feat: flux instance

This commit is contained in:
auricom
2025-04-03 16:37:50 +02:00
parent d0a14fc471
commit a33b7d9285
106 changed files with 754 additions and 808 deletions


@@ -0,0 +1,7 @@
---
nameReference:
- kind: ConfigMap
version: v1
fieldSpecs:
- path: spec/valuesFrom/name
kind: HelmRelease


@@ -0,0 +1,11 @@
---
crds:
enabled: true
enableCertificateOwnerRef: true
dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
dns01RecursiveNameserversOnly: true
prometheus:
enabled: true
servicemonitor:
enabled: true
prometheusInstance: observability


@@ -1,41 +1,40 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: cert-manager
spec:
interval: 5m
layerSelector:
mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
operation: copy
ref:
tag: v1.17.1
url: oci://ghcr.io/home-operations/charts-mirror/cert-manager
verify:
provider: cosign
matchOIDCIdentity:
- issuer: "^https://token.actions.githubusercontent.com$"
subject: "^https://github.com/home-operations/charts-mirror.*$"
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 30m
chart:
spec:
chart: cert-manager
version: v1.17.1
sourceRef:
kind: HelmRepository
name: jetstack
namespace: flux-system
maxHistory: 2
interval: 1h
chartRef:
kind: OCIRepository
name: cert-manager
install:
createNamespace: true
crds: CreateReplace
remediation:
retries: 3
retries: -1
upgrade:
cleanupOnFail: true
crds: CreateReplace
remediation:
retries: 3
uninstall:
keepHistory: false
values:
crds:
enabled: true
enableCertificateOwnerRef: true
dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
dns01RecursiveNameserversOnly: true
prometheus:
enabled: true
servicemonitor:
enabled: true
prometheusInstance: observability
valuesFrom:
- kind: ConfigMap
name: cert-manager-values
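Review bot: The cosign identity match on the new OCIRepository accepts any workflow on any ref of the charts-mirror repository, because the `subject` pattern ends in `.*$` and the unescaped dots in both `issuer` and `subject` match any character; the external-secrets and flux-instance OCIRepositories in this commit use the same shape. If the chart is signed by a known release workflow, pin it, e.g. `subject: "^https://github\\.com/home-operations/charts-mirror/\\.github/workflows/<RELEASE-WORKFLOW>\\.yaml@refs/heads/main$"` (placeholder workflow name), and escape the dots in the issuer pattern too. Separately, `install.remediation.retries: -1` retries a failing install forever, which can mask a chart that will never install; a one-line comment saying that is intentional would spare the next reader a search.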


@@ -4,14 +4,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cert-manager
resources:
- ./externalsecret.yaml
- ./clusterissuer.yaml
- ./helmrelease.yaml
- ./prometheusrule.yaml
# configMapGenerator:
# - name: cert-manager-dashboard
# files:
# - cert-manager-dashboard.json=https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/cert-manager/dashboards/cert-manager.json
# generatorOptions:
# disableNameSufs
# kustomize.toolkit.fluxcd.io/substitute: disabled
# labels:
# grafana_dashboard: "true"
configMapGenerator:
- name: cert-manager-values
files:
- values.yaml=./helm/values.yaml
configurations:
- ./helm/kustomizeconfig.yaml


@@ -10,42 +10,22 @@ spec:
commonMetadata:
labels:
app.kubernetes.io/name: *app
healthChecks:
- apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
name: *app
namespace: cert-manager
healthCheckExprs:
- apiVersion: cert-manager.io/v1
kind: ClusterIssuer
failed: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'False')
current: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True')
interval: 1h
path: ./kubernetes/apps/cert-manager/cert-manager/app
prune: true
retryInterval: 2m
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: false
interval: 30m
retryInterval: 1m
namespace: flux-system
timeout: 5m
postBuild:
substitute:
APP: *app
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app cert-manager-issuers
namespace: flux-system
spec:
targetNamespace: cert-manager
commonMetadata:
labels:
app.kubernetes.io/name: *app
dependsOn:
- name: cert-manager
- name: external-secrets-stores
path: ./kubernetes/apps/cert-manager/cert-manager/issuers
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app
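Review bot: With the `cert-manager-issuers` Kustomization removed and `./clusterissuer.yaml` / `./externalsecret.yaml` folded into the app path, the remaining Kustomization has no `dependsOn` on `external-secrets-stores` (the removed document had one), unless it sits above the hunk. The issuer presumably needs the ExternalSecret-provided credential, so on a fresh cluster the new `healthCheckExprs` on ClusterIssuer will hold this Kustomization not-ready until the store happens to come up, with nothing expressing the order; restore `dependsOn:` / `- name: external-secrets-stores` in the new document. The `spec:` block starts above the hunk.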


@@ -0,0 +1,7 @@
---
nameReference:
- kind: ConfigMap
version: v1
fieldSpecs:
- path: spec/valuesFrom/name
kind: HelmRelease


@@ -0,0 +1,21 @@
---
installCRDs: true
replicaCount: 1
leaderElect: true
image:
repository: ghcr.io/external-secrets/external-secrets
webhook:
image:
repository: ghcr.io/external-secrets/external-secrets
serviceMonitor:
enabled: true
interval: 1m
certController:
image:
repository: ghcr.io/external-secrets/external-secrets
serviceMonitor:
enabled: true
interval: 1m
serviceMonitor:
enabled: true
interval: 1m


@@ -0,0 +1,40 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: external-secrets
spec:
interval: 5m
layerSelector:
mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
operation: copy
ref:
tag: 0.15.1
url: oci://ghcr.io/external-secrets/charts/external-secrets
verify:
provider: cosign
matchOIDCIdentity:
- issuer: ^https://token.actions.githubusercontent.com$
subject: ^https://github.com/external-secrets/external-secrets.*$
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: external-secrets
spec:
interval: 1h
chartRef:
kind: OCIRepository
name: external-secrets
install:
remediation:
retries: -1
upgrade:
cleanupOnFail: true
remediation:
retries: 3
valuesFrom:
- kind: ConfigMap
name: external-secrets-values


@@ -5,3 +5,9 @@ kind: Kustomization
namespace: kube-system
resources:
- ./helmrelease.yaml
configMapGenerator:
- name: external-secrets-values
files:
- values.yaml=./helm/values.yaml
configurations:
- ./helm/kustomizeconfig.yaml
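Review bot: `namespace: kube-system` is kept while the rest of the commit moves external-secrets into its own namespace (the ClusterSecretStore's `namespace` becomes `external-secrets` and the Flux Kustomization sets `targetNamespace: external-secrets`); Flux's targetNamespace override makes it work, but a local `kustomize build` or any consumer without that override puts the HelmRelease and the generated `external-secrets-values` ConfigMap in kube-system. Change it to `namespace: external-secrets` so the file and the Flux Kustomization agree.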


@@ -0,0 +1,52 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app external-secrets
namespace: &namespace flux-system
spec:
commonMetadata:
labels:
app.kubernetes.io/name: *app
healthChecks:
- apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
name: *app
namespace: external-secrets
interval: 1h
path: ./kubernetes/apps/external-secrets/external-secrets/app
prune: true
retryInterval: 2m
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
namespace: *namespace
targetNamespace: external-secrets
timeout: 15m
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app external-secrets-stores
namespace: &namespace flux-system
spec:
commonMetadata:
labels:
app.kubernetes.io/name: *app
healthCheckExprs:
- apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
failed: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'False')
current: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True')
interval: 1h
path: ./kubernetes/apps/external-secrets/external-secrets/stores
prune: true
retryInterval: 2m
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
namespace: *namespace
targetNamespace: external-secrets
timeout: 15m
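Review bot: `external-secrets-stores` declares no `dependsOn` on `external-secrets`, although the ClusterSecretStore it applies, and the CRD its `healthCheckExprs` query, exist only after the HelmRelease from the first document has installed; on a fresh cluster the stores reconcile fails until then and relies on `retryInterval: 2m` to recover. Add `dependsOn:` / `- name: external-secrets` / `  namespace: *namespace` to the second document, mirroring how the flux-instance ks.yaml in this commit depends on flux-operator. Redefining `&app`/`&namespace` in both documents is fine since anchors reset at `---`.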


@@ -15,4 +15,4 @@ spec:
connectTokenSecretRef:
name: onepassword-connect-secret
key: token
namespace: kube-system
namespace: external-secrets


@@ -0,0 +1,7 @@
---
nameReference:
- kind: ConfigMap
version: v1
fieldSpecs:
- path: spec/valuesFrom/name
kind: HelmRelease


@@ -0,0 +1,111 @@
---
controllers:
onepassword-connect:
annotations:
reloader.stakater.com/auto: "true"
pod:
securityContext:
runAsUser: 999
runAsGroup: 999
containers:
app:
image:
# repository: docker.io/1password/connect-api
repository: ghcr.io/haraldkoch/onepassword-connect-api
tag: 1.7.3@sha256:257a6ca59b806fec2c9c6df0acaef633a39e600eefba0ba03396554c00e065c1
env:
OP_BUS_PORT: "11220"
OP_BUS_PEERS: localhost:11221
OP_HTTP_PORT: &port 8080
OP_SESSION:
valueFrom:
secretKeyRef:
name: onepassword-connect-secret
key: onepassword-credentials.json
probes:
liveness:
enabled: true
custom: true
spec:
httpGet:
path: /heartbeat
port: *port
initialDelaySeconds: 15
periodSeconds: 30
failureThreshold: 3
readiness:
enabled: true
custom: true
spec:
httpGet:
path: /health
port: *port
initialDelaySeconds: 15
startup:
enabled: false
resources:
requests:
cpu: 5m
memory: 10Mi
limits:
memory: 100Mi
sync:
# image: docker.io/1password/connect-sync:1.7.0
image:
repository: ghcr.io/haraldkoch/onepassword-sync
tag: 1.7.3@sha256:7e30af4d83e6884981b2d47e6cfe5cca056da20b182e4c4c6def9e8ac65c0982
env:
- { name: OP_HTTP_PORT, value: &sport 8081 }
- { name: OP_BUS_PORT, value: "11221" }
- { name: OP_BUS_PEERS, value: localhost:11220 }
- name: OP_SESSION
valueFrom:
secretKeyRef:
name: onepassword-connect-secret
key: onepassword-credentials.json
probes:
readiness:
enabled: true
custom: true
spec:
httpGet:
path: /health
port: *sport
initialDelaySeconds: 15
liveness:
enabled: true
custom: true
spec:
httpGet:
path: /heartbeat
port: *sport
failureThreshold: 3
periodSeconds: 30
initialDelaySeconds: 15
service:
app:
controller: onepassword-connect
ports:
http:
port: *port
# ingress:
# app:
# enabled: true
# className: internal
# annotations:
# hajimari.io/enable: "false"
# hosts:
# - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
# paths:
# - path: /
# service:
# identifier: app
# port: http
# tls:
# - hosts:
# - *host
persistence:
shared:
type: emptyDir
globalMounts:
- path: /home/opuser/.op/data
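Review bot: Neither the `app` nor the `sync` container sets a container-level `securityContext`; the pod level only sets `runAsUser`/`runAsGroup: 999`, so privilege escalation, the default capability set and a writable root filesystem are all left enabled for a workload that holds the 1Password credentials in `OP_SESSION`. The capacitor values deleted in this commit had the usual hardening and it should carry over here: add `runAsNonRoot: true` beside `runAsUser` and the block below to both containers (the only writable path visible is the `shared` emptyDir at `/home/opuser/.op/data` — confirm the images write nowhere else before enabling `readOnlyRootFilesystem`). The commented-out `ingress` block carried over from the old values is dead config and can go.
```yaml
      app:
        # … unchanged: image, env, probes, resources …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities: { drop: [ALL] }
      sync:
        # … unchanged: image, env, probes …
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities: { drop: [ALL] }
```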


@@ -0,0 +1,27 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: &app onepassword-connect
spec:
interval: 30m
chartRef:
kind: OCIRepository
name: app-template
namespace: flux-system
maxHistory: 2
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
uninstall:
keepHistory: false
valuesFrom:
- kind: ConfigMap
name: external-secrets-stores-values
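Review bot: The `&app` anchor on `name: &app onepassword-connect` is referenced nowhere in this file now that the values (including `service.app.controller`) live in the generated ConfigMap, so it is dead syntax; drop it to `name: onepassword-connect`. The `valuesFrom` name `external-secrets-stores-values` describes the directory rather than the release and only works while this is the sole HelmRelease in the stores directory; `onepassword-connect-values` (matched in the configMapGenerator) would read better and survive a second chart.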


@@ -6,3 +6,9 @@ resources:
- ./clustersecretstore.yaml
- ./helmrelease.yaml
- ./secret.sops.yaml
configMapGenerator:
- name: external-secrets-stores-values
files:
- values.yaml=./helm/values.yaml
configurations:
- ./helm/kustomizeconfig.yaml


@@ -2,7 +2,6 @@
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: external-secrets
resources:
- ./helmrelease.yaml
- ./rbac.yaml
- ../../../../templates/gatus/guarded
- ./external-secrets/ks.yaml


@@ -1,72 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app flux-monitoring
namespace: flux-system
spec:
targetNamespace: flux-system
commonMetadata:
labels:
app.kubernetes.io/name: *app
path: ./kubernetes/apps/flux-system/addons/monitoring
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app flux-notifications
namespace: flux-system
spec:
targetNamespace: flux-system
commonMetadata:
labels:
app.kubernetes.io/name: *app
path: ./kubernetes/apps/flux-system/addons/notifications
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app flux-webhooks
namespace: flux-system
spec:
targetNamespace: flux-system
commonMetadata:
labels:
app.kubernetes.io/name: *app
path: ./kubernetes/apps/flux-system/addons/webhooks
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app


@@ -1,8 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
resources:
- ./podmonitor.yaml
- ./prometheusrule.yaml


@@ -1,32 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/podmonitor_v1.json
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: flux-system
namespace: flux-system
labels:
app.kubernetes.io/part-of: flux
app.kubernetes.io/component: monitoring
spec:
namespaceSelector:
matchNames:
- flux-system
selector:
matchExpressions:
- key: app
operator: In
values:
- helm-controller
- source-controller
- kustomize-controller
- notification-controller
- image-automation-controller
- image-reflector-controller
podMetricsEndpoints:
- port: http-prom
relabelings:
# https://github.com/prometheus-operator/prometheus-operator/issues/4816
- sourceLabels: [__meta_kubernetes_pod_phase]
action: keep
regex: Running


@@ -1,19 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/scrapeconfig_v1alpha1.json
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: flux
namespace: flux-system
spec:
groups:
- name: flux.rules
rules:
- alert: FluxComponentAbsent
annotations:
summary: Flux component has disappeared from Prometheus target discovery.
expr: |
absent(up{job=~".*flux-system.*"} == 1)
for: 15m
labels:
severity: critical


@@ -1,20 +0,0 @@
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: github-token
namespace: flux-system
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: github-token-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
token: '{{ .GITHUB_NOTIFICATION_TOKEN }}'
dataFrom:
- extract:
key: flux


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./externalsecret.yaml
- ./notification.yaml


@@ -1,26 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Provider
metadata:
name: github
namespace: flux-system
spec:
type: github
address: https://github.com/auricom/home-ops
secretRef:
name: github-token-secret
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
name: github
namespace: flux-system
spec:
providerRef:
name: github
eventSeverity: info
eventSources:
- kind: Kustomization
name: "*"


@@ -1,6 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./github


@@ -1,8 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./externalsecret.yaml
- ./ingress.yaml
- ./receiver.yaml


@@ -0,0 +1,30 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
name: alertmanager
namespace: flux-system
spec:
providerRef:
name: alertmanager
eventSeverity: error
eventSources:
# - kind: FluxInstance
# name: "*"
- kind: GitRepository
name: "*"
- kind: HelmRelease
name: "*"
- kind: HelmRepository
name: "*"
- kind: Kustomization
name: "*"
- kind: OCIRepository
name: "*"
exclusionList:
- "error.*lookup github\\.com"
- "error.*lookup raw\\.githubusercontent\\.com"
- "dial.*tcp.*timeout"
- "waiting.*socket"
suspend: false
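Review bot: The commented-out `FluxInstance` event source carries no explanation, so a later reader cannot tell whether the notification-controller rejected it or it was simply deferred; replace the two comment lines with one that states the reason, e.g. `# FluxInstance is not listed as an eventSource here because <REASON> — revisit on the next Flux upgrade` (placeholder for the actual reason). The `exclusionList` entries are broad (`dial.*tcp.*timeout` suppresses every dial timeout, not only transient GitHub ones), so a short comment per pattern on what it is meant to silence would help when triaging an alert that never fired.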


@@ -0,0 +1,7 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./alert.yaml
- ./provider.yaml


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Provider
metadata:
name: alertmanager
namespace: flux-system
spec:
type: alertmanager
address: http://alertmanager-operated.observability.svc.cluster.local:9093/api/v2/alerts/


@@ -0,0 +1,13 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
name: github-status
namespace: flux-system
spec:
providerRef:
name: github-status
eventSources:
- kind: Kustomization
name: "*"


@@ -0,0 +1,19 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: github-status-token
namespace: flux-system
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword
target:
name: github-status-token-secret
template:
data:
token: "{{ .FLUX_GITHUB_TOKEN }}"
dataFrom:
- extract:
key: flux


@@ -0,0 +1,8 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./alert.yaml
- ./externalsecret.yaml
- ./provider.yaml


@@ -0,0 +1,12 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Provider
metadata:
name: github-status
namespace: flux-system
spec:
type: github
address: https://github.com/auricom/home-ops
secretRef:
name: github-status-token-secret


@@ -0,0 +1,7 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./alertmanager
- ./github-status


@@ -1,82 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: &app capacitor
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.7.3
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
uninstall:
keepHistory: false
values:
controllers:
capacitor:
strategy: RollingUpdate
containers:
app:
image:
repository: ghcr.io/gimlet-io/capacitor
tag: v0.4.8@sha256:c999a42cccc523b91086547f890466d09be4755bf05a52763b0d14594bf60782
resources:
requests:
cpu: 50m
memory: 100Mi
ephemeral-storage: 1Gi
limits:
memory: 200Mi
ephemeral-storage: 2Gi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities: {drop: [ALL]}
serviceAccount:
create: true
name: capacitor
service:
app:
controller: *app
ports:
http:
enabled: true
port: 9000
ingress:
app:
enabled: true
className: internal
annotations:
hajimari.io/icon: mdi:sync
gethomepage.dev/enabled: "true"
gethomepage.dev/name: Capacitor
gethomepage.dev/description: General purpose UI for FluxCD.
gethomepage.dev/group: Applications
gethomepage.dev/icon: capacitor.png
gethomepage.dev/pod-selector: >-
app in (
capacitor
)
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
paths:
- path: /
service:
identifier: app
port: http
tls:
- hosts:
- *host


@@ -1,55 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: capacitor
rules:
- apiGroups:
- networking.k8s.io
- apps
- ""
resources:
- pods
- pods/log
- ingresses
- deployments
- services
- secrets
- events
- configmaps
verbs:
- get
- watch
- list
- apiGroups:
- source.toolkit.fluxcd.io
- kustomize.toolkit.fluxcd.io
- helm.toolkit.fluxcd.io
- infra.contrib.fluxcd.io
resources:
- gitrepositories
- ocirepositories
- buckets
- helmrepositories
- helmcharts
- kustomizations
- helmreleases
- terraforms
verbs:
- get
- watch
- list
- patch # to allow force reconciling by adding an annotation
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: capacitor
subjects:
- kind: ServiceAccount
name: capacitor
namespace: flux-system
roleRef:
kind: ClusterRole
name: capacitor
apiGroup: rbac.authorization.k8s.io


@@ -1,24 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app capacitor
namespace: flux-system
spec:
targetNamespace: flux-system
commonMetadata:
labels:
app.kubernetes.io/name: *app
path: ./kubernetes/apps/flux-system/capacitor/app
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app


@@ -0,0 +1,47 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/gitrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: home-ops-kubernetes
namespace: flux-system
spec:
interval: 30m
# https://github.com/k8s-at-home/template-cluster-k3s/issues/324
url: ssh://git@github.com/auricom/home-ops
ref:
branch: main
secretRef:
name: github-deploy-key
ignore: |
# exclude all
/*
# include kubernetes directory
!/kubernetes
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: flux-cluster
namespace: flux-system
spec:
interval: 30m
path: ./kubernetes/flux
prune: true
wait: false
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
decryption:
provider: sops
secretRef:
name: sops-age
postBuild:
substituteFrom:
- kind: ConfigMap
name: cluster-settings
optional: false
- kind: Secret
name: cluster-secrets
optional: false
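Review bot: `flux-cluster` reconciles `./kubernetes/flux` from `home-ops-kubernetes`, and the FluxInstance `sync` added in this commit points the operator-managed `flux-system` Kustomization at `kubernetes/flux` of the same repository, so two Kustomizations with `prune: true` would, as far as I can tell, apply and claim ownership of the same objects on every reconcile. If `flux-cluster` is meant to stay, give the two distinct paths or drop the operator `sync`; if it is transitional, say so in a comment above `name: flux-cluster`. The two sources also differ in transport — this one authenticates with the `github-deploy-key` over SSH while the operator sync is anonymous HTTPS — which is worth a comment since it silently requires the repository to stay public.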


@@ -7,13 +7,12 @@ metadata:
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
name: onepassword
target:
name: github-webhook-token-secret
template:
engineVersion: v2
data:
token: "{{ .GITHUB_SYNC_WEBHOOK_TOKEN }}"
token: "{{ .FLUX_GITHUB_WEBHOOK_TOKEN }}"
dataFrom:
- extract:
key: flux


@@ -0,0 +1,7 @@
---
nameReference:
- kind: ConfigMap
version: v1
fieldSpecs:
- path: spec/valuesFrom/name
kind: HelmRelease


@@ -0,0 +1,104 @@
---
instance:
distribution:
# renovate: datasource=github-releases depName=controlplaneio-fluxcd/distribution
version: 2.5.1
cluster:
networkPolicy: false
components:
- source-controller
- kustomize-controller
- helm-controller
- notification-controller
sync:
kind: GitRepository
url: https://github.com/auricom/home-ops
ref: refs/heads/main
path: kubernetes/flux
interval: 1h
commonMetadata:
labels:
app.kubernetes.io/name: flux
kustomize:
patches:
- # Add Sops decryption to 'flux-system' Kustomization
patch: |
- op: add
path: /spec/decryption
value:
provider: sops
secretRef:
name: sops-age
target:
group: kustomize.toolkit.fluxcd.io
kind: Kustomization
- # Increase the number of workers
patch: |
- op: add
path: /spec/template/spec/containers/0/args/-
value: --concurrent=10
- op: add
path: /spec/template/spec/containers/0/args/-
value: --requeue-dependency=5s
target:
kind: Deployment
name: (kustomize-controller|helm-controller|source-controller)
- # Increase the memory limits
patch: |
apiVersion: apps/v1
kind: Deployment
metadata:
name: all
spec:
template:
spec:
containers:
- name: manager
resources:
limits:
memory: 2Gi
target:
kind: Deployment
name: (kustomize-controller|helm-controller|source-controller)
- # Enable in-memory kustomize builds
patch: |
- op: add
path: /spec/template/spec/containers/0/args/-
value: --concurrent=20
- op: replace
path: /spec/template/spec/volumes/0
value:
name: temp
emptyDir:
medium: Memory
target:
kind: Deployment
name: kustomize-controller
- # Enable Helm repositories caching
patch: |
- op: add
path: /spec/template/spec/containers/0/args/-
value: --helm-cache-max-size=10
- op: add
path: /spec/template/spec/containers/0/args/-
value: --helm-cache-ttl=60m
- op: add
path: /spec/template/spec/containers/0/args/-
value: --helm-cache-purge-interval=5m
target:
kind: Deployment
name: source-controller
- # Flux near OOM detection for Helm
patch: |
- op: add
path: /spec/template/spec/containers/0/args/-
value: --feature-gates=OOMWatch=true
- op: add
path: /spec/template/spec/containers/0/args/-
value: --oom-watch-memory-threshold=95
- op: add
path: /spec/template/spec/containers/0/args/-
value: --oom-watch-interval=500ms
target:
kind: Deployment
name: helm-controller
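Review bot: `cluster.networkPolicy: false` disables the default Flux network policies, which as I understand them are what keep the controllers' unauthenticated in-cluster endpoints (source-controller's artifact server among them) reachable only from inside flux-system; unless a CNI policy elsewhere enforces the same restriction, set `networkPolicy: true` or add a comment stating why it is off. Separately, the "Increase the number of workers" patch appends `--concurrent=10` to kustomize-controller and the "Enable in-memory kustomize builds" patch appends `--concurrent=20` to the same deployment, so the flag is passed twice and the effective value depends on argument order; narrow the first patch's target to `name: (helm-controller|source-controller)` so each controller receives it once.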


@@ -0,0 +1,40 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: flux-instance
spec:
interval: 5m
layerSelector:
mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
operation: copy
ref:
tag: 0.18.0
url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-instance
verify:
provider: cosign
matchOIDCIdentity:
- issuer: ^https://token.actions.githubusercontent.com$
subject: ^https://github.com/controlplaneio-fluxcd/charts.*$
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: flux-instance
spec:
interval: 1h
chartRef:
kind: OCIRepository
name: flux-instance
install:
remediation:
retries: -1
upgrade:
cleanupOnFail: true
remediation:
retries: 3
valuesFrom:
- kind: ConfigMap
name: flux-instance-values


@@ -0,0 +1,16 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./externalsecret.yaml
- ./helmrelease.yaml
- ./ingress.yaml
- ./prometheusrule.yaml
- ./receiver.yaml
configMapGenerator:
- name: flux-instance-values
files:
- values.yaml=./helm/values.yaml
configurations:
- ./helm/kustomizeconfig.yaml


@@ -0,0 +1,30 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/prometheusrule_v1.json
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: flux-instance-rules
namespace: flux-system
spec:
groups:
- name: flux-instance.rules
rules:
- alert: FluxInstanceAbsent
expr: |
absent(flux_instance_info{exported_namespace="flux-system", name="flux"})
for: 5m
annotations:
summary: >-
Flux instance metric is missing
labels:
severity: critical
- alert: FluxInstanceNotReady
expr: |
flux_instance_info{exported_namespace="flux-system", name="flux", ready!="True"}
for: 5m
annotations:
summary: >-
Flux instance {{ $labels.name }} is not ready
labels:
severity: critical
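Review bot: These rules only watch `flux_instance_info`, while the PodMonitor that scraped the controllers' `http-prom` port and the `FluxComponentAbsent` alert are deleted in this commit, so a controller that drops out of target discovery no longer pages unless the flux-instance chart or operator ships its own ServiceMonitor — worth confirming before the old rule goes. Both expressions also hard-code `name="flux"` and `exported_namespace="flux-system"`; if the FluxInstance name or the scrape label differ from what the chart produces, the absent-check is the only thing that fires. A comment above the first `expr` saying where those two label values come from would make the rule maintainable.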


@@ -1,26 +1,18 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/receiver_v1beta2.json
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/receiver_v1.json
apiVersion: notification.toolkit.fluxcd.io/v1
kind: Receiver
metadata:
name: home-ops-kubernetes
name: github-webhook
spec:
type: github
events:
- ping
- push
events: ["ping", "push"]
secretRef:
name: github-webhook-token-secret
resources:
- apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
name: home-ops-kubernetes
namespace: flux-system
name: flux-system
- apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
name: apps
namespace: flux-system
- apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
name: flux-cluster
namespace: flux-system
name: flux-system
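Review bot: The Receiver now only targets the `flux-system` GitRepository and Kustomization, yet every app Kustomization in this commit still uses `sourceRef: GitRepository home-ops-kubernetes` (cert-manager, external-secrets, flux-instance ks.yaml), so a push no longer triggers a fetch of that source and app changes wait for its 30m interval. Add it back under `resources`: `- apiVersion: source.toolkit.fluxcd.io/v1` / `kind: GitRepository` / `name: home-ops-kubernetes`. If the intent is to retire `home-ops-kubernetes` in favour of the operator-managed source, a comment here would make that transition visible.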


@@ -0,0 +1,32 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app flux-instance
namespace: &namespace flux-system
spec:
commonMetadata:
labels:
app.kubernetes.io/name: *app
dependsOn:
- name: flux-operator
namespace: *namespace
interval: 1h
path: ./kubernetes/apps/flux-system/flux-instance/app
prune: true
retryInterval: 2m
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
namespace: *namespace
targetNamespace: *namespace
timeout: 5m
postBuild:
substituteFrom:
- kind: ConfigMap
name: cluster-settings
optional: false
- kind: Secret
name: cluster-secrets
optional: false
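Review bot: Unlike the cert-manager and external-secrets Kustomizations in this commit, this one declares no `healthChecks` for the `flux-instance` HelmRelease, so a failed chart install or an unready FluxInstance leaves the Kustomization reporting Ready and nothing downstream can depend on it meaningfully. Mirror the block used in external-secrets/ks.yaml, as below; a `healthCheckExprs` entry on the FluxInstance Ready condition could be added later once the kind is confirmed to be watchable.
```yaml
spec:
  # … unchanged: commonMetadata, dependsOn …
  healthChecks:
    - apiVersion: helm.toolkit.fluxcd.io/v2
      kind: HelmRelease
      name: *app
      namespace: *namespace
  # … unchanged: interval, path, prune, retryInterval, sourceRef, targetNamespace, timeout, postBuild …
```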


@@ -5,9 +5,10 @@ kind: Kustomization
resources:
# Pre Flux-Kustomizations
- ./namespace.yaml
# Flux-Kustomizations
- ./addons/ks.yaml
- ./capacitor/ks.yaml
# Standard Resources
# - ./flux-instance/ks.yaml
- ./alerts
- ./cluster.yaml
- ./flux-instance/ks.yaml
- ./flux-operator/ks.yaml
- ./repositories
- ./vars


@@ -0,0 +1,11 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: actions-runner-controller
namespace: flux-system
spec:
type: oci
interval: 5m
url: oci://ghcr.io/actions/actions-runner-controller-charts


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: aqua
namespace: flux-system
spec:
interval: 2h
url: https://aquasecurity.github.io/helm-charts/


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: backube
namespace: flux-system
spec:
interval: 2h
url: https://backube.github.io/helm-charts/


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: bjw-s
namespace: flux-system
spec:
interval: 2h
url: https://bjw-s.github.io/helm-charts/


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: cert-manager-webhook-ovh
namespace: flux-system
spec:
interval: 2h
url: https://aureq.github.io/cert-manager-webhook-ovh/


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: cilium
namespace: flux-system
spec:
interval: 2h
url: https://helm.cilium.io


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: cloudnative-pg
namespace: flux-system
spec:
interval: 2h
url: https://cloudnative-pg.github.io/charts


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: coredns
namespace: flux-system
spec:
interval: 1h
url: https://coredns.github.io/helm


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: crowdsec
namespace: flux-system
spec:
interval: 2h
url: https://crowdsecurity.github.io/helm-charts


@@ -0,0 +1,12 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: crunchydata
namespace: flux-system
spec:
type: oci
interval: 30m
url: oci://registry.developers.crunchydata.com/crunchydata
timeout: 3m


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: descheduler
namespace: flux-system
spec:
interval: 2h
url: https://kubernetes-sigs.github.io/descheduler


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: dysnix
namespace: flux-system
spec:
interval: 2h
url: https://dysnix.github.io/charts


@@ -0,0 +1,11 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: emqx
namespace: flux-system
spec:
interval: 2h
url: https://repos.emqx.io/charts
timeout: 3m


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: external-dns
namespace: flux-system
spec:
interval: 2h
url: https://kubernetes-sigs.github.io/external-dns


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: external-secrets
namespace: flux-system
spec:
interval: 2h
url: https://charts.external-secrets.io


@@ -0,0 +1,11 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: gitea
namespace: flux-system
spec:
interval: 2h
url: https://dl.gitea.io/charts
timeout: 3m


@@ -0,0 +1,11 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: grafana
namespace: flux-system
spec:
interval: 2h
url: https://grafana.github.io/helm-charts
timeout: 3m


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: hajimari
namespace: flux-system
spec:
interval: 2h
url: https://hajimari.io


@@ -0,0 +1,11 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: ingress-nginx
namespace: flux-system
spec:
interval: 2h
url: https://kubernetes.github.io/ingress-nginx
timeout: 3m


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: intel
namespace: flux-system
spec:
interval: 2h
url: https://intel.github.io/helm-charts


@@ -0,0 +1,11 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: jetstack
namespace: flux-system
spec:
interval: 2h
url: https://charts.jetstack.io/
timeout: 3m


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: k8s-gateway
namespace: flux-system
spec:
interval: 2h
url: https://ori-edge.github.io/k8s_gateway


@@ -0,0 +1,40 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./actions-runner-controller.yaml
- ./aqua.yaml
- ./backube.yaml
- ./bjw-s.yaml
- ./cert-manager-webhook-ovh.yaml
- ./cilium.yaml
- ./cloudnative-pg.yaml
- ./coredns.yaml
- ./crunchydata.yaml
- ./crowdsec.yaml
- ./descheduler.yaml
- ./dysnix.yaml
- ./emxq.yaml
- ./external-dns.yaml
- ./external-secrets.yaml
- ./gitea.yaml
- ./grafana.yaml
- ./hajimari.yaml
- ./ingress-nginx.yaml
- ./intel.yaml
- ./jetstack.yaml
- ./k8s-gateway.yaml
- ./kyverno.yaml
- ./metrics-server.yaml
- ./node-feature-discovery.yaml
- ./openebs.yaml
- ./piraeus.yaml
- ./postfinance.yaml
- ./prometheus-community.yaml
- ./rook-ceph.yaml
- ./spegel.yaml
- ./stakater.yaml
- ./stevehipwell.yaml
- ./vector.yaml
- ./windmill.yaml
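Review bot: `./emxq.yaml` at the emqx position looks like a transposition: the HelmRepository added in this commit is named `emqx`, and kustomize fails the build if no file by the listed name exists. Change the entry to `- ./emqx.yaml`, assuming that is the filename used for the emqx HelmRepository. The list is otherwise alphabetical except `./crunchydata.yaml` before `./crowdsec.yaml`; swapping those keeps the order mechanical.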


@@ -0,0 +1,11 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: kyverno
namespace: flux-system
spec:
type: oci
interval: 5m
url: oci://ghcr.io/kyverno/charts


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: metrics-server
namespace: flux-system
spec:
interval: 2h
url: https://kubernetes-sigs.github.io/metrics-server


@@ -0,0 +1,11 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: node-feature-discovery
namespace: flux-system
spec:
interval: 2h
url: https://kubernetes-sigs.github.io/node-feature-discovery/charts
timeout: 3m


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: openebs
namespace: flux-system
spec:
interval: 2h
url: https://openebs.github.io/openebs
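Review bot: The `yaml-language-server` schema comment points at `helmrepository_v1beta2.json` while `apiVersion` is `source.toolkit.fluxcd.io/v1`; the windmill source added in this commit has the same mismatch. Every other HelmRepository in the commit uses the v1 schema, so change the comment to `# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json` in both files so editor validation checks the API version actually declared.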


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: piraeus
namespace: flux-system
spec:
interval: 2h
url: https://piraeus.io/helm-charts/


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: postfinance
namespace: flux-system
spec:
interval: 2h
url: https://postfinance.github.io/kubelet-csr-approver


@@ -0,0 +1,11 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: prometheus-community
namespace: flux-system
spec:
interval: 2h
url: https://prometheus-community.github.io/helm-charts
timeout: 3m


@@ -0,0 +1,11 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: rook-ceph
namespace: flux-system
spec:
interval: 2h
url: https://charts.rook.io/release
timeout: 3m


@@ -0,0 +1,11 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: spegel
namespace: flux-system
spec:
type: oci
interval: 2h
url: oci://ghcr.io/spegel-org/helm-charts


@@ -0,0 +1,11 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: stakater
namespace: flux-system
spec:
interval: 2h
url: https://stakater.github.io/stakater-charts
timeout: 3m


@@ -0,0 +1,11 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: stevehipwell
namespace: flux-system
spec:
type: oci
interval: 5m
url: oci://ghcr.io/stevehipwell/helm-charts


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: vector
namespace: flux-system
spec:
interval: 2h
url: https://helm.vector.dev


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: windmill
namespace: flux-system
spec:
interval: 2h
url: https://windmill-labs.github.io/windmill-helm-charts/


@@ -3,4 +3,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./github
- ./helm
- ./oci


@@ -0,0 +1,17 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: app-template
namespace: flux-system
spec:
interval: 1h
layerSelector:
mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
operation: copy
ref:
tag: 3.7.3
url: oci://ghcr.io/bjw-s/helm/app-template
verify:
provider: cosign
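Review bot: `verify.provider: cosign` without `matchOIDCIdentity` accepts any keyless signature on the artifact, so the check proves only that some Sigstore-signed identity produced it, not that it was the chart publisher. Add `matchOIDCIdentity` with `issuer` and `subject` regexes pinning the publisher's CI signing identity for the bjw-s helm-charts workflow, taking the exact subject from the publisher's signing workflow rather than guessing it. `ref.tag: 3.7.3` can also be complemented with `ref.digest` so a re-pushed tag cannot change what is deployed.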


@@ -0,0 +1,6 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./app-template.yaml


@@ -0,0 +1,39 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.26.1-standalone-strict/secret-v1.json
apiVersion: v1
kind: Secret
metadata:
name: cluster-secrets
namespace: flux-system
stringData:
SECRET_CLUSTER_CERTIFICATE_DEFAULT: ENC[AES256_GCM,data:8HotHVJva77fd9S+j2BB,iv:fqCDD0NuK9ySCsGGT3G4QsfViM2L9oPp9ZLgwXf0tLI=,tag:rX1quD8RTjvzV75fmwmC6w==,type:str]
SECRET_CLUSTER_DOMAIN_EMAIL: ENC[AES256_GCM,data:j1yBajAlXKQeDuvbV2IyJp8IT3wA,iv:pxPgYZEZ6pvcr6trM1gkL5MZORewARaiVfwRTyWxny0=,tag:y31EGp46NgF/Pf3hQ2Iavw==,type:str]
SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:nS0cVHEiuEk1w43AjcWNjGVecEr8RZr4iXsMCO9152bn2wWc,iv:jDz8AP6eCF5+CASt3ogR8vzAO5VkbZQ3pY2+AFmz15U=,tag:DVKZ3xSZLrW9pQIx0HJRCQ==,type:str]
SECRET_DOMAIN: ENC[AES256_GCM,data:UtdBDs6+azVHO7Y=,iv:ZnWrBW+vW6HiMs1PbgY2LjcwUwuUh1HxYjqvOXvCrDk=,tag:r6uDIJhVoTIcizIfRW+lHw==,type:str]
SECRET_EXTERNAL_DOMAIN: ENC[AES256_GCM,data:Brd9H7gizPxew+4=,iv:YaIxv9TFF0mAks9gJXwXA1N7b8k5mcSJ6hs9lpaUV/M=,tag:8xdRoWun3IUVywagpsrsBw==,type:str]
SECRET_INTERNAL_DOMAIN: ENC[AES256_GCM,data:WLuQAi9JsUsD5Q==,iv:Zc+5/rQONxepZFVC/ia01aBdlVyG99thOeIipeAVS3E=,tag:FwwjDKoUMfZ/taFPRRThOQ==,type:str]
SECRET_CROWDSEC_NGINX_BOUNCER_API_KEY: ENC[AES256_GCM,data:ecukkFOK40WWIxJ48sXrxJUBaHx2BnzqxkIT+cXYZg4=,iv:y6AfslVPufBfrIL3GQqTw0cDAan64mB9J7RY9OzKQqw=,tag:+V4Rgz26wey2UtA32S0PJQ==,type:str]
SECRET_KOMF_MAL_CLIENT_ID: ENC[AES256_GCM,data:HuKHFrICgCj6nbcbix8u7qGeggFmmKht7Elk9dINZtE=,iv:c3mqFdFkIO9dctZ3ooPh4ajOZaY0ZudEeNWbG+lryPI=,tag:jWG2+pgkAf/XUgJyUvdrNg==,type:str]
SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_USER_KEY: ENC[AES256_GCM,data:X1J9WLT26soYzlDb8+YtPotGw8p0lJKMuNkn69WX,iv:mW2cJOq5gfzSE+U24IuvPVL+dL2nZcTFpPAkG77Ohus=,tag:kxokidtuE5RAGJlj4Q4P2A==,type:str]
SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_TOKEN: ENC[AES256_GCM,data:Bwvuy/jHIRduy/r1A8dOs0OE8ewdjCgs8g/br1oW,iv:PdnPH9I509MT6UJkUG1zLAGn9aV4AVrROgAVCD4a3Y0=,tag:59kBGx9qx3jeauokyoolQQ==,type:str]
SECRET_KUBE_PROMETHEUS_STACK_GRAFANA_ADMIN_PASSWORD: ENC[AES256_GCM,data:L7LS6+tuwPCyb5HN4zg=,iv:JM2KTtDN/VrKicjp5qwqusWiJKHRZnfTtsZE2hkLq6Q=,tag:XGF3L5P6JxVBrlGuKosdZA==,type:str]
type: Opaque
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVkZXb3RYbEZ5eTVSbmFE
R1QxMmw0ZzkvT0NIa01URTAvQ0xWa2tZKzNvCnl0UDQ1MGV6dEtuVEd2S0NhcThS
MGZ1VWNXMmxHSi90eFBGbXE2V0hwamcKLS0tIEp3a2ZTeTNyaXBhSW5nSU0yN1hu
WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm
pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-01-03T20:27:58Z"
mac: ENC[AES256_GCM,data:QgFNCP1l74XISc2/6byMOzk4brz0SkbfjLxgoLRaBx08BHULaJRHiNqRRyhaKF5ZjxsOxVYiFpHrWgfu/mi/InwA6nBttwNSM/+bzKabRC6vdgrLIIXxJKGKu7BlmtILF4uZRqKqcOIK+nrZS8YWdlOY0Vyzunh4kMQoyIvugRk=,iv:0HYH18NEag1KqIXwoiMPHkFiW1jaQkK1LJ5XhENPalw=,tag:RO8oMhTRBLOzf31DgV38CQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.9.3
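Review bot: The SOPS metadata lists a single `age` recipient, so decrypting `cluster-secrets` depends on one key with no fallback; adding a second recipient (a recovery key kept offline) before more secrets land here avoids lock-out if that key is lost and turns rotation into a planned re-encrypt. The file also omits the leading `---` that every other manifest in this commit carries; add it for consistency. This one Secret bundles unrelated credentials (Grafana admin password, Pushover tokens, the CrowdSec bouncer key), so anything allowed to read or substitute from it gets all of them — if it is consumed through Flux `postBuild.substituteFrom`, consider moving app-specific values into per-app secrets.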


@@ -0,0 +1,34 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
namespace: flux-system
name: cluster-settings
data:
CILIUM_BGP_SVC_RANGE: 192.168.169.0/24
CILIUM_POD_CIDR: 10.69.0.0/16
CLUSTER_LB_K8SGATEWAY: 192.168.169.100
CLUSTER_LB_SMTP_RELAY: 192.168.169.102
CLUSTER_LB_UNIFI: 192.168.169.103
CLUSTER_LB_GITEA: 192.168.169.104
CLUSTER_LB_QBITTORRENT: 192.168.169.105
CLUSTER_LB_RESILIOSYNC_CLAUDE: 192.168.169.106
CLUSTER_LB_HASS: 192.168.169.107
CLUSTER_LB_VECTOR: 192.168.169.108
CLUSTER_LB_EMQX: 192.168.169.109
CLUSTER_LB_JELLYFIN: 192.168.169.110
CLUSTER_LB_RESILIOSYNC_HELENE: 192.168.169.111
CLUSTER_LB_MAILRISE: 192.168.169.112
CLUSTER_LB_REDIS: 192.168.169.113
CLUSTER_LB_FRIGATE: 192.168.169.114
CLUSTER_LB_CILIUM: 192.168.169.115
CLUSTER_LB_LMS: 192.168.169.116
CLUSTER_LB_TDARR: 192.168.169.117
CLUSTER_LB_POSTGRES: 192.168.169.118
CLUSTER_LB_NGINX_INTERNAL: 192.168.169.119
CLUSTER_LB_NGINX_EXTERNAL: 192.168.169.120
LOCAL_LAN: 192.168.8.0/22
LOCAL_LAN_OPNSENSE: 192.168.8.1
LOCAL_LAN_TRUENAS: 192.168.9.10
LOCAL_LAN_TRUENAS_REMOTE: 10.10.0.2
TIMEZONE: Europe/Paris


@@ -3,5 +3,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./externalsecret.yaml
- ./helmrelease.yaml
- ./cluster-secrets.sops.yaml
- ./cluster-settings.yaml


@@ -1,41 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: external-secrets
namespace: kube-system
spec:
interval: 30m
chart:
spec:
chart: external-secrets
version: 0.15.0
sourceRef:
kind: HelmRepository
name: external-secrets
namespace: flux-system
maxHistory: 2
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
values:
installCRDs: true
serviceMonitor:
enabled: true
interval: 1m
webhook:
serviceMonitor:
enabled: true
interval: 1m
certController:
serviceMonitor:
enabled: true
interval: 1m


@@ -1,50 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app external-secrets
namespace: flux-system
spec:
targetNamespace: kube-system
commonMetadata:
labels:
app.kubernetes.io/name: *app
path: ./kubernetes/apps/kube-system/external-secrets/app
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: external-secrets-stores
namespace: flux-system
spec:
targetNamespace: kube-system
commonMetadata:
labels:
app.kubernetes.io/name: &app external-secrets
dependsOn:
- name: external-secrets
path: ./kubernetes/apps/kube-system/external-secrets/stores
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app


@@ -1,139 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: &app onepassword-connect
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.7.3
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 2
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
uninstall:
keepHistory: false
values:
controllers:
onepassword-connect:
annotations:
reloader.stakater.com/auto: "true"
pod:
securityContext:
runAsUser: 999
runAsGroup: 999
containers:
app:
image:
# repository: docker.io/1password/connect-api
repository: ghcr.io/haraldkoch/onepassword-connect-api
tag: 1.7.3@sha256:257a6ca59b806fec2c9c6df0acaef633a39e600eefba0ba03396554c00e065c1
env:
OP_BUS_PORT: "11220"
OP_BUS_PEERS: localhost:11221
OP_HTTP_PORT: &port 8080
OP_SESSION:
valueFrom:
secretKeyRef:
name: onepassword-connect-secret
key: onepassword-credentials.json
probes:
liveness:
enabled: true
custom: true
spec:
httpGet:
path: /heartbeat
port: *port
initialDelaySeconds: 15
periodSeconds: 30
failureThreshold: 3
readiness:
enabled: true
custom: true
spec:
httpGet:
path: /health
port: *port
initialDelaySeconds: 15
startup:
enabled: false
resources:
requests:
cpu: 5m
memory: 10Mi
limits:
memory: 100Mi
sync:
# image: docker.io/1password/connect-sync:1.7.0
image:
repository: ghcr.io/haraldkoch/onepassword-sync
tag: 1.7.3@sha256:7e30af4d83e6884981b2d47e6cfe5cca056da20b182e4c4c6def9e8ac65c0982
env:
- { name: OP_HTTP_PORT, value: &sport 8081 }
- { name: OP_BUS_PORT, value: "11221" }
- { name: OP_BUS_PEERS, value: localhost:11220 }
- name: OP_SESSION
valueFrom:
secretKeyRef:
name: onepassword-connect-secret
key: onepassword-credentials.json
probes:
readiness:
enabled: true
custom: true
spec:
httpGet:
path: /health
port: *sport
initialDelaySeconds: 15
liveness:
enabled: true
custom: true
spec:
httpGet:
path: /heartbeat
port: *sport
failureThreshold: 3
periodSeconds: 30
initialDelaySeconds: 15
service:
app:
controller: *app
ports:
http:
port: *port
ingress:
app:
enabled: true
className: internal
annotations:
hajimari.io/enable: "false"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
paths:
- path: /
service:
identifier: app
port: http
tls:
- hosts:
- *host
persistence:
shared:
type: emptyDir
globalMounts:
- path: /home/opuser/.op/data


@@ -9,7 +9,6 @@ resources:
- ./cilium/ks.yaml
- ./coredns/ks.yaml
- ./descheduler/ks.yaml
- ./external-secrets/ks.yaml
- ./fstrim/ks.yaml
- ./intel-device-plugin/ks.yaml
# - ./k8s-ycl/ks.yaml


@@ -25,7 +25,6 @@ spec:
strategy: rollback
retries: 3
values:
fullnameOverride: *app
provider:
name: cloudflare
env:


@@ -11,7 +11,7 @@ spec:
labels:
app.kubernetes.io/name: *app
dependsOn:
- name: cert-manager-issuers
- name: cert-manager
path: ./kubernetes/apps/network/nginx/certificates
prune: true
sourceRef:
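Review bot: Replacing the `cert-manager-issuers` dependency with `cert-manager` means this Kustomization now waits only for the controller release, not for the ClusterIssuer the certificates reference; unless the issuers are created by the `cert-manager` Kustomization itself, Certificates will be applied before their issuer exists and fail until a later retry. If the issuers moved into the cert-manager app directory as part of this commit the change is fine, but a comment next to the dependency, e.g. `# issuers are applied by the cert-manager Kustomization`, would record why the extra dependency went away. The Kustomization's header and the rest of its spec are outside the hunk.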