new talos cluster

This commit is contained in:
auricom
2022-11-19 04:47:32 +01:00
parent 42346bd99b
commit 4ac38f95e9
548 changed files with 1642 additions and 2331 deletions


@@ -0,0 +1,42 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: cert-manager-certificates
namespace: default
spec:
interval: 15m
chart:
spec:
chart: raw
version: v0.3.1
sourceRef:
kind: HelmRepository
name: dysnix
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: cert-manager-issuers
namespace: default
values:
resources:
- apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "${SECRET_CLUSTER_DOMAIN/./-}"
namespace: default
spec:
secretName: "${SECRET_CLUSTER_DOMAIN/./-}-tls"
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "${SECRET_CLUSTER_DOMAIN}"
dnsNames:
- "${SECRET_CLUSTER_DOMAIN}"
- "*.${SECRET_CLUSTER_DOMAIN}"
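Review bot: The Certificate at L41-L54 requests a wildcard `*.${SECRET_CLUSTER_DOMAIN}` and writes its private key to a Secret in the `default` namespace (L45, L47), so any workload or principal with `get` on secrets in `default` can read a key valid for every host of the domain. Consider issuing it into a dedicated namespace, or at least documenting with a comment above `namespace: default` why the shared namespace is acceptable and which consumers need the key. The HelmRelease also carries no comment on why the `raw` chart is used to ship a plain Certificate object; a one-line comment such as `# rendered through the dysnix "raw" chart so Flux post-build substitution applies` would help the next maintainer.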


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml


@@ -0,0 +1,35 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: cert-manager
namespace: default
spec:
interval: 15m
chart:
spec:
chart: cert-manager
version: v1.10.0
sourceRef:
kind: HelmRepository
name: jetstack
namespace: flux-system
interval: 15m
install:
createNamespace: true
remediation:
retries: 3
values:
installCRDs: true
webhook:
enabled: true
extraArgs:
- --dns01-recursive-nameservers=ns15.ovh.net:53,dns15.ovh.net:53
- --dns01-recursive-nameservers-only
cainjector:
replicaCount: 1
prometheus:
enabled: true
servicemonitor:
enabled: true
prometheusInstance: monitoring
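Review bot: This release sets `install.remediation` at L87-L88 but no `upgrade.remediation`, unlike the issuers and certificates releases in the same commit (L127-L129), so a failed chart upgrade of cert-manager is left in a failed state rather than retried; adding `upgrade:` / `remediation:` / `retries: 3` after L88 keeps the three consistent. The release installs a cluster-wide controller and its CRDs (L90) into `default`, which means the secrets, Role and RoleBinding elsewhere in this commit share a namespace with general workloads; if that is deliberate, a comment on `namespace: default` should say so. The `--dns01-recursive-nameservers` list at L94 names only OVH resolvers, which is appropriate for a DNS01 solver against OVH zones, but worth a comment since it disables the default self-check path.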


@@ -0,0 +1,74 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: cert-manager-issuers
namespace: default
spec:
interval: 15m
chart:
spec:
chart: raw
version: v0.3.1
sourceRef:
kind: HelmRepository
name: dysnix
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: cert-manager
namespace: default
- name: cert-manager-webhook-ovh
namespace: default
values:
resources:
- apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-production
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
privateKeySecretRef:
name: letsencrypt-production
solvers:
- dns01:
webhook:
groupName: "${SECRET_DOMAIN}"
solverName: ovh
config:
endpoint: ovh-eu
applicationKey: "${SECRET_CLUSTER_OVH_APPLICATION_KEY}"
applicationSecretRef:
key: applicationSecret
name: ovh-credentials
consumerKey: "${SECRET_CLUSTER_OVH_CONSUMER_KEY}"
- apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: "${SECRET_CLUSTER_DOMAIN_EMAIL}"
privateKeySecretRef:
name: letsencrypt-production
solvers:
- dns01:
webhook:
groupName: "${SECRET_DOMAIN}"
solverName: ovh
config:
endpoint: ovh-eu
applicationKey: "${SECRET_CLUSTER_OVH_APPLICATION_KEY}"
applicationSecretRef:
key: applicationSecret
name: ovh-credentials
consumerKey: "${SECRET_CLUSTER_OVH_CONSUMER_KEY}"
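Review bot: The `letsencrypt-staging` ClusterIssuer at L159-L180 points `privateKeySecretRef.name` at `letsencrypt-production` (L168), so both issuers store their ACME account key in the same Secret; the staging and production ACME servers would then share one account key and rotating or deleting it for one environment breaks the other. The line should read `name: letsencrypt-staging`. Separately, L154 and L158 (and L176/L180) substitute the OVH application key and consumer key directly into a cluster-scoped ClusterIssuer, where any principal with read access on ClusterIssuers can see them; only the application secret goes through `applicationSecretRef`. If the webhook version in use accepts Secret references for those two fields as well, moving them into `ovh-credentials` would keep all three credentials out of the rendered object — confirm against the webhook's documented config schema.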


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml


@@ -0,0 +1,11 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- secret.sops.yaml
- helm-release.yaml
- rbac.yaml
- webhook-ovh
- issuers
- certificates
- prometheus-rule.yaml


@@ -0,0 +1,68 @@
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: cert-manager.rules
namespace: default
spec:
groups:
- name: cert-manager
rules:
- alert: CertManagerAbsent
expr: |
absent(up{job="cert-manager"})
for: 10m
labels:
severity: critical
annotations:
description:
"New certificates will not be able to be minted, and existing
ones can't be renewed until cert-manager is back."
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent
summary: "Cert Manager has dissapeared from Prometheus service discovery."
- name: certificates
rules:
- alert: CertManagerCertExpirySoon
expr: |
avg by (exported_namespace, namespace, name) (
certmanager_certificate_expiration_timestamp_seconds - time())
< (21 * 24 * 3600)
for: 1h
labels:
severity: warning
annotations:
description:
"The domain that this cert covers will be unavailable after
{{ $value | humanizeDuration }}. Clients using endpoints that this cert
protects will start to fail in {{ $value | humanizeDuration }}."
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon
summary:
"The cert {{ $labels.name }} is {{ $value | humanizeDuration }}
from expiry, it should have renewed over a week ago."
- alert: CertManagerCertNotReady
expr: |
max by (name, exported_namespace, namespace, condition) (
certmanager_certificate_ready_status{condition!="True"} == 1)
for: 10m
labels:
severity: critical
annotations:
description:
"This certificate has not been ready to serve traffic for at least
10m. If the cert is being renewed or there is another valid cert, the ingress
controller _may_ be able to serve that instead."
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready
summary: "The cert {{ $labels.name }} is not ready to serve traffic."
- alert: CertManagerHittingRateLimits
expr: |
sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m]))
> 0
for: 5m
labels:
severity: critical
annotations:
description:
"Depending on the rate limit, cert-manager may be unable to generate
certificates for up to a week."
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits
summary: "Cert manager hitting LetsEncrypt rate limits."
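Review bot: The CertManagerAbsent summary at L230 misspells "disappeared"; it should read `summary: "Cert Manager has disappeared from Prometheus service discovery."`. The `absent(up{job="cert-manager"})` expression at L221 assumes the ServiceMonitor enabled in the cert-manager release produces a `job` label of exactly `cert-manager`; if the chart's ServiceMonitor yields a different job label, this alert stays silent rather than firing, so confirm the label against the scraped targets and add a comment above `expr:` naming the ServiceMonitor it depends on.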


@@ -0,0 +1,25 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cert-manager:ovh-dns-challenge
namespace: default
rules:
- apiGroups: ["${SECRET_DOMAIN}"]
resources: ["ovh"]
verbs: ["get", "watch", "list", "create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cert-manager:ovh-dns-challenge
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cert-manager:ovh-dns-challenge
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager
namespace: default
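Review bot: `metadata.namespace: default` at L286 and L296 is set on ClusterRole and ClusterRoleBinding, which are cluster-scoped; the field has no effect there and some apply/validation tooling warns on or rejects it, so both lines should be dropped. The rule at L288-L290 grants cert-manager's ServiceAccount `create` on the webhook's `ovh` resource in the `${SECRET_DOMAIN}` API group, which is the grant a cert-manager webhook solver needs; a comment above `rules:` such as `# lets cert-manager submit DNS01 challenges to the OVH webhook API group` would make the purpose of the non-obvious group name clear.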


@@ -0,0 +1,28 @@
kind: Secret
apiVersion: v1
metadata:
name: ovh-credentials
namespace: default
stringData:
applicationSecret: ENC[AES256_GCM,data:9vWD0QZ5mSIVhTOg5BinGUhEdJW0Tv6/CzoJor2FO5I=,iv:ymVqh3DKnvTzKi8nWW6ULDLyJLfXE/HDGLmTmLuo9WE=,tag:Aoy6ClqB1K4HVNn6d8H94w==,type:str]
type: Opaque
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDcGV1NGhhY3hOa0pjSThx
ZGt5Y2FPNVcrN0d1SCtCS2NjMHFjM2Y0QUJ3CncvUzB2QlpDL0xxZTQ4NVFyNm51
bFovMHhXRDVwSmpGaDR2YnBlTUQzTEkKLS0tIGx6bjRQNHQ4enJZN1UydEtiSkxP
d0Vid3lIQ0NPSmxicFlBN2NCRnE5ZFUKo1l3ST2oUmaWBgbjub/BWPpRzB588ZoJ
NvB6P1YivKsDZf/fsRT0gf1GPx9gZgql/w3g/9mggKANW4rFrMH1Mg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-07-03T14:42:43Z"
mac: ENC[AES256_GCM,data:shI/qzyWbCozb7CH4KgwZStp21+c/CsT5y+TtdzI+O5Xbbg4WHwUIw73DEqvOD8Rrj39Ym53L8f6G7apvAToU1nv23POs/e4ew2yMOhypfsw19hq93IDLmon6jmj7C2DCSwLWukzCX3/Ot+OELm8t8svZYDD+xE1wtYidmfiZdo=,iv:tURq+EP7UqMKaKHkWD4K3E4lLKFNqBLFut1Se8sC9No=,tag:RAbjiVPIEtkOoAFWE+/l7A==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3
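Review bot: This file is the only one in the commit without a `---` document start (L310) and it orders `kind` before `apiVersion`, the reverse of every other manifest here; since `encrypted_regex` at L336 leaves everything outside `data`/`stringData` in plaintext, those two lines can be normalised without re-encrypting the value. The plaintext `metadata.name`/`namespace` (L313-L314) is expected under this sops configuration and matches the `ovh-credentials` Secret referenced by the issuers, so nothing else needs to change.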


@@ -0,0 +1,19 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: cert-manager-webhook-ovh
namespace: default
spec:
interval: 15m
chart:
spec:
chart: ./deploy/cert-manager-webhook-ovh
version: 0.3.0
sourceRef:
kind: GitRepository
name: cert-manager-webhook-ovh
namespace: flux-system
interval: 1440m
values:
groupName: "${SECRET_DOMAIN}"
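Review bot: The chart is built from a path inside a GitRepository source (L352-L356), and this webhook is the component that handles the OVH API credentials, so whether that Git source pins an immutable tag or commit rather than a tracking branch matters for supply-chain safety; the GitRepository object is outside this hunk, so that should be checked there and noted in a comment above `sourceRef:`. The `version: 0.3.0` at L353 is advisory for a Git-sourced chart and does not by itself pin the code. Unlike the sibling HelmReleases, this one sets neither `install.remediation` nor `upgrade.remediation`, so a failed reconcile is not retried.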


@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- rbac.yaml
- helm-release.yaml


@@ -0,0 +1,26 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cert-manager-webhook-ovh:secret-reader
namespace: default
rules:
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["ovh-credentials"]
verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cert-manager-webhook-ovh:secret-reader
namespace: default
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cert-manager-webhook-ovh:secret-reader
subjects:
- apiGroup: ""
kind: ServiceAccount
name: cert-manager-webhook-ovh
namespace: default
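Review bot: The Role at L382-L385 scopes secret access to `resourceNames: ["ovh-credentials"]`, which is the right shape; `watch` in the verb list, however, is only usable with a `resourceNames` restriction when the request carries a name field selector, and a webhook that reads the secret on each challenge needs only `get`, so `verbs: ["get"]` would be tighter if the webhook's access pattern confirms it. The binding's subject at L397-L400 assumes the chart creates a ServiceAccount named `cert-manager-webhook-ovh` in `default`; a comment above `subjects:` recording that dependency would help when the chart or namespace changes.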