mirror of
https://github.com/auricom/home-cluster.git
synced 2025-09-17 18:24:14 +02:00
✨ new talos cluster
This commit is contained in:
@@ -0,0 +1,42 @@
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: cert-manager-certificates
|
||||
namespace: default
|
||||
spec:
|
||||
interval: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: raw
|
||||
version: v0.3.1
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: dysnix
|
||||
namespace: flux-system
|
||||
install:
|
||||
createNamespace: true
|
||||
remediation:
|
||||
retries: 5
|
||||
upgrade:
|
||||
remediation:
|
||||
retries: 5
|
||||
dependsOn:
|
||||
- name: cert-manager-issuers
|
||||
namespace: default
|
||||
values:
|
||||
resources:
|
||||
- apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: "${SECRET_CLUSTER_DOMAIN/./-}"
|
||||
namespace: default
|
||||
spec:
|
||||
secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls"
|
||||
issuerRef:
|
||||
name: letsencrypt-production
|
||||
kind: ClusterIssuer
|
||||
commonName: "${SECRET_CLUSTER_DOMAIN}"
|
||||
dnsNames:
|
||||
- "${SECRET_CLUSTER_DOMAIN}"
|
||||
- "*.${SECRET_CLUSTER_DOMAIN}"
|
@@ -0,0 +1,5 @@
|
||||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- helm-release.yaml
|
@@ -0,0 +1,35 @@
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: cert-manager
|
||||
namespace: default
|
||||
spec:
|
||||
interval: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: cert-manager
|
||||
version: v1.10.0
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: jetstack
|
||||
namespace: flux-system
|
||||
interval: 15m
|
||||
install:
|
||||
createNamespace: true
|
||||
remediation:
|
||||
retries: 3
|
||||
values:
|
||||
installCRDs: true
|
||||
webhook:
|
||||
enabled: true
|
||||
extraArgs:
|
||||
- --dns01-recursive-nameservers=ns15.ovh.net:53,dns15.ovh.net:53
|
||||
- --dns01-recursive-nameservers-only
|
||||
cainjector:
|
||||
replicaCount: 1
|
||||
prometheus:
|
||||
enabled: true
|
||||
servicemonitor:
|
||||
enabled: true
|
||||
prometheusInstance: monitoring
|
@@ -0,0 +1,74 @@
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: cert-manager-issuers
|
||||
namespace: default
|
||||
spec:
|
||||
interval: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: raw
|
||||
version: v0.3.1
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: dysnix
|
||||
namespace: flux-system
|
||||
install:
|
||||
createNamespace: true
|
||||
remediation:
|
||||
retries: 5
|
||||
upgrade:
|
||||
remediation:
|
||||
retries: 5
|
||||
dependsOn:
|
||||
- name: cert-manager
|
||||
namespace: default
|
||||
- name: cert-manager-webhook-ovh
|
||||
namespace: default
|
||||
values:
|
||||
resources:
|
||||
- apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: letsencrypt-production
|
||||
spec:
|
||||
acme:
|
||||
server: https://acme-v02.api.letsencrypt.org/directory
|
||||
email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-production
|
||||
solvers:
|
||||
- dns01:
|
||||
webhook:
|
||||
groupName: "${SECRET_DOMAIN}"
|
||||
solverName: ovh
|
||||
config:
|
||||
endpoint: ovh-eu
|
||||
applicationKey: "${SECRET_CLUSTER_OVH_APPLICATION_KEY}"
|
||||
applicationSecretRef:
|
||||
key: applicationSecret
|
||||
name: ovh-credentials
|
||||
consumerKey: "${SECRET_CLUSTER_OVH_CONSUMER_KEY}"
|
||||
- apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: letsencrypt-staging
|
||||
spec:
|
||||
acme:
|
||||
