.3.4
|
||||
|
||||
strategy:
|
||||
type: Recreate
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "Lychee"
|
||||
forecastle.stakater.com/icon: "https://lycheeorg.github.io/docs/img/logo.png"
|
||||
hosts:
|
||||
- host: lychee.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
env:
|
||||
PHP_TZ: Europe/Paris
|
||||
DB_CONNECTION: pgsql
|
||||
@@ -65,3 +41,24 @@ spec:
|
||||
enabled: true
|
||||
mountPath: /uploads
|
||||
existingClaim: lychee-files
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
# annotations:
|
||||
# traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: "lychee.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "lychee.${SECRET_CLUSTER_DOMAIN}"
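Review bot: The ingress re-added at the end of the lychee values keeps `ingressClassName: "nginx"` and leaves the Traefik entrypoint annotation commented out, while the other releases in this commit move to `"traefik"`. The hunk header (3 old lines, 24 new) shows this block is all on the new side, so it is not a leftover from the old file. If lychee is held back deliberately, replace the commented-out annotation with a comment giving the reason, for example `# stays on nginx until <reason>`. Otherwise switch the class and restore the annotation, so the host does not end up served by a controller that is being retired.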
|
||||
|
@@ -21,34 +21,14 @@ spec:
|
||||
repository: deluan/navidrome
|
||||
pullPolicy: IfNotPresent
|
||||
tag: 0.44.1
|
||||
strategy:
|
||||
type: Recreate
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "Navidrome"
|
||||
forecastle.stakater.com/icon: "https://raw.githubusercontent.com/navidrome/navidrome/master/resources/logo-192x192.png"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: navidrome.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
||||
env:
|
||||
ND_SCANINTERVAL: 15m
|
||||
ND_LOGLEVEL: info
|
||||
ND_SESSIONTIMEOUT: 24h
|
||||
ND_ENABLETRANSCODINGCONFIG: "true"
|
||||
ND_MUSICFOLDER: /mnt/storage/music/Artistes
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
@@ -58,3 +38,24 @@ spec:
|
||||
enabled: true
|
||||
mountPath: /mnt/storage/music/
|
||||
existingClaim: nfs-music-media
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: "navidrome.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "navidrome.${SECRET_CLUSTER_DOMAIN}"
|
||||
|
@@ -17,47 +17,44 @@ spec:
|
||||
namespace: flux-system
|
||||
interval: 5m
|
||||
values:
|
||||
controllerType: deployment
|
||||
image:
|
||||
repository: ghcr.io/k8s-at-home/prowlarr
|
||||
tag: v0.1.0.768
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
env:
|
||||
TZ: "Europe/Paris"
|
||||
podSecurityContext:
|
||||
runAsUser: 568
|
||||
runAsGroup: 568
|
||||
fsGroup: 568
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
existingClaim: prowlarr-config
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "Prowlarr"
|
||||
forecastle.stakater.com/icon: "https://raw.githubusercontent.com/Prowlarr/Prowlarr/develop/Logo/256.png"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: prowlarr.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "prowlarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "prowlarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: 100Mi
|
||||
cpu: 100m
|
||||
limits:
|
||||
memory: 1000Mi
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
@@ -17,13 +17,14 @@ spec:
|
||||
namespace: flux-system
|
||||
interval: 5m
|
||||
values:
|
||||
controllerType: deployment
|
||||
image:
|
||||
repository: linuxserver/pyload
|
||||
tag: version-5f5aaf56
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
env:
|
||||
TZ: "Europe/Paris"
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
@@ -32,29 +33,31 @@ spec:
|
||||
enabled: true
|
||||
existingClaim: nfs-downloads-media
|
||||
mountPath: "/mnt/storage/downloads"
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: "pyload.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "pyload.${SECRET_CLUSTER_DOMAIN}"
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: 1Gi
|
||||
cpu: 100m
|
||||
limits:
|
||||
memory: 5Gi
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "pyLoad"
|
||||
forecastle.stakater.com/icon: "https://raw.githubusercontent.com/pyload/pyload/main/media/logo.png"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: pyload.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
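Review bot: The new `main` ingress for `pyload.${SECRET_CLUSTER_DOMAIN}` sets only `router.entrypoints`, whereas bazarr, flood and prowlarr in this commit also attach `networking-forward-auth@kubernetescrd`. The `forecastle.stakater.com/network-restricted` annotation that previously marked the app as restricted is also gone from the block. If the application's own login is meant to be the only gate, a comment such as `# no forward-auth: relies on the application's login` above the annotations would state that. Otherwise add the same `router.middlewares` line as the other download tools. The qbittorrent section is in the same position.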
|
||||
|
@@ -17,13 +17,32 @@ spec:
|
||||
namespace: flux-system
|
||||
interval: 5m
|
||||
values:
|
||||
controllerType: deployment
|
||||
image:
|
||||
repository: ghcr.io/k8s-at-home/qbittorrent
|
||||
tag: v4.3.7
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
env:
|
||||
TZ: "Europe/Paris"
|
||||
|
||||
podSecurityContext:
|
||||
runAsUser: 568
|
||||
runAsGroup: 568
|
||||
fsGroup: 568
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
existingClaim: qbittorrent-config
|
||||
qbittorrent-cache:
|
||||
enabled: true
|
||||
existingClaim: qbittorrent-cache
|
||||
mountPath: "/downloads"
|
||||
nfs-downloads-media:
|
||||
enabled: true
|
||||
existingClaim: nfs-downloads-media
|
||||
mountPath: "/mnt/storage/downloads"
|
||||
|
||||
service:
|
||||
bittorrent:
|
||||
enabled: true
|
||||
@@ -40,38 +59,23 @@ spec:
|
||||
protocol: TCP
|
||||
targetPort: 6881
|
||||
externalTrafficPolicy: Local
|
||||
podSecurityContext:
|
||||
runAsUser: 568
|
||||
runAsGroup: 568
|
||||
fsGroup: 568
|
||||
persistence:
|
||||
config:
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
existingClaim: qbittorrent-config
|
||||
qbittorrent-cache:
|
||||
enabled: true
|
||||
existingClaim: qbittorrent-cache
|
||||
mountPath: "/downloads"
|
||||
nfs-downloads-media:
|
||||
enabled: true
|
||||
existingClaim: nfs-downloads-media
|
||||
mountPath: "/mnt/storage/downloads"
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: "qbittorrent.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "qbittorrent.${SECRET_CLUSTER_DOMAIN}"
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: 4Gi
|
||||
cpu: 500m
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "qBittorrent"
|
||||
forecastle.stakater.com/icon: "https://upload.wikimedia.org/wikipedia/commons/thumb/6/66/New_qBittorrent_Logo.svg/600px-New_qBittorrent_Logo.svg.png"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: qbittorrent.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
|
@@ -22,40 +22,15 @@ spec:
|
||||
repository: ghcr.io/k8s-at-home/radarr
|
||||
tag: v3.2.2.5080
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
env:
|
||||
TZ: "Europe/Paris"
|
||||
|
||||
podSecurityContext:
|
||||
runAsUser: 568
|
||||
runAsGroup: 568
|
||||
fsGroup: 568
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "Radarr"
|
||||
forecastle.stakater.com/icon: "https://raw.githubusercontent.com/Radarr/Radarr/develop/Logo/256.png"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: radarr.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
api:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: "radarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /api
|
||||
pathType: Prefix
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
@@ -68,22 +43,55 @@ spec:
|
||||
enabled: true
|
||||
existingClaim: qbittorrent-cache
|
||||
mountPath: "/downloads"
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd
|
||||
hosts:
|
||||
- host: "radarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "radarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
api:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: "radarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /api
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "radarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: 500Mi
|
||||
cpu: 500m
|
||||
limits:
|
||||
memory: 1500Mi
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
prometheus:
|
||||
podMonitor:
|
||||
enabled: true
|
||||
interval: 10m
|
||||
scrapeTimeout: 2m
|
||||
|
||||
additionalContainers:
|
||||
- name: exportarr
|
||||
image: ghcr.io/onedr0p/exportarr:v0.6.1
|
||||
|
@@ -20,41 +20,10 @@ spec:
|
||||
image:
|
||||
repository: ghcr.io/k8s-at-home/sabnzbd
|
||||
tag: v3.3.1
|
||||
|
||||
env:
|
||||
TZ: "Europe/Paris"
|
||||
# disable service monitoring because of ip blacklist
|
||||
# service:
|
||||
# main:
|
||||
# annotations:
|
||||
# prometheus.io/probe: "true"
|
||||
# prometheus.io/protocol: http
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "SABnzbd"
|
||||
forecastle.stakater.com/icon: "https://avatars.githubusercontent.com/u/16778130?v=4"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: "sabnzbd.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
api:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
nameSuffix: "api"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: "sabnzbd.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /api
|
||||
pathType: Prefix
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
@@ -66,6 +35,44 @@ spec:
|
||||
podSecurityContext:
|
||||
supplementalGroups:
|
||||
- 100
|
||||
|
||||
# disable service monitoring because of ip blacklist
|
||||
# service:
|
||||
# main:
|
||||
# annotations:
|
||||
# prometheus.io/probe: "true"
|
||||
# prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd
|
||||
hosts:
|
||||
- host: "sabnzbd.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "sabnzbd.${SECRET_CLUSTER_DOMAIN}"
|
||||
api:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
nameSuffix: "api"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: "sabnzbd.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /api
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "sabnzbd.${SECRET_CLUSTER_DOMAIN}"
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: 250Mi
|
||||
|
@@ -28,34 +28,7 @@ spec:
|
||||
runAsUser: 568
|
||||
runAsGroup: 568
|
||||
fsGroup: 568
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "Sonarr"
|
||||
forecastle.stakater.com/icon: "https://raw.githubusercontent.com/Sonarr/Sonarr/develop/Logo/256.png"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: sonarr.${SECRET_CLUSTER_DOMAIN}
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
api:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: "sonarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /api
|
||||
pathType: Prefix
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
@@ -68,22 +41,55 @@ spec:
|
||||
enabled: true
|
||||
existingClaim: qbittorrent-cache
|
||||
mountPath: "/downloads"
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd
|
||||
hosts:
|
||||
- host: "sonarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "sonarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
api:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: "sonarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /api
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "sonarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: 500Mi
|
||||
cpu: 500m
|
||||
limits:
|
||||
memory: 1500Mi
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
prometheus:
|
||||
podMonitor:
|
||||
enabled: true
|
||||
interval: 10m
|
||||
scrapeTimeout: 2m
|
||||
|
||||
additionalContainers:
|
||||
- name: exportarr
|
||||
image: ghcr.io/onedr0p/exportarr:v0.6.1
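Review bot: The `api` ingress for path `/api` carries only `traefik.ingress.kubernetes.io/router.entrypoints`, so unlike `main` it does not pass through `networking-forward-auth@kubernetescrd`, and requests under `/api` are protected only by the application's own API key. If API clients all sit on the LAN or in-cluster, adding `traefik.ingress.kubernetes.io/router.middlewares: networking-rfc1918@kubernetescrd` to that ingress would keep the unauthenticated prefix from being reachable from outside; `networking-rfc1918` is the middleware the dashboard Ingress further down the page uses. The sabnzbd release earlier on the page has the same `api` ingress shape. The `+`/`-` markers are lost in this rendering, so which `ingress:` block is the new one is inferred from `ingressClassName: "traefik"`.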
|
||||
|
@@ -22,19 +22,6 @@ spec:
|
||||
tag: 2.00.10
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
service:
|
||||
main:
|
||||
ports:
|
||||
http:
|
||||
port: 8265
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
server:
|
||||
enabled: true
|
||||
protocol: TCP
|
||||
port: 8266
|
||||
|
||||
env:
|
||||
TZ: Europe/Paris
|
||||
webUIPort: 8265
|
||||
@@ -59,21 +46,31 @@ spec:
|
||||
mountPath: /media
|
||||
existingClaim: nfs-video-media
|
||||
|
||||
service:
|
||||
main:
|
||||
ports:
|
||||
http:
|
||||
port: 8265
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
server:
|
||||
enabled: true
|
||||
protocol: TCP
|
||||
port: 8266
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "Tdarr"
|
||||
forecastle.stakater.com/icon: "https://raw.githubusercontent.com/HaveAGitGat/Tdarr/master/public/images/icon_dark.png"
|
||||
forecastle.stakater.com/network-restricted: "true"
|
||||
hosts:
|
||||
- host: tdarr.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "tdarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "tdarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
|
@@ -36,10 +36,6 @@ spec:
|
||||
- name: caddyfile
|
||||
configMap:
|
||||
name: travelstories-caddyfile
|
||||
dnsConfig:
|
||||
options:
|
||||
- name: ndots
|
||||
value: "1"
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
@@ -79,22 +75,17 @@ apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd, networking-buffering-small@kubernetescrd
|
||||
forecastle.stakater.com/expose: "true"
|
||||
forecastle.stakater.com/appName: "Travelstories"
|
||||
forecastle.stakater.com/icon: "https://image.flaticon.com/icons/png/512/120/120653.png"
|
||||
labels:
|
||||
app.kubernetes.io/instance: travelstories
|
||||
app.kubernetes.io/name: travelstories
|
||||
name: travelstories
|
||||
namespace: media
|
||||
spec:
|
||||
ingressClassName: "traefik"
|
||||
rules:
|
||||
- host: travelstories.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "travelstories.${SECRET_CLUSTER_DOMAIN}"
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
@@ -104,3 +95,7 @@ spec:
|
||||
name: travelstories
|
||||
port:
|
||||
number: 80
|
||||
tls:
|
||||
- hosts:
|
||||
- "tdarr.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
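Review bot: The `tls.hosts` entry added in the last hunk names `tdarr.${SECRET_CLUSTER_DOMAIN}`, while this Ingress routes `travelstories.${SECRET_CLUSTER_DOMAIN}`; it looks like a copy-paste from the tdarr release. It should read `- "travelstories.${SECRET_CLUSTER_DOMAIN}"`. As written, the Ingress declares TLS for a host it does not serve, which makes it harder to audit which certificate covers which route.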
|
||||
|
@@ -18,6 +18,7 @@ spec:
|
||||
interval: 5m
|
||||
values:
|
||||
allowIcmp: true
|
||||
|
||||
config:
|
||||
modules:
|
||||
icmp:
|
||||
@@ -35,6 +36,7 @@ spec:
|
||||
tcp_connect:
|
||||
prober: tcp
|
||||
timeout: 30s
|
||||
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
defaults:
|
||||
@@ -64,6 +66,7 @@ spec:
|
||||
- name: k3s-worker3
|
||||
url: "${LOCAL_LAN_K3SWORKER3}"
|
||||
module: icmp
|
||||
|
||||
prometheusRule:
|
||||
enabled: true
|
||||
additionalLabels:
|
||||
@@ -84,12 +87,10 @@ spec:
|
||||
for: 15m
|
||||
labels:
|
||||
severity: warning
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd
|
||||
hosts:
|
||||
@@ -97,3 +98,18 @@ spec:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "blackbox.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
||||
postRenderers:
|
||||
- kustomize:
|
||||
patchesJson6902:
|
||||
- target:
|
||||
kind: Ingress
|
||||
name: blackbox-exporter-prometheus-blackbox-exporter
|
||||
patch:
|
||||
- op: add
|
||||
path: /spec/ingressClassName
|
||||
value: traefik
|
||||
|
@@ -22,13 +22,6 @@ spec:
|
||||
tag: v1.22.0-ls95
|
||||
pullPolicy: IfNotPresent
|
||||
|
||||
controllerType: deployment
|
||||
|
||||
strategy:
|
||||
type: Recreate
|
||||
|
||||
resources: {}
|
||||
|
||||
env:
|
||||
SECRET_KEY: ${SECRET_HEALTHECKS_SECRET_KEY}
|
||||
REGENERATE_SETTINGS: "True"
|
||||
@@ -48,24 +41,28 @@ spec:
|
||||
SITE_NAME: "Homelab HealthChecks"
|
||||
SITE_LOGO_URL: "https://image.flaticon.com/icons/svg/1219/1219758.svg"
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: false
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: http
|
||||
|
||||
persistence:
|
||||
config:
|
||||
enabled: false
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: healthchecks.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "healthchecks.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
tls:
|
||||
- hosts:
|
||||
- "healthchecks.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
@@ -32,10 +32,8 @@ spec:
|
||||
ingress:
|
||||
enabled: true
|
||||
pathType: Prefix
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd
|
||||
hosts: ["alert-manager.${SECRET_CLUSTER_DOMAIN}"]
|
||||
@@ -196,8 +194,8 @@ spec:
|
||||
ingress:
|
||||
enabled: true
|
||||
pathType: Prefix
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts: ["grafana.${SECRET_CLUSTER_DOMAIN}"]
|
||||
kubeEtcd:
|
||||
@@ -212,10 +210,8 @@ spec:
|
||||
ingress:
|
||||
enabled: true
|
||||
pathType: Prefix
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd
|
||||
hosts: ["prometheus.${SECRET_CLUSTER_DOMAIN}"]
|
||||
|
@@ -29,9 +29,6 @@ spec:
|
||||
enabled: true
|
||||
hostname: "thanos.${SECRET_CLUSTER_DOMAIN}"
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local./api/verify"
|
||||
nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}/"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd
|
||||
tls: false
|
||||
@@ -60,3 +57,14 @@ spec:
|
||||
access_key: "${SECRET_MINIO_ACCESS_KEY}"
|
||||
secret_key: "${SECRET_MINIO_SECRET_KEY}"
|
||||
insecure: false
|
||||
|
||||
postRenderers:
|
||||
- kustomize:
|
||||
patchesJson6902:
|
||||
- target:
|
||||
kind: Ingress
|
||||
name: thanos-query
|
||||
patch:
|
||||
- op: add
|
||||
path: /spec/ingressClassName
|
||||
value: traefik
|
||||
|
@@ -68,7 +68,6 @@ apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
labels:
|
||||
app.kubernetes.io/instance: uptime-kuma
|
||||
@@ -76,8 +75,9 @@ metadata:
|
||||
name: uptime-kuma
|
||||
namespace: monitoring
|
||||
spec:
|
||||
ingressClassName: "traefik"
|
||||
rules:
|
||||
- host: uptime-kuma.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "uptime-kuma.${SECRET_CLUSTER_DOMAIN}"
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
@@ -87,3 +87,7 @@ spec:
|
||||
name: uptime-kuma
|
||||
port:
|
||||
number: 3001
|
||||
tls:
|
||||
- hosts:
|
||||
- "healthchecks.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
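Review bot: The `tls.hosts` entry added in the last hunk is `healthchecks.${SECRET_CLUSTER_DOMAIN}`, but the rule host of this Ingress is `uptime-kuma.${SECRET_CLUSTER_DOMAIN}`. It should read `- "uptime-kuma.${SECRET_CLUSTER_DOMAIN}"`. The same slip appears in the travelstories Ingress earlier on the page, where the TLS host is `tdarr`.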
|
||||
|
@@ -91,7 +91,6 @@ apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
labels:
|
||||
app.kubernetes.io/instance: authelia
|
||||
@@ -99,6 +98,7 @@ metadata:
|
||||
name: authelia
|
||||
namespace: networking
|
||||
spec:
|
||||
ingressClassName: "traefik"
|
||||
rules:
|
||||
- host: login.${SECRET_CLUSTER_DOMAIN}
|
||||
http:
|
||||
@@ -110,6 +110,10 @@ spec:
|
||||
name: authelia
|
||||
port:
|
||||
number: 80
|
||||
tls:
|
||||
- hosts:
|
||||
- "login.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
---
|
||||
kind: ConfigMap
|
||||
apiVersion: v1
|
||||
|
@@ -23,14 +23,17 @@ spec:
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
hosts:
|
||||
- host: id.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "id.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
|
||||
tls:
|
||||
- hosts:
|
||||
- "id.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
geoip:
|
||||
enabled: false
|
||||
authentik:
|
||||
|
@@ -5,7 +5,7 @@ metadata:
|
||||
name: "${SECRET_CLUSTER_DOMAIN/./-}"
|
||||
namespace: networking
|
||||
spec:
|
||||
secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
issuerRef:
|
||||
name: letsencrypt-production
|
||||
kind: ClusterIssuer
|
||||
|
@@ -1,3 +1,4 @@
|
||||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
|
@@ -39,7 +39,7 @@ spec:
|
||||
namespaceSelector:
|
||||
any: true
|
||||
extraArgs:
|
||||
default-ssl-certificate: "networking/${SECRET_CLUSTER_DOMAIN/./-}-tls"
|
||||
default-ssl-certificate: "networking/${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
resources:
|
||||
requests:
|
||||
memory: 250Mi
|
||||
|
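--- a/cluster/apps/networking/ingress-nginx/ingressclass.yaml
+++ b/cluster/apps/networking/ingress-nginx/ingressclass.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+annotations:
+ingressclass.kubernetes.io/is-default-class: "false"
+name: nginx
+spec:
+controller: k8s.io/ingress-nginx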
|
@@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- helm-release.yaml
|
||||
- ingressclass.yaml
|
||||
|
@@ -5,13 +5,15 @@ metadata:
|
||||
name: traefik-dashboard
|
||||
namespace: networking
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "traefik"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.tls: "true"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: "networking-rfc1918@kubernetescrd"
|
||||
spec:
|
||||
ingressClassName: "traefik"
|
||||
tls:
|
||||
- secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls"
|
||||
- secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
rules:
|
||||
- host: traefik.${SECRET_CLUSTER_DOMAIN}
|
||||
- host: "traefik.${SECRET_CLUSTER_DOMAIN}"
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
|
@@ -17,9 +17,13 @@ spec:
|
||||
namespace: flux-system
|
||||
interval: 5m
|
||||
values:
|
||||
image:
|
||||
tag: 2.5.0-rc3
|
||||
|
||||
deployment:
|
||||
enabled: true
|
||||
kind: DaemonSet
|
||||
kind: Deployment
|
||||
replicas: 3
|
||||
|
||||
service:
|
||||
enabled: true
|
||||
type: LoadBalancer
|
||||
@@ -27,6 +31,7 @@ spec:
|
||||
externalIPs:
|
||||
- "${CLUSTER_LB_TRAEFIK}"
|
||||
externalTrafficPolicy: Local
|
||||
|
||||
logs:
|
||||
general:
|
||||
format: json
|
||||
@@ -34,22 +39,23 @@ spec:
|
||||
access:
|
||||
enabled: true
|
||||
format: json
|
||||
|
||||
ingressClass:
|
||||
enabled: true
|
||||
isDefaultClass: true
|
||||
fallbackApiVersion: v1
|
||||
enabled: false
|
||||
|
||||
ingressRoute:
|
||||
dashboard:
|
||||
enabled: false
|
||||
|
||||
globalArguments:
|
||||
- "--api.insecure=true"
|
||||
- "--serverstransport.insecureskipverify=true"
|
||||
- "--providers.kubernetesingress.ingressclass=traefik"
|
||||
- "--metrics.prometheus=true"
|
||||
- "--metrics.prometheus.entryPoint=metrics"
|
||||
- "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8,192.168.0.0/16,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32"
|
||||
|
||||
additionalArguments:
|
||||
- "--providers.kubernetesingress.ingressendpoint.ip=${CLUSTER_LB_TRAEFIK}"
|
||||
|
||||
ports:
|
||||
traefik:
|
||||
expose: true
|
||||
@@ -63,17 +69,34 @@ spec:
|
||||
port: 8082
|
||||
expose: true
|
||||
exposedPort: 8082
|
||||
|
||||
tlsOptions:
|
||||
default:
|
||||
minVersion: VersionTLS12
|
||||
maxVersion: VersionTLS13
|
||||
sniStrict: true
|
||||
|
||||
pilot:
|
||||
enabled: true
|
||||
token: "${SECRET_TRAEFIK_PILOT_TOKEN}"
|
||||
|
||||
experimental:
|
||||
plugins:
|
||||
enabled: true
|
||||
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- weight: 100
|
||||
podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/name
|
||||
operator: In
|
||||
values:
|
||||
- traefik
|
||||
topologyKey: kubernetes.io/hostname
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: 100Mi
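Review bot: `--api.insecure=true` in `globalArguments` together with `expose: true` on the `traefik` port publishes Traefik's API and dashboard without authentication on the `LoadBalancer` service, bypassing the `networking-rfc1918` middleware that the `traefik-dashboard` Ingress applies. Consider `expose: false` for that port and serving the dashboard only through the Ingress, provided its backend does not depend on the exposed service port. `--serverstransport.insecureskipverify=true` also disables backend certificate verification for every service; if only a few backends present self-signed certificates, a per-service `ServersTransport` referenced through the `traefik.ingress.kubernetes.io/service.serverstransport` annotation keeps verification on for the rest. The markers are lost in this rendering, so some of these lines may be unchanged context rather than additions.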
|
||||
|
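--- a/cluster/apps/networking/traefik/ingressclass.yaml
+++ b/cluster/apps/networking/traefik/ingressclass.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: IngressClass
+metadata:
+annotations:
+ingressclass.kubernetes.io/is-default-class: "true"
+name: traefik
+spec:
+controller: traefik.io/ingress-controller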
|
@@ -3,7 +3,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- helm-release.yaml
|
||||
- ingressclass.yaml
|
||||
- service-monitor.yaml
|
||||
- tls-store
|
||||
- dashboard
|
||||
- middlewares
|
||||
- prometheus-rules.yaml
|
||||
|
@@ -6,6 +6,7 @@ resources:
|
||||
- buffering-large.yaml
|
||||
- buffering-medium.yaml
|
||||
- buffering-small.yaml
|
||||
- ratelimit.yaml
|
||||
- rfc1918.yaml
|
||||
- redirect-path.yaml
|
||||
- forward-auth.yaml
|
||||
|
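--- a/cluster/apps/networking/traefik/middlewares/ratelimit.yaml
+++ b/cluster/apps/networking/traefik/middlewares/ratelimit.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+name: ratelimit
+namespace: networking
+spec:
+rateLimit:
+average: 10
+period: "10s"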
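Review bot: The `rateLimit` spec sets no `sourceCriterion`, so requests are grouped by the connection's remote address by default; for traffic arriving through the proxy ranges listed in `forwardedHeaders.trustedIPs`, every client behind one proxy address would share a single bucket. Adding `sourceCriterion: {ipStrategy: {depth: 1}}`, with the depth matched to the number of trusted proxies in front of Traefik, would limit per client instead. `average: 10` over `period: "10s"` is one request per second with the default burst of 1, which a single page load can exceed, so an explicit `burst` is worth setting. No Ingress on this page references `networking-ratelimit@kubernetescrd` yet.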
|
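--- a/cluster/apps/networking/traefik/prometheus-rules.yaml
+++ b/cluster/apps/networking/traefik/prometheus-rules.yaml
@@ -0,0 +1,72 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+labels:
+app: traefik
+name: traefik.rules
+namespace: networking
+spec:
+groups:
+- name: traefik.rules
+rules:
+- alert: TraefikAbsent
+annotations:
+summary: "Traefik has disappeared from Prometheus service discovery."
+description: "Ingresses will be down until the Traefik reverse proxy is back up."
+expr: |
+absent(up{job="traefik"})
+for: 5m
+labels:
+severity: critical
+- alert: TraefikConfigError
+annotations:
+summary: "Traefik config error."
+description:
+"Traefik has failed to load the config file. Check Traefik
+logs for exact parsing error."
+expr: |
+traefik_config_last_reload_failure{job="traefik"} == 1
+for: 5m
+labels:
+severity: critical
+- alert: TraefikHighHttp4xxErrorRateService
+annotations:
+summary: "Traefik has a high HTTP 4xx error rate."
+description:
+"Traefik is reporting {{ $value | humanizePercentage }} of 4xx
+errors on {{ $labels.exported_service }}"
+expr: |
+sum(rate(traefik_service_requests_total{code=~"4.*"}[1m])) by (exported_service)
+/
+sum(rate(traefik_service_requests_total[1m])) by (exported_service)
+> .10
+for: 5m
+labels:
+severity: critical
+- alert: TraefikHighHttp5xxErrorRateService
+annotations:
+summary: "Traefik has a high HTTP 5xx error rate."
+description:
+"Traefik is reporting {{ $value | humanizePercentage }} of 5xx
+errors on {{ $labels.exported_service }}"
+expr: |
+sum(rate(traefik_service_requests_total{code=~"5.*"}[1m])) by (exported_service)
+/
+sum(rate(traefik_service_requests_total[1m])) by (exported_service)
+> .10
+for: 5m
+labels:
+severity: critical
+- alert: TraefikTooManyRequest
+annotations:
+summary: "Traefik has too many open connections"
+description:
+"Traefik is reporting {{ $value }} of open connections on entrypoint
+{{ $labels.entrypoint }}"
+expr: |
+avg(traefik_entrypoint_open_connections{job="traefik"})
+> 5
+for: 5m
+labels:
+severity: critical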
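Review bot: `TraefikTooManyRequest` aggregates with `avg(traefik_entrypoint_open_connections{job="traefik"})`, which drops every label, so `{{ $labels.entrypoint }}` in its description renders empty and one saturated entrypoint is averaged away by idle ones. Use `avg by (entrypoint) (traefik_entrypoint_open_connections{job="traefik"}) > 5` so the alert fires per entrypoint and the description is populated. In the two error-rate rules, `code=~"4.."` and `code=~"5.."` would state the intended status classes more exactly than `"4.*"` and `"5.*"`.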
|
@@ -6,4 +6,4 @@ metadata:
|
||||
namespace: networking
|
||||
spec:
|
||||
defaultCertificate:
|
||||
secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
@@ -10,59 +10,51 @@ spec:
|
||||
spec:
|
||||
# renovate: registryUrl=https://k8s-at-home.com/charts/
|
||||
chart: unifi
|
||||
version: 2.0.4
|
||||
version: 3.1.0
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: k8s-at-home-charts
|
||||
namespace: flux-system
|
||||
interval: 5m
|
||||
values:
|
||||
controllerType: deployment
|
||||
strategy:
|
||||
type: Recreate
|
||||
image:
|
||||
repository: jacobalberty/unifi
|
||||
tag: v6.2.26
|
||||
pullPolicy: IfNotPresent
|
||||
persistence:
|
||||
enabled: true
|
||||
existingClaim: unifi-config
|
||||
timezone: "Europe/Paris"
|
||||
runAsRoot: false
|
||||
ingress:
|
||||
enabled: true
|
||||
|
||||
env:
|
||||
TZ: "Europe/Paris"
|
||||
|
||||
service:
|
||||
main:
|
||||
annotations:
|
||||
coredns.io/hostname: unifi
|
||||
traefik.ingress.kubernetes.io/service.serversscheme: https
|
||||
type: LoadBalancer
|
||||
externalIPs:
|
||||
- ${CLUSTER_LB_UNIFI}
|
||||
externalTrafficPolicy: Local
|
||||
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "traefik"
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
traefik.ingress.kubernetes.io/router.middlewares: networking-buffering-medium@kubernetescrd
|
||||
hosts:
|
||||
- unifi.${SECRET_CLUSTER_DOMAIN}
|
||||
guiService:
|
||||
type: LoadBalancer
|
||||
externalIPs:
|
||||
- ${CLUSTER_LB_UNIFI}
|
||||
externalTrafficPolicy: Local
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: tcp
|
||||
controllerService:
|
||||
type: LoadBalancer
|
||||
externalIPs:
|
||||
- ${CLUSTER_LB_UNIFI}
|
||||
externalTrafficPolicy: Local
|
||||
annotations:
|
||||
prometheus.io/probe: "true"
|
||||
prometheus.io/protocol: tcp
|
||||
stunService:
|
||||
type: LoadBalancer
|
||||
externalIPs:
|
||||
- ${CLUSTER_LB_UNIFI}
|
||||
externalTrafficPolicy: Local
|
||||
discoveryService:
|
||||
type: LoadBalancer
|
||||
externalIPs:
|
||||
- ${CLUSTER_LB_UNIFI}
|
||||
externalTrafficPolicy: Local
|
||||
- host: "unifi.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
tls:
|
||||
- hosts:
|
||||
- "unifi.${SECRET_CLUSTER_DOMAIN}"
|
||||
|
||||
persistence:
|
||||
data:
|
||||
enabled: true
|
||||
existingClaim: unifi-config
|
||||
|
||||
resources:
|
||||
requests:
|
||||
memory: 2Gi
|
||||
|
@@ -1,4 +1,6 @@
|
||||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- helm-release.yaml
|
||||
- rbac.yaml
|
||||
- secret-reflector.yaml
|
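--- a/cluster/apps/secret-reflector/rbac.yaml
+++ b/cluster/apps/secret-reflector/rbac.yaml
@@ -0,0 +1,40 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+name: secret-reflector
+rules:
+- apiGroups: [""]
+resources: ["configmaps", "secrets"]
+verbs: ["*"]
+- apiGroups: [""]
+resources: ["namespaces"]
+verbs: ["watch", "list"]
+- apiGroups: ["apiextensions.k8s.io"]
+resources: ["customresourcedefinitions"]
+verbs: ["watch", "list"]
+- apiGroups: ["certmanager.k8s.io"]
+resources: ["certificates", "certificates/finalizers"]
+verbs: ["watch", "list"]
+- apiGroups: ["cert-manager.io"]
+resources: ["certificates", "certificates/finalizers"]
+verbs: ["watch", "list"]
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: secret-reflector
+namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+name: secret-reflector
+roleRef:
+kind: ClusterRole
+name: secret-reflector
+apiGroup: rbac.authorization.k8s.io
+subjects:
+- kind: ServiceAccount
+name: secret-reflector
+namespace: kube-system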
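Review bot: The first rule grants `verbs: ["*"]` on both `configmaps` and `secrets`, and the `ClusterRoleBinding` makes that cluster-wide, so the CronJob's token can read, modify and delete every Secret in every namespace. The script in secret-reflector.yaml only runs `kubectl get`, `apply` and `replace` on Secrets, so `resources: ["secrets"]` with `verbs: ["get", "create", "update", "patch"]` should be enough; confirm with a dry run. The `namespaces`, `customresourcedefinitions` and both cert-manager rules look unused by that script and could be dropped. Binding the role with a `RoleBinding` in `networking` and in each destination namespace, instead of a `ClusterRoleBinding`, would narrow the token further.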
|
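--- a/cluster/apps/secret-reflector/secret-reflector.yaml
+++ b/cluster/apps/secret-reflector/secret-reflector.yaml
@@ -0,0 +1,49 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+name: secret-reflector
+namespace: kube-system
+spec:
+schedule: "0 */12 * * *"
+jobTemplate:
+spec:
+template:
+spec:
+serviceAccountName: secret-reflector
+containers:
+- name: secret-reflector
+image: ghcr.io/k8s-at-home/kubectl:v1.22.0
+command:
+- "/bin/sh"
+- "-ec"
+- |
+set -o nounset
+set -o errexit
+
+# space delimited secrets to copy
+secrets="${SECRET_CLUSTER_CERTIFICATE_DEFAULT} regcred"
+# source namespace to reflect secret from
+namespace_source="networking"
+# space delimited namespace where to reflect the secrets to
+namespace_destination="data development home-automation kasten-io media monitoring rook-ceph"
+for secret in $secrets; do
+secret_source_content=$(/app/kubectl get secret $secret -n $namespace_source -o json | jq 'del(.metadata.managedFields, .metadata.creationTimestamp, .metadata.resourceVersion, .metadata.uid, .metadata.annotations)')
+secret_source_checksum=$(printf '%s' "$secret_source_content" | jq 'del(.metadata.namespace)' | md5sum | awk '{ print $1 }')
+for namespace in $namespace_destination; do
+if /app/kubectl get secret $secret -n $namespace >/dev/null 2>&1; then
+secret_dest_content=$(/app/kubectl get secret $secret -n $namespace -o json | jq 'del(.metadata.managedFields, .metadata.creationTimestamp, .metadata.resourceVersion, .metadata.uid, .metadata.annotations)')
+secret_dest_checksum=$(printf '%s' "$secret_dest_content" | jq 'del(.metadata.namespace)' | md5sum | awk '{ print $1 }')
+if [ "$secret_source_checksum" != "$secret_dest_checksum" ]; then
+printf '%s' "$secret_source_content" | \
+jq -r --arg namespace $namespace '.metadata.namespace = $namespace' | \
+/app/kubectl replace -n $namespace -f -
+fi
+else
+printf '%s' "$secret_source_content" | \
+jq -r --arg namespace $namespace '.metadata.namespace = $namespace' | \
+/app/kubectl apply -n $namespace -f -
+fi
+done
+done
+restartPolicy: OnFailure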
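Review bot: The container that runs under the `secret-reflector` service account has no `securityContext` and no resource limits, and its image is pinned by tag only (`ghcr.io/k8s-at-home/kubectl:v1.22.0`). Because this pod's token can write Secrets, adding `securityContext: {allowPrivilegeEscalation: false, runAsNonRoot: true, readOnlyRootFilesystem: true}` (if the image supports a non-root user) and an image digest would reduce what a replaced or compromised image can do. In the script, `$secret` and `$namespace` are expanded unquoted in the `kubectl` and `jq --arg` calls; write them as `"$secret"` and `"$namespace"`. The job also copies the default certificate's private key into seven namespaces, so Secret read access in any of them exposes that key; the TLSStore `defaultCertificate` changed elsewhere in this commit may already serve ingresses that omit `secretName`, which is worth checking before reflecting the key.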
|
@@ -17,7 +17,6 @@ resources:
|
||||
- k8s-gateway-charts.yaml
|
||||
- kasten-charts.yaml
|
||||
- kubernetes-sigs-descheduler-charts.yaml
|
||||
- mittwald-charts.yaml
|
||||
- node-feature-discovery.yaml
|
||||
- prometheus-community-charts.yaml
|
||||
- rook-ceph-charts.yaml
|
||||
|
@@ -1,10 +0,0 @@
|
||||
---
|
||||
apiVersion: source.toolkit.fluxcd.io/v1beta1
|
||||
kind: HelmRepository
|
||||
metadata:
|
||||
name: mittwald-charts
|
||||
namespace: flux-system
|
||||
spec:
|
||||
interval: 1h
|
||||
url: https://helm.mittwald.de./
|
||||
timeout: 3m
|
@@ -26,6 +26,7 @@ stringData:
|
||||
SECRET_BOOKSTACK_DB_ROOT_PASSWORD: ENC[AES256_GCM,data:4/o956Da0ckVLdxUqs1WWA==,iv:G8DddhYyMZKuGJyWnj+eOaNRiJm7oGetiIZlQgtRFEo=,tag:WX9+DDnA2UPm9nPRLYibXw==,type:str]
|
||||
SECRET_BOTKUBE_DISCORD_BOTID: ENC[AES256_GCM,data:bK1J9v+/Dajd9qrvz3lH49GY,iv:Hq6cY96Te1frwXVf3HC3qgOiaCZW2hHCqjVvvslUGFg=,tag:Dq0cUemHKfcdpx9hLkUekQ==,type:str]
|
||||
SECRET_BOTKUBE_DISCORD_TOKEN: ENC[AES256_GCM,data:pDPm3TYITWApPZRMcSH6ijtPQQuHSd/PNT2Wy23tUp7uzluhHS5hvlujTkjk7oRb95kE6Gi2D8yDmNg=,iv:HQyMQiaRsjNIfPUTjLRVL/zchSdXFmevxaeruwGx3tk=,tag:l+po8014SaZd61DxE1T43A==,type:str]
|
||||
SECRET_CLUSTER_CERTIFICATE_DEFAULT: ENC[AES256_GCM,data:NlCiFO/3sseKI3fVzQ4ajeMOrg==,iv:seSVdR5wkR8sf/PKSy7T3P5oCkbJI4sMNC8XWSJUnh0=,tag:jSjCQVDNPQ7c8Dlg8yozPg==,type:str]
|
||||
SECRET_CLUSTER_DOMAIN_EMAIL: ENC[AES256_GCM,data:kiuNa+aDxNQwby0BorWtRylnjbWw,iv:0j20Vdux17muKzlO2Q3KzsZg9VrT411VoYxjqQC5xhQ=,tag:w7gCUgQFIlVdUFfHhB7pvQ==,type:str]
|
||||
SECRET_CLUSTER_DOMAIN_ROOT: ENC[AES256_GCM,data:ho+ylXKrt7CZiOM=,iv:8873E4Td/82lWVwq/kXkEB8vgxEYha23/nbTkXfle/w=,tag:Yb/VInyUUOPhLUtq+Q+krQ==,type:str]
|
||||
SECRET_CLUSTER_DOMAIN: ENC[AES256_GCM,data:mVPDuVpAXej8CQ0AO85o,iv:PF739I+LZMZaPpfCMZO62eMUbFqgtMszj2cOuIgfcfI=,tag:zEAjj33h/Ux53ctkCzapyw==,type:str]
|
||||
@@ -92,8 +93,8 @@ sops:
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2021-08-06T12:33:06Z"
|
||||
mac: ENC[AES256_GCM,data:kvUJdqOsMCa02I9GjZuxGdj/Y4GOEisrx5gMLrU6LeDb0qeUuqm3++8FhB38J4DTpitWxDivc8MBiYXFCgcQis7SRqPDGT+f/0scL0qCklsX0Q1PUOD9uG9M1ZBS+oo78i20rx5YJ6uv8M7SOVg4MwpG0HkNHuU9dPs1rUzQ4lY=,iv:f2wzA3gdagZsw4gTTDeenH8voLq9B4z5j5WbgBpLygQ=,tag:9+PRb5ch0J4qPC4gjgrjKw==,type:str]
|
||||
lastmodified: "2021-08-09T07:16:35Z"
|
||||
mac: ENC[AES256_GCM,data:BfNqHhc7m2OPJ2cYPOC0i/bLjAWGEGZiQE+oThTaKgj4+FQtmB/faWTkuMhHRjA5eHred2F0Gr7Dz0fvE4oVMegJTgixUhS2KM98+ndI3//ktC0WrSMUCRvnE4lw2ClFfkabYoz3ESahDbOwvvfYUthyc/+j0GFTYafMkxhflOQ=,iv:sjVKEM7Sh1j5ZrNcXKSuEXKG90qQgC0jlSK0ulte9k0=,tag:xLOAcGAN+lm98c3G8dCSmg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2021-07-17T21:14:34Z"
|
||||
enc: |
|
||||
|
@@ -3,7 +3,4 @@ kind: Kustomization
|
||||
resources:
|
||||
- cluster-secrets.yaml
|
||||
- drone-pipelines.yaml
|
||||
- regcred-data.yaml
|
||||
- regcred-development.yaml
|
||||
- regcred-media.yaml
|
||||
- replicated.yaml
|
||||
- regcred.yaml
|
||||
|
@@ -1,59 +0,0 @@
|
||||
kind: Secret
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: data
|
||||
type: kubernetes.io/dockerconfigjson
|
||||
stringData:
|
||||
.dockerconfigjson: ENC[AES256_GCM,data:Ez8e/N1OSqwrSp6tw3r8kslzr6bGQa+rrJweghKYx57klHSctExrzJu30Ans8ga9WGH0uYEKAOMcaEPCI9vZjP+vgewVrCF7eXU/qRhBpsF0iVTzPezZYoWoKTpet/kgXu6e1KYFViY84SYCMbet5ICERfkAScNSU92b1P9zxdi/mZw41kHTPM5vAxlDBtUt71aOO083dinSrYY4VuUk11BmduaZuj4=,iv:z8z5bZ0S/Dh8G3/F52nRNzvDBQ7/3lG3vu5RGLQXPEU=,tag:7gQKHiNRAQ9Fm6Z133NoGw==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2021-07-17T21:37:34Z"
|
||||
mac: ENC[AES256_GCM,data:5rck34eEAoRBYUpn38ZT48SK0Cn7KEp5DUJ5s+wBvO9Jp9Rw8bqjFk8iBKUqagQ1T6C5oeRmzpRjY0r4L1PDE2Ar9AEtiVEDsaGEWwupcORqZaja9XD4OVS0LCyVgyFQVGsQyun7a2AbV0tRekteugDCBb/cOaENzZO/1dGvJMA=,iv:x4aROnco8gv0YLWz0uJ8gl9g++RDbS6OHRJHM1GbChA=,tag:Znj3rk7+LErG2E6IE1Wq4A==,type:str]
|
||||
pgp:
|
||||
- created_at: "2021-07-17T21:25:02Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA6nQR2zACjUjAQ//TMhxKW9Fybga4mHBsr7lTNpq+/gXEbOGW892Q4Pbd9hi
|
||||
g/9bzFcfZ7ndWAUIZBhfdvpa6c/Hre8878YdW7JwQq1xI7oLH8hL8Kj5kx/Pwhwy
|
||||
Kx66gUoUwglpNurO5cNfXdJW9jY4Qyy+C98kQH3+ADQMpWcy3ofGlPt0zT284bP5
|
||||
6bP65A1R5UeOxPodJszDxfMSoV9xt39fjsOUZ8ZmpDs9IDdtx1hDMuAqEkysW6f1
|
||||
jChypr/kYDttOOuWYeFLL0yEWOKUp1WLs45TwQPSod6Zdj2+r2N/7379Cx7krcCM
|
||||
af0aS50J7l405Q/9bfKUVRB+xkfFLz/+mzVz606vG/MKqCJyBpPxeOngR96cqFcr
|
||||
DgxJZgXvHsXogKBTaXxoKNsaeyVpE00/pEo4CTJY2sZqce/eBJaj1olyBh4K3YAd
|
||||
H1CFK2ExfoKFwdnX0T8SM/IPpCfRPNPtbgMUiOpLRVkaH1f4dNq84jKKnpHtDVfr
|
||||
cao2uSHN2yBOql7gUOToroTs6blOmmwkHlnToB5RGuFxU2P8QWcYftk1w1Iv7rtC
|
||||
Z8FBLbXDJJPfhJ4XTOi52BGZkdYpys/mtp8l7qTSG0blLzADa8RuOEy15sYZ5mFQ
|
||||
RH7G2XL63QCCXXnLP3RDMf7jKC6BgBljaOIlvv3GY3sqFfiWj15Olxe/E63NlNLS
|
||||
XgEHrdlbPTCx96tQ2qgFyrNal2gFq2PEJ+k11cQs7FxrQsIVbI4w410FrEvcEm/n
|
||||
fG2EFIC0qpT3ryBp/mIprwMRzKPvd5qctsziMsE3aRuU+uCeukvIxSq7YVrzYYA=
|
||||
=8Czp
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 19B850FBA7685A526CF11E5F9BBE834259976EE8
|
||||
- created_at: "2021-07-17T21:25:02Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA98IrODHuiZ9ARAAqlACQXKtlWDm7JQ7XpXQA+N+rRM5OnvAvu+eln32V3SJ
|
||||
56hdIbJQOE36mB0w8baYIk7sWcDxiuajyzQgWVRpew308Lu78ml2mr2qvTbEQoZh
|
||||
EKMRH67smnVzSxMqnYlKC9V5jjs3zQySKFlb+RiNiXMBp9K9XIkI7syTnxsN50v8
|
||||
ZfdG0zhG42I2NnqE2SFRHIwYhW6iRUTY7ZFD63uZq7JiPGcy5vp+8xyLTfe935a6
|
||||
/heWrUme81eGJuoPnfx2a7cpccpqnnwGlB+VMjhoeO2A9YysMCjQcW7+WsWwmRTe
|
||||
mFo+gsWX5sFi4l4G8bsxV/Z3zc3Li7+c74XqkAepzbOUZrLhM4Fl6TGUW052e+uh
|
||||
pFcYa9mxkqTYb61/3SUJK2eQd6a4Fj8Krzh2Z1WWymRYQytyy+SOBzeFy3SEXshv
|
||||
Z0MUdL/v+VndGpoFljdZYhZRuUDLfgOlciYpAgxLvnHM71W2LNusbxEI+OZ0GwdU
|
||||
v54wJEUtEaMAYMb/H0yzm/bqgV/t42ip9gUsvKKvkzNZm3jT3LuY2moqkIsFXVNj
|
||||
IFOuPL1xxTUlkBZ+EaHOMRmtJq3NGsYVebkBQEhojdXOyZCGlPEcis5NasWMpIFO
|
||||
tPPYao7d680ZDa5nM4JORKKaMtsNPFnUkGHg00GrkRec29UoJJqLLWS7z5zEWzPS
|
||||
XgGc2zsbBDRp1VdKRjheTY+Vgi8oci6ZsNC9U2SvfIh9YGOKVBUCcRlxVS3Xb7hs
|
||||
09Ukr5k/yny0H6edpJ2ImZcn4KTnFhELqKXbbdUBmQ8e5xPUBX5BeemIwDLXAu0=
|
||||
=4LIz
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 5749D0AE39445C1CCA6006DF8913091C690BDD69
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
version: 3.7.1
|
@@ -1,59 +0,0 @@
|
||||
kind: Secret
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: development
|
||||
type: kubernetes.io/dockerconfigjson
|
||||
stringData:
|
||||
.dockerconfigjson: ENC[AES256_GCM,data:HfEH30Dis81WFXJ2bAbKPVUmHTkqcpPB7bLm1Zn1f0ELUJzD2Z8JGJ7xOBcfJR9CvzUma9gLYlrz1J8moy4B2n/hIGQFySN4zKR3iDjHNFLJo+HcRn2rONzfKX0lTFZ4YXWhw6Rlx3j0MZ7OFBnhI2I5kyfEyYcc1Xqq4c8++GosYCG4lwTrwFjmTeCo9BoTvOphgnkC5NuihDQ/UiHV9/po9zeQO/I=,iv:3XqfPFv3Rc7g8W7Bk1Q0n945mPvQTqkLX4yWh9CfLyc=,tag:l+LpDfWt1K5uRfBbM71DhQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2021-07-19T12:09:05Z"
|
||||
mac: ENC[AES256_GCM,data:WAteda2YTX0sgGtNJX/QI5bNBCBGdv+lSMM2gyoZfzmRS6Uj5Y7pPHf7EScqGcou8ZfEcGdJG/lA9A7hONETAf+2fKdn9g7FM7cVvh493+wLr8drtJMu/mqqP3A72tbhi6PMtmUHAtF2+gNyYak1QAmvEfO/+cAJC4TfxXaBsZ4=,iv:0PUuKI1qewENzW0KTq+Cm9LpdJ60OvhZ1CEqZXvH/tI=,tag:fWLUbqnV5FGqkVucFBciaw==,type:str]
|
||||
pgp:
|
||||
- created_at: "2021-07-17T21:25:06Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA6nQR2zACjUjAQ/9G4rlzO+Mf9NXs5jwGf+yuj0VM3SWl9Rz7kEAFdnEhYNG
|
||||
RWBu/lpg6ipIBAIramz1hV4NQPraoEEO/OwEwj0Bez88ydt3a7CxMFyu2q+pNjvi
|
||||
QIrQuM+3J3dM8l5qVh3/5r81QvSb/g+USgYIGhbd9jABxBzglnb3GYA+KBgWncsp
|
||||
PVaBG5t3+7jd2FbKd+6fzYkMiW1kZmK4/3P2etoDFR4bgoADck0Coy9Y155QAlnk
|
||||
/AYVwS6IIZ8+BUwwT+gOk8V9QJRwcKFFo9TJ2gmnkNb5MbXgX7DEKwGPIegEUyKY
|
||||
Ex9x+yEdfy5dlsJ7TE4C5olk4yOEnXfhxUeiMD6myEJjVM9SjP3A7DK+/f/E6+9Q
|
||||
MAMFxxHaKGLu2wRmUPMWH78VhVLExgq7P9l8YGMEKch32wdwo4b4295mLe+AtXlw
|
||||
z3vWLx1PYU+l0sJ8leVZtd//547NbLxtUGYhI+5ozzxaL8Hwps5fWbcmXLWaz8Dr
|
||||
Lj1zwatetd1Loc0OZFR90giQVl9JREHK9QlARAFnIMnu7eKZlln/TnF7MjdgAuD4
|
||||
2diAocyU+X7PZty+oWbi56LQE90Vr01MBO/wsvUUETZ+6sAEYB805EKpGj+r432H
|
||||
/WPx2Yedn9HAE8ZPIRedYK5gXh8867mA3XCw6sd9ELI67BWiqdveR1jeKreFPJjS
|
||||
XgHx9krMM0IcX2V0rT0nJea8m3M+b6ZpvdBicmfjTCBxrnAgMnbOGuzwoUGNePX2
|
||||
IZtgHNvqEaQfEONDtIJM6gtY6soJJxQ790w+FmTGs7av4o0IHgT4xqZRhDZSF/8=
|
||||
=p08Q
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 19B850FBA7685A526CF11E5F9BBE834259976EE8
|
||||
- created_at: "2021-07-17T21:25:06Z"
|
||||
enc: |
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA98IrODHuiZ9ARAArzhyppi7wq055mnLiBm3CG1JUIELebfLwyD4Xj46Rjq4
|
||||
cRZAeRKSM/MjUT0G8RuhssaJPoI2uNtZT9z3+qIZDUoCHLt8horo147oMzN7RqVW
|
||||
VjEbO63Tiv253Jles3lax5eCmO0f88frzOqs4IqSluYWL1AlKkA6zGZuEhysasHk
|
||||
RtZh2jWe7/ZBP8gICgTaPv/ptIWF4mJYcK2rD9mM3PeZ1oBVfwVhsxumGISo9hEm
|
||||
oDtfFqTaX+nDRcjofIp/u85Jt3SrD+NCyCyBUzoprs5npPlLcy/cjrQ1HCxrOSxh
|
||||
fzGo90CWg0TqSFx545CiTxT6wJzRVsLspP662/nV1wHXOu3fO1IqAjWsmDk66oBp
|
||||
A4tgE8eDo7NA849VmsUkNfdgFOiFFBW8TolHZUJHbV4BomWK1KXJuRRAqIdg620Y
|
||||
oDjHClWLpJTpkhlN+GhU0AojXWEYnpQhDApqrFnpQECEjOUuu643JSjDOj/kY/IJ
|
||||
0DeveaBy9clylq8G+SMXSKt/LivATquvuMzsDnLzy+SYjnOsjpIL/JNdFH5uWqm7
|
||||
1erIyM9Ix7cIAzk4qm/5M3smy/7p+eOMlqFgRrN+fbt54uSbW+7BamjTCPsXnqk5
|
||||
0zHMdf6BHC1QKgOH24jhPFUATiJeY4fJBPIJF+orbWlBTBrFFp3h6W12HdHUG83S
|
||||
XgHN9EqRP9PC1n+F3Ni4VVVfx5kBr4g5tyrGhpSgYNJqSdIQCdaWySsTVLs2D4Xr
|
||||
69Bdc0tBQv5aCyU4g2PT2CDYjLrPFxImCcyr/JeZd2x44scuHUqjAl/plihSmes=
|
||||
=cyE+
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 5749D0AE39445C1CCA6006DF8913091C690BDD69
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
version: 3.7.1
|
@@ -2,7 +2,7 @@ kind: Secret
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: regcred
|
||||
namespace: media
|
||||
namespace: networking
|
||||
type: kubernetes.io/dockerconfigjson
|
||||
stringData:
|
||||
.dockerconfigjson: ENC[AES256_GCM,data:HfEH30Dis81WFXJ2bAbKPVUmHTkqcpPB7bLm1Zn1f0ELUJzD2Z8JGJ7xOBcfJR9CvzUma9gLYlrz1J8moy4B2n/hIGQFySN4zKR3iDjHNFLJo+HcRn2rONzfKX0lTFZ4YXWhw6Rlx3j0MZ7OFBnhI2I5kyfEyYcc1Xqq4c8++GosYCG4lwTrwFjmTeCo9BoTvOphgnkC5NuihDQ/UiHV9/po9zeQO/I=,iv:3XqfPFv3Rc7g8W7Bk1Q0n945mPvQTqkLX4yWh9CfLyc=,tag:l+LpDfWt1K5uRfBbM71DhQ==,type:str]
|
||||
@@ -12,8 +12,8 @@ sops:
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age: []
|
||||
lastmodified: "2021-07-17T23:05:26Z"
|
||||
mac: ENC[AES256_GCM,data:ECbE73I+IwPsfekBj6oar9zob0xomHSrTBqav47NeLo/fl6zw3gBIdRu4uCT8rk5i53SPCR7RELdwjfCKAgMBRFmLqoFPIi81dO5O2dG5SnwzjYakYY8Arj0uA6aQkIYOPmkSg543W91iYNK0m7LHDwVYjSD2ibhwO3cs0yluH0=,iv:2RAFdbfihliQoRQfj9D6jZpcOlN649ate3UCI2yTZks=,tag:saEIAzXsMpI0V6slQg3Cng==,type:str]
|
||||
lastmodified: "2021-08-09T14:19:09Z"
|
||||
mac: ENC[AES256_GCM,data:dDz9VfodCTZWDvMZGU40zRoxOhd2P/0AjRTs5p/wwFjRVw/QjVwSRQ5hcf/BhbKMIAG2xa1k4UWE3bkymf/g4avtwejAJVz69gUPe+RVqNVsEuG1YXJYVG7lPd+gzOPwH2wo0zr0+LX6+D9IaKPeQ2Sngyxl7ITRRoxVizbJzK0=,iv:CuFQyDTRH8CW0ysqsAWERPkGC3wk9Taclq7oG5XUyMo=,tag:e7f7IrLDMt7mCzXCfT/DwA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2021-07-17T21:25:06Z"
|
||||
enc: |
|
@@ -1,10 +0,0 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: cluster-secrets
|
||||
namespace: development
|
||||
annotations:
|
||||
replicator.v1.mittwald.de/replicate-from: flux-system/cluster-secrets
|
||||
data: {}
|
||||
type: Opaque
|
@@ -1,20 +0,0 @@
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: kubernetes-replicator
|
||||
namespace: kube-system
|
||||
spec:
|
||||
interval: 5m
|
||||
chart:
|
||||
spec:
|
||||
# renovate: registryUrl=https://helm.mittwald.de/
|
||||
chart: kubernetes-replicator
|
||||
version: 2.6.3
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: mittwald-charts
|
||||
namespace: flux-system
|
||||
interval: 5m
|
||||
values:
|
||||
grantClusterAdminto: true
|
@@ -1,4 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- helm-release.yaml
|
@@ -5,7 +5,6 @@ resources:
|
||||
- coredns-nodecache
|
||||
- descheduler
|
||||
- intel-gpu-plugin
|
||||
- kubernetes-replicator
|
||||
- kured
|
||||
- node-feature-discovery
|
||||
- reloader
|
||||
|
@@ -5,12 +5,12 @@ metadata:
|
||||
name: rook-ceph-mgr-dashboard
|
||||
namespace: rook-ceph
|
||||
annotations:
|
||||
kubernetes.io/ingress.class: "nginx"
|
||||
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
|
||||
labels:
|
||||
app.kubernetes.io/instance: rook-ceph-mgr-dashboard
|
||||
app.kubernetes.io/name: rook-ceph-mgr-dashboard
|
||||
spec:
|
||||
ingressClassName: "traefik"
|
||||
rules:
|
||||
- host: "rook.${SECRET_CLUSTER_DOMAIN}"
|
||||
http:
|
||||
@@ -22,3 +22,7 @@ spec:
|
||||
name: rook-ceph-mgr-dashboard
|
||||
port:
|
||||
name: http-dashboard
|
||||
tls:
|
||||
- hosts:
|
||||
- "rook.${SECRET_CLUSTER_DOMAIN}"
|
||||
secretName: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
|
||||
|
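Review bot: The Ingress for the Ceph manager dashboard is now routed on the `websecure` entrypoint with no access restriction attached: the annotations in the first hunk carry only `traefik.ingress.kubernetes.io/router.entrypoints`, and neither hunk references an allow-list or authentication middleware. Any restriction that the nginx controller applied to this host by its own configuration would not carry over, so I would add `traefik.ingress.kubernetes.io/router.middlewares: "<namespace>-<middleware-name>@kubernetescrd"` (placeholder name) pointing at an IP allow-list or forward-auth Middleware. Separately, `tls.secretName` in the second hunk is looked up in the Ingress's own namespace (`rook-ceph`), and this commit also removes kubernetes-replicator, so confirm that the secret named by `${SECRET_CLUSTER_CERTIFICATE_DEFAULT}` exists there; if it does not, Traefik would presumably fall back to its default certificate. The manifest begins before the first hunk, so fields outside these hunks are not visible here.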