🚀 kubernetes-schemas

.github/workflows/kubeconform.yaml

@@ -3,9 +3,6 @@ name: "Kubeconform"
 
 on:
   workflow_dispatch:
-  push:
-    branches: ["main"]
-    paths: ["kubernetes/**"]
   pull_request:
     branches: ["main"]
     paths: ["kubernetes/**"]
@@ -35,15 +32,16 @@ jobs:
         uses: Homebrew/actions/setup-homebrew@master
 
       - name: Setup Tools
-        run: |
+        shell: bash
-          brew install fluxcd/tap/flux kubeconform kustomize
+        run: brew install fluxcd/tap/flux kubeconform kustomize
 
       - name: Download CRDs
+        shell: bash
         run: |
           mkdir -p ${{ env.SCHEMA_DIR }}
-          flux pull artifact oci://ghcr.io/onedr0p/kubernetes-schemas-oci:latest \
+          flux pull artifact oci://ghcr.io/auricom/manifests/kubernetes-schemas:latest \
               --output=${{ env.SCHEMA_DIR }}
 
       - name: Run kubeconform
-        run: |
+        shell: bash
-          bash ./.github/scripts/kubeconform.sh ${{ env.KUBERNETES_DIR }} ${{ env.SCHEMA_DIR }}
+        run: bash ./.github/scripts/kubeconform.sh ${{ env.KUBERNETES_DIR }} ${{ env.SCHEMA_DIR }}

.github/workflows/publish-schemas.yaml

@@ -0,0 +1,126 @@
+---
+name: "Publish Schemas"
+
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * 0"
+  push:
+    branches: ["main"]
+    paths: [".github/workflows/publish-schemas.yaml"]
+
+jobs:
+  publish-manifests:
+    name: Publish Manifests
+    runs-on: ["arc-runner-set-home-ops"]
+    steps:
+      - name: Setup Flux
+        uses: fluxcd/flux2/action@9ea0a535eab2c99121fb3ac742e333b4a9f07970 # v2.0.0
+
+      - name: Setup Kube Tools
+        uses: yokawasa/action-setup-kube-tools@af4ebb1af1efd30c5bd84a2e9773355ad6362a33 # v0.9.3
+        with:
+          setup-tools: kubectl
+
+      - name: Setup Python
+        uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
+        with:
+          python-version: 3.x
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        with:
+          registry: ghcr.io
+          username: "${{ github.actor }}"
+          password: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Setup crd-extractor
+        uses: robinraju/release-downloader@efa4cd07bd0195e6cc65e9e30c251b49ce4d3e51 # v1.8
+        with:
+          repository: datreeio/CRDs-catalog
+          latest: true
+          fileName: crd-extractor.zip
+
+      - name: Write kubeconfig
+        id: kubeconfig
+        uses: timheuer/base64-to-file@ca9e30baf83f7f26708fb0059af9a0973fe5f27e # v1.2
+        with:
+          encodedString: ${{ secrets.KUBECONFIG }}
+          fileName: kubeconfig
+
+      - name: Run crd-extractor
+        env:
+          KUBECONFIG: ${{ steps.kubeconfig.outputs.filePath }}
+        shell: bash
+        run: |
+          unzip -j $GITHUB_WORKSPACE/crd-extractor.zip -d $GITHUB_WORKSPACE
+          bash $GITHUB_WORKSPACE/crd-extractor.sh
+
+      - name: Generate tag
+        id: generate-tag
+        shell: bash
+        run: echo "tag=ghcr.io/${{ github.repository_owner }}/manifests/kubernetes-schemas:$(git rev-parse --short HEAD)" >> "${GITHUB_OUTPUT}"
+
+      - name: Publish manifests
+        shell: bash
+        run: |
+          flux push artifact oci://${{ steps.generate-tag.outputs.tag }} \
+              --path="/home/runner/.datree/crdSchemas" \
+              --source="${{ github.repositoryUrl }}" \
+              --revision="${{ github.ref_name }}@sha1:$(git rev-parse HEAD)"
+
+      - name: Tag manifests
+        shell: bash
+        run: flux tag artifact oci://${{ steps.generate-tag.outputs.tag }} --tag main
+
+  publish-web:
+    name: Publish Web
+    runs-on: ubuntu-latest
+    needs: ["publish-manifests"]
+    steps:
+      - name: Setup Flux
+        uses: fluxcd/flux2/action@9ea0a535eab2c99121fb3ac742e333b4a9f07970 # v2.0.0
+
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
+
+      - name: Setup Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@2a1a44ac4aa01993040736bd95bb470da1a38365 # v2.9.0
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
+        with:
+          registry: ghcr.io
+          username: "${{ github.actor }}"
+          password: "${{ secrets.GITHUB_TOKEN }}"
+
+      - name: Pull manifests
+        shell: bash
+        run: |
+          mkdir -p /home/runner/crdSchemas
+          flux pull artifact oci://ghcr.io/${{ github.repository_owner }}/manifests/kubernetes-schemas:$(git rev-parse --short HEAD) --output /home/runner/crdSchemas
+
+      - name: Write nginx-unprivileged Dockerfile
+        shell: bash
+        run: |
+          cat <<EOF > /home/runner/crdSchemas/Dockerfile
+          FROM docker.io/nginxinc/nginx-unprivileged:latest
+          COPY --chown=nginx:nginx --chmod=755 . /usr/share/nginx/html
+          USER nginx
+          EOF
+
+      - name: Publish web container
+        uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
+        with:
+          context: /home/runner/crdSchemas
+          platforms: linux/amd64,linux/arm64
+          file: /home/runner/crdSchemas/Dockerfile
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/kubernetes-schemas:latest
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          labels: |
+            org.opencontainers.image.source="${{ github.repositoryUrl }}"
+            org.opencontainers.image.authors="Auricom <auricomp@users.noreply.github.com>"