server: https://acme-staging-v02.api.letsencrypt.org/directory
|
||||
email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-production
|
||||
solvers:
|
||||
- dns01:
|
||||
webhook:
|
||||
groupName: "${SECRET_DOMAIN}"
|
||||
solverName: ovh
|
||||
config:
|
||||
endpoint: ovh-eu
|
||||
applicationKey: "${SECRET_CLUSTER_OVH_APPLICATION_KEY}"
|
||||
applicationSecretRef:
|
||||
key: applicationSecret
|
||||
name: ovh-credentials
|
||||
consumerKey: "${SECRET_CLUSTER_OVH_CONSUMER_KEY}"
|
@@ -0,0 +1,5 @@
|
||||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- helm-release.yaml
|
@@ -0,0 +1,11 @@
|
||||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- secret.sops.yaml
|
||||
- helm-release.yaml
|
||||
- rbac.yaml
|
||||
- webhook-ovh
|
||||
- issuers
|
||||
- certificates
|
||||
- prometheus-rule.yaml
|
@@ -0,0 +1,68 @@
|
||||
---
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: PrometheusRule
|
||||
metadata:
|
||||
name: cert-manager.rules
|
||||
namespace: default
|
||||
spec:
|
||||
groups:
|
||||
- name: cert-manager
|
||||
rules:
|
||||
- alert: CertManagerAbsent
|
||||
expr: |
|
||||
absent(up{job="cert-manager"})
|
||||
for: 10m
|
||||
labels:
|
||||
severity: critical
|
||||
annotations:
|
||||
description:
|
||||
"New certificates will not be able to be minted, and existing
|
||||
ones can't be renewed until cert-manager is back."
|
||||
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent
|
||||
summary: "Cert Manager has dissapeared from Prometheus service discovery."
|
||||
- name: certificates
|
||||
rules:
|
||||
- alert: CertManagerCertExpirySoon
|
||||
expr: |
|
||||
avg by (exported_namespace, namespace, name) (
|
||||
certmanager_certificate_expiration_timestamp_seconds - time())
|
||||
< (21 * 24 * 3600)
|
||||
for: 1h
|
||||
labels:
|
||||
severity: warning
|
||||
annotations:
|
||||
description:
|
||||
"The domain that this cert covers will be unavailable after
|
||||
{{ $value | humanizeDuration }}. Clients using endpoints that this cert
|
||||
protects will start to fail in {{ $value | humanizeDuration }}."
|
||||
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon
|
||||
summary:
|
||||
"The cert {{ $labels.name }} is {{ $value | humanizeDuration }}
|
||||
from expiry, it should have renewed over a week ago."
|
||||
- alert: CertManagerCertNotReady
|
||||
expr: |
|
||||
max by (name, exported_namespace, namespace, condition) (
|
||||
certmanager_certificate_ready_status{condition!="True"} == 1)
|
||||
for: 10m
|
||||
labels:
|
||||
severity: critical
|
||||
annotations:
|
||||
description:
|
||||
"This certificate has not been ready to serve traffic for at least
|
||||
10m. If the cert is being renewed or there is another valid cert, the ingress
|
||||
controller _may_ be able to serve that instead."
|
||||
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready
|
||||
summary: "The cert {{ $labels.name }} is not ready to serve traffic."
|
||||
- alert: CertManagerHittingRateLimits
|
||||
expr: |
|
||||
sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m]))
|
||||
> 0
|
||||
for: 5m
|
||||
labels:
|
||||
severity: critical
|
||||
annotations:
|
||||
description:
|
||||
"Depending on the rate limit, cert-manager may be unable to generate
|
||||
certificates for up to a week."
|
||||
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits
|
||||
summary: "Cert manager hitting LetsEncrypt rate limits."
