diff --git a/.gitignore b/.gitignore index e700b27e9..b8d5a3892 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,4 @@ ### SOPS ### -.decrypted~*.yaml \ No newline at end of file +.decrypted~*.yaml +### KUBECONFIG ### +provision diff --git a/README.md b/README.md index 8f17be7f0..2f3112267 100644 --- a/README.md +++ b/README.md @@ -23,23 +23,16 @@ ## Bootstrap Flux ```bash -flux bootstrap github \ - --version=latest \ - --owner=auricom \ - --repository=home-ops \ - --path=cluster/base \ - --personal \ - --network-policy=false +kubectl apply -k cluster/bootstrap/ ``` ## SOPS secret from age key ```bash -age-keygen -o $HOME/sops/age/keys.txt -cat $HOME/sops/age/keys.txt | +cat ~/.config/sops/age/keys.txt | kubectl create secret generic sops-age \ ---namespace=flux-system \ ---from-file=$HOME/sops/age/keys.txt=/dev/stdin + --namespace=flux-system \ + --from-file=age.agekey=/dev/stdin ``` ## Encrypt kubernetes resources with sops binary diff --git a/ansible/inventory/group_vars/all/k3s.yml b/ansible/inventory/group_vars/all/k3s.yml index 99a19c180..5a1dda687 100644 --- a/ansible/inventory/group_vars/all/k3s.yml +++ b/ansible/inventory/group_vars/all/k3s.yml @@ -34,7 +34,7 @@ k3s_server_manifests_templates: # -- /var/lib/rancher/k3s/server/manifests k3s_server_manifests_urls: - - url: https://docs.projectcalico.org/archive/v3.23/manifests/tigera-operator.yaml + - url: https://docs.projectcalico.org/archive/v3.24/manifests/tigera-operator.yaml filename: tigera-operator.yaml # -- /etc/rancher/k3s/registries.yaml diff --git a/ansible/inventory/group_vars/worker/k3s.yml b/ansible/inventory/group_vars/worker/k3s.yml index 3d4ae6d80..9b300015d 100644 --- a/ansible/inventory/group_vars/worker/k3s.yml +++ b/ansible/inventory/group_vars/worker/k3s.yml @@ -17,4 +17,3 @@ k3s_agent: - "max-pods=150" node-label: - "upgrade.cattle.io/plan=k3s-agent" - - "node-role.kubernetes.io/worker=true" 
diff --git a/cluster/apps/authentication/authelia/helm-release.yaml b/cluster/apps/authentication/authelia/helm-release.yaml index 47da049aa..cf76cda98 100644 --- a/cluster/apps/authentication/authelia/helm-release.yaml +++ b/cluster/apps/authentication/authelia/helm-release.yaml @@ -24,7 +24,7 @@ spec: dependsOn: - name: glauth namespace: default - - name: postgres + - name: postgres-cluster namespace: default - name: redis namespace: default diff --git a/cluster/apps/databases/postgres/cluster/helm-release.yaml b/cluster/apps/databases/postgres/cluster/helm-release.yaml index 09246bbcb..fd9eed4fd 100644 --- a/cluster/apps/databases/postgres/cluster/helm-release.yaml +++ b/cluster/apps/databases/postgres/cluster/helm-release.yaml @@ -53,7 +53,7 @@ spec: maxParallel: 8 destinationPath: s3://postgresql/ endpointURL: https://truenas.${SECRET_DOMAIN}:9000 - serverName: postgres + serverName: postgres-v2 s3Credentials: accessKeyId: name: postgres-minio @@ -61,3 +61,20 @@ spec: secretAccessKey: name: postgres-minio key: MINIO_SECRET_KEY + bootstrap: + recovery: + source: postgres + externalClusters: + - name: postgres + barmanObjectStore: + destinationPath: s3://postgresql/ + endpointURL: https://truenas.${SECRET_DOMAIN}:9000 + s3Credentials: + accessKeyId: + name: postgres-minio + key: MINIO_ACCESS_KEY + secretAccessKey: + name: postgres-minio + key: MINIO_SECRET_KEY + wal: + maxParallel: 8 diff --git a/cluster/apps/databases/postgres/external-backup/helm-release.yaml b/cluster/apps/databases/postgres/external-backup/helm-release.yaml index e312fa0c4..bb7f77d2b 100644 --- a/cluster/apps/databases/postgres/external-backup/helm-release.yaml +++ b/cluster/apps/databases/postgres/external-backup/helm-release.yaml @@ -22,7 +22,7 @@ spec: remediation: retries: 5 dependsOn: - - name: postgres + - name: postgres-cluster namespace: default values: resources: 
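Review bot: `serverName: postgres-v2` and the new `externalClusters[0].name: postgres` both write to `s3://postgresql/` on the same endpoint, and nothing in the file says the two names must differ; someone repeating this restore later could align them and have the new cluster's base backups and WAL overwrite the archive it is recovering from. Suggest `# must differ from externalClusters[].name: source and target share s3://postgresql/` above `serverName`. As far as I know `bootstrap.recovery` is only honoured when the Cluster is first created, so leaving the stanza in place afterwards is harmless, but a comment saying it records provenance rather than an ongoing restore would help the next reader. The enclosing `backup`/`barmanObjectStore` block starts above the hunk.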
diff --git a/cluster/apps/databases/postgres/helm-release.yaml b/cluster/apps/databases/postgres/helm-release.yaml index 722884be6..a335c8967 100644 --- a/cluster/apps/databases/postgres/helm-release.yaml +++ b/cluster/apps/databases/postgres/helm-release.yaml @@ -23,7 +23,7 @@ spec: retries: 5 values: crds: - create: false + create: true config: data: INHERITED_ANNOTATIONS: kyverno.io/ignore diff --git a/cluster/apps/development/gitea/helm-release.yaml b/cluster/apps/development/gitea/helm-release.yaml index 8e7918831..a077058e3 100644 --- a/cluster/apps/development/gitea/helm-release.yaml +++ b/cluster/apps/development/gitea/helm-release.yaml @@ -21,6 +21,9 @@ spec: upgrade: remediation: retries: 5 + dependsOn: + - name: postgres-cluster + namespace: default values: image: repository: gitea/gitea diff --git a/cluster/apps/development/gitea/kustomization.yaml b/cluster/apps/development/gitea/kustomization.yaml index 65df7f6a3..6d2fd934e 100644 --- a/cluster/apps/development/gitea/kustomization.yaml +++ b/cluster/apps/development/gitea/kustomization.yaml @@ -5,3 +5,5 @@ resources: - volume.yaml - helm-release.yaml - external-backup +patchesStrategicMerge: + - patches/postgres.yaml diff --git a/cluster/apps/development/gitea/patches/postgres.yaml b/cluster/apps/development/gitea/patches/postgres.yaml new file mode 100644 index 000000000..1da970980 --- /dev/null +++ b/cluster/apps/development/gitea/patches/postgres.yaml 
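Review bot: `crds.create: true` turns the CloudNativePG CRDs into templated resources owned by this Helm release, so uninstalling the release (or Flux garbage-collecting the HelmRelease) removes the CRDs and with them every `Cluster` object they define; the Flux `Kustomization` with `prune: false` that previously applied them (`cluster/crds/cloudnative-pg`, deleted in this commit) did not have that failure mode. The same switch is made with `installCRDs: true` in `cluster/apps/networking/cert-manager/helm-release.yaml` and `crds.enabled: true` in `cluster/core/rook-ceph/operator/helm-release.yaml`. Worth confirming whether each chart annotates its CRDs with `helm.sh/resource-policy: keep`, and recording the decision above the key, e.g. `# CRDs are Helm-managed: removing this release deletes them and all dependent custom resources`.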
@@ -0,0 +1,31 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: gitea + namespace: default +spec: + values: + initContainers: + init-db: + image: ghcr.io/onedr0p/postgres-initdb:14.5 + env: + - name: POSTGRES_HOST + value: postgres-rw.default.svc.cluster.local. + - name: POSTGRES_DB + value: gitea + - name: POSTGRES_SUPER_PASS + valueFrom: + secretKeyRef: + name: postgres-superuser + key: password + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + name: gitea-config + key: dbUser + - name: POSTGRES_PASS + valueFrom: + secretKeyRef: + name: gitea-config + key: dbPassword diff --git a/cluster/apps/development/readme.md b/cluster/apps/development/readme.md index b7a4dc1f7..fad181c09 100644 --- a/cluster/apps/development/readme.md +++ b/cluster/apps/development/readme.md @@ -21,13 +21,13 @@ } ``` -2. Create the outline user and password +2. Create the gitea user and password ```sh mc admin user add minio gitea ``` -3. Create the outline bucket +3. Create the gitea bucket ```sh mc mb minio/gitea diff --git a/cluster/apps/home-automation/home-assistant/helm-release.yaml b/cluster/apps/home-automation/home-assistant/helm-release.yaml index 7de0c531c..1c4c0ba92 100644 --- a/cluster/apps/home-automation/home-assistant/helm-release.yaml +++ b/cluster/apps/home-automation/home-assistant/helm-release.yaml @@ -24,7 +24,7 @@ spec: dependsOn: - name: emqx namespace: default - - name: postgres + - name: postgres-cluster namespace: default values: image: diff --git a/cluster/apps/kube-tools/goldilocks/helm-release.yaml b/cluster/apps/kube-tools/goldilocks/helm-release.yaml index fe89aff56..113a219d8 100644 --- a/cluster/apps/kube-tools/goldilocks/helm-release.yaml +++ b/cluster/apps/kube-tools/goldilocks/helm-release.yaml @@ -25,10 +25,10 @@ spec: controller: resources: requests: - cpu: 126m + cpu: 200m memory: 105M limits: - cpu: 126m + cpu: 300m memory: 105M dashboard: replicaCount: 1 
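Review bot: The `init-db` initContainer in the new gitea patch is given the Postgres superuser password (`POSTGRES_SUPER_PASS` from secret `postgres-superuser`) alongside the application's own credentials, so the gitea pod spec, and any identity able to read Secrets or exec into pods in `default`, now carries database-admin access to the shared cluster. Creating the `gitea` role and database needs only `CREATEROLE`/`CREATEDB` on a dedicated bootstrap role; if the initdb image requires a superuser (I cannot tell from here), a comment stating that, e.g. `# initdb needs superuser to create role+db; secret is scoped to this namespace only`, would make the trade-off visible. `image: ghcr.io/onedr0p/postgres-initdb:14.5` is pinned by tag only; a digest pin would make the bootstrap step reproducible.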
diff --git a/cluster/apps/kube-tools/node-feature-discovery/helm-release.yaml b/cluster/apps/kube-tools/node-feature-discovery/helm-release.yaml index 076d3e0b7..9241ab5f0 100644 --- a/cluster/apps/kube-tools/node-feature-discovery/helm-release.yaml +++ b/cluster/apps/kube-tools/node-feature-discovery/helm-release.yaml @@ -27,8 +27,6 @@ spec: worker: annotations: configmap.reloader.stakater.com/reload: node-feature-discovery-worker-conf - nodeSelector: - node-role.kubernetes.io/worker: "true" config: core: sources: diff --git a/cluster/apps/media-servers/lychee/helm-release.yaml b/cluster/apps/media-servers/lychee/helm-release.yaml index 6ebf9b281..00a456442 100644 --- a/cluster/apps/media-servers/lychee/helm-release.yaml +++ b/cluster/apps/media-servers/lychee/helm-release.yaml @@ -22,7 +22,7 @@ spec: remediation: retries: 5 dependsOn: - - name: postgres + - name: postgres-cluster namespace: default - name: redis namespace: default diff --git a/cluster/apps/monitoring/healthchecks/helm-release.yaml b/cluster/apps/monitoring/healthchecks/helm-release.yaml index 9cfe71ed0..7304b19a6 100644 --- a/cluster/apps/monitoring/healthchecks/helm-release.yaml +++ b/cluster/apps/monitoring/healthchecks/helm-release.yaml @@ -22,7 +22,7 @@ spec: remediation: retries: 5 dependsOn: - - name: postgres + - name: postgres-cluster namespace: default values: image: diff --git a/cluster/apps/networking/cert-manager/helm-release.yaml b/cluster/apps/networking/cert-manager/helm-release.yaml index 7e5f3627a..7e5cb2c56 100644 --- a/cluster/apps/networking/cert-manager/helm-release.yaml +++ b/cluster/apps/networking/cert-manager/helm-release.yaml @@ -17,11 +17,10 @@ spec: interval: 15m install: createNamespace: true - crds: CreateReplace remediation: retries: 3 values: - installCRDs: false + installCRDs: true webhook: enabled: true extraArgs: 
diff --git a/cluster/apps/networking/cert-manager/issuers/helm-release.yaml b/cluster/apps/networking/cert-manager/issuers/helm-release.yaml index 672b3ef38..76e89a7e6 100644 --- a/cluster/apps/networking/cert-manager/issuers/helm-release.yaml +++ b/cluster/apps/networking/cert-manager/issuers/helm-release.yaml @@ -3,7 +3,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: name: cert-manager-issuers - namespace: cert-manager + namespace: default spec: interval: 15m chart: diff --git a/cluster/apps/networking/cert-manager/kustomization.yaml b/cluster/apps/networking/cert-manager/kustomization.yaml index eafa59a09..7d874accb 100644 --- a/cluster/apps/networking/cert-manager/kustomization.yaml +++ b/cluster/apps/networking/cert-manager/kustomization.yaml @@ -2,8 +2,10 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - namespace.yaml - secret.sops.yaml - helm-release.yaml + - rbac.yaml - webhook-ovh + - issuers + - certificates - prometheus-rule.yaml diff --git a/cluster/apps/networking/cert-manager/namespace.yaml b/cluster/apps/networking/cert-manager/namespace.yaml deleted file mode 100644 index 977c578a1..000000000 --- a/cluster/apps/networking/cert-manager/namespace.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager - labels: - kustomize.toolkit.fluxcd.io/prune: disabled - goldilocks.fairwinds.com/enabled: "true" diff --git a/cluster/apps/networking/cert-manager/rbac.yaml b/cluster/apps/networking/cert-manager/rbac.yaml new file mode 100644 index 000000000..2c011349f --- /dev/null +++ b/cluster/apps/networking/cert-manager/rbac.yaml 
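Review bot: Moving `cert-manager-issuers` to `namespace: default` and deleting `namespace.yaml` for `cert-manager` indicates the controller itself now runs in the shared `default` namespace (the `rbac.yaml` subject `ServiceAccount cert-manager` in `default` points the same way); cert-manager's controller ClusterRoles, as shipped by the chart, include cluster-wide Secret write, so any RBAC grant or pod with Secret read in `default` now also reaches its issuer keys and SA token. A dedicated namespace is the usual isolation boundary for a component with that reach. The deleted Namespace also carried `kustomize.toolkit.fluxcd.io/prune: disabled` and the goldilocks label, neither of which is carried over. If the consolidation is intentional, a comment on the HelmRelease explaining why `default` was chosen would help.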
@@ -0,0 +1,25 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cert-manager:ovh-dns-challenge + namespace: default +rules: + - apiGroups: ["${SECRET_DOMAIN}"] + resources: ["ovh"] + verbs: ["get", "watch", "list", "create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cert-manager:ovh-dns-challenge + namespace: default +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cert-manager:ovh-dns-challenge +subjects: + - apiGroup: "" + kind: ServiceAccount + name: cert-manager + namespace: default diff --git a/cluster/apps/storage/k10/kustomization.yaml b/cluster/apps/storage/k10/kustomization.yaml index a156ba350..136d50ba8 100644 --- a/cluster/apps/storage/k10/kustomization.yaml +++ b/cluster/apps/storage/k10/kustomization.yaml @@ -3,4 +3,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - monitoring - - profiles diff --git a/cluster/apps/storage/k10/profiles/k10-disaster-discovery.yaml b/cluster/apps/storage/k10/profiles/k10-disaster-discovery.yaml deleted file mode 100644 index 310c91c81..000000000 --- a/cluster/apps/storage/k10/profiles/k10-disaster-discovery.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -kind: Profile -apiVersion: config.kio.kasten.io/v1alpha1 -metadata: - name: k10-disaster-recovery - namespace: kasten-io -spec: - locationSpec: - type: FileStore - fileStore: - claimName: nfs-backups-kubernetes - path: k10-disaster-recovery - credential: - secretType: "" - secret: - apiVersion: "" - kind: "" - name: "" - namespace: "" - type: Location diff --git a/cluster/apps/storage/k10/profiles/kustomization.yaml b/cluster/apps/storage/k10/profiles/kustomization.yaml deleted file mode 100644 index f72a80be7..000000000 --- a/cluster/apps/storage/k10/profiles/kustomization.yaml +++ /dev/null 
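Review bot: `metadata.namespace: default` on the `ClusterRole` and `ClusterRoleBinding` in `rbac.yaml` has no effect — both kinds are cluster-scoped and the field is ignored — so it only suggests a scope that does not exist; drop those two lines. The `create` verb on `ovh` in `${SECRET_DOMAIN}` is granted cluster-wide to the `cert-manager` ServiceAccount, which is what a DNS-01 webhook solver needs as far as I know, but a comment above `rules` naming `webhook-ovh` and why `create` is required would make the grant auditable. Note also that `${SECRET_DOMAIN}` only resolves through Flux `postBuild` substitution; a bare `kubectl apply -k` of this directory would likely create a rule for a literal `${SECRET_DOMAIN}` API group.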
@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - volumes.yaml
- - k10-disaster-discovery.yaml
- - pvc-export.yaml
diff --git a/cluster/apps/storage/k10/profiles/pvc-export.yaml b/cluster/apps/storage/k10/profiles/pvc-export.yaml
deleted file mode 100644
index 714c175d9..000000000
--- a/cluster/apps/storage/k10/profiles/pvc-export.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-kind: Profile
-apiVersion: config.kio.kasten.io/v1alpha1
-metadata:
- name: pvc-export
- namespace: kasten-io
-spec:
- locationSpec:
- type: FileStore
- fileStore:
- claimName: nfs-backups-kubernetes
- path: pvc-export
- credential:
- secretType: ""
- secret:
- apiVersion: ""
- kind: ""
- name: ""
- namespace: ""
- type: Location
diff --git a/cluster/apps/storage/k10/profiles/volumes.yaml b/cluster/apps/storage/k10/profiles/volumes.yaml
deleted file mode 100644
index 8c48f783a..000000000
--- a/cluster/apps/storage/k10/profiles/volumes.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-kind: StorageClass
-apiVersion: storage.k8s.io/v1
-metadata:
- name: nfs-backups-kubernetes
-provisioner: nfs
-reclaimPolicy: Retain
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- name: nfs-backups-kubernetes
-spec:
- storageClassName: nfs-backups-kubernetes
- capacity:
- storage: 1Mi
- accessModes:
- - ReadWriteMany
- persistentVolumeReclaimPolicy: Retain
- nfs:
- server: "${LOCAL_LAN_TRUENAS}"
- path: /mnt/storage/backups/kubernetes
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: nfs-backups-kubernetes
- namespace: kasten-io
-spec:
- accessModes:
- - ReadWriteMany
- storageClassName: nfs-backups-kubernetes
- resources:
- requests:
- storage: 1Mi
diff --git a/cluster/apps/web-tools/homer-code/helm-release.yaml b/cluster/apps/web-tools/homer-code/helm-release.yaml
index 4dced86e9..21b9af4c5 100644
--- a/cluster/apps/web-tools/homer-code/helm-release.yaml
+++ b/cluster/apps/web-tools/homer-code/helm-release.yaml
@@ -72,10 +72,10 @@ spec: matchExpressions: - key: app.kubernetes.io/name operator: In - values: ["home-assistant"] + values: ["homer"] - key: app.kubernetes.io/instance operator: In - values: ["home-assistant"] + values: ["homer"] topologyKey: kubernetes.io/hostname resources: requests: diff --git a/cluster/apps/web-tools/invidious/helm-release.yaml b/cluster/apps/web-tools/invidious/helm-release.yaml index 1e7cc6471..10ea311a0 100644 --- a/cluster/apps/web-tools/invidious/helm-release.yaml +++ b/cluster/apps/web-tools/invidious/helm-release.yaml @@ -22,7 +22,7 @@ spec: remediation: retries: 5 dependsOn: - - name: postgres + - name: postgres-cluster namespace: default values: image: diff --git a/cluster/apps/web-tools/joplin/helm-release.yaml b/cluster/apps/web-tools/joplin/helm-release.yaml index 3e23dff41..7206bd43e 100644 --- a/cluster/apps/web-tools/joplin/helm-release.yaml +++ b/cluster/apps/web-tools/joplin/helm-release.yaml @@ -22,7 +22,7 @@ spec: remediation: retries: 5 dependsOn: - - name: postgres + - name: postgres-cluster namespace: default values: global: diff --git a/cluster/apps/web-tools/libreddit/helm-release.yaml b/cluster/apps/web-tools/libreddit/helm-release.yaml index 255f6b8e3..5c1b2bb6f 100644 --- a/cluster/apps/web-tools/libreddit/helm-release.yaml +++ b/cluster/apps/web-tools/libreddit/helm-release.yaml @@ -22,7 +22,7 @@ spec: remediation: retries: 5 dependsOn: - - name: postgres + - name: postgres-cluster namespace: default values: image: diff --git a/cluster/apps/web-tools/nitter/helm-release.yaml b/cluster/apps/web-tools/nitter/helm-release.yaml index 2d88b421e..31f5ea1e4 100644 --- a/cluster/apps/web-tools/nitter/helm-release.yaml +++ b/cluster/apps/web-tools/nitter/helm-release.yaml @@ -22,7 +22,7 @@ spec: remediation: retries: 5 dependsOn: - - name: postgres + - name: postgres-cluster namespace: default values: image: 
diff --git a/cluster/apps/web-tools/sharry/helm-release.yaml b/cluster/apps/web-tools/sharry/helm-release.yaml index 8c8332bf7..435a7cfa9 100644 --- a/cluster/apps/web-tools/sharry/helm-release.yaml +++ b/cluster/apps/web-tools/sharry/helm-release.yaml @@ -22,7 +22,7 @@ spec: remediation: retries: 5 dependsOn: - - name: postgres + - name: postgres-cluster namespace: default values: controller: diff --git a/cluster/apps/web-tools/tandoor/helm-release.yaml b/cluster/apps/web-tools/tandoor/helm-release.yaml index 7f31a0a69..a8a4fea64 100644 --- a/cluster/apps/web-tools/tandoor/helm-release.yaml +++ b/cluster/apps/web-tools/tandoor/helm-release.yaml @@ -22,7 +22,7 @@ spec: remediation: retries: 5 dependsOn: - - name: postgres + - name: postgres-cluster namespace: default values: image: diff --git a/cluster/apps/web-tools/vaultwarden/helm-release.yaml b/cluster/apps/web-tools/vaultwarden/helm-release.yaml index 73ac00aa6..59d328f02 100644 --- a/cluster/apps/web-tools/vaultwarden/helm-release.yaml +++ b/cluster/apps/web-tools/vaultwarden/helm-release.yaml @@ -22,7 +22,7 @@ spec: remediation: retries: 5 dependsOn: - - name: postgres + - name: postgres-cluster namespace: default values: image: diff --git a/cluster/apps/web-tools/vikunja/helm-release.yaml b/cluster/apps/web-tools/vikunja/helm-release.yaml index 6773a5b33..f07b92009 100644 --- a/cluster/apps/web-tools/vikunja/helm-release.yaml +++ b/cluster/apps/web-tools/vikunja/helm-release.yaml @@ -22,7 +22,7 @@ spec: remediation: retries: 5 dependsOn: - - name: postgres + - name: postgres-cluster namespace: default values: controller: diff --git a/cluster/apps/web-tools/wallabag/helm-release.yaml b/cluster/apps/web-tools/wallabag/helm-release.yaml index af4f0aec8..dda30cc53 100644 --- a/cluster/apps/web-tools/wallabag/helm-release.yaml +++ b/cluster/apps/web-tools/wallabag/helm-release.yaml 
@@ -22,7 +22,7 @@ spec: remediation: retries: 5 dependsOn: - - name: postgres + - name: postgres-cluster namespace: default - name: redis namespace: default diff --git a/cluster/bootstrap/kustomization.yaml b/cluster/bootstrap/kustomization.yaml new file mode 100644 index 000000000..b80c354ea --- /dev/null +++ b/cluster/bootstrap/kustomization.yaml @@ -0,0 +1,16 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - github.com/fluxcd/flux2/manifests/install?ref=v0.36.0 +patches: + - target: + group: networking.k8s.io + version: v1 + kind: NetworkPolicy + patch: |- + $patch: delete + apiVersion: networking.k8s.io/v1 + kind: NetworkPolicy + metadata: + name: all diff --git a/cluster/core/k10/helm-release.yaml b/cluster/core/k10/helm-release.yaml index 1e0f1d7e5..dff3731bf 100644 --- a/cluster/core/k10/helm-release.yaml +++ b/cluster/core/k10/helm-release.yaml @@ -25,6 +25,9 @@ spec: crds: CreateReplace remediation: retries: 3 + dependsOn: + - name: rook-ceph-cluster + namespace: rook-ceph values: eula: accept: true diff --git a/cluster/core/k10/kustomization.yaml b/cluster/core/k10/kustomization.yaml index 1b2b2dc29..4443e4517 100644 --- a/cluster/core/k10/kustomization.yaml +++ b/cluster/core/k10/kustomization.yaml @@ -3,4 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - namespace.yaml + - secret.sops.yaml - helm-release.yaml + - profiles diff --git a/cluster/core/k10/profiles/helm-release.yaml b/cluster/core/k10/profiles/helm-release.yaml new file mode 100644 index 000000000..ab3e1536e --- /dev/null +++ b/cluster/core/k10/profiles/helm-release.yaml 
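Review bot: The `$patch: delete` in `cluster/bootstrap/kustomization.yaml` selects every `networking.k8s.io/v1 NetworkPolicy` in the Flux install manifests (the `metadata.name: all` appears to be a placeholder that kustomize overrides per target), so, as far as I recall the upstream manifests, the `allow-egress`/`allow-scraping`/`allow-webhooks` policies that default-deny ingress to the flux-system controllers are dropped. That mirrors the `--network-policy=false` of the old README bootstrap, but here it is an uncommented stanza; please add `# Remove Flux's default NetworkPolicies: <reason>` above `patches`, or reconsider keeping them now that Calico (tigera-operator in the ansible group_vars) can enforce them. The same placeholder rename appears in `cluster/flux/flux-system/flux-installation.yaml`. Unlike that file, the bootstrap `?ref=v0.36.0` has no `# renovate:` annotation, so the two pins will drift on the next Flux bump.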
@@ -0,0 +1,98 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: &app kasten-k10-profiles
+ namespace: &namespace kasten-io
+spec:
+ interval: 15m
+ chart:
+ spec:
+ chart: raw
+ version: v0.3.1
+ sourceRef:
+ kind: HelmRepository
+ name: dysnix-charts
+ namespace: flux-system
+ install:
+ createNamespace: true
+ remediation:
+ retries: 5
+ upgrade:
+ remediation:
+ retries: 5
+ dependsOn:
+ - name: k10
+ namespace: *namespace
+ values:
+ resources:
+ - apiVersion: config.kio.kasten.io/v1alpha1
+ kind: Profile
+ metadata:
+ name: k10-disaster-recovery
+ namespace: *namespace
+ spec:
+ locationSpec:
+ type: FileStore
+ fileStore:
+ claimName: nfs-backups-kubernetes
+ path: k10-disaster-recovery
+ credential:
+ secretType: ""
+ secret:
+ apiVersion: ""
+ kind: ""
+ name: ""
+ namespace: ""
+ type: Location
+ - apiVersion: config.kio.kasten.io/v1alpha1
+ kind: Profile
+ metadata:
+ name: pvc-export
+ namespace: *namespace
+ spec:
+ locationSpec:
+ type: FileStore
+ fileStore:
+ claimName: nfs-backups-kubernetes
+ path: pvc-export
+ credential:
+ secretType: ""
+ secret:
+ apiVersion: ""
+ kind: ""
+ name: ""
+ namespace: ""
+ type: Location
+ - apiVersion: storage.k8s.io/v1
+ kind: StorageClass
+ metadata:
+ name: nfs-backups-kubernetes
+ provisioner: nfs
+ reclaimPolicy: Retain
+ - apiVersion: v1
+ kind: PersistentVolume
+ metadata:
+ name: nfs-backups-kubernetes
+ spec:
+ storageClassName: nfs-backups-kubernetes
+ capacity:
+ storage: 1Mi
+ accessModes:
+ - ReadWriteMany
+ persistentVolumeReclaimPolicy: Retain
+ nfs:
+ server: "${LOCAL_LAN_TRUENAS}"
+ path: /mnt/storage/backups/kubernetes
+ - apiVersion: v1
+ kind: PersistentVolumeClaim
+ metadata:
+ name: nfs-backups-kubernetes
+ namespace: *namespace
+ spec:
+ accessModes:
+ - ReadWriteMany
+ storageClassName: nfs-backups-kubernetes
+ resources:
+ requests:
+ storage: 1Mi
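Review bot: The `&app` anchor on `metadata.name` is never aliased anywhere in this file (only `*namespace` is), so it is dead syntax that hints at a reuse that does not exist; either drop `&app` or use it. The raw-chart resources otherwise reproduce the deleted `cluster/apps/storage/k10/profiles` files verbatim, including the `credential` block of empty strings on both Profiles; a comment such as `# FileStore location: no credential used, fields presumably required by the Profile schema` would record the intent for the next reader.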
diff --git a/cluster/crds/cloudnative-pg/kustomization.yaml b/cluster/core/k10/profiles/kustomization.yaml similarity index 78% rename from cluster/crds/cloudnative-pg/kustomization.yaml rename to cluster/core/k10/profiles/kustomization.yaml index 7d6dc05e9..2fa2de20c 100644 --- a/cluster/crds/cloudnative-pg/kustomization.yaml +++ b/cluster/core/k10/profiles/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - crds.yaml + - helm-release.yaml diff --git a/cluster/core/k10/secret.sops.yaml b/cluster/core/k10/secret.sops.yaml new file mode 100644 index 000000000..f6f0d0fa8 --- /dev/null +++ b/cluster/core/k10/secret.sops.yaml @@ -0,0 +1,29 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: k10-dr-secret + namespace: kasten-io +type: Opaque +data: + key: ENC[AES256_GCM,data:IvEWafKCr3S6bwf1plG7FC3jRZM=,iv:KiWWGBKdx06ZDFuuvIhIOc6q15aaspgAt7E9qh9RmKk=,tag:e6GaVyeG+CDzTHD4OS0/4A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWU5YTlFY3FPQWhnZ2I2 + akxnZ2xIRVNFZTdOWmg0dFhxTUNoZEFIM1cwCit5WnduNlQ1MkF2aytCVldMeVlC + Yk5QNWRQRllOT3ZTL3VGcjJNK1VqeUkKLS0tIFMyWHNFd29nc2tMektxclJkK0pT + Ny9OQ0l4ZXMrdW40NmRsbzgvZ0w5V3cKqTGvN5zk2TPgtxoVfwI7Wsz4N+lC9+Kq + DCXTgTU/QXm9dvo4ErPPzeWFqdk4JchExhvSJV2JfM32O+3z+EGhNg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-10-26T13:59:32Z" + mac: ENC[AES256_GCM,data:jnRPyEky1h4b3ZkLhx+rIPkb9aSOUnaAc1YoHniTJjGAvmLZ7cyEwWzcSd+Okz6LPMWYSIwzxoeawhV5aSPnGVbgPZpVxHUyEolDyeqTUi/IJHyF1800Yaq9N2Q4GCma/xyRu7tO7u0rcrWiMQM9jQ5yFEWCKwWxbNKyUipqvuE=,iv:/x0fryns2Ubx+2LStBnducT1i+RmOah9HM/K0EdU7H8=,tag:ot9l5331qzvmlsEdftqNpw==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 
diff --git a/cluster/core/kustomization.yaml b/cluster/core/kustomization.yaml index f1a01c6ae..7814af03e 100644 --- a/cluster/core/kustomization.yaml +++ b/cluster/core/kustomization.yaml @@ -4,4 +4,3 @@ resources: - flux-system - k10 - rook-ceph - - storageclasses.yaml diff --git a/cluster/core/rook-ceph/cluster/helm-release.yaml b/cluster/core/rook-ceph/cluster/helm-release.yaml index 68367b744..76d82bd17 100644 --- a/cluster/core/rook-ceph/cluster/helm-release.yaml +++ b/cluster/core/rook-ceph/cluster/helm-release.yaml @@ -82,12 +82,6 @@ spec: memory: "512Mi" limits: memory: "6Gi" - prepareosd: - requests: - cpu: "250m" - memory: "50Mi" - limits: - memory: "200Mi" mgr-sidecar: requests: cpu: "50m" diff --git a/cluster/core/rook-ceph/operator/helm-release.yaml b/cluster/core/rook-ceph/operator/helm-release.yaml index d0b023fd4..368717ff8 100644 --- a/cluster/core/rook-ceph/operator/helm-release.yaml +++ b/cluster/core/rook-ceph/operator/helm-release.yaml @@ -16,7 +16,7 @@ spec: namespace: flux-system values: crds: - enabled: false + enabled: true pspEnable: false monitoring: enabled: true diff --git a/cluster/core/storageclasses.yaml b/cluster/core/storageclasses.yaml deleted file mode 100644 index 96e23d1ec..000000000 --- a/cluster/core/storageclasses.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -kind: StorageClass -apiVersion: storage.k8s.io/v1 -metadata: - name: local -provisioner: Local -reclaimPolicy: Retain diff --git a/cluster/crds/cert-manager/kustomization.yaml b/cluster/crds/cert-manager/kustomization.yaml deleted file mode 100644 index 8ed292895..000000000 --- a/cluster/crds/cert-manager/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - # renovate: datasource=docker image=quay.io/jetstack/cert-manager-controller - - https://github.com/cert-manager/cert-manager/releases/download/v1.10.0/cert-manager.crds.yaml 
diff --git a/cluster/crds/cloudnative-pg/crds.yaml b/cluster/crds/cloudnative-pg/crds.yaml deleted file mode 100644 index 127774622..000000000 --- a/cluster/crds/cloudnative-pg/crds.yaml +++ /dev/null @@ -1,30 +0,0 @@ ---- -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: GitRepository -metadata: - name: cloudnative-pg-source - namespace: flux-system -spec: - interval: 12h - url: https://github.com/cloudnative-pg/cloudnative-pg.git - ref: - # renovate: datasource=github-releases depName=cloudnative-pg/cloudnative-pg - tag: "v1.17.1" - ignore: | - # exclude all - /* - # include crd directory - !/config/crd/bases ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: crds-cloudnative-pg - namespace: flux-system -spec: - interval: 30m - prune: false - wait: true - sourceRef: - kind: GitRepository - name: cloudnative-pg-source diff --git a/cluster/crds/kustomization.yaml b/cluster/crds/kustomization.yaml index 656ccf726..1d6bbe331 100644 --- a/cluster/crds/kustomization.yaml +++ b/cluster/crds/kustomization.yaml @@ -1,8 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - cert-manager - - cloudnative-pg - external-snapshotter - kube-prometheus-stack - - rook-ceph diff --git a/cluster/crds/rook-ceph/crds.yaml b/cluster/crds/rook-ceph/crds.yaml deleted file mode 100644 index db2202a63..000000000 --- a/cluster/crds/rook-ceph/crds.yaml +++ /dev/null 
@@ -1,30 +0,0 @@ ---- -apiVersion: source.toolkit.fluxcd.io/v1beta1 -kind: GitRepository -metadata: - name: rook-ceph-source - namespace: flux-system -spec: - interval: 30m - url: https://github.com/rook/rook.git - ref: - # renovate: registryUrl=https://charts.rook.io/release chart=rook-ceph - tag: v1.10.4 - ignore: | - # exclude all - /* - # path to crds - !/deploy/examples/crds.yaml ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: rook-ceph-crds - namespace: flux-system -spec: - interval: 15m - prune: false - wait: true - sourceRef: - kind: GitRepository - name: rook-ceph-source diff --git a/cluster/crds/rook-ceph/kustomization.yaml b/cluster/crds/rook-ceph/kustomization.yaml deleted file mode 100644 index 2ed3b3515..000000000 --- a/cluster/crds/rook-ceph/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - crds.yaml diff --git a/cluster/flux/flux-system/flux-cluster.yaml b/cluster/flux/flux-system/flux-cluster.yaml index 26c293045..aa5509322 100644 --- a/cluster/flux/flux-system/flux-cluster.yaml +++ b/cluster/flux/flux-system/flux-cluster.yaml @@ -5,7 +5,7 @@ metadata: name: flux-cluster namespace: flux-system spec: - interval: 10m + interval: 30m # https://github.com/k8s-at-home/template-cluster-k3s/issues/324 url: ssh://git@github.com/auricom/home-ops ref: @@ -19,7 +19,7 @@ metadata: name: flux-cluster namespace: flux-system spec: - interval: 10m + interval: 30m path: ./cluster/flux prune: true wait: false diff --git a/cluster/flux/flux-system/flux-installation.yaml b/cluster/flux/flux-system/flux-installation.yaml index ccb4c6ff0..c38bb4b40 100644 --- a/cluster/flux/flux-system/flux-installation.yaml +++ b/cluster/flux/flux-system/flux-installation.yaml 
@@ -5,7 +5,7 @@ metadata: name: flux-installation namespace: flux-system spec: - interval: 10m + interval: 30m ref: # renovate: datasource=github-releases depName=fluxcd/flux2 tag: "v0.36.0" @@ -22,7 +22,7 @@ metadata: name: flux-installation namespace: flux-system spec: - interval: 10m + interval: 30m path: ./manifests/install prune: true wait: true @@ -39,4 +39,4 @@ spec: apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: not-used + name: all diff --git a/cluster/flux/flux-system/flux-prereqs.yaml b/cluster/flux/flux-system/flux-prereqs.yaml new file mode 100644 index 000000000..1f263982a --- /dev/null +++ b/cluster/flux/flux-system/flux-prereqs.yaml 
@@ -0,0 +1,60 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: GitRepository
+metadata:
+ name: kube-prometheus-stack
+ namespace: flux-system
+spec:
+ interval: 12h
+ url: https://github.com/prometheus-community/helm-charts.git
+ ref:
+ # renovate: registryUrl=https://prometheus-community.github.io/helm-charts chart=kube-prometheus-stack
+ tag: kube-prometheus-stack-41.6.1
+ ignore: |
+ # exclude all
+ /*
+ # include crd directory
+ !/charts/kube-prometheus-stack/crds
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: kube-prometheus-stack-crds
+ namespace: flux-system
+spec:
+ interval: 30m
+ prune: false
+ wait: true
+ sourceRef:
+ kind: GitRepository
+ name: kube-prometheus-stack
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: GitRepository
+metadata:
+ name: kyverno
+ namespace: flux-system
+spec:
+ interval: 12h
+ url: https://github.com/kyverno/kyverno.git
+ ref:
+ # renovate: registryUrl=https://kyverno.github.io/kyverno chart=kyverno
+ tag: kyverno-chart-2.6.1
+ ignore: |
+ # exclude all
+ /*
+ # include crd directory
+ !/config/crds
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: kyverno-crds
+ namespace: flux-system
+spec:
+ interval: 30m
+ prune: false
+ wait: true
+ sourceRef:
+ kind: GitRepository
+ name: kyverno
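Review bot: Both `GitRepository` objects pin the CRD source with `ref.tag`, which upstream can move, and the paired `Kustomization`s apply those CRDs cluster-wide with `wait: true`, so a retargeted tag silently changes what lands in the cluster. `ref.commit` gives an immutable pin (renovate can still bump it), or `ref.semver` if floating within a range is the intent. The kube-prometheus-stack CRD tag also has to track the chart version used by the corresponding HelmRelease, which is not in this diff; a one-line `# keep in sync with the kube-prometheus-stack HelmRelease chart version` above `tag` would make that coupling explicit.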