diff --git a/cluster/apps/kube-tools/kyverno/helm-release.yaml b/cluster/apps/kube-tools/kyverno/helm-release.yaml index 363391154..6eba852fd 100644 --- a/cluster/apps/kube-tools/kyverno/helm-release.yaml +++ b/cluster/apps/kube-tools/kyverno/helm-release.yaml @@ -22,12 +22,8 @@ spec: remediation: retries: 5 values: - installCRDs: false - replicaCount: 1 - extraArgs: - - --autogenInternals=false - - --clientRateLimitQPS=30 - - --clientRateLimitBurst=60 + installCRDs: true + replicaCount: 3 serviceMonitor: enabled: true topologySpreadConstraints: diff --git a/cluster/apps/kube-tools/kyverno/kustomization.yaml b/cluster/apps/kube-tools/kyverno/kustomization.yaml index e7b56c03d..6570e67cf 100644 --- a/cluster/apps/kube-tools/kyverno/kustomization.yaml +++ b/cluster/apps/kube-tools/kyverno/kustomization.yaml @@ -2,8 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - # renovate: registryUrl=https://kyverno.github.io/kyverno/ chart=kyverno - - github.com/kyverno/kyverno//config/crds?ref=kyverno-chart-2.6.0 - helm-release.yaml - - rbac.yaml - policies diff --git a/cluster/apps/kube-tools/kyverno/policies/apply-ingress-auth-annotations.yaml b/cluster/apps/kube-tools/kyverno/policies/apply-ingress-auth-annotations.yaml deleted file mode 100644 index ce2924ab4..000000000 --- a/cluster/apps/kube-tools/kyverno/policies/apply-ingress-auth-annotations.yaml +++ /dev/null @@ -1,36 +0,0 @@ ---- -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: apply-ingress-auth-annotations - annotations: - policies.kyverno.io/title: Apply Ingress Auth Annotations - policies.kyverno.io/subject: Ingress - policies.kyverno.io/description: >- - This policy creates auth annotations on ingresses. When - the `auth.home.arpa/enabled` annotation is `true` it - applies the nginx auth annotations for use with Authelia. -spec: - mutateExistingOnPolicyUpdate: true - generateExistingOnPolicyUpdate: true - rules: - - name: auth - match: - any: - - resources: - kinds: ["Ingress"] - annotations: - auth.home.arpa/enabled: "true" - mutate: - patchStrategicMerge: - metadata: - annotations: - +(nginx.ingress.kubernetes.io/auth-method): GET - +(nginx.ingress.kubernetes.io/auth-url): |- - http://authelia.default.svc.cluster.local./api/verify - +(nginx.ingress.kubernetes.io/auth-signin): |- - https://auth.${SECRET_CLUSTER_DOMAIN}?rm=$request_method - +(nginx.ingress.kubernetes.io/auth-response-headers): |- - Remote-User,Remote-Name,Remote-Groups,Remote-Email - +(nginx.ingress.kubernetes.io/auth-snippet): | - proxy_set_header X-Forwarded-Method $request_method; diff --git a/cluster/apps/kube-tools/kyverno/policies/apply-ingress-external-dns-annotations.yaml b/cluster/apps/kube-tools/kyverno/policies/apply-ingress-external-dns-annotations.yaml deleted file mode 100644 index 772507368..000000000 --- a/cluster/apps/kube-tools/kyverno/policies/apply-ingress-external-dns-annotations.yaml +++ /dev/null @@ -1,30 +0,0 @@ ---- -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: apply-ingress-external-dns-annotations - annotations: - policies.kyverno.io/title: Apply Ingress External-DNS Annotations - policies.kyverno.io/subject: Ingress - policies.kyverno.io/description: >- - This policy creates external-dns annotations on ingresses. - When the `external-dns.home.arpa/enabled` annotation is `true` - it applies the external-dns annotations for use with external - application access. -spec: - mutateExistingOnPolicyUpdate: true - generateExistingOnPolicyUpdate: true - rules: - - name: external-dns - match: - any: - - resources: - kinds: ["Ingress"] - annotations: - external-dns.home.arpa/enabled: "true" - mutate: - patchStrategicMerge: - metadata: - annotations: - +(external-dns.alpha.kubernetes.io/target): |- - services.