|
25
kubernetes/cluster-0/apps/networking/cert-manager/rbac.yaml
Normal file
25
kubernetes/cluster-0/apps/networking/cert-manager/rbac.yaml
Normal file
@@ -0,0 +1,25 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: cert-manager:ovh-dns-challenge
|
||||
namespace: default
|
||||
rules:
|
||||
- apiGroups: ["${SECRET_DOMAIN}"]
|
||||
resources: ["ovh"]
|
||||
verbs: ["get", "watch", "list", "create"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: cert-manager:ovh-dns-challenge
|
||||
namespace: default
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cert-manager:ovh-dns-challenge
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: cert-manager
|
||||
namespace: default
|
@@ -0,0 +1,28 @@
|
||||
kind: Secret
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: ovh-credentials
|
||||
namespace: default
|
||||
stringData:
|
||||
applicationSecret: ENC[AES256_GCM,data:9vWD0QZ5mSIVhTOg5BinGUhEdJW0Tv6/CzoJor2FO5I=,iv:ymVqh3DKnvTzKi8nWW6ULDLyJLfXE/HDGLmTmLuo9WE=,tag:Aoy6ClqB1K4HVNn6d8H94w==,type:str]
|
||||
type: Opaque
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDcGV1NGhhY3hOa0pjSThx
|
||||
ZGt5Y2FPNVcrN0d1SCtCS2NjMHFjM2Y0QUJ3CncvUzB2QlpDL0xxZTQ4NVFyNm51
|
||||
bFovMHhXRDVwSmpGaDR2YnBlTUQzTEkKLS0tIGx6bjRQNHQ4enJZN1UydEtiSkxP
|
||||
d0Vid3lIQ0NPSmxicFlBN2NCRnE5ZFUKo1l3ST2oUmaWBgbjub/BWPpRzB588ZoJ
|
||||
NvB6P1YivKsDZf/fsRT0gf1GPx9gZgql/w3g/9mggKANW4rFrMH1Mg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-07-03T14:42:43Z"
|
||||
mac: ENC[AES256_GCM,data:shI/qzyWbCozb7CH4KgwZStp21+c/CsT5y+TtdzI+O5Xbbg4WHwUIw73DEqvOD8Rrj39Ym53L8f6G7apvAToU1nv23POs/e4ew2yMOhypfsw19hq93IDLmon6jmj7C2DCSwLWukzCX3/Ot+OELm8t8svZYDD+xE1wtYidmfiZdo=,iv:tURq+EP7UqMKaKHkWD4K3E4lLKFNqBLFut1Se8sC9No=,tag:RAbjiVPIEtkOoAFWE+/l7A==,type:str]
|
||||
pgp: []
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
version: 3.7.3
|
@@ -0,0 +1,19 @@
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: cert-manager-webhook-ovh
|
||||
namespace: default
|
||||
spec:
|
||||
interval: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: ./deploy/cert-manager-webhook-ovh
|
||||
version: 0.3.0
|
||||
sourceRef:
|
||||
kind: GitRepository
|
||||
name: cert-manager-webhook-ovh
|
||||
namespace: flux-system
|
||||
interval: 1440m
|
||||
values:
|
||||
groupName: "${SECRET_DOMAIN}"
|
@@ -0,0 +1,6 @@
|
||||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- rbac.yaml
|
||||
- helm-release.yaml
|
@@ -0,0 +1,26 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: cert-manager-webhook-ovh:secret-reader
|
||||
namespace: default
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
resourceNames: ["ovh-credentials"]
|
||||
verbs: ["get", "watch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: cert-manager-webhook-ovh:secret-reader
|
||||
namespace: default
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: cert-manager-webhook-ovh:secret-reader