kubernetes/apps/actions-runner-system/namespace.yaml

@@ -5,3 +5,4 @@ metadata:
   name: actions-runner-system
   labels:
     kustomize.toolkit.fluxcd.io/prune: disabled
+    pod-security.kubernetes.io/enforce: privileged

kubernetes/apps/default/kubernetes-schemas/app/README.md

@@ -0,0 +1,19 @@
+extract_ca_crt_from_secret
+kubectl get secret kubernetes-schemas-sa -o json | jq -r '.data["ca.crt"]' | base64 -d > ca.crt
+
+get_user_token_from_secret
+USER_TOKEN=$(kubectl get secret kubernetes-schemas-sa -o json | jq -r '.data["token"]' | base64 -d)
+
+Create token
+context=$(kubectl config current-context)
+CLUSTER_NAME=$(kubectl config get-contexts "$context" | awk '{print $3}' | tail -n 1)
+ENDPOINT=$(kubectl config view -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_NAME}\")].cluster.server}")
+kubectl config set-cluster "${CLUSTER_NAME}" --kubeconfig=kubernetes-schemas-config --server="${ENDPOINT}" --certificate-authority="ca.crt" --embed-certs=true
+kubectl config set-credentials "kubernetes-schemas-default-${CLUSTER_NAME}" --kubeconfig="kubernetes-schemas-config" --token="${USER_TOKEN}"
+kubectl config set-context "kubernetes-schemas-default-${CLUSTER_NAME}" --kubeconfig="kubernetes-schemas-config" --cluster="${CLUSTER_NAME}" --user="kubernetes-schemas-default-${CLUSTER_NAME}" --namespace="default"
+kubectl config use-context "kubernetes-schemas-default-${CLUSTER_NAME}" --kubeconfig="kubernetes-schemas-config"
+
+# Test
+
+KUBECONFIG=kubernetes-schemas-config kubectl get pods --all-namespaces
+KUBECONFIG=kubernetes-schemas-config kubectl get crds

kubernetes/apps/default/kubernetes-schemas/app/gatus.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: kubernetes-schemas-gatus-ep
+  namespace: default
+  labels:
+    gatus.io/enabled: "true"
+data:
+  config.yaml: |
+    endpoints:
+      - name: kubernetes-schemas
+        group: external
+        url: https://kubernetes-schemas.${SECRET_CLUSTER_DOMAIN}
+        interval: 1m
+        client:
+          dns-resolver: tcp://1.1.1.1:53
+          insecure: true
+        conditions:
+          - "[STATUS] == 200"
+        alerts:
+          - type: pushover

kubernetes/apps/default/kubernetes-schemas/app/helmrelease.yaml

@@ -0,0 +1,67 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app kubernetes-schemas
+  namespace: default
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.5.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  maxHistory: 2
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    controller:
+      replicas: 2
+      strategy: RollingUpdate
+    image:
+      repository: ghcr.io/auricom/kubernetes-schemas
+      tag: latest@sha256:7b13c44208301bb787463b2f319cf43d3c67258e034a1dc6a53ec485923f0418
+    service:
+      main:
+        ports:
+          http:
+            port: 8080
+    ingress:
+      main:
+        enabled: true
+        ingressClassName: nginx
+        annotations:
+          external-dns.home.arpa/enabled: "true"
+        hosts:
+          - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+    topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
+        labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: *app
+    resources:
+      requests:
+        cpu: 10m
+        memory: 50Mi
+      limits:
+        memory: 100Mi

kubernetes/apps/default/kubernetes-schemas/app/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./helmrelease.yaml
+  - ./gatus.yaml
+  - ./rbac.yaml

kubernetes/apps/default/kubernetes-schemas/app/rbac.yaml

@@ -0,0 +1,41 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: kubernetes-schemas
+  namespace: default
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: kubernetes-schemas
+rules:
+- apiGroups:
+  - apiextensions.k8s.io
+  resources:
+  - customresourcedefinitions
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: kubernetes-schemas
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubernetes-schemas
+subjects:
+- kind: ServiceAccount
+  name: kubernetes-schemas
+  namespace: default
+---
+apiVersion: v1
+kind: Secret
+type: kubernetes.io/service-account-token
+metadata:
+  name: kubernetes-schemas-sa
+  annotations:
+    kubernetes.io/service-account.name:  "kubernetes-schemas"

kubernetes/apps/default/kubernetes-schemas/ks.yaml

@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-apps-kubernetes-schemas
+  namespace: flux-system
+  labels:
+    substitution.flux.home.arpa/enabled: "true"
+spec:
+  path: ./kubernetes/apps/default/kubernetes-schemas/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  wait: false # no flux ks dependents
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kubernetes/apps/default/kustomization.yaml

@@ -29,6 +29,7 @@ resources:
   - ./joplin/ks.yaml
   - ./komf/ks.yaml
   - ./komga/ks.yaml
+  - ./kubernetes-schemas/ks.yaml
   - ./lidarr/ks.yaml
   - ./libreddit/ks.yaml
   - ./lychee/ks.yaml