${SECRET_DOMAIN}. diff --git a/cluster/apps/kube-tools/kyverno/policies/apply-ingress-whitelist-annotations.yaml b/cluster/apps/kube-tools/kyverno/policies/apply-ingress-whitelist-annotations.yaml deleted file mode 100644 index 7a5e39a4a..000000000 --- a/cluster/apps/kube-tools/kyverno/policies/apply-ingress-whitelist-annotations.yaml +++ /dev/null @@ -1,33 +0,0 @@ ---- -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: apply-ingress-whitelist-annotations - annotations: - policies.kyverno.io/title: Apply Ingress Whitelist Annotations - policies.kyverno.io/subject: Ingress - policies.kyverno.io/description: >- - This policy creates annotations on ingresses. When - the `external-dns.home.arpa/enabled` annotation is not - set it applies the nginx annotations for use with only - internal application access. -spec: - mutateExistingOnPolicyUpdate: true - generateExistingOnPolicyUpdate: true - rules: - - name: whitelist - match: - any: - - resources: - kinds: ["Ingress"] - exclude: - any: - - resources: - annotations: - external-dns.home.arpa/enabled: "true" - mutate: - patchStrategicMerge: - metadata: - annotations: - +(nginx.ingress.kubernetes.io/whitelist-source-range): |- - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 diff --git a/cluster/apps/kube-tools/kyverno/policies/delete-cpu-limits.yaml b/cluster/apps/kube-tools/kyverno/policies/delete-cpu-limits.yaml deleted file mode 100644 index 85eb8cba9..000000000 --- a/cluster/apps/kube-tools/kyverno/policies/delete-cpu-limits.yaml +++ /dev/null @@ -1,51 +0,0 @@ ---- -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: delete-cpu-limits - annotations: - policies.kyverno.io/title: Delete CPU limits - policies.kyverno.io/subject: Pod - policies.kyverno.io/description: >- - This policy deletes CPU limits from all Pods. -spec: - mutateExistingOnPolicyUpdate: true - generateExistingOnPolicyUpdate: true - rules: - - name: delete-cpu-limits - match: - any: - - resources: - kinds: ["Pod"] - exclude: - any: - - resources: - namespaces: - - calico-system - - tigera-operator - - resources: - kinds: ["Pod"] - selector: - matchLabels: - job-name: "*" - - resources: - kinds: ["Pod"] - selector: - matchLabels: - statefulset.kubernetes.io/pod-name: "*" - - resources: - annotations: - kyverno.io/ignore: "true" - mutate: - patchStrategicMerge: - spec: - initContainers: - - (name): "*" - resources: - limits: - cpu: null - containers: - - (name): "*" - resources: - limits: - cpu: null diff --git a/cluster/apps/kube-tools/kyverno/policies/helm-release.yaml b/cluster/apps/kube-tools/kyverno/policies/helm-release.yaml new file mode 100644 index 000000000..a2ce0e8d1 --- /dev/null +++ b/cluster/apps/kube-tools/kyverno/policies/helm-release.yaml @@ -0,0 +1,327 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: kyverno-policies + namespace: kyverno +spec: + interval: 15m + chart: + spec: + chart: raw + version: v0.3.1 + sourceRef: + kind: HelmRepository + name: dysnix-charts + namespace: flux-system + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 + dependsOn: + - name: kyverno + namespace: kyverno + values: + resources: + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: kyverno:admin + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin + subjects: + - kind: ServiceAccount + name: kyverno + namespace: kyverno + + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: apply-ingress-auth-annotations + annotations: + policies.kyverno.io/title: Apply Ingress Auth Annotations + policies.kyverno.io/subject: Ingress + policies.kyverno.io/description: >- + This policy creates auth annotations on ingresses. When + the `auth.home.arpa/enabled` annotation is `true` it + applies the nginx auth annotations for use with Authelia. + spec: + mutateExistingOnPolicyUpdate: true + generateExistingOnPolicyUpdate: true + rules: + - name: auth + match: + any: + - resources: + kinds: ["Ingress"] + annotations: + auth.home.arpa/enabled: "true" + mutate: + patchStrategicMerge: + metadata: + annotations: + +(nginx.ingress.kubernetes.io/auth-method): GET + +(nginx.ingress.kubernetes.io/auth-url): |- + http://authelia.default.svc.cluster.local./api/verify + +(nginx.ingress.kubernetes.io/auth-signin): |- + https://auth.${SECRET_CLUSTER_DOMAIN}?rm=$request_method + +(nginx.ingress.kubernetes.io/auth-response-headers): |- + Remote-User,Remote-Name,Remote-Groups,Remote-Email + +(nginx.ingress.kubernetes.io/auth-snippet): | + proxy_set_header X-Forwarded-Method $request_method; + + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: apply-ingress-external-dns-annotations + annotations: + policies.kyverno.io/title: Apply Ingress External-DNS Annotations + policies.kyverno.io/subject: Ingress + policies.kyverno.io/description: >- + This policy creates external-dns annotations on ingresses. + When the `external-dns.home.arpa/enabled` annotation is `true` + it applies the external-dns annotations for use with external + application access. + spec: + mutateExistingOnPolicyUpdate: true + generateExistingOnPolicyUpdate: true + rules: + - name: external-dns + match: + any: + - resources: + kinds: ["Ingress"] + annotations: + external-dns.home.arpa/enabled: "true" + mutate: + patchStrategicMerge: + metadata: + annotations: + +(external-dns.alpha.kubernetes.io/target): |- + services.${SECRET_DOMAIN}. + + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: apply-ingress-whitelist-annotations + annotations: + policies.kyverno.io/title: Apply Ingress Whitelist Annotations + policies.kyverno.io/subject: Ingress + policies.kyverno.io/description: >- + This policy creates annotations on ingresses. When + the `external-dns.home.arpa/enabled` annotation is not + set it applies the nginx annotations for use with only + internal application access. + spec: + mutateExistingOnPolicyUpdate: true + generateExistingOnPolicyUpdate: true + rules: + - name: whitelist + match: + any: + - resources: + kinds: ["Ingress"] + exclude: + any: + - resources: + annotations: + external-dns.home.arpa/enabled: "true" + mutate: + patchStrategicMerge: + metadata: + annotations: + +(nginx.ingress.kubernetes.io/whitelist-source-range): |- + 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16 + + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: delete-cpu-limits + annotations: + policies.kyverno.io/title: Delete CPU limits + policies.kyverno.io/subject: Pod + policies.kyverno.io/description: >- + This policy deletes CPU limits from all Pods. + spec: + mutateExistingOnPolicyUpdate: true + generateExistingOnPolicyUpdate: true + rules: + - name: delete-cpu-limits + match: + any: + - resources: + kinds: ["Pod"] + exclude: + any: + - resources: + namespaces: + - calico-system + - tigera-operator + - resources: + kinds: ["Pod"] + selector: + matchLabels: + job-name: "*" + - resources: + kinds: ["Pod"] + selector: + matchLabels: + statefulset.kubernetes.io/pod-name: "*" + - resources: + annotations: + kyverno.io/ignore: "true" + mutate: + patchStrategicMerge: + spec: + initContainers: + - (name): "*" + resources: + limits: + cpu: null + containers: + - (name): "*" + resources: + limits: + cpu: null + + - apiVersion: kyverno.io/v1 + kind: ClusterPolicy + metadata: + name: snapshot-cronjob-controller + annotations: + policies.kyverno.io/title: Snapshot CronJob controller + policies.kyverno.io/subject: PersistentVolumeClaim + policies.kyverno.io/description: | + This policy creates a Kopia snapshot CronJob for labeled PersistentVolumeClaims + + The following labels on PVCs with their respective labels are required for this to run: + - snapshot.home.arpa/enabled + - app.kubernetes.io/name + - app.kubernetes.io/instance + + An optional label of "snapshot.home.arpa/ignoreAffinity" may be set on the PVC + if the pod is guaranteed to not run during the time of this jobs execution + spec: + generateExistingOnPolicyUpdate: true + mutateExistingOnPolicyUpdate: true + rules: + - name: create-snapshot-cronjob + match: + any: + - resources: + kinds: + - PersistentVolumeClaim + selector: + matchLabels: + snapshot.home.arpa/enabled: "true" + app.kubernetes.io/name: "*" + app.kubernetes.io/instance: "*" + context: + - name: appName + variable: + jmesPath: 'request.object.metadata.labels."app.kubernetes.io/name"' + - name: claimName + variable: + jmesPath: "request.object.metadata.name" + - name: namespace + variable: + jmesPath: "request.object.metadata.namespace" + - name: nodeAffinity + variable: + value: + ignored: '{{ (request.object.metadata.labels."snapshot.home.arpa/ignoreAffinity" || ''false'') == ''false'' }}' + labels: + - key: app.kubernetes.io/name + operator: "In" + values: + - '{{ request.object.metadata.labels."app.kubernetes.io/name" }}' + - key: app.kubernetes.io/instance + operator: "In" + values: + - '{{ request.object.metadata.labels."app.kubernetes.io/instance" }}' + generate: + synchronize: true + apiVersion: batch/v1 + kind: CronJob + name: "{{ appName }}-{{ claimName }}-snapshot" + namespace: "{{ request.object.metadata.namespace }}" + data: + metadata: + labels: + app.kubernetes.io/name: '{{ request.object.metadata.labels."app.kubernetes.io/name" }}' + app.kubernetes.io/instance: '{{ request.object.metadata.labels."app.kubernetes.io/instance" }}' + ownerReferences: + - apiVersion: "{{ request.object.apiVersion }}" + kind: "{{ request.object.kind }}" + name: "{{ request.object.metadata.name }}" + uid: "{{ request.object.metadata.uid }}" + spec: + schedule: "0 3 * * *" + suspend: false + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: 1 + failedJobsHistoryLimit: 2 + jobTemplate: + spec: + # Keep at least one job in completed state in accordance to the schedule + ttlSecondsAfterFinished: 86400 + template: + spec: + automountServiceAccountToken: false + restartPolicy: OnFailure + # Stagger jobs to run randomly within X seconds to avoid bringing down all apps at once + initContainers: + - name: wait + image: ghcr.io/onedr0p/kopia:0.12.1@sha256:e333295b519ce586e7c050c970b2255d87bdb2979298ff87ebdb1113e381ba3b + command: ["/scripts/sleep.sh"] + args: ["1", "900"] + containers: + - name: snapshot + image: ghcr.io/onedr0p/kopia:0.12.1@sha256:e333295b519ce586e7c050c970b2255d87bdb2979298ff87ebdb1113e381ba3b + env: + - name: KOPIA_CACHE_DIRECTORY + value: /snapshots/{{ namespace }}/{{ appName }}/{{ claimName }}/cache + - name: KOPIA_LOG_DIR + value: /snapshots/{{ namespace }}/{{ appName }}/{{ claimName }}/logs + - name: KOPIA_PASSWORD + value: "none" + command: + - /bin/bash + - -c + - |- + printf "\e[1;32m%-6s\e[m\n" "[01/10] Create repo ..." && [[ ! -f /snapshots/kopia.repository.f ]] && kopia repository create filesystem --path=/snapshots + printf "\e[1;32m%-6s\e[m\n" "[02/10] Connect to repo ..." && kopia repo connect filesystem --path=/snapshots --override-hostname=cluster --override-username=root + printf "\e[1;32m%-6s\e[m\n" "[03/10] Set policies ..." && kopia policy set /data/{{ namespace }}/{{ appName }}/{{ claimName }} --compression=zstd --keep-latest 14 --keep-hourly 0 --keep-daily 7 --keep-weekly 2 --keep-monthly 0 --keep-annual 0 + printf "\e[1;32m%-6s\e[m\n" "[04/10] Freeze {{ claimName }} ..." && fsfreeze -f /data/{{ namespace }}/{{ appName }}/{{ claimName }} + printf "\e[1;32m%-6s\e[m\n" "[05/10] Snapshot {{ claimName }} ..." && kopia snap create /data/{{ namespace }}/{{ appName }}/{{ claimName }} + printf "\e[1;32m%-6s\e[m\n" "[06/10] Unfreeze {{ claimName }} ..." && fsfreeze -u /data/{{ namespace }}/{{ appName }}/{{ claimName }} + printf "\e[1;32m%-6s\e[m\n" "[07/10] List snapshots ..." && kopia snap list /data/{{ namespace }}/{{ appName }}/{{ claimName }} + printf "\e[1;32m%-6s\e[m\n" "[08/10] Show stats ..." && kopia content stats + printf "\e[1;32m%-6s\e[m\n" "[09/10] Show maintenance info ..." && kopia maintenance info + printf "\e[1;32m%-6s\e[m\n" "[10/10] Disconnect from repo ..." && kopia repo disconnect + volumeMounts: + - name: data + mountPath: "/data/{{ namespace }}/{{ appName }}/{{ claimName }}" + - name: snapshots + mountPath: /snapshots + securityContext: + privileged: true + volumes: + - name: data + persistentVolumeClaim: + claimName: "{{ claimName }}" + - name: snapshots + nfs: + server: "expanse.${SECRET_PRIVATE_DOMAIN}" + path: /eros/Apps/Kopia + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - topologyKey: kubernetes.io/hostname + labelSelector: + matchExpressions: "{{ nodeAffinity.ignored && [] || nodeAffinity.labels }}" diff --git a/cluster/apps/kube-tools/kyverno/policies/kustomization.yaml b/cluster/apps/kube-tools/kyverno/policies/kustomization.yaml index bab5ead7f..2fa2de20c 100644 --- a/cluster/apps/kube-tools/kyverno/policies/kustomization.yaml +++ b/cluster/apps/kube-tools/kyverno/policies/kustomization.yaml @@ -2,9 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - apply-ingress-auth-annotations.yaml - - apply-ingress-external-dns-annotations.yaml - - apply-ingress-whitelist-annotations.yaml - - delete-cpu-limits.yaml - - snapshot-cronjob-controller.yaml - - sync-postgres-secrets.yaml + - helm-release.yaml diff --git a/cluster/apps/kube-tools/kyverno/policies/snapshot-cronjob-controller.yaml b/cluster/apps/kube-tools/kyverno/policies/snapshot-cronjob-controller.yaml deleted file mode 100644 index 53ed4ed0d..000000000 --- a/cluster/apps/kube-tools/kyverno/policies/snapshot-cronjob-controller.yaml +++ /dev/null @@ -1,137 +0,0 @@ ---- -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: snapshot-cronjob-controller - annotations: - policies.kyverno.io/title: Snapshot CronJob controller - policies.kyverno.io/subject: PersistentVolumeClaim - policies.kyverno.io/description: | - This policy creates a Kopia snapshot CronJob for labeled PersistentVolumeClaims - - The following labels on PVCs with their respective labels are required for this to run: - - snapshot.home.arpa/enabled - - app.kubernetes.io/name - - app.kubernetes.io/instance - - An optional label of "snapshot.home.arpa/ignoreAffinity" may be set on the PVC - if the pod is guaranteed to not run during the time of this jobs execution -spec: - generateExistingOnPolicyUpdate: true - mutateExistingOnPolicyUpdate: true - rules: - - name: create-snapshot-cronjob - match: - any: - - resources: - kinds: - - PersistentVolumeClaim - selector: - matchLabels: - snapshot.home.arpa/enabled: "true" - app.kubernetes.io/name: "*" - app.kubernetes.io/instance: "*" - context: - - name: appName - variable: - jmesPath: "request.object.metadata.labels.