|
||||
subjects:
|
||||
- apiGroup: ""
|
||||
kind: ServiceAccount
|
||||
name: cert-manager-webhook-ovh
|
||||
namespace: default
|
@@ -0,0 +1,59 @@
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: external-dns
|
||||
namespace: default
|
||||
spec:
|
||||
interval: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: external-dns
|
||||
version: 1.11.0
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: external-dns
|
||||
namespace: flux-system
|
||||
install:
|
||||
createNamespace: true
|
||||
remediation:
|
||||
retries: 5
|
||||
upgrade:
|
||||
remediation:
|
||||
retries: 5
|
||||
values:
|
||||
interval: 2m
|
||||
logLevel: debug
|
||||
provider: ovh
|
||||
env:
|
||||
- name: OVH_APPLICATION_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ovh-external-dns-creds
|
||||
key: application-key
|
||||
- name: OVH_APPLICATION_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ovh-external-dns-creds
|
||||
key: application-secret
|
||||
- name: OVH_CONSUMER_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: ovh-external-dns-creds
|
||||
key: consummer-key
|
||||
extraArgs:
|
||||
- --annotation-filter=external-dns.home.arpa/enabled in (true)
|
||||
policy: sync
|
||||
sources:
|
||||
- ingress
|
||||
txtOwnerId: "default"
|
||||
domainFilters:
|
||||
- "${SECRET_DOMAIN}"
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
resources:
|
||||
requests:
|
||||
memory: 100Mi
|
||||
cpu: 25m
|
||||
limits:
|
||||
memory: 250Mi
|
@@ -0,0 +1,5 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- secret.sops.yaml
|
||||
- helm-release.yaml
|
@@ -0,0 +1,31 @@
|
||||
# yamllint disable
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: ovh-external-dns-creds
|
||||
namespace: default
|
||||
stringData:
|
||||
application-key: ENC[AES256_GCM,data:eM+c4o7krcCr38iYl+V9aw==,iv:bWvn6Du2AYczidEiYcCiiXiCWQoNTM55+pEqEDT5gVg=,tag:XAtpQsK7J7mQWs47qqAt/Q==,type:str]
|
||||
application-secret: ENC[AES256_GCM,data:dsAI3MXIpqC5FQZojzchOUfJPARBYOOUbnmY042w9DQ=,iv:gLh0ySZfm1akVIcnN/LMuuI7GZrBBq/X6mnQd1j9BeA=,tag:wIKWVoDMRfn68Ot56HFPGA==,type:str]
|
||||
consummer-key: ENC[AES256_GCM,data:5RZrrLBGOhmnPLyRBy83SSAYz67h9zfIwx2cEUSxFAs=,iv:x3rMt3obLjR12PSiuzFb4qPirnMXpxojFZ9sTDp2pis=,tag:2ve3wWb2bHQQUA8m7+gyKQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByazlaTU9oZFR2Y2U1blg0
|
||||
VXdUK3BzL1hsM3RydHQzcE95RklOTUdVWEE4CnNkOGprRVFCNFZjTkpOMnJ0R09T
|
||||
RWhhemdvb243UGlVMHhjWVUzTW03V00KLS0tIDJ3d1NYdkJLaHlvQXBCbFlDZXRp
|
||||
bi8wYjlEM0xGZExSV05HSGlkYjQ2VlUKesUixJpqR2iYx5kNxrbD0kTG1siHVKqq
|
||||
sh8UblAqd1av0/3Qpj9dMF8awR8Q80dElcEwXT90Ks/S7p/uEA358g==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-09-15T09:52:51Z"
|
||||
