diff --git a/kubernetes/apps/default/calibre/app/helmrelease.yaml b/.archive/kubernetes/calibre/app/helmrelease.yaml
similarity index 100%
rename from kubernetes/apps/default/calibre/app/helmrelease.yaml
rename to .archive/kubernetes/calibre/app/helmrelease.yaml
diff --git a/kubernetes/apps/default/calibre/app/kustomization.yaml b/.archive/kubernetes/calibre/app/kustomization.yaml
similarity index 100%
rename from kubernetes/apps/default/calibre/app/kustomization.yaml
rename to .archive/kubernetes/calibre/app/kustomization.yaml
diff --git a/kubernetes/apps/default/calibre/ks.yaml b/.archive/kubernetes/calibre/ks.yaml
similarity index 100%
rename from kubernetes/apps/default/calibre/ks.yaml
rename to .archive/kubernetes/calibre/ks.yaml
diff --git a/kubernetes/apps/kube-system/cilium/gateway/external.yaml b/.archive/kubernetes/cilium/gateway/external.yaml
similarity index 100%
rename from kubernetes/apps/kube-system/cilium/gateway/external.yaml
rename to .archive/kubernetes/cilium/gateway/external.yaml
diff --git a/kubernetes/apps/kube-system/cilium/gateway/gatewayclass.yaml b/.archive/kubernetes/cilium/gateway/gatewayclass.yaml
similarity index 100%
rename from kubernetes/apps/kube-system/cilium/gateway/gatewayclass.yaml
rename to .archive/kubernetes/cilium/gateway/gatewayclass.yaml
diff --git a/kubernetes/apps/kube-system/cilium/gateway/internal.yaml b/.archive/kubernetes/cilium/gateway/internal.yaml
similarity index 100%
rename from kubernetes/apps/kube-system/cilium/gateway/internal.yaml
rename to .archive/kubernetes/cilium/gateway/internal.yaml
diff --git a/kubernetes/apps/kube-system/cilium/gateway/kustomization.yaml b/.archive/kubernetes/cilium/gateway/kustomization.yaml
similarity index 100%
rename from kubernetes/apps/kube-system/cilium/gateway/kustomization.yaml
rename to .archive/kubernetes/cilium/gateway/kustomization.yaml
diff --git a/kubernetes/apps/kube-system/cilium/gateway/redirect.yaml b/.archive/kubernetes/cilium/gateway/redirect.yaml similarity index 100% rename from kubernetes/apps/kube-system/cilium/gateway/redirect.yaml rename to .archive/kubernetes/cilium/gateway/redirect.yaml diff --git a/.archive/kubernetes/envoy-gateway/crds/helmrelease.yaml b/.archive/kubernetes/envoy-gateway/crds/helmrelease.yaml deleted file mode 100644 index 21f25d5c0..000000000 --- a/.archive/kubernetes/envoy-gateway/crds/helmrelease.yaml +++ /dev/null @@ -1,36 +0,0 @@ ---- -# yaml-language-server: $schema=https://schemas.budimanjojo.com/source.toolkit.fluxcd.io/ocirepository_v1beta2.json -apiVersion: source.toolkit.fluxcd.io/v1 -kind: OCIRepository -metadata: - name: envoy-gateway-crds -spec: - interval: 30m - timeout: 60s - url: oci://docker.io/envoyproxy/gateway-helm - ref: - tag: 1.4.2 - layerSelector: - mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip - operation: copy ---- -# yaml-language-server: $schema=https://schemas.budimanjojo.com/helm.toolkit.fluxcd.io/helmrelease_v2.json -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: envoy-gateway-crds -spec: - interval: 1h - timeout: 5m - chartRef: - kind: OCIRepository - name: envoy-gateway-crds - install: - crds: CreateReplace - remediation: - retries: -1 - upgrade: - cleanupOnFail: true - crds: CreateReplace - remediation: - retries: 5 diff --git a/.archive/kubernetes/envoy-gateway/crds/kustomization.yaml b/.archive/kubernetes/envoy-gateway/crds/kustomization.yaml deleted file mode 100644 index 09bc749a9..000000000 --- a/.archive/kubernetes/envoy-gateway/crds/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./helmrelease.yaml 
diff --git a/.archive/kubernetes/envoy-gateway/external/gateway.yaml b/.archive/kubernetes/envoy-gateway/external/gateway.yaml deleted file mode 100644 index f659f83a7..000000000 --- a/.archive/kubernetes/envoy-gateway/external/gateway.yaml +++ /dev/null @@ -1,35 +0,0 @@ ---- -# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/gateway_v1.json -apiVersion: gateway.networking.k8s.io/v1 -kind: Gateway -metadata: - name: external - # annotations: - # external-dns.alpha.kubernetes.io/target: external.${SECRET_EXTERNAL_DOMAIN} -spec: - gatewayClassName: envoy-gateway - addresses: - - type: IPAddress - value: 192.168.169.122 - # infrastructure: - # annotations: - # external-dns.alpha.kubernetes.io/hostname: external.${SECRET_EXTERNAL_DOMAIN} - listeners: - - name: http - protocol: HTTP - port: 80 - hostname: "*.${SECRET_EXTERNAL_DOMAIN}" - allowedRoutes: - namespaces: - from: Same - - name: https - protocol: HTTPS - port: 443 - hostname: "*.${SECRET_EXTERNAL_DOMAIN}" - allowedRoutes: - namespaces: - from: All - tls: - certificateRefs: - - kind: Secret - name: ${SECRET_EXTERNAL_DOMAIN//./-}-tls diff --git a/.archive/kubernetes/envoy-gateway/external/kustomization.yaml b/.archive/kubernetes/envoy-gateway/external/kustomization.yaml deleted file mode 100644 index 3df48216a..000000000 --- a/.archive/kubernetes/envoy-gateway/external/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./gateway.yaml - - ./redirect.yaml diff --git a/.archive/kubernetes/envoy-gateway/external/redirect.yaml b/.archive/kubernetes/envoy-gateway/external/redirect.yaml deleted file mode 100644 index c8337dceb..000000000 --- a/.archive/kubernetes/envoy-gateway/external/redirect.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/httproute_v1.json -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: https-redirect-external - annotations: - external-dns.alpha.kubernetes.io/controller: none -spec: - parentRefs: - - name: external - port: 80 - rules: - - filters: - - type: RequestRedirect - requestRedirect: - scheme: https - statusCode: 301 diff --git a/.archive/kubernetes/envoy-gateway/internal/gateway.yaml b/.archive/kubernetes/envoy-gateway/internal/gateway.yaml deleted file mode 100644 index 53b4ad8e9..000000000 --- a/.archive/kubernetes/envoy-gateway/internal/gateway.yaml +++ /dev/null @@ -1,35 +0,0 @@ ---- -# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/gateway_v1.json -apiVersion: gateway.networking.k8s.io/v1 -kind: Gateway -metadata: - name: internal - # annotations: - # external-dns.alpha.kubernetes.io/target: internal.${SECRET_EXTERNAL_DOMAIN} -spec: - gatewayClassName: envoy-gateway - addresses: - - type: IPAddress - value: 192.168.169.121 - # infrastructure: - # annotations: - # external-dns.alpha.kubernetes.io/hostname: internal.${SECRET_EXTERNAL_DOMAIN} - listeners: - - name: http - protocol: HTTP - port: 80 - hostname: "*.${SECRET_EXTERNAL_DOMAIN}" - allowedRoutes: - namespaces: - from: Same - - name: https - protocol: HTTPS - port: 443 - hostname: "*.${SECRET_EXTERNAL_DOMAIN}" - allowedRoutes: - namespaces: - from: All - tls: - certificateRefs: - - kind: Secret - name: ${SECRET_EXTERNAL_DOMAIN//./-}-tls diff --git a/.archive/kubernetes/envoy-gateway/internal/kustomization.yaml b/.archive/kubernetes/envoy-gateway/internal/kustomization.yaml deleted file mode 100644 index f5ee97938..000000000 --- a/.archive/kubernetes/envoy-gateway/internal/kustomization.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./gateway.yaml - - ./redirect.yaml - - ./securitypolicy.yaml diff --git a/.archive/kubernetes/envoy-gateway/internal/redirect.yaml b/.archive/kubernetes/envoy-gateway/internal/redirect.yaml deleted file mode 100644 index 16f1c9059..000000000 --- a/.archive/kubernetes/envoy-gateway/internal/redirect.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -apiVersion: gateway.networking.k8s.io/v1 -kind: HTTPRoute -metadata: - name: https-redirect-internal - annotations: - external-dns.alpha.kubernetes.io/controller: none -spec: - parentRefs: - - name: internal - port: 80 - rules: - - filters: - - type: RequestRedirect - requestRedirect: - scheme: https - statusCode: 301 diff --git a/.archive/kubernetes/envoy-gateway/internal/securitypolicy.yaml b/.archive/kubernetes/envoy-gateway/internal/securitypolicy.yaml deleted file mode 100644 index 48576cb76..000000000 --- a/.archive/kubernetes/envoy-gateway/internal/securitypolicy.yaml +++ /dev/null @@ -1,26 +0,0 @@ ---- -apiVersion: gateway.envoyproxy.io/v1alpha1 -kind: SecurityPolicy -metadata: - name: internal-secure -spec: - extAuth: - failOpen: false - headersToExtAuth: - - X-Forwarded-Proto - - authorization - - proxy-authorization - - accept - - cookie - http: - backendRefs: - - group: "" - kind: Service - name: authelia - namespace: default - port: 80 - path: /api/authz/ext-authz/ - targetRefs: - - group: gateway.networking.k8s.io - kind: Gateway - name: internal diff --git a/.archive/kubernetes/envoy-gateway/ks.yaml b/.archive/kubernetes/envoy-gateway/ks.yaml deleted file mode 100644 index 4a4629b02..000000000 --- a/.archive/kubernetes/envoy-gateway/ks.yaml +++ /dev/null 
@@ -1,111 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app envoy-gateway-crds - namespace: &namespace network -spec: - commonMetadata: - labels: - app.kubernetes.io/name: *app - interval: 1h - path: ./kubernetes/apps/network/envoy-gateway/crds - prune: true - retryInterval: 2m - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - targetNamespace: *namespace - timeout: 5m - wait: false ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app envoy-gateway-operator - namespace: &namespace network -spec: - commonMetadata: - labels: - app.kubernetes.io/name: *app - interval: 1h - path: ./kubernetes/apps/network/envoy-gateway/operator - dependsOn: - - name: envoy-gateway-crds - namespace: *namespace - # healthChecks: - # - apiVersion: helm.toolkit.fluxcd.io/v2 - # kind: HelmRelease - # name: *app - # namespace: *namespace - # - apiVersion: gateway.networking.k8s.io/v1 - # kind: GatewayClass - # name: envoy-gateway - # healthCheckExprs: - # - apiVersion: gateway.networking.k8s.io/v1 - # kind: GatewayClass - # failed: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'False') - # inProgress: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'Unknown') - # current: status.conditions.filter(e, e.type == 'Accepted').all(e, e.status == 'True') - prune: true - retryInterval: 2m - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - targetNamespace: *namespace - timeout: 5m - wait: false ---- -# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: 
Kustomization -metadata: - name: &app envoy-gateway-internal - namespace: &namespace network -spec: - interval: 1h - retryInterval: 2m - timeout: 5m - prune: true - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/network/envoy-gateway/internal - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - targetNamespace: *namespace - wait: false - dependsOn: - - name: envoy-gateway-operator - namespace: *namespace ---- -# yaml-language-server: $schema=https://schemas.budimanjojo.com/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app envoy-gateway-external - namespace: &namespace network -spec: - interval: 1h - retryInterval: 2m - timeout: 5m - prune: true - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/apps/network/envoy-gateway/external - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - targetNamespace: *namespace - wait: false - dependsOn: - - name: envoy-gateway-operator - namespace: *namespace diff --git a/.archive/kubernetes/envoy-gateway/operator/gatewayclass.yaml b/.archive/kubernetes/envoy-gateway/operator/gatewayclass.yaml deleted file mode 100644 index 3537a0197..000000000 --- a/.archive/kubernetes/envoy-gateway/operator/gatewayclass.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.networking.k8s.io/gatewayclass_v1.json -apiVersion: gateway.networking.k8s.io/v1 -kind: GatewayClass -metadata: - name: envoy-gateway -spec: - controllerName: gateway.envoyproxy.io/gatewayclass-controller - parametersRef: - group: gateway.envoyproxy.io - kind: EnvoyProxy - name: proxy-config - namespace: network ---- -# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.envoyproxy.io/envoyproxy_v1alpha1.json -apiVersion: gateway.envoyproxy.io/v1alpha1 -kind: EnvoyProxy -metadata: - name: proxy-config -spec: - backendTLS: - minVersion: "1.3" - maxVersion: "1.3" diff --git a/.archive/kubernetes/envoy-gateway/operator/kustomization.yaml b/.archive/kubernetes/envoy-gateway/operator/kustomization.yaml deleted file mode 100644 index ded543436..000000000 --- a/.archive/kubernetes/envoy-gateway/operator/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./gatewayclass.yaml diff --git a/kubernetes/apps/default/homepage/app/config/bookmarks.yaml b/.archive/kubernetes/homepage/app/config/bookmarks.yaml similarity index 100% rename from kubernetes/apps/default/homepage/app/config/bookmarks.yaml rename to .archive/kubernetes/homepage/app/config/bookmarks.yaml diff --git a/kubernetes/apps/default/homepage/app/config/docker.yaml b/.archive/kubernetes/homepage/app/config/docker.yaml similarity index 100% rename from kubernetes/apps/default/homepage/app/config/docker.yaml rename to .archive/kubernetes/homepage/app/config/docker.yaml 
diff --git a/kubernetes/apps/default/homepage/app/config/kubernetes.yaml b/.archive/kubernetes/homepage/app/config/kubernetes.yaml
similarity index 100%
rename from kubernetes/apps/default/homepage/app/config/kubernetes.yaml
rename to .archive/kubernetes/homepage/app/config/kubernetes.yaml
diff --git a/kubernetes/apps/default/homepage/app/config/services.yaml b/.archive/kubernetes/homepage/app/config/services.yaml
similarity index 100%
rename from kubernetes/apps/default/homepage/app/config/services.yaml
rename to .archive/kubernetes/homepage/app/config/services.yaml
diff --git a/kubernetes/apps/default/homepage/app/config/settings.yaml b/.archive/kubernetes/homepage/app/config/settings.yaml
similarity index 100%
rename from kubernetes/apps/default/homepage/app/config/settings.yaml
rename to .archive/kubernetes/homepage/app/config/settings.yaml
diff --git a/kubernetes/apps/default/homepage/app/config/widgets.yaml b/.archive/kubernetes/homepage/app/config/widgets.yaml
similarity index 100%
rename from kubernetes/apps/default/homepage/app/config/widgets.yaml
rename to .archive/kubernetes/homepage/app/config/widgets.yaml
diff --git a/kubernetes/apps/default/homepage/app/externalsecret.yaml b/.archive/kubernetes/homepage/app/externalsecret.yaml
similarity index 100%
rename from kubernetes/apps/default/homepage/app/externalsecret.yaml
rename to .archive/kubernetes/homepage/app/externalsecret.yaml
diff --git a/kubernetes/apps/default/homepage/app/helmrelease.yaml b/.archive/kubernetes/homepage/app/helmrelease.yaml
similarity index 85%
rename from kubernetes/apps/default/homepage/app/helmrelease.yaml
rename to .archive/kubernetes/homepage/app/helmrelease.yaml
index 1603bae78..e4f066855 100644
--- a/kubernetes/apps/default/homepage/app/helmrelease.yaml
+++ b/.archive/kubernetes/homepage/app/helmrelease.yaml
@@ -54,20 +54,17 @@ spec: serviceAccount: create: true name: *app - ingress: + route: app: - enabled: true - className: internal - hosts: - - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host + hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: internal + namespace: network + sectionName: https + rules: + - backendRefs: + - name: *app + port: *port persistence: config: type: configMap diff --git a/kubernetes/apps/default/homepage/app/kustomization.yaml b/.archive/kubernetes/homepage/app/kustomization.yaml similarity index 100% rename from kubernetes/apps/default/homepage/app/kustomization.yaml rename to .archive/kubernetes/homepage/app/kustomization.yaml diff --git a/kubernetes/apps/default/homepage/app/rbac.yaml b/.archive/kubernetes/homepage/app/rbac.yaml similarity index 100% rename from kubernetes/apps/default/homepage/app/rbac.yaml rename to .archive/kubernetes/homepage/app/rbac.yaml diff --git a/kubernetes/apps/default/homepage/ks.yaml b/.archive/kubernetes/homepage/ks.yaml similarity index 100% rename from kubernetes/apps/default/homepage/ks.yaml rename to .archive/kubernetes/homepage/ks.yaml diff --git a/kubernetes/apps/network/nginx/external/helmrelease.yaml b/.archive/kubernetes/nginx/external/helmrelease.yaml similarity index 100% rename from kubernetes/apps/network/nginx/external/helmrelease.yaml rename to .archive/kubernetes/nginx/external/helmrelease.yaml diff --git a/kubernetes/apps/network/nginx/external/kustomization.yaml b/.archive/kubernetes/nginx/external/kustomization.yaml similarity index 100% rename from kubernetes/apps/network/nginx/external/kustomization.yaml rename to .archive/kubernetes/nginx/external/kustomization.yaml 
diff --git a/kubernetes/apps/network/nginx/internal/helmrelease.yaml b/.archive/kubernetes/nginx/internal/helmrelease.yaml similarity index 100% rename from kubernetes/apps/network/nginx/internal/helmrelease.yaml rename to .archive/kubernetes/nginx/internal/helmrelease.yaml diff --git a/kubernetes/apps/network/nginx/internal/kustomization.yaml b/.archive/kubernetes/nginx/internal/kustomization.yaml similarity index 100% rename from kubernetes/apps/network/nginx/internal/kustomization.yaml rename to .archive/kubernetes/nginx/internal/kustomization.yaml diff --git a/kubernetes/apps/network/nginx/ks.yaml b/.archive/kubernetes/nginx/ks.yaml similarity index 66% rename from kubernetes/apps/network/nginx/ks.yaml rename to .archive/kubernetes/nginx/ks.yaml index ddb10afb0..f6f3915f5 100644 --- a/kubernetes/apps/network/nginx/ks.yaml +++ b/.archive/kubernetes/nginx/ks.yaml @@ -2,34 +2,6 @@ # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization -metadata: - name: &app nginx-certificates - namespace: &namespace network -spec: - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: cert-manager - namespace: cert-manager - interval: 1h - path: ./kubernetes/apps/network/nginx/certificates - postBuild: - substitute: - APP: *app - prune: true - retryInterval: 2m - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - targetNamespace: *namespace - timeout: 5m - wait: false ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization metadata: name: &app nginx-external namespace: &namespace network diff --git a/kubernetes/apps/default/atuin/app/helmrelease.yaml b/kubernetes/apps/default/atuin/app/helmrelease.yaml index 9c110d92f..00c96bc22 100644 
--- a/kubernetes/apps/default/atuin/app/helmrelease.yaml +++ b/kubernetes/apps/default/atuin/app/helmrelease.yaml @@ -73,26 +73,12 @@ spec: hostnames: ["sh.${SECRET_EXTERNAL_DOMAIN}"] parentRefs: - name: internal - namespace: kube-system + namespace: network sectionName: https rules: - backendRefs: - - name: app + - name: *app port: *port - # ingress: - # app: - # enabled: true - # className: internal - # hosts: - # - host: &host "sh.${SECRET_EXTERNAL_DOMAIN}" - # paths: - # - path: / - # service: - # identifier: app - # port: http - # tls: - # - hosts: - # - *host persistence: config: existingClaim: atuin diff --git a/kubernetes/apps/default/authelia/app/config/configuration.yaml b/kubernetes/apps/default/authelia/app/config/configuration.yaml index 097b2266f..264f16050 100644 --- a/kubernetes/apps/default/authelia/app/config/configuration.yaml +++ b/kubernetes/apps/default/authelia/app/config/configuration.yaml @@ -83,15 +83,6 @@ identity_providers: clients: # Genereate client_secret # https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret - - client_id: freshrss - client_name: freshrss - client_secret: '{{ secret "/config/secret/FRESHRSS_OAUTH_DIGEST" }}' - public: false - authorization_policy: two_factor - redirect_uris: ["https://freshrss.${SECRET_EXTERNAL_DOMAIN}:443/i/oidc/"] - scopes: [openid, profile, groups, email] - userinfo_signed_response_alg: none - token_endpoint_auth_method: client_secret_basic - client_name: grafana client_id: grafana client_secret: '{{ secret "/config/secret/GRAFANA_OAUTH_DIGEST" }}' 
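Review bot: Moving the parentRef to `namespace: network` makes this a cross-namespace attachment, so the `internal` Gateway's `https` listener must have `allowedRoutes.namespaces.from` set to `All` or to a selector that includes `default`; the live Gateway is not in this chunk (the archived copy used `from: All`), so confirm it before relying on the route. The `name: app` to `name: *app` change looks right, since a literal `app` presumably matched no Service. The same cross-namespace listener check applies to the new routes in bazarr, exercisediary, flood, freshrss and frigate, which all attach to `internal` in `network`.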
@@ -142,20 +133,3 @@ identity_providers: scopes: [openid, profile, groups, email] redirect_uris: ['https://paperless.${SECRET_EXTERNAL_DOMAIN}/accounts/oidc/authelia/login/callback'] userinfo_signed_response_alg: none - - client_id: pgadmin - client_name: pgAdmin - client_secret: '{{ secret "/config/secret/PGADMIN_OAUTH_DIGEST" }}' - public: false - authorization_policy: two_factor - pre_configured_consent_duration: 1y - scopes: [openid, profile, email] - redirect_uris: ['https://pgadmin.${SECRET_EXTERNAL_DOMAIN}/oauth2/authorize'] - userinfo_signed_response_alg: none - token_endpoint_auth_method: client_secret_basic - - client_id: windmill - client_name: Windmill - client_secret: '{{ secret "/config/secret/WINDMILL_OAUTH_DIGEST" }}' - authorization_policy: two_factor - redirect_uris: ['https://windmill.${SECRET_EXTERNAL_DOMAIN}/user/login_callback/authelia'] - scopes: [openid, profile, groups, email] - userinfo_signed_response_alg: none diff --git a/kubernetes/apps/default/authelia/app/externalsecret.yaml b/kubernetes/apps/default/authelia/app/externalsecret.yaml index d66a2f17a..fea42babc 100644 --- a/kubernetes/apps/default/authelia/app/externalsecret.yaml +++ b/kubernetes/apps/default/authelia/app/externalsecret.yaml 
@@ -22,22 +22,16 @@ spec: # AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost # AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false" OIDC_JWKS_KEY: "{{ .OIDC_JWKS_KEY }}" - FRESHRSS_OAUTH_CLIENT_SECRET: "{{ .FRESHRSS_OAUTH_CLIENT_SECRET }}" - FRESHRSS_OAUTH_DIGEST: "{{ .FRESHRSS_OAUTH_DIGEST }}" GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}" GRAFANA_OAUTH_DIGEST: "{{ .GRAFANA_OAUTH_DIGEST }}" OUTLINE_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}" OUTLINE_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}" JELLYFIN_OAUTH_CLIENT_SECRET: "{{ .JELLYFIN_OAUTH_CLIENT_SECRET }}" JELLYFIN_OAUTH_DIGEST: "{{ .JELLYFIN_OAUTH_DIGEST }}" - PGADMIN_OAUTH_CLIENT_SECRET: "{{ .PGADMIN_OAUTH_CLIENT_SECRET }}" - PGADMIN_OAUTH_DIGEST: "{{ .PGADMIN_OAUTH_DIGEST }}" PAPERLESS_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}" PAPERLESS_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}" KOMGA_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}" KOMGA_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}" - WINDMILL_OAUTH_CLIENT_SECRET: "{{ .WINDMILL_OAUTH_CLIENT_SECRET }}" - WINDMILL_OAUTH_DIGEST: "{{ .WINDMILL_OAUTH_DIGEST }}" SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}" dataFrom: - extract: diff --git a/kubernetes/apps/default/authelia/app/helmrelease.yaml b/kubernetes/apps/default/authelia/app/helmrelease.yaml index eb4322748..97b3257d6 100644 --- a/kubernetes/apps/default/authelia/app/helmrelease.yaml +++ b/kubernetes/apps/default/authelia/app/helmrelease.yaml 
@@ -94,34 +94,45 @@ spec: path: /metrics interval: 1m scrapeTimeout: 10s - ingress: - app: - enabled: true - className: external - annotations: - nginx.ingress.kubernetes.io/configuration-snippet: | - add_header Cache-Control "no-store"; - add_header Pragma "no-cache"; - add_header X-Frame-Options "SAMEORIGIN"; - add_header X-XSS-Protection "1; mode=block"; - gethomepage.dev/enabled: "true" - gethomepage.dev/group: Infrastructure - gethomepage.dev/name: Authelia - gethomepage.dev/icon: authelia.png - gethomepage.dev/pod-selector: >- - app in ( - authelia - ) - hosts: - - host: &host auth.${SECRET_EXTERNAL_DOMAIN} - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host + # ingress: + # app: + # enabled: true + # className: external + # annotations: + # nginx.ingress.kubernetes.io/configuration-snippet: | + # add_header Cache-Control "no-store"; + # add_header Pragma "no-cache"; + # add_header X-Frame-Options "SAMEORIGIN"; + # add_header X-XSS-Protection "1; mode=block"; + # gethomepage.dev/enabled: "true" + # gethomepage.dev/group: Infrastructure + # gethomepage.dev/name: Authelia9091 + # gethomepage.dev/icon: authelia.png + # gethomepage.dev/pod-selector: >- + # app in ( + # authelia + # ) + # hosts: + # - host: &host auth.${SECRET_EXTERNAL_DOMAIN} + # paths: + # - path: / + # service: + # identifier: app + # port: http + # tls: + # - hosts: + # - *host + route: + main: + hostnames: ["auth.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: external + namespace: network + sectionName: https + rules: + - backendRefs: + - name: *app + port: *port persistence: config: enabled: true diff --git a/kubernetes/apps/default/authelia/app/kustomization.yaml b/kubernetes/apps/default/authelia/app/kustomization.yaml index 7b2c604f2..c0298dd92 100644 --- a/kubernetes/apps/default/authelia/app/kustomization.yaml +++ b/kubernetes/apps/default/authelia/app/kustomization.yaml 
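Review bot: The new `route.main` drops the response headers the removed ingress snippet set (`Cache-Control: no-store`, `Pragma: no-cache`, `X-Frame-Options: SAMEORIGIN`), and nothing in the new rule restores them, so unless Authelia emits these itself the login portal loses its anti-caching and clickjacking protection at the edge; a `ResponseHeaderModifier` filter on the rule brings them back (X-XSS-Protection is obsolete in current browsers and can be left out). The commented-out `ingress:` block is kept rather than deleted and already carries a stray edit (`gethomepage.dev/name: Authelia9091`), so it is drifting from what was deployed; drop it. The backendRef uses `*port` but no `&port` anchor is visible in this hunk, so confirm one is defined earlier in the file. The enclosing values block continues outside the hunk.

```yaml
route:
  main:
    hostnames: ["auth.${SECRET_EXTERNAL_DOMAIN}"]
    # … unchanged: parentRefs …
    rules:
      - filters:
          - type: ResponseHeaderModifier
            responseHeaderModifier:
              set:
                - name: Cache-Control
                  value: no-store
                - name: Pragma
                  value: no-cache
                - name: X-Frame-Options
                  value: SAMEORIGIN
        backendRefs:
          - name: *app
            port: *port
```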
@@ -5,6 +5,7 @@ kind: Kustomization resources: - ./externalsecret.yaml - ./helmrelease.yaml + - ./referencegrant.yaml configMapGenerator: - name: authelia-configmap files: diff --git a/kubernetes/apps/default/authelia/app/referencegrant.yaml b/kubernetes/apps/default/authelia/app/referencegrant.yaml new file mode 100644 index 000000000..6f1244bce --- /dev/null +++ b/kubernetes/apps/default/authelia/app/referencegrant.yaml @@ -0,0 +1,30 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/referencegrant_v1beta1.json +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: ReferenceGrant +metadata: + name: authelia-to-default +spec: + from: + - group: gateway.envoyproxy.io + kind: SecurityPolicy + namespace: default + to: + - group: "" + kind: Service + name: authelia +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/referencegrant_v1beta1.json +apiVersion: gateway.networking.k8s.io/v1beta1 +kind: ReferenceGrant +metadata: + name: authelia-to-observability +spec: + from: + - group: gateway.envoyproxy.io + kind: SecurityPolicy + namespace: observability + to: + - group: "" + kind: Service + name: authelia diff --git a/kubernetes/apps/default/authelia/ks.yaml b/kubernetes/apps/default/authelia/ks.yaml index ab06f97da..206be74c5 100644 --- a/kubernetes/apps/default/authelia/ks.yaml +++ b/kubernetes/apps/default/authelia/ks.yaml @@ -16,6 +16,8 @@ spec: namespace: database - name: external-secrets-stores namespace: external-secrets + - name: gateway-api-crds + namespace: network components: - ../../../../components/gatus/external interval: 1h diff --git a/kubernetes/apps/default/bazarr/app/helmrelease.yaml b/kubernetes/apps/default/bazarr/app/helmrelease.yaml index 2038aa2bd..62af2340c 100644 --- a/kubernetes/apps/default/bazarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/bazarr/app/helmrelease.yaml 
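Review bot: The `authelia-to-default` ReferenceGrant allows `from` namespace `default` to a Service that this kustomization appears to place in `default` as well; same-namespace references never need a ReferenceGrant, so that document is a no-op unless the Kustomization's targetNamespace differs — confirm and drop it if so. The names also read as the reverse of the grant's direction (a ReferenceGrant lives in the target namespace and lists the namespaces allowed to reference into it), so `observability-to-authelia` would match the `from`/`to` semantics better. Limiting `from` to `kind: SecurityPolicy` and `to` to `name: authelia` is the right least-privilege shape and should be kept. The `gateway-api-crds` dependsOn added in ks.yaml is what makes the ReferenceGrant CRD available at apply time and looks correctly placed.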
@@ -86,31 +86,17 @@ spec: ports: http: port: *port - ingress: + route: app: - enabled: true - className: internal - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify - nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method - nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email - nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; - gethomepage.dev/enabled: "true" - gethomepage.dev/group: Media - gethomepage.dev/name: Bazarr - gethomepage.dev/icon: bazarr.png - - hosts: - - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host + hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: internal + namespace: network + sectionName: https + rules: + - backendRefs: + - name: *app + port: *port persistence: config: enabled: true diff --git a/kubernetes/apps/default/exercisediary/app/helmrelease.yaml b/kubernetes/apps/default/exercisediary/app/helmrelease.yaml index 8cb753f05..579c0fb19 100644 --- a/kubernetes/apps/default/exercisediary/app/helmrelease.yaml +++ b/kubernetes/apps/default/exercisediary/app/helmrelease.yaml 
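Review bot: The removed ingress carried the `nginx.ingress.kubernetes.io/auth-url` and `auth-signin` forward-auth annotations and the new `route.app` has no equivalent, so bazarr is reachable through the internal gateway with no edge authentication unless a SecurityPolicy is attached to the route. This commit adds `- ../../../../components/ext-auth` to the ks.yaml of exercisediary, flood and frigate, but no such change for bazarr appears in this chunk; if bazarr's ks.yaml is not updated elsewhere in the commit, add the component there as well. The same gap applies to freshrss, whose hunk also removes the `OIDC_*` env vars that provided Authelia SSO and whose ks.yaml is not in view either. The enclosing values block continues outside the hunk.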
@@ -42,35 +42,17 @@ spec: ports: http: port: *port - ingress: + route: app: - enabled: true - className: internal - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify - nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method - nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email - nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; - gethomepage.dev/enabled: "true" - gethomepage.dev/name: exercisediary - gethomepage.dev/description: Workout diary with GitHub-style year visualization. - gethomepage.dev/group: Applications - gethomepage.dev/icon: exercisediary.png - gethomepage.dev/pod-selector: >- - app in ( - exercisediary - ) - hosts: - - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" - paths: - - path: / - service: - identifier: app - port: *port - tls: - - hosts: - - *host + hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: internal + namespace: network + sectionName: https + rules: + - backendRefs: + - name: *app + port: *port persistence: config: enabled: true diff --git a/kubernetes/apps/default/exercisediary/ks.yaml b/kubernetes/apps/default/exercisediary/ks.yaml index 73ebabbe9..7e5004886 100644 --- a/kubernetes/apps/default/exercisediary/ks.yaml +++ b/kubernetes/apps/default/exercisediary/ks.yaml @@ -10,6 +10,7 @@ spec: labels: app.kubernetes.io/name: *app components: + - ../../../../components/ext-auth - ../../../../components/gatus/external - ../../../../components/volsync dependsOn: diff --git a/kubernetes/apps/default/flood/app/helmrelease.yaml b/kubernetes/apps/default/flood/app/helmrelease.yaml index adafa6e02..edf64cb4c 100644 --- a/kubernetes/apps/default/flood/app/helmrelease.yaml +++ b/kubernetes/apps/default/flood/app/helmrelease.yaml 
@@ -51,31 +51,18 @@ spec: controller: *app ports: http: - port: 3000 - ingress: + port: &port 3000 + route: app: - enabled: true - className: internal - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify - nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method - nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email - nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; - gethomepage.dev/enabled: "true" - gethomepage.dev/group: Media - gethomepage.dev/name: qBittorrent - gethomepage.dev/icon: qbittorrent.png - hosts: - - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host + hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: internal + namespace: network + sectionName: https + rules: + - backendRefs: + - name: *app + port: *port persistence: config: enabled: true diff --git a/kubernetes/apps/default/flood/ks.yaml b/kubernetes/apps/default/flood/ks.yaml index c7402c4ee..177dad791 100644 --- a/kubernetes/apps/default/flood/ks.yaml +++ b/kubernetes/apps/default/flood/ks.yaml @@ -16,6 +16,7 @@ spec: - name: volsync namespace: volsync components: + - ../../../../components/ext-auth - ../../../../components/gatus/guarded - ../../../../components/volsync interval: 1h diff --git a/kubernetes/apps/default/freshrss/app/helmrelease.yaml b/kubernetes/apps/default/freshrss/app/helmrelease.yaml index 0fdccf90a..865eb49b0 100644 --- a/kubernetes/apps/default/freshrss/app/helmrelease.yaml +++ b/kubernetes/apps/default/freshrss/app/helmrelease.yaml 
@@ -32,12 +32,6 @@ spec:
TZ: ${TIMEZONE}
CRON_MIN: 18,48
DOMAIN: "https://freshrss.${SECRET_EXTERNAL_DOMAIN}/"
- OIDC_ENABLED: 1
- OIDC_PROVIDER_METADATA_URL: https://auth.${SECRET_EXTERNAL_DOMAIN}/.well-known/openid-configuration
- OIDC_CLIENT_ID: freshrss
- OIDC_REMOTE_USER_CLAIM: preferred_username
- OIDC_SCOPES: openid groups email profile
- OIDC_X_FORWARDED_HEADERS: X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto
envFrom:
- secretRef:
name: freshrss-secret
@@ -50,32 +44,18 @@ spec:
controller: *app
ports:
http:
- port: 80
- ingress:
+ port: &port 80
+ route:
app:
- enabled: true
- className: internal
- annotations:
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: FreshRSS
- gethomepage.dev/description: Developer platform to turn scripts into workflows and UIs
- gethomepage.dev/group: Applications
- gethomepage.dev/icon: freshrss.png
- gethomepage.dev/href: https://windmill.${SECRET_EXTERNAL_DOMAIN}
- gethomepage.dev/pod-selector: >-
- app in (
- freshrss
- )
- hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/frigate/app/helmrelease.yaml b/kubernetes/apps/default/frigate/app/helmrelease.yaml
index e46efd19e..7adbb8364 100644
--- a/kubernetes/apps/default/frigate/app/helmrelease.yaml
+++ b/kubernetes/apps/default/frigate/app/helmrelease.yaml
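Review bot: The six `OIDC_*` variables are removed in the first hunk with no visible replacement, so FreshRSS presumably drops back to its own built-in login for the route created in the second hunk, and unlike exercisediary and flood no `components/ext-auth` line for freshrss appears anywhere in this diff. If the intent is to front it with the gateway's external auth, freshrss's ks.yaml needs the same component line; if OIDC was meant to stay, the removal should be reverted rather than left to the application default. A one-line comment above `DOMAIN:` stating which authentication path is intended would keep the next reader from guessing. The enclosing `values:` map starts and ends outside both hunks.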
@@ -82,37 +82,18 @@ spec:
port: *port
rtsp:
enabled: true
- port: 8554
- ingress:
+ port: &port 8554
+ route:
app:
- enabled: true
- annotations:
- nginx.ingress.kubernetes.io/auth-method: GET
- nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
- nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
- nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
- nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: Frigate
- gethomepage.dev/description: NVR with realtime local object detection for IP cameras
- gethomepage.dev/group: Applications
- gethomepage.dev/icon: frigate.png
- gethomepage.dev/href: https://frigate.${SECRET_EXTERNAL_DOMAIN}
- gethomepage.dev/pod-selector: >-
- app in (
- frigate
- )
- className: internal
- hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/frigate/ks.yaml b/kubernetes/apps/default/frigate/ks.yaml
index 90b8cda71..06ba3a861 100644
--- a/kubernetes/apps/default/frigate/ks.yaml
+++ b/kubernetes/apps/default/frigate/ks.yaml
@@ -15,6 +15,7 @@ spec:
- name: node-feature-discovery-rules
namespace: kube-system
components:
+ - ../../../../components/ext-auth
- ../../../../components/gatus/guarded
- ../../../../components/volsync
interval: 1h
diff --git a/kubernetes/apps/default/home-assistant/app/helmrelease.yaml b/kubernetes/apps/default/home-assistant/app/helmrelease.yaml
index bef13d4cd..8beb4e7e1 100644
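Review bot: `port: &port 8554` on the rtsp port re-binds the `port` anchor that the http port above already aliases (`port: *port` in the context line), and YAML resolves an alias to the most recent anchor defined before it, so the new `backendRefs` entry `port: *port` routes the web hostname to 8554 (RTSP) instead of the http port. Give the RTSP port its own anchor, `port: &rtspPort 8554`, or write the backend port explicitly, so `*port` in the route keeps pointing at the http port. The removed forward-auth annotations are matched by the `components/ext-auth` line added to frigate's ks.yaml in the next hunk.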
--- a/kubernetes/apps/default/home-assistant/app/helmrelease.yaml
+++ b/kubernetes/apps/default/home-assistant/app/helmrelease.yaml
@@ -64,21 +64,18 @@ spec:
externalTrafficPolicy: Local
ports:
http:
- port: 8123
- ingress:
+ port: &port 8123
+ route:
app:
- enabled: true
- className: internal
- hosts:
- - host: &host "hass.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["hass.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/home-assistant/code/helmrelease.yaml b/kubernetes/apps/default/home-assistant/code/helmrelease.yaml
index abf3f93a6..518cbcb73 100644
--- a/kubernetes/apps/default/home-assistant/code/helmrelease.yaml
+++ b/kubernetes/apps/default/home-assistant/code/helmrelease.yaml
@@ -63,21 +63,18 @@ spec:
controller: *app
ports:
http:
- port: 8888
- ingress:
+ port: &port 8888
+ route:
app:
- enabled: true
- className: internal
- hosts:
- - host: &host hass-code.${SECRET_EXTERNAL_DOMAIN}
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["hass-code.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/homebox/app/helmrelease.yaml b/kubernetes/apps/default/homebox/app/helmrelease.yaml
index a280c7d01..27608bf21 100644
--- a/kubernetes/apps/default/homebox/app/helmrelease.yaml
+++ b/kubernetes/apps/default/homebox/app/helmrelease.yaml
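Review bot: Home Assistant checks the proxy that sets `X-Forwarded-For` against its own `http.trusted_proxies` list, and with this hunk the proxy in front of it changes from the nginx ingress controller to the gateway pods in the `network` namespace; if that list was written for the ingress controller's addresses, requests through the new route will presumably be refused or attributed to the gateway address until the gateway pod range is trusted instead (the exact behaviour depends on `use_x_forwarded_for`, which is not in this diff). That setting lives in the application's configuration rather than in this HelmRelease, so it cannot be checked here. The `externalTrafficPolicy: Local` context line suggests a direct LoadBalancer path also exists, which this change does not touch.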
@@ -41,31 +41,18 @@ spec:
controller: *app
ports:
http:
- port: 7745
- ingress:
+ port: &port 7745
+ route:
app:
- enabled: true
- className: internal
- annotations:
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: Homebox
- gethomepage.dev/description: Inventory and organization system built for the Home User
- gethomepage.dev/group: Applications
- gethomepage.dev/icon: homebox.png
- gethomepage.dev/pod-selector: >-
- app in (
- homebox
- )
- hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/jellyfin/app/helmrelease.yaml b/kubernetes/apps/default/jellyfin/app/helmrelease.yaml
index 61ff6670c..39df0f297 100644
--- a/kubernetes/apps/default/jellyfin/app/helmrelease.yaml
+++ b/kubernetes/apps/default/jellyfin/app/helmrelease.yaml
@@ -96,21 +96,18 @@ spec:
externalTrafficPolicy: Local
ports:
http:
- port: 8096
- ingress:
+ port: &port 8096
+ route:
app:
- enabled: true
- className: external
- hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: external
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/jellyseerr/app/helmrelease.yaml b/kubernetes/apps/default/jellyseerr/app/helmrelease.yaml
index 5c19c3a2e..9643db9c9 100644
--- a/kubernetes/apps/default/jellyseerr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/jellyseerr/app/helmrelease.yaml
@@ -69,23 +69,17 @@ spec:
ports:
http:
port: *port
- ingress:
+ route:
app:
- enabled: true
- className: external
- hosts:
- - host: &host1 "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
- paths: &paths
- - path: /
- service:
- identifier: app
- port: http
- - host: &host2 requests.${SECRET_EXTERNAL_DOMAIN}
- paths: *paths
- tls:
- - hosts:
- - *host1
- - *host2
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}","requests.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
existingClaim: *app
diff --git a/kubernetes/apps/default/joplin/app/helmrelease.yaml b/kubernetes/apps/default/joplin/app/helmrelease.yaml
index fcb0a6247..7749721d6 100644
--- a/kubernetes/apps/default/joplin/app/helmrelease.yaml
+++ b/kubernetes/apps/default/joplin/app/helmrelease.yaml
@@ -51,27 +51,14 @@ spec:
ports:
http:
port: *port
- ingress:
+ route:
app:
- enabled: true
- className: external
- annotations:
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: Joplin
- gethomepage.dev/description: Secure note taking and to-do app with synchronisation capabilities
- gethomepage.dev/group: Applications
- gethomepage.dev/icon: joplin.png
- gethomepage.dev/pod-selector: >-
- app in (
- joplin
- )
- hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: external
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
diff --git a/kubernetes/apps/default/komga/app/helmrelease.yaml b/kubernetes/apps/default/komga/app/helmrelease.yaml
index 898814169..caeeb0430 100644
--- a/kubernetes/apps/default/komga/app/helmrelease.yaml
+++ b/kubernetes/apps/default/komga/app/helmrelease.yaml
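Review bot: The jellyseerr route attaches to `name: internal` while the ingress it replaces used `className: external`, and the second hostname `requests.${SECRET_EXTERNAL_DOMAIN}` reads like a public entry point, so this looks more like a copy-paste from the other hunks than a deliberate exposure change; most apps in this diff keep their previous class (joplin in the next hunk stays `external`; sharry later makes the same external-to-internal switch). If moving it behind the internal gateway is intended, a one-line comment above `parentRefs` saying so would stop the next reader from flipping it back. Style: the flow list is missing the space after the comma, `hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}", "requests.${SECRET_EXTERNAL_DOMAIN}"]`.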
@@ -42,30 +42,17 @@ spec:
ports:
http:
port: *port
- ingress:
+ route:
app:
- enabled: true
- className: internal
- annotations:
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: Komga
- gethomepage.dev/description: Media server for comics/mangas/BDs/magazines/eBooks with API and OPDS support
- gethomepage.dev/group: Media
- gethomepage.dev/icon: komga.png
- gethomepage.dev/pod-selector: >-
- app in (
- komga
- )
- hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/kustomization.yaml b/kubernetes/apps/default/kustomization.yaml
index 187a0f870..23fb6ef69 100644
--- a/kubernetes/apps/default/kustomization.yaml
+++ b/kubernetes/apps/default/kustomization.yaml
@@ -9,7 +9,6 @@ resources:
- ./atuin/ks.yaml
- ./authelia/ks.yaml
- ./bazarr/ks.yaml
- - ./calibre/ks.yaml
- ./exercisediary/ks.yaml
- ./flaresolverr/ks.yaml
- ./flood/ks.yaml
@@ -18,7 +17,6 @@ resources:
- ./home-assistant/ks.yaml
- ./homebox/ks.yaml
- ./homelab/ks.yaml
- - ./homepage/ks.yaml
- ./jellyfin/ks.yaml
- ./jellyseerr/ks.yaml
- ./joplin/ks.yaml
diff --git a/kubernetes/apps/default/libmedium/app/helmrelease.yaml b/kubernetes/apps/default/libmedium/app/helmrelease.yaml
index 1e4d72733..f03abe64d 100644
--- a/kubernetes/apps/default/libmedium/app/helmrelease.yaml
+++ b/kubernetes/apps/default/libmedium/app/helmrelease.yaml
@@ -37,36 +37,18 @@ spec:
controller: *app
ports:
http:
- port: 7000
- ingress:
+ port: &port 7000
+ route:
app:
- enabled: true
- className: external
- annotations:
- nginx.ingress.kubernetes.io/auth-method: GET
- nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
- nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
- nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
- nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: Libmedium
- gethomepage.dev/description: Medium.com
- gethomepage.dev/group: Alternative Frontends
- gethomepage.dev/icon: medium.png
- gethomepage.dev/pod-selector: >-
- app in (
- libmedium
- )
- hosts:
- - host: &host "libmedium.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: external
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/libmedium/ks.yaml b/kubernetes/apps/default/libmedium/ks.yaml
index 9a004a3c3..fb14d279e 100644
--- a/kubernetes/apps/default/libmedium/ks.yaml
+++ b/kubernetes/apps/default/libmedium/ks.yaml
@@ -10,6 +10,7 @@ spec:
labels:
app.kubernetes.io/name: *app
components:
+ - ../../../../components/ext-auth
- ../../../../components/gatus/external
dependsOn:
- name: external-secrets-stores
diff --git a/kubernetes/apps/default/lidarr/app/helmrelease.yaml b/kubernetes/apps/default/lidarr/app/helmrelease.yaml
index 3be75d9e6..8772e6527 100644
--- a/kubernetes/apps/default/lidarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/lidarr/app/helmrelease.yaml
@@ -39,6 +39,8 @@ spec:
TZ: "${TIMEZONE}"
LIDARR__APP__INSTANCENAME: Lidarr
LIDARR__SERVER__PORT: &port 8080
+ LIDARR__AUTH__METHOD: External
+ LIDARR__AUTH__REQUIRED: DisabledForLocalAddresses
LIDARR__LOG__LEVEL: info
PUSHOVER_APP_URL: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
PUSHOVER_PRIORITY: "0"
@@ -59,26 +61,17 @@ spec:
ports:
http:
port: *port
- ingress:
+ route:
app:
- enabled: true
- className: internal
- annotations:
- nginx.ingress.kubernetes.io/auth-method: GET
- nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
- nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
- nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
- nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
- hosts:
- - host: *host
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/linkding/app/helmrelease.yaml b/kubernetes/apps/default/linkding/app/helmrelease.yaml
index 92764558f..e04ee6182 100644
--- a/kubernetes/apps/default/linkding/app/helmrelease.yaml
+++ b/kubernetes/apps/default/linkding/app/helmrelease.yaml
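Review bot: `LIDARR__AUTH__METHOD: External` hands authentication to whatever proxy sits in front of the app, and `LIDARR__AUTH__REQUIRED: DisabledForLocalAddresses` additionally skips it for clients Lidarr classifies as local, which through the new route is the gateway pods' cluster-internal address range unless Lidarr derives the client address from a forwarded-for header; so once the second hunk removes the Authelia forward-auth annotations, the route is the only place authentication can still be enforced. No `components/ext-auth` line for lidarr appears in this diff, unlike exercisediary, flood, frigate, libmedium and redlib, and the same gap applies to navidrome, prowlarr, radarr-archive, radarr, readeck and sonarr further down: either those ks.yaml changes live outside this chunk, or these routes go live without the authentication layer the annotations provided. `Enabled` is the safer value for `LIDARR__AUTH__REQUIRED` when the proxy is meant to gate every request. Minor: the new hostname repeats the `&host` anchor defined on `PUSHOVER_APP_URL`; `hostnames: [*host]` keeps the two in sync.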
@@ -55,30 +55,17 @@ spec:
ports:
http:
port: *port
- ingress:
+ route:
app:
- enabled: true
- className: internal
- annotations:
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: Linkding
- gethomepage.dev/description: Bookmark manager that is designed be to be minimal and fast
- gethomepage.dev/group: Applications
- gethomepage.dev/icon: linkding.png
- gethomepage.dev/pod-selector: >-
- app in (
- linkding
- )
- hosts:
- - host: &host "links.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["links.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/lldap/app/helmrelease.yaml b/kubernetes/apps/default/lldap/app/helmrelease.yaml
index d7aab222a..5ba7a64c7 100644
--- a/kubernetes/apps/default/lldap/app/helmrelease.yaml
+++ b/kubernetes/apps/default/lldap/app/helmrelease.yaml
@@ -54,30 +54,17 @@ spec:
ldap:
enabled: true
port: *ldapPort
- ingress:
+ route:
app:
- enabled: true
- annotations:
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: lldap
- gethomepage.dev/description: Light LDAP implementation
- gethomepage.dev/group: Infrastructure
- gethomepage.dev/icon: lldap.png
- gethomepage.dev/pod-selector: >-
- app in (
- lldap
- )
- className: internal
- hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
data:
type: emptyDir
diff --git a/kubernetes/apps/default/lms/app/helmrelease.yaml b/kubernetes/apps/default/lms/app/helmrelease.yaml
index df1ae2b69..edef94019 100644
--- a/kubernetes/apps/default/lms/app/helmrelease.yaml
+++ b/kubernetes/apps/default/lms/app/helmrelease.yaml
@@ -44,7 +44,7 @@ spec:
externalTrafficPolicy: Local
ports:
http:
- port: 9000
+ port: &port 9000
cli:
enabled: true
port: 9090
@@ -57,30 +57,17 @@ spec:
enabled: true
port: 3483
protocol: UDP
- ingress:
+ route:
app:
- enabled: true
- className: internal
- annotations:
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: Lyrion Music Server
- gethomepage.dev/description: Stream not only your local music collection, but content from many music services and internet radio stations to your players.
- gethomepage.dev/group: Applications
- gethomepage.dev/icon: lms.png
- gethomepage.dev/pod-selector: >-
- app in (
- lms
- )
- hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/lychee/app/helmrelease.yaml b/kubernetes/apps/default/lychee/app/helmrelease.yaml
index 03ac9c811..9b1d87e8b 100644
--- a/kubernetes/apps/default/lychee/app/helmrelease.yaml
+++ b/kubernetes/apps/default/lychee/app/helmrelease.yaml
@@ -72,30 +72,17 @@ spec:
ports:
http:
port: *port
- ingress:
+ route:
app:
- enabled: true
- className: external
- annotations:
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: Lychee
- gethomepage.dev/description: Photo-management tool.
- gethomepage.dev/group: Media
- gethomepage.dev/icon: lychee.png
- gethomepage.dev/pod-selector: >-
- app in (
- lychee
- )
- hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: external
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/navidrome/app/helmrelease.yaml b/kubernetes/apps/default/navidrome/app/helmrelease.yaml
index 06ef1f44c..bc5f76bf2 100644
--- a/kubernetes/apps/default/navidrome/app/helmrelease.yaml
+++ b/kubernetes/apps/default/navidrome/app/helmrelease.yaml
@@ -54,35 +54,17 @@ spec:
ports:
http:
port: *port
- ingress:
+ route:
app:
- enabled: true
- className: external
- annotations:
- nginx.ingress.kubernetes.io/auth-method: GET
- nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
- nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
- nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
- nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: Navidrome
- gethomepage.dev/description: Modern music server and streamer compatible with subsonic/airsonic.
- gethomepage.dev/group: Media
- gethomepage.dev/icon: Navidrome.png
- gethomepage.dev/pod-selector: >-
- app in (
- navidrome
- )
- hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: external
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/opengist/app/helmrelease.yaml b/kubernetes/apps/default/opengist/app/helmrelease.yaml
index 9b0d0653b..5d71b7c19 100644
--- a/kubernetes/apps/default/opengist/app/helmrelease.yaml
+++ b/kubernetes/apps/default/opengist/app/helmrelease.yaml
@@ -67,32 +67,20 @@ spec:
controller: *app
ports:
http:
- port: 6157
+ port: &port 6157
# ssh:
# port: 2222
- ingress:
+ route:
app:
- className: internal
- annotations:
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: Opengist
- gethomepage.dev/description: Photo-management tool.
- gethomepage.dev/group: Applications
- gethomepage.dev/icon: opengist.png
- gethomepage.dev/pod-selector: >-
- app in (
- opengist
- )
- hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- pathType: Prefix
- service:
- identifier: app
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
type: configMap
diff --git a/kubernetes/apps/default/outline/app/helmrelease.yaml b/kubernetes/apps/default/outline/app/helmrelease.yaml
index 924bed1a4..0cb98e1a7 100644
--- a/kubernetes/apps/default/outline/app/helmrelease.yaml
+++ b/kubernetes/apps/default/outline/app/helmrelease.yaml
@@ -75,28 +75,15 @@ spec:
controller: *app
ports:
http:
- port: 8080
- ingress:
+ port: &port 8080
+ route:
app:
- enabled: true
- className: internal
- annotations:
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: Outline
- gethomepage.dev/description: A fast, collaborative, knowledge base.
- gethomepage.dev/group: Applications
- gethomepage.dev/icon: outline.png
- gethomepage.dev/pod-selector: >-
- app in (
- outline
- )
- hosts:
- - host: &host "docs.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["docs.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
diff --git a/kubernetes/apps/default/paperless/app/helmrelease.yaml b/kubernetes/apps/default/paperless/app/helmrelease.yaml
index 7ef947239..34c0845df 100644
--- a/kubernetes/apps/default/paperless/app/helmrelease.yaml
+++ b/kubernetes/apps/default/paperless/app/helmrelease.yaml
@@ -60,31 +60,18 @@ spec:
controller: *app
ports:
http:
- port: 8000
- ingress:
+ port: &port 8000
+ route:
app:
- enabled: true
- className: internal
- annotations:
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: Paperless
- gethomepage.dev/description: Document management system that transform physical documents into a searchable online archive.
- gethomepage.dev/group: Applications
- gethomepage.dev/icon: paperless.png
- gethomepage.dev/pod-selector: >-
- app in (
- paperless
- )
- hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
data:
enabled: true
diff --git a/kubernetes/apps/default/prowlarr/app/helmrelease.yaml b/kubernetes/apps/default/prowlarr/app/helmrelease.yaml
index 4ae9c35d7..5f3bd07d0 100644
--- a/kubernetes/apps/default/prowlarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/prowlarr/app/helmrelease.yaml
@@ -55,35 +55,17 @@ spec:
ports:
http:
port: *port
- ingress:
+ route:
app:
- enabled: true
- className: internal
- annotations:
- nginx.ingress.kubernetes.io/auth-method: GET
- nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
- nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
- nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
- nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: Prowlarr
- gethomepage.dev/description: Torrent and Usenet Indexer manager/proxy.
- gethomepage.dev/group: Media
- gethomepage.dev/icon: prowlarr.png
- gethomepage.dev/pod-selector: >-
- app in (
- prowlarr
- )
- hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml b/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml
index 278de0571..c283e3cb6 100644
--- a/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml
+++ b/kubernetes/apps/default/qbittorrent/app/helmrelease.yaml
@@ -59,20 +59,17 @@ spec:
protocol: TCP
targetPort: *port-bt
externalTrafficPolicy: Local
- ingress:
+ route:
app:
- enabled: true
- className: internal
- hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/radarr-archive/app/helmrelease.yaml b/kubernetes/apps/default/radarr-archive/app/helmrelease.yaml
index 145414e83..86b7160c7 100644
--- a/kubernetes/apps/default/radarr-archive/app/helmrelease.yaml
+++ b/kubernetes/apps/default/radarr-archive/app/helmrelease.yaml
@@ -65,26 +65,17 @@ spec:
ports:
http:
port: *port
- ingress:
+ route:
app:
- enabled: true
- className: internal
- annotations:
- nginx.ingress.kubernetes.io/auth-method: GET
- nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
- nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
- nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
- nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
- hosts:
- - host: *host
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/radarr/app/helmrelease.yaml b/kubernetes/apps/default/radarr/app/helmrelease.yaml
index c3171bbc2..a29bea42e 100644
--- a/kubernetes/apps/default/radarr/app/helmrelease.yaml
+++ b/kubernetes/apps/default/radarr/app/helmrelease.yaml
@@ -65,26 +65,17 @@ spec:
ports:
http:
port: *port
- ingress:
+ route:
app:
- enabled: true
- className: internal
- annotations:
- nginx.ingress.kubernetes.io/auth-method: GET
- nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
- nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
- nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
- nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
- hosts:
- - host: *host
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/readeck/app/helmrelease.yaml b/kubernetes/apps/default/readeck/app/helmrelease.yaml
index d083ab970..fd54dcad1 100644
--- a/kubernetes/apps/default/readeck/app/helmrelease.yaml
+++ b/kubernetes/apps/default/readeck/app/helmrelease.yaml
@@ -48,35 +48,17 @@ spec:
ports:
http:
port: *port
- ingress:
+ route:
app:
- enabled: true
- className: internal
- annotations:
- nginx.ingress.kubernetes.io/auth-method: GET
- nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
- nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
- nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
- nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: Readeck
- gethomepage.dev/description: Saves the precious readable content of web pages to keep forever.
- gethomepage.dev/group: Applications
- gethomepage.dev/icon: readeck.png
- gethomepage.dev/pod-selector: >-
- app in (
- readeck
- )
- hosts:
- - host: *host
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/redlib/app/helmrelease.yaml b/kubernetes/apps/default/redlib/app/helmrelease.yaml
index ab744e92f..8f16d2d20 100644
--- a/kubernetes/apps/default/redlib/app/helmrelease.yaml
+++ b/kubernetes/apps/default/redlib/app/helmrelease.yaml
@@ -51,32 +51,14 @@ spec:
ports:
http:
port: *port
- ingress:
+ route:
app:
- enabled: true
- className: external
- annotations:
- nginx.ingress.kubernetes.io/auth-method: GET
- nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
- nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
- nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
- nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: Redlib
- gethomepage.dev/description: Reddit.com
- gethomepage.dev/group: Alternative Frontends
- gethomepage.dev/icon: redlib.png
- gethomepage.dev/pod-selector: >-
- app in (
- redlib
- )
- hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: external
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
diff --git a/kubernetes/apps/default/redlib/ks.yaml b/kubernetes/apps/default/redlib/ks.yaml
index e6e532e7f..0ac4beabf 100644
--- a/kubernetes/apps/default/redlib/ks.yaml
+++ b/kubernetes/apps/default/redlib/ks.yaml
@@ -10,6 +10,7 @@ spec:
labels:
app.kubernetes.io/name: *app
components:
+ - ../../../../components/ext-auth
- ../../../../components/gatus/external
interval: 1h
path: ./kubernetes/apps/default/redlib/app
diff --git a/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml b/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml
index 4ef00534b..182da98b9 100644
--- a/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml
+++ b/kubernetes/apps/default/sabnzbd/app/helmrelease.yaml
@@ -78,35 +78,17 @@ spec:
ports:
http:
port: *port
- ingress:
+ route:
app:
- enabled: true
- className: internal
- annotations:
- # nginx.ingress.kubernetes.io/auth-method: GET
- # nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify
- # nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method
- # nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
- # nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method;
- gethomepage.dev/enabled: "true"
- gethomepage.dev/name: SABnzbd
- gethomepage.dev/description: Automated Usenet download tool.
- gethomepage.dev/group: Applications
- gethomepage.dev/icon: sabnzbd.png
- gethomepage.dev/pod-selector: >-
- app in (
- sabnzbd
- )
- hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
- service:
- identifier: app
- port: http
- tls:
- - hosts:
- - *host
+ hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"]
+ parentRefs:
+ - name: internal
+ namespace: network
+ sectionName: https
+ rules:
+ - backendRefs:
+ - name: *app
+ port: *port
persistence:
config:
enabled: true
diff --git a/kubernetes/apps/default/sharry/app/helmrelease.yaml b/kubernetes/apps/default/sharry/app/helmrelease.yaml
index 5fb2a0334..86a0819d5 100644
--- a/kubernetes/apps/default/sharry/app/helmrelease.yaml
+++ b/kubernetes/apps/default/sharry/app/helmrelease.yaml
@@ -43,32 +43,18 @@ spec: controller: *app ports: http: - port: 9090 - ingress: + port: &port 9090 + route: app: - enabled: true - className: external - annotations: - nginx.ingress.kubernetes.io/proxy-body-size: "0" - gethomepage.dev/enabled: "true" - gethomepage.dev/name: Sharry - gethomepage.dev/description: Share files with others in a simple way. - gethomepage.dev/group: Applications - gethomepage.dev/icon: sharry.png - gethomepage.dev/pod-selector: >- - app in ( - sharry - ) - hosts: - - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host + hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: internal + namespace: network + sectionName: https + rules: + - backendRefs: + - name: *app + port: *port persistence: config: enabled: true diff --git a/kubernetes/apps/default/sonarr/app/helmrelease.yaml b/kubernetes/apps/default/sonarr/app/helmrelease.yaml index 53af34166..054e52075 100644 --- a/kubernetes/apps/default/sonarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/sonarr/app/helmrelease.yaml 
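Review bot: sharry moves from `className: external` to `parentRefs: - name: internal`, which changes where it is published, whereas redlib and vaultwarden keep `external`; if outside reachability was meant to survive the migration the parentRef should be `external`, and either way the choice deserves a comment such as `# TODO: confirm intended exposure (was an external ingress)`. The dropped `nginx.ingress.kubernetes.io/proxy-body-size: "0"` lifted nginx's upload cap; as far as I can tell Envoy Gateway applies no body limit unless a policy sets one, but anything in front of the gateway on the external path may, so large uploads are worth re-testing after the switch.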
@@ -78,26 +78,17 @@ spec: ports: http: port: *port - ingress: + route: app: - enabled: true - className: internal - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify - nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method - nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email - nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; - hosts: - - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host + hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: internal + namespace: network + sectionName: https + rules: + - backendRefs: + - name: *app + port: *port persistence: config: enabled: true diff --git a/kubernetes/apps/default/tdarr/app/helmrelease.yaml b/kubernetes/apps/default/tdarr/app/helmrelease.yaml index be1e6e47d..d0a9ca712 100644 --- a/kubernetes/apps/default/tdarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/tdarr/app/helmrelease.yaml 
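Review bot: The authelia forward-auth annotations (`auth-url`, `auth-signin`, `auth-response-headers`) are removed from sonarr, but unlike redlib, tdarr and zigbee2mqtt there is no sonarr/ks.yaml hunk in this chunk adding `components/ext-auth`, so the sonarr route may now be served on the `internal` gateway with no authentication at the edge. If the component is added elsewhere in the commit this is fine; if not, add it or record the decision with a comment on `route.app`, e.g. `# no ext-auth: <reason>`.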
@@ -50,36 +50,18 @@ spec: server: enabled: true protocol: TCP - port: 8266 - ingress: + port: &port 8266 + route: app: - enabled: true - className: internal - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify - nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method - nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email - nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; - gethomepage.dev/enabled: "true" - gethomepage.dev/name: Tdarr - gethomepage.dev/description: Distributed transcode automation using FFmpeg/HandBrake + Audio/Video library analytics. - gethomepage.dev/group: Media - gethomepage.dev/icon: tdarr.png - gethomepage.dev/pod-selector: >- - app in ( - tdarr - ) - hosts: - - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host + hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: internal + namespace: network + sectionName: https + rules: + - backendRefs: + - name: *app + port: *port persistence: config: enabled: true diff --git a/kubernetes/apps/default/tdarr/ks.yaml b/kubernetes/apps/default/tdarr/ks.yaml index d37bd6a82..a1fe6de93 100644 --- a/kubernetes/apps/default/tdarr/ks.yaml +++ b/kubernetes/apps/default/tdarr/ks.yaml @@ -16,6 +16,7 @@ spec: - name: volsync namespace: volsync components: + - ../../../../components/ext-auth - ../../../../components/gatus/guarded - ../../../../components/volsync interval: 1h diff --git a/kubernetes/apps/default/unifi/app/helmrelease.yaml b/kubernetes/apps/default/unifi/app/helmrelease.yaml index 8ec55de41..699fffb54 100644 --- a/kubernetes/apps/default/unifi/app/helmrelease.yaml +++ b/kubernetes/apps/default/unifi/app/helmrelease.yaml 
@@ -47,7 +47,7 @@ spec: loadBalancerIP: 192.168.169.103 ports: http: - port: 8443 + port: &port 8443 protocol: HTTPS controller: enabled: true @@ -77,31 +77,17 @@ spec: enabled: true port: 10001 protocol: UDP - ingress: + route: app: - enabled: true - className: internal - annotations: - nginx.ingress.kubernetes.io/backend-protocol: HTTPS - gethomepage.dev/enabled: "true" - gethomepage.dev/name: Unifi - gethomepage.dev/description: Centralized enterprise-grade networking for home and business. - gethomepage.dev/group: Infrastructure - gethomepage.dev/icon: unifi.png - gethomepage.dev/pod-selector: >- - app in ( - unifi - ) - hosts: - - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host + hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: internal + namespace: network + sectionName: https + rules: + - backendRefs: + - name: *app + port: *port persistence: config: enabled: true diff --git a/kubernetes/apps/default/vaultwarden/app/helmrelease.yaml b/kubernetes/apps/default/vaultwarden/app/helmrelease.yaml index 011baa337..d83f81f47 100644 --- a/kubernetes/apps/default/vaultwarden/app/helmrelease.yaml +++ b/kubernetes/apps/default/vaultwarden/app/helmrelease.yaml 
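Review bot: The unifi backend still speaks HTTPS (`protocol: HTTPS` on the 8443 service port, which is why the removed `nginx.ingress.kubernetes.io/backend-protocol: HTTPS` annotation existed), but the new `backendRefs` entry gives Envoy no instruction to originate TLS, so the gateway will most likely send plaintext HTTP to port 8443 and the controller UI will fail behind the route. Unless the chart maps `protocol: HTTPS` to an `appProtocol` that Envoy Gateway treats as TLS, a `BackendTLSPolicy` targeting the unifi Service (with `validation.hostname` and the controller's CA) is needed; the gateway-api-crds health checks in this commit include `backendtlspolicies`, so the CRD is available. A comment on the backendRef such as `# backend is HTTPS on 8443 — TLS origination via BackendTLSPolicy` would make the dependency visible.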
@@ -60,30 +60,17 @@ spec: ports: http: port: &port 80 - ingress: + route: app: - enabled: true - className: external - annotations: - gethomepage.dev/enabled: "true" - gethomepage.dev/name: Vaultwarden - gethomepage.dev/description: Open-source password manager compatible with Bitwarden clients. - gethomepage.dev/group: Applications - gethomepage.dev/icon: vaultwarden.png - gethomepage.dev/pod-selector: >- - app in ( - vaultwarden - ) - hosts: - - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" - paths: - - path: / - service: - identifier: app - port: *port - tls: - - hosts: - - *host + hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: external + namespace: network + sectionName: https + rules: + - backendRefs: + - name: *app + port: *port persistence: config: enabled: true diff --git a/kubernetes/apps/default/vikunja/app/helmrelease.yaml b/kubernetes/apps/default/vikunja/app/helmrelease.yaml index 0b0345590..69f290c98 100644 --- a/kubernetes/apps/default/vikunja/app/helmrelease.yaml +++ b/kubernetes/apps/default/vikunja/app/helmrelease.yaml 
@@ -49,33 +49,18 @@ spec: controller: *app ports: http: - port: 3456 - ingress: + port: &port 3456 + route: app: - enabled: true - className: internal - annotations: - external-dns.alpha.kubernetes.io/enabled: "true" - external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}. - gethomepage.dev/enabled: "true" - gethomepage.dev/name: Vikunja - gethomepage.dev/description: Tasks and project management platform. - gethomepage.dev/group: Applications - gethomepage.dev/icon: vikunja.png - gethomepage.dev/pod-selector: >- - app in ( - vikunja - ) - hosts: - - host: *host - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host + hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: external + namespace: network + sectionName: https + rules: + - backendRefs: + - name: *app + port: *port persistence: config: enabled: true diff --git a/kubernetes/apps/default/webhook/app/helmrelease.yaml b/kubernetes/apps/default/webhook/app/helmrelease.yaml index 72339a8f7..6c596795c 100644 --- a/kubernetes/apps/default/webhook/app/helmrelease.yaml +++ b/kubernetes/apps/default/webhook/app/helmrelease.yaml @@ -56,20 +56,17 @@ spec: ports: http: port: *port - ingress: + route: app: - enabled: true - className: internal - hosts: - - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" - paths: - - path: / - service: - identifier: app - port: *port - tls: - - hosts: - - *host + hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: internal + namespace: network + sectionName: https + rules: + - backendRefs: + - name: *app + port: *port persistence: config: type: configMap diff --git a/kubernetes/apps/default/zigbee2mqtt/app/helmrelease.yaml b/kubernetes/apps/default/zigbee2mqtt/app/helmrelease.yaml index fa26e2a9a..13cfd862c 100644 --- a/kubernetes/apps/default/zigbee2mqtt/app/helmrelease.yaml +++ b/kubernetes/apps/default/zigbee2mqtt/app/helmrelease.yaml 
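Review bot: vikunja moves from `className: internal` to `parentRefs: - name: external`, which widens its exposure while every other `internal` app in this diff stays internal; if that is intentional it deserves a comment on the parentRef. The removed `external-dns.alpha.kubernetes.io/target: services.${SECRET_DOMAIN}.` annotation also means the host's DNS record now comes from the Gateway's annotations in gateway.yaml, so the target changes from `services.` to the external gateway's target. The old `- host: *host` aliased an `&host` anchor defined outside this hunk, which may now be unused and can be cleaned up.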
@@ -83,35 +83,17 @@ spec: ports: http: port: *port - ingress: + route: app: - enabled: true - className: internal - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify - nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method - nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email - nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; - gethomepage.dev/enabled: "true" - gethomepage.dev/name: Zigbee2mqtt - gethomepage.dev/description: Bridge for connecting Zigbee devices to MQTT networks. - gethomepage.dev/group: Applications - gethomepage.dev/icon: zigbee2mqtt.png - gethomepage.dev/pod-selector: >- - app in ( - zigbee2mqtt - ) - hosts: - - host: &host "zigbee.${SECRET_EXTERNAL_DOMAIN}" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host + hostnames: ["zigbee.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: internal + namespace: network + sectionName: https + rules: + - backendRefs: + - name: *app + port: *port persistence: config: enabled: true diff --git a/kubernetes/apps/default/zigbee2mqtt/ks.yaml b/kubernetes/apps/default/zigbee2mqtt/ks.yaml index a7dba3239..1bb0c5792 100644 --- a/kubernetes/apps/default/zigbee2mqtt/ks.yaml +++ b/kubernetes/apps/default/zigbee2mqtt/ks.yaml @@ -19,6 +19,7 @@ spec: - name: volsync namespace: volsync components: + - ../../../../components/ext-auth - ../../../../components/gatus/guarded - ../../../../components/volsync interval: 1h diff --git a/kubernetes/apps/kube-system/cilium/README.md b/kubernetes/apps/kube-system/cilium/README.md deleted file mode 100644 index 28b8f1ed4..000000000 --- a/kubernetes/apps/kube-system/cilium/README.md +++ /dev/null 
@@ -1,22 +0,0 @@ -# Cilium - -## UniFi BGP - -```sh -router bgp 64513 - bgp router-id 192.168.1.1 - no bgp ebgp-requires-policy - - neighbor k8s peer-group - neighbor k8s remote-as 64514 - - neighbor 192.168.42.10 peer-group k8s - neighbor 192.168.42.11 peer-group k8s - neighbor 192.168.42.12 peer-group k8s - - address-family ipv4 unicast - neighbor k8s next-hop-self - neighbor k8s soft-reconfiguration inbound - exit-address-family -exit -``` diff --git a/kubernetes/apps/kube-system/cilium/ks.yaml b/kubernetes/apps/kube-system/cilium/ks.yaml index 28a95b00f..21285503e 100644 --- a/kubernetes/apps/kube-system/cilium/ks.yaml +++ b/kubernetes/apps/kube-system/cilium/ks.yaml @@ -20,24 +20,3 @@ spec: targetNamespace: *namespace timeout: 5m wait: false ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app cilium-gateway - namespace: &namespace kube-system -spec: - commonMetadata: - labels: - app.kubernetes.io/name: *app - interval: 1h - path: ./kubernetes/apps/kube-system/cilium/gateway - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - targetNamespace: *namespace - timeout: 15m - wait: false diff --git a/kubernetes/apps/kube-system/gateway-api-crds/ks.yaml b/kubernetes/apps/kube-system/gateway-api-crds/ks.yaml deleted file mode 100644 index b8d819df4..000000000 --- a/kubernetes/apps/kube-system/gateway-api-crds/ks.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app gateway-api-crds - namespace: &namespace kube-system -spec: - commonMetadata: - labels: - app.kubernetes.io/name: *app - interval: 1h - path: ./kubernetes/apps/kube-system/gateway-api-crds/app - prune: true - retryInterval: 2m - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - targetNamespace: *namespace - timeout: 5m - wait: false diff --git a/kubernetes/apps/kube-system/kustomization.yaml b/kubernetes/apps/kube-system/kustomization.yaml index 65056fdc3..f28c60b31 100644 --- a/kubernetes/apps/kube-system/kustomization.yaml +++ b/kubernetes/apps/kube-system/kustomization.yaml @@ -10,7 +10,6 @@ resources: - ./coredns/ks.yaml - ./descheduler/ks.yaml - ./intel-device-plugin/ks.yaml - - ./gateway-api-crds/ks.yaml - ./kubelet-csr-approver/ks.yaml - ./metrics-server/ks.yaml - ./node-feature-discovery/ks.yaml diff --git a/kubernetes/apps/kube-system/gateway-api-crds/app/helmrelease.yaml b/kubernetes/apps/network/envoy-gateway/app/helmrelease.yaml similarity index 62% rename from kubernetes/apps/kube-system/gateway-api-crds/app/helmrelease.yaml rename to kubernetes/apps/network/envoy-gateway/app/helmrelease.yaml index ef134d460..344d2b243 100644 --- a/kubernetes/apps/kube-system/gateway-api-crds/app/helmrelease.yaml +++ b/kubernetes/apps/network/envoy-gateway/app/helmrelease.yaml 
@@ -3,30 +3,41 @@ apiVersion: source.toolkit.fluxcd.io/v1 kind: OCIRepository metadata: - name: gateway-api-crds + name: envoy-gateway spec: interval: 5m layerSelector: mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip operation: copy ref: - tag: 1.3.0 - url: oci://ghcr.io/wiremind/wiremind-helm-charts/gateway-api-crds + tag: 1.5.0 + url: oci://docker.io/envoyproxy/gateway-helm --- # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: gateway-api-crds + name: &app envoy-gateway spec: - interval: 1h + interval: 5m chartRef: kind: OCIRepository - name: gateway-api-crds + name: *app + driftDetection: + mode: warn install: remediation: retries: -1 + crds: CreateReplace upgrade: cleanupOnFail: true remediation: retries: 3 + crds: CreateReplace + values: + deployment: + envoyGateway: + rbac: + cluster: true + gateway: + controllerName: gateway.envoyproxy.io/gatewayclass-controller diff --git a/kubernetes/apps/kube-system/gateway-api-crds/app/kustomization.yaml b/kubernetes/apps/network/envoy-gateway/app/kustomization.yaml similarity index 70% rename from kubernetes/apps/kube-system/gateway-api-crds/app/kustomization.yaml rename to kubernetes/apps/network/envoy-gateway/app/kustomization.yaml index 17cbc72b2..778cafec9 100644 --- a/kubernetes/apps/kube-system/gateway-api-crds/app/kustomization.yaml +++ b/kubernetes/apps/network/envoy-gateway/app/kustomization.yaml @@ -3,4 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./helmrelease.yaml + - helmrelease.yaml + - podmonitor.yaml + - servicemonitor.yaml diff --git a/kubernetes/apps/network/envoy-gateway/app/podmonitor.yaml b/kubernetes/apps/network/envoy-gateway/app/podmonitor.yaml new file mode 100644 index 000000000..a27e4cedd --- /dev/null +++ b/kubernetes/apps/network/envoy-gateway/app/podmonitor.yaml 
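Review bot: The `envoy-gateway` HelmRelease installs CRDs with `crds: CreateReplace` on both install and upgrade, while the new gateway-api-crds Kustomization later in this diff applies the Gateway API experimental CRDs from a GitRepository with `prune: true`; if the 1.5.0 `gateway-helm` chart bundles Gateway API CRDs as well, two Flux objects own the same CRDs and will keep replacing each other's versions. Confirm what the chart's CRD bundle contains so that only one source manages the Gateway API CRDs. `rbac.cluster: true` and `driftDetection.mode: warn` are reasonable but undocumented; a one-line comment on each, e.g. `# cluster-scoped RBAC: the controller reconciles Gateways/Routes in every namespace`, would help the next reader.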
@@ -0,0 +1,20 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/podmonitor_v1.json +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: envoy-proxy +spec: + jobLabel: envoy-proxy + namespaceSelector: + matchNames: + - network + podMetricsEndpoints: + - honorLabels: true + interval: 10s + path: /stats/prometheus + port: metrics + selector: + matchLabels: + app.kubernetes.io/component: proxy + app.kubernetes.io/name: envoy diff --git a/kubernetes/apps/network/envoy-gateway/app/servicemonitor.yaml b/kubernetes/apps/network/envoy-gateway/app/servicemonitor.yaml new file mode 100644 index 000000000..eb5a77ec7 --- /dev/null +++ b/kubernetes/apps/network/envoy-gateway/app/servicemonitor.yaml @@ -0,0 +1,18 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/monitoring.coreos.com/servicemonitor_v1.json +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: envoy-gateway +spec: + selector: + matchLabels: + app.kubernetes.io/name: gateway-helm + namespaceSelector: + matchNames: + - network + endpoints: + - port: metrics + path: /metrics + interval: 10s + honorLabels: true diff --git a/kubernetes/apps/network/envoy-gateway/config/backendtrafficpolicy.yaml b/kubernetes/apps/network/envoy-gateway/config/backendtrafficpolicy.yaml new file mode 100644 index 000000000..71a7df103 --- /dev/null +++ b/kubernetes/apps/network/envoy-gateway/config/backendtrafficpolicy.yaml 
@@ -0,0 +1,28 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: internal +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: internal + compression: + - type: Brotli + - type: Gzip +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: BackendTrafficPolicy +metadata: + name: external +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: external + compression: + - type: Brotli + - type: Gzip diff --git a/kubernetes/apps/network/nginx/certificates/certificates.yaml b/kubernetes/apps/network/envoy-gateway/config/certificate.yaml similarity index 100% rename from kubernetes/apps/network/nginx/certificates/certificates.yaml rename to kubernetes/apps/network/envoy-gateway/config/certificate.yaml diff --git a/kubernetes/apps/network/envoy-gateway/config/clienttrafficpolicy.yaml b/kubernetes/apps/network/envoy-gateway/config/clienttrafficpolicy.yaml new file mode 100644 index 000000000..bc1c8d243 --- /dev/null +++ b/kubernetes/apps/network/envoy-gateway/config/clienttrafficpolicy.yaml 
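Review bot: Both `yaml-language-server` schema lines in this file point at `gateway.envoyproxy.io_clienttrafficpolicies.yaml`, but the documents are `kind: BackendTrafficPolicy`, so editor validation checks the wrong CRD; change them to `# yaml-language-server: $schema=https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_backendtrafficpolicies.yaml`. Enabling Brotli/Gzip response compression on the whole `external` Gateway also covers vaultwarden, which this diff attaches to that gateway; compressing TLS responses that mix secrets with user-influenced content is the BREACH-class risk, so either scope compression per route or record why gateway-wide compression is acceptable here, e.g. `# compression is gateway-wide; review for apps that echo user input next to secrets`.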
@@ -0,0 +1,38 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: ClientTrafficPolicy +metadata: + name: internal +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: internal + clientIPDetection: + xForwardedFor: + numTrustedHops: 1 + tls: + minVersion: '1.2' + alpnProtocols: + - h2 + - http/1.1 +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_clienttrafficpolicies.yaml +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: ClientTrafficPolicy +metadata: + name: external +spec: + targetRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: external + clientIPDetection: + xForwardedFor: + numTrustedHops: 1 + tls: + minVersion: '1.2' + alpnProtocols: + - h2 + - http/1.1 diff --git a/kubernetes/apps/network/envoy-gateway/config/envoyproxy.yaml b/kubernetes/apps/network/envoy-gateway/config/envoyproxy.yaml new file mode 100644 index 000000000..1f8cbfa3f --- /dev/null +++ b/kubernetes/apps/network/envoy-gateway/config/envoyproxy.yaml 
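Review bot: `numTrustedHops: 1` tells Envoy to take the client address from `X-Forwarded-For` rather than from the TCP peer, which is only correct when exactly one trusted proxy sits in front of the listener. For the `internal` Gateway, which gateway.yaml exposes directly on a LAN address via `lbipam.cilium.io/ips`, no such proxy is visible, so a directly connected client can present its own `X-Forwarded-For` and choose the IP that logs, rate limits and any ext-auth policy see; set `numTrustedHops: 0` (or omit `clientIPDetection`) on the internal policy and keep `1` only where a known proxy fronts the gateway. Since envoyproxy.yaml uses `externalTrafficPolicy: Cluster`, the peer address Envoy sees may already be a node address after SNAT, so a comment on `numTrustedHops` naming the proxy it trusts would record the assumption.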
@@ -0,0 +1,31 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/envoyproxy/gateway/refs/heads/main/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: EnvoyProxy +metadata: + name: config +spec: + # ipFamily: DualStack + telemetry: + metrics: + prometheus: {} + shutdown: + drainTimeout: 300s + logging: + level: + default: info + provider: + type: Kubernetes + kubernetes: + envoyDeployment: + replicas: 1 + container: + resources: + requests: + cpu: 150m + memory: 640Mi + limits: + cpu: 500m + memory: 1Gi + envoyService: + externalTrafficPolicy: Cluster # cilium l2 announce doesn't support externalTrafficPolicy: Local diff --git a/kubernetes/apps/network/envoy-gateway/config/gateway.yaml b/kubernetes/apps/network/envoy-gateway/config/gateway.yaml new file mode 100644 index 000000000..728ce3881 --- /dev/null +++ b/kubernetes/apps/network/envoy-gateway/config/gateway.yaml 
@@ -0,0 +1,78 @@ +--- +apiVersion: gateway.networking.k8s.io/v1 +kind: GatewayClass +metadata: + name: envoy-gateway +spec: + controllerName: gateway.envoyproxy.io/gatewayclass-controller + parametersRef: + group: gateway.envoyproxy.io + kind: EnvoyProxy + name: config + namespace: network +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/gateway_v1.json +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: internal + annotations: + external-dns.alpha.kubernetes.io/target: &host internal.${SECRET_EXTERNAL_DOMAIN} +spec: + gatewayClassName: envoy-gateway + infrastructure: + annotations: + external-dns.alpha.kubernetes.io/hostname: *host + lbipam.cilium.io/ips: 192.168.169.121 + listeners: + - name: http + protocol: HTTP + port: 80 + hostname: "*.${SECRET_EXTERNAL_DOMAIN}" + allowedRoutes: + namespaces: + from: Same + - name: https + protocol: HTTPS + port: 443 + hostname: "*.${SECRET_EXTERNAL_DOMAIN}" + allowedRoutes: + namespaces: + from: All + tls: + certificateRefs: + - kind: Secret + name: ${SECRET_EXTERNAL_DOMAIN//./-}-tls +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/gateway_v1.json +apiVersion: gateway.networking.k8s.io/v1 +kind: Gateway +metadata: + name: external + annotations: + external-dns.alpha.kubernetes.io/target: &host external.${SECRET_EXTERNAL_DOMAIN} +spec: + gatewayClassName: envoy-gateway + infrastructure: + annotations: + external-dns.alpha.kubernetes.io/hostname: *host + lbipam.cilium.io/ips: 192.168.169.122 + listeners: + - name: http + protocol: HTTP + port: 80 + hostname: "*.${SECRET_EXTERNAL_DOMAIN}" + allowedRoutes: + namespaces: + from: Same + - name: https + protocol: HTTPS + port: 443 + hostname: "*.${SECRET_EXTERNAL_DOMAIN}" + allowedRoutes: + namespaces: + from: All + tls: + certificateRefs: + - kind: Secret + name: ${SECRET_EXTERNAL_DOMAIN//./-}-tls 
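Review bot: Both `https` listeners use `allowedRoutes.namespaces.from: All`, so any namespace in the cluster can attach an HTTPRoute to the `external` Gateway and publish a hostname under `*.${SECRET_EXTERNAL_DOMAIN}`; the `http` listeners already use `from: Same`, and `from: Selector` with a namespace label would give the https listeners the same least-privilege shape. The `external` and `internal` Gateways differ only in LB IP and DNS target — both serve the same wildcard hostname and the same `${SECRET_EXTERNAL_DOMAIN//./-}-tls` certificate — so the distinction depends entirely on what fronts each IP, and a header comment such as `# external: fronted by <proxy/tunnel>; internal: LAN only` would stop routes being attached to the wrong one. The GatewayClass document is also the only one here without a `yaml-language-server` schema line.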
diff --git a/kubernetes/apps/network/envoy-gateway/config/httproute.yaml b/kubernetes/apps/network/envoy-gateway/config/httproute.yaml new file mode 100644 index 000000000..3128fe42c --- /dev/null +++ b/kubernetes/apps/network/envoy-gateway/config/httproute.yaml @@ -0,0 +1,22 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/httproute_v1.json +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: https-redirect + annotations: + external-dns.alpha.kubernetes.io/controller: none +spec: + parentRefs: + - name: internal + namespace: network + sectionName: http + - name: external + namespace: network + sectionName: http + rules: + - filters: + - requestRedirect: + scheme: https + statusCode: 301 + type: RequestRedirect diff --git a/kubernetes/apps/network/envoy-gateway/config/kustomization.yaml b/kubernetes/apps/network/envoy-gateway/config/kustomization.yaml new file mode 100644 index 000000000..a1ecb4204 --- /dev/null +++ b/kubernetes/apps/network/envoy-gateway/config/kustomization.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - backendtrafficpolicy.yaml + - certificate.yaml + - clienttrafficpolicy.yaml + - envoyproxy.yaml + - gateway.yaml + - httproute.yaml diff --git a/kubernetes/apps/network/envoy-gateway/ks.yaml b/kubernetes/apps/network/envoy-gateway/ks.yaml new file mode 100644 index 000000000..8a17aa9bc --- /dev/null +++ b/kubernetes/apps/network/envoy-gateway/ks.yaml 
@@ -0,0 +1,48 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app envoy-gateway + namespace: &namespace network +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 1h + path: ./kubernetes/apps/network/envoy-gateway/app + dependsOn: + - name: gateway-api-crds + namespace: *namespace + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: *namespace + timeout: 15m +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app envoy-gateway-config + namespace: &namespace network +spec: + interval: 1h + retryInterval: 2m + timeout: 5m + prune: true + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/apps/network/envoy-gateway/config + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: *namespace + wait: false + dependsOn: + - name: envoy-gateway + namespace: *namespace diff --git a/kubernetes/apps/network/gateway-api-crds/ks.yaml b/kubernetes/apps/network/gateway-api-crds/ks.yaml new file mode 100644 index 000000000..ed022afe5 --- /dev/null +++ b/kubernetes/apps/network/gateway-api-crds/ks.yaml 
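Review bot: `envoy-gateway-config` depends on `envoy-gateway`, but the `envoy-gateway` Kustomization sets neither `wait` nor `healthChecks`, so as I read Flux's semantics it reports Ready once the HelmRelease object is applied, not once the chart and the `EnvoyProxy`/`ClientTrafficPolicy`/`BackendTrafficPolicy` CRDs it installs are actually up; the config apply then fails until `retryInterval: 2m` retries it. Adding `wait: true` to the first Kustomization (it already has `timeout: 15m`) makes the dependency meaningful. The two documents also order the same keys differently (`interval`/`path`/`dependsOn` first versus `interval`/`retryInterval`/`timeout`/`prune`), which is worth aligning for diffability.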
@@ -0,0 +1,44 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: GitRepository +metadata: + name: gateway-api-crds +spec: + interval: 30m + url: https://github.com/kubernetes-sigs/gateway-api.git + ref: + tag: v1.3.0 + ignore: | + # exclude + /* + # include + !config/crd/experimental/gateway*.yaml +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &name gateway-api-crds + namespace: &namespace network +spec: + targetNamespace: *namespace + prune: true + sourceRef: + kind: GitRepository + name: *name + interval: 1h + retryInterval: 2m + timeout: 5m + healthChecks: + - &crds + apiVersion: apiextensions.k8s.io/v1 + kind: CustomResourceDefinition + name: backendtlspolicies.gateway.networking.k8s.io + - <<: *crds + name: gatewayclasses.gateway.networking.k8s.io + - <<: *crds + name: gateways.gateway.networking.k8s.io + - <<: *crds + name: httproutes.gateway.networking.k8s.io + - <<: *crds + name: tlsroutes.gateway.networking.k8s.io diff --git a/kubernetes/apps/network/kustomization.yaml b/kubernetes/apps/network/kustomization.yaml index 3c2c1ecff..1b1043214 100644 --- a/kubernetes/apps/network/kustomization.yaml +++ b/kubernetes/apps/network/kustomization.yaml @@ -7,6 +7,7 @@ components: - ../../components/common resources: - ./cloudflared/ks.yaml + - ./envoy-gateway/ks.yaml - ./external-dns/ks.yaml - - ./nginx/ks.yaml + - ./gateway-api-crds/ks.yaml - ./k8s-gateway/ks.yaml diff --git a/kubernetes/apps/network/nginx/certificates/kustomization.yaml b/kubernetes/apps/network/nginx/certificates/kustomization.yaml deleted file mode 100644 index 23a5be6c1..000000000 --- a/kubernetes/apps/network/nginx/certificates/kustomization.yaml +++ /dev/null 
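Review bot: The GitRepository pins `ref.tag: v1.3.0`, which is a mutable reference: anyone who can move that tag upstream changes the CRDs this cluster installs with `prune: true`. Flux's GitRepository supports `ref.commit` (pin the tag's commit SHA) or `spec.verify` for signed tags; either is worth having for something as foundational as the Gateway API CRDs. The `ignore` pattern pulls only `config/crd/experimental/gateway*.yaml`, which is what the `tlsroutes` health check needs, and a comment on `ignore` such as `# experimental channel: needed for TLSRoute and other experimental-only resources` would make the choice explicit. The `<<: *crds` merge keys are a YAML 1.1 extension — fine for kustomize, but worth knowing if another tool ever reads this file.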
@@ -1,6 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./certificates.yaml diff --git a/kubernetes/apps/observability/apprise/app/helmrelease.yaml b/kubernetes/apps/observability/apprise/app/helmrelease.yaml index 862f896bf..b13e0c6ef 100644 --- a/kubernetes/apps/observability/apprise/app/helmrelease.yaml +++ b/kubernetes/apps/observability/apprise/app/helmrelease.yaml @@ -41,24 +41,15 @@ spec: controller: *app ports: http: - port: 8000 - ingress: + port: &port 8000 + route: app: - enabled: true - className: internal - hosts: - - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host - persistence: - config: - enabled: true - existingClaim: *app - globalMounts: - - path: /config + hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: internal + namespace: network + sectionName: https + rules: + - backendRefs: + - name: *app + port: *port diff --git a/kubernetes/apps/observability/blackbox-exporter/app/helmrelease.yaml b/kubernetes/apps/observability/blackbox-exporter/app/helmrelease.yaml index e4816270f..bfc10d1d2 100644 --- a/kubernetes/apps/observability/blackbox-exporter/app/helmrelease.yaml +++ b/kubernetes/apps/observability/blackbox-exporter/app/helmrelease.yaml @@ -23,14 +23,6 @@ spec: retries: 3 values: fullnameOverride: *app - ingress: - enabled: true - className: internal - hosts: - - host: blackbox-exporter.${SECRET_EXTERNAL_DOMAIN} - paths: - - path: / - pathType: Prefix securityContext: readOnlyRootFilesystem: true allowPrivilegeEscalation: false diff --git a/kubernetes/apps/observability/gatus/app/config/config.yaml b/kubernetes/apps/observability/gatus/app/config/config.yaml index 00adfd016..1a6567209 100644 
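Review bot: The apprise hunk removes the whole `persistence.config` block (`existingClaim: *app` mounted at `/config`) together with the ingress, which is unrelated to the ingress→route migration and is not reflected in any other hunk here; unless apprise no longer needs its config volume, this drops its persisted configuration on the next reconcile. If the removal is deliberate it should be a separate change or at least noted in the commit; if not, the `persistence:` block should be restored below the new `route.app` block. The new `port: &port 8000` anchor is correct since `backendRefs` now aliases `*port`.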
--- a/kubernetes/apps/observability/gatus/app/config/config.yaml +++ b/kubernetes/apps/observability/gatus/app/config/config.yaml @@ -1,15 +1,17 @@ --- web: port: 8080 -storage: - type: sqlite - path: /config/sqlite.db - caching: true metrics: true -debug: false ui: title: Status | Gatus header: Status + logo: https://avatars.githubusercontent.com/u/27022259 + link: https://github.com/auricom + buttons: + - name: Github + link: https://github.com/auricom + - name: Homelab + link: https://github.com/onedr0p/home-ops alerting: pushover: application-token: ${CUSTOM_PUSHOVER_APP_TOKEN} diff --git a/kubernetes/apps/observability/gatus/app/helmrelease.yaml b/kubernetes/apps/observability/gatus/app/helmrelease.yaml index 5082c2341..27e201a3e 100644 --- a/kubernetes/apps/observability/gatus/app/helmrelease.yaml +++ b/kubernetes/apps/observability/gatus/app/helmrelease.yaml @@ -1,5 +1,5 @@ --- -# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s-labs/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: @@ -11,15 +11,11 @@ spec: name: app-template install: remediation: - retries: 3 + retries: -1 upgrade: cleanupOnFail: true remediation: - strategy: rollback retries: 3 - dependsOn: - - name: rook-ceph-cluster - namespace: rook-ceph values: controllers: gatus: @@ -29,7 +25,7 @@ spec: init-config: image: repository: ghcr.io/home-operations/k8s-sidecar - tag: 1.30.7@sha256:3b6444d91c6e69a9e07c5e55419452d967d18c833d88b36277dc2021b708f621 + tag: 1.30.9@sha256:74d65c3def9276b24b5bfe41f8efb773174e7a1ecf3c9b5a31bd02cfdee232c9 env: FOLDER: /config LABEL: gatus.io/enabled 
@@ -47,16 +43,12 @@ spec: app: image: repository: ghcr.io/twin/gatus - tag: v5.21.0@sha256:b45c89b1f8bfd5be456306b2bf1a581cc13ca0d897faf357ef77c35ac9eca1fa + tag: v5.23.1@sha256:43a12405c1bda5768026b0f75786a744678a472eb7f272039d95017e59ef50b6 env: - CUSTOM_SECRET_EXTERNAL_DOMAIN: ${SECRET_EXTERNAL_DOMAIN} + TZ: ${TIMEZONE} GATUS_CONFIG_PATH: /config GATUS_DELAY_START_SECONDS: 5 - TZ: ${TIMEZONE} - WEB_PORT: &port 8080 - envFrom: - - secretRef: - name: gatus-secret + GATUS_WEB_PORT: &port 80 probes: liveness: &probes enabled: true @@ -68,12 +60,12 @@ spec: initialDelaySeconds: 0 periodSeconds: 10 timeoutSeconds: 1 - failureThreshold: 6 + failureThreshold: 3 readiness: *probes securityContext: allowPrivilegeEscalation: false readOnlyRootFilesystem: true - capabilities: { drop: [ALL] } + capabilities: { drop: ["ALL"] } resources: requests: cpu: 100m 
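Review bot: `GATUS_WEB_PORT: &port 80` now drives the Service port and the probes, but the config.yaml hunk earlier in this diff still sets `web: port: 8080`; unless Gatus gives that environment variable precedence over the file (the previous `WEB_PORT` env matched the file's 8080, so the conflict was never exercised), the container listens on 8080 while the Service and probes target 80, and `web.port` in config.yaml should be changed to match or removed. The removed `envFrom: secretRef: gatus-secret` also deserves a look: config.yaml still references `${CUSTOM_PUSHOVER_APP_TOKEN}`, and if that was expanded by Gatus from the secret's environment (the removed `CUSTOM_SECRET_EXTERNAL_DOMAIN` env suggests that pattern) rather than by Flux postBuild substitution, alerting now has an empty token. Binding port 80 as UID 1000 with `drop: ["ALL"]` relies on the node runtime allowing unprivileged low ports (containerd's `enable_unprivileged_ports`), so check that on these nodes.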
@@ -84,47 +76,49 @@ spec: runAsNonRoot: true runAsUser: 1000 runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: OnRootMismatch - seccompProfile: { type: RuntimeDefault } service: app: - controller: gatus ports: http: port: *port - ingress: + serviceMonitor: app: - className: external - annotations: - gethomepage.dev/enabled: "true" - gethomepage.dev/name: Gatus - gethomepage.dev/description: Automated developer-oriented status page. - gethomepage.dev/group: Applications - gethomepage.dev/icon: gatus.png - gethomepage.dev/pod-selector: >- - app in ( - gatus - ) - hosts: - - host: &host "status.${SECRET_EXTERNAL_DOMAIN}" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host + endpoints: + - port: http + route: + app: + hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: internal + namespace: network + sectionName: https + rules: + - backendRefs: + - name: *app + port: *port + rbac: + roles: + gatus: + type: ClusterRole + rules: + - apiGroups: [""] + resources: ["configmaps", "secrets"] + verbs: ["get", "watch", "list"] + bindings: + gatus: + type: ClusterRoleBinding + roleRef: + identifier: gatus + subjects: + - identifier: gatus serviceAccount: - create: true - name: *app + gatus: {} persistence: config: - existingClaim: gatus + type: emptyDir config-file: type: configMap - name: gatus-configmap + name: "{{ .Release.Name }}-configmap" globalMounts: - path: /config/config.yaml subPath: config.yaml diff --git a/kubernetes/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/apps/observability/grafana/app/helmrelease.yaml index 61fd664f4..0f99069eb 100644 --- a/kubernetes/apps/observability/grafana/app/helmrelease.yaml +++ b/kubernetes/apps/observability/grafana/app/helmrelease.yaml 
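Review bot: Dropping `seccompProfile: { type: RuntimeDefault }` from the pod-level `securityContext` at the top of the hunk weakens hardening the rest of this release keeps (`allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, dropped capabilities): without it the pod runs with the runtime's unconfined seccomp profile unless the kubelet enforces a default, and it no longer meets the Pod Security `restricted` profile. Keep `seccompProfile: { type: RuntimeDefault }` next to `runAsNonRoot: true`. The new `rbac.roles.gatus` ClusterRole grants `get/watch/list` on `secrets` cluster-wide to the sidecar's service account; if the config sidecar only needs to discover ConfigMaps (the `LABEL: gatus.io/enabled` selector earlier in the file suggests so), drop `"secrets"` from `resources`, or scope the grant to a namespaced Role, and add a comment stating why cluster scope is required if it is. The `securityContext` mapping these lines belong to starts outside the hunk.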
@@ -272,13 +272,6 @@ spec: gnetId: 11454 revision: 14 datasource: Prometheus - nginx: - nginx: - url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/nginx.json - datasource: Prometheus - nginx-request-handling-performance: - url: https://raw.githubusercontent.com/kubernetes/ingress-nginx/master/deploy/grafana/dashboards/request-handling-performance.json - datasource: Prometheus prometheus: prometheus: # renovate: depName="Prometheus" @@ -329,24 +322,14 @@ spec: - vonage-status-panel serviceMonitor: enabled: true - ingress: - enabled: true - ingressClassName: internal - annotations: - gethomepage.dev/enabled: "true" - gethomepage.dev/name: Grafana - gethomepage.dev/description: Observability and data visualization platform. - gethomepage.dev/group: Infrastructure - gethomepage.dev/icon: grafana.png - gethomepage.dev/pod-selector: >- - app in ( - grafana - ) - hosts: - - &host "grafana.${SECRET_EXTERNAL_DOMAIN}" - tls: - - hosts: - - *host + route: + main: + enabled: true + hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: internal + namespace: network + sectionName: https persistence: enabled: false testFramework: diff --git a/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml index 59955db4a..1d6fa2082 100644 --- a/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml +++ b/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml 
@@ -105,29 +105,14 @@ spec: ### Prometheus instance values ### prometheus: - ingress: - enabled: true - pathType: Prefix - ingressClassName: internal - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify - nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method - nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email - nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; - gethomepage.dev/enabled: "true" - gethomepage.dev/name: Prometheus - gethomepage.dev/description: Systems and service monitoring system. - gethomepage.dev/group: Infrastructure - gethomepage.dev/icon: prometheus.png - gethomepage.dev/pod-selector: >- - app in ( - prometheus-kube-prometheus-stack-prometheus - ) - hosts: ["prometheus.${SECRET_EXTERNAL_DOMAIN}"] - tls: - - hosts: - - "prometheus.${SECRET_EXTERNAL_DOMAIN}" + route: + main: + enabled: true + hostnames: ["prometheus.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: internal + namespace: network + sectionName: https prometheusSpec: replicas: 2 replicaExternalLabelName: replica 
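Review bot: The replacement `route.main` for Prometheus carries no authentication, whereas the removed ingress enforced Authelia forward-auth via `nginx.ingress.kubernetes.io/auth-url` / `auth-signin`; Prometheus has no built-in login, so anything that can reach the `internal` gateway can now browse and query it unauthenticated. The Alertmanager hunk (`@@ -217,29 +202,14 @@`) has the same regression, and additionally renames the host from `alert-manager.` to `alertmanager.`. This commit adds an `ext-auth` SecurityPolicy component, but nothing visible attaches it to these two routes; either include that component for kube-prometheus-stack with `EXT_AUTH_TARGET` set to the generated HTTPRoute names, or add a comment above `route:` explaining why these hosts are intentionally unauthenticated.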
@@ -217,29 +202,14 @@ spec: resources: requests: storage: 1Gi - ingress: - enabled: true - pathType: Prefix - ingressClassName: internal - annotations: - nginx.ingress.kubernetes.io/auth-method: GET - nginx.ingress.kubernetes.io/auth-url: http://authelia.default.svc.cluster.local.:8888/api/verify - nginx.ingress.kubernetes.io/auth-signin: https://auth.${SECRET_EXTERNAL_DOMAIN}?rm=$request_method - nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email - nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Method $request_method; - gethomepage.dev/enabled: "true" - gethomepage.dev/name: Alert-Manager - gethomepage.dev/description: Handles alerts sent by Prometheus. - gethomepage.dev/group: Infrastructure - gethomepage.dev/icon: alertmanager.png - gethomepage.dev/pod-selector: >- - app in ( - alertmanager-kube-prometheus-stack-alertmanager - ) - hosts: ["alert-manager.${SECRET_EXTERNAL_DOMAIN}"] - tls: - - hosts: - - "alert-manager.${SECRET_EXTERNAL_DOMAIN}" + route: + main: + enabled: true + hostnames: ["alertmanager.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: internal + namespace: network + sectionName: https prometheus: monitor: enabled: true diff --git a/kubernetes/apps/observability/pushgateway/app/helmrelease.yaml b/kubernetes/apps/observability/pushgateway/app/helmrelease.yaml index 544b397c4..c2e91e99d 100644 --- a/kubernetes/apps/observability/pushgateway/app/helmrelease.yaml +++ b/kubernetes/apps/observability/pushgateway/app/helmrelease.yaml @@ -34,10 +34,4 @@ spec: enabled: true namespace: observability ingress: - enabled: true - className: internal - hosts: - - &host "pushgateway.${SECRET_EXTERNAL_DOMAIN}" - tls: - - hosts: - - *host + enabled: false diff --git a/kubernetes/apps/observability/pushgateway/app/httproute.yaml b/kubernetes/apps/observability/pushgateway/app/httproute.yaml new file mode 100644 index 000000000..7238e72d5 --- /dev/null 
+++ b/kubernetes/apps/observability/pushgateway/app/httproute.yaml @@ -0,0 +1,27 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/gateway.networking.k8s.io/httproute_v1.json +apiVersion: gateway.networking.k8s.io/v1 +kind: HTTPRoute +metadata: + name: https-redirect +spec: + hostnames: + - pushgateway.${SECRET_EXTERNAL_DOMAIN} + parentRefs: + - group: gateway.networking.k8s.io + kind: Gateway + name: internal + namespace: network + sectionName: https + rules: + - backendRefs: + - group: '' + kind: Service + name: pushgateway + namespace: default + port: 9091 + weight: 1 + matches: + - path: + type: PathPrefix + value: / diff --git a/kubernetes/apps/observability/pushgateway/app/kustomization.yaml b/kubernetes/apps/observability/pushgateway/app/kustomization.yaml index 09bc749a9..d4b286802 100644 --- a/kubernetes/apps/observability/pushgateway/app/kustomization.yaml +++ b/kubernetes/apps/observability/pushgateway/app/kustomization.yaml @@ -4,3 +4,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./helmrelease.yaml + - ./httproute.yaml diff --git a/kubernetes/apps/observability/scrutiny/app/helmrelease.yaml b/kubernetes/apps/observability/scrutiny/app/helmrelease.yaml index a1189fb40..58cdf67d6 100644 --- a/kubernetes/apps/observability/scrutiny/app/helmrelease.yaml +++ b/kubernetes/apps/observability/scrutiny/app/helmrelease.yaml 
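Review bot: `metadata.name: https-redirect` does not describe this resource, which is a plain backend route to the pushgateway Service rather than a redirect; name it after the app (`name: pushgateway`) so it is not confused with the real redirect routes elsewhere in the repo. The `backendRefs` entry pins `namespace: default`, yet the manifest lives under `kubernetes/apps/observability/pushgateway`; if the route is applied in a namespace other than `default`, that is a cross-namespace reference that Gateway API rejects without a ReferenceGrant in `default`, and if the Service actually sits in the route's own namespace the `namespace` key should simply be dropped. Note also that pushgateway accepts metric pushes without authentication, so this route exposes metric injection to everything the `internal` gateway reaches; the removed ingress had the same exposure, but a comment or an `ext-auth` attachment would make the decision explicit.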
@@ -47,30 +47,17 @@ spec: ports: http: port: &port 8080 - ingress: + route: app: - enabled: true - className: internal - annotations: - gethomepage.dev/enabled: "true" - gethomepage.dev/name: Scrutiny - gethomepage.dev/description: Hard Drive S.M.A.R.T Monitoring. - gethomepage.dev/group: Infrastructure - gethomepage.dev/icon: scrutiny.png - gethomepage.dev/pod-selector: >- - app in ( - scrutiny - ) - hosts: - - host: &host "{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}" - paths: - - path: / - service: - identifier: app - port: http - tls: - - hosts: - - *host + hostnames: ["{{ .Release.Name }}.${SECRET_EXTERNAL_DOMAIN}"] + parentRefs: + - name: internal + namespace: network + sectionName: https + rules: + - backendRefs: + - name: *app + port: *port probes: liveness: enabled: true diff --git a/kubernetes/components/ext-auth/authentication.yaml b/kubernetes/components/ext-auth/authentication.yaml new file mode 100644 index 000000000..d308ff83d --- /dev/null +++ b/kubernetes/components/ext-auth/authentication.yaml @@ -0,0 +1,32 @@ +--- +# yaml-language-server: $schema=https://schemas.budimanjojo.com/gateway.envoyproxy.io/securitypolicy_v1alpha1.json +apiVersion: gateway.envoyproxy.io/v1alpha1 +kind: SecurityPolicy +metadata: + name: ${APP} +spec: + extAuth: + headersToExtAuth: + - X-Forwarded-For # this is here so we can get the real IP + - X-Forwarded-Proto + - authorization + - header-authorization + - proxy-authorization + - accept + - cookie + failOpen: false + http: + backendRefs: + - group: "" + kind: Service + name: authelia + namespace: default + port: 8888 + path: /api/authz/ext-authz/ + headersToBackend: + - 'remote-*' + - 'authelia-*' + targetRefs: + - group: ${EXT_AUTH_GROUP:-gateway.networking.k8s.io} + kind: ${EXT_AUTH_KIND:-HTTPRoute} + name: ${EXT_AUTH_TARGET:-${APP}} diff --git a/kubernetes/components/ext-auth/kustomization.yaml b/kubernetes/components/ext-auth/kustomization.yaml new file mode 100644 index 000000000..219debc13 --- /dev/null 
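Review bot: In the new `ext-auth/authentication.yaml`, the `extAuth.http.backendRefs` entry points at Service `authelia` in `namespace: default`, while the Component is designed to be included by apps in other namespaces (`targetRefs` defaults to `${APP}`); each consuming namespace therefore needs a ReferenceGrant in `default` allowing `SecurityPolicy` backendRefs, which this commit does not add, and with `failOpen: false` an unresolved backend means the targeted route denies requests rather than passing them through. Add the ReferenceGrant to the component (or to the authelia app) and note the dependency in a comment above `backendRefs`. The inline comment on `X-Forwarded-For` ("so we can get the real IP") should also say that the header is only as trustworthy as the gateway's handling of client-supplied values, e.g. `# forwarded to Authelia for client IP; only trustworthy if the gateway overwrites/appends it (check trusted-hops config)`. Minor: `group: ""` and `'remote-*'` mix quote styles within the same document.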
+++ b/kubernetes/components/ext-auth/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1alpha1 +kind: Component +resources: + - ./authentication.yaml