\"app.kubernetes.io/name\"" - - name: claimName - variable: - jmesPath: "request.object.metadata.name" - - name: namespace - variable: - jmesPath: "request.object.metadata.namespace" - - name: nodeAffinity - variable: - value: - ignored: "{{ (request.object.metadata.labels.\"snapshot.home.arpa/ignoreAffinity\" || 'false') == 'false' }}" - labels: - - key: app.kubernetes.io/name - operator: "In" - values: - - "{{ request.object.metadata.labels.\"app.kubernetes.io/name\" }}" - - key: app.kubernetes.io/instance - operator: "In" - values: - - "{{ request.object.metadata.labels.\"app.kubernetes.io/instance\" }}" - generate: - synchronize: true - apiVersion: batch/v1 - kind: CronJob - name: "{{ appName }}-{{ claimName }}-snapshot" - namespace: "{{ request.object.metadata.namespace }}" - data: - metadata: - labels: - app.kubernetes.io/name: "{{ request.object.metadata.labels.\"app.kubernetes.io/name\" }}" - app.kubernetes.io/instance: "{{ request.object.metadata.labels.\"app.kubernetes.io/instance\" }}" - ownerReferences: - - apiVersion: "{{ request.object.apiVersion }}" - kind: "{{ request.object.kind }}" - name: "{{ request.object.metadata.name }}" - uid: "{{ request.object.metadata.uid }}" - spec: - schedule: "0 3 * * *" - suspend: false - concurrencyPolicy: Forbid - successfulJobsHistoryLimit: 1 - failedJobsHistoryLimit: 2 - jobTemplate: - spec: - # Keep at least one job in completed state in accordance to the schedule - ttlSecondsAfterFinished: 86400 - template: - spec: - automountServiceAccountToken: false - restartPolicy: OnFailure - # Stagger jobs to run randomly within X seconds to avoid bringing down all apps at once - initContainers: - - name: wait - image: ghcr.io/onedr0p/kopia:0.12.1@sha256:e333295b519ce586e7c050c970b2255d87bdb2979298ff87ebdb1113e381ba3b - command: ["/scripts/sleep.sh"] - args: ["1", "900"] - containers: - - name: snapshot - image: ghcr.io/onedr0p/kopia:0.12.1@sha256:e333295b519ce586e7c050c970b2255d87bdb2979298ff87ebdb1113e381ba3b - env: - - name: KOPIA_CACHE_DIRECTORY - value: /snapshots/{{ namespace }}/{{ appName }}/{{ claimName }}/cache - - name: KOPIA_LOG_DIR - value: /snapshots/{{ namespace }}/{{ appName }}/{{ claimName }}/logs - - name: KOPIA_PASSWORD - value: "none" - command: - - /bin/bash - - -c - - |- - printf "\e[1;32m%-6s\e[m\n" "[01/10] Create repo ..." && [[ ! -f /snapshots/kopia.repository.f ]] && kopia repository create filesystem --path=/snapshots - printf "\e[1;32m%-6s\e[m\n" "[02/10] Connect to repo ..." && kopia repo connect filesystem --path=/snapshots --override-hostname=cluster --override-username=root - printf "\e[1;32m%-6s\e[m\n" "[03/10] Set policies ..." && kopia policy set /data/{{ namespace }}/{{ appName }}/{{ claimName }} --compression=zstd --keep-latest 14 --keep-hourly 0 --keep-daily 7 --keep-weekly 2 --keep-monthly 0 --keep-annual 0 - printf "\e[1;32m%-6s\e[m\n" "[04/10] Freeze {{ claimName }} ..." && fsfreeze -f /data/{{ namespace }}/{{ appName }}/{{ claimName }} - printf "\e[1;32m%-6s\e[m\n" "[05/10] Snapshot {{ claimName }} ..." && kopia snap create /data/{{ namespace }}/{{ appName }}/{{ claimName }} - printf "\e[1;32m%-6s\e[m\n" "[06/10] Unfreeze {{ claimName }} ..." && fsfreeze -u /data/{{ namespace }}/{{ appName }}/{{ claimName }} - printf "\e[1;32m%-6s\e[m\n" "[07/10] List snapshots ..." && kopia snap list /data/{{ namespace }}/{{ appName }}/{{ claimName }} - printf "\e[1;32m%-6s\e[m\n" "[08/10] Show stats ..." && kopia content stats - printf "\e[1;32m%-6s\e[m\n" "[09/10] Show maintenance info ..." && kopia maintenance info - printf "\e[1;32m%-6s\e[m\n" "[10/10] Disconnect from repo ..." && kopia repo disconnect - volumeMounts: - - name: data - mountPath: "/data/{{ namespace }}/{{ appName }}/{{ claimName }}" - - name: snapshots - mountPath: /snapshots - securityContext: - privileged: true - volumes: - - name: data - persistentVolumeClaim: - claimName: "{{ claimName }}" - - name: snapshots - nfs: - server: "expanse.${SECRET_PRIVATE_DOMAIN}" - path: /eros/Apps/Kopia - affinity: - podAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - topologyKey: kubernetes.io/hostname - labelSelector: - matchExpressions: "{{ nodeAffinity.ignored && [] || nodeAffinity.labels }}" diff --git a/cluster/apps/kube-tools/kyverno/policies/sync-postgres-secrets.yaml b/cluster/apps/kube-tools/kyverno/policies/sync-postgres-secrets.yaml deleted file mode 100644 index 5b209b27f..000000000 --- a/cluster/apps/kube-tools/kyverno/policies/sync-postgres-secrets.yaml +++ /dev/null @@ -1,33 +0,0 @@ ---- -apiVersion: kyverno.io/v1 -kind: ClusterPolicy -metadata: - name: sync-postgres-secrets - annotations: - policies.kyverno.io/title: Sync Postgres Secrets - policies.kyverno.io/subject: Secret - policies.kyverno.io/description: >- - This policy will copy a secret called `postgres-superuser` which - exists in the `database` namespace to new namespaces when they are - created. It will also push updates to the copied Secrets should the - source secret be changed. -spec: - mutateExistingOnPolicyUpdate: true - generateExistingOnPolicyUpdate: true - rules: - - name: sync-postgres-superuser-secret - match: - resources: - kinds: ["Namespace"] - exclude: - resources: - namespaces: ["default"] - generate: - apiVersion: v1 - kind: Secret - name: postgres-superuser - namespace: "{{request.object.metadata.name}}" - synchronize: true - clone: - namespace: default - name: postgres-superuser diff --git a/cluster/apps/kube-tools/kyverno/rbac.yaml b/cluster/apps/kube-tools/kyverno/rbac.yaml deleted file mode 100644 index 298701b56..000000000 --- a/cluster/apps/kube-tools/kyverno/rbac.yaml +++ /dev/null @@ -1,13 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: kyverno:admin -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: admin -subjects: - - kind: ServiceAccount - name: kyverno - namespace: kyverno diff --git a/cluster/charts/dysnix-charts.yaml b/cluster/charts/dysnix-charts.yaml new file mode 100644 index 000000000..e2530a010 --- /dev/null +++ b/cluster/charts/dysnix-charts.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: dysnix-charts + namespace: flux-system +spec: + interval: 1h + url: https://dysnix.github.io/charts diff --git a/cluster/charts/kustomization.yaml b/cluster/charts/kustomization.yaml index 85d83c0df..fe832832b 100644 --- a/cluster/charts/kustomization.yaml +++ b/cluster/charts/kustomization.yaml @@ -7,6 +7,7 @@ resources: - cert-manager-webhook-ovh.yaml - cloudnative-pg-charts.yaml - descheduler-charts.yaml + - dysnix-charts.yaml - emxq-charts.yaml - external-dns-charts.yaml - fairwinds-charts.yaml