mac: ENC[AES256_GCM,data:cZAwl1uF59cBodh8F4KSZU8/sLyoRy6k2rFuYx3KH/YpICKj2Omg9D3cH1uUF+x1URYbRcKajKrIZMmpd6gjvoRERjnreuzosZwxeannkTpfZ0N5ivydTSETa9mjPXCP+4VdPQISG0ZYx91uf0nrsZnK3dPOT0W/TfEhAI3JB9c=,iv:ufpSLuakm9X5VB8ZgHdyZyH6PAo11yKHV5jj7TuNPcU=,tag:+GY39oTJ91codPkDrTQYTw==,type:str]
|
||||
pgp: []
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
version: 3.7.3
|
@@ -0,0 +1,101 @@
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: ingress-nginx
|
||||
namespace: default
|
||||
spec:
|
||||
interval: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: ingress-nginx
|
||||
version: 4.4.0
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: ingress-nginx
|
||||
namespace: flux-system
|
||||
install:
|
||||
createNamespace: true
|
||||
remediation:
|
||||
retries: 5
|
||||
upgrade:
|
||||
remediation:
|
||||
retries: 5
|
||||
dependsOn:
|
||||
- name: cert-manager
|
||||
namespace: default
|
||||
values:
|
||||
controller:
|
||||
replicaCount: 1
|
||||
service:
|
||||
type: LoadBalancer
|
||||
loadBalancerIP: "${CLUSTER_LB_NGINX}"
|
||||
externalTrafficPolicy: Local
|
||||
publishService:
|
||||
enabled: true
|
||||
ingressClassResource:
|
||||
default: true
|
||||
config:
|
||||
client-body-buffer-size: "100M"
|
||||
client-body-timeout: 12
|
||||
client-header-timeout: 12
|
||||
custom-http-errors: 400,401,403,404,500,502,503,504
|
||||
enable-brotli: "true"
|
||||
enable-ocsp: "true"
|
||||
enable-real-ip: "true"
|
||||
hsts-max-age: "31449600"
|
||||
keep-alive-requests: 10000
|
||||
keep-alive: 120
|
||||
proxy-body-size: "100M"
|
||||
proxy-buffer-size: "16k"
|
||||
service-upstream: "true"
|
||||
ssl-protocols: "TLSv1.3 TLSv1.2"
|
||||
use-forwarded-headers: "true"
|
||||
metrics:
|
||||
enabled: true
|
||||
serviceMonitor:
|
||||
enabled: true
|
||||
namespace: default
|
||||
namespaceSelector:
|
||||
any: true
|
||||
extraArgs:
|
||||
default-ssl-certificate: |-
|
||||
default/${SECRET_CLUSTER_DOMAIN/./-}-tls
|
||||
topologySpreadConstraints:
|
||||
- maxSkew: 1
|
||||
topologyKey: kubernetes.io/hostname
|
||||
whenUnsatisfiable: DoNotSchedule
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: ingress-nginx
|
||||
app.kubernetes.io/component: controller
|
||||
resources:
|
||||
requests:
|
||||
memory: 400Mi
|
||||
cpu: 25m
|
||||
limits:
|
||||
memory: 1Gi
|
||||
defaultBackend:
|
||||
enabled: true
|
||||
image:
|
||||
repository: ghcr.io/tarampampam/error-pages
|
||||
tag: 2.19.0
|
||||
extraEnvs:
|
||||
- name: TEMPLATE_NAME
|
||||
value: l7-light
|
||||
- name: SHOW_DETAILS
|
||||
value: "true"
|
||||
affinity:
|
||||
podAntiAffinity:
|
||||
preferredDuringSchedulingIgnoredDuringExecution:
|
||||
- weight: 100
|
||||
podAffinityTerm:
|
||||
labelSelector:
|
||||
matchExpressions:
|
||||
- key: app.kubernetes.io/name
|
||||
operator: In
|
||||
values: ["ingress-nginx"]
|
||||
- key: app.kubernetes.io/component
|
||||
operator: In
|
||||
values: ["default-backend"]
|
||||
topologyKey: kubernetes.io/hostname
|
