feat: flux instance

This commit is contained in:
auricom
2025-04-03 16:37:50 +02:00
parent d0a14fc471
commit a33b7d9285
106 changed files with 754 additions and 808 deletions


@@ -0,0 +1,7 @@
---
nameReference:
- kind: ConfigMap
version: v1
fieldSpecs:
- path: spec/valuesFrom/name
kind: HelmRelease


@@ -0,0 +1,11 @@
---
crds:
enabled: true
enableCertificateOwnerRef: true
dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
dns01RecursiveNameserversOnly: true
prometheus:
enabled: true
servicemonitor:
enabled: true
prometheusInstance: observability


@@ -1,41 +1,40 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: cert-manager
spec:
interval: 5m
layerSelector:
mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
operation: copy
ref:
tag: v1.17.1
url: oci://ghcr.io/home-operations/charts-mirror/cert-manager
verify:
provider: cosign
matchOIDCIdentity:
- issuer: "^https://token.actions.githubusercontent.com$"
subject: "^https://github.com/home-operations/charts-mirror.*$"
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 30m
chart:
spec:
chart: cert-manager
version: v1.17.1
sourceRef:
kind: HelmRepository
name: jetstack
namespace: flux-system
maxHistory: 2
interval: 1h
chartRef:
kind: OCIRepository
name: cert-manager
install:
createNamespace: true
crds: CreateReplace
remediation:
retries: 3
retries: -1
upgrade:
cleanupOnFail: true
crds: CreateReplace
remediation:
retries: 3
uninstall:
keepHistory: false
values:
crds:
enabled: true
enableCertificateOwnerRef: true
dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
dns01RecursiveNameserversOnly: true
prometheus:
enabled: true
servicemonitor:
enabled: true
prometheusInstance: observability
valuesFrom:
- kind: ConfigMap
name: cert-manager-values
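Review bot: The cosign `matchOIDCIdentity.subject` on the OCIRepository, `^https://github.com/home-operations/charts-mirror.*$`, is anchored only on a repository-name prefix, so a workflow in any repository of that org whose name merely begins with `charts-mirror` would also pass verification; the external-secrets (`external-secrets.*$`) and flux-instance (`charts.*$`) OCIRepositories added in this commit have the same shape. Close the prefix with a slash before the wildcard, e.g. `subject: "^https://github.com/home-operations/charts-mirror/.*$"`, and apply the same change to the other two. The OCIRepository block appears to be the new side here, inferred from the HelmRelease moving from `chart.spec` to `chartRef` as in the other new files; cert-manager's patterns are double-quoted while the other two files use plain scalars, so pick one form for consistency.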


@@ -4,14 +4,13 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cert-manager
resources:
- ./externalsecret.yaml
- ./clusterissuer.yaml
- ./helmrelease.yaml
- ./prometheusrule.yaml
# configMapGenerator:
# - name: cert-manager-dashboard
# files:
# - cert-manager-dashboard.json=https://raw.githubusercontent.com/monitoring-mixins/website/master/assets/cert-manager/dashboards/cert-manager.json
# generatorOptions:
# disableNameSufs
# kustomize.toolkit.fluxcd.io/substitute: disabled
# labels:
# grafana_dashboard: "true"
configMapGenerator:
- name: cert-manager-values
files:
- values.yaml=./helm/values.yaml
configurations:
- ./helm/kustomizeconfig.yaml


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./externalsecret.yaml
- ./helmrelease.yaml


@@ -10,42 +10,22 @@ spec:
commonMetadata:
labels:
app.kubernetes.io/name: *app
healthChecks:
- apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
name: *app
namespace: cert-manager
healthCheckExprs:
- apiVersion: cert-manager.io/v1
kind: ClusterIssuer
failed: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'False')
current: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True')
interval: 1h
path: ./kubernetes/apps/cert-manager/cert-manager/app
prune: true
retryInterval: 2m
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app cert-manager-issuers
namespace: flux-system
spec:
targetNamespace: cert-manager
commonMetadata:
labels:
app.kubernetes.io/name: *app
dependsOn:
- name: cert-manager
- name: external-secrets-stores
path: ./kubernetes/apps/cert-manager/cert-manager/issuers
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app
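Review bot: No `dependsOn` is visible on the remaining cert-manager Kustomization in this hunk, yet the app kustomization at the same path now lists `./clusterissuer.yaml` next to `./externalsecret.yaml`; if the second document (`cert-manager-issuers`, the one carrying `dependsOn: external-secrets-stores`) is the removed side, the ClusterIssuer's credentials are no longer ordered after the secret store and the first reconciliations will fail until it appears. Consider adding `dependsOn:` / `- name: external-secrets-stores` to the surviving Kustomization; the new `healthCheckExprs` entry for ClusterIssuer only reports a failed issuer, it does not sequence the apply. The first document's header lies before this hunk, and which lines are old versus new cannot be read with certainty from this rendering.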


@@ -0,0 +1,7 @@
---
nameReference:
- kind: ConfigMap
version: v1
fieldSpecs:
- path: spec/valuesFrom/name
kind: HelmRelease


@@ -0,0 +1,21 @@
---
installCRDs: true
replicaCount: 1
leaderElect: true
image:
repository: ghcr.io/external-secrets/external-secrets
webhook:
image:
repository: ghcr.io/external-secrets/external-secrets
serviceMonitor:
enabled: true
interval: 1m
certController:
image:
repository: ghcr.io/external-secrets/external-secrets
serviceMonitor:
enabled: true
interval: 1m
serviceMonitor:
enabled: true
interval: 1m


@@ -0,0 +1,40 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: external-secrets
spec:
interval: 5m
layerSelector:
mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
operation: copy
ref:
tag: 0.15.1
url: oci://ghcr.io/external-secrets/charts/external-secrets
verify:
provider: cosign
matchOIDCIdentity:
- issuer: ^https://token.actions.githubusercontent.com$
subject: ^https://github.com/external-secrets/external-secrets.*$
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: external-secrets
spec:
interval: 1h
chartRef:
kind: OCIRepository
name: external-secrets
install:
remediation:
retries: -1
upgrade:
cleanupOnFail: true
remediation:
retries: 3
valuesFrom:
- kind: ConfigMap
name: external-secrets-values


@@ -5,3 +5,9 @@ kind: Kustomization
namespace: kube-system
resources:
- ./helmrelease.yaml
configMapGenerator:
- name: external-secrets-values
files:
- values.yaml=./helm/values.yaml
configurations:
- ./helm/kustomizeconfig.yaml
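Review bot: The context line `namespace: kube-system` stays in the kustomization that now generates `external-secrets-values`, while the Flux Kustomization for this app in the same commit sets `targetNamespace: external-secrets` and health-checks the HelmRelease in `external-secrets`. Flux's targetNamespace overrides the kustomize namespace at reconcile time, so this is probably harmless in-cluster, but a local `kustomize build` of this directory renders the release into kube-system and the file misstates where it runs; change it to `namespace: external-secrets` or drop it. I am assuming from the generator name that this hunk is the external-secrets app kustomization, as the file path is not shown on this page.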


@@ -0,0 +1,52 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app external-secrets
namespace: &namespace flux-system
spec:
commonMetadata:
labels:
app.kubernetes.io/name: *app
healthChecks:
- apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
name: *app
namespace: external-secrets
interval: 1h
path: ./kubernetes/apps/external-secrets/external-secrets/app
prune: true
retryInterval: 2m
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
namespace: *namespace
targetNamespace: external-secrets
timeout: 15m
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app external-secrets-stores
namespace: &namespace flux-system
spec:
commonMetadata:
labels:
app.kubernetes.io/name: *app
healthCheckExprs:
- apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
failed: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'False')
current: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True')
interval: 1h
path: ./kubernetes/apps/external-secrets/external-secrets/stores
prune: true
retryInterval: 2m
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
namespace: *namespace
targetNamespace: external-secrets
timeout: 15m
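Review bot: The `external-secrets-stores` Kustomization (second document) has no `dependsOn`, whereas the version of this file removed further down ordered it after `external-secrets`; the ClusterSecretStore at its path cannot be applied before the external-secrets CRDs delivered by the HelmRelease exist, so the first reconciliations will fail and retry on `retryInterval: 2m` instead of waiting for the controller. Add `dependsOn:` / `- name: external-secrets` under the second `spec:`; the `healthCheckExprs` entry evaluates the store's Ready condition only after a successful apply and does not sequence the two Kustomizations.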


@@ -15,4 +15,4 @@ spec:
connectTokenSecretRef:
name: onepassword-connect-secret
key: token
namespace: kube-system
namespace: external-secrets


@@ -0,0 +1,7 @@
---
nameReference:
- kind: ConfigMap
version: v1
fieldSpecs:
- path: spec/valuesFrom/name
kind: HelmRelease


@@ -0,0 +1,111 @@
---
controllers:
onepassword-connect:
annotations:
reloader.stakater.com/auto: "true"
pod:
securityContext:
runAsUser: 999
runAsGroup: 999
containers:
app:
image:
# repository: docker.io/1password/connect-api
repository: ghcr.io/haraldkoch/onepassword-connect-api
tag: 1.7.3@sha256:257a6ca59b806fec2c9c6df0acaef633a39e600eefba0ba03396554c00e065c1
env:
OP_BUS_PORT: "11220"
OP_BUS_PEERS: localhost:11221
OP_HTTP_PORT: &port 8080
OP_SESSION:
valueFrom:
secretKeyRef:
name: onepassword-connect-secret
key: onepassword-credentials.json
probes:
liveness:
enabled: true
custom: true
spec:
httpGet:
path: /heartbeat
port: *port
initialDelaySeconds: 15
periodSeconds: 30
failureThreshold: 3
readiness:
enabled: true
custom: true
spec:
httpGet:
path: /health
port: *port
initialDelaySeconds: 15
startup:
enabled: false
resources:
requests:
cpu: 5m
memory: 10Mi
limits:
memory: 100Mi
sync:
# image: docker.io/1password/connect-sync:1.7.0
image:
repository: ghcr.io/haraldkoch/onepassword-sync
tag: 1.7.3@sha256:7e30af4d83e6884981b2d47e6cfe5cca056da20b182e4c4c6def9e8ac65c0982
env:
- { name: OP_HTTP_PORT, value: &sport 8081 }
- { name: OP_BUS_PORT, value: "11221" }
- { name: OP_BUS_PEERS, value: localhost:11220 }
- name: OP_SESSION
valueFrom:
secretKeyRef:
name: onepassword-connect-secret
key: onepassword-credentials.json
probes:
readiness:
enabled: true
custom: true
spec:
httpGet:
path: /health
port: *sport
initialDelaySeconds: 15
liveness:
enabled: true
custom: true
spec:
httpGet:
path: /heartbeat
port: *sport
failureThreshold: 3
periodSeconds: 30
initialDelaySeconds: 15
service:
app:
controller: onepassword-connect
ports:
http:
port: *port
# ingress:
# app:
# enabled: true
# className: internal
# annotations:
# hajimari.io/enable: "false"
# hosts:
# - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
# paths:
# - path: /
# service:
# identifier: app
# port: http
# tls:
# - hosts:
# - *host
persistence:
shared:
type: emptyDir
globalMounts:
- path: /home/opuser/.op/data
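Review bot: Both the `app` and `sync` containers run as uid/gid 999 through the pod `securityContext` but have no container-level hardening (no `allowPrivilegeEscalation: false`, no `readOnlyRootFilesystem`, no capability drop), even though they hold the 1Password credentials file and session token from `onepassword-connect-secret`; the capacitor release deleted in this commit carried exactly such a block. The values below add it to each container; `readOnlyRootFilesystem` should be fine because the only write path visible, `/home/opuser/.op/data`, is already an emptyDir mount, but confirm against the Connect images. The 16-line commented-out `ingress` block is dead configuration in a brand-new file and would be clearer removed.
```yaml
containers:
  app:
    # … unchanged: image, env, probes, resources …
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities: { drop: ["ALL"] }
  sync:
    # … unchanged: image, env, probes …
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities: { drop: ["ALL"] }
```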


@@ -0,0 +1,27 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: &app onepassword-connect
spec:
interval: 30m
chartRef:
kind: OCIRepository
name: app-template
namespace: flux-system
maxHistory: 2
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
uninstall:
keepHistory: false
valuesFrom:
- kind: ConfigMap
name: external-secrets-stores-values


@@ -6,3 +6,9 @@ resources:
- ./clustersecretstore.yaml
- ./helmrelease.yaml
- ./secret.sops.yaml
configMapGenerator:
- name: external-secrets-stores-values
files:
- values.yaml=./helm/values.yaml
configurations:
- ./helm/kustomizeconfig.yaml


@@ -2,7 +2,6 @@
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: external-secrets
resources:
- ./helmrelease.yaml
- ./rbac.yaml
- ../../../../templates/gatus/guarded
- ./external-secrets/ks.yaml


@@ -1,72 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app flux-monitoring
namespace: flux-system
spec:
targetNamespace: flux-system
commonMetadata:
labels:
app.kubernetes.io/name: *app
path: ./kubernetes/apps/flux-system/addons/monitoring
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app flux-notifications
namespace: flux-system
spec:
targetNamespace: flux-system
commonMetadata:
labels:
app.kubernetes.io/name: *app
path: ./kubernetes/apps/flux-system/addons/notifications
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app flux-webhooks
namespace: flux-system
spec:
targetNamespace: flux-system
commonMetadata:
labels:
app.kubernetes.io/name: *app
path: ./kubernetes/apps/flux-system/addons/webhooks
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app


@@ -1,8 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: flux-system
resources:
- ./podmonitor.yaml
- ./prometheusrule.yaml


@@ -1,32 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/podmonitor_v1.json
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: flux-system
namespace: flux-system
labels:
app.kubernetes.io/part-of: flux
app.kubernetes.io/component: monitoring
spec:
namespaceSelector:
matchNames:
- flux-system
selector:
matchExpressions:
- key: app
operator: In
values:
- helm-controller
- source-controller
- kustomize-controller
- notification-controller
- image-automation-controller
- image-reflector-controller
podMetricsEndpoints:
- port: http-prom
relabelings:
# https://github.com/prometheus-operator/prometheus-operator/issues/4816
- sourceLabels: [__meta_kubernetes_pod_phase]
action: keep
regex: Running


@@ -1,19 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/scrapeconfig_v1alpha1.json
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: flux
namespace: flux-system
spec:
groups:
- name: flux.rules
rules:
- alert: FluxComponentAbsent
annotations:
summary: Flux component has disappeared from Prometheus target discovery.
expr: |
absent(up{job=~".*flux-system.*"} == 1)
for: 15m
labels:
severity: critical


@@ -1,20 +0,0 @@
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: github-token
namespace: flux-system
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: github-token-secret
creationPolicy: Owner
template:
engineVersion: v2
data:
token: '{{ .GITHUB_NOTIFICATION_TOKEN }}'
dataFrom:
- extract:
key: flux


@@ -1,7 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./externalsecret.yaml
- ./notification.yaml


@@ -1,26 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Provider
metadata:
name: github
namespace: flux-system
spec:
type: github
address: https://github.com/auricom/home-ops
secretRef:
name: github-token-secret
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
name: github
namespace: flux-system
spec:
providerRef:
name: github
eventSeverity: info
eventSources:
- kind: Kustomization
name: "*"


@@ -1,6 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./github


@@ -1,8 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./externalsecret.yaml
- ./ingress.yaml
- ./receiver.yaml


@@ -1,6 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./github


@@ -0,0 +1,30 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
name: alertmanager
namespace: flux-system
spec:
providerRef:
name: alertmanager
eventSeverity: error
eventSources:
# - kind: FluxInstance
# name: "*"
- kind: GitRepository
name: "*"
- kind: HelmRelease
name: "*"
- kind: HelmRepository
name: "*"
- kind: Kustomization
name: "*"
- kind: OCIRepository
name: "*"
exclusionList:
- "error.*lookup github\\.com"
- "error.*lookup raw\\.githubusercontent\\.com"
- "dial.*tcp.*timeout"
- "waiting.*socket"
suspend: false


@@ -0,0 +1,7 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./alert.yaml
- ./provider.yaml


@@ -0,0 +1,10 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Provider
metadata:
name: alertmanager
namespace: flux-system
spec:
type: alertmanager
address: http://alertmanager-operated.observability.svc.cluster.local:9093/api/v2/alerts/


@@ -0,0 +1,13 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/alert_v1beta3.json
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Alert
metadata:
name: github-status
namespace: flux-system
spec:
providerRef:
name: github-status
eventSources:
- kind: Kustomization
name: "*"


@@ -0,0 +1,19 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: github-status-token
namespace: flux-system
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword
target:
name: github-status-token-secret
template:
data:
token: "{{ .FLUX_GITHUB_TOKEN }}"
dataFrom:
- extract:
key: flux


@@ -0,0 +1,8 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./alert.yaml
- ./externalsecret.yaml
- ./provider.yaml


@@ -0,0 +1,12 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/provider_v1beta3.json
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Provider
metadata:
name: github-status
namespace: flux-system
spec:
type: github
address: https://github.com/auricom/home-ops
secretRef:
name: github-status-token-secret


@@ -0,0 +1,7 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./alertmanager
- ./github-status


@@ -1,82 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: &app capacitor
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.7.3
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
uninstall:
keepHistory: false
values:
controllers:
capacitor:
strategy: RollingUpdate
containers:
app:
image:
repository: ghcr.io/gimlet-io/capacitor
tag: v0.4.8@sha256:c999a42cccc523b91086547f890466d09be4755bf05a52763b0d14594bf60782
resources:
requests:
cpu: 50m
memory: 100Mi
ephemeral-storage: 1Gi
limits:
memory: 200Mi
ephemeral-storage: 2Gi
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities: {drop: [ALL]}
serviceAccount:
create: true
name: capacitor
service:
app:
controller: *app
ports:
http:
enabled: true
port: 9000
ingress:
app:
enabled: true
className: internal
annotations:
hajimari.io/icon: mdi:sync
gethomepage.dev/enabled: "true"
gethomepage.dev/name: Capacitor
gethomepage.dev/description: General purpose UI for FluxCD.
gethomepage.dev/group: Applications
gethomepage.dev/icon: capacitor.png
gethomepage.dev/pod-selector: >-
app in (
capacitor
)
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
paths:
- path: /
service:
identifier: app
port: http
tls:
- hosts:
- *host


@@ -1,55 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: capacitor
rules:
- apiGroups:
- networking.k8s.io
- apps
- ""
resources:
- pods
- pods/log
- ingresses
- deployments
- services
- secrets
- events
- configmaps
verbs:
- get
- watch
- list
- apiGroups:
- source.toolkit.fluxcd.io
- kustomize.toolkit.fluxcd.io
- helm.toolkit.fluxcd.io
- infra.contrib.fluxcd.io
resources:
- gitrepositories
- ocirepositories
- buckets
- helmrepositories
- helmcharts
- kustomizations
- helmreleases
- terraforms
verbs:
- get
- watch
- list
- patch # to allow force reconciling by adding an annotation
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: capacitor
subjects:
- kind: ServiceAccount
name: capacitor
namespace: flux-system
roleRef:
kind: ClusterRole
name: capacitor
apiGroup: rbac.authorization.k8s.io


@@ -1,24 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app capacitor
namespace: flux-system
spec:
targetNamespace: flux-system
commonMetadata:
labels:
app.kubernetes.io/name: *app
path: ./kubernetes/apps/flux-system/capacitor/app
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app


@@ -7,13 +7,12 @@ metadata:
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
name: onepassword
target:
name: github-webhook-token-secret
template:
engineVersion: v2
data:
token: "{{ .GITHUB_SYNC_WEBHOOK_TOKEN }}"
token: "{{ .FLUX_GITHUB_WEBHOOK_TOKEN }}"
dataFrom:
- extract:
key: flux


@@ -0,0 +1,7 @@
---
nameReference:
- kind: ConfigMap
version: v1
fieldSpecs:
- path: spec/valuesFrom/name
kind: HelmRelease


@@ -0,0 +1,104 @@
---
instance:
distribution:
# renovate: datasource=github-releases depName=controlplaneio-fluxcd/distribution
version: 2.5.1
cluster:
networkPolicy: false
components:
- source-controller
- kustomize-controller
- helm-controller
- notification-controller
sync:
kind: GitRepository
url: https://github.com/auricom/home-ops
ref: refs/heads/main
path: kubernetes/flux
interval: 1h
commonMetadata:
labels:
app.kubernetes.io/name: flux
kustomize:
patches:
- # Add Sops decryption to 'flux-system' Kustomization
patch: |
- op: add
path: /spec/decryption
value:
provider: sops
secretRef:
name: sops-age
target:
group: kustomize.toolkit.fluxcd.io
kind: Kustomization
- # Increase the number of workers
patch: |
- op: add
path: /spec/template/spec/containers/0/args/-
value: --concurrent=10
- op: add
path: /spec/template/spec/containers/0/args/-
value: --requeue-dependency=5s
target:
kind: Deployment
name: (kustomize-controller|helm-controller|source-controller)
- # Increase the memory limits
patch: |
apiVersion: apps/v1
kind: Deployment
metadata:
name: all
spec:
template:
spec:
containers:
- name: manager
resources:
limits:
memory: 2Gi
target:
kind: Deployment
name: (kustomize-controller|helm-controller|source-controller)
- # Enable in-memory kustomize builds
patch: |
- op: add
path: /spec/template/spec/containers/0/args/-
value: --concurrent=20
- op: replace
path: /spec/template/spec/volumes/0
value:
name: temp
emptyDir:
medium: Memory
target:
kind: Deployment
name: kustomize-controller
- # Enable Helm repositories caching
patch: |
- op: add
path: /spec/template/spec/containers/0/args/-
value: --helm-cache-max-size=10
- op: add
path: /spec/template/spec/containers/0/args/-
value: --helm-cache-ttl=60m
- op: add
path: /spec/template/spec/containers/0/args/-
value: --helm-cache-purge-interval=5m
target:
kind: Deployment
name: source-controller
- # Flux near OOM detection for Helm
patch: |
- op: add
path: /spec/template/spec/containers/0/args/-
value: --feature-gates=OOMWatch=true
- op: add
path: /spec/template/spec/containers/0/args/-
value: --oom-watch-memory-threshold=95
- op: add
path: /spec/template/spec/containers/0/args/-
value: --oom-watch-interval=500ms
target:
kind: Deployment
name: helm-controller
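Review bot: `--concurrent` is appended to kustomize-controller twice: the second patch adds `--concurrent=10` to `(kustomize-controller|helm-controller|source-controller)` and the fourth adds `--concurrent=20` to `kustomize-controller` again, so that deployment ends up with two `--concurrent` flags and the effective value depends on the flag parser's last-wins behaviour rather than on this file. Narrow the second patch's target to `name: (helm-controller|source-controller)` so the fourth patch's 20 is the only setting for kustomize-controller. Separately, `cluster.networkPolicy: false` switches off the NetworkPolicies the operator otherwise installs around the flux-system controllers; a short comment stating the reason (e.g. `# networkPolicy disabled: <reason>`) would keep the next reader from re-enabling it or, conversely, from assuming the controllers are isolated.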


@@ -0,0 +1,40 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1beta2.json
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
name: flux-instance
spec:
interval: 5m
layerSelector:
mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
operation: copy
ref:
tag: 0.18.0
url: oci://ghcr.io/controlplaneio-fluxcd/charts/flux-instance
verify:
provider: cosign
matchOIDCIdentity:
- issuer: ^https://token.actions.githubusercontent.com$
subject: ^https://github.com/controlplaneio-fluxcd/charts.*$
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: flux-instance
spec:
interval: 1h
chartRef:
kind: OCIRepository
name: flux-instance
install:
remediation:
retries: -1
upgrade:
cleanupOnFail: true
remediation:
retries: 3
valuesFrom:
- kind: ConfigMap
name: flux-instance-values


@@ -0,0 +1,16 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./externalsecret.yaml
- ./helmrelease.yaml
- ./ingress.yaml
- ./prometheusrule.yaml
- ./receiver.yaml
configMapGenerator:
- name: flux-instance-values
files:
- values.yaml=./helm/values.yaml
configurations:
- ./helm/kustomizeconfig.yaml


@@ -0,0 +1,30 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/prometheusrule_v1.json
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: flux-instance-rules
namespace: flux-system
spec:
groups:
- name: flux-instance.rules
rules:
- alert: FluxInstanceAbsent
expr: |
absent(flux_instance_info{exported_namespace="flux-system", name="flux"})
for: 5m
annotations:
summary: >-
Flux instance metric is missing
labels:
severity: critical
- alert: FluxInstanceNotReady
expr: |
flux_instance_info{exported_namespace="flux-system", name="flux", ready!="True"}
for: 5m
annotations:
summary: >-
Flux instance {{ $labels.name }} is not ready
labels:
severity: critical


@@ -1,26 +1,18 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/receiver_v1beta2.json
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/notification.toolkit.fluxcd.io/receiver_v1.json
apiVersion: notification.toolkit.fluxcd.io/v1
kind: Receiver
metadata:
name: home-ops-kubernetes
name: github-webhook
spec:
type: github
events:
- ping
- push
events: ["ping", "push"]
secretRef:
name: github-webhook-token-secret
resources:
- apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
name: home-ops-kubernetes
namespace: flux-system
name: flux-system
- apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
name: apps
namespace: flux-system
- apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
name: flux-cluster
namespace: flux-system
name: flux-system
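Review bot: The Receiver now targets a GitRepository and a Kustomization both named `flux-system`, while every Flux Kustomization added in this commit reconciles from `sourceRef.name: home-ops-kubernetes` (the flux-instance, external-secrets and cert-manager ks.yaml files). If `home-ops-kubernetes` remains a separate GitRepository object, a push webhook will only nudge the `flux-system` source and the app Kustomizations stay on their `interval: 1h` polling; either add `- apiVersion: source.toolkit.fluxcd.io/v1` / `kind: GitRepository` / `name: home-ops-kubernetes` to `resources`, or point the apps at `flux-system`. This page does not show whether `home-ops-kubernetes` is kept, so treat this as something to confirm rather than a certain defect.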


@@ -0,0 +1,32 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app flux-instance
namespace: &namespace flux-system
spec:
commonMetadata:
labels:
app.kubernetes.io/name: *app
dependsOn:
- name: flux-operator
namespace: *namespace
interval: 1h
path: ./kubernetes/apps/flux-system/flux-instance/app
prune: true
retryInterval: 2m
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
namespace: *namespace
targetNamespace: *namespace
timeout: 5m
postBuild:
substituteFrom:
- kind: ConfigMap
name: cluster-settings
optional: false
- kind: Secret
name: cluster-secrets
optional: false


@@ -5,9 +5,10 @@ kind: Kustomization
resources:
# Pre Flux-Kustomizations
- ./namespace.yaml
# Flux-Kustomizations
- ./addons/ks.yaml
- ./capacitor/ks.yaml
# Standard Resources
# - ./flux-instance/ks.yaml
- ./alerts
- ./cluster.yaml
- ./flux-instance/ks.yaml
- ./flux-operator/ks.yaml
- ./repositories
- ./vars


@@ -1,41 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: external-secrets
namespace: kube-system
spec:
interval: 30m
chart:
spec:
chart: external-secrets
version: 0.15.0
sourceRef:
kind: HelmRepository
name: external-secrets
namespace: flux-system
maxHistory: 2
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
values:
installCRDs: true
serviceMonitor:
enabled: true
interval: 1m
webhook:
serviceMonitor:
enabled: true
interval: 1m
certController:
serviceMonitor:
enabled: true
interval: 1m


@@ -1,50 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: &app external-secrets
namespace: flux-system
spec:
targetNamespace: kube-system
commonMetadata:
labels:
app.kubernetes.io/name: *app
path: ./kubernetes/apps/kube-system/external-secrets/app
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: external-secrets-stores
namespace: flux-system
spec:
targetNamespace: kube-system
commonMetadata:
labels:
app.kubernetes.io/name: &app external-secrets
dependsOn:
- name: external-secrets
path: ./kubernetes/apps/kube-system/external-secrets/stores
prune: true
sourceRef:
kind: GitRepository
name: home-ops-kubernetes
wait: false
interval: 30m
retryInterval: 1m
timeout: 5m
postBuild:
substitute:
APP: *app


@@ -1,139 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: &app onepassword-connect
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 3.7.3
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 2
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
uninstall:
keepHistory: false
values:
controllers:
onepassword-connect:
annotations:
reloader.stakater.com/auto: "true"
pod:
securityContext:
runAsUser: 999
runAsGroup: 999
containers:
app:
image:
# repository: docker.io/1password/connect-api
repository: ghcr.io/haraldkoch/onepassword-connect-api
tag: 1.7.3@sha256:257a6ca59b806fec2c9c6df0acaef633a39e600eefba0ba03396554c00e065c1
env:
OP_BUS_PORT: "11220"
OP_BUS_PEERS: localhost:11221
OP_HTTP_PORT: &port 8080
OP_SESSION:
valueFrom:
secretKeyRef:
name: onepassword-connect-secret
key: onepassword-credentials.json
probes:
liveness:
enabled: true
custom: true
spec:
httpGet:
path: /heartbeat
port: *port
initialDelaySeconds: 15
periodSeconds: 30
failureThreshold: 3
readiness:
enabled: true
custom: true
spec:
httpGet:
path: /health
port: *port
initialDelaySeconds: 15
startup:
enabled: false
resources:
requests:
cpu: 5m
memory: 10Mi
limits:
memory: 100Mi
sync:
# image: docker.io/1password/connect-sync:1.7.0
image:
repository: ghcr.io/haraldkoch/onepassword-sync
tag: 1.7.3@sha256:7e30af4d83e6884981b2d47e6cfe5cca056da20b182e4c4c6def9e8ac65c0982
env:
- { name: OP_HTTP_PORT, value: &sport 8081 }
- { name: OP_BUS_PORT, value: "11221" }
- { name: OP_BUS_PEERS, value: localhost:11220 }
- name: OP_SESSION
valueFrom:
secretKeyRef:
name: onepassword-connect-secret
key: onepassword-credentials.json
probes:
readiness:
enabled: true
custom: true
spec:
httpGet:
path: /health
port: *sport
initialDelaySeconds: 15
liveness:
enabled: true
custom: true
spec:
httpGet:
path: /heartbeat
port: *sport
failureThreshold: 3
periodSeconds: 30
initialDelaySeconds: 15
service:
app:
controller: *app
ports:
http:
port: *port
ingress:
app:
enabled: true
className: internal
annotations:
hajimari.io/enable: "false"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
paths:
- path: /
service:
identifier: app
port: http
tls:
- hosts:
- *host
persistence:
shared:
type: emptyDir
globalMounts:
- path: /home/opuser/.op/data


@@ -9,7 +9,6 @@ resources:
- ./cilium/ks.yaml
- ./coredns/ks.yaml
- ./descheduler/ks.yaml
- ./external-secrets/ks.yaml
- ./fstrim/ks.yaml
- ./intel-device-plugin/ks.yaml
# - ./k8s-ycl/ks.yaml


@@ -25,7 +25,6 @@ spec:
strategy: rollback
retries: 3
values:
fullnameOverride: *app
provider:
name: cloudflare
env:
