new talos cluster

This commit is contained in:
auricom
2022-11-19 04:47:32 +01:00
parent 42346bd99b
commit 4ac38f95e9
548 changed files with 1642 additions and 2331 deletions


@@ -0,0 +1,42 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: cert-manager-certificates
namespace: default
spec:
interval: 15m
chart:
spec:
chart: raw
version: v0.3.1
sourceRef:
kind: HelmRepository
name: dysnix
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: cert-manager-issuers
namespace: default
values:
resources:
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "${SECRET_CLUSTER_DOMAIN/./-}"
namespace: default
spec:
secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls"
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "${SECRET_CLUSTER_DOMAIN}"
dnsNames:
- "${SECRET_CLUSTER_DOMAIN}"
- "*.${SECRET_CLUSTER_DOMAIN}"
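Review bot: The wildcard Certificate in `dnsNames` is written to `${SECRET_CLUSTER_DOMAIN/./-}-tls` in the `default` namespace, the same namespace every application workload in this commit runs in, so any ServiceAccount granted `get secrets` there can read the wildcard private key. Since that secret is also handed to ingress-nginx as the default certificate, a leak covers every host under the domain; consider a dedicated namespace for cert-manager and its certificates, or at least a Role in `default` that keeps secret reads off the application accounts. One smaller thing: if I read Flux's envsubst correctly, `${VAR/./-}` replaces only the first dot, so a multi-label domain still yields dots in the secret name — valid for Kubernetes, but `${SECRET_CLUSTER_DOMAIN//./-}` would do what the expression suggests.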


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml


@@ -0,0 +1,35 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: cert-manager
namespace: default
spec:
interval: 15m
chart:
spec:
chart: cert-manager
version: v1.10.0
sourceRef:
kind: HelmRepository
name: jetstack
namespace: flux-system
interval: 15m
install:
createNamespace: true
remediation:
retries: 3
values:
installCRDs: true
webhook:
enabled: true
extraArgs:
- --dns01-recursive-nameservers=ns15.ovh.net:53,dns15.ovh.net:53
- --dns01-recursive-nameservers-only
cainjector:
replicaCount: 1
prometheus:
enabled: true
servicemonitor:
enabled: true
prometheusInstance: monitoring
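Review bot: This HelmRelease has no `upgrade.remediation` block, unlike the sibling `cert-manager-issuers` and `cert-manager-certificates` releases in the same commit, so a failed chart upgrade is left in place rather than retried; add `upgrade:` / `remediation:` / `retries: 3` for consistency with the other releases. Separately, `--dns01-recursive-nameservers-only` together with the two OVH authoritative servers means every DNS-01 self-check bypasses the cluster resolver, which is the right call for split-horizon DNS but makes issuance depend on reaching `ns15.ovh.net`/`dns15.ovh.net` on port 53; a comment above `extraArgs` stating that intent would stop someone from "simplifying" it away later.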


@@ -0,0 +1,74 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: cert-manager-issuers
namespace: default
spec:
interval: 15m
chart:
spec:
chart: raw
version: v0.3.1
sourceRef:
kind: HelmRepository
name: dysnix
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: cert-manager
namespace: default
- name: cert-manager-webhook-ovh
namespace: default
values:
resources:
- apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-production
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
privateKeySecretRef:
name: letsencrypt-production
solvers:
- dns01:
webhook:
groupName: "${SECRET_DOMAIN}"
solverName: ovh
config:
endpoint: ovh-eu
applicationKey: "${SECRET_CLUSTER_OVH_APPLICATION_KEY}"
applicationSecretRef:
key: applicationSecret
name: ovh-credentials
consumerKey: "${SECRET_CLUSTER_OVH_CONSUMER_KEY}"
- apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
privateKeySecretRef:
name: letsencrypt-production
solvers:
- dns01:
webhook:
groupName: "${SECRET_DOMAIN}"
solverName: ovh
config:
endpoint: ovh-eu
applicationKey: "${SECRET_CLUSTER_OVH_APPLICATION_KEY}"
applicationSecretRef:
key: applicationSecret
name: ovh-credentials
consumerKey: "${SECRET_CLUSTER_OVH_CONSUMER_KEY}"
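Review bot: The `letsencrypt-staging` ClusterIssuer points `privateKeySecretRef.name` at `letsencrypt-production`, so both issuers share a single ACME account-key secret; cert-manager registers that key with both CAs, and whichever issuer regenerates the key breaks the other's account binding. Give staging its own secret: `privateKeySecretRef:` / `name: letsencrypt-staging`. Also, `applicationKey` and `consumerKey` are substituted in plaintext into a cluster-scoped object readable by anyone with `get clusterissuers`, while only `applicationSecret` is referenced from a Secret — all three values are needed to call the OVH API, so if the webhook version in use supports `applicationKeyRef`/`consumerKeyRef`, move the other two into `ovh-credentials` as well.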


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml


@@ -0,0 +1,11 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- secret.sops.yaml
- helm-release.yaml
- rbac.yaml
- webhook-ovh
- issuers
- certificates
- prometheus-rule.yaml


@@ -0,0 +1,68 @@
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: cert-manager.rules
namespace: default
spec:
groups:
- name: cert-manager
rules:
- alert: CertManagerAbsent
expr: |
absent(up{job="cert-manager"})
for: 10m
labels:
severity: critical
annotations:
description:
"New certificates will not be able to be minted, and existing
ones can't be renewed until cert-manager is back."
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent
summary: "Cert Manager has dissapeared from Prometheus service discovery."
- name: certificates
rules:
- alert: CertManagerCertExpirySoon
expr: |
avg by (exported_namespace, namespace, name) (
certmanager_certificate_expiration_timestamp_seconds - time())
< (21 * 24 * 3600)
for: 1h
labels:
severity: warning
annotations:
description:
"The domain that this cert covers will be unavailable after
{{ $value | humanizeDuration }}. Clients using endpoints that this cert
protects will start to fail in {{ $value | humanizeDuration }}."
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon
summary:
"The cert {{ $labels.name }} is {{ $value | humanizeDuration }}
from expiry, it should have renewed over a week ago."
- alert: CertManagerCertNotReady
expr: |
max by (name, exported_namespace, namespace, condition) (
certmanager_certificate_ready_status{condition!="True"} == 1)
for: 10m
labels:
severity: critical
annotations:
description:
"This certificate has not been ready to serve traffic for at least
10m. If the cert is being renewed or there is another valid cert, the ingress
controller _may_ be able to serve that instead."
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready
summary: "The cert {{ $labels.name }} is not ready to serve traffic."
- alert: CertManagerHittingRateLimits
expr: |
sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m]))
> 0
for: 5m
labels:
severity: critical
annotations:
description:
"Depending on the rate limit, cert-manager may be unable to generate
certificates for up to a week."
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits
summary: "Cert manager hitting LetsEncrypt rate limits."
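Review bot: The `CertManagerAbsent` summary reads "dissapeared"; it is an operator-facing string, so `summary: "Cert Manager has disappeared from Prometheus service discovery."`. The `absent(up{job="cert-manager"})` expression also assumes the chart's ServiceMonitor produces a `job` label equal to the service name, which nothing in this file establishes — worth confirming against the scrape targets after deploy, because if the label differs the critical alert simply never fires.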


@@ -0,0 +1,25 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager:ovh-dns-challenge
namespace: default
rules:
- apiGroups: ["${SECRET_DOMAIN}"]
resources: ["ovh"]
verbs: ["get", "watch", "list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager:ovh-dns-challenge
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager:ovh-dns-challenge
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager
namespace: default
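Review bot: Both the ClusterRole and the ClusterRoleBinding carry `namespace: default`, but these kinds are cluster-scoped and the API server discards the field, so the line implies a scoping that does not exist; remove `namespace: default` from both `metadata` blocks. The `create` verb on the webhook's `ovh` resource is what lets cert-manager submit challenge payloads to the extension API, and binding it to the `cert-manager` ServiceAccount in `default` matches where the chart is installed in this commit; a one-line comment above `rules` such as `# required by cert-manager-webhook-ovh: cert-manager creates challenge payloads in the webhook's API group` would help the next reader.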


@@ -0,0 +1,28 @@
kind: Secret
apiVersion: v1
metadata:
name: ovh-credentials
namespace: default
stringData:
applicationSecret: ENC[AES256_GCM,data:9vWD0QZ5mSIVhTOg5BinGUhEdJW0Tv6/CzoJor2FO5I=,iv:ymVqh3DKnvTzKi8nWW6ULDLyJLfXE/HDGLmTmLuo9WE=,tag:Aoy6ClqB1K4HVNn6d8H94w==,type:str]
type: Opaque
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDcGV1NGhhY3hOa0pjSThx
ZGt5Y2FPNVcrN0d1SCtCS2NjMHFjM2Y0QUJ3CncvUzB2QlpDL0xxZTQ4NVFyNm51
bFovMHhXRDVwSmpGaDR2YnBlTUQzTEkKLS0tIGx6bjRQNHQ4enJZN1UydEtiSkxP
d0Vid3lIQ0NPSmxicFlBN2NCRnE5ZFUKo1l3ST2oUmaWBgbjub/BWPpRzB588ZoJ
NvB6P1YivKsDZf/fsRT0gf1GPx9gZgql/w3g/9mggKANW4rFrMH1Mg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-07-03T14:42:43Z"
mac: ENC[AES256_GCM,data:shI/qzyWbCozb7CH4KgwZStp21+c/CsT5y+TtdzI+O5Xbbg4WHwUIw73DEqvOD8Rrj39Ym53L8f6G7apvAToU1nv23POs/e4ew2yMOhypfsw19hq93IDLmon6jmj7C2DCSwLWukzCX3/Ot+OELm8t8svZYDD+xE1wtYidmfiZdo=,iv:tURq+EP7UqMKaKHkWD4K3E4lLKFNqBLFut1Se8sC9No=,tag:RAbjiVPIEtkOoAFWE+/l7A==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,19 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: cert-manager-webhook-ovh
namespace: default
spec:
interval: 15m
chart:
spec:
chart: ./deploy/cert-manager-webhook-ovh
version: 0.3.0
sourceRef:
kind: GitRepository
name: cert-manager-webhook-ovh
namespace: flux-system
interval: 1440m
values:
groupName: "${SECRET_DOMAIN}"
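Review bot: For a chart sourced from a `GitRepository`, Flux (as far as I recall the source-controller docs) ignores `chart.spec.version` and builds whatever the repository's `ref` points at, so `version: 0.3.0` here pins nothing; the effective supply-chain pin is the `ref` on the `cert-manager-webhook-ovh` GitRepository in `flux-system`, which is outside this commit and should be a tag or commit SHA rather than a branch. A comment such as `# informational only; the effective pin is the GitRepository ref` above `version` would avoid a false sense of pinning. With a 1440m source interval, a branch ref would pull unreviewed upstream changes into a component that handles OVH API credentials up to once a day.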


@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- rbac.yaml
- helm-release.yaml


@@ -0,0 +1,26 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-manager-webhook-ovh:secret-reader
namespace: default
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["ovh-credentials"]
verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-manager-webhook-ovh:secret-reader
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-webhook-ovh:secret-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook-ovh
namespace: default


@@ -0,0 +1,59 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: external-dns
namespace: default
spec:
interval: 15m
chart:
spec:
chart: external-dns
version: 1.11.0
sourceRef:
kind: HelmRepository
name: external-dns
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
interval: 2m
logLevel: debug
provider: ovh
env:
- name: OVH_APPLICATION_KEY
valueFrom:
secretKeyRef:
name: ovh-external-dns-creds
key: application-key
- name: OVH_APPLICATION_SECRET
valueFrom:
secretKeyRef:
name: ovh-external-dns-creds
key: application-secret
- name: OVH_CONSUMER_KEY
valueFrom:
secretKeyRef:
name: ovh-external-dns-creds
key: consummer-key
extraArgs:
- --annotation-filter=external-dns.home.arpa/enabled in (true)
policy: sync
sources:
- ingress
txtOwnerId: "default"
domainFilters:
- "${SECRET_DOMAIN}"
serviceMonitor:
enabled: true
resources:
requests:
memory: 100Mi
cpu: 25m
limits:
memory: 250Mi
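Review bot: `txtOwnerId: "default"` combined with `policy: sync` lets this instance delete any record whose ownership TXT marker says `default`, so a second cluster or a leftover external-dns deployment using the same generic ID in the same zone would have its records reconciled away; use a cluster-specific value, for example `txtOwnerId: "${SECRET_CLUSTER_DOMAIN/./-}"`, matching the naming already used elsewhere in this commit. `logLevel: debug` is also set in what looks like the long-lived configuration; external-dns debug output lists every planned change and provider call, which is noisy and best dropped to `info` once the migration settles. The env key `consummer-key` is misspelled but matches the Secret in this commit, so a rename has to land in both places at once.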


@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- secret.sops.yaml
- helm-release.yaml


@@ -0,0 +1,31 @@
# yamllint disable
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: ovh-external-dns-creds
namespace: default
stringData:
application-key: ENC[AES256_GCM,data:eM+c4o7krcCr38iYl+V9aw==,iv:bWvn6Du2AYczidEiYcCiiXiCWQoNTM55+pEqEDT5gVg=,tag:XAtpQsK7J7mQWs47qqAt/Q==,type:str]
application-secret: ENC[AES256_GCM,data:dsAI3MXIpqC5FQZojzchOUfJPARBYOOUbnmY042w9DQ=,iv:gLh0ySZfm1akVIcnN/LMuuI7GZrBBq/X6mnQd1j9BeA=,tag:wIKWVoDMRfn68Ot56HFPGA==,type:str]
consummer-key: ENC[AES256_GCM,data:5RZrrLBGOhmnPLyRBy83SSAYz67h9zfIwx2cEUSxFAs=,iv:x3rMt3obLjR12PSiuzFb4qPirnMXpxojFZ9sTDp2pis=,tag:2ve3wWb2bHQQUA8m7+gyKQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByazlaTU9oZFR2Y2U1blg0
VXdUK3BzL1hsM3RydHQzcE95RklOTUdVWEE4CnNkOGprRVFCNFZjTkpOMnJ0R09T
RWhhemdvb243UGlVMHhjWVUzTW03V00KLS0tIDJ3d1NYdkJLaHlvQXBCbFlDZXRp
bi8wYjlEM0xGZExSV05HSGlkYjQ2VlUKesUixJpqR2iYx5kNxrbD0kTG1siHVKqq
sh8UblAqd1av0/3Qpj9dMF8awR8Q80dElcEwXT90Ks/S7p/uEA358g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-15T09:52:51Z"
mac: ENC[AES256_GCM,data:cZAwl1uF59cBodh8F4KSZU8/sLyoRy6k2rFuYx3KH/YpICKj2Omg9D3cH1uUF+x1URYbRcKajKrIZMmpd6gjvoRERjnreuzosZwxeannkTpfZ0N5ivydTSETa9mjPXCP+4VdPQISG0ZYx91uf0nrsZnK3dPOT0W/TfEhAI3JB9c=,iv:ufpSLuakm9X5VB8ZgHdyZyH6PAo11yKHV5jj7TuNPcU=,tag:+GY39oTJ91codPkDrTQYTw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,101 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: ingress-nginx
namespace: default
spec:
interval: 15m
chart:
spec:
chart: ingress-nginx
version: 4.4.0
sourceRef:
kind: HelmRepository
name: ingress-nginx
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: cert-manager
namespace: default
values:
controller:
replicaCount: 1
service:
type: LoadBalancer
loadBalancerIP: "${CLUSTER_LB_NGINX}"
externalTrafficPolicy: Local
publishService:
enabled: true
ingressClassResource:
default: true
config:
client-body-buffer-size: "100M"
client-body-timeout: 12
client-header-timeout: 12
custom-http-errors: 400,401,403,404,500,502,503,504
enable-brotli: "true"
enable-ocsp: "true"
enable-real-ip: "true"
hsts-max-age: "31449600"
keep-alive-requests: 10000
keep-alive: 120
proxy-body-size: "100M"
proxy-buffer-size: "16k"
service-upstream: "true"
ssl-protocols: "TLSv1.3 TLSv1.2"
use-forwarded-headers: "true"
metrics:
enabled: true
serviceMonitor:
enabled: true
namespace: default
namespaceSelector:
any: true
extraArgs:
default-ssl-certificate: |-
default/${SECRET_CLUSTER_DOMAIN/./-}-tls
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller
resources:
requests:
memory: 400Mi
cpu: 25m
limits:
memory: 1Gi
defaultBackend:
enabled: true
image:
repository: ghcr.io/tarampampam/error-pages
tag: 2.19.0
extraEnvs:
- name: TEMPLATE_NAME
value: l7-light
- name: SHOW_DETAILS
value: "true"
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values: ["ingress-nginx"]
- key: app.kubernetes.io/component
operator: In
values: ["default-backend"]
topologyKey: kubernetes.io/hostname
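Review bot: `use-forwarded-headers: "true"` and `enable-real-ip: "true"` on a controller whose Service is the `LoadBalancer` itself mean nginx trusts `X-Forwarded-For`/`X-Real-IP` from whoever connects, because the chart's default `proxy-real-ip-cidr` is `0.0.0.0/0`; any client can then spoof its source address toward `whitelist-source-range`, rate limits and the access log. Unless a proxy in front of `${CLUSTER_LB_NGINX}` is the one setting those headers, set `use-forwarded-headers: "false"`, or keep it and add `proxy-real-ip-cidr: "<trusted proxy CIDR>"` to `config`. The default backend's `SHOW_DETAILS: "true"` also, as far as I know that image, echoes request metadata on error pages to unauthenticated clients; `"false"` is the safer default unless that detail is wanted.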


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml


@@ -0,0 +1,32 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: k8s-gateway
namespace: default
spec:
interval: 15m
chart:
spec:
# renovate: registryUrl=https://ori-edge.github.io/k8s_gateway/
chart: k8s-gateway
version: 2.0.0
sourceRef:
kind: HelmRepository
name: k8s-gateway
namespace: flux-system
install:
createNamespace: true
crds: CreateReplace
remediation:
retries: 5
upgrade:
crds: CreateReplace
remediation:
retries: 5
values:
domain: "${SECRET_CLUSTER_DOMAIN}"
service:
type: LoadBalancer
externalTrafficPolicy: Local
loadBalancerIP: ${CLUSTER_LB_K8SGATEWAY}
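Review bot: `loadBalancerIP: ${CLUSTER_LB_K8SGATEWAY}` is left unquoted while the same kind of value is quoted in the `ingress-nginx` and `smtp-relay` releases of this commit; an IPv4 literal parses as a string either way, but the inconsistency invites a future value that does not, so write `loadBalancerIP: "${CLUSTER_LB_K8SGATEWAY}"`. This service also answers DNS for every Ingress and LoadBalancer host under `${SECRET_CLUSTER_DOMAIN}` to anyone who can reach the LB address; if that is meant to be LAN-only, `loadBalancerSourceRanges` (where the LB implementation honours it) is the place to record the boundary.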


@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml


@@ -0,0 +1,10 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cert-manager
- external-dns
- ingress-nginx
- k8s-gateway
- smtp-relay
- unifi


@@ -0,0 +1,89 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app smtp-relay
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
controller:
replicas: 1
strategy: RollingUpdate
image:
repository: ghcr.io/foxcpp/maddy
tag: 0.6.2
env:
DEBUG: "true"
SMTP_DOMAIN: "${SECRET_DOMAIN}"
SMTP_SERVER: "smtp.fastmail.com"
SMTP_USERNAME: "${SECRET_EMAIL_SMTP_USERNAME}"
SMTP_PORT: "465"
envFrom:
- secretRef:
name: *app
service:
main:
type: LoadBalancer
loadBalancerIP: "${CLUSTER_LB_SMTP_RELAY}"
externalTrafficPolicy: Local
ports:
http:
port: 2525
metrics:
enabled: true
port: 9749
serviceMonitor:
main:
enabled: true
endpoints:
- port: metrics
scheme: http
path: /metrics
interval: 1m
scrapeTimeout: 10s
persistence:
config:
enabled: true
type: configMap
name: *app
subPath: maddy.conf
mountPath: /data/maddy.conf
readOnly: true
data:
enabled: true
type: emptyDir
medium: Memory
sizeLimit: 1Gi
mountPath: /dev/shm
podAnnotations:
configmap.reloader.stakater.com/reload: *app
secret.reloader.stakater.com/reload: *app
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/name: *app
resources:
requests:
cpu: 10m
memory: 10Mi
limits:
memory: 50Mi
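Review bot: `DEBUG: "true"` feeds both `debug` and `io_debug` in the bundled `maddy.conf`, and `io_debug` writes the raw SMTP dialogue, so every relayed envelope and message body lands in pod stdout for anyone who can read logs; keep it `"false"` outside of troubleshooting. The inbound Service is a `LoadBalancer` with no source restriction visible here, and its port is named `http` although it carries SMTP on 2525 — `smtp:` would be the honest name, and `loadBalancerSourceRanges` the place to limit who may submit. Pulling `SMTP_PASSWORD` via `envFrom` from the `smtp-relay` Secret is the right shape; a comment above `env` noting that `DEBUG` enables wire-level logging would keep the next person from flipping it casually.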


@@ -0,0 +1,15 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml
- secret.sops.yaml
namespace: default
configMapGenerator:
- name: smtp-relay
files:
- maddy.conf
generatorOptions:
disableNameSuffixHash: true
annotations:
kustomize.toolkit.fluxcd.io/substitute: disabled


@@ -0,0 +1,33 @@
state_dir /dev/shm/maddy/state
runtime_dir /dev/shm/maddy/run
openmetrics tcp://0.0.0.0:9749 { }
tls off
hostname {env:SMTP_DOMAIN}
smtp tcp://0.0.0.0:2525 {
debug {env:DEBUG}
io_debug {env:DEBUG}
source {env:SMTP_DOMAIN} {
deliver_to &remote_queue
}
default_source {
reject
}
}
target.queue remote_queue {
debug {env:DEBUG}
target &remote_smtp
}
target.smtp remote_smtp {
debug {env:DEBUG}
attempt_starttls yes
require_tls yes
auth plain {env:SMTP_USERNAME} {env:SMTP_PASSWORD}
targets tls://{env:SMTP_SERVER}:{env:SMTP_PORT}
}
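Review bot: The inbound `smtp tcp://0.0.0.0:2525` endpoint accepts mail solely on `source {env:SMTP_DOMAIN}`, which maddy matches against the envelope sender, so any host that can reach the port can relay through the Fastmail account by setting `MAIL FROM` to an address at that domain; with `tls off` and no authentication on the listener, this is an open relay to whatever network the LoadBalancer is exposed on. If the submitting clients are known, restrict them at the network edge (the Service's `loadBalancerSourceRanges`) or require SMTP AUTH on this endpoint, and state the trust boundary in the file with a comment above the `smtp` block such as `# unauthenticated submission: relies on network reachability being limited to trusted hosts`. The outbound side is sound: `require_tls yes` with a `tls://…:465` target keeps the `auth plain` credentials off the wire in clear.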


@@ -0,0 +1,29 @@
# yamllint disable
kind: Secret
apiVersion: v1
type: Opaque
metadata:
name: smtp-relay
namespace: default
stringData:
SMTP_PASSWORD: ENC[AES256_GCM,data:Yf/FCPWceNJadwSaTvNXug==,iv:eErTrc6gWkClzoMmLgkz6xgaUA/W7cZoxhgGeCuHPyk=,tag:HYWJN3imrt/Umv4NREuQpg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkSGowVER2SFNrYTVxOUc4
S1lDV295S2tnTlE1TkFuWnFYdXZoZ2ZlYkVrCmdRaXpGNTZTbDBjbkxPTkhaSkU1
ZTZEakZwV1prTXpGalc2L0MrQ3BlVlEKLS0tIDdIdTdKTzBybHc5NjJaU0Z4dFg1
U003SkswTXRYaUdWYzVRL2oxb2RGdEEKQojCy0af9JFKnKSYQhT2C1sXIBjfKjEz
b7/1MAC99t37PRSsyh+ALf6DctqxysHKpG6Ku/RAchPqd2MwtIjWlQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-13T20:15:28Z"
mac: ENC[AES256_GCM,data:PwHnx7chnuV4lmmdZO+areDkucOHdR03xkk9DPiB3GT4NKGvO0lBBRr/KkrENRRoL8EwsYD2UH/o6SPdes76F0vFJYzP3Q33kBY4dRpIzTcbzKFwpvmQszzmDbFFZoUe25Fq0kDcMN2IC20MwvNHFQDJFwQJ4JkWLwRuP6rAIjQ=,iv:thrY5JxFdidqumX+APUxthqdcKrmozQ6zLnmGTzMrFk=,tag:KBXseUVIAMvIDTN2krEY5Q==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -0,0 +1,94 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app unifi
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
image:
repository: jacobalberty/unifi
tag: v7.2.95
pullPolicy: IfNotPresent
env:
RUNAS_UID0: "false"
UNIFI_UID: "999"
UNIFI_GID: "999"
UNIFI_STDOUT: "true"
JVM_INIT_HEAP_SIZE:
JVM_MAX_HEAP_SIZE: 1024M
service:
main:
type: LoadBalancer
externalTrafficPolicy: Local
loadBalancerIP: ${CLUSTER_LB_UNIFI}
ports:
http:
port: 8443
protocol: HTTPS
controller:
enabled: true
port: 8080
protocol: TCP
portal-http:
enabled: false
port: 8880
protocol: HTTP
portal-https:
enabled: false
port: 8843
protocol: HTTPS
speedtest:
enabled: true
port: 6789
protocol: TCP
stun:
enabled: true
port: 3478
protocol: UDP
syslog:
enabled: true
port: 5514
protocol: UDP
discovery:
enabled: true
port: 10001
protocol: UDP
ingress:
main:
enabled: true
ingressClassName: "nginx"
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
tls:
- hosts:
- *host
persistence:
config:
enabled: true
existingClaim: unifi-config
mountPath: /unifi
resources:
requests:
memory: 2Gi
cpu: 50m
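Review bot: `JVM_INIT_HEAP_SIZE:` has no value, so YAML parses it as `null`; how app-template 1.0.1 renders a nil env entry is not visible here, and at best it yields an empty variable, at worst an invalid `env` item — either drop the key or give it an explicit value such as `JVM_INIT_HEAP_SIZE: "256M"`. The 8443 HTTPS admin UI is reachable both directly on `${CLUSTER_LB_UNIFI}` and through the nginx Ingress (which at least fronts it with the wildcard certificate); if the direct LB path is only needed for device adoption over 8080/3478/10001, consider leaving the `http` port off the LoadBalancer so the admin UI has a single entry point. `RUNAS_UID0: "false"` with an explicit UID/GID of 999 is the right choice; a one-line comment above `env` recording why would keep it from being "simplified" away.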


@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml
- volume.yaml


@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: unifi-config
namespace: default
labels:
app.kubernetes.io/name: &name unifi
app.kubernetes.io/instance: *name
snapshot.home.arpa/enabled: "true"
spec:
accessModes:
- ReadWriteOnce
storageClassName: rook-ceph-block
resources:
requests:
storage: 10Gi