@@ -0,0 +1,5 @@
|
||||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- helm-release.yaml
|
@@ -0,0 +1,32 @@
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: k8s-gateway
|
||||
namespace: default
|
||||
spec:
|
||||
interval: 15m
|
||||
chart:
|
||||
spec:
|
||||
# renovate: registryUrl=https://ori-edge.github.io/k8s_gateway/
|
||||
chart: k8s-gateway
|
||||
version: 2.0.0
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: k8s-gateway
|
||||
namespace: flux-system
|
||||
install:
|
||||
createNamespace: true
|
||||
crds: CreateReplace
|
||||
remediation:
|
||||
retries: 5
|
||||
upgrade:
|
||||
crds: CreateReplace
|
||||
remediation:
|
||||
retries: 5
|
||||
values:
|
||||
domain: "${SECRET_CLUSTER_DOMAIN}"
|
||||
service:
|
||||
type: LoadBalancer
|
||||
externalTrafficPolicy: Local
|
||||
loadBalancerIP: ${CLUSTER_LB_K8SGATEWAY}
|
@@ -0,0 +1,4 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- helm-release.yaml
|
10
kubernetes/cluster-0/apps/networking/kustomization.yaml
Normal file
10
kubernetes/cluster-0/apps/networking/kustomization.yaml
Normal file
@@ -0,0 +1,10 @@
|
||||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- cert-manager
|
||||
- external-dns
|
||||
- ingress-nginx
|
||||
- k8s-gateway
|
||||
- smtp-relay
|
||||
- unifi
|
@@ -0,0 +1,89 @@
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: &app smtp-relay
|
||||
namespace: default
|
||||
spec:
|
||||
interval: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 1.0.1
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
install:
|
||||
createNamespace: true
|
||||
remediation:
|
||||
retries: 5
|
||||
upgrade:
|
||||
remediation:
|
||||
retries: 5
|
||||
values:
|
||||
controller:
|
||||
replicas: 1
|
||||
strategy: RollingUpdate
|
||||
image:
|
||||
repository: ghcr.io/foxcpp/maddy
|
||||
tag: 0.6.2
|
||||
env:
|
||||
DEBUG: "true"
|
||||
SMTP_DOMAIN: "${SECRET_DOMAIN}"
|
||||
SMTP_SERVER: "smtp.fastmail.com"
|
||||
SMTP_USERNAME: "${SECRET_EMAIL_SMTP_USERNAME}"
|
||||
SMTP_PORT: "465"
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: *app
|
||||
service:
|
||||
main:
|
||||
type: LoadBalancer
|
||||
loadBalancerIP: "${CLUSTER_LB_SMTP_RELAY}"
|
||||
externalTrafficPolicy: Local
|
||||
ports:
|
||||
http:
|
||||
port: 2525
|
||||
metrics:
|
||||
enabled: true
|
||||
port: 9749
|
||||
serviceMonitor:
|
||||
main:
|
||||
enabled: true
|
||||
endpoints:
|
||||
- port: metrics
|
||||
scheme: http
|
||||
path: /metrics
|
||||
interval: 1m
|
||||
scrapeTimeout: 10s
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
type: configMap
|
||||
name: *app
|
||||
subPath: maddy.conf
|
||||
mountPath: /data/maddy.conf
|
||||
readOnly: true
|
||||
data:
|
||||
enabled: true
|
||||
type: emptyDir
|
||||
medium: Memory
|
||||
sizeLimit: 1Gi
|
||||
mountPath: /dev/shm
|
||||
podAnnotations:
|
||||
configmap.reloader.stakater.com/reload: *app
|
||||
secret.reloader.stakater.com/reload: *app
|
||||
topologySpreadConstraints:
|
||||
- maxSkew: 1
|
||||
topologyKey: kubernetes.io/hostname
|
||||
whenUnsatisfiable: DoNotSchedule
|
||||
labelSelector:
|
||||
matchLabels:
|
||||
app.kubernetes.io/name: *app
|
||||
resources:
|
||||
requests:
|
||||
cpu: 10m
|
||||
memory: 10Mi
|
||||
limits:
|
||||
memory: 50Mi
|
@@ -0,0 +1,15 @@
|
||||
---
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- helm-release.yaml
|
||||
- secret.sops.yaml
|
||||
namespace: default
|
||||
configMapGenerator:
|
||||
- name: smtp-relay
|
||||
files:
|
||||
- maddy.conf
|
||||
generatorOptions:
|
||||
disableNameSuffixHash: true
|
||||
annotations:
|
||||
kustomize.toolkit.fluxcd.io/substitute: disabled
|
33
kubernetes/cluster-0/apps/networking/smtp-relay/maddy.conf
Normal file
33
kubernetes/cluster-0/apps/networking/smtp-relay/maddy.conf
Normal file
@@ -0,0 +1,33 @@
|
||||
state_dir /dev/shm/maddy/state
|
||||
runtime_dir /dev/shm/maddy/run
|
||||
|
||||
openmetrics tcp://0.0.0.0:9749 { }
|
||||
|
||||
tls off
|
||||
hostname {env:SMTP_DOMAIN}
|
||||
|
||||
smtp tcp://0.0.0.0:2525 {
|
||||
debug {env:DEBUG}
|
||||
io_debug {env:DEBUG}
|
||||
|
||||
source {env:SMTP_DOMAIN} {
|
||||
deliver_to &remote_queue
|
||||
}
|
||||
|
||||
default_source {
|
||||
reject
|
||||
}
|
||||
}
|
||||
|
||||
target.queue remote_queue {
|
||||
debug {env:DEBUG}
|
||||
target &remote_smtp
|
||||
}
|
||||
|
||||
target.smtp remote_smtp {
|
||||
debug {env:DEBUG}
|
||||
attempt_starttls yes
|
||||
require_tls yes
|
||||
auth plain {env:SMTP_USERNAME} {env:SMTP_PASSWORD}
|
||||
targets tls://{env:SMTP_SERVER}:{env:SMTP_PORT}
|
||||
}
|
@@ -0,0 +1,29 @@
|
||||
# yamllint disable
|
||||
kind: Secret
|
||||
apiVersion: v1
|
||||
type: Opaque
|
||||
metadata:
|
||||
name: smtp-relay
|
||||
namespace: default
|
||||
stringData:
|
||||
SMTP_PASSWORD: ENC[AES256_GCM,data:Yf/FCPWceNJadwSaTvNXug==,iv:eErTrc6gWkClzoMmLgkz6xgaUA/W7cZoxhgGeCuHPyk=,tag:HYWJN3imrt/Umv4NREuQpg==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkSGowVER2SFNrYTVxOUc4
|
||||
S1lDV295S2tnTlE1TkFuWnFYdXZoZ2ZlYkVrCmdRaXpGNTZTbDBjbkxPTkhaSkU1
|
||||
ZTZEakZwV1prTXpGalc2L0MrQ3BlVlEKLS0tIDdIdTdKTzBybHc5NjJaU0Z4dFg1
|
||||
U003SkswTXRYaUdWYzVRL2oxb2RGdEEKQojCy0af9JFKnKSYQhT2C1sXIBjfKjEz
|
||||
b7/1MAC99t37PRSsyh+ALf6DctqxysHKpG6Ku/RAchPqd2MwtIjWlQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2022-09-13T20:15:28Z"
|
||||
mac: ENC[AES256_GCM,data:PwHnx7chnuV4lmmdZO+areDkucOHdR03xkk9DPiB3GT4NKGvO0lBBRr/KkrENRRoL8EwsYD2UH/o6SPdes76F0vFJYzP3Q33kBY4dRpIzTcbzKFwpvmQszzmDbFFZoUe25Fq0kDcMN2IC20MwvNHFQDJFwQJ4JkWLwRuP6rAIjQ=,iv:thrY5JxFdidqumX+APUxthqdcKrmozQ6zLnmGTzMrFk=,tag:KBXseUVIAMvIDTN2krEY5Q==,type:str]
|
||||
pgp: []
|
||||
encrypted_regex: ^(data|stringData)$
|
||||
version: 3.7.3
|
94
kubernetes/cluster-0/apps/networking/unifi/helm-release.yaml
Normal file
94
kubernetes/cluster-0/apps/networking/unifi/helm-release.yaml
Normal file
@@ -0,0 +1,94 @@
|
||||
---
|
||||
apiVersion: helm.toolkit.fluxcd.io/v2beta1
|
||||
kind: HelmRelease
|
||||
metadata:
|
||||
name: &app unifi
|
||||
namespace: default
|
||||
spec:
|
||||
interval: 15m
|
||||
chart:
|
||||
spec:
|
||||
chart: app-template
|
||||
version: 1.0.1
|
||||
sourceRef:
|
||||
kind: HelmRepository
|
||||
name: bjw-s
|
||||
namespace: flux-system
|
||||
install:
|
||||
createNamespace: true
|
||||
remediation:
|
||||
retries: 5
|
||||
upgrade:
|
||||
remediation:
|
||||
retries: 5
|
||||
values:
|
||||
image:
|
||||
repository: jacobalberty/unifi
|
||||
tag: v7.2.95
|
||||
pullPolicy: IfNotPresent
|
||||
env:
|
||||
RUNAS_UID0: "false"
|
||||
UNIFI_UID: "999"
|
||||
UNIFI_GID: "999"
|
||||
UNIFI_STDOUT: "true"
|
||||
JVM_INIT_HEAP_SIZE:
|
||||
JVM_MAX_HEAP_SIZE: 1024M
|
||||
service:
|
||||
main:
|
||||
type: LoadBalancer
|
||||
externalTrafficPolicy: Local
|
||||
loadBalancerIP: ${CLUSTER_LB_UNIFI}
|
||||
ports:
|
||||
http:
|
||||
port: 8443
|
||||
protocol: HTTPS
|
||||
controller:
|
||||
enabled: true
|
||||
port: 8080
|
||||
protocol: TCP
|
||||
portal-http:
|
||||
enabled: false
|
||||
port: 8880
|
||||
protocol: HTTP
|
||||
portal-https:
|
||||
enabled: false
|
||||
port: 8843
|
||||
protocol: HTTPS
|
||||
speedtest:
|
||||
enabled: true
|
||||
port: 6789
|
||||
protocol: TCP
|
||||
stun:
|
||||
enabled: true
|
||||
port: 3478
|
||||
protocol: UDP
|
||||
syslog:
|
||||
enabled: true
|
||||
port: 5514
|
||||
protocol: UDP
|
||||
discovery:
|
||||
enabled: true
|
||||
port: 10001
|
||||
protocol: UDP
|
||||
ingress:
|
||||
main:
|
||||
enabled: true
|
||||
ingressClassName: "nginx"
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
|
||||
hosts:
|
||||
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
|
||||
paths:
|
||||
- path: /
|
||||
tls:
|
||||
- hosts:
|
||||
- *host
|
||||
persistence:
|
||||
config:
|
||||
enabled: true
|
||||
existingClaim: unifi-config
|
||||
mountPath: /unifi
|
||||
resources:
|
||||
requests:
|
||||
memory: 2Gi
|
||||
cpu: 50m
|
@@ -0,0 +1,5 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
resources:
|
||||
- helm-release.yaml
|
||||
- volume.yaml
|
17
kubernetes/cluster-0/apps/networking/unifi/volume.yaml
Normal file
17
kubernetes/cluster-0/apps/networking/unifi/volume.yaml
Normal file
@@ -0,0 +1,17 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: unifi-config
|
||||
namespace: default
|
||||
labels:
|
||||
app.kubernetes.io/name: &name unifi
|
||||
app.kubernetes.io/instance: *name
|
||||
snapshot.home.arpa/enabled: "true"
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: rook-ceph-block
|
||||
resources:
|
||||
requests:
|
||||
storage: 10Gi
|
Reference in New Issue
Block a user